dnsbl-client 0.1.0

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2011 Chris Lee
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,24 @@
+= dnsbl-client
+
+This library queries DNS Blacklists for listings. Currently this only does IP lookups, but the next version will handle domains.
+
+	require "dnsbl-client"
+	c = DNSBL::Client.new 
+	c.lookup("203.150.14.85")
+	=> [#<struct DNSBL::DNSBLResult dnsbl="UCEPROTECT1", query="85.14.150.203.dnsbl-1.uceprotect.net", result="127.0.0.2", meaning="Blacklisted", timing=0.0247988700866699>, #<struct DNSBL::DNSBLResult dnsbl="BARRACUDA", query="85.14.150.203.b.barracudacentral.org", result="127.0.0.2", meaning="Listed", timing=0.0266849994659424>]
+	
+== Contributing to dnsbl-client
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2011 Chris Lee. See LICENSE.txt for
+further details.
+

data/bin/dnsbl-client

@@ -0,0 +1,26 @@
+#!/usr/bin/env ruby
+require 'dnsbl-client'
+
+c = DNSBL::Client.new
+if ARGV.length > 0
+	c.lookup(ARGV).each do |res|
+		sep = ""
+		res.members.each do |member|
+			print sep
+			print res[member]
+			sep = "\t"
+		end
+	end
+else
+	$stdin.each_line do |ip|
+		ip.chomp!
+		c.lookup(ip).each do |res|
+			sep = ""
+			res.members.each do |member|
+				print sep
+				print res[member]
+				sep = "\t"
+			end
+		end
+	end
+end

data/lib/dnsbl-client.rb

@@ -0,0 +1 @@
+require 'dnsbl-client/dnsbl-client'

data/lib/dnsbl-client/dnsbl-client.rb

@@ -0,0 +1,83 @@
+# DESCRIPTION: is a module that queries dnsbls.  The configuration is in a YAML file.
+require 'resolv'
+require 'socket'
+require 'thread'
+require 'yaml'
+
+module DNSBL
+	class DNSBLResult < Struct.new(:dnsbl,:query,:result,:meaning,:timing); end
+	class Client
+		def initialize(configfile = File.dirname(__FILE__)+"/dnsbl.yaml")
+			@dnsbls = YAML.load(File.open(configfile).read)
+			nameservers = Resolv::DNS::Config.new.nameserver_port
+			sock = UDPSocket.new
+			sock.connect(nameservers[0][0],nameservers[0][1])
+			@sockets = [sock]
+			@socket_index = 0
+		end
+		def add_dnsbl(name,domain,type='ip',codes={"0"=>"OK","127.0.0.2"=>"Blacklisted"})
+			@dnsbls[name] = codes
+			@dnsbls[name]['domain'] = domain
+			@dnsbls[name]['type'] = type
+		end
+		def dnsbls
+			@dnsbls.keys
+		end
+		def _encode_query(ip,domain)
+			revip = ip.split(/\./).reverse.join(".")
+			lookup = "#{revip}.#{domain}"
+			txid = lookup.sum
+			message = Resolv::DNS::Message.new(txid)
+			message.rd = 1
+			message.add_question(lookup,Resolv::DNS::Resource::IN::A)
+			message.encode
+		end
+		def _decode_response(buf)
+			reply = Resolv::DNS::Message.decode(buf)
+			results = []
+			reply.each_answer do |name,ttl,data|
+				if name.to_s =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(.+)$/
+					ip = [$4,$3,$2,$1].join(".")
+					domain = $5
+					@dnsbls.each do |dnsblname,config|
+						if domain == config['domain']
+							meaning = config[data.address.to_s] || data.address.to_s
+							results << DNSBLResult.new(dnsblname,name.to_s,data.address.to_s,meaning,Time.now.to_f - @starttime)
+							break
+						end
+					end
+				end
+			end
+			results
+		end
+		def lookup(ip)
+			ips = ip
+			if ip.is_a? String
+				ips = [ip]
+			end
+			results = []
+			ips.each do |ip|
+				sent = 0
+				@starttime = Time.now.to_f
+				@dnsbls.each do |name,config|
+					next unless config['type'] == 'ip'
+					msg = _encode_query(ip,config['domain'])
+					@sockets[@socket_index].send(msg,0)
+					@socket_index += 1
+					@socket_index %= @sockets.length
+					sent += 1
+				end
+				while sent > 0
+					r,_,_ = IO.select(@sockets,nil,nil,1.5)
+					break unless r
+					r.each do |s|
+						response = _decode_response(s.recv(4096))
+						results += response
+						sent -= 1
+					end
+				end
+			end
+			results
+		end
+	end
+end

