From e54d128bf551f1bb6e4b4e8e4a180b9e68d165c9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 25 Dec 2017 15:14:33 +0100 Subject: [PATCH] First version of multi-rblcheck --- README.md | 125 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ rbl.py | 124 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 249 insertions(+) create mode 100644 README.md create mode 100644 rbl.py diff --git a/README.md b/README.md new file mode 100644 index 0000000..c68a684 --- /dev/null +++ b/README.md @@ -0,0 +1,125 @@ +# multi-rblcheck + +multi-rblcheck is a Python script to test a list of IP addresses against RBLs. + +The output is a JSON object per IP address. + +# Usage + +~~~~ +usage: rbl.py [-h] [-d] [-t] -i IP [-a] + +multi-rblcheck A simple script to test a list of IP addresses against RBLs. +The output is a JSON object per IP address. + +optional arguments: + -h, --help show this help message and exit + -d, --debug Include debug message + -t, --test + -i IP, --ip IP IPv4 address to check against the RBLs (one or more IP + addresses) + -a, --all Include unlisted results +~~~~ + +# Requirements + +- Python 3 +- dnspython3 library + +# Output + +~~~~ +{ + "not_listed": [], + "date": "2017-12-25T14:08:58.111259+00:00", + "query": "127.0.0.2", + "info": [ + "\"Blocked - see http://www.spamcop.net/bl.shtml?127.0.0.2\"", + "\"Sender has sent to LashBack Unsubscribe Probe accounts\"", + "\"Sender has sent to LashBack Unsubscribe Probe accounts\"", + "\"Blocked due to spam, see http://korea.services.net/blocked.phtml?addr=127.0.0.2\"", + "\"Blocked due to spam, see http://korea.services.net/blocked.phtml?addr=127.0.0.2\"", + "\"Blocked due to spam, see http://korea.services.net/blocked.phtml?addr=127.0.0.2\"", + "\"Spam source - http://wpbl.info/record?ip=127.0.0.2\"", + "\"Open SMTP Relay See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"Hijacked/Disused Netblocks See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"Hijacked/Disused Netblocks See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"Testing class.\"", + "\"wild.surbl.org permanent test point\"", + "\"Test entry, see http://www.dnsbl.manitu.net/lookup.php?value=127.0.0.2\"", + "\"Test entry, see http://www.dnsbl.manitu.net/lookup.php?value=127.0.0.2\"", + "\"Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"Infected System, see http://www.blocklist.de/en/view.html?ip=127.0.0.2\"", + "\"SOCKS Proxy See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"SOCKS Proxy See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"SOCKS Proxy See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"SOCKS Proxy See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"Listed in PSBL, see http://psbl.org/listing?ip=127.0.0.2\"", + "\"Misc Proxy/Server See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"Misc Proxy/Server See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"https://www.spamhaus.org/query/ip/127.0.0.2\"", + "\"https://www.spamhaus.org/query/ip/127.0.0.2\"", + "\"RFC5782 Test Entry\"", + "\"Test Record\"", + "\"Exploitable Server See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"https://www.spamhaus.org/query/ip/127.0.0.2\"", + "\"Blocked - see http://www.abuseat.org/lookup.cgi?ip=127.0.0.2\"", + "\"Dial-Up/Cable/DSL IP Range - Use your providers SMTP Gateway\"", + "\"Blocked at http://sigs.interserver.net/ip?ip=127.0.0.2\"", + "\"HTTP Proxy See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"", + "\"Spam