Threat Intelligence Center

Sender Support ►

Understanding Blacklists
ISP Filtering Reference
Threat Level Guide

Threat Classifications

Spam Traps & Honeypots
Recycled Traps & Moles
Oversight Seeds
Typo & Fake Emails
Black Holes
Dormant Accounts
Parked Resources
Disposable Email Accounts

Blacklist Profiles

URIBL Advisory Sites
RBL Advisories
Blacklist Removal

Recent Articles

Spam Trap Hit?
Suspended ESP account?

Anti-Spam Blogs

Word-to-the-Wise Blog
Al Iverson Blog

Blacklist Profiles\SURBL URI Reputation Data

SURBLs contain web sites that appear in unsolicited messages. They can be used with programs that can check message body web sites against SURBLs, such as SpamAssassin 3 and others mentioned on the links page.

Here's an overview of the lists and their data sources.

ABUSE - spam and abuse sites ? jwSpamSpy + Prolocation sites
sa-blacklist web sites
SpamCop web sites
AbuseButler web sites
PH - Phishing sites
MW - Malware sites
CR - Cracked sites
multi.surbl.org - Combined SURBL list

http://www.surbl.org

Blacklist Zone(s)

multi.surbl.org

Blacklist type

URIBL: A URI dnsbl is simply an anti-spam “black list” delivered via DNS which consists of domain names and IP addresses which are found in the body of the message. Specifically, there are the domains and IP addresses which spammers use to host their web sites.

Threat level/ delivery impact

Brand/ Network Resource/ Deliverability Harm - If your firm is impacted by threats shown below, you need to take immediate action as a laundry list of negative outcomes have potentially already begun ranging from significant deliverability issues to service termination from your ESP or ISP. If ignored, your brand reputation could be permanently tarnished and easily become associated in some circles with known spam organizations such as SpamHaus’s ROKSO or other similar blacklists.

Nomination

Automatic (upon receipt of a spam to a spamtrap mailbox), with extensive whitelists and filtering to prevent false positives.

Listing lifetime

Typically Permanent. Very hard to get removed.

Notes

ABUSE - spam and other abuse sites.

This list contains mainly general spam sites (pills, dating, etc). It combines data from the formerly separate JP, WS, SC and AB lists.

jwSpamSpy + Prolocation sites

Joe Wein's jwSpamSpy program along with systems operated by Raymond Dijkxhoorn and his colleagues at Prolocation provide JP data. The resulting list has a very good detection rate and a very low false positive rate.

sa-blacklist web sites

WS started off with records from Bill Stearns' SpamAssassin ruleset sa-blacklist but nowadays holds data from many different data sources.

SpamCop web sites.

SC contains message-body web sites processed from SpamCop URI reports, also known as ""spamvertised"" web sites. The reports are not used directly, but are subject to extensive processing. Entries in SC expire automatically several days after the SpamCop reports decrease.

Note that this list is not the same as bl.spamcop.net, which is a list of mail sender IP addresses.

AbuseButler web sites.

AbuseButler is kindly providing its Spamvertised Sites which have been most often reported over the past 7 days. The philosophy and data processing methods are similar to the SC data, and the results are similar, but not identical. Data sources for AbuseButler include SpamCop and native AbuseButler reporting.

PH - Phishing sites.

Phishing data from multiple sources is included in the PH Phishing data source. Phishing data was first provided by MailSecurity, later joined by PhishTank data, OITC phishing data, PhishLabs data and several other sources.

MW - Malware sites.

This list contains data from multiple sources that cover sites hosting malware. This includes OITC, The DNS blackhole malicious site data from malwaredomains.com and Malware Domain List. Some cracked hosts are also included in MW since many cracked sites also have malware. Note that the above is only a sampling of many different malware data sources in MW.

CR - Cracked sites.

This list contains data from multiple sources that cover cracked sites. Criminals steal credentials or abuse vulnerabilities in CMS such as Wordpress or Joomla to break into websites and add malicious content. Often cracked pages will redirect to spam sites or to other cracked sites. Cracked sites usually still contain the original legitimate content and may still be mentioned in legitimate emails, besides the malicious pages referenced in spam.

Delisting guidance

To request removal from a SURBL list, please start with the the SURBL Lookup page (http://www.surbl.org/surbl-analysis) and follow the instructions on the removal form.

About Impressionwise

Impressionwise is a firm that provides professional real-time email verification, validation, and list cleaning services. Our core belief is that in order to have a successful email campaign, a company must send only a clean, well maintained email list. Our cleansing methodology is focused on the health of your sending network resources. The cleaner the domain and IP the better the delivery. Specifically helping email marketers validate and remove threat based email elements such as spam traps to ensure you are maximizing your lists' potential resulting in a higher level of engagement with your recipients. Our services allow you eliminate hard bounces and thus avoid being banned by your email service provider. Having been around for the past decade, Impressionwise’s longevity and industry experience have allowed us to amass the industry’s largest set of email list cleaning resources with the most flexible service options resulting in the highest level of actionable insight.