Public IP blacklisting is a silent but significant threat in today’s hyper-connected enterprise environments. When your organization’s WAN IP ends up on a DNS-based blocklist (DNSBL), it can lead to undelivered emails, disrupted communications, and eroded trust from clients. For Managed Service Providers (MSPs) and IT professionals, detecting and responding to such incidents before they impact operations is critical. Learning how to automate WAN IP blocklist check with PowerShell can serve as a powerful tool in the proactive cybersecurity toolkit.
Background
Many organizations don’t realize their WAN IP address has been blacklisted until they face email deliverability issues or receive client complaints. Blacklists are maintained by third-party services to flag IPs involved in spam or malicious activity. While these services are essential to global email hygiene, false positives are not uncommon—especially for dynamic IP addresses or shared hosting environments.
This PowerShell script was built to automate the process of checking a WAN IP address against dozens of common DNSBLs. It can be run manually or scheduled for periodic checks, making it an excellent fit for MSPs and internal IT operations teams who need to audit external IP health across multiple client environments.
The Script
#Requires -Version 5.1
<#
.SYNOPSIS
Checks several common blacklists to see if the device's WAN IP is currently being blacklisted. A private recursive DNS server is recommended, as it is not uncommon for DNS blocklists to block public DNS servers such as 1.1.1.1.
.DESCRIPTION
Checks several common blacklists to see if the device's WAN IP is currently being blacklisted. A private recursive DNS server is recommended, as it is not uncommon for DNS blocklists to block public DNS servers such as 1.1.1.1.
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider.
Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.EXAMPLE
(No Parameters) - When found on blacklist
[Alert] The WAN IP '127.0.0.1' was found on 9 blacklist(s).
You may want to validate these results with 'https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a127.0.0.1'.
Name TTL ResponseCode
---- --- ------------
Blocklist.de 1269 127.0.0.14
Interserver RBL 903 127.0.0.2
Interserver Spam Assassin RBL 903 127.0.0.2
Mailspike Z 120 127.0.0.2
Mailspike BL 120 127.0.0.2
S5H 5, 86400, 86400, 86400, 30, 300, 30, 300, 300, 300 127.0.0.2, 85.119.82.99, 2001:ba8:1...
UCE Protect - L1 902 127.0.0.2
UCE Protect - L2 902 127.0.0.2
UCE Protect - L3 902 127.0.0.2
Blacklists Checked: 0Spam, 0Spam RBL, Anonmails DNSBL, Backscatterer, Blocklist.de, Cymru Bogons, Dan Tor, Dan Tor Exit, Drone BL, Fabel Sources, Host Karma, ImproWare (IMP) DNS RBL, ImproWare (IMP) Spam RBL, Interserver RBL, Interserver Spam Assassin RBL, JIPPG's Relay Blackhole List Project, Kempt.net DNS Black List, Mailspike Z, Mailspike BL, Nordspam BL, PSBL, S5H, Schulte, Spam Eating Monkey - Backscatter, Spam Eating Monkey - Black, SpamCop, Suomispam, Truncate, UCE Protect - L1, UCE Protect - L2, UCE Protect - L3, ZapBL
.EXAMPLE
(No Parameters) - When not found on blacklist
The WAN IP '127.0.0.1' was not found on any blacklists.
You may want to validate these results with 'https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a127.0.0.1'.
Blacklists Checked: 0Spam, 0Spam RBL, Anonmails DNSBL, Backscatterer, Blocklist.de, Cymru Bogons, Dan Tor, Dan Tor Exit, Drone BL, Fabel Sources, Host Karma, ImproWare (IMP) DNS RBL, ImproWare (IMP) Spam RBL, Interserver RBL, Interserver Spam Assassin RBL, JIPPG's Relay Blackhole List Project, Kempt.net DNS Black List, Mailspike Z, Mailspike BL, Nordspam BL, PSBL, S5H, Schulte, Spam Eating Monkey - Backscatter, Spam Eating Monkey - Black, SpamCop, Suomispam, Truncate, UCE Protect - L1, UCE Protect - L2, UCE Protect - L3, ZapBL
PARAMETER: -CustomField "ReplaceMeWithYourDesiredMultilineCustomField"
Optionally specify the name of a multiline custom field to store the results in.
