Created
February 11, 2015 22:53
-
-
Save anonymous/9b4d5875d3c536e747b6 to your computer and use it in GitHub Desktop.
rblcheck.pl - This script queries DNS Blacklists for listings. Based on Ruby script rbl.check (https://github.com/jjmartres/Zabbix/tree/master/zbx-scripts/rbl.check)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/perl | |
| use warnings; | |
| use strict; | |
| use Getopt::Std; | |
| use YAML::XS; | |
| use Net::DNSBL::Client; | |
| my %runOptions=(); | |
| getopts("q:", \%runOptions); | |
| my $config; | |
| { local $/; $config = <DATA>; } | |
| $config = Load($config); | |
| if ($runOptions{q} eq 'RBLS') { | |
| map { | |
| print "$config->{$_}->{name} ($_). "; | |
| print $config->{$_}->{enabled} ? "Enabled: true" : "Enabled: false"; | |
| print "\n" | |
| } sort keys %{$config}; | |
| } elsif ($runOptions{q} =~ /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/) { | |
| map { push @{$config->{DNSBL}}, { 'domain' => "$_"} } sort grep { $config->{$_}->{enabled} == 1 } keys %{$config}; | |
| my $DNSBLClientObj = Net::DNSBL::Client->new({ timeout => 3 }); | |
| $DNSBLClientObj->query_ip($runOptions{q}, \@{$config->{DNSBL}}); | |
| my $DNBLAnswers = $DNSBLClientObj->get_answers(); | |
| if (scalar @$DNBLAnswers == 0) { print "Not listed\n"; exit(0) } | |
| foreach my $entry (grep { $_->{hit} } @$DNBLAnswers) { | |
| if ($entry->{hit}) { | |
| print "$config->{$entry->{domain}}->{name} ($entry->{domain})\n"; | |
| } | |
| } | |
| } else { | |
| print qq{ | |
| Usage: $0 [options] | |
| Options | |
| -q FLAG Flag: RBLS|IP_ADDRESS | |
| } | |
| } | |
| =head1 AUTHOR | |
| Fd <[email protected]> | |
| =head1 COPYRIGHT AND LICENSE | |
| Copyright (c) 2015 Net By Net Holding LLC | |
| This program is free software; you can redistribute it and/or modify it under | |
| the same terms as Perl itself. | |
| =cut | |
| __DATA__ | |
| --- | |
| dyna.spamrats.com: | |
| enabled: true | |
| name: DYNA_SPAMRATS | |
| domain: dyna.spamrats.com | |
| type: ip | |
| data: | |
| 127.0.0.36: Blacklisted | |
| noptr.spamrats.com: | |
| enabled: true | |
| name: NOPTR_SPAMRATS | |
| domain: noptr.spamrats.com | |
| data: | |
| 127.0.0.37: Blacklisted | |
| spam.spamrats.com: | |
| enabled: true | |
| name: SPAM_SPAMRATS | |
| domain: spam.spamrats.com | |
| data: | |
| 127.0.0.38: Blacklisted | |
| cbl.anti-spam.org.cn: | |
| enabled: true | |
| name: CBL_ANTISPAM_ORG_CN | |
| domain: cbl.anti-spam.org.cn | |
| data: | |
| 127.0.8.2: Blacklisted | |
| cdl.anti-spam.org.cn: | |
| enabled: true | |
| name: CDL_ANTISPAM_ORG_CN | |
| domain: cdl.anti-spam.org.cn | |
| data: | |
| 127.0.8.4: Blacklisted | |
| psbl.surriel.com: | |
| enabled: true | |
| name: SURRIEL | |
| domain: psbl.surriel.com | |
| data: | |
| 127.0.0.2: Blacklisted | |
| rbl.spamlab.com: | |
| enabled: true | |
| name: SPAMLAB | |
| domain: rbl.spamlab.com | |
| data: | |
| 127.0.0.2: Blacklisted | |
| bogons.cymru.com: | |
| enabled: true | |
| name: BOGONS_CYMRU | |
| domain: bogons.cymru.com | |
| data: | |
| 127.0.0.2: Blacklisted | |
| ubl.unsubscore.com: | |
| enabled: true | |
| name: UNSUBSCORE | |
| domain: ubl.unsubscore.com | |
| type: ip | |
| data: | |
| 127.0.0.2: Blacklisted | |
| virbl.dnsbl.bit.nl: | |
| enabled: true | |
| name: VIRBL | |
| domain: virbl.dnsbl.bit.nl | |
| type: ip | |
| data: | |
| 127.0.0.2: malware or phishing email sources | |
| zen.spamhaus.org: | |
| enabled: true | |
| name: SPAMHAUS | |
| domain: zen.spamhaus.org | |
| type: ip | |
| data: | |
| 127.0.0.3: Illegal 3rd party exploits, including proxies, worms and trojan exploits | |
