SURBL - Spam URI Realtime Blocklists
Surbl
SURBL offers a highly accurate and dynamic list of current, active, bad domains, as well as up-to-date threat data on malicious websites. SURBL is extremely effective at detecting and controlling difficult-to-detect phishing, malware, and bot-net domains.
SURBL data contains approximately 1.5 million current, active, bad domains, is continuously updated (updated every 1-2 minutes), and significantly improves detection of phishing, malware, and bot-net domains.
SURBL data contains approximately 1.5 million current, active, bad domains, is continuously updated (updated every 1-2 minutes), and significantly improves detection of phishing, malware, and bot-net domains.
Protect from malicious URL’s and malicious websites
SURBLs contain web sites that appear in unsolicited messages. They can be used with programs that can check message body web sites against SURBLs, such as SpamAssassin 3 and others mentioned on the links page.
Identify your competitive edge
Here's an overview of the lists and their data sources.
˃ jwSpamSpy + Prolocation sites
˃ sa-blacklist web sites
˃ SpamCop web sites
˃ AbuseButler web sites
This list contains mainly general spam sites (pills, counterfeits, dating, etc.). It combines data from the formerly separate JP, WS, SC and AB lists. It also includes data from Internet security, anti-abuse, ISP, ESP and other communities, such as Telenor. Most of the data in ABUSE come from internal, proprietary research by SURBL itself.
This list contains mainly general spam sites (pills, counterfeits, dating, etc.). It combines data from the formerly separate JP, WS, SC and AB lists. It also includes data from Internet security, anti-abuse, ISP, ESP and other communities, such as Telenor. Most of the data in ABUSE come from internal, proprietary research by SURBL itself.
jwSpamSpy + Prolocation sites
Joe Wein's jwSpamSpy program along with systems operated by Raymond Dijkxhoorn and his colleagues at Prolocation provide JP data. The resulting list has a very good detection rate and a very low false positive rate.
sa-blacklist web sites
WS started off with records from Bill Stearns' SpamAssassin ruleset sa-blacklist but nowadays holds data from many different data sources.
SpamCop web sites
SC contains message-body web sites processed from SpamCop URI reports, also known as "spamvertised" web sites. The reports are not used directly, but are subject to extensive processing. Entries in SC expire automatically several days after the SpamCop reports decrease.
Note that this list is not the same as bl.spamcop.net, which is a list of mail sender IP addresses.
AbuseButler web sites
AbuseButler is kindly providing its Spamvertised Sites which have been most often reported over the past 7 days. The philosophy and data processing methods are similar to the SC data, and the results are similar, but not identical. Data sources for AbuseButler include SpamCop and native AbuseButler reporting.
jwSpamSpy + Prolocation sites
Joe Wein's jwSpamSpy program along with systems operated by Raymond Dijkxhoorn and his colleagues at Prolocation provide JP data. The resulting list has a very good detection rate and a very low false positive rate.
sa-blacklist web sites
WS started off with records from Bill Stearns' SpamAssassin ruleset sa-blacklist but nowadays holds data from many different data sources.
SpamCop web sites
SC contains message-body web sites processed from SpamCop URI reports, also known as "spamvertised" web sites. The reports are not used directly, but are subject to extensive processing. Entries in SC expire automatically several days after the SpamCop reports decrease.
Note that this list is not the same as bl.spamcop.net, which is a list of mail sender IP addresses.
AbuseButler web sites
AbuseButler is kindly providing its Spamvertised Sites which have been most often reported over the past 7 days. The philosophy and data processing methods are similar to the SC data, and the results are similar, but not identical. Data sources for AbuseButler include SpamCop and native AbuseButler reporting.
This list contains mainly general spam sites (pills, counterfeits, dating, etc.). It combines data from the formerly separate JP, WS, SC and AB lists. It also includes data from Internet security, anti-abuse, ISP, ESP and other communities, such as Telenor. Most of the data in ABUSE come from internal, proprietary research by SURBL itself.
This list contains mainly general spam sites (pills, counterfeits, dating, etc.). It combines data from the formerly separate JP, WS, SC and AB lists. It also includes data from Internet security, anti-abuse, ISP, ESP and other communities, such as Telenor. Most of the data in ABUSE come from internal, proprietary research by SURBL itself.
jwSpamSpy + Prolocation sites
Joe Wein's jwSpamSpy program along with systems operated by Raymond Dijkxhoorn and his colleagues at Prolocation provide JP data. The resulting list has a very good detection rate and a very low false positive rate.
sa-blacklist web sites
WS started off with records from Bill Stearns' SpamAssassin ruleset sa-blacklist but nowadays holds data from many different data sources.
SpamCop web sites
SC contains message-body web sites processed from SpamCop URI reports, also known as "spamvertised" web sites. The reports are not used directly, but are subject to extensive processing. Entries in SC expire automatically several days after the SpamCop reports decrease.
Note that this list is not the same as bl.spamcop.net, which is a list of mail sender IP addresses.
