[WBEL-users] Re: /var/log/messages - Interesting Entry

Kirby Bohling kbohling@birddog.com
Wed, 18 Aug 2004 22:09:11 -0500


On Wed, Aug 18, 2004 at 07:01:12PM -0700, Ben Mohilef wrote:
> A spammer probably happened to use wap.pangia.biz as a reply 
> address, and sendmail asked the nameserver to get the IP 
> corresponding to it. The rdns of that IP didn't match 
> "wap.pangia.biz" and a message was generated. 

	That's not a sendmail error.  The error was generated by glibc.
Sendmail probably never even saw the result of that lookup.  Surely
not enough to print that error message (it could have seen a later
result, but not that one).

	I've had some time to read the code a bit closer since my
earlier response.  You can also get this error on both a forward and
a reverse lookup.  Which makes everything make more sense.

	It appears that it was a forward lookup that failed.  Go grab
ethereal, do a DNS Lookup.

	You'll find that the client sends who it's requesting, and the
DNS server responds with what the query was, and the answer.
Something isn't lining up.

DNS Client says: "What is the A record for wap.pangia.biz"

A DNS server's response is:
The A record for smtp.pangia.biz is "xxx.xxx.xxx.xxx"

The DNS Client examines that answer and logs: "Asked for
wap.pangia.biz, got smtp.pangia.biz".

	It's a broken DNS transaction.  Either the client or the server
lost track of who asked for what, or the packets being received
aren't lining up.

	Now, if it's a UDP thing, it might just be that he received
the response for a different query that was just out of order.  Thus
the whole problem.  He asked first for "smtp.pangia.biz", didn't get
an answer, and moved on to looking up "wap.pangia.biz", then the UDP
packet with the answer for "smtp.pangia.biz" came in.  That confused the
resolver; it logged the error and moved on.  I don't know enough to
say for certain that's the problem, but that seems like the most
likely scenario to me.  There's nothing there that's compelling to
say it's a spammer or a forged address.  Just that there was a
failed DNS transaction.

	Thanks,
		Kirby
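The check Kirby describes (the resolver comparing the question section of the reply against the question it sent) can be reproduced on the wire format directly. The following is an added example, not code from the original post or from glibc: it builds a query and a response by hand, parses the response back (including the usual compression pointer in the answer's name), and applies the two sanity checks a stub resolver makes before trusting a reply, the transaction ID and the question section. The names come from the thread; the transaction IDs and the 192.0.2.x addresses are constructed for the example. The same two checks are what a resolver relies on to drop unsolicited or forged replies, so a mismatch by itself says only "this reply does not belong to this query", not why.

```python
import struct

# --- building messages (constructed sample traffic, not captured) ---

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(txid, name, qtype=1):
    """Standard recursive A query: header (12 bytes) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid, name, addr, qtype=1, ttl=300):
    """Response echoing the question, plus one A record whose name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, ANCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer

# --- parsing messages ---

def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers.
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # stream resumes after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_message(msg):
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                  # render A record as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

# --- the stub-resolver sanity checks ---

def check_response(query, response):
    """Return 'ok' if the reply belongs to the query, else a description of
    what did not line up (the kind of thing the resolver logs)."""
    q, r = parse_message(query), parse_message(response)
    if not r["flags"] & 0x8000:
        return "not a response"
    if r["id"] != q["id"]:
        return f"transaction id mismatch: sent {q['id']:#06x}, got {r['id']:#06x}"
    if r["questions"] != q["questions"]:
        return f"Asked for {q['questions'][0][0]}, got {r['questions'][0][0]}"
    return "ok"

if __name__ == "__main__":
    # The out-of-order scenario from the thread: the smtp answer arrives late,
    # after the client has already moved on to asking for wap.
    late_smtp = build_response(0x1234, "smtp.pangia.biz", "192.0.2.25")
    wap_query = build_query(0x1235, "wap.pangia.biz")
    print(check_response(wap_query, late_smtp))
    # A server that echoes the wrong question under the right ID trips the other check.
    print(check_response(wap_query, build_response(0x1235, "smtp.pangia.biz", "192.0.2.25")))
    print(check_response(wap_query, build_response(0x1235, "wap.pangia.biz", "192.0.2.10")))
```

A real late answer normally fails on the transaction ID before the question section is ever compared; the "Asked for X, got Y" form only appears when the ID matched (by reuse, coincidence or a server mixing up its state) and the question did not. Either way the reply is discarded, which is why the lookup that produced the log line simply fails rather than returning a wrong address.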