Here's a blacklist check script written in PowerShell. You can use this to lookup an IP address in various blacklists (DNSBL, RBL). Such a check is a great indicator for an IP address' reputation. Basically this PowerShell blacklist checker is a port of my Bash script to check an IP address blacklist status in Linux.
How to check an IP Address blacklist status in PowerShell in Windows Server
Sometimes you need to be able to look up an IP address blacklist status in more than one blacklist. This is better done with a PS script than on your cmd.exe or PowerShell shell (typing in a reversed IP and a blacklist host address for nslookup can be a real pain...). On Linux we have a bash script to look up an IP address' blacklist status, and now here's one for Windows Server & PowerShell too.
The PowerShell script below is fully functional, except for the Project Honey Pot blacklist (httpBL). You'll need an API-key for this. Yes, httpBL is a HTTP blacklist, here's why I always like to see whether an IP address is listed there too: Simply because I wouldn't want to receive email from an server that's known to be a comment spammer or harvester. And I'm sure you wouldn't either. This is why I use blacklist checks like these to determine if I should block an IP address locally.
The script takes an IP address as command-line input, reverses it and adds the blacklist host name. This is then fed to [System.Net.Dns]::GetHostEntry. This is not a 100 percent PowerShell solution, but in my opinion gives the best results and output. You're free to substitute [System.Net.Dns]::GetHostEntry for PowerShell's Resolve-DnsName cmdlet or others.
Blacklistcheck.ps1, the PowerShell script
Here is the PS code, fully functional. Save the following code in a new file called blacklistcheck.ps1 (for example):
# blacklistcheck.ps1 - PowerShell script to check
# an IP address blacklist status
#
# Follow me on Twitter: @Jan_Reilink
#
# Steps:
# 1. IPv4 IP address input from the command-line:
# .\blacklistcheck.ps1 1.2.3.4
# 2. reverse the IP address: 1.2.3.4 becomes 4.3.2.1
# 3. append the blacklist zone, e.g .cbl.abuseat.org.
# to the reversed IP address
# 4. perform a DNS lookup
# 5. print out the result
param (
[string]$ip = $(throw "ip is required.")
)
# Project Honey Pot API-key, create a free account
# and get yours @
# https://www.projecthoneypot.org/create_account.php
[static]$httpBL = "[my-API-key]"
# Reverse IP address stored in $ip, let's hussle
# those IP octets around a bit
$ipParts = $ip.Split('.')
[array]::Reverse($ipParts)
$ipParts = [string]::Join('.', $ipParts)
# An array of blacklists to perform checks on
# You can add your own blacklists to this list
$blacklists = "dnsbl.httpbl.org", `
"cbl.abuseat.org", `
"dnsbl.sorbs.net", `
"bl.spamcop.net", `
"zen.spamhaus.org", `
"b.barracudacentral.org", `
"bad.psky.me"
foreach ( $blacklist in $blacklists ) {
if ( $blacklist -contains "dnsbl.httpbl.org" ) {
# Add your httpBL API-key from Project Honey Pot
$lookupAddress = $httpBL + "." + $ipParts + ".dnsbl.httpbl.org."
}
else {
$lookupAddress = $ipParts + ".$blacklist."
}
try {
[System.Net.Dns]::GetHostEntry($lookupAddress) | select-object HostName,AddressList
}
catch {
# The try{} catch{} is needed to catch DNS lookup
# errors when an IP address is not blacklisted.
# Yes, this is annoying
Write-Host "No blacklisting for $ip found in $blacklist"
}
}Blacklistcheck.ps1 usage - how to lookup IP blacklist status from the PowerShell command line
Call the blacklist-check-script from your PowerShell prompt, and feed it an IP address. For example:
PS C:\Users\jan> .\scripts\blacklistcheck.ps1 127.9.1.2
HostName AddressList
-------- -----------
[my-API-key].2.1.9.127.dnsbl.httpbl.org {127.3.5.1}
No blacklisting for 127.9.1.2 found in cbl.abuseat.org
No blacklisting for 127.9.1.2 found in dnsbl.sorbs.net
No blacklisting for 127.9.1.2 found in bl.spamcop.net
No blacklisting for 127.9.1.2 found in zen.spamhaus.org
No blacklisting for 127.9.1.2 found in b.barracudacentral.org
No blacklisting for 127.9.1.2 found in bad.psky.me
PS C:\Users\jan> .\scripts\blacklistcheck.ps1 127.0.0.2
No blacklisting for 127.0.0.2 found in dnsbl.httpbl.org
HostName AddressList
-------- -----------
2.0.0.127.cbl.abuseat.org {127.0.0.2}
2.0.0.127.dnsbl.sorbs.net {127.0.0.3, 127.0.0.4, 127.0.0.5, 127.0.0.6...}
2.0.0.127.bl.spamcop.net {127.0.0.2}
2.0.0.127.zen.spamhaus.org {127.0.0.2, 127.0.0.4, 127.0.0.10}
2.0.0.127.b.barracudacentral.org {127.0.0.2}
2.0.0.127.bad.psky.me {127.0.0.2}Please support projects like Project Honey Pot. Join them, add a honeypot to your site or donate an MX record.
