• My latest project - "TipOff"

    From MeaTLoTioN@1337:1/101 to All on Thursday, July 02, 2026 23:52:24
    Hey y'all,

    Been quietly building "TipOff" - a self-hosted security monitoring tool for small businesses & home labs. Domain health, LAN discovery, uptime monitors, WordPress scanning & breach detection. One Docker container, your data never leaves your server.

    If you're interested in finding out more, please visit https://tipoff.cc - this is a tool that has made my life a lot easier recently, and I'm sure others will benefit also from it.

    Let me know if you use it and if it's useful to you =)

    Cheerio!

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... A SQL query walks into a bar and sees two tables. Asks: 'Can I join you?'

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From deon@1337:2/101 to MeaTLoTioN on Friday, July 03, 2026 17:14:56
    Re: My latest project - "TipOff"
    By: MeaTLoTioN to All on Thu Jul 02 2026 11:52 pm

    Howdy,

    Let me know if you use it and if it's useful to you =)

    Just had a play today - nice tool, well done.

    Be keen to see where you take this - I think there could be a few great things added.

    * I see from the mac address you can identify the vendor - be good to identify all VMs (from their mac)

    * Might be good to be able to group stuff, ie: seperate the appliance from the homelab, etc...

    * Could be helpful to have some lan topology if you can get it. ie: I dont use a /24 on the same wire - some devices I route to, so it could be useful to find out which devices are acting as a router

    * Wondering how you could do IP6?


    ...ëîåï
    --- SBBSecho 3.37-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
  • From MeaTLoTioN@1337:1/101 to deon on Friday, July 03, 2026 10:12:28
    On 03 Jul 2026, deon said the following...

    Re: My latest project - "TipOff"
    By: MeaTLoTioN to All on Thu Jul 02 2026 11:52 pm

    Howdy,

    Let me know if you use it and if it's useful to you =)

    Just had a play today - nice tool, well done.

    Thank you!

    Be keen to see where you take this - I think there could be a few great things added.

    * I see from the mac address you can identify the vendor - be good to identify all VMs (from their mac)

    Yes, this is already planned, it's a bit tricky as VM's often create mac addresses that don't follow a particular vendor, but I'm working on a better way to capture, perhaps even using multiple ways and then pinning the best fit per each mac address.

    * Might be good to be able to group stuff, ie: seperate the appliance
    from the homelab, etc...

    This is on the todo list already, when you have a long list, grouping would be pretty much a requirement.

    * Could be helpful to have some lan topology if you can get it. ie: I
    dont use a /24 on the same wire - some devices I route to, so it could
    be useful to find out which devices are acting as a router

    Yes this is also on the todo list =)

    * Wondering how you could do IP6?

    Good question, I think I can.

    I'll keep you posted as to what I find/manage to do.
    Thanks for trying. If you're wanting to give the reports and automatic rescanning a go, ping me in Matrix and I'll gen you a pro key.

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... A social life? Where can I download that!?

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From MeaTLoTioN@1337:1/101 to deon on Friday, July 03, 2026 14:09:12
    On 03 Jul 2026, deon said the following...

    * I see from the mac address you can identify the vendor - be good to identify all VMs (from their mac)

    * Might be good to be able to group stuff, ie: seperate the appliance
    from the homelab, etc...

    * Could be helpful to have some lan topology if you can get it. ie: I
    dont use a /24 on the same wire - some devices I route to, so it could
    be useful to find out which devices are acting as a router

    * Wondering how you could do IP6?

    Do a `docker compose pull && docker compose up -d` and you'll have all of these =)

    IPv6 address(es) are inside each host detail
    Network Topology has it's own menu item (top-right hamburger menu)
    Host list now has custom tags you can create
    MAC Address identify is a little better, can identify which hosts are VM's if the MAC address matches a known template.

    Let me know how it goes =)

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... User Error: Replace user and hit any key to continue...

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From deon@1337:2/101 to MeaTLoTioN on Saturday, July 04, 2026 17:30:18
    Re: Re: My latest project - "TipOff"
    By: MeaTLoTioN to deon on Fri Jul 03 2026 02:09 pm

    Howdy,

    Do a `docker compose pull && docker compose up -d` and you'll have all of these =)

    Awesome, I'll take a look...