.NOTES
Minimum OS Architecture Supported: Windows 10, Windows Server 2016
Release Notes: Initial Release
#>
[CmdletBinding()]
param (
[Parameter()]
[String]$CustomField
)
begin {
# If using script form variables, replace command line parameters with them.
if($env:multilineCustomFieldName -and $env:multilineCustomFieldName -notlike "null") { $CustomField = $env:multilineCustomFieldName }
# Local administrator privileges are required to set custom fields.
function Test-IsElevated {
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$p = New-Object System.Security.Principal.WindowsPrincipal($id)
$p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}
function Set-NinjaProperty {
[CmdletBinding()]
Param(
[Parameter(Mandatory = $True)]
[String]$Name,
[Parameter()]
[String]$Type,
[Parameter(Mandatory = $True, ValueFromPipeline = $True)]
$Value,
[Parameter()]
[String]$DocumentName
)
$Characters = $Value | Out-String | Measure-Object -Character | Select-Object -ExpandProperty Characters
if ($Characters -ge 200000) {
throw [System.ArgumentOutOfRangeException]::New("Character limit exceeded: the value is greater than or equal to 200,000 characters.")
}
# If requested to set the field value for a Ninja document, specify it here.
$DocumentationParams = @{}
if ($DocumentName) { $DocumentationParams["DocumentName"] = $DocumentName }
# This is a list of valid fields that can be set. If no type is specified, assume that the input does not need to be changed.
$ValidFields = "Attachment", "Checkbox", "Date", "Date or Date Time", "Decimal", "Dropdown", "Email", "Integer", "IP Address", "MultiLine", "MultiSelect", "Phone", "Secure", "Text", "Time", "URL", "WYSIWYG"
if ($Type -and $ValidFields -notcontains $Type) { Write-Warning "$Type is an invalid type. Please check here for valid types: https://ninjarmm.zendesk.com/hc/en-us/articles/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality" }
# The field below requires additional information to set.
$NeedsOptions = "Dropdown"
if ($DocumentName) {
if ($NeedsOptions -contains $Type) {
# Redirect error output to the success stream to handle errors more easily if nothing is found or something else goes wrong.
$NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2>&1
}
}
else {
if ($NeedsOptions -contains $Type) {
$NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2>&1
}
}
# If an error is received with an exception property, exit the function with that error information.
if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }
# The types below require values not typically given to be set. The code below will convert whatever we're given into a format ninjarmm-cli supports.
switch ($Type) {
"Checkbox" {
# Although it's highly likely we were given a value like "True" or a boolean data type, it's better to be safe than sorry.
$NinjaValue = [System.Convert]::ToBoolean($Value)
}
"Date or Date Time" {
# Ninjarmm-cli expects the GUID of the option to be selected. Therefore, match the given value with a GUID.
$Date = (Get-Date $Value).ToUniversalTime()
$TimeSpan = New-TimeSpan (Get-Date "1970-01-01 00:00:00") $Date
$NinjaValue = $TimeSpan.TotalSeconds
}
"Dropdown" {
# Ninjarmm-cli expects the GUID of the option we're trying to select, so match the value we were given with a GUID.
$Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header "GUID", "Name"
$Selection = $Options | Where-Object { $_.Name -eq $Value } | Select-Object -ExpandProperty GUID
if (-not $Selection) {
throw [System.ArgumentOutOfRangeException]::New("Value is not present in dropdown options.")
}
$NinjaValue = $Selection
}
default {
# All the other types shouldn't require additional work on the input.
$NinjaValue = $Value
}
}
# Set the field differently depending on whether it's a field in a Ninja Document or not.
if ($DocumentName) {
$CustomField = Ninja-Property-Docs-Set -AttributeName $Name -AttributeValue $NinjaValue @DocumentationParams 2>&1
