Spam URI Realtime Blacklist (SURBL)
A Universal Resource Identifier (URI) is a standard means of addressing resources on the Web. Common URIs such as Uniform Resource Locators (URLs) and Uniform Resource Names (URNs) are used to identify the destination of hypertext links as well as the sources of images, information and other objects in a web page. URLs are most commonly used in web sites but can also be included in an email message body, e.g. to attract new visitors to a web site.
SURBLs differ from most other RBLs in that they are used to detect spam based on message body URIs. Unlike most other RBLs, SURBLs are not used to block spam senders. Instead, they allow you to block messages whose bodies mention spam hosts (e.g. web servers, domains, web sites).
Screenshot 43 - Spam URI Realtime Blacklist properties
To enable the SURBL check:
- Right-click on the Anti Spam > Spam URI Realtime blacklist node and select Properties.
- In the default opening page, mark the 'Check if mail message contains URLs with domains that are in these blacklists:' option to enable the SURBL check on inbound messages.
- In the available list, mark the blacklists to be used as reference when checking messages with the SURBL function. For example, if you mark sc.surbl.org, the domains of the URLs in the message body are compared against the sc.surbl.org blacklist. If the message contains URLs with domains that are on the selected blacklist, it is marked as spam.
- When ready, click on the Apply button.
NOTE: You can test the connection to the selected SURBL providers by clicking on the Test button.
NOTE: To add more SURBLs, click on the Add button, specify the full name of the domain (e.g. URIBL.com) containing the blacklist and click on the OK button to accept the new entry.
TIP: Multi.surbl.org combines the following lists into a single list:
- sc.surbl.org
- ws.surbl.org
- phishing data source from mailsecurity.net.au
- phishing data source from fraud.rhs.mailpolice.com
- ob.surbl.org
- ab.surbl.org
- jp data source
This means that multi.surbl.org includes all other SURBL lists already listed in GFI MailEssentials 11, as well as two other sources. Hence you can enable only multi.surbl.org for SURBL checks, which has the following advantages:
- You need to click only one blacklist.
- You would have 2 extra sources against which the URLs/domains are being checked.
- Multi.surbl.org has a unique list with no re-occurrence (i.e. a domain will appear only once in multi.surbl.org even if it is found in more than 1 list), thus it is faster than using the other four lists simultaneously (due to re-occurrence).
NOTE: When enabling multi.surbl.org it is recommended to disable all other SURBL lists in the configuration; otherwise the same scan will be performed more than once (in different lists), leading to lengthy mail processing.
NOTE: The disadvantages of using multi.surbl.org only are:
- You might have a higher rate of false positives since more blacklists are present.
- The entries present in multi.surbl.org list have a higher (6 hours) TTL (Time to live) than those present in other lists (sc.surbl.org entries TTL is 10 minutes). This means that you might encounter some false positives.
- If for some reason the multi.surbl.org list is not reachable, no checks will be performed.
TIP: If SURBL is giving a lot of false positives, it is suggested that you try disabling multi.surbl.org and enabling the other 4 SURBL lists. You can try reducing the number of lists enabled in the SURBL filter whenever the rate of false positives is high.
For more information on SURBL lists, please refer to http://www.surbl.org/lists.html.
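The check described in this section, including the unreachable-list case noted above, sketched in Python as an added example (this is not GFI MailEssentials code). The suffix-based domain candidates, the 127.x answer test, the function names and the sample body and list are assumptions of this sketch; real clients reduce hosts to the registered domain using a TLD list.

```python
import re
import socket
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\[\]]+", re.IGNORECASE)
SAMPLE_BODY = "Buy: http://www.spam-example.test/x or see https://news.example.org/a"
SAMPLE_LISTED = {"spam-example.test.multi.surbl.org"}  # constructed stand-in list

def body_hosts(body):
    """Unique, lower-cased host names of the http(s) URLs in a message body."""
    hosts = []
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").rstrip(".,;")
        except ValueError:  # malformed URL: ignore it
            continue
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def candidates(host):
    """Domain suffixes of host with two or more labels, shortest first."""
    if host.replace(".", "").isdigit():
        return []  # dotted-quad IP hosts are out of scope for this sketch
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 2, -1, -1)]

def dns_lookup(name):
    """Default resolver: a 127.x answer means listed, NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:  # name does not exist in the zone
            return False
        raise  # timeout or server failure: the list could not be consulted

def surbl_check(body, zone="multi.surbl.org", lookup=dns_lookup):
    """Return ('spam', domain), ('clean', None) or ('unchecked', None)."""
    seen = set()  # each domain is queried once per message
    try:
        for host in body_hosts(body):
            for domain in candidates(host):
                if domain not in seen:
                    seen.add(domain)
                    if lookup(f"{domain}.{zone}"):
                        return ("spam", domain)
    except OSError:  # list unreachable: nothing was verified
        return ("unchecked", None)
    return ("clean", None)
```

Passing a different `zone` (for example sc.surbl.org) checks the same domains against another list; an "unchecked" result is worth logging separately from "clean", since the message passed without being verified.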
Actions tab
After you have specified which SURBLs will be referenced, click on the Actions tab to specify what you want to do with emails marked as spam by this filter. For more information on possible actions, please refer to the 'Actions - what to do with spam mail' section in this chapter.
Other tab
Please refer to the 'Other options' section in this chapter.