PMC e-mail id: 4311
I think what you are seeing is the result of
logging by advanced resolver library routines in
libresolv+ (or such versions).
We often have something similar in my message files like:
Feb 11 04:52:13 sparc11 resolv: gethostbyaddr: spike.uniforum.org != 220.127.116.11, possible spoof attempt
Feb 11 04:52:13 sparc11 resolv: connect host=unknown/18.104.22.168
This is output by resolv+ library routines linked with the sendmail
binary. What it boils down to is that, given the hostname
(spike.uniforum.org), the library picked up a numeric IP address, but the hostname looked up by the
numeric address didn't match the original hostname, thus
there is a danger of DNS contamination by spoofers at worst, and
a simple DNS entry error at the problem site.
My /etc/host.conf looks like this.
You probably have to enable the nospoof switch to get this syslog
# comments start with a '#' at the beginning of line
# NIS taken out June 23, 1995
nospoof on <===== Here. No spoof check.
I am not sure how wise it is to turn off
this switch. In my crontab daily jobs, I pick up such messages
and already make a list of known sites that have bogus DNS entries so
that I can visually check if the messages are from the known
problematic sites, or new ones.
Chiaki Ishikawa ishikawa @
Personal Media Corp.
Shinagawa, Tokyo, Japan 142
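
The daily triage described in the message above, as an added example that is not part of the original e-mail: it parses the resolv+ "possible spoof attempt" lines and separates pairs already on a reviewed list from new ones. The function names, the (name, address) keying of the known list and all log lines after the first two are assumptions constructed for the example.

```python
import re
from collections import Counter

# Line format taken from the resolv+ warning quoted in the message:
#   <date> <host> resolv: gethostbyaddr: <name> != <addr>, possible spoof attempt
SPOOF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sresolv:\sgethostbyaddr:\s"
    r"(?P<name>\S+)\s!=\s(?P<addr>[0-9.]+),\spossible spoof attempt\s*$"
)

def parse_spoof_lines(lines):
    """Yield (timestamp, name, address) for each mismatch warning."""
    for line in lines:
        m = SPOOF_RE.match(line)
        if m:
            yield m["ts"], m["name"].rstrip(".").lower(), m["addr"]

def triage(lines, known_pairs):
    """Count warnings, split into already-reviewed pairs and new ones.

    The known list is keyed on (name, address) pairs, an assumption of this
    example: the name in the warning comes from DNS data the remote side may
    control, so a name match alone should not hide a warning.
    """
    known, new = Counter(), Counter()
    for _ts, name, addr in parse_spoof_lines(lines):
        pair = (name, addr)
        (known if pair in known_pairs else new)[pair] += 1
    return known, new

# Constructed sample: the first two lines are the ones quoted in the message,
# the rest are made up for the example (documentation names and addresses).
SAMPLE_LOG = [
    "Feb 11 04:52:13 sparc11 resolv: gethostbyaddr: spike.uniforum.org != 220.127.116.11, possible spoof attempt",
    "Feb 11 04:52:13 sparc11 resolv: connect host=unknown/18.104.22.168",
    "Feb 12 03:10:44 sparc11 resolv: gethostbyaddr: mail.example.net != 192.0.2.25, possible spoof attempt",
    "Feb 12 03:11:02 sparc11 resolv: gethostbyaddr: Mail.Example.NET. != 192.0.2.25, possible spoof attempt",
    "Feb 12 09:30:00 sparc11 resolv: gethostbyaddr: spike.uniforum.org != 198.51.100.7, possible spoof attempt",
]
KNOWN_PAIRS = {("spike.uniforum.org", "220.127.116.11")}  # constructed list

if __name__ == "__main__":
    known, new = triage(SAMPLE_LOG, KNOWN_PAIRS)
    for (name, addr), n in sorted(new.items()):
        print(f"NEW   {n:3d}  {name} != {addr}")
    for (name, addr), n in sorted(known.items()):
        print(f"known {n:3d}  {name} != {addr}")
```

A known name that shows up with an address not on the list is reported as new, which is the case worth a manual look.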