News & Notes

 

How you can help

The success of SURBLs will depend on several things which you may be able to help with:

  1. Please report any false positives to us so that we can review and remove them as appropriate. For further list removal information please start with the Lookup page.
  2. Use multi.surbl.org instead of individual lists since it reduces the number of DNS queries needed if you're using more than one list. Current versions of SpamAssassin use multi.surbl.org by default, as should all SURBL-compatible applications.
  3. If you run a high volume mail server (e.g., processing more than a few hundred thousand messages per day), then please set up rbldnsd, then fill out our Data Feed request form (to the right) to request access to the SURBL zone files. BIND zone files are also available by rsync. Please see Links for some references and instructions on using rbldnsd and rsync. Please do not use public name servers for processing large volumes of mail. This is true for any DNS blacklists you may be using.
  4. If you are using SpamAssassin, please upgrade to version 3.1 or later since it uses SURBLs most correctly. You will often get the best overall performance by running the latest version, which is therefore recommended.
  5. Please consider helping to port or write applications such as MTA filters or mail filter plug-ins to use SURBLs. Our Implementation Guidelines provide an overview of the functionality needed. The Links page lists some of the existing applications.
  6. If you have any information about ccTLDs that are not in our two-level-tld list, please let us know at our contacts.

News

Internal

  • 4/4/2011: Accented characters of a few uncommon domains in two-level-tlds have been converted to IDN representation.
  • SURBL will be exhibiting at RSA Conference 2011 in San Francisco, CA from February 14 through 18 with our reseller MXTools at booth 1159. Please stop by and say hi if you use SURBL data. We'd love to meet you and let you know about our latest initiatives to improve SURBL data and frustrate the bad guys even more. You can use code EC11MXT to gain free access to the show floor and keynote addresses, a $100 value. Please feel free to share the code with friends.
  • 2/25/2010: We have created a three-level-tld list that contains domains that should be checked at the fourth level. It joins the existing list of two-level-tld domains that should be checked at the third level. We also added some frequently abused web hosts into these tld files. We also moved the location of the files. For more information please see our Implementation Guidelines.
  • 11/2/2009: SURBL has added a report of Most Abused TLDs. This is a daily count of the TLDs most commonly appearing in SURBL data and is an indication of relative abuse levels. The TLD .cn is disproportionately represented, most likely due to persistent and widespread abuse by the "Canadian Pharmacy" botnet-using spam gang.
  • 10/18/09: As of October 2009, data from Malware Domain List has been added to the ph list.
  • 6/27/09: As of 27 June 2009, the PH list includes ZeuS Tracker malware host data.
  • 6/22/09: As of 22 June 2009, NS records have been removed from the SURBL zone files. This should not affect operators of either public or private DNS mirrors, since the records are not needed in either case. The main impact is that private DNS mirrors no longer need to take the extra step of removing the NS records.
  • 3/1/09: As of 1 March 2009, public DNS of individual lists such as sc.surbl.org is disabled. Please use multi.surbl.org instead. multi includes all of the individual lists, so the individual lists are obsolete. SpamAssassin 3.0 and later queries multi by default, so it does not need any changes. If you are using SpamAssassin 2.6, then plesae upgrade to version 3 or later.
  • 10/1/08: SURBL rsync access is moving to a Sponsored Data Service in order to keep the project operating and improving. Public DNS service for small to medium sized organizations with fewer than 1,000 users remains free. Please see the Usage Policy for more information.
  • 4/6/08: The SURBL phishing list now includes malware site data from malware.com.br.
  • 12/5/07: As of December 2007, we have added The DNS blackhole malware, malicious software and phishing site data to our phishing list.
  • 10/19/06: As of October 2006, we are adding PhishTank data to our phishing list.
  • 2/7/05: We have removed the JP data from WS. If you did not have a separate rule or configuration to use JP before, then please add one. Examples for SpamAssassin are in the Quick Start. (Starting with version 3.1, SpamAssassin has a JP rule included in the default configuration. For SA versions prior to 3.1, please add configurations for JP as described in the Quick Start.)
