SURBL
Level 1
The SURBL event checks each message against the databases on the configured SURBL servers to see if the sending server is included on the SURBL list. If it is included, the message is blocked. SURBL servers may be added or removed from the active list as desired. (It is not recommended to have more than two SURBL servers active at the same time, as the extra lookups may extend the scanning time.)
You have the option to do any of the following: Block the message, Quarantine the message, Notify the sender, Notify the recipient(s), and/or Notify the administrator.
Level 2
The SURBL server that we recommend using is multi.surbl.org.
SURBL uses DNS lookups to check against their blacklists.
To understand how this process works we need to first understand how normal DNS works. For example, if I type google.com in my web browser, the browser does a DNS lookup to find the IP address for google.com. Once I have the IP address, my browser can access the resources for the web page. Think of a DNS server as a phone book: it ties names to internet addresses.
RBL/SURBL works much the same way, with a few exceptions. If the URI 'www.freeviagra.com' appears in an email, GWAVA contacts its DNS server and asks it to do a lookup on 'freeviagra.com.multi.surbl.org' (notice the SURBL server appended to the domain). The DNS server will in the end contact multi.surbl.org and ask if it recognizes that domain. Multi.surbl.org will return a simple yes, I recognize that domain (meaning block it, because it is on my blacklist), or no, I don't recognize that address (meaning that domain is not blacklisted). DNS is merely the method used to check their blacklists.
It is not recommended to quarantine SURBL, as there are very few false positives. Use the 4-state locks to never quarantine: close the lock next to the quarantine option with 'Quarantine the message' unchecked. This will prevent any messages that fire on this SURBL event from being quarantined, even if they fire on another event that is set to be quarantined. This will help reduce the amount of spam in your QMS and Digest reports.
Using the SURBL server black.uribl.com can cause a lot of false positives. It is not recommended to use this server.
If the SURBL lookups are taking a long time to return, then most likely there is a DNS issue. Try using a different DNS server to see if that speeds things up.
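The lookup described above, and the timing check for slow lookups, as an added Python example (not GWAVA's own code). It assumes the usual DNS blocklist convention that a listing is answered with an address in 127.0.0.0/8; fake_resolve and its answer values are constructed so the example runs offline.

```python
import socket
import time
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"  # the server this page recommends
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def query_name(uri, zone=SURBL_ZONE):
    """Build the DNS name that is looked up for a URI found in a message."""
    host = urlsplit(uri if "//" in uri else "//" + uri).hostname or ""
    labels = host.rstrip(".").lower().split(".")
    # Assumption: the last two labels are the base domain. Names under
    # two-level suffixes such as co.uk need a suffix list instead.
    return ".".join(labels[-2:]) + "." + zone


def check_uri(uri, zone=SURBL_ZONE, resolve=socket.gethostbyname):
    """Return (verdict, answer, seconds); `resolve` can be swapped for tests."""
    name = query_name(uri, zone)
    start = time.monotonic()
    try:
        answer = resolve(name)
    except socket.gaierror as exc:
        elapsed = time.monotonic() - start
        # No such name means not listed; any other error is a DNS problem.
        if exc.errno in NOT_FOUND:
            return "not listed", None, elapsed
        return "lookup failed", None, elapsed
    elapsed = time.monotonic() - start
    # DNS blocklists signal a hit with an A record inside 127.0.0.0/8.
    verdict = "listed" if answer.startswith("127.") else "not listed"
    return verdict, answer, elapsed


def fake_resolve(name):
    """Constructed stand-in for a DNS resolver so the example runs offline."""
    if name == "surbl-org-permanent-test-point.com.multi.surbl.org":
        return "127.0.0.2"  # constructed answer value
    if name.startswith("slow-resolver."):
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    raise socket.gaierror(socket.EAI_NONAME, "name not known")


if __name__ == "__main__":
    for uri in ("http://surbl-org-permanent-test-point.com/",
                "www.example.com", "http://slow-resolver.example/"):
        verdict, answer, secs = check_uri(uri, resolve=fake_resolve)
        print(f"{query_name(uri)}: {verdict} ({answer}, {secs:.3f}s)")
```

Calling check_uri without the resolve argument uses the system resolver, so the returned seconds value shows how long the configured DNS server takes to answer.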
Hands On
1) Log into the GWAVA Management Web Page and go to Scanner/Policy Management | policy | scanning configuration | SURBL
2) Make sure 'Enable SURBL test' and 'Block the message' are checked.
3) Make sure you have the recommended free SURBL server in the server list, which is: multi.surbl.org.
4) Send a test message via telnet with 'http://surbl-org-permanent-test-point.com/' in the message body, or any URL that will fire on SURBL.
5) After the message has been sent, check the GWAVA/support log (/opt/beginfinite/gwava/services/logs/gwava/support) to ensure the SURBL event fired.