| 127.0.0.4: Illegal 3rd party exploits, including proxies, worms and trojan exploits | |
| 127.0.0.5: Illegal 3rd party exploits, including proxies, worms and trojan exploits | |
| 127.0.0.6: Illegal 3rd party exploits, including proxies, worms and trojan exploits | |
| 127.0.0.2: Direct UBE sources, verified spam services and ROKSO spammers | |
| 127.0.0.10: ISP Maintained Policy Block List | |
| 127.0.0.11: SpamHaus Maintained Policy Block List | |
| multi.uribl.com: | |
| enabled: true | |
| name: URIBL | |
| domain: multi.uribl.com | |
| type: domain | |
| data: | |
| 127.0.0.4: Address found in UBE/UCE, and probably honour opt-out requests | |
| 127.0.0.8: Address not listed on black and are either very young (domain age via whois), or use whois privacy features to protect their identity. | |
| 127.0.0.2: Address belonging to and used by spammers | |
| multi.surbl.org: | |
| enabled: true | |
| name: SURBL | |
| domain: multi.surbl.org | |
| type: domain | |
| data: | |
| 127.0.0.64: jwSpamSpy + Prolocation data source | |
| 127.0.0.32: AbuseButler spamvertised sites | |
| 127.0.0.4: sa-blacklist and other sources | |
| 127.0.0.8: Phishing data source | |
| 127.0.0.16: Outblaze spamvertised sites | |
| 127.0.0.2: SpamCop message-body URI domains | |
| dnsbl.njabl.org: | |
| enabled: true | |
| name: NJABL | |
| domain: dnsbl.njabl.org | |
| type: ip | |
| data: | |
| 127.0.0.3: Dial-up/dynamic IP range | |
| 127.0.0.4: Spam source | |
| 127.0.0.5: Multi-stage open relays | |
| 127.0.0.8: Insecure CGI web server, possible spam source | |
| 127.0.0.9: Open proxy servers | |
| 127.0.0.2: Open relay | |
| bl.spamcop.net: | |
| enabled: true | |
| name: SPAMCOP | |
| domain: bl.spamcop.net | |
| type: ip | |
| data: | |
| 127.0.0.2: Spam source | |
| dnsbl.sorbs.net: | |
| enabled: true | |
| name: SORBS | |
| domain: dnsbl.sorbs.net | |
| type: ip | |
| data: | |
| 127.0.0.3: Open SOCKS Proxy Servers | |
| 127.0.0.10: Dial Up Users | |
| 127.0.0.11: domain names where the A or MX records point to bad address space | |
| 127.0.0.4: Misc Open Proxy Servers | |
| 127.0.0.12: domain names where the owners have indicated no mail should ever be sent with these domains | |
| 127.0.0.5: Open SMTP Relays | |
| 127.0.0.6: Spam Sources | |
| 127.0.0.7: web (WWW) server which have spammer abused vulnerabilities (e.g. FormMail scripts) | |
| 127.0.0.8: hosts demanding they are never tested by SORBS | |
| 127.0.0.9: Botnet/DDoS Zombies | |
| 127.0.0.2: Open HTTP Proxy Servers | |
| dnsbl.dronebl.org: | |
| enabled: true | |
| name: DRONEBL | |
| domain: dnsbl.dronebl.org | |
| type: ip | |
| data: | |
| 127.0.0.1: Host listed in DroneBL | |
| 127.0.0.2: Sample | |
| 127.0.0.3: IRC Drone | |
| 127.0.0.5: Bottler | |
| 127.0.0.6: Unknown spambot or drone | |
| 127.0.0.7: DDOS Drone | |
| 127.0.0.8: SOCKS Proxy | |
| 127.0.0.9: HTTP Proxy | |
| 127.0.0.10: ProxyChain | |
| 127.0.0.13: Brute force attackers | |
| 127.0.0.14: Open Wingate Proxy | |
| 127.0.0.15: Compromised router / gateway | |
| 127.0.0.17: Automatically determined botnet IPs (experimental) | |
| 127.0.0.255: Unknown | |
| b.barracudacentral.org: | |
| enabled: true | |
| name: BARRACUDA | |
| domain: b.barracudacentral.org | |
| type: ip | |
| data: | |
| 127.0.0.2: Listed | |
| drone.abuse.ch: | |
| enabled: true | |
| name: DRONE_ABUSE_CH | |
| domain: drone.abuse.ch | |
| type: ip | |
| data: | |
| 127.0.0.2: Spam related FastFlux Bot | |
| 127.0.0.3: Malware related FastFlux Bot | |
