On 9/3/06, Duncan Findlay <[EMAIL PROTECTED]> wrote:
> SpamAssassin uses DNS to test messages against various blacklists and
> such; so my guess is that these ports are open and awaiting DNS
> responses.

Ah, hadn't thought of that. I'd been thinking of SpamAssassin applying rules locally and having no business opening up network connections. As you quite rightly point out, that's nonsense when you consider network tests.

> I assume that these ports were closed again very quickly, but you are
> only checking them every four hours... is that correct?

While tiger runs much more frequently it only applies this rule every few hours. So, as you suggest, these seem to have been two consecutive runs.

Tiger setting:
# Get a list of listening processes every day at different hours
#
0,4,6,10,14,18,20 * *           check_listeningprocs 

> Does this make sense?

It does indeed. My knowledge of DNS is pretty limited but I'm sure you're right in that it uses UDP. If that list looks to contain likely connect-back ports then I'm happy to believe that was what was causing the report.

I do still think it is a bit odd that this mail server has been running for years without any of these false positives. Perhaps these lookups were taking longer than usual or failing for some reason?

At any rate thanks for the help with this. If you are sure the ports show legitimate DNS traffic then I'm happy for this bug to be closed.

Andrew.