Check multiple IP addresses from a text file input
For when you want to check multiple IP addresses for their blacklisting status: there is more than one way to feed a text file with IP addresses as input to blacklistcheck.ps1. You may use cmd.exe with FOR loop:
C:\Users\jan>FOR /F %I IN (ips.txt) DO @powershell .\scripts\blacklistcheck.ps1 %I
HostName AddressList
-------- -----------
[my-API-key].88.110.118.87.dnsbl.htt... {127.1.10.1}
No blacklisting for 87.118.110.88 found in cbl.abuseat.org
No blacklisting for 87.118.110.88 found in dnsbl.sorbs.net
No blacklisting for 87.118.110.88 found in bl.spamcop.net
No blacklisting for 87.118.110.88 found in zen.spamhaus.org
88.110.118.87.b.barracudacentral.org {127.0.0.2}
No blacklisting for 87.118.110.88 found in bad.psky.me
HostName AddressList
-------- -----------
[my-API-key].201.129.110.64.dnsbl.ht... {127.5.31.1}
No blacklisting for 64.110.129.201 found in cbl.abuseat.org
No blacklisting for 64.110.129.201 found in dnsbl.sorbs.net
No blacklisting for 64.110.129.201 found in bl.spamcop.net
No blacklisting for 64.110.129.201 found in zen.spamhaus.org
201.129.110.64.b.barracudacentral.org {127.0.0.2}
201.129.110.64.bad.psky.me {127.0.0.3}And a more PowerShell solution is to read the file and execute blacklistcheck.ps1 for every line read:
PS C:\Users\jan> foreach ( $line in Get-Content .\ips.txt ) { .\scripts\blacklistcheck.ps1 $line }
HostName AddressList
-------- -----------
[my-API-key].88.110.118.87.dnsbl.httpbl.org {127.1.10.1}
No blacklisting for 87.118.110.88 found in cbl.abuseat.org
No blacklisting for 87.118.110.88 found in dnsbl.sorbs.net
No blacklisting for 87.118.110.88 found in bl.spamcop.net
No blacklisting for 87.118.110.88 found in zen.spamhaus.org
88.110.118.87.b.barracudacentral.org {127.0.0.2}
No blacklisting for 87.118.110.88 found in bad.psky.me
[my-API-key].201.129.110.64.dnsbl.httpbl.org {127.5.31.1}
No blacklisting for 64.110.129.201 found in cbl.abuseat.org
No blacklisting for 64.110.129.201 found in dnsbl.sorbs.net
No blacklisting for 64.110.129.201 found in bl.spamcop.net
No blacklisting for 64.110.129.201 found in zen.spamhaus.org
201.129.110.64.b.barracudacentral.org {127.0.0.2}
201.129.110.64.bad.psky.me {127.0.0.3}(these are some random IP's I found in a local blacklist of mine)
Conclusion blacklist checking in PowerShell
I hope this helps someone who wants to, or has to do, blacklist checking in PowerShell. Have a look at my PowerShell introduction post for maintaining Windows Server, IIS 7, 7.5, 8.0, 8.5 or IIS 10.
If you enjoyed this post, I'd be very grateful if you'd help it spread by sharing it on Twitter or Facebook. Thank you!
Thank you very much! <3 ❤️
Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely an application manager / systems administrator, doing my daily thing at Embrace – The Human Cloud. In the past I worked at CLDIN (CLouDINfra) and Vevida. With over 20 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. I blog at https://www.saotn.org.
Its alright i got everything working, thanks for the script and your help :).
Hi,
I was able to get it working but was wondering if there is a way to get unique values without editing in the script?
Thanks,
Also there is no captcha when trying to reply to a comment.
Can’t help you any further unfortunately. The script is as-is, it does its job for me and gives me the information I need. Given the aforementioned MSDN reference for the
Dns.GetHostEntrymethod, I’m sure you can do the works yourself.Hi Phish,
The reversed IP address is requierd for the nslookup. So you want to print out `$ip` in the `try { }` block, if it finds a listing. You can find more information at https://msdn.microsoft.com/en-us/library/ms143998(v=vs.110).aspx.
Hi,
I was wondering how to just have the output as 1.2.3.4 instead of 4.3.2.1-bl.list.org.
I do not want the ip to be output as reversed.
In the output i want to filter the hostname to show only the ip address. I also want to the output to reverse the ip back ( An example of this is the original ip ./blacklistcheck 1.2.3.4 but in the output it will come out as 4.3.2.1, is there anyway to make the ip output as 1.2.3.4.
Basically to summarize this all i want is to just grab the ips in their original format that they were inputted.