[sanesecurity] Re: clamav-unofficial-sigs.sh IP errors in cron

  • From: Alster <alster@xxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Thu, 16 Jul 2009 16:28:47 +0200

Hi,

Micah Anderson <micah@...> writes:
>
> I'm running the latest clamav-unofficial-sigs.sh script, and
> periodically I am seeing this in my cron error output:
>
> 193.158.37.141 does not exist, try again
[..]

I'm experiencing this problem as well, it shows up as cron errors.

I started looking more into the problem, and I'm not convinced that it
has to do with a connection limit blocking problem, rather it has to do
with the fact that 193.158.37.141 does not have a proper DNS reverse
PTR record associated with it, which causes this error.

The clamav-unofficial-sigs script seems to expect 'host' to return an
actual hostname from the reverse lookup of the IP. If you look at line
900 and 987 (of the latest released script):

line 900:
ss_mirror_name=`host $ss_mirror_ip | awk '{print $NF}' | cut -d "(" -f2 | sed 's/\(.*\)./\1/'`

line 987:
msrbl_mirror_name=`host $msrbl_mirror_ip | awk '{print $NF}' | cut -d "(" -f2 | sed 's/\(.*\)./\1/'`

using the ISC 'host' package, this ends up looking like this:
$ host 193.158.37.141 | awk '{print $NF}' | cut -d "(" -f2 | sed 's/\(.*\)./\1/'
193.158.37.141 does not exist, try again
$

Ok, so let us look a little further back. The host line is operating on
$ss_mirror_ip, which comes from a few lines previous:

ss_mirror_ips=`host -T $ss_url | awk '{print $NF}'`

and $ss_url is defined as: ss_url="rsync.sanesecurity.net"

So $ss_mirror_ips gets the result of: host -T rsync.sanesecurity.net | awk '{print $NF}'
which produces a set including '193.158.37.141 does not exist, try again'.

I believe the problem is that 193.158.37.141 does *not* have a reverse
DNS setup, and the script does not handle that properly.

Try any tool on the internet to do a reverse lookup:

http://remote.12dt.com/lookup.php produces:
Results
(unable to resolve 193.158.37.141)

http://www.kloth.net/services/nslookup.php produces:
 ** server can't find 141.37.158.193.in-addr.arpa: NXDOMAIN

http://codeflux.com/exec/tools/?method=nslookup&query=193.158.37.141
provides:
    ** server can't find 141.37.158.193.in-addr.arpa: NXDOMAIN

http://www.zonecut.net/dns/ provides:
No nameservers found for 193.158.37.141

http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl?submit=Search+by+IP+Address&q=193.158.37.141&mode=2&qtype=PTR&persist=1&.cgifields=persist&.cgifields=log
produces:
Sorry, no results found for 193.158.37.141.

You will see that 193.158.37.141 conclusively does not have a valid PTR
record, and the script is expecting one to formulate its queries.

An interesting aside, unrelated to this problem, but perhaps something
Bill should be aware of, is that the 'working' IPs in the round-robin
produce different results from the different 'host' programs:

1. using the ISC 'host':
$ host 69.63.144.20 | awk '{print $NF}' | cut -d "(" -f2 | sed 's/\(.*\)./\1/'
update2.fslupdate.co
69.63.144.2

2. using the 'bind9-host':
$ host 69.63.144.20 | awk '{print $NF}' | cut -d "(" -f2 | sed 's/\(.*\)./\1/'
update2.fslupdate.com

Notice that the ISC 'host' produces two lines, including the IP, and the
bind9-host produces only one line.

If I use the 'bind9-host' package, the ss_mirror_name query looks like this:
$ host 193.158.37.141 | awk '{print $NF}' | cut -d "(" -f2 | sed 's/\(.*\)./\1/'
NXDOMAIN

If I perform a DNS lookup of the IP address in question on Debian, which
is running bind9-host 1:9.6.1.dfsg-2, I get the following:

$ host 193.158.37.141
Host 141.37.158.193.in-addr.arpa. not found: 3(NXDOMAIN)

That is because there is no reverse PTR record.

If you do this same lookup with the ISC 'host' package, you get the
error we are talking about:
193.158.37.141 does not exist, try again

When doing the ss_mirror_ips=`host -T $ss_url | awk '{print $NF}'` the
results using bind9-host look like this:
www01.masbytes.es
odin.kozstyle.org
spamcop03.sentechsa.net
NXDOMAIN
update1.fslupdate.com
....

(notice the NXDOMAIN)

When using the ISC 'host', they look like this:

$ for ip in `host -T rsync.sanesecurity.net|awk '{print $NF}'`; do host $ip | awk '{print $NF}' | cut -d "(" -f2 | sed 's/\(.*\)./\1/'; done
update1.fslupdate.co
69.63.144.1

update2.fslupdate.co
69.63.144.2

mail.us.tx1.zoidial.co
72.249.91.12

mx0.roessner-net.d
78.46.253.22

sanesecurity.retrosnub.co.u
78.129.234.1

193.158.37.141 does not exist, try again
resolv3.vianetworks.d
194.77.111.2

www01.masbytes.e
213.194.159.3

...

Again, notice the '193.158.37.141 does not exist, try again'.


Please also note that two attempts to post through gmane failed,
although I have been informed that I have successfully verified my
sender address.

Thanks,

Al Sterman
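As an added example (not code from Al's message or from clamav-unofficial-sigs.sh), here is a reverse-lookup helper that tolerates both 'host' output shapes quoted in this thread and treats a missing PTR as a normal condition instead of letting the error text reach the mirror list or cron's stderr. The "Name:"/"Address:" layout of the ISC host output is assumed from the two-line result shown above; the sample outputs at the bottom are constructed, so the block runs without network access.

```shell
#!/bin/sh
# Added example: tolerant PTR parsing for a mirror list, written for this thread;
# it is not code from clamav-unofficial-sigs.sh.
#
# The script's pipeline  awk '{print $NF}' | cut -d "(" -f2 | sed 's/\(.*\)./\1/'
# assumes every 'host <ip>' answer ends in a hostname with a trailing dot. The
# two 'host' implementations on the list break that assumption differently.
legacy_name() {
    # The original pipeline, kept for comparison (input: captured 'host' output).
    printf '%s\n' "$1" | awk '{print $NF}' | cut -d "(" -f2 | sed 's/\(.*\)./\1/'
}

ptr_name_from_output() {
    # $1 = captured stdout+stderr of 'host <ip>'. Prints the PTR name and
    # returns 0, or prints nothing and returns 1 when there is no PTR record.
    case "$1" in
        *"does not exist"*|*NXDOMAIN*|*"not found"*) return 1 ;;
    esac
    name=$(printf '%s\n' "$1" | awk '
        /domain name pointer/ { print $NF; exit }   # bind9-host format
        /^Name:/              { print $2;  exit }   # ISC host format (assumed)
    ')
    [ -n "$name" ] || return 1
    printf '%s\n' "${name%.}"    # strip the trailing dot only if present
}

mirror_name() {
    # Fall back to the bare IP when no PTR exists, so an error message is never
    # used as a mirror name; 2>&1 keeps the ISC error out of cron's mail.
    ip=$1
    out=$(host "$ip" 2>&1) || true
    ptr_name_from_output "$out" || printf '%s\n' "$ip"
}

# Constructed samples in the shapes quoted in this thread (no network needed).
isc_ok='Name: update2.fslupdate.com
Address: 69.63.144.20'
bind_ok='20.144.63.69.in-addr.arpa domain name pointer update2.fslupdate.com.'
isc_err='193.158.37.141 does not exist, try again'
bind_err='Host 141.37.158.193.in-addr.arpa. not found: 3(NXDOMAIN)'
for sample in "$isc_ok" "$bind_ok" "$isc_err" "$bind_err"; do
    printf 'legacy: %s | tolerant: %s\n' \
        "$(legacy_name "$sample" | tr '\n' ' ')" \
        "$(ptr_name_from_output "$sample" || echo '(no PTR)')"
done
```

With the real ISC host the error line goes to stderr and so bypasses the legacy pipe entirely (which is why it lands in cron mail); the samples above feed it in as captured text to show what the parser must reject.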
