Monitor Email IP for Blacklisting with Linux

Overview

This setup uses bash scripts on Linux, the mutt command-line mail client, a Gmail account created only for sending the alerts, and cron (cronie here, since that is the implementation that fits Arch Linux) to send alerts to an email address of your choice. Once an hour it checks whether your mail server's IP address has been added to a DNS blacklist, removed from one, or is no longer on any at all, and once a week it reminds you of any listings that remain. The hourly change alert does not say which specific blacklist added or removed you, but the email body carries the full set of blacklists the IP is currently on, so you can compare it with the previous alert by hand.

Instructions

  1. log in to the Linux system that will run the checks (it does not have to be the mail server itself; it only needs DNS resolution and outbound SMTP to Gmail)
  2. set up mutt using the settings below, then create the .sh files and the cron entries below that with vim
    • the .sh files and the two result files (blacklistcurrent.txt and blacklistold.txt) live in the directory you arrive at when you ssh in to the server, i.e. your home directory; the cron entries below assume that

Mutt Config Settings

  • this is used to send email when blacklist status changes. Put it in ~/.muttrc and make it readable only by you (chmod 600 ~/.muttrc), because it holds the account password in clear text
  • Gmail no longer accepts the account's ordinary password for SMTP or IMAP logins from a client like mutt: turn on 2-Step Verification on the alert account, generate an App Password, and use that as smtp_pass and imap_pass
  • only the from and smtp_* settings are needed to send alerts from cron; the imap settings let you read the alert account's mailbox with the same mutt and can be left out if you never do that
# identity used on outgoing alerts
set realname = "Captain Bodega"
set from = "youremail@gmail.com"
set use_from = yes
set envelope_from = yes
# implicit TLS to Gmail on 465; the password is the App Password, not the account password
set smtp_url = "smtps://youremail@gmail.com@smtp.gmail.com:465/"
set smtp_pass = "password"
# optional: only needed to read the alert mailbox from mutt
set imap_user = "youremail@gmail.com"
set imap_pass = "password"
set folder = "imaps://youremail@gmail.com@imap.gmail.com:993/"
set spoolfile = "+INBOX"
set ssl_force_tls = yes
# G to get mail
bind index G imap-fetch-mail
set editor = "vim"
# do not keep a local copy of every alert sent
unset record
set move = no
set charset = "utf-8"

blacklistchecker.sh

  • Update this list from time to time, since blacklists come and go (look around for a current list of DNSBL zones). Before relying on a zone, test it the way RFC 5782 specifies: a query for 127.0.0.2 must come back listed and one for 127.0.0.1 must not. A retired zone may answer NXDOMAIN for everything, or worse, answer positively for everything, which would show up here as a new listing
  • All DNSBLs are queried the same way: reverse the octets of the IP and prepend them to the zone name. A listed address resolves to an A record in 127.0.0.0/8 (the exact value encodes the reason for the listing and differs from list to list); an unlisted address gets NXDOMAIN
    • For example: ‘55.22.130.52.dnsbl-1.uceprotect.net has address 127.0.0.2’ means that dnsbl-1.uceprotect.net has blacklisted 52.130.22.55
  • Some zones, Spamhaus among them, answer 127.255.255.x to signal a problem with the query (for instance queries sent through a public resolver such as 8.8.8.8, or a query limit exceeded) rather than a listing. Run the checks through your own or your provider's resolver, and treat those codes as errors, not listings
#!/bin/bash
# Query every DNSBL zone below for one IPv4 address and print the raw `host` answers.
# A zone that has listed the address answers with an A record in 127.0.0.0/8; the others answer NXDOMAIN.
IP="52.130.22.55"
# DNSBLs are queried with the octets reversed: 52.130.22.55 -> 55.22.130.52
REV=$(printf '%s\n' "$IP" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
# One zone per line, each listed once (querying a zone twice would count a listing twice).
# Note that zen.spamhaus.org already combines sbl, xbl and pbl, so a Spamhaus listing
# shows up under several of these names and inflates the total.
ZONES="
0spam.fusionzero.com
access.redhawk.org
all.rbl.jp
all.spamrats.com
aspews.ext.sorbs.net
b.barracudacentral.org
bb.barracudacentral.org
bl.emailbasura.org
bl.spamcop.net
blacklist.woody.ch
block.dnsbl.sorbs.net
cbl.abuseat.org
cbl.anti-spam.org.cn
cblless.anti-spam.org.cn
cblplus.anti-spam.org.cn
cdl.anti-spam.org.cn
combined.abuse.ch
db.wpbl.info
dnsbl-0.uceprotect.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
dnsbl.inps.de
dnsbl.kempt.net
dnsbl.sorbs.net
dnsrbl.swinog.ch
drone.abuse.ch
dul.dnsbl.sorbs.net
dul.ru
dyna.spamrats.com
escalations.dnsbl.sorbs.net
http.dnsbl.sorbs.net
httpbl.abuse.ch
ips.backscatterer.org
korea.services.net
l1.bbfh.ext.sorbs.net
l2.bbfh.ext.sorbs.net
l3.bbfh.ext.sorbs.net
l4.bbfh.ext.sorbs.net
list.bbfh.org
mail-abuse.blacklist.jippg.org
misc.dnsbl.sorbs.net
new.spam.dnsbl.sorbs.net
noptr.spamrats.com
old.spam.dnsbl.sorbs.net
orvedb.aupads.org
pbl.spamhaus.org
problems.dnsbl.sorbs.net
proxies.dnsbl.sorbs.net
psbl.surriel.com
rbl.efnet.org
rbl.efnetrbl.org
rbl.interserver.net
rbl.orbitrbl.com
recent.spam.dnsbl.sorbs.net
relays.bl.kundenserver.de
relays.dnsbl.sorbs.net
rsbl.aupads.org
safe.dnsbl.sorbs.net
sbl-xbl.spamhaus.org
sbl.spamhaus.org
short.rbl.jp
smtp.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
spam.abuse.ch
spam.dnsbl.sorbs.net
spam.spamrats.com
spamrbl.imp.ch
spamsources.fabel.dk
tor.dan.me.uk
tor.efnet.org
torexit.dan.me.uk
virus.rbl.jp
web.dnsbl.sorbs.net
wormrbl.imp.ch
xbl.spamhaus.org
zen.spamhaus.org
zombie.dnsbl.sorbs.net
"
for zone in $ZONES; do
	host "$REV.$zone"
done
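The query construction and answer interpretation described in the bullets above, as an added example that is not part of the original page: it builds the reversed-octet query name for an address and a zone, classifies a line of `host` output as a listing, a clean answer, or a query error (including the 127.255.255.x codes that a size-based filter would count as a listing), and counts distinct listed names. The zone names and the sample `host` output are constructed for the example; only check_ip touches the network.

```shell
#!/bin/sh
# Added example (not code from the original page): build DNSBL query names and
# classify `host` answers. The sample `host` output below is constructed.

# DNSBLs are queried with the IPv4 octets reversed: 52.130.22.55 -> 55.22.130.52
reverse_ip() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Query name for <ip> in <zone>, e.g. 55.22.130.52.zen.spamhaus.org
dnsbl_qname() {
    printf '%s.%s\n' "$(reverse_ip "$1")" "$2"
}

# Classify one line of `host` output:
#   listed  an A record in 127.0.0.0/8, the zone's listing code (zen.spamhaus.org
#           may return several, one per sub-list)
#   clean   NXDOMAIN, the zone has no record for this address
#   error   SERVFAIL, REFUSED, a resolver timeout, or a 127.255.255.x answer, which
#           Spamhaus uses to signal query problems (public resolver, query limit)
#   ignore  anything else (CNAME "is an alias for" chatter, blank lines)
classify_host_line() {
    case "$1" in
        *"has address 127.255.255."*) echo error ;;
        *"has address 127."*)         echo listed ;;
        *NXDOMAIN*)                   echo clean ;;
        *SERVFAIL*|*REFUSED*|*"timed out"*|*"no servers could be reached"*) echo error ;;
        *)                            echo ignore ;;
    esac
}

# Read `host` output on stdin and print "listed=<n> clean=<n> error=<n>", where
# listed counts distinct query names rather than answer lines.
summarize_host_output() {
    listed=0; clean=0; error=0; seen=" "
    while IFS= read -r line; do
        case "$(classify_host_line "$line")" in
            listed)
                name=${line%% *}
                case "$seen" in
                    *" $name "*) ;;                                  # already counted
                    *) seen="$seen$name "; listed=$((listed + 1)) ;;
                esac ;;
            clean) clean=$((clean + 1)) ;;
            error) error=$((error + 1)) ;;
        esac
    done
    printf 'listed=%d clean=%d error=%d\n' "$listed" "$clean" "$error"
}

# Live check: query <ip> in every zone given as further arguments and summarize.
# Use your own or your provider's resolver; some zones answer 127.255.255.x
# (counted as error above) to queries that arrive through a public resolver.
check_ip() {
    ip="$1"; shift
    for zone in "$@"; do
        host "$(dnsbl_qname "$ip" "$zone")"
    done | summarize_host_output
}

# Constructed sample of what `host` prints for a handful of zones.
SAMPLE_HOST_OUTPUT='55.22.130.52.zen.spamhaus.org has address 127.0.0.2
55.22.130.52.zen.spamhaus.org has address 127.0.0.4
Host 55.22.130.52.bl.spamcop.net not found: 3(NXDOMAIN)
Host 55.22.130.52.psbl.surriel.com not found: 2(SERVFAIL)
;; connection timed out; no servers could be reached
55.22.130.52.sbl.spamhaus.org has address 127.255.255.254'

# Summarizing the sample gives listed=1 clean=1 error=3: zen is one listing despite
# two answer lines, and the SERVFAIL, timeout and 127.255.255.254 lines are errors.
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | summarize_host_output
```

A live run is `check_ip 52.130.22.55 zen.spamhaus.org bl.spamcop.net`; the RFC 5782 sanity check for a zone is `check_ip 127.0.0.2 <zone>` (expect listed=1) followed by `check_ip 127.0.0.1 <zone>` (expect listed=0).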

sizecheck.sh

  • This script compares blacklistcurrent.txt with blacklistold.txt. If the two files are identical nothing is sent. If they differ, an email goes to youremail@whatever.com (this can be any address you like and doesn't have to match anything else in the configuration) with a subject chosen from the file sizes: an empty current file means the IP is off every list, a smaller file means one or more removals, anything else counts as one or more additions. Because only byte sizes are compared, a removal and an addition in the same hour are reported as whichever changed the size more, and a list that starts returning an extra answer line (zen.spamhaus.org returns one per sub-list it matches) looks like an addition. The email body always carries the full current list, so check it rather than trusting the subject alone.
#!/bin/bash
# Run from the directory that holds the scripts and the two result files
cd "$(dirname "$0")" || exit 1
IP="52.130.22.55"
TO="youremail@whatever.com"
# first run: create an empty baseline so the comparison has something to read
[ -f blacklistold.txt ] || : > blacklistold.txt
#establishing the current blacklist file size variable
CURRENT=$(wc -c < blacklistcurrent.txt)
#establishing the old blacklist file size variable
OLD=$(wc -c < blacklistold.txt)
#outputting the variable values, for troubleshooting purposes. These two lines can be commented out after things are verified working
echo "blacklistcurrent.txt file size equals $CURRENT"
echo "blacklistold.txt file size equals $OLD"
#checks to see if there is any difference in content between the old record of the blacklist file and the new blacklist file
if diff -q blacklistcurrent.txt blacklistold.txt >/dev/null ; then
	echo "there has been no change to $IP blacklist status"
#now that the status has changed, checks whether there are any blacklistings left at all. If they are all gone, it's reported as such (5 rather than 0 bytes leaves room for a stray newline in an otherwise empty file)
elif (( CURRENT < 5 )); then
	mutt -s "$IP is no longer on any blacklists" "$TO" < blacklistcurrent.txt
#if there is a difference then this checks to see if the new data has a smaller file size than the old data, and if so, 1 or more blacklists have been removed, otherwise there have been 1 or more additions
elif (( CURRENT < OLD )); then
	mutt -s "$IP removed from 1 or more blacklists. Remaining blacklistings are in this email body." "$TO" < blacklistcurrent.txt
else
	mutt -s "$IP added to 1 or more blacklists. Total blacklistings are in this email body." "$TO" < blacklistcurrent.txt
fi
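The byte-size heuristic above cannot say which list changed, and a removal plus an addition in the same hour is reported as whichever moved the size more. The following is an added example, not code from the original page, that compares the set of zones with a 127/8 answer in two saved `host` outputs and names exactly what was added and removed. The two sample outputs are constructed; the reversed address and file layout are the ones the page uses.

```shell
#!/bin/sh
# Added example, not code from the original page: detect listing changes by
# comparing zone sets from two saved `host` outputs instead of file sizes.
# The two sample outputs below are constructed for the example.

REV_IP="55.22.130.52"   # reversed octets of 52.130.22.55, as in the checker script above

# Print the sorted, de-duplicated zone names that answered with a listing code.
# $1 is the reversed IP prefix; `host` output is read on stdin. A zone answering
# several codes (zen.spamhaus.org with 127.0.0.2 and 127.0.0.4) counts once, and
# 127.255.255.x query-error codes are not listings.
listed_zones() {
    awk -v p="$1." '$2 == "has" && $3 == "address" && $4 ~ /^127\./ &&
        $4 !~ /^127\.255\.255\./ && index($1, p) == 1 { print substr($1, length(p) + 1) }' | sort -u
}

# Compare old ($1) and new ($2) `host` output files and print one line:
#   "unchanged", "cleared", or "added: <zones>" and/or "removed: <zones>" joined by "; "
compare_listings() {
    old_z=$(mktemp); new_z=$(mktemp)
    listed_zones "$REV_IP" < "$1" > "$old_z"
    listed_zones "$REV_IP" < "$2" > "$new_z"
    # comm needs sorted input, which listed_zones guarantees
    added=$(comm -13 "$old_z" "$new_z" | tr '\n' ' ')
    removed=$(comm -23 "$old_z" "$new_z" | tr '\n' ' ')
    new_count=$(wc -l < "$new_z" | tr -d ' ')
    rm -f "$old_z" "$new_z"
    added=${added% }; removed=${removed% }
    if [ -z "$added" ] && [ -z "$removed" ]; then
        echo "unchanged"
    elif [ "$new_count" -eq 0 ]; then
        echo "cleared"
    else
        msg=""
        if [ -n "$added" ]; then msg="added: $added"; fi
        if [ -n "$removed" ]; then msg="${msg:+$msg; }removed: $removed"; fi
        echo "$msg"
    fi
}

# Constructed `host` output from two consecutive hourly runs. Between them the
# address was dropped by bl.spamcop.net and picked up by psbl.surriel.com, and zen
# started returning a second code. A byte-size comparison sees only that the new
# file is larger and reports "added", hiding the removal.
OLD_OUTPUT='55.22.130.52.zen.spamhaus.org has address 127.0.0.2
55.22.130.52.bl.spamcop.net has address 127.0.0.2
Host 55.22.130.52.psbl.surriel.com not found: 3(NXDOMAIN)'
NEW_OUTPUT='55.22.130.52.zen.spamhaus.org has address 127.0.0.2
55.22.130.52.zen.spamhaus.org has address 127.0.0.4
55.22.130.52.psbl.surriel.com has address 127.0.0.2
Host 55.22.130.52.bl.spamcop.net not found: 3(NXDOMAIN)'

# Write the samples to files and compare them; prints
# "added: psbl.surriel.com; removed: bl.spamcop.net"
demo_compare() {
    old_f=$(mktemp); new_f=$(mktemp)
    printf '%s\n' "$OLD_OUTPUT" > "$old_f"
    printf '%s\n' "$NEW_OUTPUT" > "$new_f"
    compare_listings "$old_f" "$new_f"
    rm -f "$old_f" "$new_f"
}

demo_compare
```

Dropped into sizecheck.sh, `compare_listings blacklistold.txt blacklistcurrent.txt` yields a subject line that names the zones, and the "unchanged" result replaces the diff test; the NXDOMAIN/SERVFAIL filtering in the cron entry becomes unnecessary because listed_zones only keeps 127/8 answers.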

weekly.sh

  • if nothing has changed but your mail IP is still on one or more blacklists, an email is sent anyway as a reminder. This runs only once a week.
#!/bin/bash
# Run from the directory that holds the result files
cd "$(dirname "$0")" || exit 1
IP="52.130.22.55"
TO="youremail@whatever.com"
#establishing the current blacklist file size variable
CURRENT=$(wc -c < blacklistcurrent.txt)
#outputting the variable value, for troubleshooting purposes. This line can be commented out after things are verified working
echo "blacklistcurrent.txt file size equals $CURRENT"
#checks on a weekly basis whether there are any blacklistings at all. If any are found, they are reported.
#5 is used rather than 0 because any listing line holds at least a query name and a 127.x address, so it is well over 5 bytes, while emptying blacklistcurrent.txt by hand for testing can leave a stray newline behind that would otherwise count as a listing.
if (( CURRENT > 5 )); then
	mutt -s "$IP weekly blacklist check - $IP was found to be on the following blacklists" "$TO" < blacklistcurrent.txt
fi

Cron Configuration

*For this cron setup, cronie was installed on Arch Linux, and the systemctl commands below are how the service is enabled there. Other distributions usually ship cron already running.
reference
*https://crontab.guru/#0_*_*_*_*
*https://crontab.guru/every-5-minutes
Make cron start when the computer/server starts
*sudo pacman -S cronie to install it, then sudo systemctl start cronie to start the service
*sudo systemctl enable cronie (start the service on boot)
*systemctl status cronie (check the service status; it should say active (running))
Config
*edit your crontab with ‘EDITOR=vim crontab -e’ from the command line. crontab -e syntax-checks the file and installs it with the right ownership and permissions, and cronie notices the change on its own, so no restart is needed; ‘systemctl status cronie’ afterwards just confirms the service is active.
**the installed file lives at /var/spool/cron/username, but edit it through crontab -e rather than directly so that a typo cannot silently disable every entry.

#Every hour at :01, run the checker and keep only the listing lines in blacklistcurrent.txt. The awk filter drops NXDOMAIN (not listed), SERVFAIL, CNAME "alias" chatter and resolver timeouts, none of which are listings; without the timeout filter an hour of slow DNS would be reported as a new blacklisting
1 * * * * bash $HOME/blacklistchecker.sh | awk '!/NXDOMAIN|SERVFAIL|alias|timed out|no servers/' > $HOME/blacklistcurrent.txt
#At :02, compare blacklistcurrent.txt with blacklistold.txt and send mail if the status changed
2 * * * * bash $HOME/sizecheck.sh
#At :03, keep this hour's result as the baseline for the next hour's comparison. Copying the file rather than running the checker a second time means the baseline is exactly what was just reported and each DNSBL is queried once an hour, not twice, which matters for lists that rate-limit queries
3 * * * * cp $HOME/blacklistcurrent.txt $HOME/blacklistold.txt
#The three entries above run every hour, one minute apart: 12:01, 12:02, 12:03, then 1:01, 1:02, 1:03, and so on. Scripts are called by absolute path because cron's PATH is minimal and its working directory is your home directory
#Weekly status check (Sunday at 8am) to report any current blacklistings in case we were notified of them earlier but neither we nor the blacklister has acted since
0 8 * * Sun bash $HOME/weekly.sh