AbuseButler web sites
AbuseButler is kindly providing its Spamvertised Sites which have been most often reported over the past 7 days. The philosophy and data processing methods are similar to the SC data, and the results are similar, but not identical. Data sources for AbuseButler include SpamCop and native AbuseButler reporting.
jwSpamSpy + Prolocation sites
Joe Wein's jwSpamSpy program along with systems operated by Raymond Dijkxhoorn and his colleagues at Prolocation provide JP data. The resulting list has a very good detection rate and a very low false positive rate.
sa-blacklist web sites
WS started off with records from Bill Stearns' SpamAssassin ruleset sa-blacklist but nowadays holds data from many different data sources.
SpamCop web sites
SC contains message-body web sites processed from SpamCop URI reports, also known as "spamvertised" web sites. The reports are not used directly, but are subject to extensive processing. Entries in SC expire automatically several days after the SpamCop reports decrease.
Note that this list is not the same as bl.spamcop.net, which is a list of mail sender IP addresses.
AbuseButler web sites
AbuseButler is kindly providing its Spamvertised Sites which have been most often reported over the past 7 days. The philosophy and data processing methods are similar to the SC data, and the results are similar, but not identical. Data sources for AbuseButler include SpamCop and native AbuseButler reporting.
Phishing data from multiple sources is included in the PH Phishing data source. Phishing data includes PhishTank, OITC, PhishLabs, Malware Domains and several other sources, including proprietary research by SURBL.
This list contains data from multiple sources that cover sites hosting malware. This includes OITC, abuse.ch, The DNS blackhole malicious site data from malwaredomains.com and others. Some cracked hosts are also included in MW since many cracked sites also have malware. Note that the above is only a sampling of many different malware data sources in MW. Malware data also includes significant proprietary research by SURBL.
All of the SURBL data sources are combined into a single, bitmasked list: multi.surbl.org. Bitmasking means that there is only one entry per domain name or IP address, but that entry will resolve into an address (DNS A record) whose last octet indicates which lists it belongs to. The bit positions in that last octet for membership in the different lists are:
We recommend using multi with programs that can decode the responses into specific lists according to bitmasks, such as SpamAssassin 3's urirhssub or SpamCopURI version 0.22 or later for use with SpamAssassin 2.64.
Default TTL for the live data in the multi list is 3 minutes. The multi.surbl.org data is highly dynamic and on average gets updated more than once a minute.
Each entry also has a TXT record mentioning which lists it is on, and pointing to this page. While the TXT records are relatively stable, they are meant for human readers (e.g. in non-delivery messages) and not for parsing by software. We highly recommend that automatic processing be based on the A record only.
More information about how to use SURBL data can be found in the Implementation Guidelines
- 8 = listed on PH
- 16 = listed on MW
- 64 = listed on ABUSE
- 128 = listed on CR
We recommend using multi with programs that can decode the responses into specific lists according to bitmasks, such as SpamAssassin 3's urirhssub or SpamCopURI version 0.22 or later for use with SpamAssassin 2.64.
Default TTL for the live data in the multi list is 3 minutes. The multi.surbl.org data is highly dynamic and on average gets updated more than once a minute.
Each entry also has a TXT record mentioning which lists it is on, and pointing to this page. While the TXT records are relatively stable, they are meant for human readers (e.g. in non-delivery messages) and not for parsing by software. We highly recommend that automatic processing be based on the A record only.
More information about how to use SURBL data can be found in the Implementation Guidelines
If you get a result of 127.0.0.1 when doing a SURBL DNS query into the public nameservers, then it means your access is blocked. Please see SURBL's Usage Policy and sign up for SURBL's Sponsored Data Service (SDS).
Other lists and data feeds may become available as future SURBLs. Please check back here occasionally, but be sure to subscribe to the low-volume Announce mailing list for important updates.
To request removal from a SURBL list, please start with the the SURBL Lookup page and follow the instructions on the removal form.
For the Cracked (CR), Phishing (PH) or Malware (MW) lists or any cracked (breached) web sites, please be sure to remove and secure all phishing sites, cracked accounts, viruses, malware loaders, trojan horses, unpatched operating systems, insecure PHP boards, insecure Wordpress, insecure Joomla, insecure third party plugins, cracked SQL, insecure ftp passwords, password sniffers, etc., from the web site and all computers used to upload content to the web site before contacting us. If you need help, please contact a security expert to do a full security audit on the web site and all computers used to connect to it. Systems that are not properly secured may be broken into again.
Note that there has also been cracking of DNS control panels resulting in malicious subdomains being added to domains. Please also check and fully secure all DNS infrastructure for your domains. Please contact a security expert if you need help with this.
