[Bug 218272] New: something tries to lookup libraries (libimf.so, liblua.so, ...) via nameserver
https://bugzilla.novell.com/show_bug.cgi?id=218272

Summary: something tries to lookup libraries (libimf.so, liblua.so, ...) via nameserver
Product: SUSE Linux 10.1
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: suse-beta@cboltz.de
QAContact: qa@suse.de

I noticed that something[tm] tries to lookup various libraries by calling the nameserver(!).

I'm not sure what causes these lookups. I guess the mail system (postfix, amavisd, spamassassin) is a good candidate because it does DNS lookups regularly. Other running services are apache, courier-pop3/imap, mysql, ssh, mailman and some perlscripts that feed rrd databases for status graphs and named (bind) itself.

Unfortunately, /var/log/messages doesn't contain other entries that I could connect with the strange nameserver lookups.

Is there a way to find out which process contacted the nameserver?

Example entries from /var/log/messages:

# grep named messages |grep '\.so' | sed 's/.* named/named/'
named[3035]: unexpected RCODE (SERVFAIL) resolving 'liblua.so/NS/IN': 213.133.100.100#53
named[3035]: lame server resolving 'liblua.so' (in 'so'?): 205.166.226.38#53
named[3035]: unexpected RCODE (REFUSED) resolving 'liblua.so/NS/IN': 209.68.0.85#53
named[3035]: unexpected RCODE (SERVFAIL) resolving '4.so/NS/IN': 213.133.100.100#53
named[3035]: lame server resolving '4.so' (in 'so'?): 205.166.226.38#53
named[3035]: unexpected RCODE (SERVFAIL) resolving '4.so/NS/IN': 213.133.100.100#53
named[3035]: lame server resolving '4.so' (in 'so'?): 205.166.226.38#53
named[3035]: unexpected RCODE (SERVFAIL) resolving 'libimf.so/NS/IN': 213.133.100.100#53
named[3035]: lame server resolving 'libimf.so' (in 'so'?): 205.166.226.38#53
named[3035]: unexpected RCODE (REFUSED) resolving 'libimf.so/NS/IN': 209.68.0.85#53
named[3035]: unexpected RCODE (SERVFAIL) resolving 'libimf.so/NS/IN': 213.133.100.100#53
named[3035]: lame server resolving 'libimf.so' (in 'so'?): 205.166.226.38#53
named[3035]: unexpected RCODE (REFUSED) resolving 'libimf.so/NS/IN': 209.68.0.85#53
named[3035]: unexpected RCODE (SERVFAIL) resolving 'libimf.so/NS/IN': 213.133.100.100#53
named[3035]: unexpected RCODE (REFUSED) resolving 'libimf.so/NS/IN': 209.68.0.85#53
named[3035]: unexpected RCODE (SERVFAIL) resolving 'y.so/NS/IN': 213.133.100.100#53
named[3035]: lame server resolving 'y.so' (in 'so'?): 205.166.226.38#53
named[3035]: unexpected RCODE (REFUSED) resolving 'y.so/NS/IN': 209.68.0.85#53

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=218272

mhorvath@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
AssignedTo|bnc-team-screening@forge.provo.novell.com |mt@novell.com
Severity|Normal |Major
Platform|Other |x86

https://bugzilla.novell.com/show_bug.cgi?id=218272

------- Comment #1 from suse-beta@cboltz.de 2006-11-23 18:23 MST -------
From what I have seen in the last days, only non-existent *.so files seem to be requested via nameserver.
(I didn't check the *.so names in the initial comment if they match this pattern - but on a quick look it seems so.)

https://bugzilla.novell.com/show_bug.cgi?id=218272

mt@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
AssignedTo|mt@novell.com |ug@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=218272

ug@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
Info Provider| |suse-beta@cboltz.de

------- Comment #2 from ug@novell.com 2006-11-27 02:08 MST -------
do you have spamassassin running on the machine?
Can you turn it off for testing and observe the log then?

https://bugzilla.novell.com/show_bug.cgi?id=218272

suse-beta@cboltz.de changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |ASSIGNED
Info Provider|suse-beta@cboltz.de |

------- Comment #3 from suse-beta@cboltz.de 2006-11-27 05:03 MST -------
(In reply to comment #2)
> do you have spamassassin running on the machine?

Yes, spamassassin is running (via amavisd).

> Can you turn it off for testing and observe the log then?

Sorry, this is a production server and stopping spamassassin/amavisd will break mail delivery. And since these lookups only happen randomly (not reproducible - or I didn't find the pattern yet) I would need to have a larger downtime :-(

If you have an idea how to reproduce the strange lookups within some minutes (to avoid larger spamassassin downtime), I'll happily test it.

I just spot checked the mail log against /var/log/messages - at least some *.so lookups have timestamps that are nearby mail log entries. OTOH, there are lots of mail deliveries without *.so lookups.

If you are interested, I can send you the logs via mail.

https://bugzilla.novell.com/show_bug.cgi?id=218272

ug@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |NEEDINFO
Info Provider| |suse-beta@cboltz.de

------- Comment #4 from ug@novell.com 2006-11-27 05:12 MST -------
do you use the URIDNSBL Plugin in spamassassin?
Can you turn that off?

https://bugzilla.novell.com/show_bug.cgi?id=218272

------- Comment #5 from suse-beta@cboltz.de 2006-11-27 09:34 MST -------
Yes, I use this plugin. It's acceptable to disable it for some days.

Done:

root@server:/etc/mail/spamassassin> grep URI *
init.pre:# URIDNSBL - look up URLs found in the message against several DNS
init.pre:#loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

I'll report back in some days if there are more *.so lookups and leave this bug report in NEEDINFO until then.

For the records: URIDNSBL plugin disabled on Nov 27 17:27:26

https://bugzilla.novell.com/show_bug.cgi?id=218272

suse-beta@cboltz.de changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |ASSIGNED
Info Provider|suse-beta@cboltz.de |
Summary|something tries to lookup libraries (libimf.so, liblua.so, ...) via nameserver |SpamAssassin URIDNSBL plugin tries to lookup libraries (libimf.so, liblua.so, ...) via nameserver

------- Comment #6 from suse-beta@cboltz.de 2006-11-29 15:33 MST -------
I had no more *.so lookups in the last two days (compared to 10-100 the days before).

-> The SpamAssassin URIDNSBL is really the cause of these strange lookups.

(updating the summary to get rid of this "something" ;-))

https://bugzilla.novell.com/show_bug.cgi?id=218272

------- Comment #7 from suse-beta@cboltz.de 2006-11-29 18:32 MST -------
double confirmation: 5 minutes after re-enabling the URIDNSBL plugin, I got several *.so lookups again.

https://bugzilla.novell.com/show_bug.cgi?id=218272

varkoly@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
Info Provider| |suse-beta@cboltz.de

------- Comment #9 from varkoly@novell.com 2006-12-08 04:55 MST -------
can you provide me your configuration for URIDNSBL

https://bugzilla.novell.com/show_bug.cgi?id=218272

suse-beta@cboltz.de changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |ASSIGNED
Info Provider|suse-beta@cboltz.de |

------- Comment #10 from suse-beta@cboltz.de 2006-12-08 13:04 MST -------
It's the default configuration from SUSE Linux 10.1, I did not set any special parameters in /etc/mail/spamassassin/ and do not use any per-user configuration.

https://bugzilla.novell.com/show_bug.cgi?id=218272

varkoly@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |INVALID

------- Comment #11 from varkoly@novell.com 2006-12-21 05:17 MST -------
The problem is, that by default, the URIDNSBL plugin is activated but not configured. The URIDNSBL plugin functions the following way:

1. The eMail will be scanned for URLs and IP-addresses.
2. These will be checked by DNSBL and RHSBL server. The check is a lookup for the DNS-entry: <the-url>.<name-of-the-DNSBL/RHSBL-server>. If there is no DNSBL/RHSBL-server configured, the spamd makes lookups for <the-url>. Yes it may be a bug, but it is senseless to use URIDNSBL without configuring it.
3. Solution:
   3.1 Configure URIDNSBL before using it.
   3.2 Deactivate URIDNSBL
4. I'll change the default configuration so that URIDNSBL is not activated.

https://bugzilla.novell.com/show_bug.cgi?id=218272

suse-beta@cboltz.de changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |

------- Comment #12 from suse-beta@cboltz.de 2006-12-21 13:03 MST -------
(In reply to comment #11)
> The problem is, that by default, the URIDNSBL plugin is activated but not configured.
> [...]
> 3. Solution: 3.1 Configure URIDNSBL before using it.

Hmm, after some research I found the file /usr/share/spamassassin/25_uribl.cf which looks like a valid configuration for the URIDNSBL module. I must admit not to be a spamassassin expert, but for me it looks like there _is_ a configuration already.

> 4. I'll change the default configuration so that URIDNSBL is not activated.

The better way would be to provide a working default configuration (if the above one is not enough). [this is the main reason to reopen this report]

https://bugzilla.novell.com/show_bug.cgi?id=218272

varkoly@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |NEEDINFO
Info Provider| |suse-beta@cboltz.de

------- Comment #13 from varkoly@novell.com 2006-12-22 00:50 MST -------
The configuration looks good, but you have to enhance it in the file /etc/mail/spamassassin/local.cf with the following entries:

uridnsbl_skip_domain liblua.so libimf.so 4.so y.so

Library names in text or HTML will be detected as URLs. Please test it if this helps you.

https://bugzilla.novell.com/show_bug.cgi?id=218272

varkoly@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Severity|Major |Enhancement

https://bugzilla.novell.com/show_bug.cgi?id=218272

suse-beta@cboltz.de changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |REOPENED
Info Provider|suse-beta@cboltz.de |

------- Comment #14 from suse-beta@cboltz.de 2006-12-22 08:01 MST -------
You are right, library names are detected as URLs and looked up via DNS.

I could easily reproduce the problem by sending a mail containing "libfoobar.so" - it instantly triggered a (failing) DNS lookup.

Dec 22 15:50:01 server named[1940]: unexpected RCODE (SERVFAIL) resolving 'libfoobar.so/NS/IN': 213.133.100.100#53
Dec 22 15:50:01 server named[1940]: lame server resolving 'libfoobar.so' (in 'so'?): 205.166.226.38#53
Dec 22 15:50:01 server named[1940]: unexpected RCODE (REFUSED) resolving 'libfoobar.so/NS/IN': 209.68.0.85#53

Then I added

uridnsbl_skip_domain libfoobarbaz.so

to local.cf and tested with a mail containing libfoobarbaz.so - no more DNS lookup for this one.

Summary: Yes, uridnsbl_skip_domain helps. But the problem is that people write about lots of different *.so libraries in the opensuse mailing lists, so whitelisting some of them doesn't really help ;-)

(And I still wonder why "libsomething.so" is looked up and not "libsomething.so.dnsbl.tld")
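
An added example, not part of the bug report or of SpamAssassin: a small Python parser for the two `named` message forms quoted in this thread, which groups the failed lookups by queried name and flags names whose last label is `so`. The first three sample lines are the ones from comment #14; the `example.org` line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the first three lines are the named messages quoted in
# comment #14; the example.org line is constructed for contrast.
SAMPLE_LOG = """\
Dec 22 15:50:01 server named[1940]: unexpected RCODE (SERVFAIL) resolving 'libfoobar.so/NS/IN': 213.133.100.100#53
Dec 22 15:50:01 server named[1940]: lame server resolving 'libfoobar.so' (in 'so'?): 205.166.226.38#53
Dec 22 15:50:01 server named[1940]: unexpected RCODE (REFUSED) resolving 'libfoobar.so/NS/IN': 209.68.0.85#53
Dec 22 15:51:12 server named[1940]: lame server resolving 'example.org' (in 'example.org'?): 192.0.2.53#53
"""

# Matches both message forms seen in the thread:
#   unexpected RCODE (<rcode>) resolving '<name>/<type>/<class>': <ip>#<port>
#   lame server resolving '<name>' (in '<zone>'?): <ip>#<port>
LINE_RE = re.compile(
    r"named\[\d+\]: (?:unexpected RCODE \((?P<rcode>\w+)\)|lame server)"
    r" resolving '(?P<name>[^'/]+)(?:/\w+/\w+)?'"
    r".*?: (?P<server>[0-9.]+)#\d+\s*$"
)


def summarize_lookups(log_text, suspect_tlds=("so",)):
    """Group failed lookups by queried name.

    A name is marked suspect when its last label is in suspect_tlds, i.e. a
    TLD that is also a file extension. This is a heuristic (assumption of
    this example): a genuine .so domain is flagged as well.
    """
    summary = defaultdict(
        lambda: {"count": 0, "events": set(), "servers": set(), "suspect": False}
    )
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not one of the two resolver messages
        name = m.group("name").rstrip(".").lower()
        entry = summary[name]
        entry["count"] += 1
        entry["events"].add(m.group("rcode") or "LAME")
        entry["servers"].add(m.group("server"))
        entry["suspect"] = name.rsplit(".", 1)[-1] in suspect_tlds
    return dict(summary)


def suspect_names(log_text, suspect_tlds=("so",)):
    """Return the sorted queried names that look like file names."""
    found = summarize_lookups(log_text, suspect_tlds)
    return sorted(name for name, entry in found.items() if entry["suspect"])


if __name__ == "__main__":
    for name, entry in sorted(summarize_lookups(SAMPLE_LOG).items()):
        flag = "SUSPECT" if entry["suspect"] else "ok"
        print(f"{flag:8}{name:15}{entry['count']:3}  {sorted(entry['events'])}")
```

Run against /var/log/messages, the per-name counts can be compared with mail log timestamps, as the reporter did by hand in comment #3.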

https://bugzilla.novell.com/show_bug.cgi?id=218272

varkoly@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |NEEDINFO
Info Provider| |suse-beta@cboltz.de

------- Comment #15 from varkoly@novell.com 2006-12-28 15:58 MST -------
man Mail::SpamAssassin::Plugin::URIDNSBL says:

" This works by analysing message text and HTML for URLs, extracting the domain names from those, querying their NS records in DNS, resolving the hostnames used therein, and querying various DNS blocklists for those IP addresses. This is quite effective. "

This means first the domain name will be looked up. Please insert the following line into /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Plugin/URIDNSBL.pm at the line 210 (after the line

next if ($uri =~ /^mailto:/);

)

next if ($uri =~ /\.so$/);

and report if it helps.

https://bugzilla.novell.com/show_bug.cgi?id=218272

suse-beta@cboltz.de changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |REOPENED
Info Provider|suse-beta@cboltz.de |

------- Comment #16 from suse-beta@cboltz.de 2006-12-29 05:02 MST -------
Thanks for the manpage pointer - this explains why it looks up the domain.

(In reply to comment #15)
> Please insert the following line into [...]
> next if ($uri =~ /\.so$/);

Good catch - it helps :-)

https://bugzilla.novell.com/show_bug.cgi?id=218272

asemen@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |ASSIGNED
Info Provider|varkoly@novell.com |

https://bugzilla.novell.com/show_bug.cgi?id=218272

thomas@novell.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED

------- Comment #22 from thomas@novell.com 2007-02-07 03:34 MST -------
packages approved

https://bugzilla.novell.com/show_bug.cgi?id=218272

suse-beta@cboltz.de changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED

------- Comment #23 from suse-beta@cboltz.de 2007-03-09 11:34 MST -------
VERIFIED - the *.so lookups do not happen with the updated SpamAssassin packages on 10.2.

(Yes, I have seen that you have chosen a different solution, but it works ;-)