DaemonForums  

Old 13th May 2008
J65nko

1. Script to test whether an IP address has been listed in a DNSBL
  • 1.1 Introduction
  • 1.2 Manual DNSBL list check
  • 1.3 The 'blcheck' shell script
  • 1.4 Examples of correct and incorrect usage
  • 1.5 The role of 'sed'
  • 1.6 Explanation of the 'sed' regular expression
  • 1.7 Alternative approach for this rather long regex
1.1 Introduction

If you run a mail or a web server it is nice to know in time whether the IP address of your server has been submitted to a so-called DNSBL list. Being listed can mean that one of your network boxes, or a site you host on your webserver, has been compromised and is sending out spam.

Many administrators find out the hard way that their server has been blacklisted. Customers or users complain about their mail not being accepted by their recipients. Checking the mail logs then usually reveals a pointer to a URL which states something like this:
Code:
IP Address 1.2.3.4 was found in the CBL.

It was detected at 2007-06-16 20:00 GMT (+/- 30 minutes), approximately
8 hours ago.

ATTENTION: This IP has an open web or socks proxy which is being
hijacked by the 'DMS' spam tool to send spam. This is usually due
to proxy trojans being installed on your IP (or a machine "behind"
this IP if it is a NAT gateway) via the vulnerabilities described
in the Microsoft MS06-040 security bulletin. Please see the top
news item on our home page for more information.

You need to patch your system, find then fix/remove the proxy, and
then contact the CBL at xxxxx@xxxx.org to remove this listing.
This is why every responsible system administrator should check on a regular basis for being listed.

See http://en.wikipedia.org/wiki/DNSBL and the excellent http://www.spamhaus.org/dnsbl_function.html page for more information about these lists and their role in anti-spam policies.

1.2 Manual DNSBL list check

The organizations maintaining these lists have a page on their website where you can check if your server is on their list. For example http://www.spamhaus.org/lookup.lasso and http://www.spamcop.net/bl.shtml.

For a regular check however, for example to be run by 'cron', these facilities are not really helpful. And for a manual check of the IP address from the 'sh' command line you have to do quite some work too. Take as an example the IP address 125.175.43.40 that sent me a spam message. For a black list check of this address you have to perform the following steps:
  1. Reverse the address 125.175.43.40 to 40.43.175.125.

  2. Append the name of the blacklist.

    For the 'zen.spamhaus' list, that results in '40.43.175.125.zen.spamhaus.org'

  3. Resolve the resulting name in DNS with a DNS tool
    Code:
    $ dig 40.43.175.125.zen.spamhaus.org
    
    ; <<>> DiG 9.3.2-P1 <<>> 40.43.175.125.zen.spamhaus.org
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11694
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;40.43.175.125.zen.spamhaus.org.        IN      A
    
    ;; ANSWER SECTION:
    40.43.175.125.zen.spamhaus.org. 1800 IN A       127.0.0.4
    
    ;; Query time: 384 msec
    ;; SERVER: 192.168.222.10#53(192.168.222.10)
    ;; WHEN: Sat Jun 16 13:42:10 2007
    ;; MSG SIZE  rcvd: 64
    The 127.0.0.4 result means the address is on that list.

    A similar test but now for Spamcop:
    Code:
    $ dig 40.43.175.125.bl.spamcop.net
    
    ; <<>> DiG 9.3.2-P1 <<>> 40.43.175.125.bl.spamcop.net
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16727
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;40.43.175.125.bl.spamcop.net.  IN      A
    
    ;; ANSWER SECTION:
    40.43.175.125.bl.spamcop.net. 2100 IN   A       127.0.0.2
    
    ;; Query time: 141 msec
    ;; SERVER: 192.168.222.10#53(192.168.222.10)
    ;; WHEN: Sat Jun 16 13:58:33 2007
    ;; MSG SIZE  rcvd: 62
    Again the response is an address in the loopback 127.0.0.0/8 range, meaning it has been listed.

If you are familiar with reverse name lookups, you will have noticed that the same mechanism is used here. Instead of appending '.in-addr.arpa.' to the reversed IP, you use the name of the black list.

1.3 The 'blcheck' shell script

At the beginning of 2007 I saw an increase of spam in my Gmail spam folders. Because I wanted a comfortable way to find out whether this junk originated from black listed senders, I wrote the following script.
Code:
#!/bin/sh
# -- $Id: blcheck.xml,v 1.8 2007/06/17 23:38:00 j65nko Exp $ --

# Check if an IP address is listed on one of the following blacklists
# The format is chosen to make it easy to add or delete
# The shell will strip multiple whitespace

BLISTS="
    cbl.abuseat.org
    dnsbl.sorbs.net
    bl.spamcop.net
    zen.spamhaus.org
    combined.njabl.org
"

# simple shell function to show an error message and exit
#  $0  : the name of shell script, $1 is the string passed as argument
# >&2  : redirect/send the message to stderr

ERROR() {
  echo "$0 ERROR: $1" >&2
  exit 2
}

# -- Sanity check on parameters
[ $# -ne 1 ] && ERROR 'Please specify a single IP address'

# -- if the address consists of 4 groups of minimal 1, maximal 3 digits, separated by '.'
# -- reverse the order
# -- if the address does not match these criteria the variable 'reverse' will be empty
# -- note: this only checks the shape, an octet above 255 (e.g. 400) is not rejected

reverse=$(echo "$1" |
  sed -ne "s~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\4.\3.\2.\1~p")

if [ "x${reverse}" = "x" ] ; then
      ERROR  "IMHO '$1' doesn't look like a valid IP address"
      exit 1   # never reached: ERROR already exits with status 2
fi

# Assuming an IP address of 11.22.33.44 as parameter or argument

# If the IP address in $1 passes our crude regular expression check,
# the variable  ${reverse} will contain 44.33.22.11
# In this case the test will be:
#   [ "x44.33.22.11" = "x" ]
# This test will fail and the program will continue

# An empty '${reverse}' means that shell argument $1 doesn't pass our simple IP address check
# In that case the test will be:
#   [ "x" = "x" ]
# This evaluates to true, so the script will call the ERROR function and quit

# -- do a reverse ( address -> name) DNS lookup
REVERSE_DNS=$(dig +short -x "$1")

echo "IP $1 NAME ${REVERSE_DNS:----}"

# -- cycle through all the blacklists
for BL in ${BLISTS} ; do

    # print the UTC date (without linefeed)
    printf '%s' "$(env TZ=UTC date "+%Y-%m-%d_%H:%M:%S_%Z")"

    # show the reversed IP and append the name of the blacklist
    printf "%-40s" " ${reverse}.${BL}."

    # use dig to lookup the name in the blacklist
    # (deliberately unquoted in the echo: several answers are then joined on one line)
    LISTED="$(dig +short -t a ${reverse}.${BL}.)"
    echo ${LISTED:----}

done

# --- EOT ------
The script has been rather heavily commented and is available for downloading. The regular expression used by 'sed' will be explained in detail in another section.

1.4 Examples of correct and incorrect usage

Correct
Code:
$ ./blcheck 125.175.43.40

IP 125.175.43.40 NAME p4040-ipbf1108marunouchi.tokyo.ocn.ne.jp.
2007-06-17_01:11:05_UTC 40.43.175.125.cbl.abuseat.org.         127.0.0.2
2007-06-17_01:11:06_UTC 40.43.175.125.dnsbl.sorbs.net.         ---
2007-06-17_01:11:07_UTC 40.43.175.125.bl.spamcop.net.          127.0.0.2
2007-06-17_01:11:07_UTC 40.43.175.125.zen.spamhaus.org.        127.0.0.4
2007-06-17_01:11:12_UTC 40.43.175.125.combined.njabl.org.      ---

$ ./blcheck 80.100.2.99 

IP 80.100.2.99 NAME fia99-2-100.dsl.mxposure.nl.
2007-06-17_21:01:42_UTC 99.2.100.80.cbl.abuseat.org.           ---
2007-06-17_21:01:42_UTC 99.2.100.80.dnsbl.sorbs.net.           ---
2007-06-17_21:01:42_UTC 99.2.100.80.bl.spamcop.net.            ---
2007-06-17_21:01:43_UTC 99.2.100.80.zen.spamhaus.org.          ---
2007-06-17_21:01:43_UTC 99.2.100.80.combined.njabl.org.        ---

$ for X in 24.209.96.220 124.160.89.56; do ./blcheck $X; done

IP 24.209.96.220 NAME cpe-24-209-96-220.woh.res.rr.com.
2007-06-17_01:18:29_UTC 220.96.209.24.cbl.abuseat.org.         127.0.0.2
2007-06-17_01:18:29_UTC 220.96.209.24.dnsbl.sorbs.net.         127.0.0.10
2007-06-17_01:18:30_UTC 220.96.209.24.bl.spamcop.net.          127.0.0.2
2007-06-17_01:18:30_UTC 220.96.209.24.zen.spamhaus.org.        127.0.0.11 127.0.0.4
2007-06-17_01:18:30_UTC 220.96.209.24.combined.njabl.org.      127.0.0.3
IP 124.160.89.56 NAME ---
2007-06-17_01:18:31_UTC 56.89.160.124.cbl.abuseat.org.         127.0.0.2
2007-06-17_01:18:31_UTC 56.89.160.124.dnsbl.sorbs.net.         ---
2007-06-17_01:18:31_UTC 56.89.160.124.bl.spamcop.net.          127.0.0.2
2007-06-17_01:18:31_UTC 56.89.160.124.zen.spamhaus.org.        127.0.0.11 127.0.0.4
2007-06-17_01:18:31_UTC 56.89.160.124.combined.njabl.org.      127.0.0.3

$ while true; do echo IP?; read IP; ./blcheck $IP; done

IP?
201.13.22.241
IP 201.13.22.241 NAME 201-13-22-241.dsl.telesp.net.br.
2007-06-17_23:12:10_UTC 241.22.13.201.cbl.abuseat.org.         127.0.0.2
2007-06-17_23:12:11_UTC 241.22.13.201.dnsbl.sorbs.net.         127.0.0.10
2007-06-17_23:12:11_UTC 241.22.13.201.bl.spamcop.net.          127.0.0.2
2007-06-17_23:12:11_UTC 241.22.13.201.zen.spamhaus.org.        127.0.0.11 127.0.0.4
2007-06-17_23:12:11_UTC 241.22.13.201.combined.njabl.org.      127.0.0.3
IP?
67.133.212.132
IP 67.133.212.132 NAME ;; connection timed out; no servers could be reached
2007-06-17_23:14:32_UTC 132.212.133.67.cbl.abuseat.org.        127.0.0.2
2007-06-17_23:14:33_UTC 132.212.133.67.dnsbl.sorbs.net.        ---
2007-06-17_23:14:34_UTC 132.212.133.67.bl.spamcop.net.         127.0.0.2
2007-06-17_23:14:34_UTC 132.212.133.67.zen.spamhaus.org.       127.0.0.4
2007-06-17_23:14:34_UTC 132.212.133.67.combined.njabl.org.     ---
IP?
^C
Incorrect and error message
Code:
$ ./blcheck
./blcheck ERROR: Please specify a single IP address

$ ./blcheck 1.2.3.4]
./blcheck ERROR: IMHO '1.2.3.4]' doesn't look like a valid IP address

$ ./blcheck 1.2.3.4 5.7.7.8
./blcheck ERROR: Please specify a single IP address
Incorrect (invalid octet 400), but no error message
Code:
$ ./blcheck 125.175.43.400

IP 125.175.43.400 NAME ---
2007-06-17_01:29:03_UTC 400.43.175.125.cbl.abuseat.org.        ---
2007-06-17_01:29:03_UTC 400.43.175.125.dnsbl.sorbs.net.        ---
2007-06-17_01:29:04_UTC 400.43.175.125.bl.spamcop.net.         ---
2007-06-17_01:29:04_UTC 400.43.175.125.zen.spamhaus.org.       ---
2007-06-17_01:29:04_UTC 400.43.175.125.combined.njabl.org.     ---
1.5 The role of 'sed'

To reverse the IP address the script uses 'sed'. The man page tersely describes this program as follows:
Code:
DESCRIPTION
     The sed utility reads the specified files, or the standard input if no
     files are specified, modifying the input as specified by a list of com-
     mands.  The input is then written to the standard output.

     A single command may be specified as the first argument to sed.  Multiple
     commands may be specified separated by newlines or semicolons, or by us-
     ing the -e or -f options.  All commands are applied to the input in the
     order they are specified regardless of their origin.
'sed' is one of the many text processing utilities which acts as a filter. It takes input, applies some commands to that input and sends the result to the standard output.
Code:
reverse=$(echo $1 |
  sed -ne "s~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\4.\3.\2.\1~p")
'reverse' is a variable which we fill with the output of a command.
Code:
reverse=$( command )
The '$( command )' construct is called command substitution and is the preferred alternative to the older construct which uses backticks:
Code:
reverse=`command`
The command in this case is echo $1 | sed -ne "......."

$1 is the IP address passed as argument to the 'blcheck' script and is echoed to standard output. The '|' pipe symbol causes it to be fed to 'sed' as standard input for processing.

The options used in calling 'sed':
Code:
-n            By default, each line of input is echoed to the standard output
              after all of the commands have been applied to it.  The -n option
              suppresses this behavior.

-e command    Append the editing commands specified by the command argument to
              the list of commands.
We only want to echo the reversed IP if the regular expression matches. That means we have to use the 'sed' 'p' command to force a print if the match and reversal have been successful.

1.6 Explanation of the 'sed' regular expression
Code:
s~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\4.\3.\2.\1~p
Starting at the beginning of the string '^' and starting storage in '\1', look for a sequence of at least 1, at most 3 digits, and store or remember it in container \1.

Then do something similar for the remainder of the IP address 3 times: Look for a leading period '.' and a sequence of at least 1, and a maximum of 3 digits and store each of these digit groups (octets) in the containers \2, \3 and \4.
Code:
s~^\([0-9]\{1,3\}\)\.

s 	: substitute/replace
~	: our own chosen delimiter denoting start of the subst. pattern
	: instead of the default "/"
^	: beginning of line (the shell will strip all leading whitespace )
\(	: start storing in the first container \1
[0-9]	: a character in the range 0-9, a digit
\{	: start of quantifier
1,3	: minimal one, maximal 3
\}	: end of quantifier
\) 	: end of storing in container \1
\.	: a literal period '.'
A "." is a so-called meta-character in regular expressions and stands for "any" character. Because we want to match a real literal '.' we have to escape it with a '\'.

The opposite is true for the quantifier indicators \{ and \} and the grouping indicators \( and \). Here the opening and closing brace and the '(', ')' have no special meaning in the regular expression language. To upgrade them to their special meaning, of start and stop storing, they need a leading "\".
Code:
\([0-9]\{1,3\}\)\.

\(	: start storing in next container \2
[0-9]	: a character in the range 0-9
\{	: start of quantifier
1,3	: minimal one, maximal 3
\}	: end of quantifier
\) 	: end of storing in container \2
\.	: a literal '.' escaped with '\'

\([0-9]\{1,3\}\)\.

\(	: start storing in next container \3
[0-9]	: a character in the range 0-9
\{	: start of quantifier
1,3	: minimal one, maximal 3
\}	: end of quantifier
\) 	: end of storing in container \3
\.	: a literal '.' escaped with '\'

\([0-9]\{1,3\}\)$

\(	: start storing in next container \4
[0-9]	: a character in the range 0-9
\{	: start of quantifier
1,3	: minimal one, maximal 3
\}	: end of quantifier
\) 	: end of storing in container \4
$	: end of string
We now have matched the 4 groups of digits of the IP address in four containers: '\1', '\2', '\3' and '\4'

We only stored the digit groups, not the separating periods or dots. Now we substitute and rearrange them in reverse order and re-insert the periods.

Note that in the search or matching pattern, the period "." is a special character, that needs to be escaped if we want to match a real period. That doesn't apply to the substitution or replacement. Here a period is just a plain normal period.
Code:
~\4.\3.\2.\1~p

~	: our custom delimiter, marking the end of the matching pattern, and start of
	  the substituting part
\4	: 4th digit group first
.	: a '.' has no special meaning in the replacement part, so it is not escaped with '\'
\3	: 3rd digit group
.	: a '.'
\2	: 2nd digit group
.	: a '.'
\1	: 1st digit group
.	: a '.'
p	: print the matched and substituted pattern
If the regular expression did not match, this substitution will not be done and nothing will be printed to standard output. So nothing would be stored in the variable 'reverse'.

1.7 Alternative approach for this rather long regex

Both 'awk' and its descendant 'perl' have an operator called 'split'. From the 'awk' man page:
Code:
     split(s, a, fs)  Splits the string s into array elements a[1], a[2], ...,
                      a[n] and returns n.  The separation is done with the
                      regular expression fs or with the field separator FS if
                      fs is not given.  An empty string as field separator
                      splits the string into one array element per character.
So you could split on the dots separating the 4 IP address octets and store the octets in 4 array elements. This is left as an exercise for the reader.

Both 'sed' and 'awk' are part of the base installation of all Unix-like operating systems, while 'perl' for example is not part of FreeBSD base and needs to be installed separately. This fact made me use 'sed' instead of 'perl' for this particular script.
Attached file: blcheck.sh (2.2 KB)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
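As an added example (not the blcheck.sh attached to this post), the same reverse-and-resolve procedure in POSIX sh, with two things the script above leaves out: each octet is checked to be in the range 0-255, so an address like 125.175.43.400 is rejected instead of being looked up, and the answer is classified the way RFC 5782 describes (any 127.0.0.0/8 address means listed, anything else is suspect). The dig answers in the demo are constructed, so it runs without network access.

```shell
#!/bin/sh
# Added example, not the thread's blcheck.sh.
# Builds the DNSBL query name for an IPv4 address and interprets the answer.

# reverse_ip ADDR
#   Prints the octets of ADDR in reverse order: 125.175.43.40 -> 40.43.175.125
#   Returns 1 (and prints nothing) unless ADDR is four decimal octets, each 0-255.
#   The original regex only checks the shape, so 125.175.43.400 slipped through;
#   here each octet is also compared numerically.
reverse_ip() {
    addr=$1
    # Reject anything but digits and dots, and any malformed dot placement
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split into octets on '.', without calling sed or awk
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ?|??|???) ;;          # 1 to 3 digits
            *) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$4.$3.$2.$1"
}

# dnsbl_name ADDR ZONE
#   Prints the fully qualified name to resolve, e.g.
#   dnsbl_name 125.175.43.40 zen.spamhaus.org -> 40.43.175.125.zen.spamhaus.org.
dnsbl_name() {
    rev=$(reverse_ip "$1") || return 1
    printf '%s.%s.\n' "$rev" "$2"
}

# classify_answer ANSWER
#   ANSWER is what 'dig +short -t a NAME' printed (empty when no record exists,
#   several addresses when the zone sets several flags). Prints one word:
#     not-listed  no A record
#     listed      every address is in 127.0.0.0/8, the DNSBL convention of RFC 5782
#     unexpected  anything else, e.g. a web server address from a zone whose
#                 domain expired; treat it as an error, not as a listing
classify_answer() {
    [ -n "$1" ] || { printf 'not-listed\n'; return 0; }
    for a in $1; do
        case "$a" in
            127.*) ;;
            *) printf 'unexpected\n'; return 0 ;;
        esac
    done
    printf 'listed\n'
}

# Constructed demo (values modelled on the thread's output); a real run would
# replace the literal answers with "$(dig +short -t a "$(dnsbl_name "$ip" "$zone")")".
demo() {
    for ip in 125.175.43.40 125.175.43.400; do
        if name=$(dnsbl_name "$ip" zen.spamhaus.org); then
            printf '%s -> %s\n' "$ip" "$name"
        else
            printf '%s -> rejected: not a valid IPv4 address\n' "$ip"
        fi
    done
    for answer in "127.0.0.11 127.0.0.4" "" "208.91.197.19"; do
        printf '[%s] -> %s\n' "$answer" "$(classify_answer "$answer")"
    done
}
```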

Old 13th May 2008
Carpetsmoker

Nice.

I added it to my periodic scripts, here's the script I used, maybe it's useful to other persons too:

/usr/local/etc/periodic/weekly/510.blcheck
Code:
#!/bin/sh -
#

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

case "${weekly_blcheck_enable}" in
        [Yy][Ee][Ss])
        rc=0
        echo ""
        echo "Checking for DNSBL:"
        for i in ${blcheck_ip}; do
                echo ""
                /bin/sh /root/blcheck.sh "${i}"
                status=$?

                # keep a non-zero status; inside the test below $? would already
                # be the result of the test itself, not of blcheck
                if [ "${status}" -ge 1 ]; then
                        rc=${status}
                fi
        done

        [ ${rc} -gt 1 ] && rc=1;;
                *) rc=0;;
esac

exit $rc

You will need to enable the script in /etc/periodic.conf. You will also need to specify the IP there with the "blcheck_ip" variable; you can specify multiple IPs, for example:
Code:
# 510.blcheck
weekly_blcheck_enable="YES"
blcheck_ip="82.93.23.199 76.162.25.203"
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Old 14th January 2013
pablovalcarcel

Questions about a blacklist IP checker script

A few days ago, I found in this forum a great and useful script to check from the command line if some IP address is listed on some blacklists: daemonforums.org/showthread.php?t=302.

The script itself describes how to perform these queries manually against a particular blacklist; the procedure consists of:
* Reverse the address 125.175.43.40 to 40.43.175.125.
* Append the name of the blacklist.
* (Sample) For the 'zen.spamhaus' list, that results in '40.43.175.125.zen.spamhaus.org'
* Resolve the resulting name in DNS with a DNS tool

Again the response is an address in the loopback 127.0.0.0/8 range, meaning it has been listed. Is this a standard or an RFC?

Why does this happen this way? Do all the blacklist DNS servers add blacklisted IPs with an IP in the address range 127.0.0.0/8?

I have tested and I got an output like this:
2013-01-11_15:08:54_UTC 30.75.194.82.bl.csma.biz. 208.91.197.19

If I query a blacklisted IP on a website (whatismyipaddress.com/blacklist-check) I get a question with that searcher.

Are blacklist servers using different ways to blacklist IP addresses?

If I get an IP different from 127.0.0.0/8, will it always be listed?

Thanks in advance for your help.
Old 14th January 2013
J65nko

http://en.wikipedia.org/wiki/DNSBL#DNSBL_queries describes that most DNSBLs return a 127.0.0.0/8 address as an indicator that the IP address has been listed in their database.
It also refers to RFC 5782 for the full technical details.

At this moment the 125.175.43.40 IP address is not listed at all:

Code:
$  ./blcheck 125.175.43.40                               
IP 125.175.43.40 NAME ---
2013-01-14_15:49:28_UTC 40.43.175.125.cbl.abuseat.org.         ---
2013-01-14_15:49:28_UTC 40.43.175.125.dnsbl.sorbs.net.         ---
2013-01-14_15:49:28_UTC 40.43.175.125.bl.spamcop.net.          ---
2013-01-14_15:49:28_UTC 40.43.175.125.zen.spamhaus.org.        ---
2013-01-14_15:49:28_UTC 40.43.175.125.combined.njabl.org.      ---
The 82.194.75.30 address is also not listed:
Code:
./blcheck 82.194.75.30                                
IP 82.194.75.30 NAME hs-443.dedicated.hostalia.com.
2013-01-14_15:55:39_UTC 30.75.194.82.cbl.abuseat.org.          ---
2013-01-14_15:55:39_UTC 30.75.194.82.dnsbl.sorbs.net.          ---
2013-01-14_15:55:41_UTC 30.75.194.82.bl.spamcop.net.           ---
2013-01-14_15:55:41_UTC 30.75.194.82.zen.spamhaus.org.         ---
2013-01-14_15:55:41_UTC 30.75.194.82.combined.njabl.org.       ---
Please describe exactly what you did to get the 2013-01-11_15:08:54_UTC 30.75.194.82.bl.csma.biz. 208.91.197.19 result.
Old 14th January 2013
pablovalcarcel

Hi again .

I have added some extra blacklists to your script to make a wider search.

I keep the query algorithm: LISTED="$(dig +short -t a ${reverse}.${BL}.)" and modify the printed output in order to filter later with grep -v "NOLISTADO" (NOTLISTED in your language).

I was surprised to obtain responses such as:
sudo ./blcheck.sh 82.194.86.158
IP 82.194.86.158 NAME server1.dnsaccesodirecto.com.

2013-01-14_16:21:09_UTC 158.86.194.82.bl.csma.biz. 208.91.197.19
What does this IP mean?


2013-01-14_16:21:46_UTC 158.86.194.82.spam.dnsbl.sorbs.net. 127.0.0.6 : I guess this means it is not listed because it is in the 127.0.0.0/8 range, or am I wrong?


A last question: would you mind telling me which lists you are using?

Kind regards

Old 14th January 2013
J65nko

Quote:
2013-01-14_16:21:09_UTC 158.86.194.82.bl.csma.biz. 208.91.197.19
What this ip means?
I have no idea, you should ask the folks at csma.biz. It seems the domain is for sale.

Quote:
158.86.194.82.spam.dnsbl.sorbs.net. 127.0.0.6
As mentioned before any answer to the DNS query indicates that the address is listed. These answers usually use addresses from the 127.0.0.0/8 subnet.

If you do a query for the TXT record you can see the reason:
Code:
$ dig +short -t txt 158.86.194.82.spam.dnsbl.sorbs.net. 
"Spam Received See: http://www.sorbs.net/lookup.shtml?82.194.86.158"
Old 15th January 2013
pablovalcarcel

Quote:
Originally Posted by J65nko
I have no idea, you should ask the folks at csma.biz. It seems the domain is for sale.

As mentioned before any answer to the DNS query indicates that the address is listed. These answers usually use addresses from the 127.0.0.0/8 subnet.

If you do a query for the TXT record you can see the reason:
Code:
$ dig +short -t txt 158.86.194.82.spam.dnsbl.sorbs.net. 
"Spam Received See: http://www.sorbs.net/lookup.shtml?82.194.86.158"
Thanks, I understand it better. So TXT DNS records are not only for SPF texts, you can use them to add the text you need?

Thanks again for your script, it is very useful.
Old 15th January 2013
J65nko

I see you query a couple of Spamhaus lists while you actually only need one, the "Zen" list:

From http://www.spamhaus.org/zen/
Quote:
zen.spamhaus.org

ZEN is the combination of all Spamhaus IP-based DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists.

zen.spamhaus.org should be the only spamhaus.org DNSBL in your IP blocklist configuration. You should not use ZEN together with other Spamhaus IP blocklists, or with blocklists already included in our zones (such as the CBL) or you will simply be wasting DNS queries and slowing your mail queue.
#9
Old 15th January 2013
pablovalcarcel pablovalcarcel is offline
New User
 
Join Date: Jan 2013
Posts: 7
Default

Thanks again.

I'm going to remove all spamhaus lists and add zen.spamhaus.org as you suggest.

Thanks again for your help and script!!!!
Old 12th March 2013
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

According to http://h-online.com/-1820906 the NJABL blacklist is going offline, so please remove it from the script:

Code:
BLISTS="
    cbl.abuseat.org
    dnsbl.sorbs.net
    bl.spamcop.net
    zen.spamhaus.org
    combined.njabl.org
"
Old 1st February 2016
aitor aitor is offline
New User
 
Join Date: Jan 2016
Posts: 1
Default

Hello! Thank you for sharing this script. Do you have any modification where an email is sent only if an IP is listed?
Old 2nd February 2016
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

You would have to write a small script that runs blcheck and sends out that mail.
To make that easier, the script should be changed to exit with an error code 4 (1 and 2 are already taken) when the IP is listed.
Old 2nd February 2016
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

With the following modifications the script exits with error code 4, when the IP is listed:
Code:
EXITCODE=0      # assume no listing

# -- cycle through all the blacklists
for BL in ${BLISTS} ; do

    # print the UTC date (without linefeed)
    printf $(env TZ=UTC date "+%Y-%m-%d_%H:%M:%S_%Z")

    # show the reversed IP and append the name of the blacklist
    printf "%-40s" " ${reverse}.${BL}."

    # use dig to lookup the name in the blacklist
    #echo "$(dig +short -t a ${reverse}.${BL}. |  tr '\n' ' ')"
    LISTED="$(dig +short -t a ${reverse}.${BL}.)"
    # inner echo is unquoted on purpose: it joins multiple answers with spaces;
    # the outer quotes keep the brackets from being treated as a glob pattern
    echo "[$(echo ${LISTED:-OK})]"
    # set exit code when answer contains '127.'
    echo $LISTED | grep '127\.' >/dev/null  &&  EXITCODE=4
done

exit $EXITCODE
Example run:
Code:
$ blcheck 114.97.100.118 ; echo Errorcode: [$?]
IP 114.97.100.118 NAME ---
2016-02-02_03:22:40_UTC 118.100.97.114.cbl.abuseat.org.        [127.0.0.2]
2016-02-02_03:22:40_UTC 118.100.97.114.dnsbl.sorbs.net.        [OK]
2016-02-02_03:22:40_UTC 118.100.97.114.bl.spamcop.net.         [OK]
2016-02-02_03:22:40_UTC 118.100.97.114.zen.spamhaus.org.       [127.0.0.11 127.0.0.4]
Errorcode: [4]

$ blcheck 1.2.3.4 ; echo Errorcode: [$?]        
IP 1.2.3.4 NAME ---
2016-02-02_03:24:38_UTC 4.3.2.1.cbl.abuseat.org.               [OK]
2016-02-02_03:24:38_UTC 4.3.2.1.dnsbl.sorbs.net.               [OK]
2016-02-02_03:24:38_UTC 4.3.2.1.bl.spamcop.net.                [OK]
2016-02-02_03:24:38_UTC 4.3.2.1.zen.spamhaus.org.              [OK]
Errorcode: [0]
Attached file: blcheck.sh (2.3 KB)
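An added example, not the attached blcheck.sh or any code from the thread: a small POSIX sh version of the check that follows the exit-code-4 convention from the post above, looks up the TXT-record reason mentioned earlier in the thread, and wraps it in a notify function that only mails when an IP is listed, as aitor asked. It assumes dig(1) and mail(1) are installed and that MAILTO names the recipient; the function names are mine, and the DNSBL list is the thread's minus NJABL.

```shell
#!/bin/sh
# Added example: DNSBL check that returns 4 when an IP is listed, plus a
# wrapper that mails the report only in that case. Assumes dig(1), mail(1).
BLISTS="cbl.abuseat.org dnsbl.sorbs.net bl.spamcop.net zen.spamhaus.org"

# reverse_ip 1.2.3.4 -> 4.3.2.1; DNSBL zones are keyed by reversed octets
reverse_ip() { echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'; }

# DNS queries sit in their own functions so they can be replaced offline
lookup_a()   { dig +short -t a   "$1"; }
lookup_txt() { dig +short -t txt "$1"; }

# is_listed ANSWER: any 127.0.0.0/8 address (one per line) means "listed";
# an empty answer (NXDOMAIN) means the list does not know the IP
is_listed() { echo "$1" | grep -q '^127\.'; }

# check_ip IP: one report line per list; returns 4 if listed anywhere, else 0
check_ip() {
    rev=$(reverse_ip "$1"); rc=0
    for bl in $BLISTS; do
        name="${rev}.${bl}."
        answer=$(lookup_a "$name")
        if is_listed "$answer"; then
            # $(echo $answer) is unquoted on purpose: joins multiple A records
            printf '%-40s [LISTED %s] %s\n' "$name" "$(echo $answer)" \
                "$(lookup_txt "$name")"
            rc=4
        else
            printf '%-40s [OK]\n' "$name"
        fi
    done
    return $rc
}

# send_mail SUBJECT: report body on stdin; MAILTO is an assumed variable
send_mail() { mail -s "$1" "${MAILTO:-root}"; }

# notify IP: run the check, mail the report only on exit code 4, pass rc on
notify() {
    rc=0; report=$(check_ip "$1") || rc=$?
    if [ "$rc" -eq 4 ]; then
        printf '%s\n' "$report" | send_mail "DNSBL listing for $1"
    fi
    return $rc
}
```

Run `notify "$IP"` from cron; nothing is printed or mailed unless some list answers with a 127.0.0.0/8 address.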
Tags
blacklist, rbl, spam