Testing DNSBLs

Andrew Kirch AKirch at AllThingsIT.com
Tue Aug 14 14:47:37 EDT 2007


I don't know that I'd use Argus for this.  www.dnsstuff.com queries all
of the major DNSBLs.  I think that'd be a lot easier than doing DNSBL
lookups for every IP you have, and it'd reduce the load on our (I own
and operate the AHBL (www.ahbl.org)) servers.  If you wanted to do
something more automated, consider writing a shell script to parse your
mail log for 550's and have it fail when someone 550's your mail with a
regexp check for "please see www.<DNSBL THAT BLACKLISTED
YOU>.TLD/<somelookuppage>.pl" and then have Argus fail on the exit code.
(export the mail log via NFS if it's not on the machine running Argus).
You might find starting with the AHBL, SpamHaus, SpamCop, SORBS, DSBL,
NJABL is a good start, and their websites (and SpamAssassin/other spam
tools) include example phrases to look for.  Hopefully these are a couple
of good suggestions to get you started.

Andrew D Kirch - AllThingsIT
Office: 317-755-0200
GPG: 735D020C

> -----Original Message-----
> From: arguslist-bounces at tcp4me.com [mailto:arguslist-bounces at tcp4me.com]
> On Behalf Of ml-it-argus at epigenomics.com
> Sent: Tuesday, August 14, 2007 10:33 AM
> To: arguslist at tcp4me.com
> Subject: Testing DNSBLs
> 
> Hi!
> 
> Has anyone created a test to check if a specific IP is in a DNS based
> black list?
> 
> It could be done with a DNS based test but you want the test to fail if
> the entry is found and not if the entry is not found, i.e. Argus should
> complain when the IP address is listed.
> 
> I guess that could be done with something like
> 
>         Service UDP/DNS {
>                 zone:   2.0.0.127.ix.dnsbl.manitu.net
>                 class:  IN
>                 query:  A
>                 test:   answer
>                 nexpect:        127.0.0.2
>         }
> 
> but is there a more "elegant" way for multiple DNSBLs?
> 
> We want to keep an eye on the IP addresses of our mail servers and if
> they are listed in the various black lists.
> 
> Greetings
> --
> Robert Sander                     Senior Manager Information Systems
> Epigenomics AG    Kleine Praesidentenstr. 1    10178 Berlin, Germany
> phone:+49-30-24345-0                            fax:+49-30-24345-555
> http://www.epigenomics.com             robert.sander at epigenomics.com
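
The log check suggested in the reply above, written out as an added example (not code from the post, from Argus or from any of the lists). It assumes Postfix-style delivery lines containing `said: 550`; the function names, the list of domain substrings and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Exit status for the monitor: 0 = clean, 1 = a remote server rejected our
# mail with a 550 that cites a DNSBL, 2 = log unreadable.

# Assumption: these substrings identify the lists named in the thread;
# adjust them to the rejection wording that actually shows up in your log.
DNSBL_RE='ahbl\.org|spamhaus\.org|spamcop\.net|sorbs\.net|dsbl\.org|njabl\.org|dnsbl\.manitu\.net'

# Log lines that are a remote 550 reply AND mention one of the lists.
dnsbl_rejections() {
    grep -E 'said: 550[ -]' "$1" | grep -Ei "$DNSBL_RE"
}

# Distinct lists cited in those rejections, space separated.
lists_cited() {
    dnsbl_rejections "$1" | grep -Eio "$DNSBL_RE" | tr 'A-Z' 'a-z' | sort -u | tr '\n' ' '
}

check_mail_log() {
    if [ ! -r "$1" ]; then echo "cannot read $1" >&2; return 2; fi
    cited=$(lists_cited "$1")
    if [ -n "$cited" ]; then
        echo "550 rejections cite: $cited"
        return 1
    fi
    echo "no DNSBL rejections found"
    return 0
}

# Constructed sample log (documentation addresses, invented queue IDs).
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 14 10:01:07 mx1 postfix/smtp[2211]: 4F3A21C0A: to=<a@example.net>, relay=mx.example.net[192.0.2.25]:25, status=sent (250 2.0.0 Ok: queued as 9B1C2)
Aug 14 10:02:31 mx1 postfix/smtp[2214]: 7C0D11C0B: to=<b@example.org>, relay=mx.example.org[192.0.2.40]:25, status=bounced (host mx.example.org[192.0.2.40] said: 550 5.1.1 <b@example.org>: Recipient address rejected: User unknown (in reply to RCPT TO command))
Aug 14 10:03:12 mx1 postfix/smtp[2219]: 1E5F01C0C: to=<c@example.com>, relay=mx.example.com[192.0.2.77]:25, status=bounced (host mx.example.com[192.0.2.77] said: 550 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl.sorbs.net (in reply to RCPT TO command))
Aug 14 10:04:45 mx1 postfix/smtp[2223]: 2A6B31C0D: to=<d@example.com>, relay=mx2.example.com[192.0.2.78]:25, status=bounced (host mx2.example.com[192.0.2.78] said: 550 Rejected: 198.51.100.7 listed at IX.DNSBL.MANITU.NET (in reply to RCPT TO command))
EOF
}

# Called with a log path: run the check and hand its status to the monitor.
if [ $# -gt 0 ]; then check_mail_log "$1"; exit $?; fi
```

A monitor that acts on exit codes, as the reply suggests for Argus, can call the script with the mail log path as its only argument.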


