{
  "id": "DlmtdnHx6mOhXjok",
  "meta": {
    "templateCredsSetupCompleted": true
  },
  "name": "Automated Domain/IP Blacklist Monitor with Slack",
  "tags": [],
  "nodes": [
    {
      "id": "d27bbd40-6b95-422c-8312-4e3a4b861497",
      "name": "Scheduled Check",
      "type": "n8n-nodes-base.scheduleTrigger",
      "position": [
        0,
        0
      ],
      "parameters": {
        "rule": {
          "interval": [
            {}
          ]
        }
      },
      "typeVersion": 1.2
    },
    {
      "id": "b4c57e0b-be8a-4e60-a5ef-99ef2fff399e",
      "name": "Define Domains/IPs",
      "type": "n8n-nodes-base.code",
      "position": [
        224,
        0
      ],
      "parameters": {
        "jsCode": "const assetsToCheck = [\n    \"your-company.com\",\n    \"mail.your-company.com\",\n    \"0.0.0.0\" // Example public IP\n];\n\nreturn assetsToCheck.map(asset => ({\n    json: { asset: asset }\n}));"
      },
      "typeVersion": 2
    },
    {
      "id": "67a1c4d1-4a3f-48a9-a923-9bfa00a86014",
      "name": "Query Blacklist API",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        448,
        0
      ],
      "parameters": {
        "url": "=https://api.abuseipdb.com/api/v2/check?ipAddress={{ $json.asset }} ",
        "options": {}
      },
      "typeVersion": 4.2
    },
    {
      "id": "7a5ba1a0-efdf-4398-a489-a9fdfdfbc8ff",
      "name": "Is on Blacklist?",
      "type": "n8n-nodes-base.if",
      "position": [
        672,
        0
      ],
      "parameters": {
        "options": {},
        "conditions": {
          "options": {
            "version": 2,
            "leftValue": "",
            "caseSensitive": true,
            "typeValidation": "strict"
          },
          "combinator": "and",
          "conditions": [
            {
              "id": "30182fcb-5f61-460c-a444-c1e1feecc245",
              "operator": {
                "type": "number",
                "operation": "gt"
              },
              "leftValue": "={{ $json.abuseConfidenceScore }}",
              "rightValue": 50
            }
          ]
        }
      },
      "typeVersion": 2.2
    },
    {
      "id": "b111cb69-17d7-42b7-8d45-6744e77209e9",
      "name": "Send High-Priority Alert",
      "type": "n8n-nodes-base.slack",
      "position": [
        896,
        0
      ],
      "parameters": {
        "text": "=\ud83d\udea8 *URGENT: Blacklist Alert!* \ud83d\udea8\\nAsset *{{ $json.asset }}* has a confidence score of *{{ $json.abuseConfidenceScore }}*. Immediate action is required!",
        "user": {
          "__rl": true,
          "mode": "id",
          "value": "123qa"
        },
        "select": "user",
        "otherOptions": {}
      },
      "credentials": {
        "slackApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.3
    },
    {
      "id": "5c802353-4127-461d-88f3-bd58d55bb118",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -48,
        -80
      ],
      "parameters": {
        "width": 1152,
        "height": 272,
        "content": "## Flow"
      },
      "typeVersion": 1
    },
    {
      "id": "306508a4-bdbc-449f-83c5-c61173df78c7",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -48,
        224
      ],
      "parameters": {
        "color": 3,
        "width": 1152,
        "height": 1680,
        "content": "# Automated Domain/IP Blacklist Monitor\n\n## \ud83d\udcdd Problem\n\n*The core problem we're solving:** Our email deliverability and sender reputation are at risk if our domain or IP addresses are listed on spam blacklists. Manual, ad-hoc checks are inefficient and often reactive, meaning we only discover a problem after emails are already bouncing or being marked as spam. This can lead to a loss of customer trust and business.\n\n---\n\n## \u2705 Solution\n\n*How this workflow addresses the problem:** This automated workflow proactively monitors our key domains and IP addresses against major blacklists. It will automatically check for new listings on a set schedule and send immediate alerts to the appropriate team members if a blacklisting is detected. This allows us to react quickly, identify the root cause, and initiate the delisting process before our reputation is severely impacted.\n\n---\n\n## \ud83d\udc65 For Whom\n\n**Who will use this system:**\n* *System Administrators:** To monitor the health of our email servers and network infrastructure.\n* *Marketing Team:** To ensure email campaigns reach their audience and maintain a high sender reputation.\n* *Security Team:** To quickly identify potential compromised systems or malicious activity on our network that could be causing the blacklisting.\n* *IT Support:** To respond to support tickets from customers about email delivery issues.\n\n---\n\n## \ud83c\udf10 Scope\n\n**What is included:**\n* Automatic, scheduled checks of all specified domains and IP addresses against a list of major blacklists (e.g., Spamhaus, Barracuda, SpamCop).\n* Real-time notifications (e.g., via email, Slack, or a ticket system) upon detection of a blacklisting event.\n* A centralized dashboard or log for viewing the status of all monitored assets.\n\n**What is out of scope:**\n* *Automatic delisting:** This workflow does not automatically request delisting. Delisting requires a manual investigation to address the underlying problem and a formal request to the blacklist provider.\n* *Root cause analysis:** The system will not automatically determine why an IP or domain was blacklisted. This requires human investigation.\n* *Internal mail server log analysis:** While the monitor can point to a problem, it does not analyze internal email logs to find the source of the spam.\n\n---\n\n## \ud83d\udee0\ufe0f How to Set Up\n\nFollow these steps to set up the automated blacklist monitor:\n\n1.  **Choose a Monitoring Service:** Select a reliable blacklist monitoring service (e.g., HetrixTools, MXToolBox, or a similar platform).\n2.  **Create an Account:** Sign up for the service and set up your organization's account.\n3.  **Add Monitored Assets:**\n    * Navigate to the \"Monitors\" or \"Assets\" section.\n    * Add each of our core domains (e.g., `ourcompany.com`) and all relevant outbound mail server IP addresses.\n4.  **Configure Notifications:**\n    * Set up notification channels for alerts. This could be an email to `security@ourcompany.com` or a dedicated Slack channel (`#blacklist-alerts`).\n    * Customize the notification frequency and details to ensure the alerts are actionable.\n5.  **Review the Dashboard:** Familiarize yourself with the system's dashboard. This will be your central point for reviewing the status of all monitored assets and viewing historical data.\n6.  **Set an Action Plan:** Document the steps to take when an alert is received, including:\n    * Immediately notifying the security and IT teams.\n    * Opening an incident ticket.\n    * Beginning the root cause analysis.\n    * Documenting the delisting process."
      },
      "typeVersion": 1
    }
  ],
  "active": false,
  "settings": {
    "executionOrder": "v1"
  },
  "versionId": "973431a8-144d-44ca-b031-eea4794565a3",
  "connections": {
    "Scheduled Check": {
      "main": [
        [
          {
            "node": "Define Domains/IPs",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Is on Blacklist?": {
      "main": [
        [
          {
            "node": "Send High-Priority Alert",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Define Domains/IPs": {
      "main": [
        [
          {
            "node": "Query Blacklist API",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Query Blacklist API": {
      "main": [
        [
          {
            "node": "Is on Blacklist?",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}