  1. #1
    Untangler
    Join Date
    Sep 2018
    Posts
    50

    13.107.6.168 / sharepoint-df.com

    Hi everyone, recently my home Untangle has been logging web filter blocks for my significant other's iPhone:

    13.107.6.168 / sharepoint-df.com Phishing and Other Fraud

    It's happened a number of times, often in the morning when unlocking her iPhone from overnight -- this morning she did nothing other than unlock and send an email note to herself and it generated four blocks/alerts.

    If I browse to the IP above, I get:

    <h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p>0kvOGXwAAAAD0jf9jsKJUTpHBYg6GzMAHQ0gxRURHRTEwMDYARWRnZQ==

    It appears this IP is associated with MS Azure. Looking up sharepoint-df.com, I get the above IP plus 13.107.9.168.

    I find it interesting that Untangle will allow me to browse to either IP, but blocks the FQDN. Is this perhaps a false negative from Untangle? Running 14.x.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,107

    IP is not the same as FQDN for web reputation lookups, as one IP can have hundreds of FQDNs.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler
    Join Date
    Sep 2018
    Posts
    50

    Originally posted by jcoffin:
    IP is not the same as FQDN for web reputation lookups, as one IP can have hundreds of FQDNs.
    Good point -- especially if it's a cheap web hosting site using host headers.
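
An added example (not from the thread, and not Untangle's code) modeling the point in the two replies above: a web filter that keys its category lookup on the hostname in the Host header gives a different verdict for the FQDN than for the bare IP serving it. The category table, function names and the `tenant` subdomain are constructed for illustration.

```python
import ipaddress

# Constructed category table; the blocked entry mirrors the block reported
# in this thread. A real filter queries a vendor reputation service instead.
CATEGORIES = {
    "sharepoint-df.com": "Phishing and Other Fraud",
    "example.org": "Reference",
}
BLOCKED = {"Phishing and Other Fraud"}


def host_from_request(raw: bytes) -> str:
    """Return the Host header of an HTTP/1.1 request, lowercased, port removed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):             # bracketed IPv6 literal
                return host[1:host.index("]")]
            return host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    raise ValueError("request has no Host header")


def categorize(host: str) -> str:
    """Look up a category by hostname; an IP literal is a separate key."""
    try:
        ipaddress.ip_address(host)
        return CATEGORIES.get(host, "Uncategorized")
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    # Walk from the full name toward the registered domain, never the bare TLD.
    for i in range(max(1, len(labels) - 1)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "Uncategorized"


def verdict(raw: bytes):
    """Return (lookup key, category, action) for one request."""
    host = host_from_request(raw)
    category = categorize(host)
    return host, category, "block" if category in BLOCKED else "pass"


def request(host: str) -> bytes:
    """Build a constructed sample request for the given Host value."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: test\r\n\r\n".encode()
```

The same server IP answers both requests; only the lookup key differs, so the FQDN is blocked while the IP literal falls through as uncategorized.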

  4. #4
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,523

    My experience is that these 'false alarms' will come and go.
    Your best effort is to notify Apple. They have the muscle to set the record straight on a domain they own/are using.

    Apple on Azure?
    HUH.

    A little more digging might reveal the App that is triggering this.
    Last edited by Jim.Alles; 10-14-2020 at 10:18 AM.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,093

    Apple uses Azure for a ton of stuff. Apple also uses AWS for a ton of stuff...

    Heck, portions of Azure run on GWS and AWS.

    This whole "cloud" thing is far more insane than anyone wants to give it credit.

    I would start by simply clearing the Web Filter's cache, beyond that... yeah it'll come and go. IP level controls are REALLY coarse in 2020.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangler
    Join Date
    Sep 2018
    Posts
    50

    Today, unlocking, and checking and deleting email (O365) using iOS Outlook generated two of the alerts. At roughly the same time, I did the same with my iPhone and it generated no alerts. She also has a Gmail account in her iPhone Outlook whereas I do not have a Gmail account.

    I have cleared the web filter category cache. Before putting the phone up for the night tonight, I'll ask her to close all apps.

  7. #7
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,057

    Originally posted by ntguru:
    ...I'll ask her to close all apps.
    Assuming you're both using the same instance of Web Filter, just an observation about closing apps. While doing some sleuthing earlier this year I had to restart an iPhone to stop traffic from a deleted shopping app (that traffic has not reappeared). I have since wondered about the absolute efficacy of closing an app with background refresh permissions.