Received See: http://www.sorbs.net/lookup.shtml?127.0.0.2\"" + ], + "listed": [ + "2.0.0.127.bl.spamcop.net", + "2.0.0.127.ubl.unsubscore.com", + "2.0.0.127.zen.spamhaus.org", + "2.0.0.127.zen.spamhaus.org", + "2.0.0.127.korea.services.net", + "2.0.0.127.bogons.cymru.com", + "2.0.0.127.bogons.cymru.com", + "2.0.0.127.access.redhawk.org", + "2.0.0.127.access.redhawk.org", + "2.0.0.127.db.wpbl.info", + "2.0.0.127.smtp.dnsbl.sorbs.net", + "2.0.0.127.zombie.dnsbl.sorbs.net", + "2.0.0.127.rbl.efnetrbl.org", + "2.0.0.127.rbl.efnetrbl.org", + "2.0.0.127.dnsbl.dronebl.org", + "2.0.0.127.multi.surbl.org", + "2.0.0.127.ix.dnsbl.manitu.net", + "2.0.0.127.noptr.spamrats.com", + "2.0.0.127.noptr.spamrats.com", + "2.0.0.127.dnsbl.sorbs.net", + "2.0.0.127.all.bl.blocklist.de", + "2.0.0.127.socks.dnsbl.sorbs.net", + "2.0.0.127.spam.spamrats.com", + "2.0.0.127.spam.spamrats.com", + "2.0.0.127.dyna.spamrats.com", + "2.0.0.127.dyna.spamrats.com", + "2.0.0.127.dnsbl.inps.de", + "2.0.0.127.dnsbl.inps.de", + "2.0.0.127.psbl.surriel.com", + "2.0.0.127.misc.dnsbl.sorbs.net", + "2.0.0.127.short.rbl.jp", + "2.0.0.127.short.rbl.jp", + "2.0.0.127.pbl.spamhaus.org", + "2.0.0.127.b.barracudacentral.org", + "2.0.0.127.b.barracudacentral.org", + "2.0.0.127.wormrbl.imp.ch", + "2.0.0.127.truncate.gbudb.net", + "2.0.0.127.web.dnsbl.sorbs.net", + "2.0.0.127.xbl.spamhaus.org", + "2.0.0.127.cbl.abuseat.org", + "2.0.0.127.spamguard.leadmon.net", + "2.0.0.127.rbl.interserver.net", + "2.0.0.127.http.dnsbl.sorbs.net", + "2.0.0.127.dul.dnsbl.sorbs.net", + "2.0.0.127.sbl.spamhaus.org", + "2.0.0.127.sbl.spamhaus.org", + "2.0.0.127.spam.dnsbl.sorbs.net" + ] +} +~~~~ + diff --git a/rbl.py b/rbl.py new file mode 100644 index 0000000..0b3060e --- /dev/null +++ b/rbl.py @@ -0,0 +1,124 @@ +#!/usr/bin/env python +# coding=utf-8 +# +# Quick-and-dirty(tm) Python script to check a set of IPv4 addresses against known RBLs +# + +__author__ = "Alexandre Dulaunoy" +__copyright__ = "Copyright 2017, Alexandre Dulaunoy" +__license__ = "AGPL version 3" +__version__ = "0.1" + +import sys +import argparse +import json +import datetime + +try: + import dns.resolver + resolver = dns.resolver.Resolver() + resolver.timeout = 0.2 + resolver.lifetime = 0.2 +except: + print('dnspython3 is missing, pip install dnspython3') + sys.exit(0) + +parser = argparse.ArgumentParser(description='multi-rblcheck\nA simple script to test a list of IP addresses against RBLs.\n The output is a JSON object per IP address.') +parser.add_argument("-d","--debug", default=False, action='store_true', help='Include debug message') +parser.add_argument("-t", "--test", default=False, action='store_true') +parser.add_argument("-i", "--ip", default=None, action='append', required=True, help='IPv4 address to check against the RBLs (one or more IP addresses)') +parser.add_argument("-a", "--all", default=False, action='store_true', help='Include unlisted results') +args = parser.parse_args() + +if args.test: + args.ip = ['127.0.0.1'] + +rbls = { + 'spam.spamrats.com': 'http://www.spamrats.com', + 'spamguard.leadmon.net': 'http://www.leadmon.net/SpamGuard/', + 'rbl-plus.