www server question
Gerald Combs
gerald at ethereal.com
Tue Sep 25 20:17:25 CDT 2001
On Tue, 25 Sep 2001, Brian Densmore wrote:
> Checking my mail today, I found several remove requests in my admin
> mailbox. This I found quite odd as I don't maintain a newsletter, or
> spam anyone from my server.
>
> Checking my logs I discovered this:
>
> Sep 19 11:30:30 dunsmuir named[356]: Lame server on
> '137.208.92.198.in-addr.arpa' (in '208.92.198.IN-ADDR.ARPA'?):
> [207.112.196.69].53 'ns3.anet.com'
> Sep 19 11:30:30 dunsmuir named[356]: Lame server on
> '137.208.92.198.in-addr.arpa' (in '208.92.198.IN-ADDR.ARPA'?):
> [207.7.4.66].53
> 'ns1.anet.com'
> Sep 19 11:30:30 dunsmuir named[356]: Lame server on
> '137.208.92.198.in-addr.arpa' (in '208.92.198.IN-ADDR.ARPA'?):
> [207.7.4.67].53
> 'ns2.anet.com'
>
> What is this?
A "lame server" error indicates that a server that's supposed to be
authoritative for that domain isn't. In this case ns{1|2|3}.anet.com are
all supposed to be authoritative for 208.92.198.in-addr.arpa (in other
words, they're supposed to be able to respond to reverse lookups for
198.92.208.x), but aren't.
> And this one (happened five times, as noted in second message):
>
> Sep 19 23:05:33 dunsmuir named[356]: bad referral
> (243.17.198.in-addr.arpa !< 188.243.17.198.IN-ADDR.ARPA) from
> [129.250.35.32].53
> Sep 19 23:05:33 dunsmuir last message repeated 4 times
According to 'dig', ns0.verio.net (the SOA for 243.17.198.in-addr.arpa)
lists b.ns.verio.net as the SOA for 188.243.17.198.in-addr.arpa.
B.ns.verio.net lists itself as the SOA for 243.17.198.in-addr.arpa but not
for 188.243.17.198.in-addr.arpa. Confused yet?
Verio appears to have their DNS servers misconfigured. If my
experiences with them are any indication, this isn't unusual.
> AND THIS ONE!
>
> Sep 20 02:42:07 dunsmuir sendmail[22719]: CAA22719:
> from=<owner-nolist-136_1*BOB**AMASON*-NET at LISTSERV.NETWORKPROMOTION.COM>
> , size=0, class=0, pri=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP,
> relay=glmail4.networkpromotion.com [142.166.168.174]
>
> Did someone crack into my mail-server to spam?!
It depends. There should be another (adjacent) line in the log file that
lists the message ID (CAA22719) along with the recipient. What does it
say?
>
> Any help on how to stop these crackers would be appreciated.
>
> Brian Densmore
> Associate
> mailto:densmoreb at ctbsonline.com
> CompuTech Business Solutions, Inc.
> http://www.ctbsonline.com/
>
>
>
>
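The check suggested in the reply above (finding the to= entry that shares a queue ID with a from= entry), sketched as an added example that is not part of the original message. The log lines are constructed samples using documentation addresses, and the `local_domains` and `trusted_relays` parameters and the verdict labels are assumptions of this sketch.

```python
import re
from collections import defaultdict

# sendmail syslog entry: "... sendmail[pid]: QUEUEID: from=... / to=..."
ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): ((?:from|to)=.*)$")
# key=value pairs separated by ", "; a value ends at the next ", key=" or EOL
FIELD = re.compile(r"(\w+)=(.*?)(?:, (?=\w+=)|$)")
RELAY_IP = re.compile(r"\[([0-9.]+)\]")

def correlate(lines, local_domains, trusted_relays=("127.0.0.1",)):
    """Pair each from= entry with its to= entries by queue ID and label it."""
    msgs = defaultdict(lambda: {"from": None, "relay_ip": None, "to": []})
    for line in lines:
        m = ENTRY.search(line.strip())
        if not m:
            continue  # lines from named or other daemons
        qid, fields = m.group(1), dict(FIELD.findall(m.group(2)))
        if "from" in fields:
            ip = RELAY_IP.search(fields.get("relay", ""))
            msgs[qid]["from"] = fields["from"].strip("<>")
            msgs[qid]["relay_ip"] = ip.group(1) if ip else None
        else:
            msgs[qid]["to"].append(fields["to"].strip("<>").lower())
    report = {}
    for qid, msg in msgs.items():
        offsite = [r for r in msg["to"] if r.rpartition("@")[2] not in local_domains]
        if not msg["to"]:
            verdict = "no-recipient-line"   # no to= entry logged for this ID
        elif offsite and msg["relay_ip"] not in trusted_relays:
            verdict = "third-party-relay"   # outside host -> outside recipient
        else:
            verdict = "expected"
        report[qid] = {"verdict": verdict, "relay_ip": msg["relay_ip"], "offsite": offsite}
    return report

# Constructed sample lines (documentation addresses, not from the original log)
SAMPLE = """\
Sep 20 02:42:07 mailhost sendmail[101]: CAA00001: from=<bulk@sender.example>, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=out.sender.example [192.0.2.10]
Sep 20 02:50:11 mailhost sendmail[102]: CAA00002: from=<bulk@sender.example>, size=2048, class=0, pri=32048, nrcpts=1, proto=ESMTP, relay=out.sender.example [192.0.2.10]
Sep 20 02:50:12 mailhost sendmail[103]: CAA00002: to=<victim@elsewhere.example>, delay=00:00:01, mailer=esmtp, relay=mx.elsewhere.example. [198.51.100.7], stat=Sent (OK)
Sep 20 03:01:40 mailhost sendmail[104]: CAA00003: from=<friend@elsewhere.example>, size=900, class=0, pri=30900, nrcpts=1, proto=ESMTP, relay=mx.elsewhere.example [198.51.100.7]
Sep 20 03:01:41 mailhost sendmail[105]: CAA00003: to=<admin@local.example>, delay=00:00:01, mailer=local, stat=Sent
Sep 20 03:02:00 mailhost named[356]: Lame server on 'x.in-addr.arpa'
""".splitlines()

if __name__ == "__main__":
    for qid, info in correlate(SAMPLE, {"local.example"}).items():
        print(qid, info)
```

A "third-party-relay" verdict here only means an untrusted host handed the server mail for a non-local recipient; whether that is abuse still depends on the site's relay policy.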