diff --git a/README.md b/README.md index 0932840..fc81017 100644 --- a/README.md +++ b/README.md @@ -13,8 +13,7 @@ Nagios or Icinga, Python3 with the following modules: ## Usage ```lang-none -$ ./check_dnsbl.py --help -usage: check_dnsbl.py [-h] --host HOST [--warn WARN] [--crit CRIT] [--providers PROVIDERS] +usage: check_dnsbl.py [-h] --host HOST [--warn WARN] [--crit CRIT] [--providers PROVIDERS] [--verbose] Check if a hostname/IP address appears in DNS based blacklists 
@@ -23,4 +22,101 @@ optional arguments: --host HOST the IP/host to check --warn WARN, -w WARN WARN when host appears in this many blacklists. Defaults to 1 --crit CRIT, -c CRIT CRIT when host appears in this many blacklists. Defaults to 2 + --providers PROVIDERS, --blacklists PROVIDERS + Comma or space separated list of DNS blacklist provider hostnames. Defaults to: all.s5h.net, aspews.ext.sorbs.net, + b.barracudacentral.org, bl.nordspam.com, bl.spamcop.net, blackholes.five-ten-sg.com, blacklist.woody.ch, bogons.cymru.com, + cbl.abuseat.org, combined.abuse.ch, combined.rbl.msrbl.net, db.wpbl.info, dnsbl-2.uceprotect.net, dnsbl-3.uceprotect.net, + dnsbl.cyberlogic.net, dnsbl.dronebl.org, dnsbl.sorbs.net, drone.abuse.ch, dul.ru, dyna.spamrats.com, images.rbl.msrbl.net, + ips.backscatterer.org, ix.dnsbl.manitu.net, korea.services.net, matrix.spfbl.net, noptr.spamrats.com, + phishing.rbl.msrbl.net, proxy.bl.gweep.ca, proxy.block.transip.nl, psbl.surriel.com, rbl.interserver.net, + relays.bl.gweep.ca, relays.bl.kundenserver.de, relays.nether.net, residential.block.transip.nl, singular.ttk.pte.hu, + spam.dnsbl.sorbs.net, spam.rbl.msrbl.net, spam.spamrats.com, spambot.bls.digibase.ca, spamlist.or.kr, spamrbl.imp.ch, + spamsources.fabel.dk, ubl.lashback.com, virbl.bit.nl, virus.rbl.msrbl.net, virus.rbl.jp, wormrbl.imp.ch, z.mailspike.net, + zen.spamhaus.org. 
+ --verbose, -v Show verbose output +``` + +## Examples + + +```sh +# Default with just a host +./check_dnsbl.py --host de-smtp-1.mimecast.com +OK: None of de-smtp-1.mimecast.com's IP addresses (62.140.10.21, 51.163.159.21) appear on a blacklist +``` + +```sh +# Verbose, will list the used blacklists +./check_dnsbl.py --host de-smtp-1.mimecast.com --verbose +OK: None of de-smtp-1.mimecast.com's IP addresses (62.140.10.21, 51.163.159.21) appear on a blacklist +Blacklists used: + +all.s5h.net +aspews.ext.sorbs.net +b.barracudacentral.org +bl.nordspam.com +bl.spamcop.net +blackholes.five-ten-sg.com +blacklist.woody.ch +bogons.cymru.com +cbl.abuseat.org +combined.abuse.ch +combined.rbl.msrbl.net +db.wpbl.info +dnsbl-2.uceprotect.net +dnsbl-3.uceprotect.net +dnsbl.cyberlogic.net +dnsbl.dronebl.org +dnsbl.sorbs.net +drone.abuse.ch +dul.ru +dyna.spamrats.com +images.rbl.msrbl.net +ips.backscatterer.org +ix.dnsbl.manitu.net +korea.services.net +matrix.spfbl.net +noptr.spamrats.com +phishing.rbl.msrbl.net +proxy.bl.gweep.ca +proxy.block.transip.nl +psbl.surriel.com +rbl.interserver.net +relays.bl.gweep.ca +relays.bl.kundenserver.de +relays.nether.net +residential.block.transip.nl +singular.ttk.pte.hu +spam.dnsbl.sorbs.net +spam.rbl.msrbl.net +spam.spamrats.com +spambot.bls.digibase.ca +spamlist.or.kr +spamrbl.imp.ch +spamsources.fabel.dk +ubl.lashback.com +virbl.bit.nl +virus.rbl.msrbl.net +virus.rbl.jp +wormrbl.imp.ch +z.mailspike.net +zen.spamhaus.org +``` + +```sh +# Use custom blacklists +/check_dnsbl.py --host de-smtp-1.mimecast.com --blacklists zen.spamhaus.org,proxy.block.transip.nl -v +OK: None of de-smtp-1.mimecast.com's IP addresses (62.140.10.21, 51.163.159.21) appear on a blacklist +Blacklists used: + +zen.spamhaus.org +proxy.block.transip.nl +``` + + +```sh +# Approximation of the blacklists that are used by mxtoolbox.com +# See 'mxtoolbox.blacklists.txt' +./check_dnsbl.py --host outbound2.mail.transip.nl --blacklists 'bl.0spam.org rbl.abuse.ro 
spam.dnsbl.anonmails.de ips.backscatterer.org b.barracudacentral.org bl.blocklist.de dnsbl.calivent.com.pe v4.fullbogons.cymru.com v6.fullbogons.cymru.com tor.dan.me.uk torexit.dan.me.uk bl.drmx.org dnsbl.dronebl.org spamsources.fabel.dk hostkarma.junkemailfilter.com dnsrbl.imp.ch spamrbl.imp.ch wormrbl.imp.ch uribl.swinog.ch rblspamassassin.interserver.net rbl.interserver.net mail-abuse.blacklist.jippg.org dnsbl.kempt.net ubl.unsubscore.com bl.mailspike.net phishing.rbl.msrbl.net spam.rbl.msrbl.net ix.dnsbl.manitu.net bl.nordspam.com bl.nosolicitado.org psbl.surriel.com all.spamrats.com all.s5h.net rbl.schulte.org backscatter.spameatingmonkey.net bl.spameatingmonkey.net korea.services.net spam.dnsbl.sorbs.net dnsbl.sorbs.net bl.ipv6.spameatingmonkey.net bl.spamcop.net zen.spamhaus.org dnsbl.spfbl.net bl.suomispam.net truncate.gbudb.net dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net dnsbl-3.uceprotect.net blacklist.woody.ch ipv6.blacklist.woody.ch db.wpbl.info dnsbl.zapbl.net' +WARNING: outbound2.mail.transip.nl's IP address 149.210.149.73 appears in 1 blacklist: hostkarma.junkemailfilter.com ``` diff --git a/check_dnsbl.py b/check_dnsbl.py index a9ce957..f47dcca 100755 --- a/check_dnsbl.py +++ b/check_dnsbl.py @@ -4,6 +4,8 @@ import argparse import socket import ipaddress +import re +from pprint import pprint def nagios_exit(message, code): print(message) 
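Review bot: `from pprint import pprint` added in this hunk is never called; the only reference to it on the new side is the commented-out `# pprint(providers)` in the next hunk, so the import is dead code that linters will flag. Either drop the import together with that commented line, or route the debug output through the `--verbose` flag the next hunk introduces instead of leaving it behind a comment. `import re` is used by the provider split and is fine.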
@@ -17,26 +19,34 @@ def is_ipaddr(string): return False try: + from pydnsbl.providers import BASE_PROVIDERS, Provider + parser = argparse.ArgumentParser(description='Check if a hostname/IP address appears in DNS based blacklists') parser.add_argument('--host', help='the IP/host to check', required=True) parser.add_argument('--warn', '-w', - help='WARN when host appears in this many blacklists. Defaults to 1', - required=False, type=int, default=1) + help='WARN when host appears in this many blacklists. Defaults to 1', + required=False, type=int, default=1) parser.add_argument('--crit', '-c', - help='CRIT when host appears in this many blacklists. Defaults to 2', - required=False, type=int, default=2) - # TODO - # parser.add_argument('--providers', - # help='Comma separated list of DNS blacklist provider hostname. Defaults to the _BASE_PROVIDERS set that is listed at https://github.com/dmippolitov/pydnsbl/blob/master/pydnsbl/providers.py' - # ) + help='CRIT when host appears in this many blacklists. Defaults to 2', + required=False, type=int, default=2) + parser.add_argument('--providers', '--blacklists', + help=f"Comma or space separated list of DNS blacklist provider hostnames. Defaults to: {', '.join([p.host for p in BASE_PROVIDERS])}.", + default=','.join([p.host for p in BASE_PROVIDERS]), + required=False, + ) + parser.add_argument('--verbose', '-v', + help='Show verbose output', + action="store_true") args = parser.parse_args() host = args.host warn = args.warn crit = args.crit - # providers = args.providers + providers = re.split(r',+| +', args.providers) + verbose = args.verbose + # pprint(providers) # Start with a clean slate ok_msg = [] warn_msg = [] 
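Review bot: `providers = re.split(r',+| +', args.providers)` yields empty strings for the "comma or space separated" input the help text advertises when both separators appear together — `re.split(r',+| +', 'a, b')` gives `['a', '', 'b']` — and likewise for a leading or trailing separator, while an embedded newline or tab is not treated as a separator at all. Each empty token then becomes a `Provider('')` in the `DNSBLIpChecker(providers=...)` call of the `@@ -47,10 +57,10 @@` hunk and is printed as a blank entry in the verbose "Blacklists used" listing. Suggest `providers = [p for p in re.split(r'[,\s]+', args.providers) if p]`. It would also be prudent to refuse an empty result with `nagios_exit("UNKNOWN: no blacklist providers given", 3)` rather than let the check run against no providers and report OK; what the checker does with an empty provider list is not visible here, so confirm that before relying on it.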
@@ -47,10 +57,10 @@ def is_ipaddr(string): # Find all IPv4 and IPv6 addresses ip_addresses = [a[4][0] for a in socket.getaddrinfo(host=host, port=0, proto=socket.IPPROTO_TCP)] - checker = pydnsbl.DNSBLIpChecker() + checker = pydnsbl.DNSBLIpChecker(providers=[Provider(prov) for prov in providers]) # List of blacklist results per IP - results = [p for p in [checker.check(ip) for ip in ip_addresses] if p.blacklisted] + results = [p for p in map(checker.check, ip_addresses) if p.blacklisted] msg = [] total_hits = 0 @@ -61,7 +71,6 @@ def is_ipaddr(string): reported_host = host else: reported_host = f"{host}'s IP address {result.addr}" - msg.append(f"{reported_host} appears in {len(detected_by)} blacklist{'s' if len(detected_by) > 1 else ''}: {', '.join(list(detected_by.keys()))}") if total_hits == 1 and crit > warn: @@ -74,13 +83,18 @@ def is_ipaddr(string): else: ok_msg.append(f"None of {host}'s IP addresses ({', '.join(ip_addresses)}) appear on a blacklist") + if verbose: + verbose_text = ['\nBlacklists used:\n\n' +'\n'.join(providers)] + else: + verbose_text = [] + except Exception as e: nagios_exit("UNKNOWN: Unknown error: {0}.".format(e), 3) # Exit with accumulated message(s) if crit_msg: - nagios_exit("CRITICAL: " + ' '.join(crit_msg + warn_msg), 2) + nagios_exit("CRITICAL: " + ' '.join(crit_msg + warn_msg + verbose_text), 2) elif warn_msg: - nagios_exit("WARNING: " + ' '.join(warn_msg), 1) + nagios_exit("WARNING: " + ' '.join(warn_msg + verbose_text), 1) else: - nagios_exit("OK: " + ' '.join(ok_msg), 0) + nagios_exit("OK: " + ' '.join(ok_msg + verbose_text), 0) diff --git a/mxtoolbox.blacklists.txt b/mxtoolbox.blacklists.txt new file mode 100644 index 0000000..bf5575b --- /dev/null +++ b/mxtoolbox.blacklists.txt 
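Review bot: Appending `verbose_text` through `' '.join(...)` in the three `nagios_exit` calls of the last hunk leaves a trailing space on the status line, because the verbose element itself starts with `'\n'`; Nagios displays that first line as the service status, so it is worth keeping it clean. Building the block as a plain string, `verbose_text = '\nBlacklists used:\n\n' + '\n'.join(providers) if verbose else ''`, and concatenating it after the join — `nagios_exit("OK: " + ' '.join(ok_msg) + verbose_text, 0)`, with the CRITICAL and WARNING branches changed the same way — avoids that. The `if verbose:` block sits inside the `try:` whose start is in the previous hunk, so it is only reached when no exception occurred, which is consistent with the existing structure.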
@@ -0,0 +1 @@ +bl.0spam.org rbl.abuse.ro spam.dnsbl.anonmails.de ips.backscatterer.org b.barracudacentral.org bl.blocklist.de dnsbl.calivent.com.pe v4.fullbogons.cymru.com v6.fullbogons.cymru.com tor.dan.me.uk torexit.dan.me.uk bl.drmx.org dnsbl.dronebl.org spamsources.fabel.dk hostkarma.junkemailfilter.com dnsrbl.imp.ch spamrbl.imp.ch wormrbl.imp.ch uribl.swinog.ch rblspamassassin.interserver.net rbl.interserver.net mail-abuse.blacklist.jippg.org dnsbl.kempt.net ubl.unsubscore.com bl.mailspike.net phishing.rbl.msrbl.net spam.rbl.msrbl.net ix.dnsbl.manitu.net bl.nordspam.com bl.nosolicitado.org psbl.surriel.com all.spamrats.com all.s5h.net rbl.schulte.org backscatter.spameatingmonkey.net bl.spameatingmonkey.net korea.services.net spam.dnsbl.sorbs.net dnsbl.sorbs.net bl.ipv6.spameatingmonkey.net bl.spamcop.net zen.spamhaus.org dnsbl.spfbl.net bl.suomispam.net truncate.gbudb.net dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net dnsbl-3.uceprotect.net blacklist.woody.ch ipv6.blacklist.woody.ch db.wpbl.info dnsbl.zapbl.net \ No newline at end of file diff --git a/mxtoolbox.blacklists.yml b/mxtoolbox.blacklists.yml new file mode 100644 index 0000000..aa88484 --- /dev/null +++ b/mxtoolbox.blacklists.yml 
@@ -0,0 +1,200 @@ +--- +# List of DNS based blacklists, as used by MXtoolbox.com: +# https://mxtoolbox.com/problem/blacklist/ +# Note: some of these require subscriptions/API keys/etc + +blacklists: + # 0SPAM + - bl.0spam.org + + # Abuse.ro + - rbl.abuse.ro + + # Abusix blacklists require an API key + + # Anonmails DNSBL + - spam.dnsbl.anonmails.de + + # BACKSCATTERER + - ips.backscatterer.org + + # BARRACUDA + - b.barracudacentral.org + + # BLOCKLIST.DE + - bl.blocklist.de + + # CALIVENT + - dnsbl.calivent.com.pe + + # CYMRU BOGONS + - v4.fullbogons.cymru.com + + # CYMRU BOGONS IPv6 + - v6.fullbogons.cymru.com + + # DAN TOR + - tor.dan.me.uk + + # DAN TOREXIT + - torexit.dan.me.uk + + # DNS SERVICIOS + # service seems dead: https://mxtoolbox.com/problem/blacklist/dns-servicios + + # DRMX + - bl.drmx.org + + # DRONE BL + - dnsbl.dronebl.org + + # FABELSOURCES + - spamsources.fabel.dk + + # HIL + # service seems dead: https://mxtoolbox.com/problem/blacklist/hil + + # HIL2 + # service seems dead: https://mxtoolbox.com/problem/blacklist/hil2 + + # Hostkarma Black + - hostkarma.junkemailfilter.com + + # IBM DNS Blacklist + # service seems dead: https://mxtoolbox.com/problem/blacklist/ibm-dns-blacklist + + # ICMFORBIDDEN + # http://sunsite.icm.edu.pl/spam/bh.html lists several other services + # Most of them are ancient/offline + + # IMP SPAM & IMP WORM + - dnsrbl.imp.ch + - spamrbl.imp.ch + - wormrbl.imp.ch + - uribl.swinog.ch + + + # INTERSERVER + - rblspamassassin.interserver.net + - rbl.interserver.net + + # ivmSIP & ivmSIP24 + # requires subscription: https://www.invaluement.com/subscribe/ + + # JIPPG + - mail-abuse.blacklist.jippg.org + + # KEMPTBL + - dnsbl.kempt.net + + # KISA + # service seems dead: https://mxtoolbox.com/problem/blacklist/kisa + + # Konstant + # service seems dead: https://mxtoolbox.com/problem/blacklist/konstant + + # LASHBACK + - ubl.unsubscore.com + + # LNSGBLOCK, LNSGMULTI, LNSGOR, LNSGSRC + # Confusing service, unsure how to use: 
https://mxtoolbox.com/problem/blacklist/lnsgbulk + + # MADAVI + # service seems dead: https://mxtoolbox.com/problem/blacklist/madavi + + # MAILSPIKE BL + - bl.mailspike.net + + # MSRBL Phishing + - phishing.rbl.msrbl.net + + # MSRBL Spam + - spam.rbl.msrbl.net + + # NETHERRELAYS & NETHERUNSURE + # Service seems dead: https://mxtoolbox.com/problem/blacklist/netherrelays + + # NIXSPAM + - ix.dnsbl.manitu.net + + # Nordspam BL + - bl.nordspam.com + + # NoSolicitado + - bl.nosolicitado.org + + # ORVEDB + # Service seems dead: https://mxtoolbox.com/problem/blacklist/orvedb + + # PSBL + - psbl.surriel.com + + # RATS (Dyna + NoPtr + Spam) + - all.spamrats.com + + # RBL JP + # Service seems dead: https://mxtoolbox.com/problem/blacklist/rbl-jp + + # RSBL + # Service seems dead: https://mxtoolbox.com/problem/blacklist/rsbl + + # s5h.net IPv6 + - all.s5h.net + + # SCHULTE + - rbl.schulte.org + + # SEM BACKSCATTER + - backscatter.spameatingmonkey.net + + # SEM BLACK + - bl.spameatingmonkey.net + + # Sender Score Reputation Network + # Provider has gone commercial? https://mxtoolbox.com/problem/blacklist/sender-score-reputation-network + + # SERVICESNET + - korea.services.net + + # SORBS http://www.sorbs.net/general/using.shtml#largesites + - spam.dnsbl.sorbs.net + - dnsbl.sorbs.net + + # Spam Eating Monkey SEM IPv6BL + - bl.ipv6.spameatingmonkey.net + + # SPAMCOP + - bl.spamcop.net + + # Spamhaus ZEN + - zen.spamhaus.org + + # SPFBL DNSBL + - dnsbl.spfbl.net + + # Suomispam Reputation + - bl.suomispam.net + + # SWINOG + # Appears to be the same as "IMP SPAM & IMP WORM" above + + # TRIUMF + # Seems dead: https://mxtoolbox.com/problem/blacklist/triumf + + # TRUNCATE + - truncate.gbudb.net + + # UCEPROTECT (level 1, 2, and 3) + - dnsbl-1.uceprotect.net + - dnsbl-2.uceprotect.net + - dnsbl-3.uceprotect.net + + # WOODY SMTP Blacklist + - blacklist.woody.ch + - ipv6.blacklist.woody.ch + + # WPBL + - db.wpbl.info + + # ZapBL + - dnsbl.zapbl.net
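Review bot: This file repeats the entries of `mxtoolbox.blacklists.txt` in the same order, and nothing in this commit reads either file (the README example passes the list inline), so the two copies will drift apart silently; the header comment should say which one is the source of truth, or the .txt should be generated from this file. The header note "some of these require subscriptions/API keys/etc" could also record that some providers answer queries coming from public resolvers or exceeding their free-usage limits with special error return codes rather than NXDOMAIN (Spamhaus documents this for `zen.spamhaus.org`); if the checker counts any answer as a listing, such responses surface as false WARNING/CRITICAL results, so a resolver that is permitted to query them is an operational prerequisite worth stating here. `uribl.swinog.ch` is, judging by its name, a URI blacklist rather than an IP one, so confirm it answers reversed-IP lookups meaningfully before keeping it in an IP-checking list.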