This was originally posted by sdietz on the old forum, but was not migrated over!
The Malwareurl active list is a CSV imported from http://www.malwareurl.com/export.php. The Malwareurl Active list has four columns. The First Column is BadIP which is the IP address of the malicious IP listed on Malwareurl.com this is also the key field in the active list. The second column is called Domain this is the malicious domain listed on Malwareurl.com. The third column is called the Discovery date and it is the date the Domain was added to the Malwareurl.com site. The last column is the description column which is a brief description/categorization of the Malware domain/IP ex. Rouge Antivirus, LuckySploit, Trojan, Redirects to Exploits. etc..
There are rules and filters that try to match inbound and outbound connections against the active lists. If there is a match the rule pulls all the contextual information out of the active list.