SURBL ‘Multi’

SURBL ‘Multi’ (composite feed of ‘current, active, bad domains’)

SURBL ‘Multi’ datafeed:

  • Fast, dynamic intel that identifies advanced phishing and malware sources
  • Accurate, blockable source of domain intel
  • Delivers real-time, accurate threat data on malicious domains
  • Includes up-to-date intel on malware, phishing, botnet, and spam domains

SURBL is highly effective at controlling the hard-to-detect phishing and botnet domains. SURBL data contains approx. 800,000 current, active, bad domains, is updated continuously (every 1-2 minutes), and greatly improves detection of phishing, malware and botnet domains.

-------------------------------------------------------------------------------------------------------

SURBL Overview

SURBL has been a highly regarded and trusted member of the Internet ecosystem for 12 years. SURBL’s expertise and core competency includes global coverage of malicious domains, domain reputation, and global visibility and relationships. The reach and coverage provided by SURBL is truly remarkable.

- SURBL just celebrated its 12th anniversary.
- SURBL is a highly regarded and trusted member of the Internet ecosystem.
- SURBL’s footprint includes direct coverage on all continents and many key data exchange relationships, including direct relationships with xSPs, security vendors, messaging providers, and also registries and registrars.
- SURBL data is used to protect over 1 billion end users.
- SURBL data is highly dynamic and highly accurate: updated every 1-2 minutes, with ‘near-zero’ false positives (many, many customers would attest to this accuracy).

----------

SURBL ‘Multi’ Data:

SURBL ‘Multi’ is highly effective at controlling the hard-to-detect phishing and botnet domains. The SURBL ‘Multi’ datafeed contains approx. 800,000 current, active, bad domains, is updated continuously (every 1-2 minutes), and greatly improves detection of phishing, malware and botnet domains.

  • The ‘Multi’ data provides a comprehensive, highly accurate and highly dynamic list of current, active, bad domains
  • Actionable, blockable source of domain intel
  • Highly accurate feed of phishing, malware, botnet, and spam domains, with ‘near-zero’ false positives
  • Real time: updated every 1-2 minutes
  • Widely regarded as one of the absolute best sources of domain threat intel
  • Accurate, actionable, and reliable source for many of the world’s leading technology companies and xSPs (globally)

SURBL data are used in commercial and open source mail filters, security appliances, and a wide range of mail and web applications and systems.

- Fast, dynamic intel that identifies advanced phishing and malware sources

- SURBL customers (email providers, filter vendors, security vendors) find SURBL to be a very high value source of intel, and an excellent addition to their solutions.

- SURBL was directly involved in the initial launch of RPZ, and is one of the best sources of intel for RPZ solutions.

- SURBL is a trusted broker within the Internet ecosystem, which many of the world’s leading security vendors, threat research organizations, and ISPs trust to capture, share, and deliver global domain intelligence highly reliably and effectively.

--------------

Data Delivery Options:

- Delivered as an rsync datafeed; also available in wild and CSV formats
- Also available via the Private Query Service (PQS): keyed access to private servers

--------------

SURBL Categories (sub-lists):

PH - Phishing sites

Phishing data from multiple sources is included in the PH Phishing data source. Phishing data was first provided by MailSecurity, later joined by PhishTank data, OITC phishing data, PhishLabs data and several other sources.

MW - Malware sites

This list contains data from multiple sources that cover sites hosting malware. This includes OITC, the DNS blackhole malicious site data from malwaredomains.com, and Malware Domain List. Some cracked hosts are also included in MW, since many cracked sites also host malware. Note that the above is only a sampling of the many different malware data sources in MW.

CR - Cracked sites

From 1 Feb 2016 this new list will contain data from multiple sources that cover cracked sites. Criminals steal credentials or abuse vulnerabilities in a CMS such as WordPress or Joomla to break into websites and add malicious content. Often cracked pages will redirect to spam sites or to other cracked sites. Cracked sites usually still contain the original legitimate content and may still be mentioned in legitimate emails, besides the malicious pages referenced in spam.

multi.surbl.org - Combined SURBL list

All of the SURBL data sources are combined into a single, bitmasked list: multi.surbl.org. Bitmasking means that there is only one entry per domain name or IP address, but that entry will resolve into an address (DNS A record) whose last octet indicates which lists it belongs to. The bit positions in that last octet for membership in the different lists are:

- 8 = listed on PH
- 16 = listed on MW
- 64 = listed on ABUSE: JP, SC, AB
- 128 = listed on CR (active from 1 February 2016)
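The bitmask described above, worked through in code. This is an added example, not SURBL’s own software: it builds the query name for a domain or IPv4 address and decodes the last octet of the returned A record into the lists documented on this page. Two things are assumptions rather than statements from this page: that IPv4 targets are queried octet-reversed (the usual DNSBL convention), and that genuine answers fall inside 127.0.0.0/8, so anything else is treated as a resolver problem rather than a listing. All sample answers are constructed.

```python
import ipaddress

# Bit values in the last octet of the multi.surbl.org A record, exactly as
# listed above; this page documents only these four.
SURBL_MULTI_BITS = {
    8: "PH",      # phishing
    16: "MW",     # malware
    64: "ABUSE",  # JP, SC, AB
    128: "CR",    # cracked sites, active from 1 February 2016
}
KNOWN_MASK = sum(SURBL_MULTI_BITS)  # 216

# Assumption (not stated on this page): like other DNSBLs, SURBL answers from
# 127.0.0.0/8. Anything else means the lookup did not reach SURBL (for example
# a captive or wildcarding resolver) and must not be read as a listing.
DNSBL_ANSWER_NET = ipaddress.IPv4Network("127.0.0.0/8")


def surbl_query_name(target: str, zone: str = "multi.surbl.org") -> str:
    """Build the name to query for a domain or IPv4 address.

    Assumption (not stated on this page): domain names are appended to the
    zone as-is; IPv4 addresses are written octet-reversed, the usual DNSBL
    convention.
    """
    target = target.strip().rstrip(".").lower()
    try:
        ip = ipaddress.IPv4Address(target)
    except ipaddress.AddressValueError:
        return f"{target}.{zone}"
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def decode_multi_answer(a_record: str) -> dict:
    """Turn one A record from a multi.surbl.org lookup into list membership."""
    addr = ipaddress.IPv4Address(a_record)
    if addr not in DNSBL_ANSWER_NET:
        raise ValueError(f"unexpected DNSBL answer {a_record}; not a SURBL result")
    last_octet = int(str(addr).split(".")[3])
    lists = [name for bit, name in SURBL_MULTI_BITS.items() if last_octet & bit]
    # Bits this page does not document are reported, not silently dropped,
    # so a feed change shows up in monitoring instead of being ignored.
    unknown_bits = last_octet & ~KNOWN_MASK & 0xFF
    return {"raw": last_octet, "lists": lists, "unknown_bits": unknown_bits}


def summarize_lookup(answers: list) -> dict:
    """Summarize a whole lookup: no A records (NXDOMAIN) means 'not listed'."""
    if not answers:
        return {"listed": False, "lists": [], "unknown_bits": 0}
    decoded = decode_multi_answer(answers[0])
    return {"listed": True, "lists": decoded["lists"],
            "unknown_bits": decoded["unknown_bits"]}


if __name__ == "__main__":
    # Constructed answers, not real SURBL data: 24 = PH + MW, 128 = CR.
    for target, answers in [("phish-example.test", ["127.0.0.24"]),
                            ("192.0.2.10", ["127.0.0.128"]),
                            ("clean-example.test", [])]:
        print(surbl_query_name(target), summarize_lookup(answers))
```

Because one entry carries every list a name belongs to, a single lookup is enough to route a hit to the right policy (for instance, treating PH and MW hits differently from CR hits, which the CR description above notes may appear in legitimate mail).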

Customer Use Cases - SURBL ‘Multi’ Data:

- Plug directly into existing solutions
- Detect and prevent malicious domains and activity with an accurate, real-time feed

Blockable, actionable intel feed (of phishing, malware, botnet domains) ideally suited for use in, but not limited to:

- DNS firewall
- Email filtering
- SIEM
- Security alerts
- Phishing protection
- Malware detection
- Infected hosts, infected users
- Identifying bot infections
- Enhancing anti-phishing and anti-malware
- Web filtering
- Social media filtering

- Email AntiSpam Filters - highly effective data source to identify bad links in messages. Used very effectively as a second-stage mail filter that checks the websites linked in the message body against SURBL. Greatly improves protection against hard-to-detect phishing, botnet and malicious domains.

- Social Media - identify and block links to malware, phishing and virus infections via social media.

- DNS Firewall / RPZ - excellent source of intel to enable a DNS firewall and prevent resolution of bad domains at the DNS level. Covers all users, all protocols and all applications within your network: anyone looking to visit a website via your DNS servers.

- URL shorteners - SURBL 'Shorts' provides a current list of bad shortened domains (eg bit.ly/123689). SURBL 'Multi' is used to identify the ultimate landing site for miscreant-owned or infected sites.

- SIEM - plugs directly into a SIEM to accurately identify and alert on meaningful security events, in near real time.

- HTTP / Web Filtering - enhance web filtering services, improving accuracy and coverage of users attempting to visit malicious sites.
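The second-stage mail filter use case above, as an added example that is not SURBL’s own code or any vendor’s product: it extracts the hostnames linked in a message body, reduces each to the domain to be looked up, queries multi.surbl.org through a pluggable resolver, and turns the returned bitmask into a verdict. Because the CR description notes that cracked sites still carry legitimate content and may appear in legitimate mail, a CR-only hit is flagged rather than rejected outright. Assumptions: the bit values 8/16/64/128 are the ones documented on this page; reducing a hostname to its last two labels is a simplification (multi-level TLDs need a proper public-suffix handling in production); the resolver, zone contents, domains (under the reserved .test TLD) and message body are all constructed.

```python
import re
from urllib.parse import urlparse

# Bit values of the last octet of the multi.surbl.org A record, as documented above.
PH, MW, ABUSE, CR = 8, 16, 64, 128

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def extract_hosts(body: str) -> list:
    """Unique hostnames from the URLs in a message body, in order of appearance."""
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").rstrip(".").lower()
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def base_domain(host: str) -> str:
    """Reduce a hostname to the domain that gets looked up.

    Simplification (assumption): keep the last two labels. SURBL lists
    registered domains, and production filters must handle multi-level
    TLDs (co.uk and the like) instead of this shortcut.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else host


def check_message(body: str, resolve) -> dict:
    """Second-stage check: look up every linked domain and decide.

    `resolve(name)` returns the A records for `name` ([] for NXDOMAIN);
    a real deployment passes a DNS client here.
    """
    hits = {}
    for host in extract_hosts(body):
        domain = base_domain(host)
        answers = resolve(f"{domain}.multi.surbl.org")
        if not answers:
            continue  # NXDOMAIN: not listed
        hits[domain] = int(answers[0].split(".")[3])
    if any(mask & (PH | MW | ABUSE) for mask in hits.values()):
        verdict = "reject"
    elif any(mask & CR for mask in hits.values()):
        # Cracked sites still carry legitimate content and may be linked from
        # legitimate mail, so a CR-only hit is scored/flagged, not rejected.
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "hits": hits}


# Constructed stand-in for a DNS resolver; the zone contents are invented,
# not real SURBL data.
FAKE_ZONE = {
    "phish-login.test.multi.surbl.org": ["127.0.0.8"],     # PH
    "cracked-blog.test.multi.surbl.org": ["127.0.0.128"],  # CR
}


def fake_resolve(name: str) -> list:
    return FAKE_ZONE.get(name, [])


# Constructed message body.
SAMPLE_BODY = """Hi, please confirm your account at https://secure.phish-login.test/verify
and read our newsletter at http://www.cracked-blog.test/news/. Thanks."""

if __name__ == "__main__":
    print(check_message(SAMPLE_BODY, fake_resolve))
```

Running it on the constructed body yields a "reject" verdict with both domains in `hits`; a body that links only the cracked site is merely flagged, and one with no listed links is delivered. The lookup names that the code emits are exactly the `<domain>.multi.surbl.org` form, so swapping `fake_resolve` for a real DNS client is the only change needed to run it against the live feed.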