data/lib/dnsbl-client/dnsbl.yaml

@@ -0,0 +1,207 @@
+--- 
+VIRBL: 
+  domain: virbl.dnsbl.bit.nl
+  type: ip
+  "0": OK
+  127.0.0.2: List of malware or phishing email sources
+SPAMHAUS: 
+  127.0.0.3: Illegal 3rd party exploits, including proxies, worms and trojan exploits
+  127.0.0.4: Illegal 3rd party exploits, including proxies, worms and trojan exploits
+  127.0.0.5: Illegal 3rd party exploits, including proxies, worms and trojan exploits
+  127.0.0.6: Illegal 3rd party exploits, including proxies, worms and trojan exploits
+  domain: zen.spamhaus.org
+  type: ip
+  "0": OK
+  127.0.0.2: Direct UBE sources, verified spam services and ROKSO spammers
+  127.0.0.10: ISP Maintained Policy Block List
+  127.0.0.11: SpamHaus Maintained Policy Block List
+URIBL: 
+  127.0.0.4: Address found in UBE/UCE, and probably honour opt-out requests
+  domain: multi.uribl.com
+  type: ip
+  "0": OK
+  127.0.0.8: Address not listed on black and are either very young (domain age via whois), or use whois privacy features to protect their identity.
+  127.0.0.2: Address belonging to and used by spammers
+SURBL: 
+  127.0.0.64: jwSpamSpy + Prolocation data source
+  127.0.0.32: AbuseButler spamvertised sites
+  127.0.0.4: sa-blacklist and other sources
+  domain: multi.surbl.org
+  type: ip
+  "0": OK
+  127.0.0.8: Phishing data source
+  127.0.0.16: Outblaze spamvertised sites
+  127.0.0.2: SpamCop message-body URI domains
+NJABL: 
+  127.0.0.3: Dial-up/dynamic IP range
+  127.0.0.4: Spam source
+  127.0.0.5: Multi-stage open relays
+  domain: dnsbl.njabl.org
+  type: ip
+  "0": OK
+  127.0.0.8: Insecure CGI web server, possible spam source
+  127.0.0.9: Open proxy servers
+  127.0.0.2: Open relay
+SPAMCOP: 
+  domain: bl.spamcop.net
+  type: ip
+  "0": OK
+  127.0.0.2: Spam source
+SORBS: 
+  127.0.0.3: List of Open SOCKS Proxy Servers
+  127.0.0.10: List of Dial Up Users
+  127.0.0.11: List of domain names where the A or MX records point to bad address space
+  127.0.0.4: List of Misc Open Proxy Servers
+  127.0.0.12: List of domain names where the owners have indicated no mail should ever be sent with these domains
+  127.0.0.5: List of Open SMTP Relays
+  127.0.0.6: List of Spam Sources
+  domain: dnsbl.sorbs.net
+  127.0.0.7: List of web (WWW) server which have spammer abused vulnerabilities (e.g. FormMail scripts)
+  type: ip
+  "0": OK
+  127.0.0.8: List of List of hosts demanding they are never tested by SORBS
+  127.0.0.9: List of Botnet/DDoS Zombies
+  127.0.0.2: List of Open HTTP Proxy Servers
+AHBL: 
+  127.0.0.20: Blog/Wiki/Comment Spammer
+  127.0.0.3: Open Proxy
+  127.0.0.10: Shoot On Sight
+  127.0.0.11: Non-RFC Compliant (missing postmaster or abuse)
+  127.0.0.4: Spam Source
+  127.0.0.12: Does not properly handle 5xx errors
+  127.0.0.5: Provisional Spam Source Listing block (will be removed if spam stops)
+  127.0.0.127: Other
+  127.0.0.13: Other Non-RFC Compliant
+  127.0.0.6: Formmail Spam
+  domain: dnsbl.ahbl.org
+  127.0.0.14: Compromised System => DDoS
+  127.0.0.7: Spam Supporter
+  type: ip
+  "0": OK
+  127.0.0.15: Compromised System => Relay
