Multiple RBL check – DNS Blacklist Entries

In case you are a system administrator and you are running your own mail or a web server, it would be good to know in time whether the IP address of your server has been blacklisted in the Internet. What does that mean? It means your server has been compromised and it sending lot of unwanted SPAM mail and in no time users would complain that their mail not being accepted by their recipients.

There are a lot of websites online, some paid and some free, which would provide you the necessary information stating whether your IP is blacklisted or not, but the drawback is that this online websites allows IP’s to be scanned on minimum hourly basis. This might be too late for a system administrator wherein you can find yourself in the tip of the knife as mails would start bouncing back. So what is the solution?

One can use the `host` command or `dig`to find this out and then create a automated script run it in cron.

As an example, let us take into consideration, your IP is A.B.C.D, so your reverse would be D.C.B.A. You need to check against frequently used SPAM databases. Let use take `zen.spamhaus.org` as one of the domain as this is most frequently by users for SPAM checks.


root@ophiophagus:~$ host -t a D.C.B.A.zen.spamhaus.org
D.C.B.A.zen.spamhaus.org has address 127.0.0.11

root@ophiophagus:~$ dig D.C.B.A.zen.spamhaus.org

; <<>> DiG 9.8.1-P1 <<>> D.C.B.A.zen.spamhaus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31887
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 21, ADDITIONAL: 0

;; QUESTION SECTION:
;D.C.B.A.zen.spamhaus.org. IN A

;; ANSWER SECTION:
D.C.B.A.zen.spamhaus.org. 839 IN A 127.0.0.11

;; AUTHORITY SECTION:
zen.spamhaus.org. 86270 IN NS r.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS t.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS x.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS 0.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS 2.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS 3.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS 5.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS 7.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS 8.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS a.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS b.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS c.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS d.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS f.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS g.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS h.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS i.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS k.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS l.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS o.ns.spamhaus.org.
zen.spamhaus.org. 86270 IN NS q.ns.spamhaus.org.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 28 20:06:42 2014
;; MSG SIZE rcvd: 405

If the response is an address in the loopback 127.0.0.0/8 range, it means that it has been listed against the particular domain. Time for de-listing and check what caused the IP to be blacklisted.

Frequently used SPAM databases creates a DNS entry on their local nameserver making all RDNS entries resolve to their local IP.

Automate PHP script to find out the blacklisted IP:

File name: rblcheck.php

$message="";
$ips=array("D.C.B.A"); // Add more IP's comma separated
$handle = fopen("domain-check-for-rbl.txt","r");
while (($line = fgets($handle)) !== false) {
foreach($ips as $ip){
$result = shell_exec("host -t a ".$ip.".".trim($line)." >/dev/null;echo $?");
if($result!=1){
$message = $message."\n".$ip." Blacklisted in ".trim($line)."\n";
}
}
}
if($message!=""){
mail("yourmail@example.com","Blacklisted",$message);
}
?>

Crontab entry running every 5 minute:

0/5 * * * * /usr/bin/php /rblcheck.php 2>&1

Filename: domain-check-for-rbl.txt

b.barracudacentral.org
blackholes.five-ten-sg.com
blacklist.woody.ch
bl.deadbeef.com
bl.emailbasura.org
bl.spamcannibal.org
bl.spamcop.net
cbl.abuseat.org

Leave a Comment