[Rspamd-Users] Newbie: What does this log message mean?

Alexander Moisseev moiseev at mezonplus.ru
Tue Dec 24 09:00:58 UTC 2019


23.12.2019 15:53, Gerben Wierda wrote:
> On 5 Nov 2019, at 12:01, Reio Remma via Users <users at lists.rspamd.com> wrote:
>>
>> On 05/11/2019 12:53, Gerben Wierda wrote:
>>> I am new to rspamd. I was busy installing rspamd on a machine where I have unbound set up. In the rspamd log I noticed:
>>>
>>> 2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>>> 2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>> 2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:25:00 GMT
>>> 2019-11-03 16:26:25 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:31:25 GMT
>>> 2019-11-03 16:27:31 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>> 2019-11-03 16:29:50 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
>>> 2019-11-03 16:31:27 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:36:27 GMT
>>> 2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org after 2619.0 seconds of downtime, total downtime: 2619.0
>>>
>>> So, some config problem with rspamd, apparently. But what really caught my eye was
>>>
>>> when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>>>
>>> But these domains are not resolvable:
>>>
>>> albus:~ sysbh$ nslookup multi.uribl.com
>>> Server:		192.168.2.66
>>> Address:	192.168.2.66#53
>>>
>>> Non-authoritative answer:
>>> *** Can't find multi.uribl.com: No answer
>>>
>>> albus:~ sysbh$ nslookup dwl.dnswl.org
>>> Server:		192.168.2.66
>>> Address:	192.168.2.66#53
>>>
>>> Non-authoritative answer:
>>> *** Can't find dwl.dnswl.org: No answer
>>>
>>> So, why is rspamd reporting this? What does it mean?
>>
>> If you have Unbound set up on the same machine, add this:
>>
>> # local.d/options.inc
>> dns {
>>    nameserver = ["127.0.0.1"];
>> }
>>
>> Good luck,
>> Reio
> 
> Before I do something like this, I’d like to understand why this should help. As /etc/resolv.conf contains entries that let rspamd end up with the same unbound or another good DNS
> 
> search rna.nl
> nameserver 192.168.2.66
> nameserver 192.168.2.67
> nameserver 8.8.8.8
> 
> Gerben
> 

Do not use public resolvers.

https://rspamd.com/doc/faq.html#why-do-i-have-monitored-errors-in-my-log-files
https://rspamd.com/doc/faq.html#resolver-setup
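
An added example, not part of the original thread or of Rspamd itself: a small Python check that flags public resolvers in a resolv.conf and counts the `monitored` log events per DNS list. The `PUBLIC_RESOLVERS` set and both function names are assumptions of this example; the sample input is copied from the messages quoted above.

```python
import ipaddress
import re

# Assumption: a short, non-exhaustive list of well-known public resolvers.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Message patterns taken from the "monitored" log lines quoted in the thread.
PATTERNS = {
    "blocked": re.compile(r"DNS query blocked on (\S+) \("),
    "unexpected_reply": re.compile(r"DNS reply returned '[^']*' for (\S+) while"),
    "restored": re.compile(r"restoring (\S+) after [\d.]+ seconds of downtime"),
}

def audit_resolvers(resolv_conf_text):
    """Return (address, verdict) for every nameserver line, in file order."""
    result = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            result.append((fields[1], "invalid"))
            continue
        # "local" here means a loopback or private-range address.
        verdict = "public" if str(ip) in PUBLIC_RESOLVERS else "local" if ip.is_private else "unknown"
        result.append((str(ip), verdict))
    return result

def summarize_monitored(log_text):
    """Count monitored events per DNS list: {zone: {kind: count}}."""
    summary = {}
    for line in (l for l in log_text.splitlines() if "; monitored; " in l):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                counts = summary.setdefault(match.group(1), {})
                counts[kind] = counts.get(kind, 0) + 1
    return summary

# Sample input copied from the thread (one log line per kind of event).
RESOLV_CONF = "search rna.nl\nnameserver 192.168.2.66\nnameserver 192.168.2.67\nnameserver 8.8.8.8\n"
LOG = """\
2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org after 2619.0 seconds of downtime, total downtime: 2619.0
"""
if __name__ == "__main__":
    print(audit_resolvers(RESOLV_CONF), summarize_monitored(LOG))
```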


