Kaseya Community

Spam Blacklist Alert script

  • Here is a script I am working on (hope I'm not reinventing the wheel.) I am interested in being able to check several public email blacklists to see if a public IP is on them. I deal with a bunch of SBS servers and occasionally (actually more rarely) they make it onto the lists, but I'd rather know about it before they start forwarding me bounces. For the moment I have picked several lists that I know I can do a DNS query against and get a result. The script is rather clunky but I know it works. I'd like to know if someone has something similar. It's two parts, both below.

    Thanks,

    Peter

    Script Name: Spam Blacklist PT1
    Script Description: This script checks to see if a public IP returns a value that contains 127.0.0.* from DSBL, SpamHaus and abuse.net. It will email an alert to Support if it finds one listed.

    IF True
    THEN
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : MachineID
    OS Type : 0
    Get Variable
    Parameter 1 : 11
    Parameter 2 : vMachine/ConnectionGatewayIp
    Parameter 3 : PublicIP
    OS Type : 0
    Get Variable
    Parameter 1 : 11
    Parameter 2 : vMachine/DnsServer1
    Parameter 3 : dns
    OS Type : 0
    Get Variable
    Parameter 1 : 10
    Parameter 2 :
    Parameter 3 : agentdir
    OS Type : 0
    Execute Shell Command
    Parameter 1 : echo #machineid# results of Spam List Tests >>c:\spamheader.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : nslookup #PublicIP#.abuse.net #dns# >>c:\abusenet.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : nslookup #PublicIP#.zen.spamhaus.org #dns# >>c:\spamhaus.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : nslookup #PublicIP#.list.dsbl.org #dns# >>c:\dsbl.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : copy >>c:\spamheader.txt + >>c:\dsbl.txt + >>c:\spamhaus.txt + >>c:\abusenet.txt >>c:\spamresults.txt /Y
    Parameter 2 : 0
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : c:\spamresults.txt
    Parameter 3 : results
    OS Type : 0
    Execute Script
    Parameter 1 : Spam Blacklist PT2 (NOTE: Script reference is NOT imported. Correct manually in script editor.)
    Parameter 2 :
    Parameter 3 : 0
    OS Type : 0
    ELSE




    Script Name: Spam Blacklist PT2
    Script Description:

    IF Check Variable
    Parameter 1 : #results#
    Contains :127.0.0
    THEN
    Send Email - (Continue on Fail)
    Parameter 1 : support@paradigmcomputer.com
    Parameter 2 : EMAIL BLACK LIST ALERT! #MachineID#
    Parameter 3 : #results#
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\dsbl.txt
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\spamhaus.txt
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\abusenet.txt
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\spamresults.txt
    OS Type : 0
    Delete File
    Parameter 1 : c:\spamheader.txt
    OS Type : 0
    ELSE
    Write Script Log Entry
    Parameter 1 : Spam Black Lists Ran, no listings found.
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\dsbl.txt
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\spamhaus.txt
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\abusenet.txt
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\spamresults.txt
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\spamheader.txt
    OS Type : 0

    Legacy Forum Name: Spam Blacklist Alert script,
    Legacy Posted By Username: pjones
  • pjones
    Execute Shell Command
    Parameter 1 : copy >>c:\spamheader.txt + >>c:\dsbl.txt + >>c:\spamhaus.txt + >>c:\abusenet.txt >>c:\spamresults.txt /Y
    Parameter 2 : 0
    OS Type : 0


    Great work, however I could not get the above copy to work. I ended up using the code:

    Execute Shell Command
    Parameter 1 : type c:\spamheader.txt c:\spamhaus.txt c:\abusenet.txt c:\dsbl.txt >>c:\spamresults.txt
    Parameter 2 : 0
    OS Type : 0

    Regards

    Jon

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: jonaskew
  • Ok, you showed me what I was looking for. Instead of making multiple files and adding them together, I can now create one. I reworked the two scripts to the following (much cleaner and easily expanded):


    Script Name: Spam Blacklist Pt1
    Script Description: This script checks to see if a public IP returns a value that contains 127.0.0.* from DSBL, SpamHaus and abuse.net. It will email an alert to Support if it finds one listed.

    IF True
    THEN
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : MachineID
    OS Type : 0
    Get Variable
    Parameter 1 : 11
    Parameter 2 : vMachine/ConnectionGatewayIp
    Parameter 3 : PublicIP
    OS Type : 0
    Get Variable
    Parameter 1 : 11
    Parameter 2 : vMachine/DnsServer1
    Parameter 3 : dns
    OS Type : 0
    Get Variable
    Parameter 1 : 10
    Parameter 2 :
    Parameter 3 : agentdir
    OS Type : 0
    Execute Shell Command
    Parameter 1 : echo #machineid# results of Spam List Tests >>c:\spamresults.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : nslookup #PublicIP#.abuse.net #dns# >>c:\spamresults.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : nslookup #PublicIP#.zen.spamhaus.org #dns# >>c:\spamresults.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : nslookup #PublicIP#.list.dsbl.org #dns# >>c:\spamresults.txt
    Parameter 2 : 0
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : c:\spamresults.txt
    Parameter 3 : results
    OS Type : 0
    Execute Script
    Parameter 1 : Spam Blacklist PT2 (NOTE: Script reference is NOT imported. Correct manually in script editor.)
    Parameter 2 :
    Parameter 3 : 0
    OS Type : 0
    ELSE






    Script Name: Spam Blacklist PT2
    Script Description:

    IF Check Variable
    Parameter 1 : #results#
    Contains :127.0.0
    THEN
    Send Email - (Continue on Fail)
    Parameter 1 : support@paradigmcomputer.com
    Parameter 2 : EMAIL BLACK LIST ALERT! #MachineID#
    Parameter 3 : #results#
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\spamresults.txt
    OS Type : 0
    ELSE
    Write Script Log Entry
    Parameter 1 : Spam Black Lists Ran, no listings found.
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : c:\spamresults.txt
    OS Type : 0

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: pjones
  • Ok, this is a really cool idea but I think there might be a problem. I'm not an expert but I'm pretty sure you need to reverse the IP before using nslookup to query an IP address. I have used mxtoolbox as well as dnsbl.info and spamcop to verify my results. I will post a VB script to flip the IPs on Monday.
    Notice the reversed IP address in this example:

    C:\>nslookup 201.143.17.228.bl.spamcop.net
    Server: ns1.norcalisp.com
    Address: 64.55.115.51

    *** ns1.norcalisp.com can't find 201.143.17.228.bl.spamcop.net: Non-existent domain

    C:\>nslookup 228.17.143.201.bl.spamcop.net
    Server: ns1.norcalisp.com
    Address: 64.55.115.51

    Non-authoritative answer:
    Name: 228.17.143.201.bl.spamcop.net
    Address: 127.0.0.2

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Mac
  • Adding something like this to turn around the IP is easy, no need to add more files to the remote computer:

    for /f "tokens=1,2,3,4 delims=." %a in ("#PublicIp#") do nslookup %d.%c.%b.%a.bl.spamcop.net >>#temp#\spam-results.txt

    Note: use %%a if in a batch script, %a works for the command line.

    Do this for each DNSBL you want to use. Spamcop uses the reversed IP, not sure about the others.

    I made mine look something like this:

    Script Name: Spam Blacklist Pt1
    Script Description: This script checks to see if a public IP returns a value that contains 127.0.0.* from DSBL, SpamHaus and abuse.net. It will email an alert to Support if it finds one listed.
    IF True
    THEN
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : MachineID
    OS Type : 0
    Get Variable
    Parameter 1 : 11
    Parameter 2 : vMachine/ConnectionGatewayIp
    Parameter 3 : PublicIP
    OS Type : 0
    Get Variable
    Parameter 1 : 10
    Parameter 2 :
    Parameter 3 : temp
    OS Type : 0
    Execute Shell Command
    Parameter 1 : echo #machineid# results of Spam List Tests >>#temp#\spam-results.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : for /f "tokens=1,2,3,4 delims=." %a in ("#publicip#") do nslookup %d.%c.%b.%a.abuse.net >>#temp#\spam-results.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : for /f "tokens=1,2,3,4 delims=." %a in ("#publicip#") do nslookup %d.%c.%b.%a.zen.spamhaus.org >>#temp#\spam-results.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : for /f "tokens=1,2,3,4 delims=." %a in ("#publicip#") do nslookup %d.%c.%b.%a.list.dsbl.org >>#temp#\spam-results.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : for /f "tokens=1,2,3,4 delims=." %a in ("#publicip#") do nslookup %d.%c.%b.%a.dnsbl.sorbs.net >>#temp#\spam-results.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : for /f "tokens=1,2,3,4 delims=." %a in ("#publicip#") do nslookup %d.%c.%b.%a.bl.spamcop.net >>#temp#\spam-results.txt
    Parameter 2 : 0
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : #temp#\spam-results.txt
    Parameter 3 : results
    OS Type : 0
    Execute Script
    Parameter 1 : Spam Blacklist PT2 (NOTE: Script reference is NOT imported. Correct manually in script editor.)
    Parameter 2 :
    Parameter 3 : 0
    OS Type : 0
    ELSE


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ryan.odwyer
  • The other question to ask: how do we prevent a cached lookup of the IP?

    Running flushdns prior to running the script?

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ryan.odwyer
  • Mac
    Ok, this is a really cool idea but I think there might be a problem. I'm not an expert but I'm pretty sure you need to reverse the IP before using nslookup to query an IP address. I have used mxtoolbox as well as dnsbl.info and spamcop to verify my results. I will post a VB script to flip the IPs on Monday.
    Notice the reversed IP address in this example:

    C:\>nslookup 201.143.17.228.bl.spamcop.net
    Server: ns1.norcalisp.com
    Address: 64.55.115.51

    *** ns1.norcalisp.com can't find 201.143.17.228.bl.spamcop.net: Non-existent domain

    C:\>nslookup 228.17.143.201.bl.spamcop.net
    Server: ns1.norcalisp.com
    Address: 64.55.115.51

    Non-authoritative answer:
    Name: 228.17.143.201.bl.spamcop.net
    Address: 127.0.0.2




    Darn, you're right. Do the other lists also do the same (as far as reversing the octets)?

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: pjones
  • pjones
    Darn, you're right. Do the other lists also do the same (as far as reversing the octets)?


    My buddy at norcalisp said that this is the norm but I have no idea why. BTW, nice DOS command ryan.odwyer, that is a tricky little piece of work.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Mac
  • This is exactly why I love the Kaseya community!!

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Interprom
  • Wow, awesome script.

    FYI:

    dnsbl and spamhaus are belly up. Don't know if there are others we can add to this, but I disabled those in my script.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: saybrook
  • saybrook
    Wow, awesome script.
    FYI:
    dnsbl and spamhaus are belly up. Don't know if there are others we can add to this, but I disabled those in my script.


    I was trying this script over the weekend, and running into problems. Maybe that explains why?

    Lloyd

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: lwolf
  • Spamhaus is still there, and SORBS (dnsbl) is due to be shut down on the 22nd July unless they can sell the company.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ryan.odwyer
  • Big problem I have is that even if I do manual nslookups with any of these I don't get any response other than a "non-existent domain".

    i.e. nslookup 227.146.129.69.zen.spamhaus.org (doing a lookup of 69.129.146.227)

    Even if the host isn't listed you should still receive a confirmation from the lookup such as 127.254.254.254, no?


    Edit: OK, after more reading, that "non-existent domain" may be what we want, although that abuse.net lookup does return a value even if you aren't listed.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: saybrook
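    The reversed-octet rule Mac demonstrates, ryan.odwyer's for /f loop, and saybrook's observation that "non-existent domain" is the normal answer for an unlisted IP, put together as an added Python example (not code from anyone in this thread): it reverses the octets, queries each zone, and counts only a 127.0.0.0/8 answer as a listing. The answer table and the 10.1.2.3 abuse.net value are constructed so the example runs offline; `live_resolve` does real lookups through the system resolver.

```python
import ipaddress
import socket

# Constructed answer table so the example runs offline: query name -> A record,
# with None standing for NXDOMAIN ("non-existent domain" in nslookup output).
SAMPLE_ANSWERS = {
    "228.17.143.201.bl.spamcop.net": "127.0.0.2",  # listed (Mac's example above)
    "201.143.17.228.bl.spamcop.net": None,         # octets not reversed: NXDOMAIN
    "228.17.143.201.zen.spamhaus.org": None,       # not listed
    "228.17.143.201.abuse.net": "10.1.2.3",        # constructed: a non-127 answer
}

def fake_resolve(name):
    """Offline stand-in for DNS; returns an address string or None for NXDOMAIN."""
    return SAMPLE_ANSWERS.get(name)

def live_resolve(name):
    """System resolver; no answer is reported as None, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def reverse_octets(ip):
    """201.143.17.228 -> 228.17.143.201, the form DNSBL zones expect."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything else
    return ".".join(reversed(str(addr).split(".")))

def is_listing(answer):
    """Only a 127.0.0.0/8 answer is a listing; NXDOMAIN and any other address
    (abuse.net's non-127 records, for example) are not.  Spamhaus uses
    127.255.255.x to report query errors, so that range is excluded too."""
    if answer is None:
        return False
    addr = ipaddress.IPv4Address(answer)
    if addr in ipaddress.IPv4Network("127.255.255.0/24"):
        return False
    return addr in ipaddress.IPv4Network("127.0.0.0/8")

def check_dnsbls(ip, zones, resolve=fake_resolve):
    """Query every zone for the reversed IP; returns {zone: (listed, answer)}."""
    rev = reverse_octets(ip)
    results = {}
    for zone in zones:
        answer = resolve(f"{rev}.{zone}")
        results[zone] = (is_listing(answer), answer)
    return results

def listed_zones(ip, zones, resolve=fake_resolve):
    """Zones that list the IP; an empty list means clean."""
    return [z for z, (hit, _) in check_dnsbls(ip, zones, resolve).items() if hit]
```

    Call `listed_zones("203.0.113.7", ["bl.spamcop.net", "zen.spamhaus.org"], resolve=live_resolve)` for a real check; an empty list is the "no listings found" case the PT2 script logs.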
  • Has anyone had this successfully alert on a blocked domain? I am trying to run the commands manually on IPs listed in the blocklists and I cannot seem to get a 127.0.0 result ever. I want to make sure this is working correctly.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Obie
  • Definitely works ok - I have an updated version of the script here if you want:
    http://www.tullibo.com/2009/12/01/kaseya-spam-blacklist-checker/

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: tbone2345