Hi,
I see things reported in logwatch that I don't expect. For instance, named reports resolving addresses that are part of spams I'm receiving. However, I'm not using spam filtering, I'm not loading HTML with images that might contain web bugs (and these spams were plain text, anyway), so I didn't expect Evolution to go checking on the addresses.
Anybody else see the same thing, or can explain it?
Thanks.
Who says it's evolution?
You are running your own DNS server, fair enough. Are you also running your own email server? In that case, the email server performs lookups to verify the hostname of the sender.
HTH
Andy
On Sunday 13 November 2005 23:33, Tim wrote:
Hi,
I see things reported in logwatch that I don't expect. For instance, named reports resolving addresses that are part of spams I'm receiving. However, I'm not using spam filtering, I'm not loading HTML with images that might contain web bugs (and these spams were plain text, anyway), so I didn't expect Evolution to go checking on the addresses.
Anybody else see the same thing, or can explain it?
Thanks.
Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Tim:
I see things reported in logwatch that I don't expect. For instance, named reports resolving addresses that are part of spams I'm receiving. However, I'm not using spam filtering, I'm not loading HTML with images that might contain web bugs (and these spams were plain text, anyway), so I didn't expect Evolution to go checking on the addresses.
Andy Pieters:
Who says it's evolution?
Because on that machine, there's nothing else that touches the mail. The mail server runs on a different machine, and this one gets it via IMAP.
If I switch machines to run evolution elsewhere, that machine does the same thing:
e.g. Nov 12 18:14:12 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
Neither machine has been set up to do any sort of junk mail filtering, so I don't expect evolution to do any sort of checkups on the mail it's handling.
NB: That address seems to be associated with someone trying to commit a fraud, in particular it seems like money laundering.
--On Monday, November 14, 2005 9:03 AM +1030 Tim ignored_mailbox@yahoo.com.au wrote:
I see things reported in logwatch that I don't expect. For instance, named reports resolving addresses that are part of spams I'm receiving.
Logwatch is supposed to tell you what's unusual in your logs. The next step is to look at the raw logs and find out where they're coming from. Grep the /var/log directory for the log line to see what files it's in, and then inspect those files for details.
Tim:
I see things reported in logwatch that I don't expect. For instance, named reports resolving addresses that are part of spams I'm receiving.
Kenneth Porter:
Logwatch is supposed to tell you what's unusual in your logs. The next step is to look at the raw logs and find out where they're coming from.
I know that. As I said, named. What the logs don't show is what application is involved with named. But the process of elimination points the finger squarely at evolution (as I said). Leading back to my original questions of whether anybody gets the same behaviour (evolution doing some sort of checkup on addresses in the mail, when it's not set to do so).
Grep the /var/log directory for the log line to see what files it's in, and then inspect those files for details.
Set of examples:
Nov 12 18:14:07 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
Nov 12 18:14:07 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 67.85.180.207#53
Nov 12 18:14:08 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
Nov 12 18:14:09 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 67.85.180.207#53
Nov 12 18:14:10 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 67.85.180.207#53
Nov 12 18:14:11 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
Nov 12 18:14:12 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 67.85.180.207#53
Nov 12 18:14:12 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
(Be warned, the domain is involved with a fraud spam, one looking like money laundering.)
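Added example (not part of any message in this thread): a small Python tally of the named lines quoted above, grouping them by error, queried name and record type and counting the remote servers involved. The sample input is copied from the thread; the function and variable names are illustrative.

```python
import re
from collections import Counter

# Sample input: the named lines quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Nov 12 18:14:07 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
Nov 12 18:14:07 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 67.85.180.207#53
Nov 12 18:14:08 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
Nov 12 18:14:09 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 67.85.180.207#53
Nov 12 18:14:10 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 67.85.180.207#53
Nov 12 18:14:11 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
Nov 12 18:14:12 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 67.85.180.207#53
Nov 12 18:14:12 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
"""

# Matches syslog lines of the form:
#   <date> <host> named[<pid>]: <ERR> resolving '<name>/<type>/<class>': <server>#<port>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\snamed\[\d+\]:\s"
    r"(?P<err>[A-Z]+) resolving '(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)':\s"
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)

def parse_line(line):
    """Return the fields of one named resolver-error line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text):
    """Group resolver errors by (error, name, qtype); count lines per remote server."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line
        key = (rec["err"], rec["name"], rec["qtype"])
        entry = summary.setdefault(
            key, {"count": 0, "servers": Counter(), "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["servers"][rec["server"]] += 1
        entry["last"] = rec["ts"]  # syslog is chronological, so the latest line wins
    return summary

if __name__ == "__main__":
    for (err, name, qtype), e in summarize(SAMPLE_LOG).items():
        print(f"{err} {name} {qtype}: {e['count']} lines, {e['first']} to {e['last']}")
        for server, n in e["servers"].most_common():
            print(f"  {server}: {n}")
```

These lines record the remote server named was querying, not the local program that asked for the name, which is why the thread moves on to a packet capture on port 53.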
Tim wrote:
I know that. As I said, named. What the logs don't show is what application is involved with named. But the process of elimination points the finger squarely at evolution (as I said). Leading back to my
Nov 12 18:14:07 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
Maybe it's an idea to bust out tcpdump
tcpdump -s0 -X port 53
and see what is happening when it attempts the lookup.
Perhaps these guys are sending HTML mails with IMG tags or IFRAMEs with URLs involving education-russia, hence the attempt to resolve?
Or IIRC evolution uses spamd/spamassassin? It may well be doing 'research' on its own to assess the spamfulness of the email.
-Andy
Tim wrote:
I know that. As I said, named. What the logs don't show is what application is involved with named. But the process of elimination points the finger squarely at evolution (as I said). Leading back to my
Nov 12 18:14:07 mongrel named[1415]: FORMERR resolving 'education-russia.com/AAAA/IN': 68.105.15.143#53
Andy Green:
Maybe it's an idea to bust out tcpdump
tcpdump -s0 -X port 53
and see what is happening when it attempts the lookup.
Looks like I'm going to have to do that.
Perhaps these guys are sending HTML mails with IMG tags or IFRAMEs with URLs involving education-russia, hence the attempt to resolve?
Shouldn't make any difference, I'm not loading images in mail from the WWW. Evolution shouldn't be doing any such lookups.
Or IIRC evolution uses spamd/spamassassin? It may well be doing 'research' on its own to assess the spamfulness of the email.
While it "can" I don't allow the option. Spamassassin didn't get allowed to do its tricks anything more than a few days after initial tests, it makes Evolution even slower than it usually is (quite awful, to begin with).
By the way: This message is finally being replied to, now, because my mail host (an external service, which makes poor use of spamassassin) thought it was spam, thanks to the URI mentioned in the log entry, and I haven't seen the message until today.