ShadowTrackr


DUHL IP addresses and false positives

17 February 2019
In the last few weeks, IP addresses belonging to several users have ended up on the SORBS DUHL list. ShadowTrackr picked this up and dutifully sent a blacklist warning. If the IP address is running a mail server, that warning is justified. In other cases, unfortunately, it is a false alert.

DUHL is short for Dynamic User/Host List. It contains IP addresses that ISPs have flagged as residential or small-business internet lines. Such lines are meant for browsing the internet and should not have servers running on them. Since the SORBS blacklist is mainly consulted by mail servers looking to filter out spam, a DUHL list is quite useful: a host on a home internet line that is sending email has very likely been compromised and is sending spam.

The problem arises when you have your home or branch-office internet lines in ShadowTrackr. That is a perfectly good idea, since you will be warned when you have security trouble, and we encourage it. But your ISP may have flagged that line as a DUHL connection, and ShadowTrackr will alert on it. There was even a case where the ISP repurposed an IP range from dynamic use to a server park and forgot to update the DUHL flag at SORBS. Again, the result was a false positive.

To prevent these false alerts, ShadowTrackr now queries only the relevant SORBS sublists instead of the main blacklist. The main blacklist includes the DUHL listings; by querying the sublists separately we can tell a DUHL-only listing apart from a real spam listing and avoid the false positives. We shouldn't be scaring you with false positives that can be avoided. Good riddance to this one :-)

You can find more information on the SORBS lists here
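As an added illustration of the distinction this post draws (example code written for this page, not ShadowTrackr's own implementation), here is a DNSBL lookup that queries the SORBS sublists separately and treats a DUHL-only hit on a line without a mail server as non-actionable, while a hit on any spam-related sublist still alerts. The zone names and the aggregate-zone answer codes are taken from the SORBS documentation as published around the time of the post and are assumptions to verify, as is whether those zones still answer at all; the resolver is injectable, so the sample at the bottom runs offline on constructed answers (TEST-NET addresses).

```python
"""DNSBL lookup that tells a DUHL-only listing apart from a real spam listing.

Added example for this post; not ShadowTrackr code.  Zone names and answer
codes follow the SORBS documentation as published around 2019 (assumption:
confirm the zones still resolve and the codes still apply before relying on them).
"""
import ipaddress
import socket

AGGREGATE_ZONE = "dnsbl.sorbs.net"          # combined list, DUHL included
DUHL_ZONE = "dul.dnsbl.sorbs.net"           # dynamic/residential lines only
SPAM_ZONES = (                              # sublists that indicate abuse
    "spam.dnsbl.sorbs.net",
    "smtp.dnsbl.sorbs.net",
    "http.dnsbl.sorbs.net",
    "socks.dnsbl.sorbs.net",
    "zombie.dnsbl.sorbs.net",
)
# Last octet of an aggregate-zone answer -> reason (per SORBS docs; assumption).
AGGREGATE_CODES = {
    2: "http", 3: "socks", 4: "misc", 5: "smtp", 6: "spam", 7: "web",
    8: "block", 9: "zombie", 10: "dul", 11: "badconf", 12: "nomail", 14: "noserver",
}


def reverse_ipv4(ip):
    """'192.0.2.10' -> '10.2.0.192'; rejects anything that is not IPv4."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split(".")))


def system_resolver(name):
    """Live lookup via the OS resolver.  NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dnsbl_answers(ip, zone, resolve):
    """A records for <reversed-ip>.<zone>, keeping only the 127.0.0.0/8 ones.

    Any other address means a parked/wildcard domain or a resolver that
    rewrites NXDOMAIN, and must never be counted as a listing.
    """
    return [a for a in resolve(f"{reverse_ipv4(ip)}.{zone}") if a.startswith("127.")]


def aggregate_reasons(ip, resolve=system_resolver):
    """Why the aggregate zone lists the IP, e.g. {'dul'} or {'spam', 'dul'}."""
    return {AGGREGATE_CODES.get(int(a.split(".")[-1]), "unknown")
            for a in dnsbl_answers(ip, AGGREGATE_ZONE, resolve)}


def blacklist_verdict(ip, runs_mail_server, resolve=system_resolver):
    """('clear' | 'ignore' | 'alert', set of zones that listed the IP).

    Queries the sublists instead of the aggregate, so a DUHL hit can be
    weighed on its own: on a line that is not running a mail server it is
    expected and not a security finding.
    """
    hits = {z for z in (DUHL_ZONE, *SPAM_ZONES) if dnsbl_answers(ip, z, resolve)}
    if not hits:
        return "clear", hits
    if hits == {DUHL_ZONE} and not runs_mail_server:
        return "ignore", hits
    return "alert", hits


def fake_resolver(listings):
    """Constructed stand-in for system_resolver: query name -> list of A answers."""
    return lambda name: list(listings.get(name, []))


if __name__ == "__main__":
    # Constructed sample: a residential line that SORBS has flagged as DUHL only.
    home_line = fake_resolver({
        "10.2.0.192.dnsbl.sorbs.net": ["127.0.0.10"],
        "10.2.0.192.dul.dnsbl.sorbs.net": ["127.0.0.10"],
    })
    print(aggregate_reasons("192.0.2.10", home_line))         # {'dul'}
    print(blacklist_verdict("192.0.2.10", False, home_line))  # ('ignore', {'dul.dnsbl.sorbs.net'})
    print(blacklist_verdict("192.0.2.10", True, home_line))   # ('alert', {'dul.dnsbl.sorbs.net'})
```

The `runs_mail_server` flag is the piece of context the aggregate list cannot give you: the same DUHL answer is noise for a branch-office line and a real finding for a host that is supposed to deliver mail. Filtering answers to 127.0.0.0/8 also guards against the ISP-repurposing case turning into a different false positive when a zone is later parked on a wildcard.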

ShadowTrackr Android app available in Google Play Store

10 February 2019
It has been in the planning for a while, and now it is finally released: the ShadowTrackr Android app. It has the same functionality as the iOS app and the web version of ShadowTrackr. There is still a way to go to improve the mobile user experience, but all the important functionality is there. The handiest feature, of course, is push notifications for your security problems.

It's a version 1.0, it's Android, and it was developed and tested on a Samsung device. The diversity in the Android world is huge, and I expect there to be bugs on non-Samsung devices that don't show up on the test device. Please do not hesitate to submit your bugs and feedback. And while you're at it, send in any bugs or complaints you have about ShadowTrackr. For a developer, nothing beats feedback from real users. Not everything may be solved straight away, but everything will end up on the list. The more users ask for something, the higher up the list it goes.

Tricky new feature: ignore some of your URLs

04 February 2019
If you have lots of URLs, not all of them will be equally interesting. Some might be for testing, and some might not even be yours to worry about. I've been thinking about creating some form of ordering for assets, but haven't figured out a good solution yet. You don't want to be hacked through a test server just because you missed a warning. If it's yours and it has a problem, then ShadowTrackr should let you know.

There are some edge cases where you might want to ignore a URL. Imagine you own and run the pay-level domain shadowtrackr.com, but have contracted one of your subdomains out to another party (something like thirdparty.shadowtrackr.com). That other party runs the server for it, and you have agreed that they do their own security and monitoring. Anything related to this subdomain is now just noise on your timeline, and if you have lots of these subdomains you might not see the forest for the trees.

For this specific problem, you can now ignore a URL. The option is available on the URL page (go to Assets and click the edit link next to the URL). From the moment you set a URL to ignored, no new data is logged for it and no alerts are sent. The historical information remains available but is no longer updated. If an ignored URL shows up in search results, it is marked 'ignored' in red letters. Ignored URLs (if you have any) are shown at the bottom of the URL tab on your Assets page.

If you have lots of subdomains to ignore, setting each and every one to ignored by hand is no fun. For this there is a shortcut called the ignore list. If you have more than 10 subdomains, you will see an "ignore list" link next to the pay-level domain when you expand it (with the +) on the Assets page.

Before you go ignoring some of your URLs, be warned: only ignore URLs if you are absolutely sure they pose no risk or that someone else is monitoring them. Even if it is just a historic URL, or nothing currently runs on it, someone could hijack or spoof the DNS record, put a website on it and start phishing your users or spamming the world. It wouldn't be the first time this happened.
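The warning above is about a concrete, checkable condition: a name you stopped watching still exists in DNS and may point at something nobody controls any more. Below is an added pre-flight check, written for this page and not part of ShadowTrackr, that classifies a subdomain before you put it on the ignore list, flagging the dangling CNAME and dead-delegation cases that make a subdomain takeover possible. The `lookup` function is injected so the example runs offline on a constructed zone; in production you would wrap a real resolver (assumption: dnspython's `dns.resolver.resolve(name, rtype)`, returning `[]` on NXDOMAIN or no answer). Only thirdparty.shadowtrackr.com comes from the post; the other names, targets and addresses are made up.

```python
"""Pre-flight check before putting a subdomain on the ignore list.

Added example for this post, not ShadowTrackr's own code.  `lookup` is
injected so the logic runs offline on constructed zone data; in production
wrap a real resolver (assumption: dnspython's dns.resolver.resolve(name, rtype),
returning [] on NXDOMAIN / NoAnswer).
"""


def _resolves(host, lookup):
    """True when the host has an A or AAAA record."""
    return bool(lookup(host, "A") or lookup(host, "AAAA"))


def classify_name(name, lookup):
    """Describe what `name` currently points at.

    lookup(name, rtype) returns a list of record strings, [] for NXDOMAIN/NODATA.
    """
    cnames = lookup(name, "CNAME")
    if cnames:
        target = cnames[0].rstrip(".")
        # A CNAME whose target is gone is the classic subdomain-takeover setup:
        # whoever can claim the target name now serves content under yours.
        return "alias-live" if _resolves(target, lookup) else "dangling-cname"
    if _resolves(name, lookup):
        return "live"
    nameservers = lookup(name, "NS")
    if nameservers:
        # Delegated to someone else; still a takeover risk if no NS host resolves.
        if any(_resolves(ns.rstrip("."), lookup) for ns in nameservers):
            return "delegated-zone"
        return "dangling-ns"
    return "no-records"


SAFE_STATES = {
    "live": "confirm the operator monitors it before ignoring",
    "alias-live": "confirm the operator monitors it before ignoring",
    "delegated-zone": "confirm the zone operator monitors it before ignoring",
}
UNSAFE_STATES = {
    "dangling-cname": "CNAME target is gone: delete the record, do not ignore it",
    "dangling-ns": "delegation points at dead nameservers: delete the NS records, do not ignore",
    "no-records": "nothing is published: keep monitoring so a new record gets noticed",
}


def ignore_decision(name, lookup):
    """(ok_to_ignore, reason) for a name you are about to put on the ignore list."""
    state = classify_name(name, lookup)
    if state in SAFE_STATES:
        return True, f"{state}: {SAFE_STATES[state]}"
    return False, f"{state}: {UNSAFE_STATES[state]}"


def zone_lookup(records):
    """Constructed resolver over an in-memory zone: {(name, rtype): [rdata, ...]}."""
    return lambda name, rtype: list(records.get((name.rstrip("."), rtype), []))


# Constructed zone data.  thirdparty.shadowtrackr.com is the post's example; the
# other names and all targets/addresses are made up (TEST-NET-3 addresses).
SAMPLE_ZONE = zone_lookup({
    ("thirdparty.shadowtrackr.com", "CNAME"): ["app.hosting.example."],
    ("app.hosting.example", "A"): ["203.0.113.10"],
    ("old-promo.shadowtrackr.com", "CNAME"): ["promo.gone-host.example."],
    ("www.shadowtrackr.com", "A"): ["203.0.113.20"],
    ("partner.shadowtrackr.com", "NS"): ["ns1.partner.example."],
    ("ns1.partner.example", "A"): ["203.0.113.30"],
    ("legacy.shadowtrackr.com", "NS"): ["ns.dead.example."],
})


if __name__ == "__main__":
    for host in ("thirdparty", "old-promo", "www", "partner", "legacy", "forgotten"):
        name = f"{host}.shadowtrackr.com"
        print(name, ignore_decision(name, SAMPLE_ZONE))
```

The point of the check is the asymmetry the post describes: a live name run by someone else is a candidate for the ignore list once they confirm they monitor it, but a name whose CNAME or NS targets no longer resolve should be deleted from DNS rather than silenced, because silencing it is exactly what lets a later hijack go unnoticed.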