Hi Ross,

On Sun, Nov 11, 2007 at 10:47:13AM -0800, Ross Boylan wrote:
> A few days ago I received a message with a return path of
> berendbrothers.com@palmcoastcondo.com.
> exim4's data ACL rejected the message.

[...]

> Since then, every hour at 2 minutes after the hour I get the
> named[xxxx]: unexpected RCODE (REFUSED) resolving
> 'palmcoastcondo.com/TXT/IN': ::1#53
> message.
>
> Googling indicates this means that a DNS query is going to ::1, which I
> think is IPv6 for localhost, and the DNS server (which is mine) is
> rejecting the query.

I believe that your DNS server is reporting an error code it is receiving from the auth. servers for palmcoastcondo.com.

> Why is this happening? That is,
> 1. why is the query being generated every hour? The timing seems to
> coincide with hourly runs of logcheck.

It is probably being checked by spamassassin's URIBL module as it appears in email going to you.

> 2. why is it looking for ::1#53 as the DNS server? I have not
> configured bind9 to accept queries on ::1. So the question isn't why
> it's being rejected, but why that location is being queried.

I imagine that your named is listening on all interfaces. What is in /etc/resolv.conf?

> 3. How can I stop these queries?

There are several ways. For example you could:

- stop receiving email with that domain name in it.
- Turn off URIBL queries

but instead I would recommend ignoring it, and taking steps to make ignoring it easier.

> Also, my logcheck rules aren't filtering the unexpected RCODE messages
> out. I suspect they should, but the reason will probably be clear by
> inspecting them.

Usually when I have problems like this with logcheck it is because the message also matches something in the "violations" files, which are positive matches. I would take a guess at "REFUSED" being in /etc/logcheck/violations.d/logcheck.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
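
The guess about the "violations" files in the reply above can be checked by testing the log line against each rule directory. This shell script is an added example, not part of the original message or of logcheck itself; it assumes the Debian rule layout (`violations.d`, `violations.ignore.d` and `ignore.d.server` under `/etc/logcheck`), the function names are hypothetical, and the sample log line is constructed from the message quoted in the thread.

```shell
#!/bin/sh
# Root of the logcheck rule tree (assumed Debian layout); override to test.
: "${LOGCHECK_DIR:=/etc/logcheck}"

# Constructed sample: timestamp, host name and pid are made up; the message
# text is the one quoted in the email.
SAMPLE_LINE="Nov 11 10:02:01 host named[1234]: unexpected RCODE (REFUSED) resolving 'palmcoastcondo.com/TXT/IN': ::1#53"

# matching_rules DIR LINE
# Print "file: pattern" for every extended regex under DIR that matches LINE.
matching_rules() {
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Skip comments and blank lines; each remaining line is one pattern.
        grep -v -e '^#' -e '^[[:space:]]*$' "$f" |
        while IFS= read -r pat; do
            if printf '%s\n' "$2" | grep -E -q -e "$pat" 2>/dev/null; then
                printf '%s: %s\n' "$f" "$pat"
            fi
        done
    done
}

# classify LINE
# violation: matched in violations.d and not cancelled by violations.ignore.d,
#            so an ignore.d.server rule does not silence it
# ignored:   silenced by an ignore.d.server rule
# reported:  no rule matched, so it shows up as an ordinary system event
classify() {
    viol=$(matching_rules "$LOGCHECK_DIR/violations.d" "$1")
    vign=$(matching_rules "$LOGCHECK_DIR/violations.ignore.d" "$1")
    ign=$(matching_rules "$LOGCHECK_DIR/ignore.d.server" "$1")
    if [ -n "$viol" ] && [ -z "$vign" ]; then
        echo violation
    elif [ -n "$ign" ]; then
        echo ignored
    else
        echo reported
    fi
}

# Stand-alone use: classify the given line (or the sample) and show which
# violations rules are responsible.
line=${1:-$SAMPLE_LINE}
classify "$line"
matching_rules "$LOGCHECK_DIR/violations.d" "$line"
```

A verdict of `violation` together with a listed rule file means an ignore rule alone will not hide the message; the pattern has to be matched under `violations.ignore.d` as well.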