Introducing SURBL intelligence reputation data

All mentions of "SURBL" on this website refer to "SURBL BV", a corporation registered in the Netherlands.

We are about reputation

SURBL BV (subsequently referred to as "SURBL") specializes in reputation data provided in near real-time feeds. This data can be used to secure mail flow, mobile communications (SMS), web access (safe browsing, DNS Firewalls) and many other activities. Our most well-known data set is the publicly provided Multi, but besides that we also offer privately available datasets (see below). They are not limited to mail operations. Currently SURBL is providing Crypto address, Phone number, an E-Mail source list and newly activated domain feeds (Fresh).

Many of the feeds are available as RPZ (Response Policy Zone). RPZ datasets can be used to trigger actions in DNS firewalls, e.g. to block access to dangerous sites. We were involved in creating the first RPZ dataset.


This data set lists domains of malicious or abused web sites. It can be used to filter or tag unsolicited messages based on links in the message body, regardless of sender IP addresses. It ideally complements filtering based on known bad sender IPs. Used together with sender lists, SURBL intelligence datasets have proven to be a highly-effective way to detect 95% of unsolicited messages. An RPZ version of Multi is available privately.

Other datasets that are available privately:


Fresh is a list of domains that have been recently added to TLD zone file delegations. It includes a UNIX Epoch timestamp of when we most recently detected the changes, and therefore gives an indication of recently delegated domains. Since younger domains are more likely to be abusive, this can be used as one of multiple factors to help indicate domain reputation. Naturally, not all new domains are bad, but many bad domains are young. Selected subsets are available for RPZ.


HashBL is a list of cryptocraphic hashes for various items connected to abuse on the Internet.
This dataset is still growing, with new categories being added. Currently the following are identified:
- Abused public cloud providers
- Abused sender and reply-to e-mail addresses
- Full URI listings
- Abused shortener links
- Crypto address listings
- Phone number listings

Shortener domain list

Shortener domain list is a list of URI shortener services that we are aware of, from major ones like,, to many more minor, hobbyist shorteners.

Abused shortener URI list

Abused shortener URI list contains specific recently appeared abused shortener URIs.


UriQ (URI Query) is an API to check full URIs, in particular for legitimate but cracked or abused sites that can't be listed at the host (domain or IP) level in our main dataset.

Please note that these additional datasets are not available on our public DNS servers.

Please use our Datafeed form to request trial access for any of the above.

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.

The main data set is available in different formats:

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.

Sign up for SURBL Data Feed Access.

  • Sign up for data feed access

    Direct data feed access offers better filtering performance with fresher data than is available on the public mirrors. Sign up for SURBL Data Feed Access.

  • Applications supporting SURBL

  • Learn about SURBL lists