ShadowTrackr


DUHL ip addresses and false positives

17 February 2019
In the last few weeks, IP addresses belonging to several users have ended up on the SORBS DUHL list. ShadowTrackr picked up on this and dutifully raised a blacklist warning. If the IP address is running a mail server, that warning is justified. In other cases, unfortunately, it is a false alert.

DUHL is short for Dynamic User/Host List. It contains IP address ranges that ISPs have flagged as residential or small-business internet lines. These lines are meant for browsing the internet and should not have servers running on them. Since the SORBS blacklist is mainly used by mail servers to filter out spam, a DUHL list is quite useful to them: a home internet line that is sending email directly is most likely a hacked machine sending spam.

The problem arises when you have your home or branch-office internet lines in ShadowTrackr. That is a perfectly good idea, since you'll be warned when you have security trouble, and we encourage it. But your ISP may have flagged that line as DUHL, and ShadowTrackr will alert on it. There was even a case where an ISP repurposed an IP range from dynamic use to a server park and forgot to have the DUHL flag updated at SORBS. Again, this resulted in a false positive.

To prevent these false alerts, ShadowTrackr now queries only the relevant SORBS sublists instead of the main (aggregate) blacklist. The main blacklist includes the DUHL listings; by leaving that sublist out we avoid the false positives. We shouldn't be scaring you with false positives that can be avoided. Good riddance to this one :-)
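As an added illustration (not code from the original post, and not ShadowTrackr's own implementation), here is a small Python DNSBL checker showing the two approaches discussed above: decoding the answer codes of the aggregate SORBS zone, and querying only the abuse sublists so a DUHL-only listing never reaches the alerting logic unless the host is a mail server. The zone names and the 127.0.0.x answer-code table are reproduced from memory of the SORBS documentation and should be verified against sorbs.net; the sample answers are constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Set

# A resolver maps a fully qualified query name to its A records.
# An empty list means NXDOMAIN, i.e. "not listed".
Resolver = Callable[[str], List[str]]

SORBS_AGGREGATE_ZONE = "dnsbl.sorbs.net"

# Meaning of the 127.0.0.x answers returned by the aggregate zone.
# Assumption: reproduced from memory of the SORBS docs; verify before use.
SORBS_RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "http",      # open HTTP proxy
    "127.0.0.3": "socks",     # open SOCKS proxy
    "127.0.0.4": "misc",      # other open proxy
    "127.0.0.5": "smtp",      # open SMTP relay
    "127.0.0.6": "spam",      # observed spam source
    "127.0.0.7": "web",       # exploitable web script / form mailer
    "127.0.0.8": "block",     # networks that asked never to be tested
    "127.0.0.9": "zombie",    # hijacked address space
    "127.0.0.10": "dul",      # DUHL: dynamic / residential address space
    "127.0.0.11": "badconf",  # misconfigured hosts
    "127.0.0.12": "nomail",   # hosts that never send mail
}

# "dul" describes the kind of line, not observed abuse: expected for a
# home or branch-office connection, and only relevant if it sends mail.
LINE_TYPE_SUBLISTS: Set[str] = {"dul"}
# These sublists indicate abuse or compromise regardless of line type.
ABUSE_SUBLISTS: Set[str] = {"http", "socks", "misc", "smtp", "spam", "web", "zombie"}


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolver(name: str) -> List[str]:
    """Resolve with the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def decode_aggregate(ip: str, resolver: Resolver) -> Set[str]:
    """Query the aggregate zone and translate its codes into sublist names."""
    answers = resolver(dnsbl_name(ip, SORBS_AGGREGATE_ZONE))
    return {SORBS_RETURN_CODES.get(a, f"unknown:{a}") for a in answers}


def query_sublists(ip: str, sublists: Set[str], resolver: Resolver) -> Set[str]:
    """Query only the named sublist zones (assumed form: <name>.dnsbl.sorbs.net)."""
    return {s for s in sublists
            if resolver(dnsbl_name(ip, f"{s}.{SORBS_AGGREGATE_ZONE}"))}


def assess(ip: str, runs_mailserver: bool, resolver: Resolver) -> Dict[str, object]:
    """Decide whether a SORBS listing should raise an alert for this host."""
    listed = decode_aggregate(ip, resolver)
    abuse = listed & ABUSE_SUBLISTS
    line_type = listed & LINE_TYPE_SUBLISTS
    if abuse:
        reason = "abuse sublist: " + ", ".join(sorted(abuse))
        return {"alert": True, "listed": sorted(listed), "reason": reason}
    if line_type and runs_mailserver:
        reason = "mail server on a DUHL (dynamic) line"
        return {"alert": True, "listed": sorted(listed), "reason": reason}
    if line_type:
        reason = "DUHL-only listing on a non-mail host; expected for a residential line"
        return {"alert": False, "listed": sorted(listed), "reason": reason}
    return {"alert": False, "listed": sorted(listed), "reason": "not listed"}


# Constructed sample answers (documentation address ranges) so this runs offline.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "7.113.0.203.dnsbl.sorbs.net": ["127.0.0.10"],                  # home line, DUHL only
    "7.113.0.203.dul.dnsbl.sorbs.net": ["127.0.0.10"],
    "23.100.51.198.dnsbl.sorbs.net": ["127.0.0.6", "127.0.0.10"],   # DUHL and spam source
    "23.100.51.198.spam.dnsbl.sorbs.net": ["127.0.0.6"],
    "23.100.51.198.dul.dnsbl.sorbs.net": ["127.0.0.10"],
}


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for live_resolver using the constructed answers above."""
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip, mail in (("203.0.113.7", False), ("203.0.113.7", True),
                     ("198.51.100.23", False), ("192.0.2.1", False)):
        print(ip, "mailserver" if mail else "no-mail", assess(ip, mail, sample_resolver))
```

Swap `sample_resolver` for `live_resolver` to run it against the real zones. The point of `query_sublists` is that, when the aggregate zone is never consulted, a DUHL-only host produces no answer at all, so the alerting code cannot misread it as a blacklist hit.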

You can find more information on the SORBS lists here.