}
else {
$CustomField = $NinjaValue | Ninja-Property-Set-Piped -Name $Name 2>&1
}
if ($CustomField.Exception) {
throw $CustomField
}
}
# Blacklists we are going to check.
$BlackLists = @(
[PSCustomObject]@{
DisplayName = "0Spam"
DNSBLDomainName = "bl.0spam.org"
}
[PSCustomObject]@{
DisplayName = "0Spam RBL"
DNSBLDomainName = "rbl.0spam.org"
}
[PSCustomObject]@{
DisplayName = "Anonmails DNSBL"
DNSBLDomainName = "spam.dnsbl.anonmails.de"
}
[PSCustomObject]@{
DisplayName = "Backscatterer"
DNSBLDomainName = "ips.backscatterer.org"
}
[PSCustomObject]@{
DisplayName = "Blocklist.de"
DNSBLDomainName = "bl.blocklist.de"
}
[PSCustomObject]@{
DisplayName = "Cymru Bogons"
DNSBLDomainName = "bogons.cymru.com"
}
[PSCustomObject]@{
DisplayName = "Dan Tor"
DNSBLDomainName = "tor.dan.me.uk"
}
[PSCustomObject]@{
DisplayName = "Dan Tor Exit"
DNSBLDomainName = "torexit.dan.me.uk"
}
[PSCustomObject]@{
DisplayName = "Drone BL"
DNSBLDomainName = "dnsbl.dronebl.org"
}
[PSCustomObject]@{
DisplayName = "Fabel Sources"
DNSBLDomainName = "spamsources.fabel.dk"
}
[PSCustomObject]@{
DisplayName = "Host Karma"
DNSBLDomainName = "hostkarma.junkemailfilter.com"
}
[PSCustomObject]@{
DisplayName = "ImproWare (IMP) DNS RBL"
DNSBLDomainName = "dnsrbl.swinog.ch"
}
[PSCustomObject]@{
DisplayName = "ImproWare (IMP) Spam RBL"
DNSBLDomainName = "spamrbl.swinog.ch"
}
[PSCustomObject]@{
DisplayName = "Interserver RBL"
DNSBLDomainName = "rbl.interserver.net"
}
[PSCustomObject]@{
DisplayName = "Interserver Spam Assassin RBL"
DNSBLDomainName = "rblspamassassin.interserver.net"
}
[PSCustomObject]@{
DisplayName = "JIPPG's Relay Blackhole List Project"
DNSBLDomainName = "mail-abuse.blacklist.jippg.org"
}
[PSCustomObject]@{
DisplayName = "Kempt.net DNS Black List"
DNSBLDomainName = "dnsbl.kempt.net"
}
[PSCustomObject]@{
DisplayName = "Mailspike Z"
DNSBLDomainName = "z.mailspike.net"
}
[PSCustomObject]@{
DisplayName = "Mailspike BL"
DNSBLDomainName = "bl.mailspike.net"
}
[PSCustomObject]@{
DisplayName = "Nordspam BL"
DNSBLDomainName = "bl.nordspam.com"
}
[PSCustomObject]@{
DisplayName = "PSBL"
DNSBLDomainName = "psbl.surriel.com"
}
[PSCustomObject]@{
DisplayName = "S5H"
DNSBLDomainName = "all.s5h.net"
}
[PSCustomObject]@{
DisplayName = "Schulte"
DNSBLDomainName = "rbl.schulte.org"
}
[PSCustomObject]@{
DisplayName = "Spam Eating Monkey - Backscatter"
DNSBLDomainName = "backscatter.spameatingmonkey.net"
}
[PSCustomObject]@{
DisplayName = "Spam Eating Monkey - Black"
DNSBLDomainName = "bl.spameatingmonkey.net"
}
[PSCustomObject]@{
DisplayName = "SpamCop"
DNSBLDomainName = "bl.spamcop.net"
}
[PSCustomObject]@{
DisplayName = "Suomispam"
DNSBLDomainName = "bl.suomispam.net"
}
[PSCustomObject]@{
DisplayName = "Truncate"
DNSBLDomainName = "truncate.gbudb.net"
}
[PSCustomObject]@{
DisplayName = "UCE Protect - L1"
DNSBLDomainName = "dnsbl-1.uceprotect.net"
}
[PSCustomObject]@{
DisplayName = "UCE Protect - L2"
DNSBLDomainName = "dnsbl-2.uceprotect.net"
}
[PSCustomObject]@{
DisplayName = "UCE Protect - L3"
DNSBLDomainName = "dnsbl-3.uceprotect.net"
}
[PSCustomObject]@{
DisplayName = "ZapBL"
DNSBLDomainName = "dnsbl.zapbl.net"
}
)
if (!$ExitCode) {
$ExitCode = 0
}
}
process {
# Check if the script is running with elevated privileges (Administrator)
if (!(Test-IsElevated)) {
Write-Host -Object "[Error] Access Denied. Please run with Administrator privileges."
exit 1
}
# Try to retrieve the WAN IP using the ipify.org service
try {
$WanIP = (Invoke-WebRequest -Uri "api.ipify.org" -UseBasicParsing).Content
}
catch {
Write-Host -Object "[Error] Failed to retrieve WAN IP."
