PowerShell blacklist check script: find an IP address' blacklist status & reputation

Published on Thursday, 19 May 2016

Here's a blacklist check script written in PowerShell. You can use it to look up an IP address in various blacklists (DNSBL, RBL). Such a check is a great indicator of an IP address' reputation. This PowerShell blacklist checker is basically a port of my Bash script to check an IP address blacklist status in Linux.


How to check an IP Address blacklist status in PowerShell in Windows Server

Sometimes you need to be able to look up an IP address blacklist status in more than one blacklist. This is better done with a PS script than on your cmd.exe or PowerShell shell (typing in a reversed IP and a blacklist host address for nslookup can be a real pain...). On Linux we have a bash script to look up an IP address' blacklist status, and now here's one for Windows Server & PowerShell too.

The PowerShell script below is fully functional, except for the Project Honey Pot blacklist (httpBL). You'll need an API key for this. Yes, httpBL is an HTTP blacklist; here's why I always like to see whether an IP address is listed there too: I wouldn't want to receive email from a server that's known to be a comment spammer or harvester. And I'm sure you wouldn't either. This is why I use blacklist checks like these to determine whether I should block an IP address locally.

The script takes an IP address as command-line input, reverses it and appends the blacklist host name. The resulting name is then fed to [System.Net.Dns]::GetHostEntry. This is not a 100 percent PowerShell solution, but in my opinion it gives the best results and output. You're free to replace [System.Net.Dns]::GetHostEntry with PowerShell's Resolve-DnsName cmdlet or another resolver.

Blacklistcheck.ps1, the PowerShell script

Here is the PS code, fully functional. Save the following code in a new file called blacklistcheck.ps1 (for example):

# blacklistcheck.ps1 - PowerShell script to check
# an IP address blacklist status
# 
# Follow me on Twitter: @Jan_Reilink
# 
# Steps:
# 1. IPv4 IP address input from the command-line:
#    .\blacklistcheck.ps1 1.2.3.4
# 2. reverse the IP address: 1.2.3.4 becomes 4.3.2.1
# 3. append the blacklist zone, e.g. .cbl.abuseat.org.
#    to the reversed IP address
# 4. perform a DNS lookup
# 5. print out the result

param (
  [string]$ip = $(throw "ip is required.")
 )

# Project Honey Pot API-key, create a free account 
# and get yours @ 
# https://www.projecthoneypot.org/create_account.php
$httpBL = "[my-API-key]"
 
# Reverse the IP address stored in $ip, let's hustle
# those IP octets around a bit
$ipParts = $ip.Split('.')
[array]::Reverse($ipParts)
$ipParts = [string]::Join('.', $ipParts)

# An array of blacklists to perform checks on
# You can add your own blacklists to this list
$blacklists = "dnsbl.httpbl.org", `
	"cbl.abuseat.org", `
	"dnsbl.sorbs.net", `
	"bl.spamcop.net", `
	"zen.spamhaus.org", `
	"b.barracudacentral.org", `
	"bad.psky.me"

foreach ( $blacklist in $blacklists ) {
	if ( $blacklist -eq "dnsbl.httpbl.org" ) {
		# Add your httpBL API-key from Project Honey Pot
		$lookupAddress = $httpBL + "." + $ipParts + ".dnsbl.httpbl.org."
	}
	else {
		$lookupAddress = $ipParts + ".$blacklist."
	}
	try {
		[System.Net.Dns]::GetHostEntry($lookupAddress) | select-object HostName,AddressList
	}
	catch {
		# The try{} catch{} is needed to catch DNS lookup 
		# errors when an IP address is not blacklisted.
		# Yes, this is annoying
		Write-Host "No blacklisting for $ip found in $blacklist"
	}
}

Blacklistcheck.ps1 usage - how to look up IP blacklist status from the PowerShell command line

Call the blacklist-check-script from your PowerShell prompt, and feed it an IP address. For example:

PS C:\Users\jan> .\scripts\blacklistcheck.ps1 127.9.1.2

HostName                                                    AddressList
-------- -----------
[my-API-key].2.1.9.127.dnsbl.httpbl.org                     {127.3.5.1}
No blacklisting for 127.9.1.2 found in cbl.abuseat.org
No blacklisting for 127.9.1.2 found in dnsbl.sorbs.net
No blacklisting for 127.9.1.2 found in bl.spamcop.net
No blacklisting for 127.9.1.2 found in zen.spamhaus.org
No blacklisting for 127.9.1.2 found in b.barracudacentral.org
No blacklisting for 127.9.1.2 found in bad.psky.me

PS C:\Users\jan> .\scripts\blacklistcheck.ps1 127.0.0.2
No blacklisting for 127.0.0.2 found in dnsbl.httpbl.org

HostName                                                    AddressList
-------- -----------
2.0.0.127.cbl.abuseat.org                                   {127.0.0.2}
2.0.0.127.dnsbl.sorbs.net                                   {127.0.0.3, 127.0.0.4, 127.0.0.5, 127.0.0.6...}
2.0.0.127.bl.spamcop.net                                    {127.0.0.2}
2.0.0.127.zen.spamhaus.org                                  {127.0.0.2, 127.0.0.4, 127.0.0.10}
2.0.0.127.b.barracudacentral.org                            {127.0.0.2}
2.0.0.127.bad.psky.me                                       {127.0.0.2}

Please support projects like Project Honey Pot. Join them, add a honeypot to your site or donate an MX record.

Check multiple IP addresses from a text file input

When you want to check multiple IP addresses for their blacklisting status, there is more than one way to feed a text file with IP addresses as input to blacklistcheck.ps1. You may use cmd.exe with a FOR loop:

C:\Users\jan>FOR /F %I IN (ips.txt) DO @powershell .\scripts\blacklistcheck.ps1 %I

HostName                                AddressList
-------- -----------
[my-API-key].88.110.118.87.dnsbl.htt... {127.1.10.1}
No blacklisting for 87.118.110.88 found in cbl.abuseat.org
No blacklisting for 87.118.110.88 found in dnsbl.sorbs.net
No blacklisting for 87.118.110.88 found in bl.spamcop.net
No blacklisting for 87.118.110.88 found in zen.spamhaus.org
88.110.118.87.b.barracudacentral.org    {127.0.0.2}
No blacklisting for 87.118.110.88 found in bad.psky.me



HostName                                AddressList
-------- -----------
[my-API-key].201.129.110.64.dnsbl.ht... {127.5.31.1}
No blacklisting for 64.110.129.201 found in cbl.abuseat.org
No blacklisting for 64.110.129.201 found in dnsbl.sorbs.net
No blacklisting for 64.110.129.201 found in bl.spamcop.net
No blacklisting for 64.110.129.201 found in zen.spamhaus.org
201.129.110.64.b.barracudacentral.org   {127.0.0.2}
201.129.110.64.bad.psky.me              {127.0.0.3}

A more PowerShell-native solution is to read the file and execute blacklistcheck.ps1 for every line read:

PS C:\Users\jan> foreach ( $line in Get-Content .\ips.txt ) { .\scripts\blacklistcheck.ps1 $line }

HostName                                                    AddressList
-------- -----------
[my-API-key].88.110.118.87.dnsbl.httpbl.org                 {127.1.10.1}
No blacklisting for 87.118.110.88 found in cbl.abuseat.org
No blacklisting for 87.118.110.88 found in dnsbl.sorbs.net
No blacklisting for 87.118.110.88 found in bl.spamcop.net
No blacklisting for 87.118.110.88 found in zen.spamhaus.org
88.110.118.87.b.barracudacentral.org                        {127.0.0.2}
No blacklisting for 87.118.110.88 found in bad.psky.me
[my-API-key].201.129.110.64.dnsbl.httpbl.org                {127.5.31.1}
No blacklisting for 64.110.129.201 found in cbl.abuseat.org
No blacklisting for 64.110.129.201 found in dnsbl.sorbs.net
No blacklisting for 64.110.129.201 found in bl.spamcop.net
No blacklisting for 64.110.129.201 found in zen.spamhaus.org
201.129.110.64.b.barracudacentral.org                       {127.0.0.2}
201.129.110.64.bad.psky.me                                  {127.0.0.3}

(these are some random IPs I found in a local blacklist of mine)
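
The same lookup as a pipeline-aware function, covering both the single-IP usage and the text-file input shown above; this is an added example, not part of the original blacklistcheck.ps1. It uses Resolve-DnsName as suggested earlier, rejects input that is not an IPv4 address, and decodes the httpBL answer using Project Honey Pot's documented 127.<days since last activity>.<threat score>.<visitor type> layout. The names Get-DnsblStatus, ConvertFrom-HttpBLAnswer, $HttpBLKey and $Zones are assumptions made for this example.

```powershell
# Added example; the function names and key placeholder are assumptions.
$HttpBLKey = '[my-API-key]'   # Project Honey Pot key placeholder, as in the script above
$Zones = 'dnsbl.httpbl.org', 'cbl.abuseat.org', 'zen.spamhaus.org'   # subset of the page's list

function ConvertFrom-HttpBLAnswer {
    # httpBL encodes its verdict in the A record: 127.<days>.<threat>.<type>
    param([Parameter(Mandatory)][string]$Answer)
    $o = @($Answer.Split('.') | ForEach-Object { [int]$_ })
    if ($o.Count -ne 4 -or $o[0] -ne 127) { return $null }   # not an httpBL answer
    if ($o[3] -eq 0) { return [pscustomobject]@{ VisitorType = 'SearchEngine' } }
    $types = @()
    if ($o[3] -band 1) { $types += 'Suspicious' }
    if ($o[3] -band 2) { $types += 'Harvester' }
    if ($o[3] -band 4) { $types += 'CommentSpammer' }
    [pscustomobject]@{
        DaysSinceLastActivity = $o[1]
        ThreatScore           = $o[2]
        VisitorType           = $types -join ','
    }
}

function Get-DnsblStatus {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$IPAddress)
    process {
        # Accept only dotted-quad IPv4; other input would be pasted into a DNS query name
        $parsed = $null
        if ($IPAddress -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
            -not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$parsed)) {
            Write-Warning "Skipping '$IPAddress': not an IPv4 address"
            return
        }
        $octets = $IPAddress.Split('.')
        [array]::Reverse($octets)
        $reversed = $octets -join '.'
        foreach ($zone in $Zones) {
            $isHttpBL = $zone -eq 'dnsbl.httpbl.org'
            $query = if ($isHttpBL) { "$HttpBLKey.$reversed.$zone." } else { "$reversed.$zone." }
            # NXDOMAIN (not listed) yields no output instead of an exception
            $answers = @(Resolve-DnsName -Name $query -Type A -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
            $decoded = if ($isHttpBL -and $answers.Count -gt 0) { ConvertFrom-HttpBLAnswer $answers[0] }
            [pscustomobject]@{ IP = $IPAddress; Zone = $zone; Listed = ($answers.Count -gt 0)
                               Answers = $answers; HttpBL = $decoded }
        }
    }
}

# Constructed input: the httpBL answer from the first sample run above
ConvertFrom-HttpBLAnswer '127.3.5.1'
```

For a file of addresses, pipe it in and keep only the hits: `Get-Content .\ips.txt | Get-DnsblStatus | Where-Object Listed`. Because each result is an object rather than mixed table and Write-Host text, it can be filtered or exported with Export-Csv.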

Conclusion blacklist checking in PowerShell

I hope this helps someone who wants to, or has to do, blacklist checking in PowerShell. Have a look at my PowerShell introduction post for maintaining Windows Server, IIS 7, 7.5, 8.0, 8.5 or IIS 10.