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html', + 'web.dnsbl.sorbs.net': 'http://www.sorbs.net', + 'ix.dnsbl.manitu.net': 'http://www.dnsbl.manitu.net', + 'virus.rbl.jp': 'http://www.rbl.jp', + 'dul.dnsbl.sorbs.net': 'http://www.sorbs.net', + 'bogons.cymru.com': 'http://www.team-cymru.org/Services/Bogons/', + 'psbl.surriel.com': 'http://psbl.surriel.com', + 'misc.dnsbl.sorbs.net': 'http://www.sorbs.net', + 'httpbl.abuse.ch': 'http://dnsbl.abuse.ch', + 'combined.njabl.org': 'http://combined.njabl.org', + 'smtp.dnsbl.sorbs.net': 'http://www.sorbs.net', + 'korea.services.net': 'http://korea.services.net', + 'drone.abuse.ch': 'http://dnsbl.abuse.ch', + 'rbl.efnetrbl.org': 'http://rbl.efnetrbl.org', + 'cbl.anti-spam.org.cn': 'http://www.anti-spam.org.cn/?Locale=en_US', + 'b.barracudacentral.org': 'http://www.barracudacentral.org/rbl/removal-request', + 'bl.spamcannibal.org': 'http://www.spamcannibal.org', + 'xbl.spamhaus.org': 'http://www.spamhaus.org/xbl/', + 'zen.spamhaus.org': 'http://www.spamhaus.org/zen/', + 'rbl.suresupport.com': 'http://suresupport.com/postmaster', + 'db.wpbl.info': 'http://www.wpbl.info', + 'sbl.spamhaus.org': 'http://www.spamhaus.org/sbl/', + 'http.dnsbl.sorbs.net': 'http://www.sorbs.net', + 'csi.cloudmark.com': 'http://www.cloudmark.com/en/products/cloudmark-sender-intelligence/index', + 'rbl.interserver.net': 'http://rbl.interserver.net', + 'ubl.unsubscore.com': 'http://www.lashback.com/blacklist/', + 'dnsbl.sorbs.net': 'http://www.sorbs.net', + 'virbl.bit.nl': 'http://virbl.bit.nl', + 'pbl.spamhaus.org': 'http://www.spamhaus.org/pbl/', + 'socks.dnsbl.sorbs.net': 'http://www.sorbs.net', + 'short.rbl.jp': 'http://www.rbl.jp', + 'dnsbl.dronebl.org': 'http://www.dronebl.org', + 'blackholes.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html', + 'truncate.gbudb.net': 'http://www.gbudb.com/truncate/index.jsp', + 'dyna.spamrats.com': 'http://www.spamrats.com', + 'spamrbl.imp.ch': 'http://antispam.imp.ch', + 'spam.dnsbl.sorbs.net': 'http://www.sorbs.net', + 'wormrbl.imp.ch': 'http://antispam.imp.ch', + 'query.senderbase.org': 'http://www.senderbase.org/about', + 'opm.tornevall.org': 'http://dnsbl.tornevall.org', + 'netblock.pedantic.org': 'http://pedantic.org', + 'access.redhawk.org': 'http://www.redhawk.org/index.php?option=com_wrapper&Itemid=33', + 'cdl.anti-spam.org.cn': 'http://www.anti-spam.org.cn/?Locale=en_US', + 'multi.surbl.org': 'http://www.surbl.org', + 'noptr.spamrats.com': 'http://www.spamrats.com', + 'dnsbl.inps.de': 'http://dnsbl.inps.de/index.cgi?lang=en', + 'bl.spamcop.net': 'http://bl.spamcop.net', + 'cbl.abuseat.org': 'http://cbl.abuseat.org', + 'dsn.rfc-ignorant.org': 'http://www.rfc-ignorant.org/policy-dsn.php', + 'zombie.dnsbl.sorbs.net': 'http://www.sorbs.net', + 'dnsbl.njabl.org': 'http://dnsbl.njabl.org', + 'relays.mail-abuse.org': 'http://www.mail-abuse.com/lookup.html', + 'rbl.spamlab.com': 'http://tools.appriver.com/index.aspx?tool=rbl', + 'all.bl.blocklist.de': 'http://www.blocklist.de/en/rbldns.html' +} + + +def checkAll(ip=None): + if ip is None: + return None + results = {} + results['query'] = ip + results['date'] = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + results['listed'] = [] + results['info'] = [] + results['not_listed'] = [] + for rbl in rbls: + ipRev = '.'.join(ip.split('.')[::-1]) + query = ipRev+'.'+rbl + if args.debug: + print ('{}'.format(query)) + try: + resolver.query(query,'A') + try: + txt = resolver.query(query, 'TXT') + except: + results['listed'].append(query) + results['listed'].append(query) + results['info'].append(str(txt[0])) + except: + if args.all: + results['not_listed'].append(query) + return results + +for ip in args.ip: + print (json.dumps(checkAll(ip=ip)))