About ircbl
Introduction
Ircbl is a dns blacklist created by Hidden (hidden at ircbl.org) to help IRC networks fight network abuse in 2018. Hundreds of new ip addresses are added to ircbl every day: mostly open proxies and ips that are used for abuse on large IRC networks like DALnet, Undernet and Quakenet.
Anyone can use it. I would appreciate a "hey Hidden, I am now using ircbl for this specific purpose", but this is not mandatory.
To check if an ip address is listed in ircbl's DB, issue a dns request on <reversed_ip>.rbl.ircbl.org
Ex. 1: Is 1.2.3.4 listed in ircbl.org?
Ex. 2: Is 6.7.8.9 listed in ircbl.org?
Ircbl has proven to be very effective on Undernet and later on DALnet. DALnet started using ircbl in June 2020 and uses multiple external RBLs (efnetrbl, dronebl, ircbl and others). Here’s a comment from one of dalnet’s coders written in early August 2020:
Note: an AKILL on DALnet is a ban from the whole network
If you are an IRC server administrator and are thinking about using an (additional) RBL on your server(s), ircbl is perfect for that. It offers unique multi-network features and was designed with this specific goal in mind.
Who can use ircbl?
How to use ircbl?
- A reply of 127.0.0.* indicates that the IP is listed in the RBL.
- No reply indicates that the IP is not blacklisted in ircbl.org
Ex. 1: Is 1.2.3.4 listed in ircbl.org?
$ host 4.3.2.1.rbl.ircbl.org
4.3.2.1.rbl.ircbl.org has address 127.0.0.21
Result: yes, 1.2.3.4 is listed as type 21.4.3.2.1.rbl.ircbl.org has address 127.0.0.21
Ex. 2: Is 6.7.8.9 listed in ircbl.org?
$ host 9.8.7.6.rbl.ircbl.org
Host 9.8.7.6.rbl.ircbl.org not found: 3(NXDOMAIN)
Result: No, 6.7.8.9 is not listed.Host 9.8.7.6.rbl.ircbl.org not found: 3(NXDOMAIN)
IRC networks
<DALnet-coder> From Oct 2019 to Mar 2020, we were averaging about 11k AKILLs per month for
suspected compromised floodbot IPs.
<DALnet-coder> In April and May, we saw a large uptick to about 33k AKILLs a month for those types of connections. We started rolling out IRCBL in June and the
AKILLs fell to 11k.
<DALnet-coder> July came in at 7k AKILLs, which is our lowest month in years for floodbot AKILLs.
<DALnet-coder> It's hard to scientifically prove causation, but even if it's only partially related to ircbl ...
<DALnet-coder> thank you, it helps :)
<DALnet-coder> In April and May, we saw a large uptick to about 33k AKILLs a month for those types of connections. We started rolling out IRCBL in June and the
AKILLs fell to 11k.
<DALnet-coder> July came in at 7k AKILLs, which is our lowest month in years for floodbot AKILLs.
<DALnet-coder> It's hard to scientifically prove causation, but even if it's only partially related to ircbl ...
<DALnet-coder> thank you, it helps :)
Note: an AKILL on DALnet is a ban from the whole network
If you are an IRC server administrator and are thinking about using an (additional) RBL on your server(s), ircbl is perfect for that. It offers unique multi-network features and was designed with this specific goal in mind.
- Each IRC network determines which IRC networks it trusts. Only the ips from sources they trust will appear in their *.<network>.rbl.ircbl.org dns lookups.
- If a network trusts other IRC networks, it is possible for the network to "locally" deactivate an entry without affecting other networks.
Ex: 1.2.3.100 is listed in ircbl by network Undernet, but network DALnet has deactivated the entry. - The self-removal option exists and allows a user to self-delist his ip address instantly without any other human action.
$ host 100.3.2.1.dalnet.rbl.ircbl.org
Host 100.3.2.1.dalnet.rbl.ircbl.org not found: 3(NXDOMAIN)
$ host 100.3.2.1.rbl.ircbl.org
100.3.2.1.rbl.ircbl.org has address 127.0.0.11
Host 100.3.2.1.dalnet.rbl.ircbl.org not found: 3(NXDOMAIN)
$ host 100.3.2.1.rbl.ircbl.org
100.3.2.1.rbl.ircbl.org has address 127.0.0.11
Useful links to IRC bots
- BOPM - https://github.com/blitzed-org/bopm
- HOPM - https://github.com/ircd-hybrid/hopm
- Armour - https://github.com/empus/armour
