[Rspamd-Users] Newbie: What does this log message mean?

Reio Remma reio at mrstuudio.ee
Tue Nov 5 11:01:01 UTC 2019


On 05/11/2019 12:53, Gerben Wierda wrote:
> I am new to rspamd. I was busy installing rspamd on a machine where I have unbound set up. In the rspamd log I noticed:
>
> 2019-11-03 16:14:28 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
> 2019-11-03 16:17:29 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
> 2019-11-03 16:20:00 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:25:00 GMT
> 2019-11-03 16:26:25 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:31:25 GMT
> 2019-11-03 16:27:31 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for dwl.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
> 2019-11-03 16:29:50 #63290(controller) <3nxzfe>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
> 2019-11-03 16:31:27 #63290(controller) <9i1dgi>; map; http_map_finish: data is not modified for server www.openphish.com, next check at Sun, 03 Nov 2019 15:36:27 GMT
> 2019-11-03 16:37:14 #63290(controller) <k7m6sm>; monitored; rspamd_monitored_propagate_success: restoring dwl.dnswl.org after 2619.0 seconds of downtime, total downtime: 2619.0
>
> So, some config problem with rspamd, apparently. But what really caught my eye was
>
> when querying for '1.0.0.127.dwl.dnswl.org'(likely DNS spoofing or BL internal issues)
>
> But these domains are not resolvable:
>
> albus:~ sysbh$ nslookup multi.uribl.com
> Server:		192.168.2.66
> Address:	192.168.2.66#53
>
> Non-authoritative answer:
> *** Can't find multi.uribl.com: No answer
>
> albus:~ sysbh$ nslookup dwl.dnswl.org
> Server:		192.168.2.66
> Address:	192.168.2.66#53
>
> Non-authoritative answer:
> *** Can't find dwl.dnswl.org: No answer
>
> So, why is rspamd reporting this? What does it mean?

If you have Unbound set up on the same machine, add this:

# local.d/options.inc
dns {
   nameserver = ["127.0.0.1"];
}

Good luck,
Reio

