[Rspamd-Users] Newbie: What does this log message mean?

Gerben Wierda gerben.wierda at rna.nl
Tue Nov 5 10:53:02 UTC 2019


I am new to rspamd. I was busy installing rspamd on a machine where I have unbound set up. In the rspamd log I noticed:

2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:25:00 GMT
2019-11-03 16:26:25 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:31:25 GMT
2019-11-03 16:27:31 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
2019-11-03 16:29:50 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
2019-11-03 16:31:27 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:36:27 GMT
2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org after 2619.0 seconds of downtime, total downtime: 2619.0

So, some config problem with rspamd, apparently. But what really caught my eye was

when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)

But these domains are not resolvable:

albus:~ sysbh$ nslookup multi.uribl.com
Server:		192.168.2.66
Address:	192.168.2.66#53

Non-authoritative answer:
*** Can't find multi.uribl.com: No answer

albus:~ sysbh$ nslookup dwl.dnswl.org
Server:		192.168.2.66
Address:	192.168.2.66#53

Non-authoritative answer:
*** Can't find dwl.dnswl.org: No answer

So, why is rspamd reporting this? What does it mean?

Gerben Wierda
Chess and the Art of Enterprise Architecture <http://enterprisechess.com/>
Mastering ArchiMate <http://masteringarchimate.com/>
Architecture for Real Enterprises <https://www.infoworld.com/blog/architecture-for-real-enterprises/> at InfoWorld
On Slippery Ice <https://eapj.org/on-slippery-ice/> at EAPJ
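
An added example, not part of the original post and not rspamd code: a short Python triage script that pulls the "monitored" events out of log lines in the format quoted in the message above and reports, per DNS list, the last state seen and the exact name rspamd queried. The regular expressions, function names and field names are assumptions derived only from the lines shown in this message.

```python
import re

# Sample input: four lines copied from the log excerpt in the post above.
SAMPLE = """\
2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:25:00 GMT
2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org after 2619.0 seconds of downtime, total downtime: 2619.0
"""

# Assumed line layout: "<date> <time> #<pid>(<worker>) <<tag>>; <module>; <function>: <message>"
HEADER = re.compile(r"^(?P<ts>\S+ \S+) #\d+\((?P<worker>\w+)\) <(?P<tag>\w+)>; "
                    r"(?P<module>\w+); (?P<func>\w+): (?P<msg>.*)$")
EVENTS = [
    ("blocked", re.compile(r"DNS query blocked on (?P<zone>\S+) \((?P<answer>\S+) returned\)")),
    ("unexpected_reply", re.compile(
        r"DNS reply returned '(?P<got>[^']+)' for (?P<zone>\S+) while '(?P<want>[^']+)' "
        r"was expected when querying for '(?P<probe>[^']+)'")),
    ("restored", re.compile(r"restoring (?P<zone>\S+) after (?P<downtime>[\d.]+) seconds of downtime")),
]

def parse_monitored(text):
    """Yield one dict per 'monitored' line; lines from other modules (e.g. map) are skipped."""
    for line in text.splitlines():
        h = HEADER.match(line)
        if not h or h["module"] != "monitored":
            continue
        for kind, rx in EVENTS:
            m = rx.search(h["msg"])
            if m:
                yield {"ts": h["ts"], "tag": h["tag"], "kind": kind, **m.groupdict()}
                break

def zone_status(events):
    """Fold events into the last state per zone, counting failures and keeping the probe name."""
    status = {}
    for ev in events:
        st = status.setdefault(ev["zone"], {"state": None, "failures": 0, "probe": None})
        if ev["kind"] == "restored":
            st["state"], st["downtime"] = "up", float(ev["downtime"])
        else:
            st["state"] = ev["kind"]
            st["failures"] += 1
            # The probe is the full name rspamd looked up, which differs from the bare zone name.
            st["probe"] = ev.get("probe") or st["probe"]
    return status

if __name__ == "__main__":
    for zone, st in zone_status(parse_monitored(SAMPLE)).items():
        print(zone, st)
```
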


