
Template: Are your servers blacklisted?

Most companies have a wide variety of services running, usually with public and private facing interfaces. If you are providing services like SMTP, DNS or similar to your customers, those services might be misused and you could end up getting your servers' IP addresses blacklisted on various Domain Name System Blackhole Lists (DNSBLs). This could hurt your reputation as a service provider and will certainly result in a bad experience for your customers.

Checking regularly whether your hosts are blacklisted is key, but what if you have hundreds or thousands of servers? You make Zabbix do it for you!

Requirements

  • CentOS/RHEL
    • # yum install bind-utils
  • Debian/Ubuntu
    • # apt-get install dnsutils

How it works

This template utilizes External Checks. The script “check_dnsbl.sh” is run with two parameters: the hostname of the server you wish to check and the DNSBL you wish to check it against. It simply returns “0” if the server is not listed and “1” if it is.

The template has 5 pre-made items and corresponding triggers. The items should be pretty self-explanatory. Example: check_dnsbl.sh[{HOST.DNS},zen.spamhaus.org]

You can change the existing DNSBL servers in the template or add your own, although the ones already added should cover most users quite well.

“{HOST.DNS}” is a macro that expands to the DNS name you have specified for your hosts on their interfaces. The script requires DNS names in order to function; the script and template can be modified to use IP addresses instead, but I wouldn’t recommend this, since not using hostnames is bad practice anyway.

The default DNSBLs used are:

  • b.barracudacentral.org – A free DNSBL of IP addresses known to send spam
  • bl.spamcop.net – The SCBL is a fast and automatic list of sites sending reported mail, fueled by a number of sources, including automated reports and SpamCop user submissions.
  • cbl.abuseat.org – The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic, Kelihos etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, dictionary mail harvesters etc.
  • dnsbl.sorbs.net – The SORBS (Spam and Open Relay Blocking System) provides free access to its DNS-based Block List (DNSBL) to effectively block email from more than 12 million host servers known to disseminate spam, phishing attacks and other forms of malicious email.
  • zen.spamhaus.org – ZEN is the combination of all Spamhaus IP-based DNSBL’s into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists.

You can find additional ones at: www.dnsbl.info

DNSBL queries

As an example, when a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let’s say, dnsbl.example.net), it does more or less the following:

  1. Take the client’s IP address—say, 192.168.42.23—and reverse the order of octets, yielding 23.42.168.192.
  2. Append the DNSBL’s domain name: 23.42.168.192.dnsbl.example.net.
  3. Look up this name in the DNS as a domain name (“A” record). This will return either an address, indicating that the client is listed; or an “NXDOMAIN” (“No such domain”) code, indicating that the client is not.
  4. Optionally, if the client is listed, look up the name as a text record (“TXT” record). Most DNSBLs publish information about why a client is listed as TXT records.

Looking up an address in a DNSBL is similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the “A” rather than “PTR” record type, and uses a forward domain (such as dnsbl.example.net above) rather than the special reverse domain in-addr.arpa.
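The four steps above as a set of shell functions, added here as an example (this is not the template’s check_dnsbl.sh): the address is reversed and the zone appended, the A record is fetched with dig (assumed to be installed from bind-utils/dnsutils), and the verdict is taken from the answer text rather than from the resolver’s exit status, so an empty NOERROR reply counts as “not listed”. The 127.255.255.x range is the one Spamhaus documents for rejected queries; other lists may use different codes.

```shell
#!/bin/sh
# Added example, not the template's own script. Requires dig (bind-utils / dnsutils).

# reverse_ip 192.168.42.23 -> 23.42.168.192 ; fails on anything that is not a dotted quad
reverse_ip() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# dnsbl_name IP ZONE -> the query name, e.g. 23.42.168.192.dnsbl.example.net
dnsbl_name() {
    rev=$(reverse_ip "$1") || return 1
    printf '%s.%s\n' "$rev" "$2"
}

# classify_answer ANSWER: interpret the A-record answer as printed by "dig +short".
#   ""               -> notlisted (NXDOMAIN, or NOERROR with an empty answer section)
#   127.255.255.x    -> error     (Spamhaus: query rejected, e.g. sent via a public resolver)
#   other 127.x.x.x  -> listed
#   anything else    -> error     (dig's timeout text, or an address outside 127/8, which
#                                  no DNSBL returns; typically a resolver hijacking NXDOMAIN)
classify_answer() {
    case "$1" in
        "")             echo notlisted ;;
        127.255.255.*)  echo error ;;
        127.*)          echo listed ;;
        *)              echo error ;;
    esac
}

# dnsbl_check IP ZONE: live lookup; prints listed / notlisted / error
dnsbl_check() {
    name=$(dnsbl_name "$1" "$2") || { echo error; return 1; }
    answer=$(dig +short +time=2 +tries=1 -t A "$name" 2>/dev/null | head -n 1)
    classify_answer "$answer"
}

# dnsbl_reason IP ZONE: step 4 above, the TXT record explaining a listing (empty if none)
dnsbl_reason() {
    name=$(dnsbl_name "$1" "$2") || return 1
    dig +short +time=2 +tries=1 -t TXT "$name" 2>/dev/null
}
```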

How could my servers end up in the database of a DNSBL?

You can end up blacklisted in any number of ways: spam sent from an improperly secured SMTP server, misconfigured proxy services that are open to relaying, compromised systems that are used in botnets, hostile users on your company network. Unfortunately, the list goes on and on.

Disclaimer

Verifying whether your servers are indeed blacklisted doesn’t just require you to send a DNS query to any DNSBL. It requires you to use a reputable one; otherwise you might end up with false positives or outdated answers. Always research your DNSBL provider and read through their documentation to find out exactly how they populate and update their database.

Instructions – Are your servers Blacklisted?

  1. First, head over to Zabbix Share to fetch the template and script.
  2. Copy “check_dnsbl.sh” to your Zabbix Servers and Proxies and place it in “/usr/local/share/zabbix/externalscripts” (check your server and proxy configuration files for the correct folder; look for the parameter “ExternalScripts”).
  3. Make the script executable: chmod +x /usr/local/share/zabbix/externalscripts/check_dnsbl.sh
  4. Create the following value map (Administration -> General -> Value mapping: Create value map)
    1. Name: IP Blacklist
      0 -> Not listed
      1 -> Listed
  5. Import the template and assign it to your host(s).

If you run into trouble executing the script, here’s an excerpt from the Zabbix Wiki:

Zabbix server will look in the directory defined as the location for external scripts (parameter ‘ExternalScripts’ in Zabbix server configuration file) and execute the command. The command will be executed as the user Zabbix server runs as, so any access permissions or environment variables should be handled in a wrapper script, if necessary, and permissions on the command should allow that user to execute it. Only commands in the specified directory are available for execution.


Script: check_dnsbl.sh

#!/bin/bash

if [[ $# -ne 2 ]]; then
    echo "Usage: ./${0##*/} <hostname> <blacklist service>"
    exit 1
fi

# Retrieves the A record for hostname ($1); the last word of the output is the address
HOSTLOOKUP=$(host -t a "$1")
IP=${HOSTLOOKUP##*[[:space:]]}

# IP address validity check
if [[ ! $IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    echo "Could not resolve a valid IP for $1"
    exit 1
fi

# Converts the resolved IP into its reverse form (a.b.c.d -> d.c.b.a)
REVIP=$(sed -r 's/([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/\4.\3.\2.\1/' <<< "$IP")

# Performs the actual lookup against the blacklist. A listing is an A record in
# 127.0.0.0/8; a NOERROR reply without an A record ("has no A record", exit code 0)
# must not count as listed, so the answer text is checked rather than the exit code.
if host -W 2 -t a "$REVIP.$2" 2>/dev/null | grep -q 'has address 127\.'; then
    echo "1"
else
    echo "0"
fi

exit 0

18 Comments

  1. rasa

    Hi!

    Running zabbix 3.2. on ubuntu 16.04

    Script in /usr/lib/zabbix/externalscripts
    chmod +x against script file

    Imported template and assigned to hosts.

    But [no data] received from default blacklist servers.

    Any suggestions?

    Thanks!

  2. Kpax

    running zabbix 4.2
    this is what i get from Host Item

    Preprocessing failed for: Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]. [-R number] [-m f…
    1. Failed: cannot convert value of type “string” from boolean format: invalid value format

    • Can you try testing the “host” command manually from your system and verify that it works and returns exit code 0:

      host -W 2 -t a 1.1.1.1.zen.spamhaus.org; echo $?;

      • Kpax

        Hey mate,
        the value I receive after pasting the command from Zabbix Server is:

        root@zabbix:~# host -W 2 -t a 1.1.1.1.zen.spamhaus.org; echo $?;
        Host 1.1.1.1.zen.spamhaus.org not found: 3(NXDOMAIN)
        1

        I think the value is: 1

        thanks heaps

        • Okay, so the actual DNSBL lookup command works as expected. That’s really strange. Can you please try running the ‘check_dnsbl.sh’ script manually, like this:
          ./check_dnsbl.sh google.dk zen.spamhaus.org
          It should simply return ‘0’.

          • Kpax

            You’re right.

            root@zabbix:/usr/lib/zabbix/externalscripts# ./check_dnsbl.sh google.dk zen.spamhaus.org
            0

          • Okay, that’s great, the script is working as expected on your host.

            So what I’m guessing, is that you are trying to use it on a Zabbix host that doesn’t have a DNS name configured. Unfortunately I made the script rely on having a DNS name to use, since the template uses the {HOST.DNS} macro in the item key, e.g.: check_dnsbl.sh[{HOST.DNS},zen.spamhaus.org]

            If your host doesn’t have a DNS name, then it won’t work. If you know Bash, you can modify the script to check whether it receives a DNS name or not and react based upon that.

  3. Kpax

    Hey Martin,

    We attached the template to our mail server IP and DNS name as a host
    1.1.1.1 is mail.abc.com.

    Interestingly by removing the IP field and leaving DNS name.
    Now I am not receiving any error, all looks OK and enabled, but graphs are empty [no-data]

    note: Zabbix server needs to be restarted (it’s a production environment and can be done on Sunday); might this have any effect on the script working?

    thanks again for your direction.

    regards,

    • Strange. The template specifically uses {HOST.DNS} to make sure it uses the FQDN of the host, so it supports having both DNS and IP. Good to hear it works for you!

      To force retrieving data, you can go to the item on a host, configure it and choose “Check now” at the bottom. That will force data retrieval.

      • Kpax

        WORKING now data starts to get in 😉

        one quick question if I wish to add additional DNSBL’s sites I add it to the template item isn’t it?

        thanks again mate

        • Yes, you can simply change the template, or add new items. Cheers!

          • Kpax

            Cheers and many thanks!

  4. Sérgio

    Hi, I’m trying to create this monitoring, but I’m not succeeding.
    The commands that you asked user Kpax to run show these results:

    host -W 2 -t a 1.1.1.1.zen.spamhaus.org; echo $?;
    1.1.1.1.zen.spamhaus.org has no A record
    0

    ./check_dnsbl.sh google.dk zen.spamhaus.org
    1

    Can you help me?
    Tks!

    • Hi! I just tested the script and checking google.dk returns ‘0’ as it should. To troubleshoot, I would suggest you try running:
      bash -x check_dnsbl.sh google.dk zen.spamhaus.org
      That will print the script commands and arguments as they are executed. This should make it easy to troubleshoot where the issue is.

  5. Sérgio

    Hello.
    You said one thing and I ended up having another idea and it worked to some extent. So there are 2 things at first:

    1) see the output of the command:

    bash -x check_dnsbl.sh google.dk zen.spamhaus.org
    + [[ 2 -ne 2 ]]
    ++ host -t a google.dk
    + HOSTLOOKUP='google.dk has address 172.217.162.99'
    + [[ ! 172.217.162.99 =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
    ++ sed -r 's/([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/\4.\3.\2.\1/'
    + REVIP=99.162.217.172
    + host -W 2 -t a 99.162.217.172.zen.spamhaus.org
    + (( listed++ ))
    + echo 1
    1
    + exit 0

    2) the domain I am checking at spamhaus is returning as listed by zabbix, but if I go over there and check the IP, it does not appear as listed. In fact, zabbix just showed here that the IP is listed in all the lists it contains. Very strange

    • Yes, it is indeed strange. I get NXDOMAIN for the same reverse IP, so it’s definitely not listed.

      Try running the command “host -W 2 -t a 99.162.217.172.zen.spamhaus.org; echo $?” manually and see what it returns for you. The “echo” part is to grab the exit code, which is what the script depends on.

      • Sérgio

        host -W 2 -t a 99.162.217.172.zen.spamhaus.org; echo $?
        99.162.217.172.zen.spamhaus.org has no A record
        0

  6. Sérgio

    I’m really not able to understand how to make it work.
    I did the test as above and even in the Zabbix terminal showing that the IP has no results, and consulting the SPAMHAUS website also does not show anything, the trigger continues to inform that the IP is listed in that blacklist.
    Look:
    # host -W 2 -t to 35.252.34.189.zen.spamhaus.org; echo $?
    35.252.34.189.zen.spamhaus.org has no A record
    0

    Zabbix: zen.spamhaus.org 2020-07-16 14:37:31 Listed (1)

    = (
