named and SpamAssassin

/dev/rob0 rob0 at gmx.co.uk
Mon Jul 18 02:50:02 UTC 2005


> Barry Margolin wrote:
>>So someone was trying to look up the nameservers for the love-walker.com
>>domain.  It's pretty unusual for applications to look up NS records
>>explicitly, it mostly comes from troubleshooting utilities.

I wouldn't be surprised to hear that something like SpamAssassin does 
this. Spammers break many things, intentionally, and broken DNS is a 
likely sign of spam.

Chris wrote:
> Barry, above is the complete syslog entry on this message from when spamd
> was called to the time it was identified as spam.  The URLs that named is
> attempting to resolve are in the message.  However, it seems that not all
> spam messages with URLs embedded are being resolved or attempting to. 
> Guess it's just another mystery of life.  Of course it could be Razor,
> Pyzor, DCC or any of the other network checks I run that is actually

Not a mystery at all. The answers are probably in the documentation or 
source code of these utilities. :)

FWIW much spam can be detected pre-queue and pre-DATA. Content filters 
like SpamAssassin are an inefficient first-line defense against spam. 
Most MTAs can do a good job without wasting so much of your resources 
(both CPU and bandwidth).

I've nothing against SA and content filtering, but I don't use it 
myself. I concentrate my efforts on pre-DATA blocking of spam.

> calling named to do this. It's not hurting anything so as you suggested I'll
> just ignore it.  I just get curious when I see new things in my syslog.

Nothing wrong with that. It's good to keep in touch with syslog. :)
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header


