PS Script check IP against blacklist & email results?

This topic contains 2 replies, has 3 voices, and was last updated by Richard Siddaway 3 years, 6 months ago.

  • #10543
    Jake Sully
    Participant

    Greetings POSH experts! I've been learning quite a bit on this forum as well as a couple of others, and I am just starting a trial of the Don Jones training vids next week 🙂

    I'm doing OK learning, but I'm trying to write a script that I can run as a scheduled task. I want the script to check an IP against 2 or 3 blacklist sites and then, if the IP is blacklisted, email an alert with the results of which site it's blacklisted on. But also, if I run the task multiple times a day, I want 1 instance where, if the time is 9:00am (PST), then regardless of whether the result is positive or negative I want an email to verify the task is running, a sanity check basically.

    Here's what I've been able to do so far with one that I found, but this isn't working, and if anyone can help me finish it up that would be great!!

    param
    (
    # this would be the IP I want to check – is this the right variable and should it be entered normally here or in reverse?
    $ip = '10.0.0.172'
    )
    # Reverse IP – this should take the IP above and reverse it?
    $reverseIP = ($ip.split("."))[3..0]
    [string]$newIP = [string]::join(".",$reverseIP)

    # Define list of DNSBL sites to check
    [string[]]$dnsbl = @(
    "b.barracudacentral.org";
    "spam.rbl.msrbl.net";
    "zen.spamhaus.org";
    )
    # Create DNSBL strings for each member in DNSBL array
    [string[]]$newDNSBL = @()
    foreach ($hash in $dnsbl)
    {
    $newDNSBL += $newIP + '.' + $hash
    } # End of ForEach

    # DNS check against this IP (10.0.0.172) to determine if it's blacklisted?
    [string]$temp = ''

    for ($i=0; $i -lt $newDNSBL.Count; $i++) {
    # An unlisted IP gives no DNS answer, so catch the lookup error instead of letting it stop the script
    try {
    $temp = [System.Net.Dns]::GetHostAddresses($newDNSBL[$i]) | select-object -expandproperty IPAddressToString
    } catch {
    $temp = ''
    }

    switch -Wildcard ($temp){

    # A 127.0.0.x answer indicates $ip is listed in DNSBL
    '127.0.0.*'{
    Write-Host "IP $ip is listed in DNSBL " , ($newDNSBL[$i]).Replace("$newIP.","") -foregroundcolor "Red"
    } # End of 127.0.0.x check

    # Blank returns not listed in DNSBL
    ''{
    "IP $ip is NOT listed in DNSBL " + ($newDNSBL[$i]).Replace("$newIP.","")
    } # End of "" check
    }
    # End of Switch Block (not sure what the "switch block" is?)
    # End of For Loop to check DNSBL Listing
    }

  • #10545
    Dave Wyatt
    Moderator

    That script was fairly cluttered, including (in my opinion) way too many comments. I've revised it a bit, and hopefully this will make a good starting point for you. You'll still need to add code to send out the emails you mentioned. See Get-Help Send-MailMessage -Full for details on how you can do that.

    param
    (
        $IP = '10.0.0.172' 
    )
    
    $reversedIP = ($IP -split '\.')[3..0] -join '.'
    
    $blacklistServers = @(
        'b.barracudacentral.org'
        'spam.rbl.msrbl.net'
        'zen.spamhaus.org'
    )
    
    $blacklistedOn = @()
    
    foreach ($server in $blacklistServers)
    {
        $fqdn = "$reversedIP.$server"
    
        try
        {
            $null = [System.Net.Dns]::GetHostEntry($fqdn)
            $blacklistedOn += $server
        }
        catch { }
    }
    
    if ($blacklistedOn.Count -gt 0)
    {
        # The IP was blacklisted on one or more servers; send your email here.  $blacklistedOn is an array of the servers that returned positive results.
        Write-Host "$IP is blacklisted on the following servers: $($blacklistedOn -join ', ')"
    }
    else
    {
        Write-Host "$IP is not currently blacklisted on any server."
    
        if ((Get-Date).Hour -eq 9)
        {
            # The IP was not blacklisted, but it's between 9:00 and 10:00 AM (local time); you can send your sanity email here
        }
    }
    
    

    The code's pretty much self-documenting, so I took out all of the comments except for the two notes for where you can add email code. It reverses the octets of the IP address, and tries to resolve (for example) 172.0.0.10.b.barracudacentral.org, etc. If that name resolves, it's blacklisted on that server. There's one bit of code that might look funny if you're not used to using try/catch blocks:

        try
        {
            $null = [System.Net.Dns]::GetHostEntry($fqdn)
            $blacklistedOn += $server
        }
        catch { }
    

    If the hostname doesn't exist, GetHostEntry will throw an exception. If that happens, the "$blacklistedOn += $server" line doesn't execute; you jump straight into the empty catch block, which does nothing. If GetHostEntry succeeds (meaning the IP is blacklisted on this server), then the server gets appended to the $blacklistedOn array, which is checked later to determine if you need to send out an email.

  • #10549
    Richard Siddaway
    Moderator

    Rather than using comments, try this.

    Add

    [CmdletBinding()]

    to the top of your script.

    Replace

    # my comment

    with

    write-verbose "my comment"

    You can then invoke your script with a -Verbose switch and you get all the messages telling you what's happening. If you run it without -Verbose it runs quietly – just like a cmdlet. Comments and progress messages in one go.

    Comments are very useful – especially when you are trying something new so that you understand what you are trying to achieve.
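    The following script is an added example that pulls together Dave's revised lookup and Richard's [CmdletBinding()]/Write-Verbose suggestion; it is not code from either of them or from this forum. It goes a bit beyond the thread in three ways a defender running this as a scheduled task would want: it treats only answers in 127.0.0.0/8 as a listing (the DNSBL convention, RFC 5782) and distinguishes "not listed" (NXDOMAIN) from a lookup that failed outright, so a dead resolver is never reported as "clean"; it checks each zone with the RFC 5782 test entries (127.0.0.2 should be listed, 127.0.0.1 must not be) before trusting its answer; and it uses a marker file so the 09:00 sanity mail goes out once per day even if the task runs hourly. The function name Test-Dnsbl, the mail addresses and relay name, and the $StateFile path are assumptions; the mail values are placeholders to replace with your own.

```powershell
#Requires -Version 3.0
[CmdletBinding()]
param(
    # Address to check; constructed sample value, replace with the host you monitor.
    [ValidatePattern('^\d{1,3}(\.\d{1,3}){3}$')]
    [string]$IP = '10.0.0.172',

    # Hypothetical mail settings: replace with your own relay and mailboxes.
    [string]$SmtpServer = 'smtp.example.invalid',
    [string]$From       = 'dnsbl-check@example.invalid',
    [string]$To         = 'secops@example.invalid',

    # Marker file so the 09:00 sanity mail goes out once per day even if the task runs hourly.
    [string]$StateFile  = (Join-Path $env:ProgramData 'dnsbl-check\last-sanity.txt')
)

$blacklistServers = @(
    'b.barracudacentral.org'
    'spam.rbl.msrbl.net'
    'zen.spamhaus.org'
)

function Test-Dnsbl {
    # Returns one object per zone. Listed is $true, $false, or $null when the lookup
    # itself failed; $null must never be reported as "clean".
    [CmdletBinding()]
    param([string]$Address, [string[]]$Zones)

    $reversed = ($Address -split '\.')[3..0] -join '.'
    foreach ($zone in $Zones) {
        $fqdn = "$reversed.$zone"
        Write-Verbose "Querying $fqdn"
        $answers = @(); $listed = $null
        try {
            $answers = @([System.Net.Dns]::GetHostAddresses($fqdn) |
                ForEach-Object { $_.IPAddressToString })
            # Listings are answered from 127.0.0.0/8 (RFC 5782). Anything else is a
            # broken zone or a wildcard/hijacking resolver and is left as unknown.
            if ($answers | Where-Object { $_ -like '127.*' }) { $listed = $true }
        }
        catch [System.Net.Sockets.SocketException] {
            # NXDOMAIN (HostNotFound) is the normal "not listed" answer; any other
            # socket error (timeout, server failure) stays unknown.
            if ($_.Exception.SocketErrorCode -eq 'HostNotFound') { $listed = $false }
            else { Write-Verbose "$fqdn lookup error: $($_.Exception.SocketErrorCode)" }
        }
        [pscustomobject]@{ Zone = $zone; Listed = $listed; Answer = ($answers -join ',') }
    }
}

# RFC 5782 test entries: 127.0.0.2 should be listed and 127.0.0.1 must not be.
# A zone that fails this cannot be trusted, so it is dropped from the report.
$positive = Test-Dnsbl -Address '127.0.0.2' -Zones $blacklistServers
$negative = Test-Dnsbl -Address '127.0.0.1' -Zones $blacklistServers
$usable = foreach ($zone in $blacklistServers) {
    $p = $positive | Where-Object Zone -eq $zone
    $n = $negative | Where-Object Zone -eq $zone
    if ($p.Listed -eq $true -and $n.Listed -eq $false) { $zone }
    else { Write-Warning "Self-test failed for $zone; skipping it." }
}

$results = Test-Dnsbl -Address $IP -Zones $usable
$hits    = @($results | Where-Object Listed -eq $true)
$unknown = @($results | Where-Object { $null -eq $_.Listed })
$report  = ($results | Format-Table Zone, Listed, Answer -AutoSize | Out-String)
Write-Verbose $report

$mail = @{ SmtpServer = $SmtpServer; From = $From; To = $To }
# Add -UseSsl / -Port / -Credential (for example from Import-Clixml) as your relay requires.

if ($hits.Count -gt 0) {
    Send-MailMessage @mail -Subject "ALERT: $IP listed on $($hits.Zone -join ', ')" -Body $report
}
elseif ($unknown.Count -gt 0) {
    Send-MailMessage @mail -Subject "WARN: DNSBL lookups failed for $IP" -Body $report
}

# Daily sanity mail: only during the 09:00 hour and only once per calendar day.
$today    = (Get-Date).ToString('yyyy-MM-dd')
$lastSent = if (Test-Path $StateFile) { (Get-Content $StateFile -Raw).Trim() } else { '' }
if ((Get-Date).Hour -eq 9 -and $lastSent -ne $today) {
    Send-MailMessage @mail -Subject "DNSBL check ran for $IP ($($hits.Count) listings)" -Body $report
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    Set-Content -Path $StateFile -Value $today
}
```

    Run it as .\Check-Dnsbl.ps1 -IP 10.0.0.172 -Verbose from a console to see every query and the result table, and without -Verbose from the scheduled task so it runs quietly. The "WARN" branch matters for a monitoring job: with Dave's empty catch block a resolver outage looks identical to a clean result, whereas here it produces a mail you can act on.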
