Source of spam


Proxy
Hello,

I have a postfix mail server on the same server as my website.
This website has some form for contacting me. Mail is sent to
[hidden email] (delivered locally) and it is then forwarded to
my gmail account (postfix.admin setup). I'm receiving spam sent to this
address and I'm trying to find out what is the entry point for these
messages. I think that my server is not an open relay:

smtpd_relay_restrictions = reject_unauth_pipelining,
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 reject_unauth_destination,
# check_policy_service inet:127.0.0.1:10023,
 permit

mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64

I tried to send emails using swaks and it is not allowing me to do that without
authentication.

Also, spam is only sent to my address (much better than spamming other users), so I
think that the entry point has to be this web form, but I'm confused by the logs:

May  4 04:02:03 hostname postfix/smtpd[15310]: warning: hostname triband-del-59.178.65.172.bol.net.in does not resolve to address 59.178.65.172: Name or service not known
May  4 04:02:03 hostname postfix/smtpd[15310]: connect from unknown[59.178.65.172]
May  4 04:02:04 hostname postfix/smtpd[15310]: B2DF28EE52: client=unknown[59.178.65.172]
May  4 04:02:05 hostname postfix/cleanup[15957]: B2DF28EE52: message-id=<[hidden email]>
May  4 04:02:05 hostname postfix/qmgr[29522]: B2DF28EE52: from=<[hidden email]>, size=492, nrcpt=2 (queue active)
May  4 04:02:05 hostname postfix/smtpd[15310]: disconnect from unknown[59.178.65.172]
May  4 04:02:07 hostname postfix/smtpd[15980]: connect from hostname.my.domain.com[127.0.0.1]
May  4 04:02:07 hostname postfix/smtpd[15980]: 4B0BC8EE54: client=hostname.my.domain.com[127.0.0.1]
May  4 04:02:07 hostname postfix/cleanup[15957]: 4B0BC8EE54: message-id=<[hidden email]>
May  4 04:02:07 hostname postfix/smtpd[15980]: disconnect from hostname.my.domain.com[127.0.0.1]
May  4 04:02:07 hostname postfix/qmgr[29522]: 4B0BC8EE54: from=<[hidden email]>, size=869, nrcpt=1 (queue active)
May  4 04:02:07 hostname postfix/smtpd[15980]: connect from hostname.my.domain.com[127.0.0.1]
May  4 04:02:07 hostname postfix/smtpd[15980]: 4EADD8EE55: client=hostname.my.domain.com[127.0.0.1]
May  4 04:02:07 hostname postfix/cleanup[15957]: 4EADD8EE55: message-id=<[hidden email]>
May  4 04:02:07 hostname postfix/smtp[15590]: connect to gmail-smtp-in.l.google.com[2607:f8b0:400e:c00::1a]:25: Network is unreachable
May  4 04:02:07 hostname postfix/smtpd[15980]: disconnect from hostname.my.domain.com[127.0.0.1]
May  4 04:02:07 hostname postfix/qmgr[29522]: 4EADD8EE55: from=<[hidden email]>, size=1139, nrcpt=2 (queue active)
May  4 04:02:07 hostname amavis[1030]: (01030-15) Passed CLEAN {RelayedInbound,RelayedOpenRelay}, [59.178.65.172]:25072 [59.178.65.172] <[hidden email]> -> <[hidden email]>,<[hidden email]>, Queue-ID: B2DF28EE52,Message-ID: <[hidden email]>, mail_id: 3MsM13ORuq28, Hits: -1.9, size: 492, queued_as: 4B0BC8EE54/4EADD8EE55, 2287 ms
May  4 04:02:07 hostname postfix/smtp[15959]: B2DF28EE52: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=0.68/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok:queued as 4B0BC8EE54)

Aisha is of course a non-existent email address on my server. It looks like the
client is connected from 59.178.65.172 (from outside) to the smtpd server, not
from localhost, which I think would normally happen if the sender were using
the web form on the web server (sendmail command).

Here is the first Received line and a few other header lines:

Received: from mail.my.domain.com ([my_server_ip])
        by localhost (hostname.my.domain.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 3MsM13ORuq28; Fri,  4 May 2018 04:02:05 -0500 (CDT)
Message-ID: <[hidden email]>
Date: Fri, 04 May 2018 14:36:51 +0530
From: "[hidden email]" <[hidden email]>
To: [hidden email]
Reply-To: "[hidden email]" <[hidden email]>
Subject: Best porno ever
Envelope-To: <[hidden email]>


Every spam message has the same Message-ID
([hidden email]) if that means anything.

Any idea what is happening and how this spam is sent to me?



Re: Source of spam

@lbutlr
On May 4, 2018, at 12:33, Proxy <[hidden email]> wrote:
> This website has some form for contacting me

This is almost certainly where the fault lies. How is this form protected? How does it authenticate with your server? How ancient is the code used for the form? How do you verify a human?

--
My main job is trying to come up with new and innovative and effective ways to reject even more mail. I'm up to about 97% now.



Re: Source of spam

Proxy
On 2018-May-04 13:22, LuKreme wrote:
> On May 4, 2018, at 12:33, Proxy <[hidden email]> wrote:
> > This website has some form for contacting me
>
> This is almost certainly where the fault lies. How is this form protected? How does it authenticate with your server? How ancient is the code used for the form? How do you verify a human?

I'm using Google reCAPTCHA to protect the form. No authentication,
$myorigin is allowed to send mails (via mail() function). I think very
old jquery is used here.


Re: Source of spam

Proxy
On 2018-May-04 22:03, Proxy wrote:
> On 2018-May-04 13:22, LuKreme wrote:
> > On May 4, 2018, at 12:33, Proxy <[hidden email]> wrote:
> > > This website has some form for contacting me
> >
> > This is almost certainly where the fault lies. How is this form protected? How does it authenticate with your server? How ancient is the code used for the form? How do you verify a human?
>
> I'm using Google reCAPTCHA to protect the form. No authentication,
> $myorigin is allowed to send mails (via mail() function). I think very
> old jquery is used here.

I wanted to say, mynetworks is allowed to send mails.

Re: Source of spam

Viktor Dukhovni
In reply to this post by Proxy


> On May 4, 2018, at 2:33 PM, Proxy <[hidden email]> wrote:
>
> May  4 04:02:03 hostname postfix/smtpd[15310]: connect from unknown[59.178.65.172]
> May  4 04:02:04 hostname postfix/smtpd[15310]: B2DF28EE52: client=unknown[59.178.65.172]
> May  4 04:02:05 hostname postfix/smtpd[15310]: disconnect from unknown[59.178.65.172]

The message arrives from outside with client IP 59.178.65.172 exactly as logged.

> May  4 04:02:05 hostname postfix/cleanup[15957]: B2DF28EE52: message-id=<[hidden email]>

Your cleanup(8) process probably has header_checks(5) that remove the locally
added Received header.

> May  4 04:02:05 hostname postfix/qmgr[29522]: B2DF28EE52: from=<[hidden email]>, size=492, nrcpt=2 (queue active)

The envelope sender is as above.  Note that the message has two recipients.

> May  4 04:02:07 hostname postfix/smtp[15959]: B2DF28EE52: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=0.68/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok:queued as 4B0BC8EE54)

Your logging only shows the handling of one of the recipients, where is the other
one?  The reported recipient is external and handed off to amavis.

> May  4 04:02:07 hostname amavis[1030]: (01030-15) Passed CLEAN {RelayedInbound,RelayedOpenRelay}, [59.178.65.172]:25072 [59.178.65.172] <[hidden email]> -> <[hidden email]>,<[hidden email]>, Queue-ID: B2DF28EE52,Message-ID: <[hidden email]>, mail_id: 3MsM13ORuq28, Hits: -1.9, size: 492, queued_as: 4B0BC8EE54/4EADD8EE55, 2287 ms

Amavis logs receiving mail for two recipients:

        <[hidden email]>
        <[hidden email]>

which it delivers in two separate envelopes: 4B0BC8EE54/4EADD8EE55

> May  4 04:02:07 hostname postfix/smtpd[15980]: connect from hostname.my.domain.com[127.0.0.1]
> May  4 04:02:07 hostname postfix/smtpd[15980]: 4B0BC8EE54: client=hostname.my.domain.com[127.0.0.1]
> May  4 04:02:07 hostname postfix/cleanup[15957]: 4B0BC8EE54: message-id=<[hidden email]>
> May  4 04:02:07 hostname postfix/smtpd[15980]: disconnect from hostname.my.domain.com[127.0.0.1]
> May  4 04:02:07 hostname postfix/qmgr[29522]: 4B0BC8EE54: from=<[hidden email]>, size=869, nrcpt=1 (queue active)
> May  4 04:02:07 hostname postfix/smtpd[15980]: connect from hostname.my.domain.com[127.0.0.1]
> May  4 04:02:07 hostname postfix/smtpd[15980]: 4EADD8EE55: client=hostname.my.domain.com[127.0.0.1]
> May  4 04:02:07 hostname postfix/cleanup[15957]: 4EADD8EE55: message-id=<[hidden email]>
> May  4 04:02:07 hostname postfix/smtp[15590]: connect to gmail-smtp-in.l.google.com[2607:f8b0:400e:c00::1a]:25: Network is unreachable
> May  4 04:02:07 hostname postfix/smtpd[15980]: disconnect from hostname.my.domain.com[127.0.0.1]
> May  4 04:02:07 hostname postfix/qmgr[29522]: 4EADD8EE55: from=<[hidden email]>, size=1139, nrcpt=2 (queue active)

Some of the logging (again incomplete) of the downstream processing.

For actual help:

        http://www.postfix.org/DEBUG_README.html#mail

--
        Viktor.
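
The manual trace above (inbound queue ID, amavis hand-off, re-injected queue IDs) can be scripted to answer the original question of whether a message entered over SMTP from outside or through a local sendmail/mail() call. This is an added example, not part of any post in the thread; the example.* addresses, the pickup entry and the function names are constructed, and it assumes short hexadecimal queue IDs.

```python
import re

# Constructed sample: log lines from the thread with the redacted addresses
# replaced by example.* placeholders, plus one constructed pickup(8) entry
# showing how a message submitted through the local sendmail command is logged.
SAMPLE_LOG = """\
May  4 04:02:04 hostname postfix/smtpd[15310]: B2DF28EE52: client=unknown[59.178.65.172]
May  4 04:02:05 hostname postfix/qmgr[29522]: B2DF28EE52: from=<aisha@example.org>, size=492, nrcpt=2 (queue active)
May  4 04:02:07 hostname postfix/smtpd[15980]: 4B0BC8EE54: client=hostname.my.domain.com[127.0.0.1]
May  4 04:02:07 hostname postfix/smtpd[15980]: 4EADD8EE55: client=hostname.my.domain.com[127.0.0.1]
May  4 04:02:07 hostname amavis[1030]: (01030-15) Passed CLEAN {RelayedInbound,RelayedOpenRelay}, [59.178.65.172]:25072 [59.178.65.172] <aisha@example.org> -> <contact@example.org>,<owner@example.net>, Queue-ID: B2DF28EE52,Message-ID: <x@example.org>, mail_id: 3MsM13ORuq28, Hits: -1.9, size: 492, queued_as: 4B0BC8EE54/4EADD8EE55, 2287 ms
May  4 04:02:07 hostname postfix/smtp[15959]: B2DF28EE52: to=<contact@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=0.68/0/0/2.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4B0BC8EE54)
May  4 05:10:00 hostname postfix/pickup[16001]: 7C1D08EE60: uid=33 from=<www-data>
"""

# Assumes short hexadecimal queue IDs, as in the thread's logs.
QID = r"([0-9A-F]{6,})"
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=\S+\[([^\]]+)\]")
PICKUP = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=(\d+) ")
REINJECT = re.compile(r"postfix/smtp\[\d+\]: " + QID + r": to=.*queued as " + QID)
AMAVIS = re.compile(r"amavis\[\d+\]: .*Queue-ID: " + QID + r",.*queued_as: ([0-9A-F/]+)")


def parse(log_text):
    """Return (origins, parent): how each queue ID entered Postfix, and
    which earlier queue ID it was re-injected from by the content filter."""
    origins, parent = {}, {}
    for line in log_text.splitlines():
        if m := SMTPD.search(line):
            origins[m[1]] = ("smtpd", m[2])            # arrived over SMTP
        elif m := PICKUP.search(line):
            origins[m[1]] = ("pickup", "uid=" + m[2])  # local sendmail/mail()
        elif m := REINJECT.search(line):
            parent[m[2]] = m[1]                        # "queued as" link
        elif m := AMAVIS.search(line):
            for child in m[2].split("/"):              # one envelope per child
                parent[child] = m[1]
    return origins, parent


def trace_origin(queue_id, origins, parent):
    """Walk re-injection links back to the first queue ID and report how
    that first copy arrived: ("smtpd", client_ip) or ("pickup", "uid=N")."""
    chain = [queue_id]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain, origins.get(chain[-1])


if __name__ == "__main__":
    origins, parent = parse(SAMPLE_LOG)
    for qid in ("4EADD8EE55", "4B0BC8EE54", "7C1D08EE60"):
        print(qid, *trace_origin(qid, origins, parent))
```

A re-injected copy always shows client 127.0.0.1, so only the root of the chain says where the message really came from.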


Re: Source of spam

Proxy
On 2018-May-04 17:09, Viktor Dukhovni wrote:
> For actual help:
>
> http://www.postfix.org/DEBUG_README.html#mail
>

I'm sending postconf -n, postconf -Mf and relevant logs in attachments.




Re: Source of spam

Viktor Dukhovni
On Sat, May 05, 2018 at 12:31:12PM +0200, Proxy wrote:

> I'm sending postconf -n, postconf -Mf and relevant logs in attachments.

> content_filter = amavis:[127.0.0.1]:10024
> enable_original_recipient = no
> gmail_destination_rate_delay = 1s
> mydestination =
> smtpd_recipient_restrictions =
>   reject_unauth_pipelining,
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_non_fqdn_recipient,
>   reject_unknown_recipient_domain,
>   reject_unauth_destination,
>   permit
> transport_maps = hash:/etc/postfix/transport
> virtual_alias_maps =
>   mysql:/etc/postfix/mysql_virtual_alias_maps.cf,
>   mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
> virtual_mailbox_domains =
>  mysql:/etc/postfix/mysql_virtual_domains_maps.cf

The complete first contact logging is:

    May  4 04:02:03 AAAAA postfix/smtpd[15310]: connect
      from unknown[59.178.65.172]
    May  4 04:02:04 AAAAA postfix/smtpd[15310]: B2DF28EE52:
      client=unknown[59.178.65.172]
    May  4 04:02:05 AAAAA postfix/cleanup[15957]: B2DF28EE52:
      message-id=<[hidden email]>
    May  4 04:02:05 AAAAA postfix/qmgr[29522]: B2DF28EE52:
      from=<[hidden email]>, size=492, nrcpt=2 (queue active)
    May  4 04:02:05 AAAAA postfix/smtpd[15310]: disconnect
      from unknown[59.178.65.172]
    May  4 04:02:07 AAAAA postfix/smtp[15959]: B2DF28EE52:
      to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024,
      delay=3, delays=0.68/0/0/2.3, dsn=2.0.0, status=sent
      (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4B0BC8EE54)
    May  4 04:02:07 AAAAA postfix/smtp[15959]: B2DF28EE52:
      to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10024,
      delay=3, delays=0.68/0/0/2.3, dsn=2.0.0, status=sent
      (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4B0BC8EE54)
    May  4 04:02:07 AAAAA postfix/qmgr[29522]: B2DF28EE52: removed

I don't see any "orig_to=" in the logs, so it seems that this
address was in the original envelope (unless that's a side-effect
of "enable_original_recipient = no" that I'm not familiar with).

Since you have "reject_unauth_destination", one can only conclude that
"gmail.com" matches either some entry in "$virtual_alias_maps" (since you
don't have an explicit empty setting for virtual_alias_domains) or it
matches some entry in "$virtual_mailbox_domains".

Report the output of:

   $ postmap -q gmail.com $(postconf -hx virtual_alias_domains virtual_mailbox_domains)

--
        Viktor.

Re: Source of spam

Proxy
On 2018-May-05 12:19, Viktor Dukhovni wrote:
 
> Report the output of:
>
>    $ postmap -q gmail.com $(postconf -hx virtual_alias_domains virtual_mailbox_domains)
>

virtual_alias_domains and virtual_mailbox_domains are in mysql database.
That command gives:

postmap: fatal: open /etc/postfix/mysql_virtual_alias_maps.cf,: No such
file or directory

Anyway, I have aliases that are forwarded to my gmail address. Maybe
that's why it is considered auth_destination. I also have one setting
regarding gmail:

 gmail_destination_rate_delay = 1s

and in /etc/postfix/transport:
 gmail.com gmail:

And in master.cf:
 gmail unix - - n - - smtp

but I guess that it is not related.

Re: Source of spam

Viktor Dukhovni


> On May 5, 2018, at 11:55 AM, Proxy <[hidden email]> wrote:
>
>> Report the output of:
>>
>>  $ postmap -q gmail.com $(postconf -hx virtual_alias_domains virtual_mailbox_domains)
>>
>
> virtual_alias_domains and virtual_mailbox_domains are in mysql database.
> That command gives:
>
> postmap: fatal: open /etc/postfix/mysql_virtual_alias_maps.cf,: No such
> file or directory

My mistake, please change the command to:

 $ postmap -q gmail.com $(postconf -hx virtual_alias_domains virtual_mailbox_domains | tr ',' ' ')

--
        Viktor.




Re: Source of spam

Viktor Dukhovni
In reply to this post by Proxy


> On May 5, 2018, at 11:55 AM, Proxy <[hidden email]> wrote:
>
> Anyway, I have aliases that are forwarded to my gmail address. Maybe
> that's why it is considered auth_destination. I also have one setting
> regarding gmail:

Aliases don't have that effect, only address classes do, which is why
I am asking for the postmap output.  Your mydestination and relay_domains
settings are empty, leaving just virtual alias domains and virtual mailbox
domains.

--
        Viktor.


Re: Source of spam

Proxy
In reply to this post by Viktor Dukhovni
On 2018-May-05 12:03, Viktor Dukhovni wrote:

>
>
> > On May 5, 2018, at 11:55 AM, Proxy <[hidden email]> wrote:
> >
> >> Report the output of:
> >>
> >>  $ postmap -q gmail.com $(postconf -hx virtual_alias_domains virtual_mailbox_domains)
> >>
> >
> > virtual_alias_domains and virtual_mailbox_domains are in mysql database.
> > That command gives:
> >
> > postmap: fatal: open /etc/postfix/mysql_virtual_alias_maps.cf,: No such
> > file or directory
>
> My mistake, please change the command to:
>
>  $ postmap -q gmail.com $(postconf -hx virtual_alias_domains virtual_mailbox_domains | tr ',' ' ')

Empty output.

Re: Source of spam

Viktor Dukhovni


> On May 5, 2018, at 4:21 PM, Proxy <[hidden email]> wrote:
>
>>>> $ postmap -q gmail.com $(postconf -hx virtual_alias_domains virtual_mailbox_domains)
>>>>
>>>
>>> virtual_alias_domains and virtual_mailbox_domains are in mysql database.
>>> That command gives:
>>>
>>> postmap: fatal: open /etc/postfix/mysql_virtual_alias_maps.cf,: No such
>>> file or directory
>>
>> My mistake, please change the command to:
>>
>> $ postmap -q gmail.com $(postconf -hx virtual_alias_domains virtual_mailbox_domains | tr ',' ' ')
>
> Empty output.

Well, you should now try with "enable_original_recipient = yes" and wait
for another message to come in.  Then report logging  for that.  Perhaps
the second recipient is just local alias expansion, despite the lack
of "orig_to=" in the log entries.

--
        Viktor.


Re: Source of spam

Proxy
On 2018-May-05 17:08, Viktor Dukhovni wrote:
>
> Well, you should now try with "enable_original_recipient = yes" and wait
> for another message to come in.  Then report logging  for that.  Perhaps
> the second recipient is just local alias expansion, despite the lack
> of "orig_to=" in the log entries.

Set to yes and I will report logging. Local alias expansion would
explain relaying to gmail, but not why those emails are even accepted.
Coming to port 25, this client doesn't fulfill requirements needed to be
talked to at all if I'm not mistaken (generally, you would need to be
another valid email server). Did I miss something?

Re: Source of spam

Proxy
On 2018-May-05 23:20, Proxy wrote:

> On 2018-May-05 17:08, Viktor Dukhovni wrote:
> >
> > Well, you should now try with "enable_original_recipient = yes" and wait
> > for another message to come in.  Then report logging  for that.  Perhaps
> > the second recipient is just local alias expansion, despite the lack
> > of "orig_to=" in the log entries.
>
> Set to yes and I will report logging. Local alias expansion would
> explain relaying to gmail, but not why those emails are even accepted.
> Coming to port 25, this client doesn't fulfill requirements needed to be
> talked to at all if I'm not mistaken (generally, you would need to be
> another valid email server). Did I miss something?

Or maybe I should set reject_unknown_client_hostname in
smtpd_sender_restrictions and remove permit from the end to achieve that.

Re: Source of spam

Bill Cole-3
On 5 May 2018, at 17:33, Proxy wrote:

> On 2018-May-05 23:20, Proxy wrote:
>> On 2018-May-05 17:08, Viktor Dukhovni wrote:
>>>
>>> Well, you should now try with "enable_original_recipient = yes" and
>>> wait
>>> for another message to come in.  Then report logging  for that.  
>>> Perhaps
>>> the second recipient is just local alias expansion, despite the lack
>>> of "orig_to=" in the log entries.
>>
>> Set to yes and I will report logging. Local alias expansion would
>> explain relaying to gmail, but not why those emails are even
>> accepted.
>> Coming to port 25, this client doesn't fulfill requirements needed to
>> be
>> talked to at all if I'm not mistaken (generally, you would need to be
>> another valid email server). Did I miss something?
>
> Or maybe I should set reject_unknown_client_hostname in
> smtpd_sender_restrictions and remove permit from the end to achieve
> that.

Try reject_unknown_reverse_client_hostname first. It is safer than
reject_unknown_client_hostname. It won't catch the specific miscreant in
your log but unlike reject_unknown_client_hostname it won't block random
outbound IPs of major mailbox providers.

I'm not sure why this specific mail is getting through but looking at
your config I have a few suggestions:

1. Configure postscreen to run in front of smtpd with main.cf settings
something like this:

postscreen_access_list = permit_mynetworks
postscreen_disable_vrfy_command = yes
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
     zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
     zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
     psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_ttl = 10m
postscreen_greet_action = drop

(Adjust the postscreen_dnsbl_sites to taste...)

2. If you don't enable postscreen, AT LEAST fix this:

smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
reject_rbl_client blackholes.easynet.nl

The "blackholes.easynet.nl" DNSBL has been dead for many years, so you
should remove it.  Also, while "sbl.spamhaus.org" is a fine DNSBL, there
is usually no reason for a MTA that has a separate submission service to
not use the "zen.spamhaus.org" which includes many more problem mail
sources including the one you've logged.

3. To tell Aisha and other bogus "local" senders to go away:

smtpd_reject_unlisted_sender = yes



Re: Source of spam

Proxy
On 2018-May-05 20:54, Bill Cole wrote:
> Try reject_unknown_reverse_client_hostname first. It is safer than
> reject_unknown_client_hostname. It won't catch the specific miscreant in
> your log but unlike reject_unknown_client_hostname it won't block random
> outbound IPs of major mailbox providers.

I set reject_unknown_reverse_client_hostname and will see how that goes.

> I'm not sure why this specific mail is getting through but looking at your
> config I have a few suggestions:
>
> 1. Configure postscreen to run in front of smtpd with main.cf settings
> something like this:
>
> postscreen_access_list = permit_mynetworks
> postscreen_disable_vrfy_command = yes
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
>     zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
>     zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
>     psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
> postscreen_dnsbl_threshold = 2
> postscreen_dnsbl_ttl = 10m
> postscreen_greet_action = drop
>
> (Adjust the postscreen_dnsbl_sites to taste...)
>
> 2. If you don't enable postscreen, AT LEAST fix this:
>
> smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client blackholes.easynet.nl
>
> The "blackholes.easynet.nl" DNSBL has been dead for many years, so you
> should remove it.  Also, while "sbl.spamhaus.org" is a fine DNSBL, there is
> usually no reason for a MTA that has a separate submission service to not
> use the "zen.spamhaus.org" which includes many more problem mail sources
> including the one you've logged.
>
> 3. To tell Aisha and other bogus "local" senders to go away:
>
> smtpd_reject_unlisted_sender = yes

As advised, turned on postscreen, fixed DNSBL and set smtpd_reject_unlisted_sender to yes.
 

Re: Source of spam

Viktor Dukhovni


> On May 6, 2018, at 5:19 AM, Proxy <[hidden email]> wrote:
>
>
> I set reject_unknown_reverse_client_hostname and will see how that goes.

Unlikely to make a difference in this case:

  May  4 04:02:03 AAAAA postfix/smtpd[15310]: warning: hostname triband-del-59.178.65.172.bol.net.in does not resolve to address 59.178.65.172: Name or service not known

The host has a reverse address -> name mapping, that name does not match any forward address.

--
        Viktor.
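
The difference between reject_unknown_reverse_client_hostname and reject_unknown_client_hostname discussed in the last few posts, as an added example that is not part of any post: it classifies a client by its address-to-name and name-to-address lookups and reports which restriction would reject it. The lookup tables and the 192.0.2.25 and 198.51.100.7 clients are constructed; only 59.178.65.172 and its PTR name come from the thread's log. Temporary DNS failures, which Postfix handles separately, are not modelled.

```python
import socket


def system_ptr(ip):
    """Address -> name via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """Name -> set of addresses via the system resolver (empty on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def classify_client(ip, ptr=system_ptr, forward=system_forward):
    """Report how smtpd would name the client and which restriction rejects it.

    no-ptr         : no address -> name mapping at all
    ptr-unverified : PTR exists, but the name does not resolve back to the IP
    verified       : PTR exists and the name resolves back to the IP
    Addresses are compared as strings, which is enough for this illustration.
    """
    name = ptr(ip)
    if name is None:
        state = "no-ptr"
    elif ip not in forward(name):
        state = "ptr-unverified"
    else:
        state = "verified"
    return {
        "state": state,
        # smtpd logs "unknown[ip]" unless the name was verified
        "logged_as": (name if state == "verified" else "unknown") + "[" + ip + "]",
        "reject_unknown_reverse_client_hostname": state == "no-ptr",
        "reject_unknown_client_hostname": state != "verified",
    }


# Constructed DNS data so the example runs offline.
PTR = {
    "59.178.65.172": "triband-del-59.178.65.172.bol.net.in",  # from the thread
    "192.0.2.25": "mx.example.net",                           # constructed
}
FORWARD = {"mx.example.net": {"192.0.2.25"}}                  # constructed


def offline(ip):
    """classify_client() against the constructed tables above."""
    return classify_client(ip, PTR.get, lambda n: FORWARD.get(n, set()))


if __name__ == "__main__":
    for ip in ("59.178.65.172", "192.0.2.25", "198.51.100.7"):
        print(ip, offline(ip))
```

Called without the table arguments, classify_client() uses the system resolver and can be pointed at a client address taken from your own log.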