Personal blog for expressing my experiences


Multiple RBL check – DNS Blacklist Entries

If you are a system administrator running your own mail or web server, it is good to know in time whether the IP address of your server has been blacklisted on the Internet. What does that mean? It means your server has been compromised and is sending a lot of unwanted SPAM mail, and in no time users will complain that their mail is not being accepted by their recipients.

There are a lot of websites online, some paid and some free, which will tell you whether your IP is blacklisted or not, but the drawback is that these websites only allow IPs to be scanned on a minimum hourly basis. This might be too late for a system administrator, who can end up on a knife's edge as mails start bouncing back. So what is the solution?

One can use the `host` command or `dig` to find this out, then create an automated script and run it from cron.

As an example, suppose your IP is A.B.C.D, so its reverse is D.C.B.A. You need to check it against frequently used SPAM databases. Let us take `` as one of the domains, as this is the one most frequently used for SPAM checks.

root@ophiophagus:~$ host -t a has address

root@ophiophagus:~$ dig

; <<>> DiG 9.8.1-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31887
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 21, ADDITIONAL: 0

; IN A


;; AUTHORITY SECTION: 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS 86270 IN NS

;; Query time: 4 msec
;; WHEN: Sat Jun 28 20:06:42 2014
;; MSG SIZE rcvd: 405

If the response is an address in the loopback range, it means that the IP has been listed against that particular domain. It is time to request de-listing and to check what caused the IP to be blacklisted.

Frequently used SPAM databases create a DNS entry on their local nameserver, making all RDNS entries resolve to their local IP.

Automated PHP script to find out the blacklisted IPs:
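The manual lookup above can be scripted so that only an answer in the loopback range counts as a listing, and a rewritten or failed DNS response does not raise a false alert. This is an added example, not part of the original post; the function names are hypothetical and the DNSBL zone is supplied by the caller as an argument.

```bash
#!/bin/bash
# Added example. Function names are hypothetical; pass your own DNSBL zone.

# A.B.C.D -> D.C.B.A; returns 1 unless the input is a valid dotted-quad IPv4.
reverse_ipv4() {
    local ip="$1" octet
    local IFS=.
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $ip                      # split on dots into $1..$4
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# Classify the first line of a DNSBL answer:
#   empty       -> clean (no A record, the IP is not listed)
#   127.x.y.z   -> listed (loopback range, as described above)
#   other text  -> unexpected (resolver rewrite, timeout message, ...)
classify_answer() {
    case $1 in
        '')        echo clean ;;
        127.*.*.*) echo listed ;;
        *)         echo unexpected ;;
    esac
}

# Query one zone for one IP and print "<ip> <zone> <verdict>".
check_rbl() {
    local ip="$1" zone="$2" rev answer
    rev=$(reverse_ipv4 "$ip") || { echo "$ip $zone invalid-ip"; return 2; }
    answer=$(dig +short "$rev.$zone" A | head -n 1)
    echo "$ip $zone $(classify_answer "$answer")"
}

# Usage: ./rblcheck.sh <ip> <zone>; nothing is queried without both arguments.
if [ "$#" -eq 2 ]; then check_rbl "$1" "$2"; fi
```

An `unexpected` verdict is worth investigating separately, since it usually points at the resolver rather than at the blacklist.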

File name: rblcheck.php

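```php
<?php
$ips = array("D.C.B.A"); // Reversed IPs to check; add more, comma separated
$message = "";
$handle = fopen("domain-check-for-rbl.txt", "r");
while (($line = fgets($handle)) !== false) {
    foreach ($ips as $ip) {
        // host exits with 0 when an A record exists, meaning the IP is listed
        $result = shell_exec("host -t a " . escapeshellarg($ip . "." . trim($line)) . " >/dev/null; echo $?");
        if (trim($result) === "0") { $message .= "\n" . $ip . " Blacklisted in " . trim($line) . "\n"; }
    }
}
echo $message; // cron mails any output to the job owner
```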

Crontab entry running every 5 minutes:

*/5 * * * * /usr/bin/php /rblcheck.php 2>&1

Filename: domain-check-for-rbl.txt