For the Cracked (CR), Phishing (PH) or Malware (MW) lists or any cracked (breached) web sites, please be sure to remove and secure all phishing sites, cracked accounts, viruses, malware loaders, trojan horses, unpatched operating systems, insecure PHP boards, insecure Wordpress, insecure Joomla, insecure third party plugins, cracked SQL, insecure ftp passwords, password sniffers, etc., from the web site and all computers used to upload content to the web site before contacting us. If you need help, please contact a security expert to do a full security audit on the web site and all computers used to connect to it. Systems that are not properly secured may be broken into again.
Note that there has also been cracking of DNS control panels resulting in malicious subdomains being added to domains. Please also check and fully secure all DNS infrastructure for your domains. Please contact a security expert if you need help with this.
Phishing data from multiple sources is included in the PH Phishing data source. Phishing data includes PhishTank, OITC, PhishLabs, Malware Domains and several other sources, including proprietary research by SURBL.
This list contains data from multiple sources that cover sites hosting malware. This includes OITC, abuse.ch, The DNS blackhole malicious site data from malwaredomains.com and others. Some cracked hosts are also included in MW since many cracked sites also have malware. Note that the above is only a sampling of many different malware data sources in MW. Malware data also includes significant proprietary research by SURBL.
All of the SURBL data sources are combined into a single, bitmasked list: multi.surbl.org. Bitmasking means that there is only one entry per domain name or IP address, but that entry will resolve into an address (DNS A record) whose last octet indicates which lists it belongs to. The bit positions in that last octet for membership in the different lists are:
We recommend using multi with programs that can decode the responses into specific lists according to bitmasks, such as SpamAssassin 3's urirhssub or SpamCopURI version 0.22 or later for use with SpamAssassin 2.64.
Default TTL for the live data in the multi list is 3 minutes. The multi.surbl.org data is highly dynamic and on average gets updated more than once a minute.
Each entry also has a TXT record mentioning which lists it is on, and pointing to this page. While the TXT records are relatively stable, they are meant for human readers (e.g. in non-delivery messages) and not for parsing by software. We highly recommend that automatic processing be based on the A record only.
More information about how to use SURBL data can be found in the Implementation Guidelines
- 8 = listed on PH
- 16 = listed on MW
- 64 = listed on ABUSE
- 128 = listed on CR
We recommend using multi with programs that can decode the responses into specific lists according to bitmasks, such as SpamAssassin 3's urirhssub or SpamCopURI version 0.22 or later for use with SpamAssassin 2.64.
Default TTL for the live data in the multi list is 3 minutes. The multi.surbl.org data is highly dynamic and on average gets updated more than once a minute.
Each entry also has a TXT record mentioning which lists it is on, and pointing to this page. While the TXT records are relatively stable, they are meant for human readers (e.g. in non-delivery messages) and not for parsing by software. We highly recommend that automatic processing be based on the A record only.
More information about how to use SURBL data can be found in the Implementation Guidelines
If you get a result of 127.0.0.1 when doing a SURBL DNS query into the public nameservers, then it means your access is blocked. Please see SURBL's Usage Policy and sign up for SURBL's Sponsored Data Service (SDS).
Other lists and data feeds may become available as future SURBLs. Please check back here occasionally, but be sure to subscribe to the low-volume Announce mailing list for important updates.
To request removal from a SURBL list, please start with the the SURBL Lookup page and follow the instructions on the removal form.
For the Cracked (CR), Phishing (PH) or Malware (MW) lists or any cracked (breached) web sites, please be sure to remove and secure all phishing sites, cracked accounts, viruses, malware loaders, trojan horses, unpatched operating systems, insecure PHP boards, insecure Wordpress, insecure Joomla, insecure third party plugins, cracked SQL, insecure ftp passwords, password sniffers, etc., from the web site and all computers used to upload content to the web site before contacting us. If you need help, please contact a security expert to do a full security audit on the web site and all computers used to connect to it. Systems that are not properly secured may be broken into again.
Note that there has also been cracking of DNS control panels resulting in malicious subdomains being added to domains. Please also check and fully secure all DNS infrastructure for your domains. Please contact a security expert if you need help with this.
For the Cracked (CR), Phishing (PH) or Malware (MW) lists or any cracked (breached) web sites, please be sure to remove and secure all phishing sites, cracked accounts, viruses, malware loaders, trojan horses, unpatched operating systems, insecure PHP boards, insecure Wordpress, insecure Joomla, insecure third party plugins, cracked SQL, insecure ftp passwords, password sniffers, etc., from the web site and all computers used to upload content to the web site before contacting us. If you need help, please contact a security expert to do a full security audit on the web site and all computers used to connect to it. Systems that are not properly secured may be broken into again.
Note that there has also been cracking of DNS control panels resulting in malicious subdomains being added to domains. Please also check and fully secure all DNS infrastructure for your domains. Please contact a security expert if you need help with this.
Malicious Domain and URL Datasets
If you have any questions about Surbl Datasets, or if you would like to request more information, please contact us
Talk to an Expert
Fill out the form below and one of our experts will get in touch with you.
Products
Data Market
Services
News
About
© 2023 Pipeline Inc. All Rights Reserved