www server question

Brian Densmore DensmoreB at ctbsonline.com
Wed Sep 26 00:09:57 CDT 2001


Gerald,

> > What is this?
> 
> A "lame server" error indicates that a server that's supposed to be
> authoritative for that domain isn't.  In this case ns{1|2|3}.anet.com are
> all supposed to be authoritative for 208.92.198.in-addr.arpa (in other
> words, they're supposed to be able to respond to reverse lookups for
> 198.92.208.x), but aren't.
Does that mean someone bounced a DNS lookup off of my server? No one was
on my server at that time and there was no "authorized" mail going out
(because I am the only one who logs on). And the bind daemon running on the
box is not a "known" authoritative server; it is used only for internal
translations.

> According to 'dig', ns0.verio.net (the SOA for 243.17.198.in-addr.arpa)
> lists b.ns.verio.net as the SOA for 188.243.17.198.in-addr.arpa.
> B.ns.verio.net lists itself as the SOA for 243.17.198.in-addr.arpa but not
> for 188.243.17.198.in-addr.arpa.  Confused yet?
> 
> Verio appears to have their DNS servers misconfigured.  If my
> experience with them is any indication, this isn't unusual.
Same question here. Why would my computer be surfing the internet?

> 
> 
> > Did someone crack into my mail-server to spam?!
> 
> It depends.  There should be another (adjacent) line in the log file that
> lists the message ID (CAA22719) along with the recipient.  What does it
> say?
There is no other entry for that message ID. Does that mean my mail
server dropped it? I also found one more of these from nobody e-mails in
a week of logged data. I now think these are the spam that the users
were getting. I did have one or two of the spams themselves in my box.
So, I now think my box didn't generate the spam. It looks like this evil
person is spamming certain "known mail addresses" and then sending more
spam to the domain with some generic names.

I also found this lone record (and 17 other to nobody records, some
accompanied each other in addition to ):
Sep 20 06:42:40 dunsmuir sendmail[23988]: GAA23987: to=, delay=00:00:10, xdelay=00:00:09, mailer=local, stat=Sent
These entries I have confirmed were dropped in my mail box by the server
(these are the requests for removal).

Does that sound like a possibly correct interpretation?

Thanks for all the great input,
Brian
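The thread above turns on correlating sendmail log lines by queue ID: a `from=` line with no matching `to=` line (the CAA22719 case) versus a `to=` line with an empty recipient (the GAA23987 line quoted above). The script below is an added example, not code from the thread or from sendmail; it groups syslog-format sendmail entries by queue ID and reports both conditions. The only real log line in the sample is the GAA23987 entry quoted above; every other line, and all addresses and hostnames, are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (syslog format as written by sendmail). Only the
# GAA23987 "to=" line is taken from the message above; the rest is made up.
SAMPLE_LOG = """\
Sep 20 06:42:30 dunsmuir sendmail[23987]: GAA23987: from=<nobody@example.invalid>, size=1234, class=0, pri=31234, nrcpts=1, msgid=<x@example.invalid>, proto=SMTP, relay=[192.0.2.10]
Sep 20 06:42:40 dunsmuir sendmail[23988]: GAA23987: to=, delay=00:00:10, xdelay=00:00:09, mailer=local, stat=Sent
Sep 20 07:01:02 dunsmuir sendmail[24101]: HAA24101: from=<nobody@example.invalid>, size=980, class=0, pri=30980, nrcpts=1, msgid=<y@example.invalid>, proto=SMTP, relay=[192.0.2.11]
Sep 20 07:15:55 dunsmuir sendmail[24200]: HAA24200: from=<brian@example.invalid>, size=2048, class=0, pri=32048, nrcpts=1, msgid=<z@example.invalid>, proto=SMTP, relay=localhost
Sep 20 07:15:56 dunsmuir sendmail[24201]: HAA24200: to=<gerald@example.invalid>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mail.example.invalid., stat=Sent
"""

# Queue IDs in this era of sendmail look like three letters plus digits
# (e.g. GAA23987). Everything after "QUEUEID: " is a comma-separated
# key=value list.
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Z]{3}\d+): (?P<rest>.*)$")


def parse_fields(rest):
    """Split 'k=v, k=v, ...' into a dict; a bare 'to=' yields an empty value."""
    fields = {}
    for part in rest.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def parse_sendmail_log(text):
    """Group log lines by queue ID, collecting the from= and to= values seen."""
    records = defaultdict(lambda: {"from": [], "to": [], "raw": []})
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # not a per-message sendmail line; ignore
        qid = match.group("qid")
        fields = parse_fields(match.group("rest"))
        rec = records[qid]
        rec["raw"].append(line)
        if "from" in fields:
            rec["from"].append(fields["from"])
        if "to" in fields:
            rec["to"].append(fields["to"])
    return dict(records)


def find_orphans(records):
    """Queue IDs that logged a from= line but never a to= line.

    Within a single log window this means the delivery line was not
    recorded here: it may be in a later or rotated file, or the message
    may never have reached the delivery stage. The log alone does not say
    which, so treat these as items to check, not as a verdict.
    """
    return sorted(q for q, r in records.items() if r["from"] and not r["to"])


def find_empty_recipients(records):
    """Queue IDs whose to= field is empty, as in the quoted GAA23987 line."""
    return sorted(q for q, r in records.items() if any(t == "" for t in r["to"]))


if __name__ == "__main__":
    recs = parse_sendmail_log(SAMPLE_LOG)
    print("from= with no to= line:", find_orphans(recs))
    print("empty to= recipient:  ", find_empty_recipients(recs))
```

Run against a real `/var/log/maillog` with `parse_sendmail_log(open(path).read())`; because the grouping is by queue ID rather than by adjacency, it still pairs the envelope and delivery lines when other traffic is interleaved between them.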



