All of the SURBL data sources are combined into a single, bitmasked list: multi.surbl.org. Bitmasking means that there is only one entry per domain name or IP address, but that entry will resolve into an address (DNS A record) whose last octet indicates which lists it belongs to. The bit positions in that last octet for membership in the different lists are:
- 8 = listed on PH
- 16 = listed on MW
- 64 = listed on ABUSE
- 128 = listed on CR
If an entry belongs to just one list it will have an address where the last octet has that value. For example 127.0.0.8 means it's on the phishing list, while 127.0.0.64 means it's listed on the ABUSE list. An entry on multiple lists gets the sum of those list numbers as the last octet, so 127.0.0.80 means a record is on both MW and ABUSE (comes from: 16 + 64 = 80). In this way, membership in multiple lists is encoded into a single response. Octets other than the first and last one are reserved for future use and should be ignored.
We recommend using multi with programs that can decode the responses into specific lists according to bitmasks, such as SpamAssassin 3's urirhssub or SpamCopURI version 0.22 or later for use with SpamAssassin 2.64.
Default TTL for the live data in the multi list is 3 minutes. The multi.surbl.org data is highly dynamic and on average gets updated more than once a minute.
Each entry also has a TXT record mentioning which lists it is on, and pointing to this page. While the TXT records are relatively stable, they are meant for human readers (e.g. in non-delivery messages) and not for parsing by software. We highly recommend that automatic processing be based on the A record only.
More information about how to use SURBL data can be found in the Implementation Guidelines