[SURBL-Discuss] Abuse combat feed

Jeff Chan jeffc at surbl.org
Wed Feb 15 04:07:32 CET 2017


On Tuesday, February 14, 2017, 6:22:23 PM, Rubens Kuhl wrote:

>> 
>> SURBL has a main list of abuse, phishing, malware, and cracked hosts
>> (domains and IPs).  Most of the abuse hosts are used for spam.
>> Cracked hosts tend to be used for spam, phishing, malware, botnets,
>> DDOS, etc.  SURBL also has full URI data available in different ways.
>> Both types of data may be useful for you, but it may be simplest to
>> start with the host data and then try URIs.  There is also a logical
>> process to check our host data first, then check our URI data for
>> deeper information where available.  (Not all blacklisted hosts have
>> corresponding blacklisted URIs, and vice versa.)

> Ok, got it. I was thinking on parsing URIs only, now I know better.

You can check our host data against the host portion of URIs.  That's
how our main set is used for spam filtering, for example:

  http://www.surbl.org/guidelines

> URIs are good when verifying the case is not a false positive. 

Yes.

We do blacklist some URIs that are abused sites (essentially abused
URI paths or URI subdomains) where we don't blacklist their (otherwise
legitimate) host.


>> We can make reports about specific TLDs, for example .br or even
>> Brazilian brands, but the .br domains are also trivially searchable
>> in our main host blacklist.

> It's usually simpler parsing than asking for a specific subset.

Agree.

> But if a specific subset is all that the source is willing to make
> available, then we can live with that... we have done it both ways
> with other data feeds. Having them complete though is showing one
> interesting feature: if a domain registrant asks for a CNAME or HTTP
> redirection to a different TLD, having the full dataset instead of
> per-TLD helps prevent those redirections from ever being provisioned.

Agree a complete set can give a larger view.  Certainly abuse crosses
TLDs often, globally speaking.

> Rubens

Cheers,

Jeff C.
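The host-first check described in the exchange above, as an added example that is not code from the post, from SURBL or from either writer: take the host portion of a URI, reduce it to the name a host blacklist would carry (three labels under second-level registries such as .com.br, two labels otherwise), build the DNS query name and decode the bitmask in the answer. The zone name and bit values are assumed from the public SURBL guidelines; the suffix table and the resolver answers are constructed so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Lookup zone and result bits as published in the SURBL guidelines
# (http://www.surbl.org/guidelines); assumed here, not taken from the post.
SURBL_ZONE = "multi.surbl.org"
SURBL_BITS = {8: "PH", 16: "MW", 64: "ABUSE", 128: "CR"}

# Second-level registries where the registrable name is three labels deep
# (e.g. example.com.br). Constructed, deliberately incomplete sample.
THREE_LEVEL_SUFFIXES = {"com.br", "net.br", "org.br", "co.uk", "org.uk"}

def registrable_host(uri):
    """Return the host portion of a URI reduced to the name a host list carries."""
    host = (urlsplit(uri).hostname or "").rstrip(".").lower()
    if not host:
        return None
    try:
        ipaddress.IPv4Address(host)
        return host  # IP hosts are listed as-is
    except ValueError:
        pass
    labels = host.split(".")
    depth = 3 if ".".join(labels[-2:]) in THREE_LEVEL_SUFFIXES else 2
    return ".".join(labels[-depth:])

def query_name(host):
    """DNS name to query: reversed IPv4 octets, or the domain name itself."""
    try:
        octets = str(ipaddress.IPv4Address(host)).split(".")
        return ".".join(reversed(octets)) + "." + SURBL_ZONE
    except ValueError:
        return host + "." + SURBL_ZONE

def decode(answer):
    """Map a 127.0.0.x answer to the list names encoded in its last octet."""
    bits = int(answer.split(".")[-1])
    return sorted(name for bit, name in SURBL_BITS.items() if bits & bit)

def check_uri(uri, resolve):
    """resolve(name) returns an A-record string, or None for NXDOMAIN."""
    host = registrable_host(uri)
    if host is None:
        return []
    answer = resolve(query_name(host))
    return decode(answer) if answer else []

# Constructed offline resolver standing in for a real DNS lookup.
FAKE_ZONE = {
    "bad-example.com.br.multi.surbl.org": "127.0.0.72",  # ABUSE + PH
    "2.0.0.127.multi.surbl.org": "127.0.0.128",          # CR
}
def fake_resolve(name):
    return FAKE_ZONE.get(name)
```

A hit on the host is the cheap first step; the full-URI data the post mentions is the follow-up for hosts that are otherwise legitimate.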