[SURBL-Announce] New CR (cracked sites) sublist and UriQ (URI query) API

SURBL Announcement list [READONLY] announce at lists.surbl.org
Wed Dec 30 17:36:33 CET 2015

New CR (cracked sites) sublist and UriQ (URI query) API

December 19, 2015

CR (cracked sites) sublist to be added to multi.surbl.org

SURBL traditionally lists hosts (domains and IPs) owned by abusers,
but as blacklisting their own hosts has impacted them, some have
switched to using cracked third party sites.  Criminals steal
credentials or exploit vulnerabilities to break into sites to upload
malicious pages, including redirectors that forward browsers to other
sites.  Often, only the cracked URIs will appear in abusive messages.

To better handle such sites we are creating the new CR sublist to
identify cracked hosts. The new list uses bitmask value 128.  Since
this value was previously unused, there should be no compatibility
issues with existing applications that use SURBL data and only test
for previously defined bitmask values.

UriQ – Introducing a URI query API

Sites listed on CR may not be completely bad, but are known to host
specific malicious URIs (created by abusers) in addition to the
original legitimate site contents. To distinguish between URIs created
by abusers and URIs that are part of the legitimate content we have
created SURBL UriQ, a new API to query full URIs against our URI data.

We will provide a way to check, via multi.surbl.org lookups, whether
URI information is available for a given host. In that case, an
additional UriQ query of a specific URI on that host will indicate
whether that URI is bad or not.

UriQ uses HTTP POST to send URIs and is currently in beta testing.  If
you would like to join the beta test, then please contact us via your
SURBL reseller.  The general availability of UriQ and its production
status will be announced in future.

Implementation recommendations

We encourage software developers to update their applications to test
for the CR sublist bitmask to detect known cracked sites in URIs. We
recommend using the presence of the CR listing as part of a scoring
algorithm, as not all URIs on CR-listed hosts are bad.


Creation of the CR (cracked) dataset - 1 February 2016

The documentation on the SURBL site will be updated over the next few
weeks to reflect the changes. It has not been updated yet.


Recommended action:

We recommend that SURBL application developers prepare to update their
configurations according to these changes so they are ready when the
changes are put into production on our name servers and zone files.

Please direct followup discussion to the SURBL Discussion list.
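
The scoring approach from "Implementation recommendations", as an added example that is not part of the original announcement or SURBL's own code. It assumes the bitmask is the last octet of a 127.0.0.x answer from multi.surbl.org; only the CR value 128 comes from the announcement, while LEGACY_BITS, the weights and the threshold are hypothetical placeholders.

```python
import ipaddress

CR_BIT = 128          # CR (cracked sites) bitmask value, from the announcement
LEGACY_BITS = 0x58    # placeholder: bits your application already tests (assumed)
CR_WEIGHT = 1.5       # assumed: CR is a hint, since not every URI on the host is bad
LISTED_WEIGHT = 5.0   # assumed weight for a hit on an already-tested sublist
THRESHOLD = 5.0       # assumed score at which a message is flagged


def decode_answer(a_record):
    """Return the sublist bitmask from a multi.surbl.org A record, or None.

    Anything that is not 127.0.0.x (no answer, a malformed string, or a
    resolver that rewrites NXDOMAIN to a public IP) is treated as "not
    listed" instead of being misread as a bitmask.
    """
    if a_record is None:
        return None
    try:
        octets = ipaddress.IPv4Address(a_record).packed
    except ValueError:
        return None
    if octets[:3] != b"\x7f\x00\x00":
        return None
    return octets[3]


def score_host(a_record, legacy_bits=LEGACY_BITS):
    """Return (score, cr_listed) for one host found in a message URI."""
    mask = decode_answer(a_record)
    if mask is None:
        return 0.0, False
    cr_listed = bool(mask & CR_BIT)
    # Existing tests mask out bit 128, so they behave as before the change.
    legacy_hit = bool(mask & legacy_bits & ~CR_BIT)
    score = (CR_WEIGHT if cr_listed else 0.0) + (LISTED_WEIGHT if legacy_hit else 0.0)
    return score, cr_listed


if __name__ == "__main__":
    # Constructed sample answers, not real lookup results.
    for answer in ("127.0.0.128", "127.0.0.144", "127.0.0.16", "203.0.113.7", None):
        score, cr = score_host(answer)
        print(f"{answer!s:<12} score={score:<4} cr={cr} flag={score >= THRESHOLD}")
```

A CR-only answer stays below the threshold on its own, so the host is flagged only when other evidence adds to the score.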
