named and SpamAssassin

Mark Andrews Mark_Andrews at isc.org
Mon Jul 18 02:20:43 UTC 2005


> Barry Margolin wrote:
> 
> >> 
> >> What does the /NS/IN stand for?
> > 
> > NS means it's querying for a NameServer record, and IN means INternet
> > class (just about everything is in this class, so you can pretty much
> > ignore it).
> > 
> > So someone was trying to look up the nameservers for the love-walker.com
> > domain.  It's pretty unusual for applications to look up NS records
> > explicitly, it mostly comes from troubleshooting utilities.
> > 
> 
> Jul 17 11:49:20 cpollock spamd[15496]: processing message <20050718014838>
> for chris:501. 
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving
> 'love-walker.com/NS/IN': 212.118.243.118#53

	Looks like name-services.com is not running RFC compliant
	nameservers.

	The answer below is not correct.  It is authoritatively
	(aa=1) saying that there are no NS records yet returns the
	NS records in the authority section.  The NS records should
	have been in the ANSWER section.  Named has correctly flagged
	the answer as being malformed.

; <<>> DiG 9.3.2prerelease <<>> ns +norec love-walker.com @212.118.243.118
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20011
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;love-walker.com.		IN	NS

;; AUTHORITY SECTION:
love-walker.com.	3600	IN	NS	dns1.name-services.com.
love-walker.com.	3600	IN	NS	dns2.name-services.com.
love-walker.com.	3600	IN	NS	dns3.name-services.com.
love-walker.com.	3600	IN	NS	dns4.name-services.com.
love-walker.com.	3600	IN	NS	dns5.name-services.com.

;; ADDITIONAL SECTION:
dns1.name-services.com.	3600	IN	A	69.25.142.1
dns2.name-services.com.	3600	IN	A	216.52.184.230
dns3.name-services.com.	3600	IN	A	63.251.83.36
dns4.name-services.com.	3600	IN	A	64.74.96.242
dns5.name-services.com.	3600	IN	A	212.118.243.118

;; Query time: 331 msec
;; SERVER: 212.118.243.118#53(212.118.243.118)
;; WHEN: Mon Jul 18 12:13:07 2005
;; MSG SIZE  rcvd: 257

> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving 'maziai.com/NS/IN':
> 212.118.243.118#53
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving
> 'neo-celeb.com/NS/IN': 212.118.243.118#53
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving
> 'love-walker.com/NS/IN': 69.25.142.1#53
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving 'maziai.com/NS/IN':
> 69.25.142.1#53
> Jul 17 11:49:21 cpollock named[10429]: FORMERR resolving
> 'neo-celeb.com/NS/IN': 69.25.142.1#53
> Jul 17 11:49:26 cpollock spamd[15496]: identified spam (8.5/5.0) for
> chris:501 in 6.2 seconds, 4196 bytes. 
> 
> Barry, above is the complete syslog entry on this message from when spamd
> was called to the time it was identified as spam.  The URLs that named is
> attempting to resolve are in the message.  However, it seems that not all
> spam messages with URLs embedded are being resolved or attempting to. 
> Guess it's just another mystery of life.  Of course it could be Razor,
> Pyzor, DCC or any of the other network checks I run that is actually
> calling named to do this. It's not hurting anything so as you suggested I'll
> just ignore it.  I just get curious when I see new things in my syslog.
> 
> Thanks
> 
> -- 
> Chris
> Registered Linux User 283774 http://counter.li.org
> 15:12:15 up 22:45, 2 users, load average: 0.66, 0.46, 0.46
> Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> A judge is a law student who marks his own examination papers
>                 -- H.L. Mencken on Murphy n°1
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
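
A check for the malformed pattern described in the reply above (aa=1, NOERROR, empty ANSWER section, yet records matching the question sit in the AUTHORITY section), added here as an example and not part of the original message or of BIND. The function names are hypothetical, the sample is abridged from the dig output quoted above, and the comparison is generalized to any question type rather than only NS.

```python
import re

# Constructed sample: abridged from the dig output quoted in the message.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20011
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;love-walker.com.    IN  NS

;; AUTHORITY SECTION:
love-walker.com.  3600  IN  NS  dns1.name-services.com.
love-walker.com.  3600  IN  NS  dns2.name-services.com.
"""

def parse_dig(text):
    """Parse dig's text output into status, flags, question and sections."""
    msg = {"status": None, "flags": set(), "question": None, "sections": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"status: (\w+)", line):
            msg["status"] = m.group(1)
        elif m := re.match(r";; flags: ([a-z ]*);", line):
            msg["flags"] = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
            msg["sections"].setdefault(section, [])
        elif section == "QUESTION" and line.startswith(";") and not line.startswith(";;"):
            name, qclass, qtype = line[1:].split()
            msg["question"] = (name.lower(), qclass, qtype)
        elif section and line and not line.startswith(";"):
            name, _ttl, rclass, rtype, rdata = line.split(None, 4)
            msg["sections"][section].append((name.lower(), rclass, rtype, rdata))
    return msg

def misplaced_answer(msg):
    """True when an authoritative NOERROR reply has an empty ANSWER section
    but carries records matching the question in the AUTHORITY section."""
    if msg["status"] != "NOERROR" or "aa" not in msg["flags"] or not msg["question"]:
        return False
    if msg["sections"].get("ANSWER"):  # dig omits the header of an empty section
        return False
    authority = msg["sections"].get("AUTHORITY", [])
    return any(rec[:3] == msg["question"] for rec in authority)

if __name__ == "__main__":
    print("misplaced answer:", misplaced_answer(parse_dig(SAMPLE)))
```

A genuine "no data" reply, with only an SOA record in the AUTHORITY section, is not flagged because the record type does not match the question.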


