Sysadmins of the North

Technical blog, where topics include: computer, server, web, sysadmin, MySQL, database, virtualization, optimization and security

PowerShell blacklist check script: find an IP address’ blacklist status & reputation

Here’s a blacklist check script written in PowerShell. You can use this to lookup an IP address in various blacklists (DNSBL, RBL). Such a check is a great indicator for an IP address’ reputation. Basically this PowerShell blacklist checker is a translation of my Bash script to check an IP address blacklist status in Linux.

How to check an IP Address blacklist status in PowerShell on Windows Server

Sometimes you need to be able to look up an IP address’ blacklist status in more than one blacklist. This is better done with a PS script than by hand at a cmd.exe or PowerShell prompt (typing a reversed IP plus a blacklist zone into nslookup, over and over, is a real pain…). On Linux we have a bash script to look up an IP address’ blacklist status, and now here’s one for Windows Server too.

The PS script below is fully functional, except for the Project Honey Pot blacklist (httpBL), for which you’ll need an API key. Yes, httpBL is an HTTP blacklist; here’s why I always like to see whether an IP address is listed there too: simply because I wouldn’t want to receive email from a server that’s known to be a comment spammer or harvester. And I’m sure you wouldn’t either. This is why I use blacklist checks like these to decide whether I should block an IP address locally.

The PowerShell blacklist check script takes an IP address as command-line input, reverses its octets and appends the blacklist zone. The resulting name is then fed to [System.Net.Dns]::GetHostEntry. This is not a 100 percent PowerShell solution, but in my opinion it gives the best results and output. You’re free to replace [System.Net.Dns]::GetHostEntry with PowerShell’s Resolve-DnsName cmdlet or something else. Two caveats: the script does not validate its input (whatever string you pass is split on dots and reversed), so feed it IPv4 addresses only; IPv6 DNSBL queries use a nibble-reversed address, which this script does not handle. And every lookup is a plain DNS query, so the IP you are checking, and for httpBL your API key, travel in clear text to the list operator’s name servers.

Blacklistcheck.ps1, the PowerShell script

Here is the PS code, fully functional. Save the following code in a new file called blacklistcheck.ps1 (for example):

# blacklistcheck.ps1 - PowerShell script to check
# an IP address blacklist status
# 
# Follow me on Twitter: @HertogJanR
# 
# Steps:
# 1. IPv4 IP address input from the command-line:
#    .\blacklistcheck.ps1 1.2.3.4
# 2. reverse the IP address: 1.2.3.4 becomes 4.3.2.1
# 3. append the blacklist zone, e.g .cbl.abuseat.org. 
#    to the reversed IP address
# 4. perform a DNS lookup
# 5. print out the result

param (
  [string]$ip = $(throw "ip is required.")
 )

# Project Honey Pot API-key, create a free account 
# and get yours @ 
# https://www.projecthoneypot.org/create_account.php
[string]$httpBL = "[my-API-key]"
 
# Reverse the IP address stored in $ip, let's shuffle
# those IP octets around a bit
$ipParts = $ip.Split('.')
[array]::Reverse($ipParts)
$ipParts = [string]::Join('.', $ipParts)

# An array of blacklists to perform checks on
# You can add your own blacklists to this list
$blacklists = "dnsbl.httpbl.org", `
	"cbl.abuseat.org", `
	"dnsbl.sorbs.net", `
	"bl.spamcop.net", `
	"zen.spamhaus.org", `
	"b.barracudacentral.org", `
	"bad.psky.me"

foreach ( $blacklist in $blacklists ) {
	if ( $blacklist -eq "dnsbl.httpbl.org" ) {
		# Add your httpBL API-key from Project Honey Pot
		$lookupAddress = $httpBL + "." + $ipParts + ".dnsbl.httpbl.org."
	}
	else {
		$lookupAddress = $ipParts + ".$blacklist."
	}
	try {
		[System.Net.Dns]::GetHostEntry($lookupAddress) | select-object HostName,AddressList
	}
	catch {
		# The try{} catch{} is needed to catch DNS lookup 
		# errors when an IP address is not blacklisted.
		# Yes, this is annoying
		Write-Host "No blacklisting for $ip found in $blacklist"
	}
}

Blacklistcheck.ps1 usage – how to lookup IP blacklist status from the PowerShell command line

Call the script from your PowerShell prompt, and feed it an IP address. For example:

PS C:\Users\jan> .\scripts\blacklistcheck.ps1 127.9.1.2

HostName                                                    AddressList
--------                                                    -----------
[my-API-key].2.1.9.127.dnsbl.httpbl.org                     {127.3.5.1}
No blacklisting for 127.9.1.2 found in cbl.abuseat.org
No blacklisting for 127.9.1.2 found in dnsbl.sorbs.net
No blacklisting for 127.9.1.2 found in bl.spamcop.net
No blacklisting for 127.9.1.2 found in zen.spamhaus.org
No blacklisting for 127.9.1.2 found in b.barracudacentral.org
No blacklisting for 127.9.1.2 found in bad.psky.me

PS C:\Users\jan> .\scripts\blacklistcheck.ps1 127.0.0.2
No blacklisting for 127.0.0.2 found in dnsbl.httpbl.org

HostName                                                    AddressList
--------                                                    -----------
2.0.0.127.cbl.abuseat.org                                   {127.0.0.2}
2.0.0.127.dnsbl.sorbs.net                                   {127.0.0.3, 127.0.0.4, 127.0.0.5, 127.0.0.6...}
2.0.0.127.bl.spamcop.net                                    {127.0.0.2}
2.0.0.127.zen.spamhaus.org                                  {127.0.0.2, 127.0.0.4, 127.0.0.10}
2.0.0.127.b.barracudacentral.org                            {127.0.0.2}
2.0.0.127.bad.psky.me                                       {127.0.0.2}
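The AddressList column is where the real information sits: a DNSBL answers with a 127.x.y.z address whose last octets encode why the IP is listed. The following function is an added example, not part of blacklistcheck.ps1, that decodes the answers for two of the zones used above. The meanings follow the operators’ published return-code tables: http:BL answers 127.<days since last activity>.<threat score 0–255>.<type bits> (0 search engine, 1 suspicious, 2 harvester, 4 comment spammer), and Spamhaus ZEN answers 127.0.0.2–3 (SBL), 127.0.0.4–7 (XBL), 127.0.0.10–11 (PBL), with 127.255.255.252–255 being query errors (typo in the zone name, query sent through a public/open resolver, query quota exceeded), not listings. The sample answers at the bottom are constructed; the first two match values shown in the output above.

```powershell
# Added example: interpret a DNSBL answer instead of only printing it.
# Not part of the original blacklistcheck.ps1. Zones other than the two
# decoded below are reported raw.
function ConvertFrom-DnsblAnswer {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$Answer   # e.g. "127.3.5.1"
    )
    # Split into four integers; anything that is not 127.x.y.z is suspect
    $o = foreach ($part in $Answer.Split('.')) { $part -as [int] }
    if (@($o).Count -ne 4 -or $o -contains $null -or $o[0] -ne 127) {
        return [pscustomobject]@{
            Zone = $Zone; Answer = $Answer; Listed = $false
            Meaning = 'unexpected answer (not 127.x.y.z): treat as a resolver or zone problem, not a listing'
        }
    }
    $listed = $true
    switch ($Zone) {
        'dnsbl.httpbl.org' {
            # 127.<days>.<threat>.<type bits>
            $types = @()
            if ($o[3] -band 1) { $types += 'suspicious' }
            if ($o[3] -band 2) { $types += 'harvester' }
            if ($o[3] -band 4) { $types += 'comment spammer' }
            if ($o[3] -eq 0) {
                $listed  = $false
                $meaning = 'known search engine (type 0, not malicious)'
            } else {
                $meaning = 'last seen {0} day(s) ago, threat score {1}/255, {2}' -f $o[1], $o[2], ($types -join ' + ')
            }
        }
        'zen.spamhaus.org' {
            if ($o[1] -eq 255) {
                # 127.255.255.x is an error from the list, never a listing
                $listed  = $false
                $meaning = switch ($o[3]) {
                    252     { 'query error: typing error in the DNSBL name' }
                    254     { 'query error: sent via a public/open resolver; use your own resolver' }
                    255     { 'query error: excessive number of queries (blocked)' }
                    default { "query error: unknown code $Answer" }
                }
            } else {
                $meaning = switch ($o[3]) {
                    { $_ -in 2, 3 }   { 'SBL: Spamhaus Block List (direct spam source)' }
                    { $_ -in 4..7 }   { 'XBL: Exploits Block List (hijacked or infected host)' }
                    { $_ -in 10, 11 } { 'PBL: Policy Block List (end-user space, should not send mail directly)' }
                    default           { "ZEN: unknown code $Answer" }
                }
            }
        }
        default { $meaning = "listed; see the $Zone documentation for what $Answer means" }
    }
    [pscustomobject]@{ Zone = $Zone; Answer = $Answer; Listed = $listed; Meaning = $meaning }
}

# Constructed sample answers (the first two appear in the post's own output)
@(
    @{ Zone = 'dnsbl.httpbl.org'; Answer = '127.3.5.1' },
    @{ Zone = 'zen.spamhaus.org'; Answer = '127.0.0.4' },
    @{ Zone = 'zen.spamhaus.org'; Answer = '127.255.255.254' },
    @{ Zone = 'bl.spamcop.net';   Answer = '127.0.0.2' }
) | ForEach-Object { ConvertFrom-DnsblAnswer -Zone $_.Zone -Answer $_.Answer } | Format-Table -AutoSize
```

The 127.255.255.x case is the one to watch: the original script would print that answer as if the IP were listed, and a firewall rule driven by it would block an innocent address because your resolver, not the address, was the problem.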

Check multiple IP addresses from a text file input

For when you want to check multiple IP addresses for their blacklisting status: there is more than one way to feed a text file with IP addresses as input to blacklistcheck.ps1. You may use cmd.exe with a FOR loop:

C:\Users\jan>FOR /F %I IN (ips.txt) DO @powershell .\scripts\blacklistcheck.ps1 %I

HostName                                AddressList
--------                                -----------
[my-API-key].88.110.118.87.dnsbl.htt... {127.1.10.1}
No blacklisting for 87.118.110.88 found in cbl.abuseat.org
No blacklisting for 87.118.110.88 found in dnsbl.sorbs.net
No blacklisting for 87.118.110.88 found in bl.spamcop.net
No blacklisting for 87.118.110.88 found in zen.spamhaus.org
88.110.118.87.b.barracudacentral.org    {127.0.0.2}
No blacklisting for 87.118.110.88 found in bad.psky.me



HostName                                AddressList
--------                                -----------
[my-API-key].201.129.110.64.dnsbl.ht... {127.5.31.1}
No blacklisting for 64.110.129.201 found in cbl.abuseat.org
No blacklisting for 64.110.129.201 found in dnsbl.sorbs.net
No blacklisting for 64.110.129.201 found in bl.spamcop.net
No blacklisting for 64.110.129.201 found in zen.spamhaus.org
201.129.110.64.b.barracudacentral.org   {127.0.0.2}
201.129.110.64.bad.psky.me              {127.0.0.3}

A more PowerShell-native solution is to read the file and execute blacklistcheck.ps1 for every line read:

PS C:\Users\jan> foreach ( $line in Get-Content .\ips.txt ) { .\scripts\blacklistcheck.ps1 $line }

HostName                                                    AddressList
--------                                                    -----------
[my-API-key].88.110.118.87.dnsbl.httpbl.org                 {127.1.10.1}
No blacklisting for 87.118.110.88 found in cbl.abuseat.org
No blacklisting for 87.118.110.88 found in dnsbl.sorbs.net
No blacklisting for 87.118.110.88 found in bl.spamcop.net
No blacklisting for 87.118.110.88 found in zen.spamhaus.org
88.110.118.87.b.barracudacentral.org                        {127.0.0.2}
No blacklisting for 87.118.110.88 found in bad.psky.me
[my-API-key].201.129.110.64.dnsbl.httpbl.org                {127.5.31.1}
No blacklisting for 64.110.129.201 found in cbl.abuseat.org
No blacklisting for 64.110.129.201 found in dnsbl.sorbs.net
No blacklisting for 64.110.129.201 found in bl.spamcop.net
No blacklisting for 64.110.129.201 found in zen.spamhaus.org
201.129.110.64.b.barracudacentral.org                       {127.0.0.2}
201.129.110.64.bad.psky.me                                  {127.0.0.3}

(these are some random IPs I found in a local blacklist of mine)
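Looping over blacklistcheck.ps1 works, but its Write-Host output cannot be filtered, sorted or exported, and a bad line in ips.txt is reversed and queried just like a real address. The function below is an added example, not the post’s script, that does the same lookup as a pipeline cmdlet: it validates each input as IPv4, derives the reversed label from the parsed bytes rather than from string splitting, keeps the address as entered in the output, and distinguishes “not listed” (NXDOMAIN) from resolver failures, which the original treats alike. It stays with .NET’s Dns.GetHostAddresses, the same resolver family the original uses. Assumptions: the zone list in the parameter default, -HttpBlKey holding your own Project Honey Pot key (the dnsbl.httpbl.org zone is skipped when none is given), and ips.txt as a constructed input file.

```powershell
# Added example (not part of blacklistcheck.ps1): pipeline-friendly DNSBL lookup
# with input validation and proper NXDOMAIN vs. error handling.
function Test-DnsblListing {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$IPAddress,
        [string[]]$Zone = @('cbl.abuseat.org', 'dnsbl.sorbs.net', 'bl.spamcop.net',
                            'zen.spamhaus.org', 'b.barracudacentral.org'),
        [string]$HttpBlKey   # assumed: your Project Honey Pot access key; zone skipped when empty
    )
    process {
        # IPv4 only: DNSBLs reverse IPv6 addresses nibble by nibble, not per octet,
        # and a free-form string split on '.' would send garbage to the list.
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$parsed) -or
            $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
            Write-Warning "Skipping '$IPAddress': not an IPv4 address"
            return
        }
        $octets = $parsed.GetAddressBytes()      # canonical bytes, so '010.1.2.3' cannot slip through
        [array]::Reverse($octets)
        $reversed = $octets -join '.'

        $zones = @($Zone)
        if ($HttpBlKey) { $zones = @('dnsbl.httpbl.org') + $zones }

        foreach ($z in $zones) {
            # http:BL puts the access key in front of the reversed IP; everything else is <rev>.<zone>.
            $query   = if ($z -eq 'dnsbl.httpbl.org') { "$HttpBlKey.$reversed.$z." } else { "$reversed.$z." }
            $answers = @()
            try {
                $answers = @([System.Net.Dns]::GetHostAddresses($query) |
                    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                    ForEach-Object { $_.IPAddressToString })
                # 127.255.255.x is an error code from the list (e.g. Spamhaus: open resolver
                # or query quota), not a listing; never block on it.
                $status = if (@($answers | Where-Object { $_ -like '127.255.255.*' }).Count) { 'query error' } else { 'listed' }
            } catch {
                # PowerShell wraps .NET exceptions; look at the inner one for the socket error.
                $ex = $_.Exception
                if ($ex.InnerException) { $ex = $ex.InnerException }
                $status = if ($ex -is [System.Net.Sockets.SocketException] -and
                              $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::HostNotFound) {
                    'not listed'                # NXDOMAIN: the only answer that really means "clean"
                } else {
                    "error: $($ex.Message)"     # timeout, SERVFAIL, no network: unknown, not clean
                }
            }
            [pscustomobject]@{
                IPAddress = $IPAddress          # as entered, not reversed
                Zone      = $z
                Status    = $status
                Answer    = ($answers -join ', ')
            }
        }
    }
}

# Constructed input: a duplicate and a bad line, to show de-duplication and validation.
# 127.0.0.2 is the conventional "always listed" test address; 192.0.2.10 is documentation space.
Set-Content -Path .\ips.txt -Value @('127.0.0.2', '127.0.0.2', 'not-an-ip', '192.0.2.10')

Get-Content .\ips.txt | Sort-Object -Unique | Test-DnsblListing |
    Where-Object Status -ne 'not listed' |
    Format-Table IPAddress, Zone, Status, Answer -AutoSize

# Same run, every result kept, as a CSV report (replace 'yourkey' with your own http:BL key):
# Get-Content .\ips.txt | Sort-Object -Unique | Test-DnsblListing -HttpBlKey 'yourkey' |
#     Export-Csv .\dnsbl-report.csv -NoTypeInformation
```

Because the function emits objects, Sort-Object -Unique on the input removes duplicate addresses, Where-Object filters on Status, and Export-Csv gives a report you can hand to someone else; none of that is possible with Write-Host text. If a whole run comes back as "query error" or "error: …", fix the resolver (Spamhaus, for one, refuses queries that arrive through public resolvers) before acting on any of the results.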

I hope this helps someone who wants to, or has to do, blacklist checking in PowerShell. Have a look at my other PowerShell posts for maintaining Windows Server, IIS 7, 7.5, 8.0 or 8.5.


6 Comments

  1. It’s alright, I got everything working, thanks for the script and your help :).

  2. Hi,

    I was able to get it working but was wondering if there is a way to get unique values without editing in the script?

    Thanks,

    Also there is no captcha when trying to reply to a comment.

    • Can’t help you any further unfortunately. The script is as-is, it does its job for me and gives me the information I need. Given the aforementioned MSDN reference for the Dns.GetHostEntry method, I’m sure you can do the work yourself.

  3. Hi Phish,
    The reversed IP address is required for the nslookup. So you want to print out `$ip` in the `try { }` block, if it finds a listing. You can find more information at https://msdn.microsoft.com/en-us/library/ms143998(v=vs.110).aspx.

  4. Hi,

    I was wondering how to just have the output as 1.2.3.4 instead of 4.3.2.1-bl.list.org.
    I do not want the ip to be output as reversed.

  5. In the output I want to filter the hostname to show only the IP address. I also want the output to reverse the IP back (an example of this is the original IP ./blacklistcheck 1.2.3.4, but in the output it will come out as 4.3.2.1); is there any way to make the IP output as 1.2.3.4?

    Basically, to summarize, all I want is to just grab the IPs in the original format in which they were inputted.