Write-Host -Object "[Error] $($_.Exception.Message)"
exit 1
}
# Validate the retrieved WAN IP format
if ($WanIP -notmatch '\d+\.\d+\.\d+\.\d+') {
Write-Host -Object "[Error] The service ipify.org returned '$WanIp' which is not a valid IP."
exit 1
}
# Further validate the WAN IP by attempting to cast it as an IP address object
try {
[IPAddress]$WanIP | Out-Null
}
catch {
Write-Host -Object "[Error] The service ipify.org returned '$WanIp' which is not a valid IP."
Write-Host -Object "[Error] $($_.Exception.Message)"
exit 1
}
# Reverse the IP address octets for DNSBL query
$IPOctets = $WanIP -split '\.'
[array]::Reverse($IPOctets)
$ReversedIp = $IPOctets -join '.'
# Validate the reversed IP format
if ($ReversedIp -notmatch '\d+\.\d+\.\d+\.\d+') {
Write-Host -Object "[Error] '$ReversedIp' is not a valid reversed IP of '$WanIP'."
exit 1
}
# Further validate the reversed IP by attempting to cast it as an IP address object
try {
[IPAddress]$ReversedIp | Out-Null
}
catch {
Write-Host -Object "[Error] '$ReversedIp' is not a valid reversed IP of '$WanIP'."
Write-Host -Object "[Error] $($_.Exception.Message)"
exit 1
}
# Initialize a list to store blacklisted services
$BlackListedServices = New-Object System.Collections.Generic.List[object]
# Loop through each DNSBL to check if the IP is listed
$BlackLists | ForEach-Object {
try {
$Result = Resolve-DnsName -Name "$ReversedIp.$($_.DNSBLDomainName)" -NoHostsFile -DnsOnly -QuickTimeout -ErrorAction Stop
$BlockListIP = Resolve-DnsName -Name $($_.DNSBLDomainName) -NoHostsFile -DnsOnly -QuickTimeout -ErrorAction SilentlyContinue | Select-Object -ExpandProperty IPAddress -ErrorAction SilentlyContinue
foreach($IPAddress in $Result.IPAddress){
if($IPaddress -notmatch '^127\.0\.' -and $BlockListIP -and $BlockListIP -notcontains $IPAddress){
Write-Host -Object "[Error] A Response Code of '$IPaddress' was given by $($_.DisplayName)."
Write-Host -Object "[Error] Typically response codes start with '127.0.' you may want to use different DNS servers."
$ExitCode = 1
return
}
}
# If the result does not contain an IP address skip to next entry
if(!$($Result.IPAddress)){
return
}
$BlackListedServices.Add(
[PSCustomObject]@{
Name = $($_.DisplayName)
TTL = $($Result.TTL -join ', ')
ResponseCode = $($Result.IPAddress -join ', ')
}
)
}
catch {
return
}
}
# Create a custom field value to store the results
$CustomFieldValue = New-Object System.Collections.Generic.List[string]
$MXToolboxLink = "https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a$WanIP"
# Check if any blacklists contain the WAN IP and output the results
if($BlackListedServices.Count -gt 0){
Write-Host -Object "[Alert] The WAN IP '$WanIp' was found on $($BlackListedServices.Count) blacklist(s)."
Write-Host -Object "You may want to validate these results with '$MXToolboxLink'."
$CustomFieldValue.Add("[Alert] The WAN IP '$WanIp' was found on $($BlackListedServices.Count) blacklist(s).")
$CustomFieldValue.Add($MXToolboxLink)
($BlackListedServices | Format-Table | Out-String).Trim() | Write-Host
$CustomFieldValue.Add($($BlackListedServices | Format-List | Out-String))
}else{
Write-Host -Object "The WAN IP '$WanIp' was not found on any blacklists."
Write-Host -Object "You may want to validate these results with '$MXToolboxLink'."
$CustomFieldValue.Add("The WAN IP '$WanIp' was not found on any blacklists.")
