New CR (cracked sites) sublist and UriQ (URI query) API
December 19, 2015
CR (cracked sites) sublist to be added to multi.surbl.org

SURBL traditionally lists hosts (domains and IPs) owned by abusers, but as blacklisting their own hosts has impacted them, some have switched to using cracked third-party sites. Criminals steal credentials or exploit vulnerabilities to break into sites and upload malicious pages, including redirectors that forward browsers to other sites. Often, only the cracked URIs will appear in abusive messages.

To better handle such sites we are creating the new CR sublist to identify cracked hosts. The new list uses bitmask value 128. Since this value was previously unused, there should be no compatibility issues with existing applications that use SURBL data and only test for previously defined bitmask values.
UriQ – Introducing a URI query API

Sites listed on CR may not be completely bad, but are known to host specific malicious URIs (created by abusers) in addition to the original legitimate site contents. To distinguish between URIs created by abusers and URIs that are part of the legitimate content, we have created SURBL UriQ, a new API to query full URIs against our URI data.

We will provide a way of checking, on multi.surbl.org lookups, whether URI information is available for a given host. In that case, an additional UriQ query of a specific URI on that host will indicate whether that URI is bad or not.

UriQ uses HTTP POST to send URIs and is currently in beta testing. If you would like to join the beta test, please contact us via your SURBL reseller. The general availability of UriQ and its production status will be announced in future.
Implementation recommendations

We encourage software developers to update their applications to test for the CR sublist bitmask to detect known cracked sites in URIs. We recommend using the presence of the CR listing as part of a scoring algorithm, as not all URIs on CR-listed hosts are bad.
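The following is an added example, not SURBL's own code, showing how an application might decode a multi.surbl.org answer, test for the CR bit (128, from the announcement above) and feed the result into a score rather than a hard block, as recommended. The query-name rules (lower-cased domain as-is, IPv4 octets reversed) and the 127.0.0.X answer encoding follow SURBL's published lookup conventions; the resolver is injected so the example runs offline against a small constructed zone, and the weights, host names and the non-CR bit value 8 used in that zone are illustrative assumptions, not real listings.

```python
"""Added example (not SURBL code): decode multi.surbl.org bitmask answers and
use the CR (cracked site) bit as one input to a URI score."""
from ipaddress import ip_address
from typing import Callable, Iterable
from urllib.parse import urlsplit

SURBL_MULTI_ZONE = "multi.surbl.org"
CR_BIT = 128  # CR (cracked sites) sublist bit, per the announcement

# A resolver maps a query name to the A records returned for it (as strings).
Resolver = Callable[[str], Iterable[str]]


def lookup_name(host: str) -> str:
    """Build the multi.surbl.org query name for a host.

    SURBL's lookup convention: domain names are queried as-is (lower-cased,
    trailing dot removed); IPv4 addresses are queried with the octets reversed.
    """
    host = host.rstrip(".").lower()
    try:
        ip = ip_address(host)
    except ValueError:  # not an IP literal, so treat it as a domain name
        return f"{host}.{SURBL_MULTI_ZONE}"
    if ip.version != 4:
        raise ValueError("this example only handles IPv4 literals")
    reversed_octets = ".".join(reversed(host.split(".")))
    return f"{reversed_octets}.{SURBL_MULTI_ZONE}"


def bitmask_from_answers(answers: Iterable[str]) -> int:
    """OR together the last octet of every 127.0.0.X answer.

    Works whether the server encodes all sublists in one record (X is the
    sum of the bits) or returns one record per sublist. Anything that is not
    a 127.0.0.X address is ignored rather than trusted.
    """
    mask = 0
    for answer in answers:
        octets = answer.strip().split(".")
        if len(octets) == 4 and octets[:3] == ["127", "0", "0"] and octets[3].isdigit():
            mask |= int(octets[3]) & 0xFF
    return mask


def surbl_flags(host: str, resolve: Resolver) -> int:
    """Return the combined sublist bitmask for a host (0 if not listed)."""
    return bitmask_from_answers(resolve(lookup_name(host)))


def is_cracked_host(host: str, resolve: Resolver) -> bool:
    """True if the host carries the CR (cracked site) bit."""
    return bool(surbl_flags(host, resolve) & CR_BIT)


def score_uri(uri: str, resolve: Resolver,
              cr_weight: float = 2.0, other_weight: float = 5.0) -> float:
    """Score a URI from its host's SURBL flags.

    The CR bit gets a smaller weight than the other sublists because, as the
    announcement says, not every URI on a cracked host is malicious; the
    listing is evidence for a scoring engine, not a verdict on its own.
    The weights are illustrative assumptions.
    """
    host = urlsplit(uri).hostname
    if not host:
        return 0.0
    flags = surbl_flags(host, resolve)
    score = 0.0
    if flags & CR_BIT:
        score += cr_weight
    if flags & ~CR_BIT:  # any sublist bit other than CR
        score += other_weight
    return score


# Constructed offline zone standing in for real DNS answers (not real listings).
FAKE_ZONE = {
    "cracked-blog.example.multi.surbl.org": ["127.0.0.128"],   # CR only
    "bad-host.example.multi.surbl.org": ["127.0.0.8"],         # some other sublist bit (assumed)
    "both.example.multi.surbl.org": ["127.0.0.136"],           # 128 + 8 in one record
    "10.2.0.192.multi.surbl.org": ["127.0.0.128"],             # IP 192.0.2.10, octets reversed
}


def fake_resolve(name: str) -> list:
    """Offline stand-in for a DNS A lookup; empty list means NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for uri in ("http://cracked-blog.example/wp-content/upload.php",
                "http://both.example/", "http://192.0.2.10/r", "http://clean.example/"):
        print(uri, "cracked" if is_cracked_host(urlsplit(uri).hostname, fake_resolve) else "-",
              score_uri(uri, fake_resolve))
```

In production the injected resolver would be a real DNS client, and the host passed to the lookup would first be reduced to its registered domain according to SURBL's implementation guidelines; the bit test and the scoring stay the same.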
Timeline:

Creation of the CR (cracked) dataset - 1 February 2016

The documentation on the SURBL site will be updated over the next few weeks to reflect the changes. It has not been updated yet.

http://www.surbl.org/lists
Recommended action:

We recommend that SURBL application developers prepare to update their configurations according to these changes so they are ready when the changes are put into production on our name servers and zone files.

Please direct follow-up discussion to the SURBL Discussion list.