Announce

announce@lists.surbl.org

183 discussions

New CR (cracked sites) sublist and UriQ (URI query) API
by SURBL Announcement list [READONLY] 30 Dec '15

30 Dec '15

New CR (cracked sites) sublist and UriQ (URI query) API December 19, 2015 CR (cracked sites) sublist to be added to multi.surbl.org SURBL traditionally lists hosts (domains and IPs) owned by abusers, but as blacklisting their own hosts has impacted them, some have switched to using cracked third party sites. Criminals steal credentials or exploit vulnerabilities to break into sites to upload malicious pages, including redirectors that forward browsers to other sites. Often, only the cracked URIs will appear in abusive messages. To better handle such sites we are creating the new CR sublist to identify cracked hosts. The new list uses bitmask value 128. Since this value was previously unused, there should be no compatibility issues with existing applications that use SURBL data and only test for previously defined bitmask values. UriQ – Introducing a URI query API Sites listed on CR may not be completely bad, but are known to host specific malicious URIs (created by abusers) in addition to the original legitimate site contents. To distinguish between URIs created by abusers and URIs that are part of the legitimate content we have created SURBL UriQ, a new API to query full URIs against our URI data. We will provide a way of checking on multi.surbl.org lookups if URI information is available for a given host. In that case, an additional UriQ query of a specific URI on that host will indicate whether that URI is bad or not. UriQ uses HTTP POST to send URIs and is currently in beta testing. If you would like to join the beta test, then please contact us via your SURBL reseller. The general availability of UriQ and its production status will be announced in future. Implementation recommendations We encourage software developers to update their applications to test for the CR sublist bitmask to detect known cracked sites in URIs. We recommend using the presence of the CR listing as part of a scoring algorithm, as not all URIs on CR-listed hosts are bad. Timeline: Creation of the CR (cracked) dataset - 1 February 2016 The documentation on the SURBL site will be updated over the next few weeks to reflect the changes. It has not been updated yet. http://www.surbl.org/lists Recommended action: We recommend that SURBL application developers prepare to update their configurations according to these changes so they are ready when the changes are put into production on our name servers and zone files. Please direct followup discussion to the SURBL Discussion list.

1 0

New ABUSE sublist -- SC, AB sublists deprecated -- migration to ABUSE
by SURBL Announcement list [READONLY] 18 Dec '15

18 Dec '15

New ABUSE sublist -- SC, AB sublists deprecated -- migration to ABUSE December 18, 2015 In order to keep improving SURBL data, we plan to reorganize some of the sublists inside the combined list multi as described below. SC, AB sublists deprecated, merged into ABUSE sublist with JP Until now the SURBL multi data set consisted of the two typed sublists MW (malware) and PH (phishing) and several general data sets (AB, JP, SC and WS), each with its own bit mask value. To simplify the use of multi and to prepare for more detailed typing information in the future we will be merging the above general lists into a single sublist that will be known as ABUSE. All domains listed on ABUSE will return bit mask 64, the value previously used by the JP sublist. Effective immediately, the SC and AB data sets have been migrated and are already part of ABUSE, as is the JP data set. These migrated data sets now no longer return bit mask values 2 (SC) and 32 (AB) but 64. Their old bit mask values have been deprecated. WS sublist to be deprecated after transition period The WS sublist will be migrated into ABUSE (bit mask value 64) after a transition period, per the timeline at the end of this announcement. Its old bit mask value 4 will then be deprecated. For compatibility with existing applications, any TXT records for hosts listed on ABUSE will continue to identify the sublist name as JP until the end of the transition period. To existing unmodified applications it will appear that the SC and AB sublists have been emptied and their data added to the JP sublist. Generally we recommend that application developers not depend on particular TXT records, as they are meant for human readers (for example, in non-delivery messages) and are subject to change without notice. Applications should always use the numeric (A record) return values from DNS queries instead. Timeline Deprecation of the SC, AB sublists - Immediate AB => bit mask value 64 SC => bit mask value 64 Migration of WS dataset to ABUSE - 1 May 2016 WS => bit mask value 64 renaming of ABUSE TXT record The documentation on the SURBL site will be updated over the next few weeks to reflect the changes. It has not been updated yet. http://www.surbl.org/lists Recommended action We recommend that SURBL application developers prepare to update their configurations according to these changes so they are ready when the changes are put into production on our name servers and zone files. Please direct followup discussion to the SURBL Discussion list.

1 0

Experimental list: XS deprecated
by SURBL Announcement list [READONLY] 30 Jan '14

30 Jan '14

The experimental sublist XS which we set up a few years ago has been deprecated. If you are querying it, then please stop querying it. :)

1 0

MW malware sublist added to multi, replaces OB
by SURBL Announcement list [READONLY] 01 May '13

01 May '13

As announced last October, malware data has been moved from PH to a new list MW, taking the bit of OB, which was deprecated last year. Along with malware data, limited set of cracked hosts also has been moved from PH to MW, in part because cracked sites often have or can have malware on them. The bitmask bit 16 therefore is no longer used by OB, but is used by MW now. Please update configurations appropriately. For example in SpamAssassin, change: urirhssub URIBL_OB_SURBL multi.surbl.org. A 16 body URIBL_OB_SURBL eval:check_uridnsbl('URIBL_OB_SURBL') describe URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist tflags URIBL_OB_SURBL net reuse URIBL_OB_SURBL score URIBL_OB_SURBL 0 0.785 0 0.122 to: urirhssub URIBL_MW_SURBL multi.surbl.org. A 16 body URIBL_MW_SURBL eval:check_uridnsbl('URIBL_MW_SURBL') describe URIBL_MW_SURBL Contains an URL listed in the MW SURBL blocklist tflags URIBL_MW_SURBL net reuse URIBL_MW_SURBL score URIBL_MW_SURBL 0 0.001 0 0.610 Please direct followup discussion to the SURBL Discussion list.

