Housekeeping and a lesson in SPF
17 February 2018
Besides fixing quite a few bugs, I’ve been working on the timeline in recent weeks. The thing is, for larger organisations there are a lot of events and it can get messy real quick. ShadowTrackr is supposed to provide you with situational awareness, and messy just doesn’t cut it.
Two things have changed that should improve the timeline. The first is that similar events are now grouped. If, for instance, 10 ports open on a machine simultaneously, they are grouped into one event: "10 ports opened on X". You can click "show details" to find out exactly which ports. Other noisy changes, like changing public key pins or certificate fingerprints, are also hidden behind "show details".
The second change is that the events that should worry you now jump out because of a red warning sign. Think of bad ports like SMB ports opening on an internet-facing machine, certificates that just got a protocol or encryption downgrade, and website security headers that are removed. Note that the bad events will never be grouped and can’t accidentally disappear behind a "show details".
I also got a lesson in SPF this week, and it was a bit of a humbling moment. We’re currently testing a SIEM use case that has something to do with mail servers, and the new API endpoint supporting it is supposed to list all email servers. At some point I got the question why the endpoint showed a mail server with the IP 14. Yes, just 14.
I looked into it and found this SPF record for the Dutch ncsc.nl:
"v=spf1 a mx ip4:159.46.2.165/32 ip4:159.46.2.166/32 ip4:159.46.196.71/32 ip4:159.46.196.72/32 a:mx1.minvenj.nl a:mx2.minvenj.nl a:mx3.minvenj.nl a:mx4.minvenj.nl ip4:145.21.166.66/32 ip4:145.21.166.67/32 ip4:145.21.166.82/32 ip4:46.144.3.66/32 ip4:14" "" "7.181.97.132/32 ip4:145.21.161.201/32 -all"
I thought this was a mistake and joked that someone at the NCSC must be really fond of quotes. Well, the NCSC reacted swiftly and told me this was intended and quite normal for long SPF records. I checked RFC1305 and they are right.
The maximum string length for SPF is 255, and if you want a longer SPF record you can add several of these strings (separated by spaces) in a DNS TXT record. The SPF parser in ShadowTrackr is now fixed and concatenates these strings before parsing the record. Thank you NCSC.
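To make the fix concrete, here is a small SPF parser written for this post as an added example; it is not ShadowTrackr’s code. It takes the TXT record the way a resolver hands it back, as a list of character-strings of at most 255 bytes, and joins them with nothing in between (which is why a split in the middle of "147" is harmless) before splitting the record into mechanisms. It also validates every ip4/ip6 argument, so the truncated "ip4:14" from parsing the first string on its own is rejected rather than becoming a mail server with IP 14. The three strings below are constructed from the ncsc.nl record quoted above.

```python
import ipaddress
import re

# Constructed sample mirroring the ncsc.nl TXT record quoted in the post: the
# three pieces between the double quotes, exactly as a resolver returns them.
NCSC_TXT_STRINGS = [
    "v=spf1 a mx ip4:159.46.2.165/32 ip4:159.46.2.166/32 ip4:159.46.196.71/32 "
    "ip4:159.46.196.72/32 a:mx1.minvenj.nl a:mx2.minvenj.nl a:mx3.minvenj.nl "
    "a:mx4.minvenj.nl ip4:145.21.166.66/32 ip4:145.21.166.67/32 "
    "ip4:145.21.166.82/32 ip4:46.144.3.66/32 ip4:14",
    "",
    "7.181.97.132/32 ip4:145.21.161.201/32 -all",
]

# One SPF term: optional qualifier, mechanism name, optional ":argument", optional "/cidr".
TERM_RE = re.compile(
    r"^(?P<qual>[+\-~?]?)(?P<mech>all|include|a|mx|ptr|ip4|ip6|exists)"
    r"(?::(?P<arg>[^/]*))?(?P<cidr>/\d{1,3})?$",
    re.IGNORECASE,
)


def concatenate_txt(strings):
    """Join the TXT character-strings with nothing in between (RFC 7208, section 3.3)."""
    return "".join(strings)


def split_for_txt(record, limit=255):
    """Publishing side: cut a long record into character-strings of at most `limit` bytes.

    The cut may land in the middle of a token, as it does for ncsc.nl; that is
    fine because every conforming reader concatenates before parsing.
    """
    data = record.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def parse_spf(record):
    """Parse one complete SPF record into (qualifier, mechanism, value) tuples.

    Raises ValueError for a non-SPF record, an unparsable term, or an ip4/ip6
    argument that is not a valid network of the right address family.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect=... or exp=...
            name, _, value = term.partition("=")
            parsed.append(("", name.lower(), value))
            continue
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unparsable SPF term: {term!r}")
        qual = m.group("qual") or "+"
        mech = m.group("mech").lower()
        arg = m.group("arg") or ""
        cidr = m.group("cidr") or ""
        if mech in ("ip4", "ip6"):
            # strict=False accepts a host address with a prefix length, e.g. 10.0.0.1/32
            net = ipaddress.ip_network(arg + cidr, strict=False)
            if (mech == "ip4") != (net.version == 4):
                raise ValueError(f"{mech} term with wrong address family: {term!r}")
            parsed.append((qual, mech, str(net)))
        else:
            parsed.append((qual, mech, arg + cidr))
    return parsed


def is_valid_spf(record):
    """True if the record parses cleanly, False otherwise."""
    try:
        parse_spf(record)
        return True
    except ValueError:
        return False


def sending_sources(parsed):
    """The networks and hostnames a record authorises: what a mail-server
    listing endpoint like the one in the post would expose."""
    return [value for _, mech, value in parsed
            if mech in ("ip4", "ip6", "a", "mx") and value]


if __name__ == "__main__":
    full = concatenate_txt(NCSC_TXT_STRINGS)
    print("first string alone valid:", is_valid_spf(NCSC_TXT_STRINGS[0]))
    print("concatenated valid:", is_valid_spf(full))
    for src in sending_sources(parse_spf(full)):
        print(" ", src)
```

Parsing only the first string fails on "ip4:14", while the concatenated record yields "147.181.97.132/32" among the authorised sources. Rejecting the record outright on a bad ip4 argument is deliberate: an inventory that silently accepts a half-token produces exactly the "mail server with IP 14" entry this post started with.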