$CustomFieldValue.Add($MXToolboxLink)
}
# Output the list of blacklists checked
Write-Host -Object "`nBlacklists Checked: $($BlackLists.DisplayName -join ', ')"
# Optionally set a custom field with the results
if($CustomField){
try {
Write-Host "`nAttempting to set Custom Field '$CustomField'."
Set-NinjaProperty -Name $CustomField -Value $CustomFieldValue
Write-Host "Successfully set Custom Field '$CustomField'!"
}
catch {
Write-Host "[Error] $($_.Exception.Message)"
exit 1
}
}
exit $ExitCode
}
end {
}
Detailed Breakdown
At a high level, the script performs the following:
- Environment Preparation
- Requires PowerShell 5.1 and administrator privileges.
- Optionally integrates with NinjaOne’s custom fields for reporting.
- Retrieve WAN IP
- Uses ipify.org to fetch the current WAN IP.
- Reverse IP Formatting
- Formats the IP for DNSBL queries (e.g., 1.2.3.4 becomes 4.3.2.1).
- DNSBL Query Execution
- Loops through 30+ predefined blocklists.
- Uses Resolve-DnsName to check for blocklist entries.
- Identifies if the IP is listed and captures TTL and response codes.
- Results Logging and Output
- Outputs blocklist findings in a human-readable format.
- Generates a link to validate results via MXToolbox.
- Optionally writes to a NinjaOne multiline custom field using a built-in Set-NinjaProperty function.
- Exit Code
- Sets an appropriate exit code based on blacklist presence, allowing easy integration into automation pipelines.
Potential Use Cases
Imagine a scenario where an MSP receives reports that client emails are being rejected. Instead of manually verifying the WAN IP against multiple DNSBLs, the technician executes this script remotely via NinjaOne. Within moments, the script identifies that the client’s IP is on four blacklists. The technician uses the output to initiate delisting procedures while documenting the result in a NinjaOne custom field for future reference.
This level of rapid response significantly reduces downtime and provides transparency for both internal stakeholders and clients.
Comparisons
Traditionally, blocklist checks are performed manually via web tools like MXToolbox or through premium monitoring platforms. While effective, these methods are reactive and require manual initiation. By contrast, this PowerShell script:
- Enables automation and scheduling,
- Scales across multiple endpoints, and
- Integrates natively with NinjaOne’s custom fields for reporting and documentation.
Other scripting approaches may exist, but few offer this level of built-in error handling, multi-list coverage, and output formatting tailored for MSP workflows.
FAQs
Q: What happens if the WAN IP cannot be retrieved?
A: The script gracefully exits and notifies the user with an error message if ipify.org is unreachable or returns an invalid format.
Q: Can I use a public DNS server like 8.8.8.8?
A: It’s not recommended. Many DNSBLs block queries from public resolvers. Use a private recursive DNS server for accurate results.
Q: How is this integrated with NinjaOne?
A: If a custom field name is provided, the script writes results to that field using NinjaOne’s CLI. This is ideal for audit trails and documentation.
Q: Will this script change my network configuration?
A: No, the script is read-only except when writing to NinjaOne fields (if configured).
Implications
If a WAN IP is found on even a single DNSBL, it can lead to outbound emails being silently discarded or bounced. This can damage business reputation and disrupt operations. Automating blocklist detection empowers IT teams to react swiftly—preventing small issues from becoming major incidents.
Moreover, repeated blocklist entries may signal deeper issues such as compromised internal devices or misconfigured email relays. Regular checks can help detect such anomalies early.
Recommendations
- Run the script weekly across critical devices or clients with static IPs.
- Use a secure, recursive DNS server to ensure reliable results.
- Leverage NinjaOne fields to log and trend blocklist history.
- Follow up on any blacklist detection by consulting the blocklist provider for remediation steps.
- Incorporate the script into RMM or CI/CD pipelines for continuous monitoring.
Final Thoughts
Conducting a WAN IP blocklist check with PowerShell gives IT teams visibility into external reputation risks before they become critical. This script, especially when combined with NinjaOne’s automation and documentation features, enables a proactive stance on email deliverability and security hygiene. It empowers MSPs and IT admins with a scalable, auditable solution to manage and maintain WAN IP integrity across their fleet.
If you’re looking to operationalize your network health checks or streamline client reporting, integrating this script into your NinjaOne workflows is a practical, high-impact starting point.