Command line use to check IP reputation

Looking up the reputation of an IP address is one of the most frequent tasks of a SOC analyst. There are a number of online tools and scripts that do the task.

However, I have always used the command line to identify whether an IP address is listed on any blacklist. The reason is that a number of online tools still show the IP as blacklisted when the actual blacklisting party, such as Spamhaus, has already removed the IP from its list.

Analysts can use either scripts or the command line to get the results. nslookup, dig and host can be used to check an IP address against known blacklisting vendors. To do the check, the analyst needs to know that the information they are looking for is published through DNS records in the blacklist's zone.

If an analyst is using an online tool, he/she can enter the actual IP address, such as 1.2.3.4. However, on the command line one has to reverse the octets of the IP address and append the blacklist zone to be able to match against the blacklists.

Samples (1.2.3.4 reversed to 4.3.2.1, with the blacklist zone appended):

# an answer inside 127.0.0.0/8 means the IP is listed; NXDOMAIN means it is not
nslookup 4.3.2.1.zen.spamhaus.org
host 4.3.2.1.zen.spamhaus.org
# plain forward lookup: dig -x expects a bare IP and builds an in-addr.arpa name, which is not a blacklist query
dig 4.3.2.1.zen.spamhaus.org

More blacklists to check:
zen.spamhaus.org
xbl.spamhaus.org
pbl.spamhaus.org
spam.abuse.ch
cbl.abuseat.org
virbl.dnsbl.bit.nl
dnsbl.inps.de
ix.dnsbl.manitu.net
dnsbl.sorbs.net
bl.spamcannibal.org
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
db.wpbl.info

Site to check one IP against multiple blacklists: http://multirbl.valli.org/
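The reverse-and-append procedure above, scripted as an added example (not code from the original post): it builds the query name for any of the listed zones, looks it up, and interprets the answer. It goes slightly beyond the post by also handling IPv6 (nibble-reversed) and by decoding Spamhaus ZEN's published return codes; the zone list is a constructed subset of the post's list, the 127.255.255.x handling follows Spamhaus's documented error range, and the helper names are my own.

```python
import ipaddress
import socket
from typing import Optional, Tuple

# Constructed subset of the zones listed in the post (assumption: all are reachable).
ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net"]

# Spamhaus ZEN return codes (as published by Spamhaus); other zones use their own codes.
ZEN_CODES = {
    "127.0.0.2": "SBL - Spamhaus Block List",
    "127.0.0.3": "SBL - CSS (snowshoe/compromised) listing",
    "127.0.0.4": "XBL - exploited or hijacked host (CBL data)",
    "127.0.0.5": "XBL - reserved",
    "127.0.0.6": "XBL - reserved",
    "127.0.0.7": "XBL - reserved",
    "127.0.0.9": "SBL - DROP/EDROP range",
    "127.0.0.10": "PBL - ISP-maintained end-user range",
    "127.0.0.11": "PBL - Spamhaus-maintained end-user range",
}


def reverse_ip(ip: str) -> str:
    """Reverse an address into DNSBL query form.

    IPv4: octets reversed (1.2.3.4 -> 4.3.2.1).
    IPv6: all 32 hex nibbles of the expanded address, reversed and dot-separated.
    Raises ValueError for anything that is not a valid IP address.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split(".")))
    return ".".join(reversed(addr.exploded.replace(":", "")))


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for one blacklist: reversed address + '.' + zone."""
    return f"{reverse_ip(ip)}.{zone}"


def classify(answer: Optional[str], zone: str) -> str:
    """Turn the A-record answer (or None for NXDOMAIN) into a verdict.

    DNSBLs answer listed addresses with an address inside 127.0.0.0/8;
    Spamhaus uses 127.255.255.x to signal a rejected query (wrong name,
    open resolver, or rate limiting), which must not be read as a listing.
    """
    if answer is None:
        return "not listed"
    if answer.startswith("127.255.255."):
        return "error: query rejected by the blacklist (check resolver or query name)"
    if not answer.startswith("127."):
        return "unexpected answer (possibly wildcarded or hijacked DNS)"
    if zone == "zen.spamhaus.org":
        return ZEN_CODES.get(answer, "listed (unknown ZEN return code)")
    return "listed"


def lookup(ip: str, zone: str) -> Tuple[str, Optional[str], str]:
    """Resolve the blacklist name and return (name, answer, verdict).

    socket.gethostbyname raises gaierror both for NXDOMAIN and for resolver
    failures, so a 'not listed' verdict should be trusted only when the
    resolver is known to be working (the 127.0.0.2 self-test below covers that).
    """
    name = dnsbl_name(ip, zone)
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror:
        answer = None
    return name, answer, classify(answer, zone)


if __name__ == "__main__":
    # 127.0.0.2 is the RFC 5782 test entry that every DNSBL must list;
    # a 'not listed' result here means the resolver, not the IP, is the problem.
    for zone in ZONES:
        print(lookup("127.0.0.2", zone))
    # constructed sample IP from the post
    for zone in ZONES:
        print(lookup("1.2.3.4", zone))
```

Run it against a resolver that is allowed to query the zones; public resolvers are refused by Spamhaus, which is exactly the 127.255.255.x case the script reports as an error rather than a listing.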

Discover more from Blog by Third Eye intelligence