One way to deal with virus-infected client machines that spew spam is to do what AOL does. In our case this is not an acceptable choice. Instead we redirect all rogue outbound port 25/tcp traffic to a relay server [1], where we simply scan the outgoing mail for viruses. This has the side effect that the relay itself sometimes ends up in bl.spamcop.net. In order to know when this happens I wrote this simple Nagios plugin, check_dnsbl:
    #!/usr/bin/perl -w
    #
    # yiorgos, Fri Oct 13 16:09:52 EEST 2006
    # Normally this *must* follow the Nagios plugin guidelines:
    # http://nagiosplug.sourceforge.net/developer-guidelines.html
    #
    # Yes, these lines are needed because of the embedded Perl interpreter (ePN)
    use vars;
    use strict;

    my ($revip, $dnsbl, $ans);
    $revip = shift or die "you must give a reversed IP address";
    $dnsbl = shift or die "you must give a DNSBL";

    # The arguments come from the Nagios command definition; accept only a
    # dotted quad and a plain zone name so nothing odd is ever passed to dig.
    $revip =~ /^(?:\d{1,3}\.){3}\d{1,3}$/ or die "bad reversed IP address: $revip";
    $dnsbl =~ /^[A-Za-z0-9.-]+$/        or die "bad DNSBL name: $dnsbl";

    # List-form open: dig is exec'd directly, no shell in between.
    open(DNSBL, "-|", "/usr/bin/dig", "-4", "$revip.$dnsbl", "a")
        or die "cannot run dig: $!";
    while (<DNSBL>) {
        chomp;
        # An ANSWER SECTION means the zone returned an A record: we are listed.
        if (m/^;; ANSWER SECTION:/) {
            $ans = <DNSBL>;
            close DNSBL;
            print "$dnsbl STATUS: ", $ans;   # dig's answer line, newline included
            exit 2;                          # CRITICAL
        }
    }
    close DNSBL;
    print "$dnsbl STATUS: OK\n";
    exit 0;                                  # OK
Of course you can hack check_dnsbl to include more DNSBLs. This is simply a proof-of-concept that does the job fine. It is not a complete plugin. If you want to make a more complete plugin you have to read through the Nagios plugin developer guidelines.
Update: A final version of the check_dnsbl plugin can be downloaded from here. The final version checks for $HOSTNAME$ being listed in various DNSBLs specified in an array (Yes @dnsbl_list is specified inside the source. You can use an external file to specify the array and have the Perl interpreter require it if you don’t like it this way). It also uses Net::DNS instead of opening a pipe to dig which makes it considerably faster.
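The lookup the plugin performs is the standard one: reverse the octets of the IP address, append the DNSBL zone, and ask for an A record; an answer means the address is listed. The following is an added example of the same check written in Python, not the author's final check_dnsbl and not part of the original post. It assumes a DNSBL list of bl.spamcop.net and zen.spamhaus.org (the second is my choice, the post only names the first), resolves through the standard library's socket.gethostbyname, and lets the resolver be swapped out so the logic can be exercised offline. It also adds two checks a practitioner wants that the proof-of-concept lacks: the IP is validated before it is turned into a query name, and an answer outside 127.0.0.0/8 (the range DNSBLs use for their return codes) is reported as UNKNOWN rather than as a listing, since that is what you see from a dead list or a resolver that wildcards NXDOMAIN.

```python
#!/usr/bin/env python3
"""check_dnsbl-style lookup: is an IPv4 address listed in one or more DNSBLs?

Added example; the zone list and resolver choice are assumptions, not the
original plugin's code.
"""
import ipaddress
import socket
import sys

# Assumption: zones to consult. The post names only bl.spamcop.net.
DNSBL_LIST = ["bl.spamcop.net", "zen.spamhaus.org"]

# Nagios plugin exit codes.
NAGIOS_OK, NAGIOS_WARNING, NAGIOS_CRITICAL, NAGIOS_UNKNOWN = 0, 1, 2, 3

# DNSBL return codes live in the loopback range (RFC 5782).
DNSBL_ANSWER_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def reverse_ip(ip):
    """'192.0.2.10' -> '10.2.0.192'. Raises ValueError for anything that is
    not a dotted-quad IPv4 address, so shell junk never becomes a query name."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def dnsbl_query_name(ip, zone):
    """Build the name to look up, e.g. '10.2.0.192.bl.spamcop.net'."""
    return f"{reverse_ip(ip)}.{zone}"


def default_resolve(name):
    """Return a list of A-record strings, or [] when the name does not resolve
    (NXDOMAIN is how a DNSBL says 'not listed')."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


def check_dnsbl(ip, zones=DNSBL_LIST, resolve=default_resolve):
    """Query every zone; return (nagios_exit_code, status_line).

    Listed in at least one zone -> CRITICAL, with the return code per zone.
    Answer outside 127/8       -> UNKNOWN (dead list or wildcarding resolver).
    No answers anywhere        -> OK.
    """
    listed, odd = {}, {}
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            bucket = listed if ipaddress.IPv4Address(answer) in DNSBL_ANSWER_RANGE else odd
            bucket.setdefault(zone, []).append(answer)
    if listed:
        detail = "; ".join(f"{z} -> {','.join(a)}" for z, a in sorted(listed.items()))
        return NAGIOS_CRITICAL, f"DNSBL CRITICAL: {ip} listed: {detail}"
    if odd:
        return NAGIOS_UNKNOWN, "DNSBL UNKNOWN: non-127/8 answer from " + ", ".join(sorted(odd))
    return NAGIOS_OK, f"DNSBL OK: {ip} not listed in {len(zones)} zone(s)"


def main(argv):
    if len(argv) != 2:
        print("usage: check_dnsbl.py <ipv4-address>")
        return NAGIOS_UNKNOWN
    try:
        code, message = check_dnsbl(argv[1])
    except ValueError as exc:          # bad address on the command line
        code, message = NAGIOS_UNKNOWN, f"DNSBL UNKNOWN: {exc}"
    print(message)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two practical notes. RFC 5782 requires a conforming DNSBL to list 127.0.0.2 and never list 127.0.0.1, so running the check against those two addresses is a cheap way to confirm that a zone is alive and that your resolver path is sane before you trust an OK from it. And because each zone is queried independently, the status line names every list that has you, which is what you want when deciding where to file the delisting request.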
[1] in Greek