Something very weird started happening yesterday, and I have been trying to 
figure out what it might be, and I was unable to narrow it down.

I have been running qmail with rbl/rss and also running dnscache on the 
same machine for a while without any problems.

Yesterday my dnscache log started filling up with these error messages:

@400000003b574c21126fcb94 query 27874 7f000001:e77a:701d 1 150.68.39.208.relays.mail-abuse.org.
@400000003b574c21126ff2a4 cached nxdomain 150.68.39.208.relays.mail-abuse.org.
@400000003b574c2112700dfc sent 27874 53
@400000003b574c2113c47684 query 27875 7f000001:fccb:eebc 12 2.110.10.209.in-addr.arpa.
@400000003b574c2113c5ce44 cached 12 2.110.10.209.in-addr.arpa.
@400000003b574c2113c69d4c sent 27875 78
@400000003b574c2113eb6744 query 27876 7f000001:fccb:eebc 16 150.68.39.208.blackholes.mail-abuse.org.
@400000003b574c2113ecb734 cached nxdomain 150.68.39.208.blackholes.mail-abuse.org.
@400000003b574c2113ed72b4 sent 27876 57
@400000003b574c2113f087c4 query 27877 7f000001:e77a:701d 1 150.68.39.208.relays.mail-abuse.org.
@400000003b574c2113f16e3c cached nxdomain 150.68.39.208.relays.mail-abuse.org.
@400000003b574c2113f2124c sent 27877 53


About 20 or so requests like this a second... about 95% of them are for 
150.68.39.208.relays.mail-abuse.org / 150.68.39.208.blackholes.mail-abuse.org, 
which is web01.dc.intira.com (not my server), and the other 5% are for 
2.110.10.209.in-addr.arpa (my server).

My qmail-smtp and qmail-send logs don't show anything interesting...

My antivirus program (Kaspersky's) didn't like this at all and was 
generating this error:

Current object: <4>Jul 19 14:01:31:XXX

          Sector Objects :      0              Known viruses :      0
                   Files :      0               Virus bodies :      0
                 Folders :      0                Disinfected :      0
                Archives :      0                    Deleted :      0
                  Packed :      0                   Warnings :      0
                                                  Suspicious :      0
          Speed (Kb/sec) :      0                  Corrupted :      0
               Scan time :  276546:01:31              I/O Errors :      0


Query for the tests: <4>Jul 19 14:01:31:XXX

I cant find object XXX (error string: No such file or directory).


And maillog was filling up with this error:

mail avpkeeper[23221]: Invalid message format


I have totally disabled the anti-virus program, since I thought that maybe 
it was the culprit. Turns out that my dnscache still continues to have the 
same error and nothing else has any interesting error messages...

This is my /service/smtp/run:

#!/bin/sh
PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin
export PATH
QMAILUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
exec softlimit -m 100000000 -t600 tcpserver -S -R -H -c100 -x \
/home/vpopmail/etc/tcp.smtp.cdb -u $QMAILUID -g $NOFILESGID 0 smtp rblsmtpd \
-r blackholes.mail-abuse.org \
-r 'relays.mail-abuse.org:Open relay problem - see http://www.mail-abuse.com/cgi-bin/nph-rss?%IP%' \
qmail-smtpd splogger smtpd 2>&1


My qmail setup is done according to Matt Simerson's qmail-vpopmail-freebsd 
toaster.

RBL and RSS tests show that everything is working fine... So the only 
thing that I can think of that might be different is that MAPS changed 
something? I know I haven't changed anything for over a month now (and this 
is a fairly busy server). The thing that really freaks me out is that I 
worked on Deloitte Consulting's web site around a year ago, and now my 
dnscache is filling up with requests for 
150.68.39.208.blackholes.mail-abuse.org, which is the IP address of 
web01.dc.intira.com... I hope the two are not related in any way. But the 
fact that it's there makes it at least strange.

Any help/info/ideas would be really appreciated.

Thanks!

__
Kris.
