Monday, November 03, 2008

Barracuda RBL - Open to Public

Ran across this announcement from Barracuda on Mike Rothman's blog and a coworker also pointed it out to me. Barracuda has made their DNSRBL publicly available on the Barracuda Central website .

Basically the way it works is that queries are crafted as the inverse IP address following by .b.barracudacentral.org. So, for example, if you had a mail server with the IP address of if you wanted to check if your mail server with the IP address 131.107.1.71, was listed in the Barracuda RBL, you would reverse the IP address (71.1.107.131), append .b.barracudacentral.org (71.1.107.131.b.barracudacentral.org), and do an nslookup of that hostname.

If your server is NOT listed in the BRBL, nslookup would return similiar to:

** server can't find 71.1.107.131.b.barracudacentral.org: NXDOMAIN

If your server IS listed in the BRBL, nslookup would return similiar to:

Name: 71.1.107.131.b.barracudacentral.org Address: 127.0.0.2

All IP's listed in the BRBL will return an A record of 127.0.0.2 for the queried hostname.

So, to use this BRBL to help identify spam, all you need to do is visit the site, register for an account, provide a list of the DNS servers that your mailserver will use, and add it to the RBL configuration of you mailserver. Barracuda Central will send you an verification email with a link you must click

Example SpamAssassin configuration (unverified):

# URL: http://www.barracudacentral.org/rbl/
header __RCVD_IN_BRBL eval:check_rbl('brbl', 'b.barracudacentral.org')
describe __RCVD_IN_BRBL received via a relay in b.barracudacentral.org
header RCVD_IN_BRBL_RELAY eval:check_rbl_sub('brbl', '127.0.0.2')
tflags RCVD_IN_BRBL_RELAY net
describe RCVD_IN_BRBL_RELAY received via a relay rated as poor by Barracuda
score RCVD_IN_BRBL_RELAY 1.00


There are unconfirmed rumors that bb.barracudacentral.org have been reserved for SpamAssassin users and that using "bb" in lieu of "b" does not require registration. I was able to use both without registration, so your mileage may vary.

Although the Barracuda Central site has some pretty decent lookup tools to check the status of IP addresses, they are limited to a single address and require a CAPTCHA challenge for every lookup.

So, I wrote a quick (and very dirty) perl script to enumerate a netblock and check each IP against the blacklist:

--------CUT---------

#!/usr/bin/perl

use strict;
use Net::DNS;
use Net::IP;

my $network = $ARGV[0];
if($network !~ /^\d+\.\d+\.\d+\.\d+\/\d+$/)
{
print "Usage: $0 x.x.x.x/x\n";
print "Where x.x.x.x/x is the network to examine\n";
exit;
}

my $res = Net::DNS::Resolver->new;

my $IP= new Net::IP($network) or die("Unable to create network object for $network\n");

do
{
my $target_IP = join('.', reverse split(/\./, $IP->ip())).".b.barracudacentral.org";
my $org_ip = $IP->ip();
my $query = $res->query("$target_IP", "A");

if ($query) {
foreach my $rr ($query->answer) {
next unless $rr->type eq "A";
print "ALERT!!! $org_ip is BLACKLISTED!!! - Returned ($target_IP : ", $rr->rdatastr, ")\n";
}
} else {
print "$org_ip = Not Listed. - ($target_IP : ", $res->errorstring.")\n";
}

} while (++$IP);

--------CUT---------

Because we know that 127.0.0.2 is included in the list, we can run a simple test with the 127.0.0.0/30 netblock. Expected output should look something like this:

$ ./BRBL.pl 127.0.0.0/30
127.0.0.0 = Not Listed. - (0.0.0.127.b.barracudacentral.org : NXDOMAIN)

127.0.0.1 = Not Listed. - (1.0.0.127.b.barracudacentral.org : NXDOMAIN)

ALERT!!! 127.0.0.2 is BLACKLISTED!!! - Returned (2.0.0.127.b.barracudacentral.org : 127.0.0.2)

127.0.0.3 = Not Listed. - (3.0.0.127.b.barracudacentral.org : NXDOMAIN)


Hat's off to Barracuda for giving something back to the community.

Labels: , , ,

2 Comments:

Anonymous Kim said...

Dude your captcha doesn't work in IE, is this some sort of anti-MS statement?

Regardless: Three cheers for Kanokwan B and her keen googling skills, though I have no idea why she was googling this stuff anyhow.

PS: because I'm old I clicked on the handicapped icon.

Monday, November 03, 2008 6:55:00 AM  
Blogger Mestizo said...

@kim RE: Captcha ...that's Google/Blogger for ya!

Monday, November 03, 2008 6:58:00 AM  

Post a Comment

Links to this post:

Create a Link

<< Home