[Rspamd-Users] Newbie: What does this log message mean?

Reio Remma reio at mrstuudio.ee
Tue Dec 24 10:01:54 UTC 2019


On 23.12.2019 14:53, Gerben Wierda wrote:
> On 5 Nov 2019, at 12:01, Reio Remma via Users <users at lists.rspamd.com> wrote:
>>
>> On 05/11/2019 12:53, Gerben Wierda wrote:
>>> I am new to rspamd. I was busy installing rspamd on a machine where 
>>> I have unbound set up. In the rspamd log I noticed:
>>>
>>> 2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored;
>>> rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com
>>> (127.0.0.1 returned), possibly due to high volume
>>> 2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored;
>>> rspamd_monitored_dns_cb: DNS reply returned 'no error' for
>>> dwl.dnswl.org while 'no records with this name' was expected when
>>> querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL
>>> internal issues)
>>> 2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map;
>>> http_map_finish: data is not modified for server www.openphish.com,
>>> next check at Sun, 03 Nov 2019 15:25:00 GMT
>>> 2019-11-03 16:26:25 #63290(controller) <9i1dgi>; map;
>>> http_map_finish: data is not modified for server www.openphish.com,
>>> next check at Sun, 03 Nov 2019 15:31:25 GMT
>>> 2019-11-03 16:27:31 #63290(controller) <k7m6sm>; monitored;
>>> rspamd_monitored_dns_cb: DNS reply returned 'no error' for
>>> dwl.dnswl.org while 'no records with this name' was expected when
>>> querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL
>>> internal issues)
>>> 2019-11-03 16:29:50 #63290(controller) <3nxzfe>; monitored;
>>> rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com
>>> (127.0.0.1 returned), possibly due to high volume
>>> 2019-11-03 16:31:27 #63290(controller) <9i1dgi>; map;
>>> http_map_finish: data is not modified for server www.openphish.com,
>>> next check at Sun, 03 Nov 2019 15:36:27 GMT
>>> 2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored;
>>> rspamd_monitored_propagate_success: restoring dwl.dnswl.org after
>>> 2619.0 seconds of downtime, total downtime: 2619.0
>>>
>>> So, some config problem with rspamd, apparently. But what really 
>>> caught my eye was
>>>
>>> when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or
>>> BL internal issues)
>>>
>>> But these domains are not resolvable:
>>>
>>> albus:~ sysbh$ nslookup multi.uribl.com
>>> Server:192.168.2.66
>>> Address:192.168.2.66#53
>>>
>>> Non-authoritative answer:
>>> *** Can't find multi.uribl.com: No answer
>>>
>>> albus:~ sysbh$ nslookup dwl.dnswl.org
>>> Server:192.168.2.66
>>> Address:192.168.2.66#53
>>>
>>> Non-authoritative answer:
>>> *** Can't find dwl.dnswl.org: No answer
>>>
>>> So, why is rspamd reporting this? What does it mean?
>>
>> If you have Unbound set up on the same machine, add this:
>>
>> # local.d/options.inc
>> dns {
>>   nameserver = ["127.0.0.1"];
>> }
>>
>> Good luck,
>> Reio
>
> Before I do something like this, I’d like to understand why this 
> should help. As /etc/resolv.conf contains entries that let rspamd end 
> up with the same unbound or another good DNS
>
> search rna.nl
> nameserver 192.168.2.66
> nameserver 192.168.2.67
> nameserver 8.8.8.8

You started with: "I was busy installing rspamd on a machine where I
have unbound set up."

Assuming you have unbound set up locally, you need to let Rspamd know 
about it by setting the local nameserver in options.inc.

Good luck,
Reio

