SURBL – Multi

SURBL Multi is a composite feed of current, active bad domains. You get accurate threat data on malicious domains in real time with near-zero false positives that includes up-to-date intel on malware, phishing, botnets, spam domains, and other cyber threats.

SURBL Multi is highly effective at controlling hard-to-detect phishing and botnet domains. The SURBL Multi datafeed contains approximately 1,500,000 current, active malicious domains and is updated continuously. Data can be delivered:

  • As an rsync datafeed 
  • As wild, CSV formats
  • Via Private Query Service (PQS), which requires keyed access to private servers

    ‘Multi’ dataset:
  • SURBL’s comprehensive feed of current bad domains, including a real-time, actionable list of domains associated with malware, phishing, botnets, and spam
    • Consists of approx. 1.5 mil – 2.0 mil current, active, bad domains
    • Continuously updated (every 1-2 minutes)
    • Currently used to protect over 1 Billion users
    • Highly regarded as the Industry’s most comprehensive & accurate list of ‘bad’ domains

SURBL Sublists

  • Phishing sites (PH): This list contains phishing data from multiple sources and is included in the PH phishing data source. Phishing data was first provided by MailSecurity, later joined by PhishTank data, OITC phishing data, PhishLabs data, and several other sources.
  • Malware sites (MW): This list contains data from multiple sources covering sites that host malware. This includes OITC, the DNS blackhole malicious site data from and Malware Domain List. Some cracked hosts are also included in MW since many cracked sites also have malware. Note that this is only a sampling of many different malware data sources in MW.
  • Cracked sites (CR): This list contains data from multiple sources that cover cracked sites. Cybercriminals steal credentials or abuse vulnerabilities in CMSs, like WordPress or Joomla, to break into websites and add malicious content. Often, cracked pages will redirect to spam sites or to other cracked sites. Cracked sites usually still contain the original legitimate content and may still be mentioned in legitimate emails, besides the malicious pages referenced in spam.
  • Combined SURBL list: All of the SURBL data sources are combined into a single, bitmasked list. Bitmasking means that there is only one entry per domain name or IP address, but that entry resolves to an address (DNS A record) whose last octet indicates which lists it belongs to. The bit values in that last octet that indicate membership in the different lists are:
    • 8 = listed on PH
    • 16 = listed on MW
    • 64 = listed on ABUSE: JP, SC, AB
    • 128 = listed on CR 
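
The bitmask decoding described above, as an added Python example (not SURBL's own code). The function names are hypothetical, the sample addresses are constructed, and treating a name that does not resolve as "not listed" is an assumption.

```python
import ipaddress
from enum import IntFlag


class SurblList(IntFlag):
    """Bit values for the combined list's last octet, as given in the list above."""
    PH = 8       # phishing sites
    MW = 16      # malware sites
    ABUSE = 64   # ABUSE: JP, SC, AB
    CR = 128     # cracked sites


KNOWN_BITS = 8 | 16 | 64 | 128


def decode_a_record(a_record):
    """Return (lists, unknown_bits) for one A record from the combined list.

    a_record is the dotted-quad string from the DNS answer, or None when the
    name did not resolve (assumed here to mean the domain is not listed).
    """
    if a_record is None:
        return SurblList(0), 0
    addr = ipaddress.IPv4Address(a_record)  # raises ValueError on malformed input
    octet = addr.packed[-1]
    # Bits outside the documented table are reported separately, not dropped.
    return SurblList(octet & KNOWN_BITS), octet & ~KNOWN_BITS & 0xFF


def list_names(a_record):
    """Names of the sublists an answer maps to, in ascending bit order."""
    lists, _ = decode_a_record(a_record)
    return [member.name for member in SurblList if member in lists]


if __name__ == "__main__":
    # Constructed sample answers, not real lookups.
    for answer in ("127.0.0.24", "127.0.0.128", "127.0.0.66", None):
        lists, unknown = decode_a_record(answer)
        print(answer, list_names(answer), "undocumented bits:", unknown)
```

Because one entry can carry several bits, a filter should test each bit it cares about rather than compare the whole octet to a single value.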

Using SURBL Multi Data

SURBL Multi data can be directly plugged into existing solutions and used to detect and prevent malicious domains. This blockable, actionable threat intelligence feed is suited for use in:

  • DNS firewall
  • Email filtering
  • Security alerts
  • Phishing protection
  • Malware detection
  • Infected hosts, infected users
  • Identifying bot infections
  • Enhancing anti-phishing, anti-malware
  • Web filtering
  • Social media filtering
  • Email antispam filters
  • DNS Firewall/RPZ
  • URL shorteners 
  • SIEM 
