Three NameServer DOSing my <dns1>

Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Jul 29 17:37:50 UTC 2010


> On 2010-07-29 14:12:54, you hacked out the following:
> > On 28.07.10 23:24, Michelle Konzack wrote:
> > > But why do they query my server 3 times per second?

> Hello Matus UHLAR - fantomas,
> > deep parsing of e-mail headers by spam filtering software, I guess.

On 29.07.10 19:16, Michelle Konzack wrote:
> Which is the last crap!
> 
> Spamassassin does this too and I had to whitelist more than 2000 e-mails
> due to the high amount of false-positives.

Apparently internal_networks is set up incorrectly?

> > Apparently because of your fake ssmtp header.
> 
> Which "fake ssmtp" header?

I see the name "michelle1.private.tamay-dogan.net" in two headers:

Received: from michelle1.private.tamay-dogan.net
        (router.private.tamay-dogan.net [::ffff:192.168.0.65])
        (AUTH: LOGIN michelle.konzack)
        by mail.tamay-dogan.net with esmtp; Thu, 29 Jul 2010 19:16:29 +0200
        id 0002C6F8.4C51B76D.000055D9
Received: by michelle1.private.tamay-dogan.net (sSMTP sendmail emulation);
        Thu, 29 Jul 2010 19:16:28 +0200

since the former contains an IP address, I guess it's the latter that causes
some kinds of spam filters to try to resolve the IP.

Note that I'm just guessing and it's apparently not spamassassin. However,
there are many spam filters deeply parsing headers, and some quite
incorrectly.

I think you are on the spamassassin-users mailing list and you may remember
that problems with deeply parsed headers on some mailservers are mentioned
there quite often.

> How do you think I can send mails?
> 
> My workstation has "ssmtp" installed for security reasons, like all of
> my machines which do not receive any mails but only have to send out
> messages like logs or alarms...

I'm not objecting to ssmtp, I know what it is (and I use it in some
situations, although I prefer msmtp), but it's possible that the inserted
header causes some filters to try to resolve your hostname. You can try using
msmtp or a similar SMTP client to see if it helps.

> "courier" is my official relay which is used by more than 8000 users.

I know because I've seen your posts on the courier-users mailing list too.
Actually I even know you are a debian user, guess why :-)

HOWEVER!

To return to this ML's topic:

Your hostname is private and inaccessible from the outside. The requesters
get a SERVFAIL reply, which apparently makes them retry. If you provided them
any IP address (e.g. 127.0.0.1) they could be satisfied and stop trying
(until the cached record expires). You can try this if it makes you angry.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors
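The two points made in the message above (a header-parsing filter has to do a forward lookup for the hostname in the sSMTP Received: line because no IP literal sits next to it, and a SERVFAIL answer, unlike a cached A record, sends the resolver back to the nameserver on every attempt) can be made concrete with a small script. This is an added example, not code from the post or from any of the software discussed. The Received: headers are the ones quoted in the message, reassembled inline as constructed input; the "deep parsing" rule (resolve the "from" host only when no bracketed IP accompanies it, always resolve the "by" host) is an assumption about how such filters behave, not a description of any specific product; ToyResolver is a hypothetical stub-resolver cache, and the 3-queries-per-second rate and the zone contents are taken from the thread, with the 127.0.0.1 record being the workaround the message suggests.

```python
"""Added example: which Received: names a header-parsing filter must resolve,
and why SERVFAIL for a private name produces a steady query stream."""
import re
from dataclasses import dataclass, field

# Constructed input: the two Received: headers quoted in the message above.
SAMPLE_HEADERS = """Received: from michelle1.private.tamay-dogan.net
        (router.private.tamay-dogan.net [::ffff:192.168.0.65])
        (AUTH: LOGIN michelle.konzack)
        by mail.tamay-dogan.net with esmtp; Thu, 29 Jul 2010 19:16:29 +0200
        id 0002C6F8.4C51B76D.000055D9
Received: by michelle1.private.tamay-dogan.net (sSMTP sendmail emulation);
        Thu, 29 Jul 2010 19:16:28 +0200
"""

PRIVATE_HOST = "michelle1.private.tamay-dogan.net"
SERVFAIL_ZONE = {}                                  # name unknown publicly
LOOPBACK_ZONE = {PRIVATE_HOST: ("127.0.0.1", 3600)}  # the suggested workaround

HOST = r"[A-Za-z0-9.-]+"
FROM_RE = re.compile(r"\bfrom\s+(" + HOST + r")")
BY_RE = re.compile(r"\bby\s+(" + HOST + r")")
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def unfold(raw):
    """Join folded header continuation lines; one string per header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers


def parse_received(raw):
    """For each Received: header, pull out the 'from' host, the 'by' host and
    any bracketed IP literal a filter could use instead of a forward lookup."""
    records = []
    for header in unfold(raw):
        if not header.startswith("Received:"):
            continue
        body = header[len("Received:"):]
        m_from, m_by, m_ip = FROM_RE.search(body), BY_RE.search(body), IP_RE.search(body)
        records.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
        })
    return records


def names_to_resolve(records):
    """Assumed 'deep parsing' rule: a 'from' host without an IP literal beside
    it needs a forward lookup, and so does every 'by' host. Order kept,
    duplicates dropped."""
    names = []
    for r in records:
        if r["from"] and not r["ip"]:
            names.append(r["from"])
        if r["by"]:
            names.append(r["by"])
    return list(dict.fromkeys(names))


@dataclass
class ToyResolver:
    """Hypothetical stub-resolver cache. Positive answers are cached for their
    TTL. SERVFAIL carries no TTL and is outside RFC 2308 negative caching, so
    it is not cached here: every lookup goes back upstream."""
    zone: dict                     # name -> (rdata, ttl); absent -> SERVFAIL
    cache: dict = field(default_factory=dict)
    upstream_queries: int = 0

    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.upstream_queries += 1
        answer = self.zone.get(name)
        if answer is None:
            return None            # SERVFAIL: nothing to cache
        rdata, ttl = answer
        self.cache[name] = (rdata, now + ttl)
        return rdata


def upstream_load(zone, name, rate=3, seconds=60):
    """Queries that reach the nameserver when a client asks `rate` times per
    second for `seconds` seconds (3/s is the rate reported in the thread)."""
    resolver = ToyResolver(zone)
    for tick in range(rate * seconds):
        resolver.lookup(name, tick / rate)
    return resolver.upstream_queries


if __name__ == "__main__":
    print("names a filter would resolve:", names_to_resolve(parse_received(SAMPLE_HEADERS)))
    print("queries/min with SERVFAIL:   ", upstream_load(SERVFAIL_ZONE, PRIVATE_HOST))
    print("queries/min with 127.0.0.1 A:", upstream_load(LOOPBACK_ZONE, PRIVATE_HOST))
```

With the constructed headers the filter ends up with two names to look up, `mail.tamay-dogan.net` and the sSMTP-inserted `michelle1.private.tamay-dogan.net`, the second of which is the one that only exists inside the private network. In the cache model the SERVFAIL case costs one upstream query per client attempt (180 per minute at 3/s), whereas a resolvable answer costs one query per TTL, which is the effect the message describes when it suggests handing out any address at all.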
