www server question

Gerald Combs gerald at ethereal.com
Fri Sep 28 03:00:45 CDT 2001


On Tue, 25 Sep 2001, Brian Densmore wrote:

> Gerald,
> 
> > > What is this?
> > 
> > A "lame server" error indicates that a server that's supposed to be
> > authoritative for that domain isn't.  In this case 
> > ns{1|2|3}.anet.com are
> > all supposed to be authoritative for 208.92.198.in-addr.arpa (in other
> > words, they're supposed to be able to respond to reverse lookups for
> > 198.92.208.x), but aren't.
> Does that mean someone bounced a DNS lookup off of my server? No one was
> on my server at that time and there was no "authorized" mail going out
> (because I am the only one who logs on). And the bind daemon running on the
> box is not a "known" authoritative server, it is used only for internal
> translations.

Any number of things can trigger a DNS lookup.  Is anyone else using your
box as a DNS server?  Do you have a web, ftp, or any other type of server
on the box?

> There is no other entry for that message ID. Does that mean my mail
> server dropped it? I also found one more of these from nobody e-mails in
> a week of logged data. I now think these are the spam that the users
> were getting. I did have one or two of the spams themselves in my box.
> So, I now think my box didn't generate the spam. It looks like this evil
> person is spamming certain "known mail addresses" and then sending more
> spam to the domain with some generic names.
> 
> I also found this lone record (and 17 other to nobody records, some
> accompanied each other in addition to ):
> Sep 20 06:42:40 dunsmuir sendmail[23988]: GAA23987: to=, delay=00:00:10,
> xdelay=00:00:09, mailer=local, stat=Sent 
> These entries I have confirmed were dropped in my mail box by the server
> (these are the requests for removal).
> 
> Does that sound like a possibly correct interpretation?

Any "from" entry in your maillog should be accompanied by a subsequent
"to" entry with a matching message ID (assuming the message was accepted
by the server).  The "to=," bugs me - if delivery was made using the
"local" mailer, shouldn't a user/mailbox name be listed?

> Thanks for all the great input,
> Brian
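The check Gerald describes above, pairing each "from" entry with a later "to" entry that carries the same queue ID (what the thread calls the message ID) and flagging a local delivery whose "to=" is empty, as an added Python example that is not part of the original thread. The sample maillog lines, hostnames and addresses are constructed; only the record layout follows the line Brian quoted.

```python
import re
from collections import defaultdict

# Constructed sendmail maillog sample (not from the thread), in the same layout as the quoted line.
SAMPLE_LOG = """\
Sep 20 06:42:30 dunsmuir sendmail[23987]: GAA23987: from=<nobody@example.invalid>, size=1024, class=0, pri=31024, nrcpts=1, msgid=<x1@example.invalid>, proto=SMTP, relay=mail.example.invalid [192.0.2.10]
Sep 20 06:42:40 dunsmuir sendmail[23988]: GAA23987: to=, delay=00:00:10, xdelay=00:00:09, mailer=local, stat=Sent
Sep 20 07:01:02 dunsmuir sendmail[24010]: HAA24010: from=<brian@example.invalid>, size=512, class=0, pri=30512, nrcpts=1, msgid=<x2@example.invalid>, proto=SMTP, relay=localhost
Sep 20 07:01:03 dunsmuir sendmail[24011]: HAA24010: to=brian, delay=00:00:01, xdelay=00:00:01, mailer=local, stat=Sent
Sep 20 07:15:00 dunsmuir sendmail[24050]: HAA24050: from=<spammer@example.invalid>, size=2048, class=0, pri=32048, nrcpts=1, msgid=<x3@example.invalid>, proto=SMTP, relay=[198.51.100.7]
"""

# timestamp, host, pid, queue ID, then a from= or to= record followed by key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z]{3}\d+): (?P<kind>from|to)=(?P<addr>[^,]*),(?P<rest>.*)$"
)


def parse_maillog(text):
    """Group from=/to= records by sendmail queue ID; other log lines are ignored."""
    records = defaultdict(lambda: {"from": [], "to": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # remaining "key=value" fields (delay, mailer, stat, ...) become a dict
        fields = dict(kv.strip().split("=", 1) for kv in d["rest"].split(",") if "=" in kv)
        records[d["qid"]][d["kind"]].append({"addr": d["addr"].strip("<>"), **fields})
    return records


def audit(records):
    """Flag queue IDs whose from= has no to=, and local deliveries with an empty recipient."""
    findings = []
    for qid, r in sorted(records.items()):
        if r["from"] and not r["to"]:
            findings.append((qid, "from without matching to (not accepted or still queued)"))
        for t in r["to"]:
            if t.get("mailer") == "local" and t["addr"] == "":
                findings.append((qid, "local delivery with empty recipient"))
    return findings


if __name__ == "__main__":
    for qid, why in audit(parse_maillog(SAMPLE_LOG)):
        print(qid, why)
```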
More information about the Kclug mailing list