unexpected RCODE REFUSED -- named going nuts because of spam

Discussion in 'Linux VPS/Dedicated - cPanel' started by petersconsult, Oct 18, 2017.

  1. petersconsult

    petersconsult Member

    Hello to all,

    Over 1/2 of the lines in my messages log (/var/log/messages) are as follows:
    Code:
    Oct 17 19:09:50 host named[1002]: error (unexpected RCODE REFUSED) resolving 'cha131.profexpert.pw/A/IN': 188.214.192.131#53
    I understand that these errors come, in part, from non-existent or malformed PTR records when a reverse lookup happens...
    However, it seems like named just keeps trying the same IP addresses hundreds of times before giving up...

    My question is this:
    Is there any way to tell named to give up quicker, or stop trying so hard?

    Thank You!

    EDIT: I forgot to mention that, a lot of the time, the IP addresses and/or domains in question are already on RBLs used by my server!!
     
  2. KH-JonathanKW

    KH-JonathanKW Technical Support Staff Member

    If named is reporting the same error for the same IP over and over, then that IP is constantly making a connection towards your server that's causing named to perform the required lookup.

    The service named only performs lookups when an IP connects (email, typically), so if there are hundreds of them being logged, then that IP is constantly connecting.

    These are usually caused by spammers hitting the mail server with bogus domains. If they're in the RBL, they're being dropped anyway, but the connection still gets made.

    There appears to be a way to disable their logging; it requires manual modification of the named.conf. However, I'm not really sure if that's worth the trouble, as it may or may not work on a server where exim is not native (non-panel-provided exim).
     
  3. phpAddict

    phpAddict Active Member

    188.214.192.131 is in Romania, certainly has no need to be on your server unless you're doing things internationally. If it's the same IPs over and over, just block them in ConfigServer. That'll stop them from trying completely.
     
  4. petersconsult

    petersconsult Member

    Thank you both for your answers!
    There is, indeed, a way to stop reporting these errors in the log, but that is not what I'm looking for...

    I guess my best solution is to create some Fail2Ban or CSF rules to block these IPs after the same one shows up in 10 such consecutive errors or something...

    Thank You!

    PS: to hide those messages, you add the following to the /etc/named.conf file:
    Code:
    category lame-servers { null; };
     
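    One caveat before scripting a ban rule on these lines: the address after the colon in a named "unexpected RCODE REFUSED" entry is the nameserver that answered REFUSED for the lookup, not the SMTP client that triggered it, so keying a Fail2Ban or CSF rule on that address blocks a resolver rather than a sender. The queried name is the field worth counting and correlating with the exim log. As an added example (not code from this thread), the following Python script parses lines in the format quoted above, using constructed sample lines, and reports the names and nameservers that exceed a threshold:

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the format the thread shows (not real log data).
SAMPLE_LOG = """\
Oct 17 19:09:50 host named[1002]: error (unexpected RCODE REFUSED) resolving 'cha131.profexpert.pw/A/IN': 188.214.192.131#53
Oct 17 19:09:50 host named[1002]: error (unexpected RCODE REFUSED) resolving 'cha131.profexpert.pw/A/IN': 188.214.192.131#53
Oct 17 19:09:51 host named[1002]: error (unexpected RCODE REFUSED) resolving 'cha131.profexpert.pw/MX/IN': 188.214.192.131#53
Oct 17 19:09:52 host exim[2210]: unrelated line that must be ignored
Oct 17 19:09:53 host named[1002]: error (unexpected RCODE SERVFAIL) resolving 'spam.example.org/A/IN': 198.51.100.7#53
Oct 17 19:09:54 host named[1002]: error (unexpected RCODE REFUSED) resolving 'spam.example.org/A/IN': 198.51.100.7#53
"""

# Matches only REFUSED lines; 'server' is the nameserver that answered, not the SMTP client.
LINE_RE = re.compile(
    r"named\[\d+\]: error \(unexpected RCODE REFUSED\) "
    r"resolving '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': "
    r"(?P<server>[0-9A-Fa-f.:]+)#\d+"
)


def parse_refused(lines):
    """Yield (queried_name, record_type, refusing_nameserver) for each matching line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("name"), m.group("rtype"), m.group("server")


def summarize(lines):
    """Return (errors per queried name, errors per refusing nameserver) as Counters."""
    by_name, by_server = Counter(), Counter()
    for name, _, server in parse_refused(lines):
        by_name[name] += 1
        by_server[server] += 1
    return by_name, by_server


def over_threshold(counter, threshold=10):
    """Keys seen at least `threshold` times, most frequent first."""
    return [(k, n) for k, n in counter.most_common() if n >= threshold]


if __name__ == "__main__":
    # Pass a path (e.g. /var/log/messages) to scan a real file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    names, servers = summarize(text.splitlines())
    print("names:", over_threshold(names, 2))
    print("nameservers:", over_threshold(servers, 2))
```

The names list is the one to match against exim's sender domains or PTR results before deciding what to deny; the nameserver list mostly shows which upstream resolvers are refusing.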
  5. Dan

    Dan Moderator

    You could just tell CSF to block the IP completely...

    csf -d 188.214.192.131
     
  6. petersconsult

    petersconsult Member

    @Dan: I've tried doing that before, but it's basically useless...
    Spammers change IPs every 6 hours or so, and they don't use them again. Mostly, they just switch between AWS instances...
    I've tried so many things before...
    For example, I've set up my own blacklists (both IP and domain based) in exim, by adding the following in the custom_begin_check_message_pre section:
    Code:
    # My Domain BlackList
    deny sender_domains = /etc/exim_blacklist
        log_message = Sender $sender_address [$sender_host_address] rcpt: $recipients matches domain on My Custom Domain BlackList
    # My IP BlackList
    deny hosts = /etc/exim_blacklistIP
        log_message = Sender $sender_address [$sender_host_address] rcpt: $recipients matches IP on My Custom IP BlackList
    But spammers hardly ever reuse domains and/or IPs...
     