What is SURBL aka URL scanning

Scan for URLs with phishing or malware

URL scanning of mail body


E-mails do not always come with weaponised payloads or attachments, sometimes all it takes to hurt you is just a malicious link which apparently leads to a banking or some trusted website with a typo or spelling error in the domain or some such thing.

Phishing or suspicious links could often be HTTP but some may even have a valid certificate that the browser misses warning you. In general applying the principle of suspicion for any browsing or serious action like sharing personal credentials like passwords, credit card numbers or bank account details is vital here.

In case you end up downloading some malware or end up losing money then this link if sent through email , it will be as harmful as an attachment that executes on your desktop. So URL scanning or SURBL is additional layer of protection that SpamCheetah employs to safeguard you from online abuse.

As mentioned above, social engineering attacks cannot be prevented with technology, so exercising utmost caution before clicking at links, checking the link at bottom of browser and looking for obvious bad domains is a great skill to have for one and all. As attackers are getting smarter with PKI technology and stricter security enforcements attacks are also getting harder to succeed.

The ability to scan all the URLs in an e-mail means deconstructing the MIME envelope, enumerating all the clickable links and running the malware link test against each link is to be done. This ensures that no suspicious or known weaponized payload is downloaded by clicking at e-mails.

SURBL URL scanning for suspicious payloads

SURBL test is vital to safeguard against phishing attacks and malware distributed through URLs in email.

SURBL test is essential part of any serious spam control product. Using this API service we can identify dangerous or potentially harmful download links.

SURBL is the URL block list that is similar to the relay blackhole list that all spam control products use to identify spammy mail sending hosts. In case of SURBL the concept is that the URL Is one of

And you can figure out if a URL in the email payload is spammy by doing a DNS query just like we find out the sender score .

However the challenge is to fish out all the links in the email be the mail HTML or plain text and ferret out the clickable links. Once you get them, SpamCheetah uses an API service to check if the link is malicious.

The way the detection algorithm works is even if the mail has a 100 links and one is bad the entire mail is dropped. I guess that is fair game since no legitimate human generated mail can have them.

Moreover just like malware attachments can harm your computer and network and infrastructure and other IT assets, links can be just as bad if not worse. In today’s world of high speed Internet most emails have links to sites like dropbox or some file sharing site.

SURBL checking happens with every mail passing through SpamCheetah. So by protecting you from clicking at dangerous links the mails containing them are dropped or quarantined which get deleted eventually.

URL scanning previously called as SURBL test is vital for stopping link based spam. But since most customer environments have a very high speed Internet access, most attackers nowadays use links for attacking victims be it spearphishing or any other form of attack.

SpamCheetah uses the API service at Abuse.ch for scanning suspicious URLs.

How does it work?

To scan a URL , first all URLs in the e-mail are extracted and then each URL is queried using a submission query. Once the queries are submitted, then the results are made available through status queries and suspicious URLs are flagged.

If the email contains even one suspicious URL the entire email is dropped or quarantined based on admin configuration in SpamCheetah web interface.

Each URL or URI to be precise is sent one by one to the API endpoint which tells us if the URI is good or known to contain malware and if all links are found safe then mail is passed.

The SURBL test will be increasingly relevant in coming years since as of 2021 the third party services where you can easily host malware for free are far more prevalent and viable than it was before, so attack vectors are shifting in favor of URL based malware attacks than through attachments. Of course phishing is only possible through the web browser or the phone browser, no phishing attack can happen with an attachment.

Can it stop phishing?

URL scanning does have the capability to stop 90% of all phishing attacks. Most phishing links are transmitted using spamming botnets or already blacklisted IP addresses and SpamCheetah has both built in.

Greylisting arrests the botnet spew and most phishing emails do not even get in. And blacklisting allows known spam sources to never talk to company mail server. Thereby SpamCheetah already builds a layer of protection for phishing attacks.

URL scanning is one more layer to safeguard you.

Despite all this, please apply common sense whilst reading an email asking you to share confidential banking information. If someone asks for your bank account, please apply caution. Common sense is by far the most effective tool against online abuse.

Can it stop malware?

Yes whenever malware gets distributed through links URL scanning does help. But malware needs an environment to run. After clicking the link to malware only when you run the malware it spreads and causes harm.

By cleaning all malware links SpamCheetah protects you from hazardous payloads that can harm your network.

Malware and links that host them are always evolving, changing and it takes time to detect new compromises. But the tools at our disposal and technologies to share new attack vectors are all network enabled and there are probes worldwide that share information instantly across and so as attacks evolve so do we as defense experts.

E-mail spam control is not very different from security products that keep evolving as threats evolve. And URLs as new method of transmission need to be stopped effectively using the same methods employed to pump them for cheap in the first place.

In this context it is helpful to enable greylisting if not already done.

Though there is some initial pain with greylisting it effectively and quite efficiently deals with many families of attacks in the email world.

In case you find some URL slipping in then please feed spam to SpamCheetah using the mailbot feature.

If attack persists then please contact us

Phishing in particular spearphishing is almost impossible to prevent since they are crafted by humans targeting specific high powered individuals. But other categories of phishing attacks are covered by the URL scanning or SURBL feature described in this page.