Ran across
this announcement from Barracuda on
Mike Rothman's blog and a coworker also pointed it out to me. Barracuda has made their DNSRBL publicly available on the
Barracuda Central website .
Basically the way it works is that queries are crafted as the inverse IP address following by .b.barracudacentral.org. So, for example, if you had a mail server with the IP address of if you wanted to check if your mail server with the IP address 131.107.1.71, was listed in the Barracuda RBL, you would reverse the IP address (71.1.107.131), append .b.barracudacentral.org (71.1.107.131.b.barracudacentral.org), and do an nslookup of that hostname.
If your server is NOT listed in the BRBL, nslookup would return similiar to:
** server can't find 71.1.107.131.b.barracudacentral.org: NXDOMAINIf your server IS listed in the BRBL, nslookup would return similiar to:
Name: 71.1.107.131.b.barracudacentral.org Address: 127.0.0.2All IP's listed in the BRBL will return an A record of 127.0.0.2 for the queried hostname.
So, to use this BRBL to help identify spam, all you need to do is visit
the site, register for an account, provide a list of the DNS servers that your mailserver will use, and add it to the RBL configuration of you mailserver. Barracuda Central will send you an verification email with a link you must click
Example SpamAssassin configuration (
unverified):
# URL: http://www.barracudacentral.org/rbl/
header __RCVD_IN_BRBL eval:check_rbl('brbl', 'b.barracudacentral.org')
describe __RCVD_IN_BRBL received via a relay in b.barracudacentral.org
header RCVD_IN_BRBL_RELAY eval:check_rbl_sub('brbl', '127.0.0.2')
tflags RCVD_IN_BRBL_RELAY net
describe RCVD_IN_BRBL_RELAY received via a relay rated as poor by Barracuda
score RCVD_IN_BRBL_RELAY 1.00There are unconfirmed rumors that bb.barracudacentral.org have been reserved for SpamAssassin users and that using "bb" in lieu of "b" does not require registration. I was able to use both without registration, so your mileage may vary.
Although the Barracuda Central site has some pretty decent
lookup tools to check the status of IP addresses, they are limited to a single address and require a CAPTCHA challenge for every lookup.
So, I wrote a quick (and
very dirty) perl script to enumerate a netblock and check each IP against the blacklist:
--------CUT---------
#!/usr/bin/perl
use strict;
use Net::DNS;
use Net::IP;
my $network = $ARGV[0];
if($network !~ /^\d+\.\d+\.\d+\.\d+\/\d+$/)
{
print "Usage: $0 x.x.x.x/x\n";
print "Where x.x.x.x/x is the network to examine\n";
exit;
}
my $res = Net::DNS::Resolver->new;
my $IP= new Net::IP($network) or die("Unable to create network object for $network\n");
do
{
my $target_IP = join('.', reverse split(/\./, $IP->ip())).".b.barracudacentral.org";
my $org_ip = $IP->ip();
my $query = $res->query("$target_IP", "A");
if ($query) {
foreach my $rr ($query->answer) {
next unless $rr->type eq "A";
print "ALERT!!! $org_ip is BLACKLISTED!!! - Returned ($target_IP : ", $rr->rdatastr, ")\n";
}
} else {
print "$org_ip = Not Listed. - ($target_IP : ", $res->errorstring.")\n";
}
} while (++$IP);
--------CUT---------Because we know that 127.0.0.2 is included in the list, we can run a simple test with the 127.0.0.0/30 netblock. Expected output should look something like this:
$ ./BRBL.pl 127.0.0.0/30
127.0.0.0 = Not Listed. - (0.0.0.127.b.barracudacentral.org : NXDOMAIN)
127.0.0.1 = Not Listed. - (1.0.0.127.b.barracudacentral.org : NXDOMAIN)
ALERT!!! 127.0.0.2 is BLACKLISTED!!! - Returned (2.0.0.127.b.barracudacentral.org : 127.0.0.2)
127.0.0.3 = Not Listed. - (3.0.0.127.b.barracudacentral.org : NXDOMAIN)Hat's off to Barracuda for giving something back to the community.
