SURBL Listing Policy

Here are some guidelines for adding records to SURBL lists:

A. Add domains that appear only in spam. Do not add any domains that appear in ham.

B. Beware of poisoning, joe jobs and misreporting; not every domain that appears in spam belongs to a spammer!

C. Use these important sources of information as additional input:

  1. Check domain age using whois.

    The older a domain is, the less likely it is that it should be listed. Most spam domains are used for 3 days and then abandoned. Domains older than 90 days probably should not be added. Domains more than 1 year old usually should not be added. However, domains that use name servers listed in SBL as belonging to known spam operators can be included regardless of age. (See below.)

  2. Check the resolved IP address of the site against sbl.spamhaus.org.

    If you get a match, it's likely a spammer. However, lack of an SBL match doesn't mean it's not a spammer. Also, SBL checks may result in some false positives. Therefore SBL inclusion does not always mean we should list.

  3. Check the resolved name servers of the site, i.e., the NS resource records in DNS, against sbl.spamhaus.org.

    If you get a match, it's likely a spammer. SBL lists the name servers of several known spam gangs, and those spam gangs are responsible for a large portion of all spam. However, lack of an SBL match doesn't mean it's not a spammer. Also, SBL name server checks may result in some false positives (such as gov.ru). Therefore SBL inclusion does not always mean we should list.

    (For this purpose, checking the resolved NS records is safer than checking registrar database name servers, because the domains could be further delegated to other name servers.)

  4. If the NS records don't resolve, the domain is probably unusable and should not be listed. Be sure to use an accurate program such as dig.

  5. Check whether the sending IP address (the topmost address in the headers that is outside the destination network) appears in reliable RBLs of open relays, open proxies, exploited hosts, etc., such as xbl.spamhaus.org. If so, that's an additional indication that this is spam and the domain should be listed. Legitimate organizations probably don't steal services with zombies or use spammers who do.

    On the other hand, be aware that spammers sometimes mention legitimate URIs, for example to abuse an otherwise legitimate marketing site: they can do this to gain incentive or click-through points, etc. Therefore the use of zombies, etc. does not automatically mean that the URIs themselves belong to spammers, only that spammers sent the message.

    Conversely, if a sending IP is not in an RBL and appears consistently across multiple reports, then the domain is a weaker candidate for SURBL listing. SURBLs were especially intended to be used against zombie-sent spam, since regular RBLs are far more efficient against fixed sending networks than SURBLs are. (SURBLs require more resource-expensive content parsing, storage, etc. than conventional RBLs.)

  6. Check IADB status.

    1. For IP addresses, look them up in reverse octet order against iadb.isipp.com.
    2. For domains, resolve the domains against iddb.isipp.com first, take any returned IP addresses, then reverse the octets and check them against iadb.isipp.com.

    If they appear to be whitehats in IADB, then don't list.

  7. Check the Usenet group news.admin.net-abuse.sightings (NANAS), for example at Google.

    If a URI domain or IP is mentioned in many recent postings there, it may be a spammer. But actually look at the content of the messages. Sometimes there are subscribed newsletters, misclassifications, joe jobs and other erroneous inclusions there. Absence from NANAS does not indicate a lack of spamminess, and many NANAS postings do not necessarily indicate spamminess. You must look at a sampling of the actual content.

  8. Visit the site or at least check the Google summary of it.

    If the site looks like a mostly legitimate site, do not add it. (I usually use Google's cache of the site, or a text browser like lynx. This is somewhat safer than using a full browser to go to a site, which could contain malicious code. Viewing Google summaries is sometimes good enough.)

  9. Check hand-built directories of web sites such as DMOZ, Wikipedia, Yahoo, Google, etc.

    It's unlikely that hand-edited URL lists, which these directories are, would include sites that belong to spam gangs. (The editors tend to remove abuse.)

Many of these checks can be aided with automation, such as that performed by Ryan Thompson's GetURI.
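As an added illustration of how such automation can be structured (example code written for this page, not SURBL's or GetURI's own): the helper below builds the reversed-octet query names that guidelines C.2, C.3, C.5 and C.6 rely on and combines the answers as the guidelines direct. The resolver is a parameter (default socket.gethostbyname) so the logic can be exercised with constructed answers and no network; the verdict labels are an assumption of this example, and C.7 to C.9 remain manual steps.

```python
import ipaddress
import socket

def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 + sbl.spamhaus.org
    becomes 10.2.0.192.sbl.spamhaus.org, the form every DNSBL above expects."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # also validates the address
    return ".".join(reversed(octets)) + "." + zone

def listed(ip: str, zone: str, resolve=socket.gethostbyname) -> bool:
    """A DNSBL answers an A record for listed addresses and NXDOMAIN otherwise."""
    try:
        resolve(dnsbl_name(ip, zone))
        return True
    except OSError:  # socket.gaierror (NXDOMAIN) is a subclass of OSError
        return False

def iadb_whitehat(domain: str, resolve=socket.gethostbyname) -> bool:
    """Guideline C.6: resolve the domain under iddb.isipp.com, then check the
    returned address, octets reversed, against iadb.isipp.com."""
    try:
        ip = resolve(domain + ".iddb.isipp.com")
    except OSError:
        return False
    return listed(ip, "iadb.isipp.com", resolve)

def evaluate(domain, age_days, site_ips, ns_ips, sender_ip, resolve=socket.gethostbyname):
    """Apply guidelines C.1 to C.6 to one candidate. Returns (verdict, reasons);
    verdict labels 'do-not-list', 'strong-candidate', 'needs-review' are assumed here."""
    if not ns_ips:                                                      # C.4
        return "do-not-list", ["name servers do not resolve"]
    if iadb_whitehat(domain, resolve):                                  # C.6
        return "do-not-list", ["domain is an IADB whitehat"]
    ns_in_sbl = any(listed(ip, "sbl.spamhaus.org", resolve) for ip in ns_ips)  # C.3
    if not ns_in_sbl and age_days > 365:                                # C.1
        return "do-not-list", ["domain older than 1 year"]
    reasons = []
    if ns_in_sbl:
        reasons.append("name server in SBL (overrides domain age)")
    elif age_days > 90:
        reasons.append("domain older than 90 days; probably do not list")
    site_in_sbl = any(listed(ip, "sbl.spamhaus.org", resolve) for ip in site_ips)  # C.2
    if site_in_sbl:
        reasons.append("site IP in SBL")
    if listed(sender_ip, "xbl.spamhaus.org", resolve):                  # C.5
        reasons.append("sender IP in XBL (zombie-sent)")
    if ns_in_sbl or (site_in_sbl and age_days <= 90):
        return "strong-candidate", reasons
    return "needs-review", reasons or ["no automated indicator; inspect the site"]
```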

Additional Considerations:

  1. About ham:
    • Hams are ordinary legitimate messages, not including meta-discussion about spam.
    • Discussion about spam can mention spam domains or IPs, but that doesn't make those mentions hammy.
    • Discussion about spam should not be filtered using anti-spam tools, so it's not a disqualifier for listing spammy domains.

  2. Don't add domains or IPs that are mentioned in legitimate newsletters, mailing lists or other similar mailings. Too often people forget that they subscribed to such mailings then report them as spam. Do not add domains of otherwise legitimate sites that have open (unconfirmed) subscriptions.

  3. Add domains or IP addresses that only appear in spams. Spam examples include:
    • drug or herbal
    • pirated software
    • mortgage
    • porn (There may be some "legitimate" porn sites which should not be listed.)
    • gambling (Note that there are some "legitimate" gambling sites with affiliate problems. They should probably not be listed.)
    • cable TV descrambler
    • fraud
      • phishing
      • fake contest (fraud)
      • pyramid or ponzi scam
      • other scams
    • stocks (though these seldom seem to have spammer URIs)

  4. Do not add domains or IPs from virus-generated messages, unless they point to obvious spammer sites, like those mentioned above.

  5. This is not your personal blocklist. These lists are used by millions of people. We do not want their desired mail to be blocked falsely. Create your own personal blocklist for messages you don't want to get but which other people might consider legitimate. This can include sites like topica, yahoogroups, lyris, joke-of-the-day, weird news, electronic greeting cards, and similar things that some people actually subscribe to. Do not list them, even if they get abused to send spam, and even if you don't like these sites or would never use them personally.

  6. Don't list any mostly legitimate domains or IP addresses. The goal is not to "catch every spam." The goal is to catch only domains that only appear in spams.

    If we created a list to try to catch every spam, it would be unusable by most people because it would create false positives and block many desired messages. If a domain has legitimate uses or could get mentioned in ordinary hams, then don't list it.

  7. Do not try to add every domain that appears in spams. The question is not whether a given domain appears in spams, but whether a domain has legitimate uses. If a warez spammer links to the microsoft.com site, does that mean microsoft.com should be listed? Of course not. The same applies to domains that may be less well-known, but still legitimate. Just because a domain or IP appears in a spam URI doesn't mean it belongs to a spammer. Consider the possibility of a Joe Job or other innocent bystanders. Check out the sites. When in doubt, don't list.

  8. Don't blacklist parked, tasted or kited domains unless they redirect to spam gang sites, or belong to spam gangs. Of the 35 million total domains registered as of April 2006, Bob Parsons of GoDaddy found that 33 million of them were tasted/kited. We can't blacklist 33 million domains, nor should we. Many parked 2, 3, and 4 letter domains are appearing in botnet-sent spam. They are probably decoy domains meant to obscure the actual payload domains. Don't blacklist the decoys. Blacklist the payload domains!

When in doubt, don't list!

Please send me your questions or direct them to the SURBL discussion list.
policy.html version 2.18 on 10/30/07