Introducing SURBL URI reputation data

What

SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders.

Why

Web sites seen in unsolicited messages tend to be more stable than the rapidly changing botnet IP addresses used to send the vast majority of them. Sender lists like zen.spamhaus.org can be used in a first stage filter to help identify 80% to 90% of unsolicited messages. SURBLs can help find about 75% of the otherwise difficult, remaining unsolicited messages in a second stage filter. Used together with sender lists, SURBLs have proven to be a highly-effective way to detect 95% of unsolicited messages.

How

Using SURBLs requires a mail filter that can extract web sites from message bodies and check them against the lists. Many applications support SURBLs, including SpamAssassin and filters for most major MTAs including sendmail, postfix, qmail, exim, Exchange, qpsmtpd and others. For a partial list of dozens of applications supporting SURBLs, please see the Links page. Note that direct blocking at the MTA level is not recommended. It's generally better to use SURBLs along with multiple, weighted factors, as SpamAssassin does. For new implentations, please see the Implementation Guidelines.

Future

SURBLs continue to improve listing speed and coverage through a variety of techniques.

Please see the rest of this site for more information.

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.

Data feeds are available in three formats:

  • rsync (Sponsored Data Service - SDS)
  • DNS (Private Query Service - PQS)
  • RPZ (DNS Response Policy Zones)

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.

Sign up for SURBL Data Feed Access.

  • Sign up for data feed access

    Direct data feed access offers better filtering performance with fresher data than is available on the public mirrors. Sign up for SURBL Data Feed Access.

  • Applications supporting SURBL

    • Apache SpamAssassin - #1 Open-Source Spam Filter
    • milter-link - filter for Sendmail and Postfix
    • More...

  • Learn about SURBL lists

    • AB - AbuseButler web sites
    • WS - sa-blacklist web sites
    • JP - JP web sites
    • More...