New CR (cracked sites) sublist and UriQ (URI query) API
December 19, 2015
CR (cracked sites) sublist to be added to multi.surbl.org
SURBL traditionally lists hosts (domains and IPs) owned by abusers,
but as blacklisting their own hosts has impacted them, some have
switched to using cracked third-party sites. Criminals steal
credentials or exploit vulnerabilities to break into sites and upload
malicious pages, including redirectors that forward browsers to other
sites. Often only the cracked URIs appear in abusive messages, so a
listing of the abusers' own hosts does not catch those messages.
To better handle such sites we are creating the new CR sublist to
identify cracked hosts. The new list uses bitmask value 128. Since
this value was previously unused, there should be no compatibility
issues with existing applications that use SURBL data and only test
for previously defined bitmask values. Applications that treat any
answer from multi.surbl.org as a listing without inspecting the
individual bits will, however, begin to treat hosts listed only on CR
as fully listed; see the implementation recommendations below.
UriQ – Introducing a URI query API
Sites listed on CR may not be completely bad, but are known to host
specific malicious URIs (created by abusers) in addition to the
original legitimate site contents. To distinguish between URIs created
by abusers and URIs that are part of the legitimate content we have
created SURBL UriQ, a new API to query full URIs against our URI data.
We will provide a way of checking on multi.surbl.org lookups if URI
information is available for a given host. In that case, an additional
UriQ query of a specific URI on that host will indicate whether that
URI is bad or not.
UriQ uses HTTP POST to send URIs and is currently in beta testing. If
you would like to join the beta test, please contact us via your
SURBL reseller. The general availability of UriQ and its production
status will be announced at a later date.
Implementation recommendations
We encourage software developers to update their applications to test
for the CR sublist bitmask to detect known cracked sites in URIs. We
recommend using the presence of the CR listing as part of a scoring
algorithm, as not all URIs on CR-listed hosts are bad.
Timeline:
Creation of the CR (cracked) dataset - 1 February 2016
The documentation on the SURBL site will be updated over the next few
weeks to reflect the changes. It has not been updated yet.
http://www.surbl.org/lists
Recommended action:
We recommend that SURBL application developers prepare to update their
configurations according to these changes so they are ready when the
changes are put into production on our name servers and zone files.
Please direct followup discussion to the SURBL Discussion list.
New ABUSE sublist -- SC, AB sublists deprecated -- migration to ABUSE
December 18, 2015
In order to keep improving SURBL data, we plan to reorganize some of
the sublists inside the combined list multi as described below.
SC, AB sublists deprecated, merged into ABUSE sublist with JP
Until now the SURBL multi data set consisted of the two typed sublists
MW (malware) and PH (phishing) and several general data sets (AB, JP,
SC and WS), each with its own bit mask value. To simplify the use of
multi and to prepare for more detailed typing information in the
future we will be merging the above general lists into a single
sublist that will be known as ABUSE. All domains listed on ABUSE will
return bit mask 64, the value previously used by the JP sublist.
Effective immediately, the SC and AB data sets have been migrated and
are already part of ABUSE, as is the JP data set. These migrated data
sets now no longer return bit mask values 2 (SC) and 32 (AB) but 64.
Their old bit mask values have been deprecated.
WS sublist to be deprecated after transition period
The WS sublist will be migrated into ABUSE (bit mask value 64) after a
transition period, per the timeline at the end of this announcement.
Its old bit mask value 4 will then be deprecated.
For compatibility with existing applications, any TXT records for
hosts listed on ABUSE will continue to identify the sublist name as JP
until the end of the transition period. To existing unmodified
applications it will appear that the SC and AB sublists have been
emptied and their data added to the JP sublist.
Generally we recommend that application developers not depend on
particular TXT records, as they are meant for human readers (for
example, in non-delivery messages) and are subject to change without
notice. Applications should always use the numeric (A record) return
values from DNS queries instead.
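The following Python is an added example, not SURBL's own code and not
taken from any SURBL client. It illustrates both announcements: it
decodes a multi.surbl.org A-record answer into sublist names using the
numeric bits rather than the TXT record, folds the deprecated SC, AB and
WS bits into ABUSE so that old-style and new-style answers score the
same, and counts CR below the reject threshold so that a cracked host
alone does not reject a message. The PH and MW bit values (8 and 16) and
the reversed-octet form for IP queries come from the SURBL list
documentation rather than this page; the resolver, the zone data and the
score values are constructed for the example and are not real listings.

```python
"""Decode and score multi.surbl.org answers (added example, not SURBL code).

Bit values used: CR = 128, ABUSE/JP = 64, AB = 32, WS = 4 and SC = 2 are
from the two announcements above; PH = 8 and MW = 16 are from the SURBL
list documentation, not from this page.
"""
import ipaddress

# Bit value -> sublist name after the reorganisation.  The SC, AB and WS
# bits are deprecated; production servers no longer (or will no longer)
# set them, but an application that still sees one should count it as
# ABUSE, because that is where those data sets now live.
SUBLISTS = {
    2:   "ABUSE",   # was SC (deprecated)
    4:   "ABUSE",   # was WS (migrates 1 May 2016)
    8:   "PH",      # phishing  (value from SURBL docs, not this page)
    16:  "MW",      # malware   (value from SURBL docs, not this page)
    32:  "ABUSE",   # was AB (deprecated)
    64:  "ABUSE",   # JP, now ABUSE
    128: "CR",      # cracked sites (new)
}
KNOWN_BITS = 0
for _bit in SUBLISTS:
    KNOWN_BITS |= _bit

# Hypothetical per-sublist scores.  CR alone stays under the reject
# threshold because not every URI on a cracked host is bad; it only adds
# weight to other evidence.
SCORES = {"ABUSE": 5.0, "PH": 5.0, "MW": 5.0, "CR": 2.0}
REJECT_THRESHOLD = 5.0

SURBL_NET = ipaddress.IPv4Network("127.0.0.0/8")


def decode_answer(addr):
    """Return the set of sublist names encoded in one A-record answer.

    Answers have the form 127.0.0.X where X is the bitwise OR of the
    sublist values.  Anything outside 127.0.0.0/8 is not SURBL data (a
    hijacked or captive resolver, for instance) and is rejected instead
    of being decoded as a listing.  Bits this code does not know are
    reported as UNKNOWN so that future sublists are not silently dropped.
    """
    ip = ipaddress.IPv4Address(addr)
    if ip not in SURBL_NET:
        raise ValueError("not a SURBL answer: %s" % addr)
    mask = int(ip) & 0xFF
    names = {name for bit, name in SUBLISTS.items() if mask & bit}
    unknown = mask & ~KNOWN_BITS
    if unknown:
        names.add("UNKNOWN(%d)" % unknown)
    return names


def query_name(host):
    """Build the name to look up under multi.surbl.org.

    IP addresses are queried with their octets reversed.  Domain names
    are used as given; a real client first reduces them to the registered
    domain per the SURBL implementation guidelines, which is omitted here.
    """
    try:
        ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return host.lower().rstrip(".") + ".multi.surbl.org"
    return ".".join(reversed(host.split("."))) + ".multi.surbl.org"


def lookup(host, resolve):
    """resolve(name) returns the A-record string, or None if unlisted."""
    answer = resolve(query_name(host))
    return set() if answer is None else decode_answer(answer)


def score(names):
    """Sum the scores of the sublists a host appears on."""
    return sum(SCORES.get(n, 0.0) for n in names)


def verdict(host, resolve):
    """Return (sublists, score, reject?) for a host using a given resolver."""
    names = lookup(host, resolve)
    total = score(names)
    return names, total, total >= REJECT_THRESHOLD


# Constructed zone data standing in for DNS answers; none of these are
# real listings.  Last octets: 128 = CR; 208 = CR|ABUSE|MW (128+64+16);
# 34 = SC|AB (2+32) as an old-style answer; 64 = ABUSE for IP 1.2.3.4.
SAMPLE_ZONE = {
    "cracked.example.multi.surbl.org":  "127.0.0.128",
    "bad.example.multi.surbl.org":      "127.0.0.208",
    "legacy.example.multi.surbl.org":   "127.0.0.34",
    "4.3.2.1.multi.surbl.org":          "127.0.0.64",
    "hijacked.example.multi.surbl.org": "192.0.2.1",   # bogus non-127 answer
}


def sample_resolve(name):
    return SAMPLE_ZONE.get(name)


if __name__ == "__main__":
    for host in ["cracked.example", "bad.example", "legacy.example",
                 "1.2.3.4", "clean.example", "hijacked.example"]:
        try:
            print(host, verdict(host, sample_resolve))
        except ValueError as err:
            print(host, "lookup error:", err)
```

Swap sample_resolve for a real DNS lookup of the returned name to use
this against the live list. The non-127 check matters in practice: a
resolver that answers every name (a captive portal or wildcard) would
otherwise make every URI look listed.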
Timeline
Deprecation of the SC, AB sublists - Immediate
  AB => bit mask value 64
  SC => bit mask value 64
Migration of WS dataset to ABUSE - 1 May 2016
  WS => bit mask value 64
  Renaming of the ABUSE TXT record (currently still JP)
The documentation on the SURBL site will be updated over the next few
weeks to reflect the changes. It has not been updated yet.
http://www.surbl.org/lists
Recommended action
We recommend that SURBL application developers prepare to update their
configurations according to these changes so they are ready when the
changes are put into production on our name servers and zone files.
Please direct followup discussion to the SURBL Discussion list.