• New ABUSE sublist -- SC, AB sublists deprecated -- migration to ABUSE

    December 17, 2015
    In order to keep improving SURBL data, we plan to reorganize some of the sublists inside the combined list multi as described below.

    SC, AB sublists deprecated, merged into ABUSE sublist with JP

    Until now the SURBL multi data set consisted of the two typed sublists MW (malware) and PH (phishing) and several general data sets (AB, JP, SC and WS), each with its own bit mask value. To simplify the use of multi and to prepare for more detailed typing information in the future we will be merging the above general lists into a single sublist that will be known as ABUSE. All domains listed on ABUSE will return bit mask 64, the value previously used by the JP sublist.  
    Effective immediately, the SC and AB data sets have been migrated and are already part of ABUSE, as is the JP data set. These migrated data sets now no longer return bit mask values 2 (SC) and 32 (AB) but 64. Their old bit mask values have been deprecated.  

    WS sublist to be deprecated after transition period

    The WS sublist will be migrated into ABUSE (bit mask value 64) after a transition period, per the timeline at the end of this announcement. Its old bit mask value 4 will then be deprecated. 

    For compatibility with existing applications, any TXT records for hosts listed on ABUSE will continue to identify the sublist name as JP until the end of the transition period. To existing unmodified applications it will appear that the SC and AB sublists have been emptied and their data added to the JP sublist. 
    Generally we recommend that application developers not depend on particular TXT records, as  they are meant for human readers (for example, in non-delivery messages) and are subject to change without notice. Applications should always use the numeric (A record) return values from DNS queries instead. 


    Deprecation of the SC, AB sublists - Immediate 
      AB => bit mask value 64
      SC => bit mask value 64
    Migration of WS dataset to ABUSE - 1 May 2016 
      WS => bit mask value 64
      renaming of ABUSE TXT record
    The documentation on the SURBL site will be updated over the next few weeks to reflect the changes. It has not been updated yet.

    Recommended action

    We recommend that SURBL application developers prepare to update their configurations according to these changes so they are ready when the changes are put into production on our name servers and zone files.
    Please direct followup discussion to the SURBL Discussion list.

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.

The main data set is available in different formats:

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.

Sign up for SURBL Data Feed Access.

  • Sign up for data feed access

    Direct data feed access offers better filtering performance with fresher data than is available on the public mirrors. Sign up for SURBL Data Feed Access.

  • Applications supporting SURBL

  • Learn about SURBL lists