andreasf / check-dnsbl

Check DNS blocklists for hostnames or IPs
GNU General Public License v3.0
13 stars 8 forks

false positives #2

Closed BustedSec closed 4 years ago

BustedSec commented 4 years ago

This returns that every IP it scans is on every blacklist. Something is wrong in the logic. Example output below:

havok@Revenge:~/check-dnsbl$ ./check-dnsbl.py 255.255.255.0
WARNING: 255.255.255.0 found in spam blocklist web.dnsbl.sorbs.net!
WARNING: 255.255.255.0 found in spam blocklist virus.rbl.msrbl.net!
WARNING: 255.255.255.0 found in spam blocklist relays.bl.gweep.ca!
WARNING: 255.255.255.0 found in spam blocklist tor.dan.me.uk!
WARNING: 255.255.255.0 found in spam blocklist short.rbl.jp!
WARNING: 255.255.255.0 found in spam blocklist spamrbl.imp.ch!
WARNING: 255.255.255.0 found in spam blocklist spam.rbl.msrbl.net!
WARNING: 255.255.255.0 found in spam blocklist bogons.cymru.com!
WARNING: 255.255.255.0 found in spam blocklist blacklist.woody.ch!
WARNING: 255.255.255.0 found in spam blocklist omrs.dnsbl.net.au!
WARNING: 255.255.255.0 found in spam blocklist wormrbl.imp.ch!
WARNING: 255.255.255.0 found in spam blocklist url.rbl.jp!
WARNING: 255.255.255.0 found in spam blocklist drone.abuse.ch!
WARNING: 255.255.255.0 found in spam blocklist dnsbl.inps.de!
WARNING: 255.255.255.0 found in spam blocklist bsb.spamlookup.net!
WARNING: 255.255.255.0 found in spam blocklist bl.deadbeef.com!
WARNING: 255.255.255.0 found in spam blocklist smtp.dnsbl.sorbs.net!
WARNING: 255.255.255.0 found in spam blocklist dob.sibl.support-intelligence.net!
WARNING: 255.255.255.0 found in spam blocklist cbl.anti-spam.org.cn!
WARNING: 255.255.255.0 found in spam blocklist rbl.efnetrbl.org!
WARNING: 255.255.255.0 found in spam blocklist blackholes.five-ten-sg.com!
WARNING: 255.255.255.0 found in spam blocklist forbidden.icm.edu.pl!
WARNING: 255.255.255.0 found in spam blocklist rbl.interserver.net!
WARNING: 255.255.255.0 found in spam blocklist combined.rbl.msrbl.net!
WARNING: 255.255.255.0 found in spam blocklist multi.uribl.com!
WARNING: 255.255.255.0 found in spam blocklist residential.block.transip.nl!
WARNING: 255.255.255.0 found in spam blocklist bl.spamcannibal.org!
WARNING: 255.255.255.0 found in spam blocklist rmst.dnsbl.net.au!
WARNING: 255.255.255.0 found in spam blocklist opm.tornevall.org!
WARNING: 255.255.255.0 found in spam blocklist netblock.pedantic.org!
WARNING: 255.255.255.0 found in spam blocklist all.spamblock.unit.liu.se!
WARNING: 255.255.255.0 found in spam blocklist ricn.dnsbl.net.au!
WARNING: 255.255.255.0 found in spam blocklist ips.backscatterer.org!
WARNING: 255.255.255.0 found in spam blocklist rbl.suresupport.com!
WARNING: 255.255.255.0 found in spam blocklist dialups.mail-abuse.org!
WARNING: 255.255.255.0 found in spam blocklist access.redhawk.org!
WARNING: 255.255.255.0 found in spam blocklist db.wpbl.info!
WARNING: 255.255.255.0 found in spam blocklist sorbs.dnsbl.net.au!
WARNING: 255.255.255.0 found in spam blocklist ubl.lashback.com!
WARNING: 255.255.255.0 found in spam blocklist korea.services.net!
WARNING: 255.255.255.0 found in spam blocklist spam.spamrats.com!
WARNING: 255.255.255.0 found in spam blocklist images.rbl.msrbl.net!
WARNING: 255.255.255.0 found in spam blocklist dnsbl.kempt.net!
WARNING: 255.255.255.0 found in spam blocklist dnsbl.dronebl.org!
WARNING: 255.255.255.0 found in spam blocklist zen.spamhaus.org!
WARNING: 255.255.255.0 found in spam blocklist spamlist.or.kr!
WARNING: 255.255.255.0 found in spam blocklist duinv.aupads.org!
WARNING: 255.255.255.0 found in spam blocklist bl.emailbasura.org!
WARNING: 255.255.255.0 found in spam blocklist ksi.dnsbl.net.au!
WARNING: 255.255.255.0 found in spam blocklist misc.dnsbl.sorbs.net!
WARNING: 255.255.255.0 found in spam blocklist cdl.anti-spam.org.cn!
WARNING: 255.255.255.0 found in spam blocklist ix.dnsbl.manitu.net!
WARNING: 255.255.255.0 found in spam blocklist dynip.rothen.com!
WARNING: 255.255.255.0 found in spam blocklist uribl.swinog.ch!
WARNING: 255.255.255.0 found in spam blocklist dyndns.rbl.jp!
WARNING: 255.255.255.0 found in spam blocklist bl.spamcop.net!
WARNING: 255.255.255.0 found in spam blocklist phishing.rbl.msrbl.net!
WARNING: 255.255.255.0 found in spam blocklist blackholes.mail-abuse.org!
WARNING: 255.255.255.0 found in spam blocklist pbl.spamhaus.org!
WARNING: 255.255.255.0 found in spam blocklist mail.people.it!
WARNING: 255.255.255.0 found in spam blocklist query.senderbase.org!
WARNING: 255.255.255.0 found in spam blocklist cblless.anti-spam.org.cn!
WARNING: 255.255.255.0 found in spam blocklist dnsbl-1.uceprotect.net!
WARNING: 255.255.255.0 found in spam blocklist rbl.spamlab.com!
WARNING: 255.255.255.0 found in spam blocklist relays.nether.net!
WARNING: 255.255.255.0 found in spam blocklist httpbl.abuse.ch!
WARNING: 255.255.255.0 found in spam blocklist orvedb.aupads.org!
WARNING: 255.255.255.0 found in spam blocklist ubl.unsubscore.com!
WARNING: 255.255.255.0 found in spam blocklist socks.dnsbl.sorbs.net!
WARNING: 255.255.255.0 found in spam blocklist rdts.dnsbl.net.au!
WARNING: 255.255.255.0 found in spam blocklist multi.surbl.org!
WARNING: 255.255.255.0 found in spam blocklist dnsbl-2.uceprotect.net!
WARNING: 255.255.255.0 found in spam blocklist cbl.abuseat.org!
WARNING: 255.255.255.0 found in spam blocklist dyna.spamrats.com!
WARNING: 255.255.255.0 found in spam blocklist spam.dnsbl.sorbs.net!
WARNING: 255.255.255.0 found in spam blocklist psbl.surriel.com!
WARNING: 255.255.255.0 found in spam blocklist dynablock.sorbs.net!
WARNING: 255.255.255.0 found in spam blocklist dnsbl-3.uceprotect.net!
WARNING: 255.255.255.0 found in spam blocklist dul.ru!
WARNING: 255.255.255.0 found in spam blocklist relays.mail-abuse.org!
WARNING: 255.255.255.0 found in spam blocklist osrs.dnsbl.net.au!
WARNING: 255.255.255.0 found in spam blocklist dul.dnsbl.sorbs.net!
WARNING: 255.255.255.0 found in spam blocklist zombie.dnsbl.sorbs.net!
WARNING: 255.255.255.0 found in spam blocklist rbl-plus.mail-abuse.org!
WARNING: 255.255.255.0 found in spam blocklist dnsbl.abuse.ch!
WARNING: 255.255.255.0 found in spam blocklist probes.dnsbl.net.au!
WARNING: 255.255.255.0 found in spam blocklist sbl.spamhaus.org!
WARNING: 255.255.255.0 found in spam blocklist xbl.spamhaus.org!
WARNING: 255.255.255.0 found in spam blocklist b.barracudacentral.org!
WARNING: 255.255.255.0 found in spam blocklist relays.bl.kundenserver.de!
WARNING: 255.255.255.0 found in spam blocklist virbl.bit.nl!
WARNING: 255.255.255.0 found in spam blocklist blacklist.sci.kun.nl!
WARNING: 255.255.255.0 found in spam blocklist dsn.rfc-ignorant.org!
WARNING: 255.255.255.0 found in spam blocklist noptr.spamrats.com!
WARNING: 255.255.255.0 found in spam blocklist cblplus.anti-spam.org.cn!
WARNING: 255.255.255.0 found in spam blocklist virus.rbl.jp!
WARNING: 255.255.255.0 found in spam blocklist http.dnsbl.sorbs.net!
WARNING: 255.255.255.0 found in spam blocklist dnsbl.sorbs.net!
WARNING: 255.255.255.0 found in spam blocklist rot.blackhole.cantv.net!
WARNING: 255.255.255.0 found in spam blocklist dnsbl.njabl.org!
WARNING: 255.255.255.0 found in spam blocklist combined.njabl.org!
WARNING: 255.255.255.0 found in spam blocklist dul.blackhole.cantv.net!

andreasf commented 4 years ago

Hey, this is really old code but it used to work.

From a quick glance at the code it seems that the blocklists simply work via DNS, e.g. for the first match of 255.255.255.0 in web.dnsbl.sorbs.net it would look up the concatenation: 255.255.255.0.web.dnsbl.sorbs.net

On my machine, the result is:

$ nslookup 255.255.255.0.web.dnsbl.sorbs.net
Server:     192.168.42.1
Address:    192.168.42.1#53

** server can't find 255.255.255.0.web.dnsbl.sorbs.net: NXDOMAIN

Some ISPs return a DNS A record for every host in order to send browsers to a catch-all page.

My recommendation is to check the DNS response and try again with a different DNS server or connection.

andreasf commented 4 years ago

I verified that this works as expected by comparing the tool output to packet captures.

$ python check-dnsbl.py 255.255.255.0
WARNING: 255.255.255.0 found in spam blocklist bogons.cymru.com!
WARNING: 255.255.255.0 found in spam blocklist bl.emailbasura.org!
WARNING: 255.255.255.0 found in spam blocklist multi.uribl.com!
WARNING: 255.255.255.0 found in spam blocklist bl.spamcannibal.org!

All of these blocklists returned an A record for the request. Contrary to my first reply, the IP is not simply concatenated, but reversed first. Here's a positive response, note the A record in the answer section:

$ dig A 0.255.255.255.multi.urlbl.com @8.8.8.8

; <<>> DiG 9.10.6 <<>> A 0.255.255.255.multi.urlbl.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36980
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;0.255.255.255.multi.urlbl.com. IN  A

;; ANSWER SECTION:
0.255.255.255.multi.urlbl.com. 599 IN   A   160.124.2.32

;; Query time: 348 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 04 20:49:39 CEST 2020
;; MSG SIZE  rcvd: 74

Here's a negative response without an A record in the answer section:

$ dig A 0.255.255.255.web.dnsbl.sorbs.net @8.8.8.8

; <<>> DiG 9.10.6 <<>> A 0.255.255.255.web.dnsbl.sorbs.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52658
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;0.255.255.255.web.dnsbl.sorbs.net. IN  A

;; AUTHORITY SECTION:
dnsbl.sorbs.net.    1799    IN  SOA rbldns0.sorbs.net. dns.isux.com. 1591294153 7200 7200 604800 3600

;; Query time: 55 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 04 20:50:07 CEST 2020
;; MSG SIZE  rcvd: 118

As you are seeing false positives for everything, I would assume your DNS server is returning a made-up A record for the previous example.
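The thread above shows the whole DNSBL mechanism in three pieces: reverse the IPv4 octets and append the zone, treat an A record as a hit and NXDOMAIN as a miss, and be aware that a resolver which fabricates A records (ISP catch-all, captive portal, search redirect) makes every lookup a hit. The block below is an added example written for this page, not check-dnsbl's own code, and it goes one step further than the tool: it only accepts an answer as a listing when the A record is inside 127.0.0.0/8, the convention DNSBLs follow (RFC 5782), and it uses the RFC 5782 test entries (127.0.0.2 must be listed in every DNSBL, 127.0.0.1 never) to decide whether the resolver can be trusted at all. The response table is constructed; the two `255.255.255.0` rows mirror the dig output above (the dig was run against `multi.urlbl.com`, so that is the name used here), the 127.0.0.x probe answers and the `192.0.2.1` listing are invented for the example, and the catch-all resolver returns a TEST-NET-2 placeholder address. Real lookups would go through `live_resolver()` or a proper DNS library.

```python
"""Added example (not check-dnsbl's own code): build a DNSBL query name,
classify the answer, and detect a resolver that fabricates A records.

The resolver is injected as a plain function so this runs offline against a
constructed response table; live_resolver() is the stdlib equivalent.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a fully qualified name to its A records, or None when the
# name does not exist (NXDOMAIN) or has no A record.
Resolver = Callable[[str], Optional[List[str]]]

# DNSBLs return listings as A records inside 127.0.0.0/8 (RFC 5782).
# Anything else in the answer is not a listing, whatever the RCODE says.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the zone:
    255.255.255.0 + web.dnsbl.sorbs.net -> 0.255.255.255.web.dnsbl.sorbs.net
    """
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def classify(answer: Optional[List[str]]) -> str:
    """'unlisted' for no answer, 'listed' for 127.0.0.0/8 records only,
    'suspect' for any record outside 127.0.0.0/8: that is what an ISP
    catch-all resolver, a captive portal or a wildcard domain returns."""
    if not answer:
        return "unlisted"
    if all(ipaddress.ip_address(a) in LISTED_NET for a in answer):
        return "listed"
    return "suspect"


def check(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, str]:
    """Verdict per zone for one address."""
    return {zone: classify(resolve(dnsbl_name(ip, zone))) for zone in zones}


def resolver_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 section 5 probes: 127.0.0.2 is listed in every conforming
    DNSBL and 127.0.0.1 never is. A resolver that 'finds' 127.0.0.1 is
    inventing records, so its positives for real addresses mean nothing."""
    must_hit = classify(resolve(dnsbl_name("127.0.0.2", zone))) == "listed"
    must_miss = classify(resolve(dnsbl_name("127.0.0.1", zone))) == "unlisted"
    return must_hit and must_miss


def live_resolver(name: str) -> Optional[List[str]]:
    """Stdlib resolver using the system's configured DNS (not used offline).
    gethostbyname_ex cannot tell NXDOMAIN from a timeout; use dnspython for that."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


# --- constructed sample data; not real DNS traffic -------------------------
ZONES = ["web.dnsbl.sorbs.net", "multi.urlbl.com"]

# The two 255.255.255.0 rows mirror the dig output in the thread (NXDOMAIN
# from SORBS, a non-127/8 A record from multi.urlbl.com); the 127.0.0.x probe
# answers and the 192.0.2.1 listing are constructed for this example.
HONEST_TABLE: Dict[str, List[str]] = {
    "2.0.0.127.web.dnsbl.sorbs.net": ["127.0.0.2"],   # RFC 5782 test entry
    "1.2.0.192.web.dnsbl.sorbs.net": ["127.0.0.6"],   # constructed listing
    "0.255.255.255.multi.urlbl.com": ["160.124.2.32"],
    "2.0.0.127.multi.urlbl.com": ["160.124.2.32"],    # wildcard: answers everything
    "1.0.0.127.multi.urlbl.com": ["160.124.2.32"],
}


def honest_resolver(name: str) -> Optional[List[str]]:
    """Answers from the table, NXDOMAIN (None) for anything else."""
    return HONEST_TABLE.get(name)


def catchall_resolver(name: str) -> Optional[List[str]]:
    """Models an ISP search-redirect resolver: every name gets the same
    A record. 198.51.100.7 is a TEST-NET-2 placeholder, not a real server."""
    return ["198.51.100.7"]


if __name__ == "__main__":
    for label, resolve in (("honest", honest_resolver), ("catch-all", catchall_resolver)):
        print(label, check("255.255.255.0", ZONES, resolve))
        for zone in ZONES:
            print(f"  {zone}: resolver sane = {resolver_is_sane(zone, resolve)}")
```

With the honest table, `web.dnsbl.sorbs.net` passes the sanity probes and reports `255.255.255.0` as unlisted, while `multi.urlbl.com` fails them because it answers with the same non-127/8 address for every name, so its "hit" is reported as suspect rather than as a listing. With the catch-all resolver every zone fails the probes and every lookup is suspect, which is the situation the reporter hit: the fix is to point the tool at a resolver that returns NXDOMAIN for unlisted names, as suggested above.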