SURBL Lists

SURBL intelligence datasets contain information that can be used to filter or tag application data. The information can be used with programs that can check message body web sites against SURBL intelligence, such as SpamAssassin 3 and others mentioned on the links page. But it can also be used to filter data inside DNS firewalls or other application types. We still discover new use cases where our datasets could be applied to. Most of the use cases now day are not related to email. Some datasets are provided to mitigate botnet traffic, hosting providers can use it to find bad actors inside their customerbase.  Or simply use the data to avoid their servers to talk to botnets. The fresh dataset is a very good usecase for that type of data.  Not all new domains are bad but a lot of malicious domains are newly registered.

Here's an overview of the multi lists and their data sources.

ABUSE - spam and other abuse sites

This list contains mainly general abused sites (pills, counterfeits, dating, etc.). It also includes data from Internet security, anti-abuse, ISP, ESP and other communities, such as Telenor. Most of the data in ABUSE come from internal, proprietary research by SURBL itself. The data is sourced in many ways including use of passive dns and handling the zonefile data that we get from the various TLD operators around the globe.

PH - Phishing sites

Phishing data from multiple sources is included in the PH Phishing data source. Phishing data includes PhishTank, PhishLabs and several other sources, including proprietary research by SURBL.

MW - Malware sites

This list contains data from multiple sources that cover sites hosting malware. This includes abuse.ch and others. Some cracked hosts are also included in MW since many cracked sites also have malware. Note that the above is only a sampling of many different malware data sources in MW. Malware data also includes significant proprietary research by SURBL.

CR - Cracked sites

This list contains data from multiple sources that cover cracked sites, including SURBL internal ones. Criminals steal credentials or abuse vulnerabilities in CMS such as Wordpress or Joomla to break into websites and add malicious content. Often cracked pages will redirect to spam sites or to other cracked sites. Cracked sites usually still contain the original legitimate content and may still be mentioned in legitimate emails, besides the malicious pages referenced in spam.

multi.surbl.org - Combined dataset multi

All of the our public data sources are combined into a single, bitmasked list: multi.surbl.org. Bitmasking means that there is only one entry per domain name or IP address, but that entry will resolve into an address (DNS A record) whose last octet indicates which lists it belongs to. The bit positions in that last octet for membership in the different lists are:

8 = listed on PH
16 = listed on MW
64 = listed on ABUSE
128 = listed on CR

If an entry belongs to just one list it will have an address where the last octet has that value. For example 127.0.0.8 means it's on the phishing list, while 127.0.0.64 means it's listed on the ABUSE list. An entry on multiple lists gets the sum of those list numbers as the last octet, so 127.0.0.80 means a record is on both MW and ABUSE (comes from: 16 + 64 = 80). In this way, membership in multiple lists is encoded into a single response. Octets other than the first and last one are reserved for future use and should be ignored.

Default TTL for the live data in the multi list is 3 minutes. The multi.surbl.org data is highly dynamic and on average gets updated every 30-40 seconds.

Each entry also has a TXT record mentioning which lists it is on, and pointing to this page. While the TXT records are relatively stable, they are meant for human readers (e.g. in non-delivery messages) and not for parsing by software. We highly recommend that automatic processing be based on the A record only.

More information about how to use our datasets can be found in the Implementation Guidelines.

Blocked Result Code 127.0.0.1

If you get a result of 127.0.0.1 when doing a DNS query into the public nameservers, then it means your access is blocked. Please see our Usage Policy and sign up for our Sponsored Data Service (SDS).

Other SURBL intelligence datasets

Other lists and data feeds are available from SURBL intelligence. Be sure to subscribe to the low-volume Announce mailing list for important updates.

SURBL operates various datasets (Crypto listings / Abused e-mail sender and reply-to datasets / Phone number lists / Various shortner lists / Fresh) Most of these sets are available with granted access. Fill out the datafeed form for more information about those.

List Removal

To request removal from a SURBL list, please start with the the SURBL Lookup page and follow the instructions on the removal form.

Before submitting a removal request of the Cracked (CR), Phishing (PH) or Malware (MW) lists, please be sure to remove and secure all phishing sites, cracked accounts, viruses, malware loaders, trojan horses, unpatched operating systems, insecure PHP boards, insecure Wordpress, insecure Joomla, insecure third party plugins, cracked SQL, insecure ftp passwords, password sniffers, etc., from the web site and all computers used to upload content to the web site before contacting us. If you need help, please contact a security expert to do a full security audit on the web site and all computers used to connect to it. Systems that are not properly secured may be broken into again.

Note that there has also been cracking of DNS control panels resulting in malicious subdomains being added to domains. Please also check and fully secure all DNS infrastructure for your domains. Please contact a security expert if you need help with this.

List Performance

We aim for fast updates, minimal false positives and high catch rates. The results can be confirmed here:

 


lists.html version 2.55 on 12-12-2020

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.

The main data set is available in different formats:

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.

Sign up for SURBL Data Feed Access.

  • Sign up for data feed access

    Direct data feed access offers better filtering performance with fresher data than is available on the public mirrors. Sign up for SURBL Data Feed Access.

  • Applications supporting SURBL

  • Learn about SURBL lists