• Deprecation of OB sublist, creation of MW malware sublist

    October 21, 2012

    In order to keep improving SURBL data, we plan to reorganize some of the sublists inside the combined list multi as described below.

    OB -- OB sublist to be deprecated immediately

    Due to reduced effectiveness, SURBL will be deprecating the data in the OB sublist in a multi-stage process described below, with the timeline at the end of this announcement.

    We will be emptying the OB dataset beginning immediately. Since the current OB data are resulting in few detections, emptying the list should not significantly impact most production systems that are using the data.

    After the OB dataset has been empty for a period of time, we will be replacing bitmask bit 16 that OB currently uses with a new list described next.

    SURBL would like to sincerely thank the Outblaze team and their successor organization IBM for very kindly making the Outblaze data available to the SURBL community for several years. Special thanks go to Suresh Ramasubramanian and his colleagues for their many years of dedication in helping SURBL and the broader Internet community to stop messaging, botnet, malware, phishing and other forms of abuse.

    MW -- New malware sublist

    After some time with OB data emptied, the bitmask bit 16 formerly used by OB will be used by a new list MW which will consist of malware domains and IPs, most of which are currently merged into the PH list. We had overloaded the phishing list PH with both phishing and malware data since they were somewhat related, but several users of SURBL data have expressed an interest in separate classifications for phishing and malware.

    Splitting those categories of data into separate sublists will make the distinctions between phishing and malware available for the whole SURBL community to use. Having a separate malware sublist should allow SURBL applications to make finer-grained, more accurate classifications and to perform better as a result.

    Some records may be on multiple lists. For example if a site has both phishing and malware, then it may be on both the PH and MW lists. Overlap between any datasets has been and will continue to be possible.


    Deprecation of the OB dataset - Immediate

    Creation of the MW (malware) dataset - 1 May 2013

    The documentation on the SURBL site will be updated in the next few weeks to reflect the changes. It has not been updated yet.

    Recommended action:

    We recommend that SURBL application developers prepare to update their configurations according to these changes so they are ready when the changes are put into production on our name servers and zone files.

    Please direct followup discussion to the SURBL Discussion list.
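
An added example, not SURBL's own code: decoding the last octet of an answer from the combined list multi with a date-aware table, so bit 16 reads as OB before the MW creation date and as MW from 1 May 2013, including a record on both PH and MW. The PH bit value 8, the function names and the sample answers are assumptions that do not appear in this announcement.

```python
import ipaddress
from datetime import date

MW_START = date(2013, 5, 1)  # MW creation date from the announcement
SHARED_BIT = 16              # from the announcement: OB's bit, reused by MW
PH_BIT = 8                   # assumption: PH's value in multi, not stated on this page


def bit_labels(on):
    """Return the bit -> sublist table that is valid on the given date."""
    return {PH_BIT: "PH", SHARED_BIT: "MW" if on >= MW_START else "OB"}


def decode_multi(answer, on):
    """Decode one A-record answer from the combined list into sublist names."""
    octets = ipaddress.IPv4Address(answer).packed
    # Only 127.0.0.x is a list answer; anything else (for example a resolver
    # that rewrites NXDOMAIN to a real address) must not count as a listing.
    if octets[:3] != bytes([127, 0, 0]):
        return set()
    mask = octets[3]
    # Bits outside this table belong to other sublists and are ignored here.
    return {name for bit, name in bit_labels(on).items() if mask & bit}


def verdict(answer, on):
    """Map sublist membership to the category a filter would act on."""
    lists = decode_multi(answer, on)
    categories = []
    if "PH" in lists:
        categories.append("phishing")
    if "MW" in lists:
        categories.append("malware")
    # OB is being emptied, so a hit on it carries no category of its own.
    return "+".join(categories) or None


if __name__ == "__main__":
    # Constructed sample answers, not real lookups.
    for answer, on in [("127.0.0.16", date(2012, 10, 21)),
                       ("127.0.0.16", date(2013, 5, 1)),
                       ("127.0.0.24", date(2013, 6, 1)),
                       ("203.0.113.7", date(2013, 6, 1))]:
        print(answer, on, sorted(decode_multi(answer, on)), verdict(answer, on))
```

A configuration that still hard-codes bit 16 as OB after the cutover would report malware listings under the wrong sublist name, which is the change the recommended action asks developers to prepare for.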

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.

The main data set is available in different formats:

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.
