Introducing SURBL URI reputation data


SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders.


Web sites seen in unsolicited messages tend to be more stable than the rapidly changing botnet IP addresses used to send the vast majority of them. Sender lists like can be used in a first stage filter to help identify 80% to 90% of unsolicited messages. SURBLs can help find about 75% of the otherwise difficult, remaining unsolicited messages in a second stage filter. Used together with sender lists, SURBLs have proven to be a highly-effective way to detect 95% of unsolicited messages.


Using SURBLs requires a mail filter that can extract web sites from message bodies and check them against the lists. Many applications support SURBLs, including SpamAssassin and filters for most major MTAs including sendmail, postfix, qmail, exim, Exchange, qpsmtpd and others. For a partial list of dozens of applications supporting SURBLs, please see the Links page. Note that direct blocking at the MTA level is not recommended. It's generally better to use SURBLs along with multiple, weighted factors, as SpamAssassin does. For new implentations, please see the Implementation Guidelines.


Other SURBL data

In addition to our main dataset introduced above, SURBL has other types of data available privately.


SURBL UriQ enables checking of full URIs, in particular for legitimate but cracked or abused sites that can't be listed at the host (domain or IP) level in our main dataset.


SURBL Fresh is a list of domains that have been recently added to TLD zone file delegations. It includes a UNIX Epoch timestamp of when we most recently detected the changes, and therefore gives an indication of recently delegated domains. Since younger domains are more likely to be abusive, this can be used as one of multiple factors to help indicate domain reputation. Naturally, not all new domains are bad, but many bad domains are young.

SURBL shortener domain list

SURBL shortener domain list is a list of some URI shorteners that we are aware of. It includes major ones like,, etc., and many more minor, hobbyist shorteners.

SURBL abused shortener URI list

SURBL abused shortener URI list has specific abused shortener URIs.

Please note that these additional datasets are not available on our public DNS servers.

Please use our Datafeed form to request trial access.

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.

The main data set is available in different formats:

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.

Sign up for SURBL Data Feed Access.

  • Sign up for data feed access

    Direct data feed access offers better filtering performance with fresher data than is available on the public mirrors. Sign up for SURBL Data Feed Access.

  • Applications supporting SURBL

  • Learn about SURBL lists