DNS Blacklist Checker · Mar 12, 19:31 by Shannon Wynter

Is it just me or is the amount of spam increasing at an unreasonable rate?

You join channels on IRC and get spammed by half a dozen trojin bots to download “free porn” and the likes (which usualy are trojins designed to turn your pc into YAZ

Well, later I might deal with the PM side of the spam, but today I’m going to give you a script that will help identify and remove these bots/hosts from your channel.

While it’s fair to say not every host that has an open proxy spams, and not every spammer is an open proxy.

It is also fair to say that a large number of attack drones from large botnets go unreported

The idea is not to catch every one, you’d go insane – but every one that you can catch, that’s one less for you to deal with.

As an added bonus, this script can back end into mysql for reporting and analysis if you chose to enable that feature.

1. ## DNS Blacklist Checker-       Version 1.0
2.  
3. ## INSTRUCTIONS
4. ###############################################################################
5.  
6. # This script will check the hosts of people joining channels against one or
7. # RBLs. Choose your RBLs wisely, some of them list DIALUP &/or DYNAMIC IP SPACE
8. # and that would be a bad thing to be matching your IRC users against
9. #
10. # Enable the 'dnsblcheck' flag for channels you want the script active on
11. # --> .chanset #somechannel +dnsblcheck
12. #
13. # To enable manual queries enable the 'dnsblmanual' flag
14. # --> .chanset #somechannel +dnsblmanual  
15. #
16. # Users who are +o, +v, or +f in your bot (local or global) won't be checked.
17. #
18. # Turn on console level d on the partyline to see some debug from the script
19. # --> .console +d (to enable)
20. # --> .console -d (to disable)
21.  
22. ## Mysql Table Creation (if you choose to use mysql. Default OFF)
23. ###############################################################################
24.  
25. # CREATE TABLE `DNSBLLog` (
26. #   `Stamp` timestamp(14) NOT NULL,
27. #   `Nick` char(15) default NULL,
28. #   `Hostmask` char(255) NOT NULL default '',
29. #   `Chan` char(201) default NULL,
30. #   `IP` int(10) unsigned default NULL,
31. #   `DNSBL` char(60) default NULL,
32. #   `Response` int(10) unsigned default NULL,
33. #   KEY `Nick` (`Nick`),
34. #   KEY `Chan` (`Chan`),
35. #   KEY `DNSBL` (`DNSBL`)
36. # ) TYPE=MyISAM;
37.  
38. ## Contact
39. ##############################################################################
40.  
41. # You'll see me (Freman) floating around IRC
42. #
43. # Undernet:
44. ##australia, #freak, #ozchat, #brisbane, #gentoo, #mysql, #php, #xchat
45. #
46. # EnterTheGame:
47. ##ign
48. #
49. # Or you can send me email via the contact form at http://fremnet.net/contact
50.  
51. ## CONFIG
52. ###############################################################################
53.  
54. # Space-separated list of RBLs to look in
55. set dnsblcheck("RBLs")       { "cbl.abuseat.org" "opm.blitzed.org" "dnsbl.ahbl.org" }
56.  
57. # Space-seperated list of domains to ignore
58. set dnsblcheck("Ignore")     { "undernet.org" }
59.  
60. # Time in minutes to ban for
61. set dnsblcheck("Bantime")    15
62.  
63. # Flags we don't match
64. set dnsblcheck("SafeFlags")  "fov"
65.  
66. # MySQL Details
67. # - Set UseMySQL to 1 if you intend to use mysql for logging and reporting
68. set dnsblcheck("UseMySQL")   0
69. set dnsblcheck("MySQLHost")  "hostname"
70. set dnsblcheck("MySQLUser")  "username"
71. set dnsblcheck("MySQLPass")  "password"
72. set dnsblcheck("MySQLDB")    "database"
73. set dnsblcheck("MySQLTable") "DNSBLLog"
74.  
75. # Now would be a good time to turn back
76.  
77. ## CODE
78. ###############################################################################
79.  
80. # Add our channel flags
81. setudef flag dnsblcheck
82. setudef flag dnsblmanual
83.  
84. # Bind our events
85. bind join - *!*@* dnsblcheck_join
86. bind pub - "!dnsblcheck" dnsblcheck_manual
87.  
88. # Process Manual Requests
89. proc dnsblcheck_manual { nick host handle chan rest } {
