Newest threat feed from SURBL
SURBL – Hash / Shortener Feed
SURBL Hash Blocklist kicks in where IP and domain blocklists stop.
Systems are now able to filter based on hash strings of email content. Blocking based on hashes allows for enhanced, precise protection beyond traditional IP and domain based filters. SURBL Hash BL allows blocking of known, malicious redirectors / shortened URIs, crypto-wallets, email addresses and phone numbers.
SURBL’s Hash / Shortener Feed provides a dynamic, current list of bad shortened domains (including major shorteners, like bit.ly and t.co). These shortened domains can ultimately direct to known bad / malicious sites – and should be scored, and managed accordingly.
Hash / Shortener Data Feed enhances a system’s protection beyond IP and Domain reputation data.
PRODUCT OVERVIEW
SURBL – Hash / Shortener Feed
Recently, shortened url’s are being used by cybercriminals to obfuscate and hide the intended ‘bad domain’, to avoid filters and blocklists. Hash / Shortener Feed from SURBL will help detect threats not caught by traditional domain blocklists. The feed recognizes abused shorteners, abused cloud services, storage platforms, and more.
HashBL is a new service to identify known bad URIs such as shortener URIs whose domain may have legitimate purposes. SURBL provides domain intelligence in the form of zone files and other data files that enumerate hosts used in spam malware phishing or cracked websites.
Blocking by domain is so effective malicious actors have been using redirector and URI shortener services such as bit.ly to hide the target domain behind a shortener URI. The domain of the shortener service cannot be listed without triggering false positives as such services also have legitimate uses.
In order to address this new type of abuse, SURBL introduces HashBL a lookup service for identifying known malicious shortener URI. When a mail filter identifies a URI whose domain belongs to a shortener service, it can compute a hash code of the URI and look up this hash code against a DNS zone. If the URI is known as malicious this will be identified via the return code of the lookup.
Additional Hash Blocklist Feeds
SURBL HashBL provides a feed of hashes related to known malicious content. Hash feeds of email addresses, phone numbers, and crypto-wallets are now available for enhanced, precise protection.
Email Addresses
Cybercriminal often hide behind large, free email service providers or "free-mail" (Ex: Gmail or Yahoo). Systems cannot block these large domains without blocking millions of legitimate email users. SURBL HashBL now allows systems to block these specific known email addresses using hashes.
Phone Numbers
Using hashes can allow systems to filter emails containing phone number known to be involved in malicious activity. SURBL HashBL contains a list of hashes that can be used to block messages containing phone numbers, involved in scams and criminal activity.
Crypto-wallets
Cryptocurrency and crypto wallets are frequently abused for cybercrime. SURBL HashBL contains a feed of known, abused crypto wallets hashes. Systems can now use this feed to protect their users from connecting with these fraudulent crypto wallets.
SURBL HASH / SHORTENER FEED
Key Features and Benefits
Additional Coverage: Blocking compromised shorteners, URIs, and content that are often missed using traditional IP and Domain Block Lists.
User Submissions: Ability for subscribers to submit new shorteners and abused shortener links
Updated Continuously: System and users are protected from bad domains within a minute of discovery.
Near-Zero False Positives: Extremely accurate data allows your team to focus on their goals, not waste time with
Reduce Risk: Enhanced protection can save your organization a lot of trouble from accessing domains involved in ransomware, phishing,
Flexible Delivery Options: Organizations can choose which option works best for their workflow. Via Rsync, CSV file drops, or private query service
SpamAssasin Plug-In Available: Current SpamAssassin customers may utilize existing plug-in configuration file to query the SURBL Hash Blocklist feed.
Sample Hash / Shortener Feed
Redirector abuse –
[xxx@v2.surbl]# wget https://bit.ly/3qAv9Nr
–2022-09-07 08:23:09– https://bit.ly/3qAv9Nr
Resolving bit.ly… 67.199.248.11, 67.199.248.10
Connecting to bit.ly|67.199.248.11|:443… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: http://ztljz.keenshaky.link/235256643562325363523763622 [following]
–2022-09-07 08:23:09– http://ztljz.keenshaky.link/235256643562325363523763622
Resolving ztljz.keenshaky.link… 45.67.34.199
Result for keenshaky.link:
Listed under: FRESH
Monday, 05-Sep-22 01:15:57 GMT (1662340557)
Result for keenshaky.link:
Listed under: ABUSE
Target blocked in FRESH and ABUSE
Start your free trial.
Design the best set of data feeds to meet your needs!
Experience improved cybersecurity and stop phishing emails, ransomware, malware, and other cyber threats. Sign up for your free consultation and receive an in-depth technical deep dive and a 30-day free trial.