| 127.0.0.4: Phish related FastFlux Bot | |
| 127.0.0.5: Scam related FastFlux Bot | |
| httpbl.abuse.ch: | |
| enabled: true | |
| name: HTTPBL_ABUSE_CH | |
| domain: httpbl.abuse.ch | |
| type: ip | |
| data: | |
| 127.0.0.2: Hacking activities | |
| 127.0.0.3: Hijacked server automated scanning drone | |
| 127.0.0.4: Referrer spam | |
| spam.abuse.ch: | |
| enabled: true | |
| name: SPAM_ABUSE_CH | |
| domain: spam.abuse.ch | |
| type: ip | |
| data: | |
| 127.0.0.1: Sends spam to spamtrap | |
| dnsbl.mailshell.net: | |
| enabled: true | |
| name: MAILSHELL | |
| domain: dnsbl.mailshell.net | |
| type: ip | |
| data: | |
| 127.0.0.2: Blacklisted | |
| 127.0.0.188: Blacklisted | |
| 127.0.0.190: Blacklisted | |
| cbl.abuseat.org: | |
| enabled: true | |
| name: CBL | |
| domain: cbl.abuseat.org | |
| type: ip | |
| data: | |
| 127.0.0.2: Blacklisted | |
| blackholes.five-ten-sg.com: | |
| enabled: true | |
| name: FIVETENSG | |
| domain: blackholes.five-ten-sg.com | |
| type: ip | |
| data: | |
| 127.0.0.2: Spam | |
| 127.0.0.3: Dialup | |
| 127.0.0.4: Bulk | |
| 127.0.0.5: Multistage | |
| 127.0.0.6: Singlestage | |
| 127.0.0.7: Spam-support | |
| 127.0.0.8: Webform | |
| 127.0.0.9: Misc | |
| 127.0.0.10: klez | |
| 127.0.0.11: tcpa | |
| 127.0.0.12: free | |
| 127.0.0.13: cr | |
| dnsbl.inps.de: | |
| enabled: true | |
| name: INPS | |
| domain: dnsbl.inps.de | |
| type: ip | |
| data: | |
| 127.0.0.2: Blacklisted | |
| ix.dnsbl.manitu.net: | |
| enabled: true | |
| name: MANITU | |
| domain: ix.dnsbl.manitu.net | |
| type: ip | |
| data: | |
| 127.0.0.2: Blacklisted | |
| no-more-funn.moensted.dk: | |
| enabled: true | |
| name: NOMOREFUN | |
| domain: no-more-funn.moensted.dk | |
| type: ip | |
| data: | |
| 127.0.0.2: Direct spam sources | |
| 127.0.0.3: Dynamic IP or generic rDNS. | |
| 127.0.0.4: Bulk mailers | |
| 127.0.0.5: Multi stage open relay | |
| 127.0.0.6: single stage open relay | |
| 127.0.0.7: Ignoring complaints of spamming by customers | |
| 127.0.0.8: Please update your formmail.pl script | |
| 127.0.0.9: See http://moensted.dk/spam/no-more-funn/?addr=$ | |
| 127.0.0.10: Possible open proxy | |
| 127.0.0.11: Please stop testing our servers | |
| bl.spamcannibal.org: | |
| enabled: true | |
| name: SPAMCANNIBAL | |
| domain: bl.spamcannibal.org | |
| type: ip | |
| data: | |
| 127.0.0.2: Blacklisted | |
| dnsbl-1.uceprotect.net: | |
| enabled: true | |
| name: UCEPROTECT1 | |
| domain: dnsbl-1.uceprotect.net | |
| type: ip | |
| data: | |
| 127.0.0.2: Blacklisted | |
| dnsbl-2.uceprotect.net: | |
| enabled: true | |
| name: UCEPROTECT2 | |
| domain: dnsbl-2.uceprotect.net | |
| type: ip | |
| data: | |
| 127.0.0.2: Blacklisted | |
| dnsbl-3.uceprotect.net: | |
| enabled: true | |
| name: UCEPROTECT3 | |
| domain: dnsbl-3.uceprotect.net | |
| type: ip | |
| data: | |
| 127.0.0.2: Blacklisted | |
| ips.whitelisted.org: | |
| enabled: true | |
| name: WHITELIST | |
| domain: ips.whitelisted.org | |
| type: ip | |
| data: | |
| 127.0.0.2: Whitelisted | |
| ips.backscatterer.org: | |
| enabled: true | |
| name: BACKSCATTERER | |
| domain: ips.backscatterer.org | |
| type: ip | |
| data: | |
| 127.0.0.2: Backscatterer | |
| dnsbl.httpbl.org: | |
| enabled: false | |
| name: PROJECTHONEYPOT | |
| domain: dnsbl.httpbl.org | |
| type: ip | |
| apikey: abcdefghijkl | |
| decoder: phpot_decoder | |
| torexit.dan.me.uk: | |
| enabled: true | |
| name: TOREXITNODE | |
| domain: torexit.dan.me.uk | |
| type: ip | |
| data: | |
| 127.0.0.100: Tor Exit Node |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment