Fail2Ban Reporting Hub

Centralized abuse feed aggregator. Accept reports from Fail2Ban, Postfix, Exim, Rspamd, and other mail security systems. Automatically correlate reputation and update blocklists in real time.

System Overview

Accept Reports

Ingest abuse reports from Fail2Ban, Postfix, Exim, OpenSMTPD, Rspamd, Mailcow, Mailu, and custom integrations.

Aggregate Data

Correlate reported IPs and domains across multiple sources. Calculate reputation scores based on frequency and severity.

Auto-Update

Automatically update DNSBL zones when reputation thresholds are exceeded. Real-time blocklist synchronization.

Report API Endpoint

POST /api/fail2ban/report
Submit abuse reports from your infrastructure

Request Headers

Authorization: Bearer YOUR_API_KEY
Content-Type: application/json

Request Body

{
  "reported_ip": "2001:db8::bad:actor",
  "service": "fail2ban",
  "jail_name": "sshd",
  "reason": "Multiple failed SSH login attempts",
  "log_lines": "Jan 15 10:23:45 sshd[1234]: Failed password...",
  "metadata": {
    "ban_time": 3600,
    "max_retry": 5,
    "find_time": 600
  }
}

Response

{
  "success": true,
  "report_id": "550e8400-e29b-41d4-a716-446655440000",
  "reputation_score": 45,
  "auto_blacklisted": true,
  "message": "Report accepted and processed"
}
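An added example, not part of the service's own client code: one way a reporter could validate the address and build the request body shown above before sending it, so that malformed or internal addresses never reach the shared blocklist and attacker-influenced log text cannot alter the JSON. The NEVER_REPORT list, the own_networks parameter and the MAX_LOG_CHARS cap are assumptions of this example.

```python
import ipaddress
import json

# Assumption: ranges a reporter should never submit (loopback, RFC 1918,
# link-local, IPv6 ULA). Add your own ranges through own_networks.
NEVER_REPORT = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]
MAX_LOG_CHARS = 1024  # assumption: the page states no size limit


def build_report(raw_ip, service, reason, jail_name=None, log_lines="",
                 own_networks=()):
    """Return the JSON request body for the report endpoint as a string."""
    ip = ipaddress.ip_address(raw_ip.strip())  # ValueError if unparseable
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 ranges apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    blocked = NEVER_REPORT + [ipaddress.ip_network(n) for n in own_networks]
    for net in blocked:
        if ip.version == net.version and ip in net:
            raise ValueError(f"refusing to report {ip}: inside {net}")

    body = {"reported_ip": str(ip), "service": service, "reason": reason}
    if jail_name:
        body["jail_name"] = jail_name
    if log_lines:
        # Log text is attacker-influenced (usernames, HELO strings): drop
        # control characters and cap the size before it leaves the host.
        clean = "".join(c for c in log_lines if c == "\n" or c.isprintable())
        body["log_lines"] = clean[:MAX_LOG_CHARS]
    # json.dumps escapes quotes and backslashes, unlike string formatting.
    return json.dumps(body)


if __name__ == "__main__":
    # Constructed input: the username tries to smuggle a second reported_ip.
    line = 'Failed password for invalid user x","reported_ip":"10.0.0.1 from 192.0.2.100'
    print(build_report("192.0.2.100", "fail2ban", "5 failures", "sshd", line))
```

The placeholder 2001:db8::bad:actor used on this page is not a parseable IPv6 address, so this function rejects it; substitute a real literal when testing.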

Integration Examples

Fail2Ban Action
Custom action to report banned IPs to dnsbl.io

Create /etc/fail2ban/action.d/dnsbl-report.conf

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = curl -X POST https://api.dnsbl.io/fail2ban/report \
            -H "Authorization: Bearer <YOUR_API_KEY>" \
            -H "Content-Type: application/json" \
            -d '{"reported_ip":"<ip>","service":"fail2ban","jail_name":"<name>","reason":"<failures> failures"}'
actionunban =

[Init]
name = default

Enable in /etc/fail2ban/jail.local

[sshd]
enabled = true
action = %(action_)s
         dnsbl-report

Postfix Policy Service
Report spam sources during SMTP transaction

#!/usr/bin/env python3
import sys
import requests

API_KEY = "your_api_key_here"
API_URL = "https://api.dnsbl.io/fail2ban/report"

def report_ip(client_address):
    payload = {
        "reported_ip": client_address,
        "service": "postfix",
        "reason": "Spam source detected by policy service"
    }
    headers = {"Authorization": f"Bearer {API_KEY}"}
    try:
        # Bounded timeout: Postfix waits on this process for its answer
        requests.post(API_URL, json=payload, headers=headers, timeout=5)
    except requests.RequestException as exc:
        # A failed report must not take the policy service down
        print(f"dnsbl report failed: {exc}", file=sys.stderr)

# Postfix policy protocol: attribute=value lines, terminated by an empty line
for line in sys.stdin:
    if line.startswith("client_address="):
        ip = line.split("=", 1)[1].strip()
        # As written this runs for every request; call report_ip() only for
        # clients your own policy checks have judged abusive
        report_ip(ip)
    if line.strip() == "":
        # The reply is the action line followed by an empty line
        print("action=DUNNO\n")
        sys.stdout.flush()

Rspamd Lua Module
Direct integration with Rspamd spam filter

-- /etc/rspamd/plugins.d/dnsbl_report.lua
local rspamd_http = require "rspamd_http"
local rspamd_logger = require "rspamd_logger"

local function dnsbl_report(task)
  local ip = task:get_from_ip()
  if not ip or not ip:is_valid() then return end

  local score = task:get_metric_score('default')
  if score[1] > 10 then -- Report if spam score > 10
    rspamd_http.request({
      task = task, -- bind the request to this task's event loop and resolver
      url = 'https://api.dnsbl.io/fail2ban/report',
      headers = {
        ['Authorization'] = 'Bearer YOUR_API_KEY',
        ['Content-Type'] = 'application/json'
      },
      body = string.format('{"reported_ip":"%s","service":"rspamd","reason":"Spam score: %.2f"}',
        tostring(ip), score[1]),
      -- Asynchronous completion handler: log transport errors only
      callback = function(err)
        if err then
          rspamd_logger.errx(task, 'dnsbl report failed: %s', err)
        end
      end
    })
  end
end

rspamd_config:register_symbol({
  name = 'DNSBL_REPORT',
  type = 'postfilter',
  callback = dnsbl_report
})

Python SDK / CLI Tool
Manual reporting via command line or Python script

Installation

pip install dnsblctl

CLI Usage

# Configure API key
dnsblctl config --api-key YOUR_API_KEY

# Report an IP
dnsblctl report 2001:db8::bad:actor --reason "Brute force attack" --service custom

# Report with metadata
dnsblctl report 192.0.2.100 --reason spam --service postfix --metadata '{"attempts":50}'

Python API

from dnsblctl import DNSBLClient

client = DNSBLClient(api_key="YOUR_API_KEY")

# Report an IP
response = client.report(
    reported_ip="2001:db8::bad:actor",
    service="custom",
    reason="Multiple failed login attempts",
    metadata={"attempts": 25, "timespan": "5m"}
)

print(f"Report ID: {response['report_id']}")
print(f"Reputation Score: {response['reputation_score']}")
print(f"Auto-blacklisted: {response['auto_blacklisted']}")

Reputation Scoring Algorithm

Metric                                     Impact
Total reports from unique sources          -5 points per report
Report frequency (reports/day)             -10 points if > 5/day
Service diversity (different reporters)    -3 points per service
Time since first report                    +1 point per day (decay)
Auto-blacklist threshold                   < 30 points
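The table carried through on constructed data, as an added example rather than the service's own scoring code. Assumptions: the starting score is passed in as baseline because the page does not give one, "reports/day" is read as reports in the trailing 24 hours, each reporter counts once toward the unique-source penalty, and decay never raises the score above the baseline.

```python
from datetime import datetime, timedelta

AUTO_BLACKLIST_BELOW = 30  # from the table: threshold "< 30 points"


def reputation_score(reports, now, baseline):
    """Score one IP from (source_id, service, timestamp) report tuples.

    baseline is an assumption supplied by the caller: the table does not
    state the score an address starts from.
    """
    reports = list(reports)
    if not reports:
        return baseline
    sources = {src for src, _, _ in reports}
    services = {svc for _, svc, _ in reports}
    last_24h = sum(1 for _, _, ts in reports if now - ts <= timedelta(days=1))
    age_days = (now - min(ts for _, _, ts in reports)).days

    score = baseline
    score -= 5 * len(sources)    # one counted report per unique source
    score -= 3 * len(services)   # service diversity
    if last_24h > 5:             # report frequency above 5/day
        score -= 10
    score += age_days            # decay: +1 point per day since first report
    return min(score, baseline)  # assumption: decay cannot exceed baseline


def auto_blacklisted(score):
    return score < AUTO_BLACKLIST_BELOW


# Constructed sample: four reporters, three services, six reports in 24 h.
NOW = datetime(2024, 1, 15, 12, 0)
SAMPLE = [
    ("mx1", "postfix", NOW - timedelta(days=2, hours=1)),
    ("mx1", "postfix", NOW - timedelta(hours=3)),
    ("mx1", "postfix", NOW - timedelta(hours=2)),
    ("web1", "fail2ban", NOW - timedelta(hours=5)),
    ("web2", "fail2ban", NOW - timedelta(hours=4)),
    ("filter1", "rspamd", NOW - timedelta(hours=1)),
    ("filter1", "rspamd", NOW - timedelta(minutes=30)),
]

if __name__ == "__main__":
    s = reputation_score(SAMPLE, NOW, baseline=100)  # baseline 100 is assumed
    print(s, auto_blacklisted(s))
```

Under this reading a single reporter flooding the endpoint moves the score far less than many independent reporters do, which is the property to check when judging how resistant a shared blocklist is to poisoning.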

Rate Limits & Authentication

This service is completely free for all users. API keys are provided to cybersecurity professionals for advanced features and automated reporting.

Rate Limits

  • 50,000 reports per day
  • 100 requests per minute
  • Full access to all features

All API requests require authentication via API key in the Authorization header. Request your API key at /api-key.