1

Topic: Mysterious scheduled DNS lookup

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version: 1.1 MARIADB edition.
- Deployed with iRedMail Easy or the downloadable installer?: installer
- Linux/BSD distribution name and version: CentOS Linux release 7.8.2003 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello, having a bit of mystery here.

I'm trying to investigate alerts a client is getting from their IDS about strange DNS lookups coming from their iRedMail server. Trying to track this down, I set up tcpdump to capture DNS, and every night, at about 03:30 with 10 minutes' variance, I see these same lookups (there are maybe 3 times this many in total):

2022-02-04 03:21:34.369875 IP 192.168.1.38.33089 > 10.7.1.45.53: 39014+ [1au] A? fetch-liveupdate.sh.multi.surbl.org. (64)
2022-02-04 03:21:34.370526 IP 192.168.1.38.33089 > 10.7.1.45.53: 14614+ [1au] A? fetch-liveupdate.sh.dob.sibl.support-intelligence.net. (82)
2022-02-04 03:21:34.370891 IP 192.168.1.38.33089 > 10.7.1.45.53: 11798+ [1au] A? fetch-liveupdate.sh.dbl.spamhaus.org. (65)
2022-02-04 03:21:34.371701 IP 192.168.1.38.33089 > 10.7.1.45.53: 55412+ [1au] A? lvm_scan.sh.multi.surbl.org. (56)
2022-02-04 03:21:34.371913 IP 192.168.1.38.33089 > 10.7.1.45.53: 30884+ [1au] A? lvm_scan.sh.multi.uribl.com. (56)
2022-02-04 03:21:34.372151 IP 192.168.1.38.33089 > 10.7.1.45.53: 53307+ [1au] A? lvm_scan.sh.dob.sibl.support-intelligence.net. (74)
2022-02-04 03:21:34.372457 IP 192.168.1.38.33089 > 10.7.1.45.53: 39899+ [1au] A? lvm_scan.sh.dbl.spamhaus.org. (57)
2022-02-04 03:21:34.372832 IP 192.168.1.38.33089 > 10.7.1.45.53: 34583+ [1au] NS? lvm_scan.sh. (40)
2022-02-04 03:21:34.373002 IP 192.168.1.38.33089 > 10.7.1.45.53: 49196+ [1au] A? lvm_scan.sh. (40)
2022-02-04 03:21:34.373208 IP 192.168.1.38.33089 > 10.7.1.45.53: 23569+ [1au] A? write-ifcfg.sh.multi.surbl.org. (59)
2022-02-04 03:21:34.373406 IP 192.168.1.38.33089 > 10.7.1.45.53: 48746+ [1au] A? write-ifcfg.sh.multi.uribl.com. (59)
2022-02-04 03:21:34.373698 IP 192.168.1.38.33089 > 10.7.1.45.53: 57977+ [1au] A? write-ifcfg.sh.dob.sibl.support-intelligence.net. (77)
2022-02-04 03:21:34.374025 IP 192.168.1.38.33089 > 10.7.1.45.53: 33126+ [1au] A? write-ifcfg.sh.dbl.spamhaus.org. (60)
2022-02-04 03:21:34.374366 IP 192.168.1.38.33089 > 10.7.1.45.53: 15120+ [1au] NS? write-ifcfg.sh. (43)
2022-02-04 03:21:34.374556 IP 192.168.1.38.33089 > 10.7.1.45.53: 6130+ [1au] A? write-ifcfg.sh. (43)
2022-02-04 03:21:34.374762 IP 192.168.1.38.33089 > 10.7.1.45.53: 17611+ [1au] A? parse-keydev.sh.multi.surbl.org. (60)
2022-02-04 03:21:34.374964 IP 192.168.1.38.33089 > 10.7.1.45.53: 7997+ [1au] A? parse-keydev.sh.multi.uribl.com. (60)
2022-02-04 03:21:34.375193 IP 192.168.1.38.33089 > 10.7.1.45.53: 17890+ [1au] A? parse-keydev.sh.dob.sibl.support-intelligence.net. (78)
2022-02-04 03:21:34.375512 IP 192.168.1.38.33089 > 10.7.1.45.53: 52272+ [1au] A? parse-keydev.sh.dbl.spamhaus.org. (61)
2022-02-04 03:21:34.376036 IP 192.168.1.38.33089 > 10.7.1.45.53: 54367+ [1au] A? parse-keydev.sh. (44)
2022-02-04 03:21:34.376239 IP 192.168.1.38.33089 > 10.7.1.45.53: 5727+ [1au] A? parse-dasd-mod.sh.multi.surbl.org. (62)
2022-02-04 03:21:34.376452 IP 192.168.1.38.33089 > 10.7.1.45.53: 64428+ [1au] A? parse-dasd-mod.sh.multi.uribl.com. (62)
2022-02-04 03:21:34.376744 IP 192.168.1.38.33089 > 10.7.1.45.53: 50027+ [1au] A? parse-dasd-mod.sh.dob.sibl.support-intelligence.net. (80)
2022-02-04 03:21:34.377054 IP 192.168.1.38.33089 > 10.7.1.45.53: 25004+ [1au] A? parse-dasd-mod.sh.dbl.spamhaus.org. (63)
2022-02-04 03:21:34.377384 IP 192.168.1.38.33089 > 10.7.1.45.53: 53854+ [1au] NS? parse-dasd-mod.sh. (46)

These are names of system scripts in CentOS, and they do not show up if I search the content of every file on the system, so they're not in any log - which I presume they'd be if they were coming from an external source.

Since it's just these lookups, it feels like a bug: something seeing {filename.sh}, mistakenly thinking it's a domain name and trying to look it up against a spam list. But as the names are not in any log, I'm at a loss as to what the cause could be.

Any ideas on what it could be or how to find out where it comes from?

Regards,

-David


2

Re: Mysterious scheduled DNS lookup

This doesn't feel like a coincidence:

$ sudo crontab -l | grep mysql
30   3   *   *   *   /bin/bash /var/vmail/backup/backup_mysql.sh
$ grep backup_mysql.sh tcpdump.out | head -n5
2022-02-04 03:30:02.294124 IP 192.168.1.38.14214 > 10.7.1.45.53: 25664+ [1au] A? backup_mysql.sh.multi.surbl.org. (60)
2022-02-04 03:30:02.294545 IP 192.168.1.38.14214 > 10.7.1.45.53: 52297+ [1au] A? backup_mysql.sh.multi.uribl.com. (60)
2022-02-04 03:30:02.294849 IP 192.168.1.38.14214 > 10.7.1.45.53: 2235+ [1au] A? backup_mysql.sh.dob.sibl.support-intelligence.net. (78)
2022-02-04 03:30:02.295206 IP 192.168.1.38.14214 > 10.7.1.45.53: 27611+ [1au] A? backup_mysql.sh.dbl.spamhaus.org. (61)
2022-02-04 03:30:02.296044 IP 192.168.1.38.14214 > 10.7.1.45.53: 44833+ [1au] NS? backup_mysql.sh. (44)

3 (edited by km 2022-02-11 04:16:13)

Re: Mysterious scheduled DNS lookup

I'm going to continue answering my own question here: it's definitely spamassassin, as its config files match all of the RBL lookup sites: support-intelligence.net|multi.surbl.org|multi.uribl.com|spamhaus etc.

Maybe a configuration issue/bug in spamassassin or some underlying perl module?

rpm -qi spamassassin | egrep 'Version|Release|Signature'
Version     : 3.4.0
Release     : 6.el7
Signature   : RSA/SHA256, Wed 14 Oct 2020 09:01:18 PM CEST, Key ID 24c6a8a7f4a80eb5
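A small triage script, added here as an example (not from this thread, iRedMail or SpamAssassin), that takes tcpdump DNS lines like the captures in posts 1 and 2, strips the URIBL zones listed in this post to recover the token being checked, flags tokens that look like script filenames rather than domains, and records whether each lookup fell within a window of the 03:30 cron run. The sample lines are copied from the thread plus one constructed ordinary lookup for contrast; the regex assumes tcpdump's -tttt timestamp format.

```python
import re
from datetime import datetime, timedelta
# URIBL zones seen in the captures in this thread.
URIBL_ZONES = ("multi.surbl.org", "multi.uribl.com",
               "dob.sibl.support-intelligence.net", "dbl.spamhaus.org")

# tcpdump -tttt query line: "<ts> IP <src>.<port> > <dst>.53: <id>+ [1au] <QTYPE>? <name>. (<len>)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP [\d.]+ > [\d.]+\.53: "
    r"\d+\+ (?:\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<name>\S+)\. \(\d+\)$")

# Constructed sample: lines copied from the thread's captures plus one unrelated lookup.
SAMPLE_CAPTURE = [
    "2022-02-04 03:21:34.371701 IP 192.168.1.38.33089 > 10.7.1.45.53: 55412+ [1au] A? lvm_scan.sh.multi.surbl.org. (56)",
    "2022-02-04 03:21:34.372457 IP 192.168.1.38.33089 > 10.7.1.45.53: 39899+ [1au] A? lvm_scan.sh.dbl.spamhaus.org. (57)",
    "2022-02-04 03:21:34.372832 IP 192.168.1.38.33089 > 10.7.1.45.53: 34583+ [1au] NS? lvm_scan.sh. (40)",
    "2022-02-04 03:30:02.294124 IP 192.168.1.38.14214 > 10.7.1.45.53: 25664+ [1au] A? backup_mysql.sh.multi.surbl.org. (60)",
    "2022-02-04 14:05:10.000001 IP 192.168.1.38.40001 > 10.7.1.45.53: 1+ [1au] A? newsletter.example.multi.uribl.com. (60)",
]
def split_uribl_query(name):
    """Return (token, zone) when name is a lookup under a known URIBL zone, else None."""
    for zone in URIBL_ZONES:
        if name.endswith("." + zone):
            return name[:-len(zone) - 1], zone
    return None

def looks_like_script_name(token):
    """'foo.sh' or 'foo_bar.sh' is a filename, not a domain a URIBL should be asked about."""
    return re.fullmatch(r"[A-Za-z0-9_-]+\.sh", token) is not None

def triage(capture_lines, cron_hour, cron_minute, window_minutes=15):
    """Group queries by token; note URIBL zones, direct query types, script-likeness, cron proximity."""
    report = {}
    for line in capture_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DNS query line in the expected format
        parsed = split_uribl_query(m["name"])
        token, zone = parsed if parsed else (m["name"], None)
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        near = abs(ts - ts.replace(hour=cron_hour, minute=cron_minute, second=0)) <= timedelta(minutes=window_minutes)
        e = report.setdefault(token, {"zones": set(), "direct_qtypes": set(),
                                      "script_like": looks_like_script_name(token), "near_cron": near})
        (e["zones"] if zone else e["direct_qtypes"]).add(zone or m["qtype"])
    return report

def suspicious_tokens(report):
    """Script-like tokens that were nevertheless checked against a URIBL zone."""
    return sorted(t for t, e in report.items() if e["script_like"] and e["zones"])
```

Run it over a full capture (e.g. `triage(open("tcpdump.out"), 3, 30)`) and the suspicious tokens with `near_cron` set are the ones to compare against whatever the 03:30 cron job prints or mails.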

4

Re: Mysterious scheduled DNS lookup

I have no idea what the cause could be. This is just a suggestion that could help you track the cause.

If you execute the backup_mysql.sh script manually (or if you change the cron job to run, say, 1 minute later), does it make the same DNS lookups?

5

Re: Mysterious scheduled DNS lookup

Root user has a cron job to query DNS or whitelisting, used by iRedAPD.