Wednesday, November 12, 2008

Blog Disclaimer

Due to unexpected corporate pressures, I feel compelled to add this disclaimer to my blog. All though it's nothing but a blatant restatement of the obvious, here it goes:

This is a personal blog. The opinions expressed here represent my own and not those of my employer, past or present. Additionally, this blog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my own personal opinion.

Feel free to challenge me, disagree with me, or tell me I’m completely nuts in the comments section of each blog entry, but I reserve the right to delete any comment for any reason whatsoever (abusive, profane, rude, or anonymous comments) - so keep it polite, please.

In addition, my thoughts and opinions change from time to time. I consider this a necessary consequence of having an open mind. This blog is intended to provide a semi-permanent point in time snapshot and manifestation of the various thoughts running around my brain (see banner graphic), and as such any thoughts and opinions expressed within out-of-date posts may not the same, nor even similar, to those I may hold today.

Additional disclaimer, most of the verbiage in this disclaimer has been borrowed from various other sources. :)


Monday, November 03, 2008

Barracuda RBL - Open to Public

Ran across this announcement from Barracuda on Mike Rothman's blog and a coworker also pointed it out to me. Barracuda has made their DNSRBL publicly available on the Barracuda Central website .

Basically the way it works is that queries are crafted as the inverse IP address following by So, for example, if you had a mail server with the IP address of if you wanted to check if your mail server with the IP address, was listed in the Barracuda RBL, you would reverse the IP address (, append (, and do an nslookup of that hostname.

If your server is NOT listed in the BRBL, nslookup would return similiar to:

** server can't find NXDOMAIN

If your server IS listed in the BRBL, nslookup would return similiar to:

Name: Address:

All IP's listed in the BRBL will return an A record of for the queried hostname.

So, to use this BRBL to help identify spam, all you need to do is visit the site, register for an account, provide a list of the DNS servers that your mailserver will use, and add it to the RBL configuration of you mailserver. Barracuda Central will send you an verification email with a link you must click

Example SpamAssassin configuration (unverified):

# URL:
header __RCVD_IN_BRBL eval:check_rbl('brbl', '')
describe __RCVD_IN_BRBL received via a relay in
header RCVD_IN_BRBL_RELAY eval:check_rbl_sub('brbl', '')
describe RCVD_IN_BRBL_RELAY received via a relay rated as poor by Barracuda

There are unconfirmed rumors that have been reserved for SpamAssassin users and that using "bb" in lieu of "b" does not require registration. I was able to use both without registration, so your mileage may vary.

Although the Barracuda Central site has some pretty decent lookup tools to check the status of IP addresses, they are limited to a single address and require a CAPTCHA challenge for every lookup.

So, I wrote a quick (and very dirty) perl script to enumerate a netblock and check each IP against the blacklist:



use strict;
use Net::DNS;
use Net::IP;

my $network = $ARGV[0];
if($network !~ /^\d+\.\d+\.\d+\.\d+\/\d+$/)
print "Usage: $0 x.x.x.x/x\n";
print "Where x.x.x.x/x is the network to examine\n";

my $res = Net::DNS::Resolver->new;

my $IP= new Net::IP($network) or die("Unable to create network object for $network\n");

my $target_IP = join('.', reverse split(/\./, $IP->ip()))."";
my $org_ip = $IP->ip();
my $query = $res->query("$target_IP", "A");

if ($query) {
foreach my $rr ($query->answer) {
next unless $rr->type eq "A";
print "ALERT!!! $org_ip is BLACKLISTED!!! - Returned ($target_IP : ", $rr->rdatastr, ")\n";
} else {
print "$org_ip = Not Listed. - ($target_IP : ", $res->errorstring.")\n";

} while (++$IP);


Because we know that is included in the list, we can run a simple test with the netblock. Expected output should look something like this:

$ ./ = Not Listed. - ( : NXDOMAIN) = Not Listed. - ( : NXDOMAIN)

ALERT!!! is BLACKLISTED!!! - Returned ( : = Not Listed. - ( : NXDOMAIN)

Hat's off to Barracuda for giving something back to the community.

Labels: , , ,