1 0

Heads up: Updates on two-level-tlds/three-level-tlds
by SURBL Announcement list [READONLY] 28 Jan '13

28 Jan '13

Dear SURBL community, Just a heads up that we added some more domains on the two-level-tlds/three-level-tlds files as available on the SURBL site. The updated files can be found at: http://www.surbl.org/tld/two-level-tlds http://www.surbl.org/tld/three-level-tlds We will add new domains to these files to reflect better detection of abused freehosting envirionments. Raymond Dijkxhoorn - SURBL

1 0

Phishlabs data added to SURBL phishing list
by SURBL Announcement list [READONLY] 27 Nov '12

27 Nov '12

We are very pleased to announce that the SURBL phishing list: http://www.surbl.org/lists.html#ph now includes data from Phishlabs: http://www.phishlabs.com/ Thanks to Phishlabs for allowing us to include their anti-phishing data in PH.

1 0

Deprecation of OB sublist, creation of MW malware sublist
by SURBL Announcement list [READONLY] 22 Oct '12

22 Oct '12

In order to keep improving SURBL data, we plan to reorganize some of the sublists inside the combined list multi as described below. OB -- OB sublist to be deprecated immediately Due to reduced effectiveness, SURBL will be deprecating the data in the OB sublist in a multi-stage process described below, with a the timeline at the end of this announcement. We will emptying the OB dataset beginning immediately. Since the current OB data are resulting in few detections, the effect of emptying the list should not significantly impact most production systems that are using the data. After the OB dataset has been empty for a period of time, we will be replacing bitmask bit 16 that OB currently uses with a new list described next. SURBL would like to sincerely thank the Outblaze team and their successor organization IBM for very kindly making the Outblaze data available to the SURBL community for several years. Special thanks go to Suresh Ramasubramanian and his colleagues for their many years of dedication in helping SURBL and the broader Internet community to stop messaging, botnet, malware, phishing and other forms of abuse. MW -- New malware sublist After some time with OB data emptied, the bitmask bit 16 formerly used by OB will be used by a new list MW which will consist of malware domains and IPs, most of which which are currently merged into the PH list. We had overloaded the phishing list PH with both phishing and malware data since they were somewhat related, but several users of SURBL data have expressed an interest in separate classifications for phishing and malware. Splitting those categories of data info separate sublists will make the distinctions between phishing and malware available for the whole SURBL community to use. Having a separate malware sublist should allow SURBL applications to make finer-grained, more accurate classifications and to perform better as a result. Some records may be on multiple lists. For example if a site has both phishing and malware, then it may be on both the PH and MW lists. Overlap between any datasets has been and will continue to be possible. Timeline: Deprecation of the OB dataset - Immediate Creation of the MW (malware) dataset - 1 May 2013 The documentation on the SURBL site will be updated the next few weeks to reflect the changes. It has not been updated yet. http://www.surbl.org/lists Recommended action: We recommend that SURBL application developers prepare to update their configurations according to these changes so they are ready when the changes are put into production on our name servers and zone files. Please direct followup discussion to the SURBL Discussion list.

1 0

SURBL Open Letter To Operators Of Redirection Sites updated with best practice recommendations
by SURBL Announcement list [READONLY] 24 Oct '11

24 Oct '11

SURBL has updated its Open Letter To Operators Of Redirection Sites by adding some best practice recommendations: http://www.surbl.org/redirection-sites They include: * Check links against URI Blacklists, * Recheck periodically including, if possible, when redirecting, * Deny link creation from malicious IP addresses, * Check the resolved IP addresses of the original url, * Disallow redirection to other redirectors, * Register an abuse contact role account at abuse.net, * Return an http status code of 410 when an abused redirector is removed.

1 0

ANNOUNCE: Some two-level-tlds accented characters changed to IDN
by SURBL Announcement list [READONLY] 04 Apr '11

04 Apr '11

Anthony Howe noticed that gcc was complaining about ISO 8859-1 accented characters used in the two-level-tlds file. With his kind help, we converted those to equivalent IDN representation. Diffs are: 278c278 < aéroport.ci --- > xn--aroport-bya.ci 893c893 < drøbak.no --- > xn--drbak-wua.no 1955c1955 < lea?gaviika.no --- > xn--leagaviika-52b.no 2835c2835 < osterøy.no --- > xn--ostery-fya.no 3554c3554 < tysvær.no --- > xn--tysvr-vra.no 3587c3587 < unjárga.no --- > xn--unjrga-rta.no 3650c3650 < vegårshei.no --- > xn--vegrshei-c0a.no As a practical matter this should have little operational impact since those domains are obscure and unlikely to be abused. Nonetheless, we thank Anthony for the correction.

1 0

SURBL at RSA
by SURBL Announcement list [READONLY] 29 Jan '11

29 Jan '11

SURBL will be exhibiting at RSA Conference 2011 in San Francisco, California from February 14 through 18 with our reseller http://www.mxtools.com/ MXTools at booth 1159. Please stop by and say hi if you use SURBL data. We'd love to meet you and let you know about our latest initiatives to improve SURBL data. You can use code EC11MXT to gain free access to the show floor and keynote addresses, a $100 value. Please feel free to share the code with friends.

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Announce