
Re: repeated rejection of lookups of bad name [DIAGNOSED/SOLVED]



[my original post had an incorrect debian-userS as the list name, which
then migrated to the cc of the reply]
-------- Forwarded Message --------
From: Ross Boylan <RossBoylan@stanfordalumni.org>
To: Michael Shuler <michael@pbandjelly.org>
Cc: RossBoylan@stanfordalumni.org, debian-users@lists.debian.org
Subject: Re: repeated rejection of lookups of bad name
Date: Sun, 11 Nov 2007 12:40:13 -0800

On Sun, 2007-11-11 at 13:05 -0600, Michael Shuler wrote:
> On 11/11/2007 12:47 PM, Ross Boylan wrote:
> > Why is this happening?  That is,
> > 1. why is the query being generated every hour?  The timing seems to
> > coincide with hourly runs of logcheck.
> > 2. why is it looking for ::1#53 as the DNS server?  I have not
> > configured bind9 to accept queries on ::1.  So the question isn't why
> > it's being rejected, but why that location is being queried.
> > 3. How can I stop these queries?
> 
> 1. The mail server queue is likely to be running every hour and just
> reprocessing.
> 
There's nothing in the queue, consistent with the message having been
rejected anyway. I ran logcheck from the console and verified that doing
so produces the error.  I think I know why.  The spamassassin report of
the mail from logcheck is
X-Spam_report: (-1.1 points, 5.0 required)
        pts rule name              description
        ---- ---------------------- --------------------------------------------------
        -0.0 NO_RELAYS              Informational: message was not relayed via SMTP
        -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                                    [score: 0.0000]
         2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                                    [URIs: palmcoastcondo.com]
        -0.4 AWL                    AWL: From: address is in the auto white-list

So spamassassin is looking in the body of the message and sees the URL.
It must then do a lookup of it.  This causes an error, which then
happens again when logcheck runs again, ad infinitum.

> 2. Because the palmcoastcondo.com domain owner has borked authoritative
> servers of ns1./ns2.nameserver.com..
> 
> mshuler@ares:~$ host ns1.nameserver.com.
> ns1.nameserver.com has address 204.77.64.1
> ns1.nameserver.com has IPv6 address ::1
> mshuler@ares:~$ host ns2.nameserver.com.
> ns2.nameserver.com has address 127.0.0.1
> ns2.nameserver.com has IPv6 address ::1
> 
Ah, so it does a DNS lookup of palmcoastcondo and is told to try ::1,
which sends it back to my machine.
> You can also 'dig any ns1.nameserver.com.' and 'dig any
> ns2.nameserver.com.' for more detail - AAAA records of ::1..
> 
> DNS amateurs.  And probably UCB, unless you want the condo sales spew..
> 
> 3. I would ignore it, and/or remove the messages from the queue, and/or
> blacklist the domain.
I think I'll investigate why logcheck is not filtering out this message,
and add something so that it does, at least temporarily.  That should
put an end to it.

[new in this message]
The bind patterns for logcheck do not match IPv6 IPs, which looks like an oversight.  I'll file a bug.

Another approach would be to stop spamassassin from checking my internal
mails.

Thanks for your help.
Ross
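The two findings in this thread, a logcheck bind rule that only matches IPv4 client addresses and a domain whose nameservers answer with loopback addresses, can both be checked mechanically. The script below is an added illustration and is not part of the thread or of logcheck's rule files: the BIND "query denied" syslog lines are constructed samples (the original log lines were never quoted), the IPv4-only pattern is a hypothetical stand-in for the logcheck rule Ross describes rather than its actual text, and the patterns are written in Python's regex dialect, which differs slightly from the egrep syntax logcheck uses (for instance `[\w.-]+` in place of `[._[:alnum:]-]+`). The nameserver addresses are the ones from Michael's quoted `host` output.

```python
import ipaddress
import re

# Constructed sample syslog lines in BIND 9's "query (cache) ... denied"
# format; these are not log lines from the original thread.
SAMPLE_LOG = """\
Nov 11 12:00:01 host named[1234]: client 192.0.2.10#34567: query (cache) 'example.com/A/IN' denied
Nov 11 13:00:02 host named[1234]: client ::1#53: query (cache) 'palmcoastcondo.com/A/IN' denied
Nov 11 13:00:03 host named[1234]: client 2001:db8::5#4711: query (cache) 'example.net/MX/IN' denied
Nov 11 13:00:04 host sshd[999]: Accepted publickey for ross from 192.0.2.7 port 5222 ssh2
"""

# Syslog prefix: month, "DD HH:MM:SS" (11 characters), hostname, named[pid].
PREFIX = r"^\w{3} [ :0-9]{11} [\w.-]+ named\[[0-9]+\]: "
IPV4 = r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}"
# Loose IPv6 matcher: hex groups and colons, with an optional dotted tail for
# IPv4-mapped forms.  Deliberately permissive, as a log-suppression rule
# only needs to recognise the shape, not validate the address.
IPV6 = r"[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*"

# Hypothetical IPv4-only ignore rule, standing in for the logcheck bind rule
# the thread says misses IPv6 clients.
DENIED_V4_ONLY = re.compile(
    PREFIX + r"client " + IPV4 + r"#[0-9]+: query \(cache\) '[^']+' denied$")
# Same rule extended to accept either address family.
DENIED_V4_V6 = re.compile(
    PREFIX + r"client (?:" + IPV4 + r"|" + IPV6
    + r")#[0-9]+: query \(cache\) '[^']+' denied$")


def unfiltered_lines(log_text, ignore_pattern):
    """Return the lines logcheck would still report: those the ignore
    pattern does not match.  Mirrors logcheck's suppress-on-match model."""
    return [line for line in log_text.splitlines()
            if not ignore_pattern.search(line)]


def client_address(line):
    """Extract the client address from a BIND 'client ADDR#PORT:' line."""
    m = re.search(r"client (\S+)#[0-9]+:", line)
    return m.group(1) if m else None


def suspicious_nameserver_addresses(glue):
    """Given {nameserver: [address, ...]}, return (nameserver, address)
    pairs that are loopback or unspecified, i.e. answers that send a
    resolver back to its own host instead of to an authoritative server."""
    bad = []
    for ns, addrs in glue.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip.is_loopback or ip.is_unspecified:
                bad.append((ns, a))
    return bad


# Addresses as quoted in the thread for ns1./ns2.nameserver.com.
NS_GLUE = {
    "ns1.nameserver.com": ["204.77.64.1", "::1"],
    "ns2.nameserver.com": ["127.0.0.1", "::1"],
}


if __name__ == "__main__":
    for name, pat in (("IPv4-only rule", DENIED_V4_ONLY),
                      ("IPv4+IPv6 rule", DENIED_V4_V6)):
        print(f"{name}: still reported by logcheck:")
        for line in unfiltered_lines(SAMPLE_LOG, pat):
            print("   ", line, "(client:", client_address(line), ")")
    print("nameserver addresses pointing back at the resolver:")
    for ns, addr in suspicious_nameserver_addresses(NS_GLUE):
        print("   ", ns, addr)
```

With the IPv4-only rule the two IPv6 denials (including the `::1#53` one from the thread) are still reported every time logcheck runs; the extended rule suppresses them and leaves only the unrelated sshd line. The glue check flags three of the four quoted addresses, which is exactly why the URIBL lookup ended up at the local bind9 listener.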


