UCEPROTECT blacklists removed due to bad behavior
31 January 2021
ShadowTrackr uses a lot of OSINT blacklists. This is not something you want to do in your internal SIEM without proper tuning. Any reasonably large organization will have users occasionally hitting blacklisted websites, resulting in quite a few false positives.
The purpose of the OSINT blacklists in ShadowTrackr is different: it’s to check if your public websites or mailservers appear on them. That is something you should always want to know.
Over the last two weeks, a lot of assets belonging to several different clients turned up on UCEPROTECT blacklists. Usually, if an IP or URL is really showing bad behavior, you'll see it listed on multiple blacklists from multiple organizations. The funny thing about the IPs showing up on UCEPROTECT was that almost all of them did not show up on any other blacklist. That is odd.
When I looked into the details, UCEPROTECT showed that entire IP ranges and ASNs were blocked. These ASNs are all owned by decent providers, and it seemed a bit like throwing out the baby with the bathwater.
I contacted one of the ISPs, and they told me that they were on it and trying to work with UCEPROTECT. The problem was that UCEPROTECT charges a hefty fee to get your ASN de-listed. That is, in the words of the ISP, predatory behavior that they will not put up with. And they are right. So, as of now, ShadowTrackr has dropped checking assets against UCEPROTECT blacklists.
We still use more than 100 other blacklists, and your assets will very likely show up on those if they misbehave. So you should not notice any real difference.
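As an added example (not ShadowTrackr's own code), here is how the external check described above works in practice: a DNSBL lookup reverses the address octets, queries an A record under each blacklist zone, and treats a listing as corroborated only when independent operators agree. The zone names are real public DNSBLs, but the listings and the resolver answers are constructed for the demo; UCEPROTECT's level-2 zone is used to model a range-wide listing like the ones described above. The IPv6 nibble form goes beyond what the post discusses.

```python
import ipaddress
import socket

# DNSBL zones queried for each public asset. The zone names are real,
# widely used blocklists; the response data used below is constructed.
DNSBL_ZONES = [
    "zen.spamhaus.org",
    "bl.spamcop.net",
    "dnsbl-1.uceprotect.net",   # single IPs
    "dnsbl-2.uceprotect.net",   # whole allocations / ranges
    "dnsbl-3.uceprotect.net",   # whole ASNs
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: reversed IPv4 octets (or reversed IPv6
    nibbles) in front of the zone, e.g. 4.3.2.1.<zone> for 1.2.3.4."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def operator_of(zone: str) -> str:
    """Collapse a zone to its operator (registrable domain) so several
    zones run by one organisation count as a single source."""
    return ".".join(zone.split(".")[-2:])


def check_ip(ip, zones, resolve):
    """Query every zone; return {zone: [listing codes]} for hits only.
    resolve(name) returns the A records for name, or [] on NXDOMAIN."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if answers:
            hits[zone] = sorted(answers)
    return hits


def independent_listings(hits) -> int:
    """Number of distinct operators that list the IP."""
    return len({operator_of(z) for z in hits})


def triage(ip, zones, resolve, min_operators=2):
    """One listing from one operator is a lead; agreement between
    unrelated operators is what makes the alert worth acting on."""
    hits = check_ip(ip, zones, resolve)
    n = independent_listings(hits)
    return {"ip": ip, "hits": hits, "independent": n,
            "corroborated": n >= min_operators}


def live_resolve(name):
    """Real lookup via the stdlib resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# --- constructed offline data (not real listings) ------------------------
# (zone, network) pairs. The /24 entry models a range-level listing: every
# address in the range answers, whether or not it misbehaved itself.
CONSTRUCTED_LISTINGS = [
    ("dnsbl-2.uceprotect.net", "203.0.113.0/24"),   # whole range, one operator
    ("zen.spamhaus.org", "198.51.100.7/32"),        # single host
    ("bl.spamcop.net", "198.51.100.7/32"),          # same host, second operator
    ("dnsbl-1.uceprotect.net", "198.51.100.7/32"),  # same host, third operator
]


def fake_resolve(name):
    """Offline stand-in for DNS: answer 127.0.0.2 when the reversed name
    falls inside a listed network of that zone, otherwise NXDOMAIN ([])."""
    for zone, net in CONSTRUCTED_LISTINGS:
        if not name.endswith("." + zone):
            continue
        rev = name[: -len(zone) - 1].split(".")
        if len(rev) == 32:                        # IPv6 nibbles
            hexstr = "".join(reversed(rev))
            ip = ipaddress.ip_address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
        else:
            ip = ipaddress.ip_address(".".join(reversed(rev)))
        if ip in ipaddress.ip_network(net):
            return ["127.0.0.2"]
    return []


if __name__ == "__main__":
    for asset in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(triage(asset, DNSBL_ZONES, fake_resolve))
```

Swap `fake_resolve` for `live_resolve` to query the real zones (from your own resolver; some operators refuse queries arriving via public resolvers). Keep the corroboration rule when you do: a single operator listing a whole /24 or ASN says less about your host than two unrelated lists agreeing on the exact address.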
New: JARM hashes, and some phishy stuff
17 January 2021
There are some major updates to the phishy URL detection under way. You'll have to be patient for the full details because it's not all ready for production yet. Some of it has already made it through, as you can see on the phishy URL report page. ShadowTrackr now has better tracking of whois, certificate and ISP data for your phishy URLs.
I also plan to use JARM hashes for better profiling of your existing servers against possible phishy servers. JARM hashes are already shown on the phishy URL page and on all your existing webpages. You can click on the hashes to pivot and find related infrastructure.
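To show what such a pivot does with the data, here is an added example (not ShadowTrackr's code) that compares the JARM fingerprints of your own servers against a set of phishy hosts. It relies on JARM's documented 62-character layout: 10 three-character cipher/version results, one per client-hello probe, followed by a 32-character truncated SHA-256 of the server's extensions. The host names and fingerprints are constructed by `make_jarm` for the demo and are not real server fingerprints.

```python
import hashlib
from collections import defaultdict

N_PROBES, PROBE_LEN, EXT_LEN = 10, 3, 32
JARM_LEN = N_PROBES * PROBE_LEN + EXT_LEN     # 62
NO_RESPONSE = "0" * JARM_LEN                   # JARM output when no TLS handshake completes


def parse_jarm(jarm: str) -> dict:
    """Split a fingerprint into its per-probe results and extension hash."""
    jarm = jarm.strip().lower()
    if len(jarm) != JARM_LEN or any(c not in "0123456789abcdef" for c in jarm):
        raise ValueError("not a JARM fingerprint: %r" % jarm)
    probes = [jarm[i:i + PROBE_LEN] for i in range(0, N_PROBES * PROBE_LEN, PROBE_LEN)]
    return {"probes": probes, "ext_hash": jarm[N_PROBES * PROBE_LEN:]}


def pivot(own: dict, phishy: dict, commodity_threshold: int = 5) -> dict:
    """For each of your servers, list the phishy hosts that share its full
    fingerprint and those that share only the TLS-stack part (same probe
    results, different extension set). A fingerprint shared by many hosts
    is flagged as commodity (a CDN or stock load balancer), which weakens
    the pivot."""
    by_full, by_stack = defaultdict(set), defaultdict(set)
    for host, j in list(own.items()) + list(phishy.items()):
        p = parse_jarm(j)
        if p["probes"] == ["000"] * N_PROBES:      # no TLS: nothing to pivot on
            continue
        by_full[j.lower()].add(host)
        by_stack["".join(p["probes"])].add(host)
    result = {}
    for host, j in own.items():
        full = by_full.get(j.lower(), set())
        stack = by_stack.get("".join(parse_jarm(j)["probes"]), set())
        result[host] = {
            "exact": sorted(h for h in full if h in phishy),
            "same_stack": sorted(h for h in stack - full if h in phishy),
            "commodity": len(full) > commodity_threshold,
        }
    return result


# --- constructed sample data ---------------------------------------------
def make_jarm(probes, ext_seed: bytes) -> str:
    """Assemble a constructed fingerprint for the demo. A real JARM derives
    the last 32 chars from the server's actual extension bytes."""
    if len(probes) != N_PROBES or any(len(p) != PROBE_LEN for p in probes):
        raise ValueError("need %d probe results of %d chars" % (N_PROBES, PROBE_LEN))
    return "".join(probes) + hashlib.sha256(ext_seed).hexdigest()[:EXT_LEN]


STACK_A = ["29d", "29d", "00d", "29d", "29d", "00d", "29d", "29d", "29d", "29d"]
STACK_B = ["2ad", "2ad", "00d", "2ad", "2ad", "00d", "2ad", "2ad", "2ad", "2ad"]
STACK_C = ["07d", "07d", "00d", "07d", "07d", "00d", "07d", "07d", "07d", "07d"]

OWN = {
    "www.example.com": make_jarm(STACK_A, b"ext-config-A"),
    "mail.example.com": make_jarm(STACK_B, b"ext-config-B"),
}
PHISHY = {
    "examp1e-login.test": make_jarm(STACK_A, b"ext-config-A"),   # identical fingerprint
    "secure-example.test": make_jarm(STACK_A, b"ext-config-C"),  # same stack, other extensions
    "unrelated.test": make_jarm(STACK_C, b"ext-config-D"),       # different stack entirely
    "parked.test": NO_RESPONSE,                                   # no TLS at all
}

if __name__ == "__main__":
    for host, r in pivot(OWN, PHISHY).items():
        print(host, r)
```

An exact match is the interesting case: the phishy host runs the same TLS stack with the same extension configuration as your server, which is what you would expect from a cloned site or a kit deployed on the same hosting template. A stack-only match is a weaker lead, and any fingerprint flagged as commodity needs a second pivot (certificate, whois, ISP) before it means anything.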
Dark mode support
31 December 2020
It’s that time of the year with darkness in the Northern hemisphere. We’re just past the shortest day of the year and I should have mentioned this 3 weeks earlier, but … ShadowTrackr now has dark mode!
Most development time in the busy December month was spent fixing bugs and writing tests, and the white background really started to hurt my eyes in the evenings. So while it sounds like a cool extra, it really was a necessary feature.
You can find dark mode under Settings > My profile > User interface settings