Quick Start

SURBLs differ from most other lists in that they're used to detect unsolicited messages based on message body URIs (usually web sites). Unlike most other lists, SURBLs are not meant to identify message senders by their message headers or connection IP addresses. Instead they help identify messages by the sites mentioned in their message bodies.

Some results of using SURBLs appear in the News section. Detection rates are around 80 to 90%, with false positive rates of the different lists ranging from about 0.001 to 0.05%. We continually work to improve both the detection and false positive rates in a variety of ways. Descriptions of the different SURBL lists and their data sources can be found in the Lists section.

SURBLs are often used in conjunction with other conventional lists, such as those that list open relays, compromised hosts, etc.

In order to use SURBLs you need software that can parse URIs in message bodies, extract their hosts, and check those against a SURBL. Programs such as SpamAssassin 3 and many others now support SURBLs. For a list of some of those applications please see our Links page.

DNS bugs and incompatibilities leading to false positives

There is a bug (#3997) in versions of SpamAssassin older than 3.1 where the responses to DNS queries occasionally get mixed up, resulting in very rare false positives (wanted mail tagged as unsolicited). This can be seen when SpamAssassin shows a domain as blacklisted but it is not blacklisted when checking with a manual DNS query or on the lookup page. The solution is to upgrade to SpamAssassin version 3.1 or later.

Another issue is that some anti-spam or anti-phishing DNS or proxy services modify the results of DNS queries, and some of those changes may not be compatible with SURBL applications. In particular, modification of NXDOMAIN responses can result in false positives due to the changed Address bits in the response. But any modification of the DNS query results can lead to application errors. The solution is to not use DNS or proxy services that modify query results on your systems running SURBL applications.

Additionally some ISPs such as Verizon and others are now modifying some DNS NXDOMAIN responses in a way that causes what look like false positives on domains that are not blacklisted. They appear to be doing this to drive search traffic to other sites, but unfortunately it breaks DNS responses for SURBLs and other blacklists. Please check with your ISP if you are seeing DNS responses modified in this way. Verizon has an opt-out procedure with instructions on switching to DNS servers that do not change NXDOMAIN responses. Others such as Charter have opt-out nameservers that reportedly do not support NXDOMAIN. If so, then none of their nameservers may be compatible. One solution is to not use their nameservers.

These cases are very rare, but worth mentioning if it prevents some confusion.
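The host extraction and lookup described earlier on this page, together with a guard against the modified-NXDOMAIN problem above, as an added Python example (not SURBL or SpamAssassin code). The resolver is injected as a function so the sample runs offline; the sample hosts, answers and the 203.0.113.64 redirect address are constructed, hosts are queried as extracted, and only the JP mask 64 from the urirhssub rule shown on this page is decoded.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ZONE = "multi.surbl.org"   # combined list named on this page
JP_BIT = 64                # JP mask from the urirhssub rule on this page
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
URI_RE = re.compile(r"https?://[^\s<>]+", re.I)

def body_hosts(body):
    """Return the distinct, lower-cased hosts of http(s) URIs in a body."""
    hosts = []
    for uri in URI_RE.findall(body):
        host = (urlsplit(uri).hostname or "").rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def classify(answer):
    """Interpret one lookup result: None (NXDOMAIN) or an IPv4 string."""
    if answer is None:
        return "not-listed"
    ip = ipaddress.ip_address(answer)
    # A rewritten NXDOMAIN points at a real web server, not 127.0.0.0/8.
    # Masking its last octet would produce a bogus list hit, so reject it.
    if ip not in LOOPBACK:
        return "resolver-modified"
    return "listed-jp" if int(ip) & JP_BIT else "listed-other"

def check_body(body, resolve):
    """Map each body host to a verdict; resolve(qname) is caller-supplied."""
    return {h: classify(resolve(f"{h}.{ZONE}")) for h in body_hosts(body)}

# Constructed sample data: a stub resolver standing in for real DNS.
SAMPLE_ANSWERS = {
    "listed.example.multi.surbl.org": "127.0.0.64",
    "rewritten.example.multi.surbl.org": "203.0.113.64",  # redirect page
}
SAMPLE_BODY = ("Buy at http://listed.example/x and "
               "http://Rewritten.example/ or https://clean.example/")

def sample_resolve(qname):
    return SAMPLE_ANSWERS.get(qname)

if __name__ == "__main__":
    for host, verdict in check_body(SAMPLE_BODY, sample_resolve).items():
        print(host, verdict)
```

With live DNS, pass a resolve function that returns the first A record as a string, or None on NXDOMAIN.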

SURBL removal requests

Please follow the List Removal instructions at the end of the Lists page if you have a domain to remove from SURBL lists. SURBLs are not IP address blacklists, nor do they list sending IPs or sending domains. SURBLs do not list senders, but do list web site domains advertised in unsolicited messages. Also note that SURBL does not block any messages. SURBLs are informational tools to help mail systems identify potential unsolicited messages.

SURBL application support

SURBL support in SpamAssassin 3

SpamAssassin 3 supports SURBLs by default. You should not need to make any changes to the default rules or scores to use SURBLs, but make sure to have a recent version of Net::DNS installed and network tests enabled. If you're not seeing SURBL hits in SA 3, please check that network tests are enabled. Additional debugging hints are available in our FAQ.

If you were using SpamCopURI in an earlier version of SpamAssassin, please remove references to it when using SpamAssassin 3. We also recommend discontinuing the use of the BigEvil.cf ruleset if you are using ws.surbl.org, which is enabled by default in SA 3.

SURBLs are used in SpamAssassin 3 by the commands urirhsbl and urirhssub which can be found in the plugin URIDNSBL. The default command urirhssub is the preferred one since it uses SURBLs in the combined form of multi.surbl.org. More information about the SURBL lists combined into multi can be found in the Lists section. An older command urirhsbl would use SURBL lists individually, but it is not configured in the default rules, and it generally should not be used since it's much less efficient.


Important Note Regarding SpamAssassin 3.0.1 and later: When adding URIDNSBL rules, including SURBL or SBL ones using urirhsbl, urirhssub or uridnsbl, be sure to set the rule type to body. For example:

urirhssub URIBL_JP_SURBL  multi.surbl.org.        A   64
body      URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflags    URIBL_JP_SURBL  net

score URIBL_JP_SURBL    3.0

This is a change from SpamAssassin 3.0.0, where body above was previously header. Here is the changelog reference:

r54022 | felicity | 2004-10-07 22:21:30 +0000 (Thu, 07 Oct 2004) | 1 line

bug 3734: uridnsbl rules work on body data, not header data, so change
the rule type from header to body

SpamCopURI - A SpamAssassin 2.63 and 2.64 program

Unlike SpamAssassin 3, earlier SpamAssassin versions 2.63 and 2.64 don't have built-in support for SURBLs, but you can add it with Eric Kolve's SpamCopURI patch. The sample rules included with the distribution use the latest and greatest combined list multi.surbl.org.

When installing SpamCopURI, please make sure your Net::DNS is current. If you want to use the optional redirection resolution, also make sure that your libwww-perl (LWP) is current.


Note: If you are using SpamCopURI version 0.22 then please update your configuration to add two recent lists AB and JP. There are also a few typos corrected in this sample configuration.
Important Note: Matt Kettler says: DO NOT run SA 2.63 on a production server. Upgrade to 2.64 or 3.x because 2.63 has a MIME parsing bug that can be used to DoS your server.

URIBL qpsmtpd MTA plugin supports SURBLs

Devin Carraway has written a plugin for the Perl-based MTA qpsmtpd to compare domains from message body URIs to SURBL domain lists. Here's his announcement on perl.qpsmtpd, and a link to his uribl plugin. Congratulations to Devin on the first MTA use of SURBL we've heard about. Usage instructions are in the package.

Additional programs using SURBLs

Many programs now support or can use SURBLs including sendmail, qmail, qmail-ldap, Exim, Exchange, Policy Patrol, MailScanner, Declude Junkmail, Merak Mail Server, MDaemon, NetIQ MailMarshal, ALOAHA, ASTPS, NEMX Power Tools, XWall, ORFilter, GEE Whiz, SpamAssassin, SpamBouncer, STAT AntiSpam, MTS Professional, Trash Finder, SpamPal, Secure Mail Suite, and many others. Please see the News and Links sections for more information.

Implementation Guidelines available

Implementation Guidelines are available for anyone writing code to use SURBL lists. They provide an overview of the steps needed to process messages and check them against SURBLs.

New SURBL lists

Most programs using SURBLs use all of the existing lists as of September 2004. However there is a good new one, JP, that is not in the default configurations of some programs. We recommend adding it as a separate configuration until updates of those programs can add it into their defaults. Update: JP is now included in the default configuration of SpamAssassin 3.1, though it may still need to be added to other applications manually.

jp - jwSpamSpy + Prolocation data source

Joe Wein's jwSpamSpy program is used both by Joe's own systems and by Raymond Dijkxhoorn and his colleagues at Prolocation to process more than 300,000 likely unsolicited messages per day. The resulting list has a very good unsolicited message detection rate of around 80% and a very low false positive rate below 0.02%. This data is only available in the combined list multi.surbl.org.

An SA 3.0.1 and later rule and score using URIBL's urirhssub looks like this:

urirhssub URIBL_JP_SURBL  multi.surbl.org.        A   64
body      URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflags    URIBL_JP_SURBL  net

score URIBL_JP_SURBL    3.0

An SA 2.63 and 2.64 rule and score using SpamCopURI 0.22 or later looks like this:

uri       JP_URI_RBL  eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+64')
describe  JP_URI_RBL  Has URI in JP at http://www.surbl.org/lists.html
tflags    JP_URI_RBL  net

score     JP_URI_RBL  3.0

(Note: JP is included in the default configuration of SpamAssassin 3.1, so it's no longer necessary to manually add the configurations above if you are using SA 3.1 or later. It needs to be manually added to versions before 3.1 however.)

For more information about JP and the other SURBL lists, please see the SURBL Lists section. Additional new lists may be added as new data sources emerge. Please check the News and Lists pages for updates.

Announcement list

If you use SURBLs, please sign up for our announcement list in order to be informed about important updates to data sources, lists, formats, programs, etc. Message volume on the announcement list is very low.

Administrators of high volume mail servers

If you run a high volume mail server (e.g., processing more than a few hundred thousand messages per day), please set up rbldnsd, then please fill out our rsync request form to request rsync access to the SURBL zone files. BIND zone files are also available by rsync. Please see Links for some references and instructions on using rbldnsd and rsync. Please do not use public name servers for processing large volumes of mail. This is true for any RBLs you may be using.

If your daily mail volume is below 250,000, use the public DNS servers. If your mail volume is above 250,000 per day, use rsync to get the zone files. Thank you.


quickstart.html version 2.57 on 2/5/08