Re: repeated rejection of lookups of bad name [DIAGNOSED/SOLVED]
[my original post had an incorrect debian-userS as the list name, which
then migrated to the cc of the reply]
-------- Forwarded Message --------
From: Ross Boylan <RossBoylan@stanfordalumni.org>
To: Michael Shuler <michael@pbandjelly.org>
Cc: RossBoylan@stanfordalumni.org, debian-users@lists.debian.org
Subject: Re: repeated rejection of lookups of bad name
Date: Sun, 11 Nov 2007 12:40:13 -0800
On Sun, 2007-11-11 at 13:05 -0600, Michael Shuler wrote:
> On 11/11/2007 12:47 PM, Ross Boylan wrote:
> > Why is this happening? That is,
> > 1. why is the query being generated every hour? The timing seems to
> > coincide with hourly runs of logcheck.
> > 2. why is it looking for ::1#53 as the DNS server? I have not
> > configured bind9 to accept queries on ::1. So the question isn't why
> > it's being rejected, but why that location is being queried.
> > 3. How can I stop these queries?
>
> 1. The mail server queue is likely to be running every hour and just
> reprocessing.
>
There's nothing in the queue, consistent with the message having been
rejected anyway. I ran logcheck from the console and verified that doing
so produces the error. I think I know why. The spamassassin report of
the mail from logcheck is
X-Spam_report: (-1.1 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: palmcoastcondo.com]
-0.4 AWL                    AWL: From: address is in the auto white-list
So spamassassin is looking in the body of the message and sees the URL.
It must then do a lookup of it. This causes an error, which then
happens again when logcheck runs again, ad infinitum.
> 2. Because the palmcoastcondo.com domain owner has borked authoritative
> servers of ns1./ns2.nameserver.com..
>
> mshuler@ares:~$ host ns1.nameserver.com.
> ns1.nameserver.com has address 204.77.64.1
> ns1.nameserver.com has IPv6 address ::1
> mshuler@ares:~$ host ns2.nameserver.com.
> ns2.nameserver.com has address 127.0.0.1
> ns2.nameserver.com has IPv6 address ::1
>
Ah, so it does a DNS lookup of palmcoastcondo and is told to try ::1,
which sends it back to my machine.
> You can also 'dig any ns1.nameserver.com.' and 'dig any
> ns2.nameserver.com.' for more detail - AAAA records of ::1..
>
> DNS amateurs. And probably UCB, unless you want the condo sales spew..
>
> 3. I would ignore it, and/or remove the messages from the queue, and/or
> blacklist the domain.
I think I'll investigate why logcheck is not filtering out this message,
and add something so that it does, at least temporarily. That should
put an end to it.
[new in this message]
The bind patterns for logcheck do not match IPv6 IPs, which looks like an oversight. I'll file a bug.
Another approach would be to stop spamassassin from checking my internal
mails.
Thanks for your help.
Ross
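The IPv6 gap Ross describes, as an added illustration that is not part of the thread and not the actual Debian logcheck rule: a logcheck-style ignore pattern for BIND's "query denied" message, first written IPv4-only and then widened to accept IPv6 clients such as ::1. The log lines are constructed, and the patterns are written for Python's re module rather than the egrep syntax real logcheck rules use.

```python
import re

# Constructed sample BIND log lines (not from the original thread): the same
# "query denied" event from an IPv4 client and from the IPv6 loopback ::1,
# plus an unrelated line that no ignore rule should swallow.
SAMPLE_LINES = [
    "Nov 11 12:40:13 ares named[1234]: client 192.0.2.10#53: "
    "query (cache) 'palmcoastcondo.com/A/IN' denied",
    "Nov 11 12:40:13 ares named[1234]: client ::1#53: "
    "query (cache) 'palmcoastcondo.com/A/IN' denied",
    "Nov 11 12:40:14 ares named[1234]: zone example.org/IN: "
    "loaded serial 2007111101",
]

# Hypothetical address sub-patterns (assumption, not logcheck's own text).
ADDR_V4 = r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}"
# Plain IPv6 (::1, fe80::1) or IPv4-mapped IPv6 (::ffff:192.0.2.1).
ADDR_V6 = r"[0-9A-Fa-f:]+(?::" + ADDR_V4 + r")?"


def rule(addr: str) -> "re.Pattern[str]":
    """Build an ignore rule for 'client <addr>#<port>: query (cache) ... denied'."""
    return re.compile(
        r"^\w{3} [ :0-9]{11} [\w.-]+ named\[[0-9]+\]: client "
        + addr + r"#[0-9]+: query \(cache\) '[^']+' denied$"
    )


IPV4_ONLY = rule(ADDR_V4)                          # the oversight
IPV4_OR_IPV6 = rule(r"(?:" + ADDR_V4 + r"|" + ADDR_V6 + r")")  # the fix


def unfiltered(lines, pattern):
    """Lines logcheck would still report after applying the ignore pattern."""
    return [line for line in lines if not pattern.search(line)]


if __name__ == "__main__":
    for name, pat in (("IPv4-only", IPV4_ONLY), ("IPv4+IPv6", IPV4_OR_IPV6)):
        print(f"{name}: {len(unfiltered(SAMPLE_LINES, pat))} line(s) still reported")
```

With the IPv4-only rule the ::1 line is reported every run, which is exactly the hourly repeat in the thread; the widened rule leaves only the unrelated zone-load line.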