Newest threat feed from SURBL

SURBL – Hash / Shortener Feed

SURBL Hash Blocklist kicks in where IP and domain blocklists stop.  

Systems are now able to filter based on hash strings of email content. Blocking based on hashes allows for enhanced, precise protection beyond traditional IP and domain based filters. SURBL Hash BL allows blocking of known, malicious redirectors / shortened URIs, crypto-wallets, email addresses and phone numbers. 

SURBL’s Hash / Shortener Feed provides a dynamic, current list of bad shortened domains (including major shorteners, like and These shortened domains can ultimately direct to known bad / malicious sites – and should be scored, and managed accordingly.

Hash / Shortener Data Feed enhances a system’s protection beyond IP and Domain reputation data. 


SURBL – Hash / Shortener Feed

Cybercriminals have recently been using shortened URLs to obfuscate and hide the intended ‘bad domain’ and so avoid filters and blocklists. The Hash / Shortener Feed from SURBL helps detect threats not caught by traditional domain blocklists. The feed recognizes abused shorteners, abused cloud services, storage platforms, and more.

HashBL is a new service to identify known bad URIs, such as shortener URIs, whose domain may have legitimate purposes. SURBL provides domain intelligence in the form of zone files and other data files that enumerate hosts used in spam, malware, phishing, or cracked websites.

Blocking by domain is so effective that malicious actors have been using redirector and URI shortener services such as to hide the target domain behind a shortener URI. The domain of the shortener service cannot be listed without triggering false positives, as such services also have legitimate uses.

To address this new type of abuse, SURBL introduces HashBL, a lookup service for identifying known malicious shortener URIs. When a mail filter identifies a URI whose domain belongs to a shortener service, it can compute a hash of the URI and look that hash up against a DNS zone. If the URI is known to be malicious, the return code of the lookup indicates this.
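The lookup flow described above, as an added example that is not SURBL's own code. The zone name, shortener list, SHA-1/hex hashing of `host/path`, and the meaning of a 127.0.0.x answer are assumptions, since the page does not specify them; DNS is replaced by a constructed in-memory resolver so the example runs offline.

```python
import hashlib
from urllib.parse import urlsplit

# Assumptions (not from the SURBL page): zone name, shortener list, SHA-1/hex
# encoding, and the meaning of the 127.0.0.x answer are all placeholders.
HASH_ZONE = "hashbl.example.invalid"
SHORTENERS = {"short.example", "sho.rt.example"}


def normalize(uri):
    """Return 'host/path' for a shortener URI, or None if the host is not one."""
    parts = urlsplit(uri if "://" in uri else "http://" + uri)
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in SHORTENERS:
        return None
    # Shortener paths are case-sensitive, so only the host is lowercased.
    return host + (parts.path or "/")


def query_name(uri):
    """Build the DNS name to look up, or None when no hash lookup applies."""
    key = normalize(uri)
    if key is None:
        return None
    digest = hashlib.sha1(key.encode("utf-8")).hexdigest()
    return f"{digest}.{HASH_ZONE}"


def check(uri, resolve):
    """resolve(name) -> list of A records ([] for NXDOMAIN). Returns a verdict."""
    name = query_name(uri)
    if name is None:
        return "not-a-shortener"
    answers = resolve(name)
    # DNSBL convention: any 127.0.0.x answer means listed; NXDOMAIN means not.
    listed = [a for a in answers if a.startswith("127.0.0.")]
    return "listed" if listed else "not-listed"


# Constructed stand-in for the DNS zone so the example runs offline.
_FAKE_ZONE = {query_name("https://short.example/AbC123"): ["127.0.0.2"]}


def fake_resolve(name):
    return _FAKE_ZONE.get(name, [])
```

Because only the specific URI hash is queried, the shortener's own domain never has to be listed, which is how the false-positive problem described above is avoided.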


Additional Hash Blocklist Feeds

SURBL HashBL provides a feed of hashes related to known malicious content. Hash feeds of email addresses, phone numbers, and crypto-wallets are now available for enhanced, precise protection. 

Email Addresses

Cybercriminals often hide behind large, free email service providers, or "free-mail" (e.g. Gmail or Yahoo). Systems cannot block these large domains without blocking millions of legitimate email users. SURBL HashBL now allows systems to block these specific known email addresses using hashes.

Phone Numbers

Using hashes allows systems to filter emails containing phone numbers known to be involved in malicious activity. SURBL HashBL contains a list of hashes that can be used to block messages containing phone numbers involved in scams and criminal activity.


Cryptocurrency and crypto wallets are frequently abused for cybercrime. SURBL HashBL contains a feed of hashes of known, abused crypto wallets. Systems can now use this feed to protect their users from connecting with these fraudulent crypto wallets.


Key Features and Benefits

Additional Coverage: Blocking compromised shorteners, URIs, and content that are often missed using traditional IP and Domain Block Lists.

User Submissions: Ability for subscribers to submit new shorteners and abused shortener links

Updated Continuously: Systems and users are protected from bad domains within a minute of discovery.

Near-Zero False Positives: Extremely accurate data allows your team to focus on their goals, not waste time with 

Reduce Risk: Enhanced protection can save your organization a lot of trouble from accessing domains involved in ransomware, phishing, 

Flexible Delivery Options: Organizations can choose which option works best for their workflow: Rsync, CSV file drops, or a private query service.

SpamAssassin Plug-In Available: Current SpamAssassin customers may use the existing plug-in configuration file to query the SURBL Hash Blocklist feed.

Sample Hash / Shortener Feed

Redirector abuse –
[xxx@v2.surbl]# wget
--2022-09-07 08:23:09--
Connecting to||:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: [following]
--2022-09-07 08:23:09--


Result for

Listed under: FRESH
Monday, 05-Sep-22 01:15:57 GMT (1662340557)

Result for

Listed under: ABUSE

Target blocked in FRESH and ABUSE

