
repeated rejection of lookups of bad name



A few days ago I received a message with a return path of
berendbrothers.com@palmcoastcondo.com.
exim4's data ACL rejected the message.  At the same time, my logs show
--------------------------------------
Nov  7 22:11:12 corn check[6264]: spamd: got connection over /var/run/spamd/socket
Nov  7 22:11:12 corn check[6264]: spamd: checking message <000701c821ce$22bf4880$0100007f@pmiit> for mail:8
Nov  7 22:11:17 corn check[6264]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to sys-syslog
Nov  7 22:11:18 corn named[3831]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/TXT/IN': ::1#53
Nov  7 22:11:19 corn cyrus/imap[23341]: open: user ross opened INBOX
Nov  7 22:11:21 corn check[6264]: [ 3] mail 1 is known spam.
-----------------------------------------
Since then, every hour at 2 minutes after the hour I get the
named[xxxx]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/TXT/IN': ::1#53
message.

Googling indicates this means that a DNS query is going to ::1, which I
think is IPv6 for localhost, and the DNS server (which is mine) is
rejecting the query.

Why is this happening?  That is,
1. why is the query being generated every hour?  The timing seems to
coincide with hourly runs of logcheck.
2. why is it looking for ::1#53 as the DNS server?  I have not
configured bind9 to accept queries on ::1.  So the question isn't why
it's being rejected, but why that location is being queried.
3. How can I stop these queries?

Also, my logcheck rules aren't filtering the unexpected RCODE messages
out.  I suspect they should, but the reason will probably be clear by
inspecting them.

I'm running logcheck, exim4, spamassassin, and cyrus on Debian testing.
I had no upgrades/installs immediately preceding the start of this
behavior.

Thanks.
Ross
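
A triage sketch for the named log line quoted in the post, added here as an example and not part of the original message: it splits the line into rcode, query name/type and server address, confirms that ::1 is a loopback address, and measures the gaps between repeats. The names parse, recurring and SAMPLE, the year default, and every sample line after the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Matches BIND's "unexpected RCODE" syslog line in the form quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"unexpected RCODE \((?P<rcode>\w+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)': (?P<server>\S+)$"
)

def parse(line, year=2000):
    """Return a dict for one matching line, else None.
    Syslog stamps carry no year, so `year` is an assumed value."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr, _, port = m["server"].rpartition("#")  # BIND prints address#port
    return {
        "when": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "rcode": m["rcode"], "qname": m["qname"], "qtype": m["qtype"],
        "server": addr, "port": int(port),
        "loopback": ipaddress.ip_address(addr).is_loopback,
    }

def recurring(lines, year=2000):
    """Group events by (qname, qtype, server); return gaps between them in seconds."""
    seen = defaultdict(list)
    for rec in filter(None, (parse(l, year) for l in lines)):
        seen[(rec["qname"], rec["qtype"], rec["server"])].append(rec["when"])
    return {k: [int((b - a).total_seconds()) for a, b in zip(sorted(v), sorted(v)[1:])]
            for k, v in seen.items()}

# Constructed sample: the first line is from the post, the others imitate the
# hourly repeats it describes plus one unrelated line that must be ignored.
SAMPLE = [
    "Nov  7 22:11:18 corn named[3831]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/TXT/IN': ::1#53",
    "Nov  7 23:02:05 corn named[3831]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/TXT/IN': ::1#53",
    "Nov  8 00:02:05 corn named[3831]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/TXT/IN': ::1#53",
    "Nov  7 22:11:19 corn cyrus/imap[23341]: open: user ross opened INBOX",
]

if __name__ == "__main__":
    print(parse(SAMPLE[0]))
    print(recurring(SAMPLE))
```

A steady gap of 3600 seconds for one (name, type, server) key points at a scheduled job rather than new mail arriving.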


