The Spamhaus Project

Using the SBL and XBL against spamvertized URLs

by The Spamhaus Team, June 27, 2008, 2 minutes reading time

Many people use our SBL and XBL lists to guard their mail infrastructure against the incoming floods of spam. While we encourage all SBL-XBL users to switch to ZEN for checking the connecting IP, the SBL-XBL combination still has a very powerful but lesser-known application: checking the spamvertized URLs in the message content.

While the spam-emitting bots move around at a high pace, most websites mentioned in spam are a lot easier to pin down, because not many networks want to host them. You will find that the majority of the IP addresses that host spamvertized websites (or provide DNS for them) are listed in the SBL. So if a mail is sent from an infected machine that is not yet listed, you can still check whether the spamvertized URL is hosted on, or gets DNS service from, an SBL-listed IP address. The same goes for spamvertized domains that are not yet on URL-based blacklists like SURBL: if they are hosted on SBL-listed IP addresses, you can safely assume the message is spam.

If you plan to do this, please make sure that you only use the SBL or the SBL-XBL combination for it. Checking website addresses against ZEN might produce false positives, because some legitimate websites are hosted on PBL-listed addresses, and the PBL is included in ZEN. Why? Simply because the PBL policy states that no mail will be emitted from those addresses; it does not mean that those IP addresses should not run web or DNS servers. So for URL checks, stick to the SBL or the SBL-XBL combination.

Adding XBL is particularly interesting in this case to catch fast-flux hosted websites. Our users report very good results in catching fast-flux hosted URLs when adding XBL to the URL checks.
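As an added illustration (not Spamhaus code), this Python sketch pulls the URL hostnames out of a message body, collects the web and nameserver addresses for each, and checks them against a zone with the usual reversed-octet DNSBL query; it also shows the ZEN false positive described above. The DNS answers and listings are constructed samples standing in for live lookups, and the hostnames and RFC 5737 addresses are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample DNS data standing in for live lookups (RFC 5737 test addresses).
A_RECORDS = {
    "cheap-pills.example": ["192.0.2.10"],        # spamvertized site
    "ns1.bulletproof.example": ["203.0.113.7"],   # its nameserver, on an SBL-listed host
    "shop.example": ["198.51.100.20"],            # legitimate shop on a PBL (no-mail) range
    "ns.shop.example": ["198.51.100.53"],
}
NS_RECORDS = {
    "cheap-pills.example": ["ns1.bulletproof.example"],
    "shop.example": ["ns.shop.example"],
}
# Constructed DNSBL state: query names that would come back with a listing.
LISTED = {
    "7.113.0.203.sbl-xbl.spamhaus.org",
    "7.113.0.203.zen.spamhaus.org",     # ZEN includes the SBL, so the same hit appears
    "20.100.51.198.zen.spamhaus.org",   # PBL listing surfaces only through ZEN
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def dnsbl_query_name(ip, zone):
    """Build the reversed-octet query name, e.g. 192.0.2.10 -> 10.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def hosts_in_body(body):
    """Hostnames of every http(s) URL found in the message text, deduplicated."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)

def ips_for_host(host, a=A_RECORDS, ns=NS_RECORDS):
    """Addresses serving the site plus the addresses of its nameservers."""
    ips = list(a.get(host, []))
    for server in ns.get(host, []):
        ips += a.get(server, [])
    return ips

def listed_hosts(body, zone, is_listed=lambda q: q in LISTED):
    """Map each URL hostname to the web/DNS IPs that the given zone lists."""
    hits = {}
    for host in hosts_in_body(body):
        bad = [ip for ip in ips_for_host(host) if is_listed(dnsbl_query_name(ip, zone))]
        if bad:
            hits[host] = bad
    return hits

SAMPLE = "Buy now at http://cheap-pills.example/buy?x=1 or visit https://shop.example/ today"
```

In a real filter, `is_listed` would perform the DNS query (for example with dnspython), and the A and NS tables would be replaced by live resolution.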

Lots of spam filtering software already has the ability to check spamvertized URLs against our lists. SpamAssassin and its URI_SBL rule are widely used for this, as is SpamBouncer. (Aug 2008: rule now called URIBL_SBLXBL.) Also see our page on Effective Spam Filtering and our FAQ on DNSBL Usage.