+  127.0.0.8: Spam Supporter (indirect)
+  127.0.0.16: Compromised System => Autorooter/Scanner
+  127.0.0.9: End User (non mail system)
+  127.0.0.17: Compromised System => Worm or mass mailing virus
+  127.0.0.18: Compromised System => Other virus
+  127.0.0.19: Open Proxy
+  127.0.0.2: Open Relay
+DRONEBL:
+  domain: dnsbl.dronebl.org
+  type: ip
+  "0": OK
+  127.0.0.1: Host listed in DroneBL
+  127.0.0.2: Sample
+  127.0.0.3: IRC Drone
+  127.0.0.5: Bottler
+  127.0.0.6: Unknown spambot or drone
+  127.0.0.7: DDOS Drone
+  127.0.0.8: SOCKS Proxy
+  127.0.0.9: HTTP Proxy
+  127.0.0.10: ProxyChain
+  127.0.0.13: Brute force attackers
+  127.0.0.14: Open Wingate Proxy
+  127.0.0.15: Compromised router / gateway
+  127.0.0.255: Unknown
+BARRACUDA:
+  domain: b.barracudacentral.org
+  type: ip
+  "0": OK
+  127.0.0.2: Listed
+DRONE_ABUSE_CH:
+  domain: drone.abuse.ch
+  type: ip
+  "0": OK
+  127.0.0.2: Spam related FastFlux Bot
+  127.0.0.3: Malware related FastFlux Bot
+  127.0.0.4: Phish related FastFlux Bot
+  127.0.0.5: Scam related FastFlux Bot
+HTTPBL_ABUSE_CH:
+  domain: httpbl.abuse.ch
+  type: ip
+  "0": OK
+  127.0.0.2: Hacking activities
+  127.0.0.3: Hijacked server automated scanning drone
+  127.0.0.4: Referrer spam
+SPAM_ABUSE_CH:
+  domain: spam.abuse.ch
+  type: ip
+  0: OK
+  127.0.0.1: Sends spam to spamtrap
+MAILSHELL:
+  domain: dnsbl.mailshell.net
+  type: ip
+  0: OK
+  127.0.0.2: Blacklisted
+  127.0.0.188: Blacklisted
+  127.0.0.190: Blacklisted
+CBL:
+  domain: cbl.abuseat.org
+  type: ip
+  0: OK
+  127.0.0.2: Blacklisted
+RHSBL:
+  domain: rhsbl.ahbl.org
+  type: domain
+  0: OK
+  127.0.0.2: Blacklisted
+FIVETENSG:
+  domain: blackholes.five-ten-sg.com
+  type: ip
+  127.0.0.2: Spam
+  127.0.0.3: Dialup
+  127.0.0.4: Bulk
+  127.0.0.5: Multistage
+  127.0.0.6: Singlestage
+  127.0.0.7: Spam-support
+  127.0.0.8: Webform
+  127.0.0.9: Misc
+  127.0.0.10: klez
+  127.0.0.11: tcpa
+  127.0.0.12: free
+  127.0.0.13: cr
+INPS:
+  domain: dnsbl.inps.de
+  type: ip
+  127.0.0.2: Blacklisted
+MANITU:
+  domain: ix.dnsbl.manitu.net
+  type: ip
+  127.0.0.2: Blacklisted
+NOMOREFUN:
+  domain: no-more-funn.moensted.dk
+  type: ip
+  127.0.0.2: Direct spam sources
+  127.0.0.3: Dynamic IP or generic rDNS.
+  127.0.0.4: Bulk mailers
+  127.0.0.5: Multi stage open relay
+  127.0.0.6: single stage open relay
+  127.0.0.7: Ignoring complaints of spamming by customers
+  127.0.0.8: Please update your formmail.pl script
+  127.0.0.9: See http://moensted.dk/spam/no-more-funn/?addr=$
+  127.0.0.10: posible open proxies
+  127.0.0.11: Please stop testing our servers
+SPAMCANNIBAL:
+  domain: bl.spamcannibal.org
+  type: ip
+  127.0.0.2: Blacklisted
+UCEPROTECT1:
+  domain: dnsbl-1.uceprotect.net
+  type: ip
+  127.0.0.2: Blacklisted
+UCEPROTECT2:
+  domain: dnsbl-2.uceprotect.net
+  type: ip
+  127.0.0.2: Blacklisted
+UCEPROTECT3:
+  domain: dnsbl-3.uceprotect.net
+  type: ip
+  127.0.0.2: Blacklisted
+WHITELIST:
+  domain: ips.whitelisted.org
+  type: ip
+  127.0.0.2: Whitelisted
+BACKSCATTERER:
+  domains: ips.backscatterer.org
+  type: ip
+  127.0.0.2: Backscatterer