90.     global dnsblcheck
91.     # Check that we are active on this channel
92.     if {![channel get $chan dnsblmanual]} {
93. return 0
94.     }
95.  
96.     # Fill out the rest of the hostmask
97.     if {![string match "*\@*" $rest]} {
98. set rest "manual@$rest"
99.     }
100.  
101.     # Off to our first set of checks
102.     dnsblcheck_check1 $nick $rest $chan 1
103. }
104.  
105. # Catch joins
106. proc dnsblcheck_join { nick host handle chan } {
107.     global dnsblcheck
108.     # Check that we are active on this channel
109.     if {![channel get $chan dnsblcheck]} {
110. return 0
111.     }
112.  
113.     # Check that the joiner doesn't match our flags
114.     if {[matchattr $handle $dnsblcheck("SafeFlags")|$dnsblcheck("SafeFlags") $chan]} {
115. return 0
116.     }
117.  
118.     dnsblcheck_check1 $nick $host $chan 0
119. }
120.  
121. # First check (Makes sure we get an IP Address)
122. proc dnsblcheck_check1 {nick host chan manual} {
123.     global dnsblcheck
124.  
125.     # Check to see if it's an ignored domain
126.     foreach ignore $dnsblcheck("Ignore") {
127. if [string match "*$ignore" $host] {
128.      if {$manual == 1} {
129.   putchan $chan "\[DNSBL\] Unable to check host, ignored by $ignore"
130.      }
131.          return 0
132. }
133.      }
134.  
135.     # Get the actual host
136.     regexp ".+@(.+)" $host matches newhost
137.     if [regexp {[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$} $newhost] {
138. # It's an IP Address, we don't need to do a lookup on this
139. dnsblcheck_check2 $newhost $newhost 1 $nick $newhost $chan $manual $host
140.     } else {
141. putloglev d * "dnsblcheck: doing dns lookup on $newhost to get IP"
142. dnslookup $newhost dnsblcheck_check2 $nick $newhost $chan $manual $host
143.     }
144. }
145.  
146. # Second check (runs RBL checks)
147. proc dnsblcheck_check2 { ip host status nick orighost chan manual hostmask} {
148.     global dnsblcheck
149.  
150.     if {$status} {
151. putloglev d * "dnsblcheck: $host resolves to $ip"
152.  
153. # Reverse the IP Address
154. regexp {([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3})} $ip matches a b c d
155. set newip "$d.$c.$b.$a"
156.  
157. # Look it up in the blacklists
158. foreach rbl $dnsblcheck("RBLs") {
159.          putloglev d * "dnsblcheck: looking up $newip.$rbl"
160.          dnslookup "$newip.$rbl" dnsblcheck_check3 $nick $host $chan $rbl $manual $hostmask $ip
161. }
162.     } else {
163. if {$manual == 1} {
164.      putchan $chan "\[DNSBL\] Couldn't resolve $host."
165. } else {
166.      putlog "dnsblcheck: Couldn't resolve $host. (No further action taken.)"
167. }
168.     }
169. }
170.  
171. # Third check (catches RBL results)
172. proc dnsblcheck_check3 { ip host status nick orighost chan rbl manual hostmask origip} {
173.     global dnsblcheck
174.  
175.     if {$status} {
176. if {$manual == 1} {
177.      putchan $chan "\[DNSBL\] RBL $rbl returned $ip for $host (This means it's bannable)"
178. } else {
179.      putlog "dnsblcheck: got host $host = ip $ip from RBL $rbl ... banning"
180.      newchanban $chan "*@$orighost" "dnsbl" "Failed DNSBL Check: $rbl" $dnsblcheck("Bantime")
181.      if {$dnsblcheck("UseMySQL")} {
182.       set h [ mysqlconnect -host $dnsblcheck("MySQLHost") -user $dnsblcheck("MySQLUser") -password $dnsblcheck("MySQLPass") -db $dnsblcheck("MySQLDB") ]
183.   mysqlexec $h "INSERT INTO $dnsblcheck("MySQLTable") VALUES (NOW(),'$nick','$hostmask','$chan',inet_aton('$host'),'$rbl',inet_aton('$ip'))"
184.       mysqlclose $h
185.      }
186. }
187.     } else {
188. if {$manual == 1} {
189.      putchan $chan "\[DNSBL\] RBL $rbl did not return for $host (Either DNS failure, or host is clean)"
190. }
191.     }
192.     #if we didn't get a host, they're not in RBL
193. }
194.  
195. putlog "DNSBLCheck 1.0 by Freman loaded"
196. if {$dnsblcheck("UseMySQL")} {
197.     package require mysqltcl
198.     putlog "DNSBLCheck 1.0 - Using MySQL for Logging and Reporting"
199. }
200.  
201. Download this code: dnsblcheck.tcl (Downloaded 274 time(s))

Comments