Spamlists monitoring in Zabbix

Zabbix-monitoring-systemMost companies have a wide variety of services running, usually with public and private facing interfaces. If you are providing services like SMTP, DNS or similar to your customers, those services might be misused and you could end up getting your servers IP addresses blacklisted on various Domain Name System Blackhole Lists (DNSBL). This could hurt your reputation as a service provider and will certainly result in a bad experience for your customers.
You can check DNSBL manually but it’s better to do with Zabbix!

You will need to install DNS utility on your system:
CentOS/RedHat/Fedora
# yum install bind-utils

Debian/Ubuntu
# apt-get install dnsutils

How Zabbix monitors DNSBL

This template utilizes External Checks. The script “check_dnsbl.sh” is run with parameters for the hostname of the server you wish to check and which DNSBL you wish to check against. It simply returns “0” if the server is not listed and “1” if it is.

The template has 5 pre-made items and corresponding triggers. The items should be pretty self-explanatory. Example: check_dnsbl.sh[{HOST.DNS},zen.spamhaus.org]

You can change the existing DNSBL servers in the template or add your own, although the ones already added should cover most users quite well.

{HOST.DNS}” is a macro that uses the DNS name you have specified for your hosts on their interfaces. The script requires the use of DNS names for it to function, however the script and template can be modified to use IP addresses instead. I wouldn’t recommended this though, since not using hostnames is bad practice anyway.

The default DNSBL’s used are:

b.barracudacentral.org – A free DNSBL of IP addresses known to send spam
bl.spamcop.net – The SCBL is a fast and automatic list of sites sending reported mail, fueled by a number of sources, including automated reports and SpamCop user submissions.
cbl.abuseat.org – The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic, Kelihos etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, dictionary mail harvesters etc.
dnsbl.sorbs.net – The SORBS (Spam and Open Relay Blocking System) provides free access to its DNS-based Block List (DNSBL) to effectively block email from more than 12 million host servers known to disseminate spam, phishing attacks and other forms of malicious email.
zen.spamhaus.org – ZEN is the combination of all Spamhaus IP-based DNSBL’s into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists.

You can find additional ones at: www.dnsbl.info

DNSBL queries explained

As an example, when a mail server receives a connection from a client, and wishes to check that client against a DNSBL (let’s say, dnsbl.example.net), it does more or less the following:

Take the client’s IP address—say, 192.168.54.32—and reverse the order of octets, yielding 32.54.168.192.
Append the DNSBL’s domain name: 32.54.168.192.dnsbl.example.net.
Look up this name in the DNS as a domain name (“A” record). This will return either an address, indicating that the client is listed; or an “NXDOMAIN” (“No such domain”) code, indicating that the client is not.
Optionally, if the client is listed, look up the name as a text record (“TXT” record). Most DNSBL’s publish information about why a client is listed as TXT records.

Looking up an address in a DNSBL is similar to looking it up in reverse-DNS. The differences are that a DNSBL lookup uses the “A” rather than “PTR” record type, and uses a forward domain (such as dnsbl.example.net above) rather than the special reverse domain in-addr.arpa.

Zabbix IP Blacklist Template installation

  1. Download the template and script.
  2. Copy “check_dnsbl.sh” to your Zabbix Servers and Proxies and place it in “/usr/local/share/zabbix/externalscripts” *
    * Check your server and proxy configuration file for the correct folder, look for the tag “ExternalScripts”
  3. Make the script executable: chmod +x /usr/local/share/zabbix/externalscripts/check_dnsbl.sh
  4. Create the following value map (Administration -> General -> Value mapping: Create value map)
    Name: IP Blacklist
    0 -> Not listed
    1 -> Listed
  5. Import the template and assign it to your host(s).

Host name should be the domain you want to check. Agent interface must have “DNS name” set and “Connect to” must be set to “DNS“.

If script does not return any data try to execute it manually under account of Zabbix server’s daemon. For example:

$ sudo -u zabbix ./check_dnsbl.sh example.com b.barracudacentral.org

Zabbix server will look in the directory defined as the location for external scripts (parameter ‘ExternalScripts’ in Zabbix server configuration file) and execute the command. The command will be executed as the user Zabbix server runs as, so any access permissions or environment variables should be handled in a wrapper script, if necessary, and permissions on the command should allow that user to execute it. Only commands in the specified directory are available for execution.

Script: check_dnsbl.sh

 

 

Want me to do this for you? Drop me a line: itgalaxyzzz {at} gmail [dot] com