Implementation Guidelines

Here are some brief guidelines for applications using SURBL intelligence datasets.

  1. Extract URIs from your application. (Extraction of URIs from your application should ideally include full resolution of redirections into the final target domain or subomain)
  2. Extract domains or subdomains from those URIs. When using the wildcarded version of multi (e.g., for public DNS queries), it is not necessary to reduce domains to a specific level.  Due to wildcards, subdomains of a blacklisted domain will match a blacklisted domain.  For matching queries against the non-wildcarded version of multi, domains will need to be reduced in order to match the level of blacklisted domains.  We recommend and use the wildcarded version of multi for DNS.
  3. Perform NO name resolution on the extracted domains. 
  4. Look up the domain name in the SURBL by prepending it to the name of the SURBL, e.g.,, then doing Address (A) record DNS resolution on the resulting combined name. A non-result (NXDOMAIN) indicates lack of inclusion in the list. An Address result indicates list inclusion. SURBL matches also have a TXT record associated with them containing a descriptive reason for list inclusion, but the A record is the strongly preferred response for automated use.

    Using the combined list, results will be bitmasked as described in the Lists section. In this case, membership in multiple lists is encoded according to respective bit positions in the returned Address value, and programs should decode these results into their respective individual lists.
  5. Handle numeric IPs in URIs similarly, but reverse the octet ordering before comparison against the DNSBL. This is a standard practice for DNSBLs. For example, is checked as Numeric addresses should be in base-10 representation. If other representations of numeric IP addresses appear in messages, then they should be converted into four, reversed-order, dotted, base-10 octets before checking.
  6. Include a local whitelist function to exclude certain known whitehat domains or IPs from SURBL intelligence checking. This is very important since it prevents many unnecessary queries against common domains like,,, etc., which will never be blacklisted. It's described further in the FAQ.
  7. An increasing number of DNS services are being deployed to protect end users against typo, malware, phishing and unsolicited message web sites by redirecting web service to an alternate site. Generally they do this by changing the IP address or NXDOMAIN responses to DNS queries. Unfortunately these changes can adversely affect SURBL DNS responses and create false positives or false negatives. One way to test for this is to make sure that responses to SURBL DNS queries are in 127/8, in other words that 127 is its first octet. While this won't fully determine correct results, it's still a recommended and good basic input verification test. A good administrative solution is to run a local caching nameserver for DNS resolution, which can also improve performance. More information is in our FAQ.
  8. If you get a result of when doing a SURBL DNS query into the public nameservers, then it means your access is blocked. Please see SURBL's Usage Policy and sign up for SURBL's Sponsored Data Service (SDS).

SURBL lists somewhat unusually have both names and numbers in the same list. For example, and and similar actual unsolicited message URI domains and IP addresses both appear in SURBL lists. IP addresses appearing in SURBL intelligence datasets are not the result of applying name resolution to domain names. Numbered addresses in SURBL intelligence are actually seen in apoplication flows with the uri presented as numbers, e.g.: literally Additional SURBL test points are mentioned in the FAQ. For more information about list data please also see the Lists section.

Please do not use SURBL intelligence to check sender IP addresses. Also do not resolve domains on SURBL lists and make blacklists of the resulting IPs. These may result in unexpected false positives, for example for services hosted on shared IP web or mail servers.

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.

The main data set is available in different formats:

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.

Sign up for SURBL Data Feed Access.

  • Sign up for data feed access

    Direct data feed access offers better filtering performance with fresher data than is available on the public mirrors. Sign up for SURBL Data Feed Access.

  • Applications supporting SURBL

  • Learn about SURBL lists