  • 2/7/05: SC and WS zone files have been removed from the SURBL web site per below. Please use invURIBL or another SURBL plug in with Declude instead.
  • 1/29/05: SC and WS zone files will be removed from the SURBL web site by 1/7/05. This does not affect DNS operation or most SURBL applications which use it, but it does mean that users of Roger Eriksson's Windows command script with Declude Junkmail should use Invariant Systems invURIBL or similar Windows SURBL plug-ins instead.
  • 11/12/04: We have added data from fraud.rhs.mailpolice.com into ph, joining our exiting phishing data from mailsecurity.net.au. This has doubled the size of our phishing list to about 1000 records. Thanks to Jay Swackhamer of MailPolice for gathering this data and making it available to us.
  • 9/27/04: A new list jp.surbl.org is now part of multi.surbl.org. With a bitmask value of 64, it exists only as part of the combinded SURBL list multi, not as a standalone list. JP is based on trap data from Joe Wein and from Raymond Dijkxhoorn and his colleagues at Prolocation which are then processed using Joe's jwSpamSpy program. JP has a very good detection rate around 80% and a very low false positive rate below 0.02%. For information about the JP list, please see the Lists section.
  • 9/17/04: After trying DNS TTLs at 25, 20 and 15 minutes, it appears that 15 minute TTLs optimizes both name server traffic and the quickness of records being added or deleted from the lists. Therefore we are standardizing on 15 minute TTLs for all SURBLs.
  • 8/20/04: As part of our continuing TTL experiment, we have set the TTLs on all lists to 25 minutes. If the resulting DNS traffic does not change much, then we will leave the slower-changing lists at 25 minutes and change SC back to 10 minutes.
  • 8/17/04: We are deprecating be.surbl.org, the SURBL list made from a stale snapshot of the BigEvil list before it got ws added into it. BE probably isn't too useful anymore since it's not getting updated, so please change to using ws.surbl.org instead. Eventually we would like to get rid of BE entirely.
  • 8/17/04: We are cleaning up some of the redundant zone files in the SURBL rsync server:
    1. surbl.rbldnsd - going away, use sc.surbl.org.rbldnsd instead
    2. *.rbldns - going away when no traffic, use *.rbldnsd instead
    3. surbl.bind - going away, use surbl.org.bind instead
    In all cases the replacement files use the preferred names, already exist, and have identical content. If you are using any of the old names, please change them to the new names.
  • 8/11/04: We have lowered the TTLs on SURBL zone files to 1 hour. This includes multi.surbl.org, but does not include sc.surbl.org which already had a 10 minute TTL. This should cause new entries to take effect sooner since the negative caching TTL should also be 1 hour.
  • 8/1/04: ws.surbl.org now has some additional data sources including: MailSecurity's SURBL lists.
  • 7/1/04: Added a new whitelist source: domains of publically-traded companies listed at dmoz and Google. Each yields lists of about 4300 or so of mostly the same domains which are now excluded from SURBLs. Here are the extracted dmoz and Google public company domain lists.
  • 6/30/04: Three new SURBL lists are available: ob.surbl.org, ab.surbl.org, multi.surbl.org. The first two match advertised sites kindly provided by Outblaze and AbuseButler respectively. multi is a bitmask-combined list of all the other SURBL lists, for use with programs that can decode these back into their constiuent lists, such as SpamAssassin 3's urirhssub. More information on these additional lists can be found in the Lists sections.
  • 6/29/04: be.surbl.org records are now included in ws.surbl.org, so please use ws.surbl.org instead of be. be is now frozen and the content in it may go away eventually.
  • 5/6/04: We are now properly removing any subdomains (third or greater level domains or host names) from generic TLDs. (For example, abc.defxyz.com becomes defxyz.com.) This change may result in slightly better matching on both be and sc lists since the clients are supposed to be doing similar things with domains found in message body URIs. The new-style sed expression doing this on the SURBL side is chop-two-level-domains.sed.

External News

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.

Data feeds are available in three formats:

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.

Sign up for SURBL Data Feed Access.

  • Sign up for data feed access

    Direct data feed access offers better filtering performance with fresher data than is available on the public mirrors. Sign up for SURBL Data Feed Access.

  • Applications supporting SURBL

  • Learn about SURBL lists