www server question

Gerald Combs gerald at ethereal.com
Tue Sep 25 20:17:25 CDT 2001


On Tue, 25 Sep 2001, Brian Densmore wrote:

> Checking my mail today, I found several remove requests in my admin
> mailbox. This I found quite odd as I don't maintain a newsletter, or
> spam anyone from my server.
> 
> Checking my logs I discovered this:
> 
> Sep 19 11:30:30 dunsmuir named[356]: Lame server on
> '137.208.92.198.in-addr.arpa' (in '208.92.198.IN-ADDR.ARPA'?):
> [207.112.196.69].53 'ns3.anet.com'
> Sep 19 11:30:30 dunsmuir named[356]: Lame server on
> '137.208.92.198.in-addr.arpa' (in '208.92.198.IN-ADDR.ARPA'?):
> [207.7.4.66].53
> 'ns1.anet.com'
> Sep 19 11:30:30 dunsmuir named[356]: Lame server on
> '137.208.92.198.in-addr.arpa' (in '208.92.198.IN-ADDR.ARPA'?):
> [207.7.4.67].53
> 'ns2.anet.com'
> 
> What is this?

A "lame server" error indicates that a server that's supposed to be
authoritative for that domain isn't.  In this case ns{1|2|3}.anet.com are
all supposed to be authoritative for 208.92.198.in-addr.arpa (in other
words, they're supposed to be able to respond to reverse lookups for
198.92.208.x), but aren't.

> And this one (happened five times, as noted in second message):
> 
> Sep 19 23:05:33 dunsmuir named[356]: bad referral
> (243.17.198.in-addr.arpa !< 188.243.17.198.IN-ADDR.ARPA) from
> [129.250.35.32].53
> Sep 19 23:05:33 dunsmuir last message repeated 4 times 

According to 'dig', ns0.verio.net (the SOA for 243.17.198.in-addr.arpa)
lists b.ns.verio.net as the SOA for 188.243.17.198.in-addr.arpa.
B.ns.verio.net lists itself as the SOA for 243.17.198.in-addr.arpa but not
for 188.243.17.198.in-addr.arpa.  Confused yet?

Verio appears to have their DNS servers misconfigured.  If my
experiences with them are any indication, this isn't unusual.

> AND THIS ONE!
> 
> Sep 20 02:42:07 dunsmuir sendmail[22719]: CAA22719:
> from=<owner-nolist-136_1*BOB**AMASON*-NET at LISTSERV.NETWORKPROMOTION.COM>
> , size=0, class=0, pri=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP,
> relay=glmail4.networkpromotion.com [142.166.168.174]
> 
> Did someone crack into my mail-server to spam?!

It depends.  There should be another (adjacent) line in the log file that
lists the message ID (CAA22719) along with the recipient.  What does it
say?

> 
> Any help on how to stop these crackers would be appreciated.
> 
> Brian Densmore
> Associate
> mailto:densmoreb at ctbsonline.com
> CompuTech Business Solutions, Inc.
> http://www.ctbsonline.com/
> 
> 
> 
> 
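
The check asked for in the reply above (find the other log line carrying the same queue ID and read its recipient) can be scripted. This is an added example, not part of the original thread: the log lines are constructed in sendmail's syslog layout, and the set of local mailer names and the "localhost" test are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in sendmail's syslog layout; hosts and addresses are placeholders.
SAMPLE_LOG = """\
Sep 20 02:42:07 mx sendmail[22719]: CAA22719: from=<list@sender.example>, size=0, class=0, pri=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, relay=out.sender.example [192.0.2.10]
Sep 20 03:10:01 mx sendmail[22801]: DAA22801: from=<a@sender.example>, size=2310, class=0, pri=32310, nrcpts=1, proto=ESMTP, relay=out.sender.example [192.0.2.10]
Sep 20 03:10:02 mx sendmail[22803]: DAA22801: to=<user@elsewhere.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mx.elsewhere.example. [198.51.100.7], stat=Sent (OK)
Sep 20 03:15:40 mx sendmail[22850]: DAA22850: from=<b@sender.example>, size=1200, class=0, pri=31200, nrcpts=1, proto=ESMTP, relay=out.sender.example [192.0.2.10]
Sep 20 03:15:41 mx sendmail[22851]: DAA22850: to=<admin@local.example>, delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): (from|to)=([^,]*)(.*)")
FIELD = re.compile(r"(\w+)=([^,]*)")
LOCAL_MAILERS = {"local", "prog", "*file*"}  # assumption: everything else leaves the host


def classify(log_text):
    """Group from=/to= lines by queue ID and say what happened to each message."""
    msgs = defaultdict(lambda: {"relay": "", "to": []})
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        qid, kind, addr, rest = m.groups()
        fields = dict(FIELD.findall(rest))
        if kind == "from":
            msgs[qid]["relay"] = fields.get("relay", "")
        else:
            msgs[qid]["to"].append((addr, fields.get("mailer"), fields.get("stat", "")))

    verdicts = {}
    for qid, msg in msgs.items():
        # Assumption: only mail submitted on the host itself shows "localhost" as relay.
        external = "localhost" not in msg["relay"]
        forwarded = [a for a, mailer, stat in msg["to"]
                     if mailer not in LOCAL_MAILERS and stat.startswith("Sent")]
        if not msg["to"]:
            verdicts[qid] = "no recipient line"
        elif external and forwarded:
            verdicts[qid] = "relayed to " + ", ".join(forwarded)
        else:
            verdicts[qid] = "local or locally submitted"
    return verdicts


if __name__ == "__main__":
    for qid, verdict in classify(SAMPLE_LOG).items():
        print(qid, verdict)
```

A queue ID that has a from= line with nrcpts=0 and no matching to= line means no recipient was accepted for that message; a "relayed to" verdict is the case worth investigating.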



