skip to content

System: Expanding IPv6 Addresses for DNSBL Checks

A DNSBL is a DNS-based spam blocking list which can be used, for example, to bock emails originating from known spam servers. There are a number of DNSBL in existence, with some of the more popular being SORBS, Spamhaus and SpamCop.

Use of DNSBL is sometimes controversial as it can result in legitimate emails being blocked through no fault of the sender. Also because removal from some lists requires up-front payment.

RBL check for IPv4 addresses

To query a DNSBL to check an IPv4 address (e.g. 74.XXX.254.254) we first reverse the address, and then append the DNSBL domain. For example, we want to check if the preceding address appears in the Spamhaus Zen DNSBL we end up with 254.254.XXX.74.zen.spamhaus.org.

To query the blacklist directly we can use any number of command-line tools, including host and dig.

If the address is ok to accept emails from you will receive a null response:

# host 254.254.XXX.74.zen.spamhaus.org Host 254.254.XXX.74.zen.spamhaus.org not found: 3(NXDOMAIN) # dig 254.254.XXX.74.zen.spamhaus.org a ;; AUTHORITY SECTION: zen.spamhaus.org. 10 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1804051006 3600 600 432000 10

While if there is a problem you will receive one or more addresses in response indicating that the address is currently blacklisted:

# host 243.XXX.240.183.zen.spamhaus.org 243.XXX.240.183.zen.spamhaus.org has address 127.0.0.11 243.XXX.240.183.zen.spamhaus.org has address 127.0.0.3 243.XXX.240.183.zen.spamhaus.org has address 127.0.0.4 # dig 243.XXX.240.183.zen.spamhaus.org a ;; ANSWER SECTION: 243.XXX.240.183.zen.spamhaus.org. 23 IN A 127.0.0.11 243.XXX.240.183.zen.spamhaus.org. 23 IN A 127.0.0.4 243.XXX.240.183.zen.spamhaus.org. 23 IN A 127.0.0.3 # dig 243.XXX.240.183.zen.spamhaus.org txt ;; ANSWER SECTION: 243.XXX.240.183.zen.spamhaus.org. 60 IN TXT "https://www.spamhaus.org/query/ip/183.240.XXX.243" 243.XXX.240.183.zen.spamhaus.org. 60 IN TXT "https://www.spamhaus.org/sbl/query/SBLCSS"

Each 127.0.0.* address returned represents a different sub-list or reason that the ip address has been black-listed. To find the meaning of these return values you need to refer to the DNSBL website as they vary across services.

Querying the TXT record is often more useful as it can return more detailed information or a link, as shown above.

Here is the same ip address run through SORBS:

# host 243.XXX.240.183.dnsbl.sorbs.net 243.XXX.240.183.dnsbl.sorbs.net has address 127.0.0.7 243.XXX.240.183.dnsbl.sorbs.net has address 127.0.0.6 # dig 243.XXX.240.183.dnsbl.sorbs.net txt ;; ANSWER SECTION: 243.XXX.240.183.dnsbl.sorbs.net. 3600 IN TXT "Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?183.240.XXX.243" 243.XXX.240.183.dnsbl.sorbs.net. 3600 IN TXT "Exploitable Server See: http://www.sorbs.net/lookup.shtml?183.240.XXX.243"

And through SpamCop:

# host 243.XXX.240.183.bl.spamcop.net 243.XXX.240.183.bl.spamcop.net has address 127.0.0.2 # dig 243.XX.240.183.bl.spamcop.net txt ;; ANSWER SECTION: 243.XXX.240.183.bl.spamcop.net. 2100 IN TXT "Blocked - see http://www.spamcop.net/bl.shtml?183.240.XXX.243"

As you can see that this particular IPv4 address appears in all three of the DNSBL tested.

RBL check for IPv6 addresses

Working with IPv6 address is more difficult for two reasons. Firstly, because they are often abbreviated, and secondly, because all 32 digits of the address need to be reversed.

For example, starting with: 2600:XXXX::f03c:91ff:fe50:d2

We first need to expand the address to its full length:

2600:XXXX:0000:0000:f03c:91ff:fe50:00d2

Then reverse the individual digits, ignoring the colons, and append the DNSBL domain as before:

# host 2.d.0.0.0.5.e.f.f.f.1.9.c.3.0.f.0.0.0.0.0.0.0.0.X.X.X.X.0.0.6.2.zen.spamhaus.org 2.d.0.0.0.5.e.f.f.f.1.9.c.3.0.f.0.0.0.0.0.0.0.0.X.X.X.X.0.0.6.2.zen.spamhaus.org has address 127.0.0.3 # dig 2.d.0.0.0.5.e.f.f.f.1.9.c.3.0.f.0.0.0.0.0.0.0.0.X.X.X.X.0.0.6.2.zen.spamhaus.org txt ;; ANSWER SECTION: 2.d.0.0.0.5.e.f.f.f.1.9.c.3.0.f.0.0.0.0.0.0.0.0.X.X.X.X.0.0.6.2.zen.spamhaus.org. 60 IN TXT "https://www.spamhaus.org/sbl/query/SBLCSS"

In this case the IPv6 address appears in the Spamhaus CSS Component of the SBL meaning that it has been blocked for belonging to a larger network of addresses, some of which are sending spam.

Preparing IP addresses for DNSBL checking

Here we've created a couple of useful tools which take an IPv4 or IPv6 address and convert it into the required format for a DNSBL lookup. First for IPv4:

IPv4 DNSBL Converter

And this form will work for IPv6 addresses:

IPv6 DNSBL Converter

These forms are JavaScript-only so you don't need to worry about the input values being exposed.

See the link under References below for a more comprehensive list of available DNSBL.

Enabling DNSBL checks in sendmail

In sendmail you just need to add the following to your sendmail.mc make/reload and restart:

FEATURE(dnsbl, `dnsbl.sorbs.net', `Your outgoing mail server $&{client_addr} has been blacklisted by SORBS - see Database Check - http://www.sorbs.net/')dnl FEATURE(dnsbl, `zen.spamhaus.org', `Your outgoing mail server $&{client_addr} has been blacklisted by Spamhaus - see Blocklist Removal Center - https://www.spamhaus.org/zen/')dnl FEATURE(dnsbl, `bl.spamcop.net', `Your outgoing mail server $&{client_addr} has been blacklisted by SpamCop - see https://www.spamcop.net/bl.shtml')dnl

References

< System

Post your comment or question
top