data/test/helper.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'dnsbl-client'
+
+class Test::Unit::TestCase
+end

data/test/test_dnsbl-client.rb

@@ -0,0 +1,14 @@
+require 'helper'
+
+class TestDnsblClient < Test::Unit::TestCase
+	should "return no hits for 127.0.0.255" do
+		c = DNSBL::Client.new
+		res = c.lookup("127.0.0.255")
+		assert_equal(0,res.length)
+	end
+	should "return all lists for 127.0.0.2" do
+		c = DNSBL::Client.new
+		res = c.lookup("127.0.0.2")
+		assert(res.length >= c.dnsbls.length)
+	end
+end

metadata

@@ -0,0 +1,157 @@
+--- !ruby/object:Gem::Specification 
+name: dnsbl-client
+version: !ruby/object:Gem::Version 
+  hash: 27
+  prerelease: 
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- Chris Lee
+autorequire: 
+bindir: bin
+cert_chain: 
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDYjCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMREwDwYDVQQDDAhydWJ5
+  Z2VtczEYMBYGCgmSJomT8ixkARkWCGNocmlzbGVlMRMwEQYKCZImiZPyLGQBGRYD
+  ZGhzMRMwEQYKCZImiZPyLGQBGRYDb3JnMB4XDTExMDIyNzE1MzAxOVoXDTEyMDIy
+  NzE1MzAxOVowVzERMA8GA1UEAwwIcnVieWdlbXMxGDAWBgoJkiaJk/IsZAEZFghj
+  aHJpc2xlZTETMBEGCgmSJomT8ixkARkWA2RoczETMBEGCgmSJomT8ixkARkWA29y
+  ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNM1Hjs6q58sf7Jp64A
+  vEY2cnRWDdFpD8UWpwaJK5kgSHOVgs+0mtszn+YlYjmx8kpmuYpyU4g9mNMImMQe
+  ow8pVsL4QBBK/1Ozgdxrsptk3IiTozMYA+g2I/+WvZSEDu9uHkKe8pvMBEMrg7RJ
+  IN7+jWaPnSzg3DbFwxwOdi+QRw33DjK7oFWcOaaBqWTUpI4epdi/c/FE1I6UWULJ
+  ZF/Uso0Sc2Pp/YuVhuMHGrUbn7zrWWo76nnK4DTLfXFDbZF5lIXT1w6BtIiN6Ho9
+  Rdr/W6663hYUo3WMsUSa3I5+PJXEBKmGHIZ2TNFnoFIRHha2fmm1HC9+BTaKwcO9
+  PLcCAwEAAaM5MDcwCQYDVR0TBAIwADAdBgNVHQ4EFgQURzsNkZo2rv86Ftc+hVww
+  RNICMrwwCwYDVR0PBAQDAgSwMA0GCSqGSIb3DQEBBQUAA4IBAQBRRw/iNA/PdnvW
+  OBoNCSr/IiHOGZqMHgPJwyWs68FhThnLc2EyIkuLTQf98ms1/D3p0XX9JsxazvKT
+  W/in8Mm/R2fkVziSdzqChtw/4Z4bW3c+RF7TgX6SP5cKxNAfKmAPuItcs2Y+7bdS
+  hr/FktVtT2iAmISRnlEbdaTpfl6N2ZWNT83khV6iOs5xRkX/+0e+GgAv9mE6nqr1
+  AkuDXMhposxcnFZUrZ3UtMPEe/JnyP7Vv6pvr3qtZm8FidFZU91+rX/fwdyBU8RP
+  /5l8uLWXXNt1wEbtu4N1I66LwTK2iRrQZE8XtlgZGbxYDFUkiurq3OafF2YwRs6W
+  6yhklP75
+  -----END CERTIFICATE-----
+
+date: 2011-03-14 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  requirement: *id001
+  prerelease: false
+  name: shoulda
+  type: :development
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 1
+        - 0
+        - 0
+        version: 1.0.0
+  requirement: *id002
+  prerelease: false
+  name: bundler
+  type: :development
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 1
+        - 5
+        - 2
+        version: 1.5.2
+  requirement: *id003
+  prerelease: false
+  name: jeweler
+  type: :development
+- !ruby/object:Gem::Dependency 
+  version_requirements: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  requirement: *id004
+  prerelease: false
+  name: rcov
+  type: :development
+description: simple interface to lookup blacklists results
+email: rubygems@chrislee.dhs.org
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE.txt
+- README.rdoc
+files: 
+- bin/dnsbl-client
+- lib/dnsbl-client.rb
+- lib/dnsbl-client/dnsbl-client.rb
+- lib/dnsbl-client/dnsbl.yaml
+- LICENSE.txt
+- README.rdoc
+- test/helper.rb
+- test/test_dnsbl-client.rb
+has_rdoc: true
+homepage: http://github.com/chrislee35/dnsbl-client
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.6.1
+signing_key: 
+specification_version: 3
+summary: queries various DNS Blacklists
+test_files: 
+- test/helper.rb
+- test/test_dnsbl-client.rb