    ...ëîåï
    --- SBBSecho 3.37-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
  • From deon@1337:2/101 to MeaTLoTioN on Saturday, July 04, 2026 19:59:16
    Re: Re: My latest project - "TipOff"
    By: MeaTLoTioN to deon on Fri Jul 03 2026 02:09 pm

    Howdy,

    * Could be helpful to have some lan topology if you can get it. ie: I dont use a /24 on the same wire - some devices I route to, so it could be useful to find out which devices are acting as a router
    Do a `docker compose pull && docker compose up -d` and you'll have all of these =)

    The network topology is not 100% fot me. To give you an example, at home, I use 10.1.3.0/25 for my homelab. Tipoff is running on 10.1.3.54.

    Thus everything on 10.1.3.0/25 you'll get a MAC address and know its "local", if you havent figured that out from quizzing 10.1.3.54 network routing table.

    10.1.3.192/28 is running inside an emulator off of 10.1.3.111 and you may be able to work that out via the same way traceroute does. Those addresses wont have a MAC address (from 10.1.3.54) - but they are grouped under 10.1.3.0/24 (even though I choose "network" from the network map).

    Simularly 10.1.3.240/29 is another network via my core router 10.1.3.1.

    Interestingly, my wifi is 172.31.20.0/24 and on it I have my home assistant VM, it shows as "infrastructure" at the top of the network diagram, next to 172.31.20.1 - what makes it "infrastructure" and not a "device"?

    It would be ideal if 10.1.3.1,172.31.20.1,10.1.3.246 were discovered as the same router.

    MAC Address identify is a little better, can identify which hosts are VM's if the MAC address matches a known template.

    How do I define a mac mask, so that all my proxmox and esx machines are discovered as a VM?


    ...ëîåï
    --- SBBSecho 3.37-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
  • From MeaTLoTioN@1337:1/101 to deon on Saturday, July 04, 2026 12:08:35
    On 04 Jul 2026, deon said the following...

    The network topology is not 100% fot me. To give you an example, at
    home, I use 10.1.3.0/25 for my homelab. Tipoff is running on 10.1.3.54.

    Thus everything on 10.1.3.0/25 you'll get a MAC address and know its "local", if you havent figured that out from quizzing 10.1.3.54 network routing table.

    10.1.3.192/28 is running inside an emulator off of 10.1.3.111 and you
    may be able to work that out via the same way traceroute does. Those addresses wont have a MAC address (from 10.1.3.54) - but they are
    grouped under 10.1.3.0/24 (even though I choose "network" from the
    network map).

    Simularly 10.1.3.240/29 is another network via my core router 10.1.3.1.

    Interestingly, my wifi is 172.31.20.0/24 and on it I have my home assistant VM, it shows as "infrastructure" at the top of the network diagram, next to 172.31.20.1 - what makes it "infrastructure" and not a "device"?

    It would be ideal if 10.1.3.1,172.31.20.1,10.1.3.246 were discovered as the same router.

    MAC Address identify is a little better, can identify which hosts are V if the MAC address matches a known template.

    How do I define a mac mask, so that all my proxmox and esx machines are discovered as a VM?

    Hey ëîåï,

    Thanks so much for the detailed feedback - really useful stuff!
    I've had a look at the issues you raised:

    Infrastructure classification - you're right, the heuristic is too aggressive. ASUS is in the vendor list which shouldn't be there (ASUS makes plenty of regular devices), and the "last octet is .1 or .254 = infrastructure" rule is catching your subnet gateways when they should actually be shown as gateways in their own tier.

    By network grouping - hosts that fall outside your entered discovery CIDRs (like 10.1.3.192/28 when you've only entered 10.1.3.0/25) have no CIDR context so they fall back to /24 grouping. The fix there is actually on your end - adding 10.1.3.192/28 and 10.1.3.240/29 as discovery CIDRs will get them grouped correctly. They can be comma separated in the settings page.

    Gateways - rather than guessing by last octet (.1/.254), we can read all routes directly from the container's routing table (/proc/net/route) which gives us every gateway IP authoritatively - so 10.1.3.1, 10.1.3.111, 172.31.20.1 etc. would all be correctly identified as gateways without any guesswork. That's the fix going in.

    Custom MAC OUI prefixes - good shout, adding a settings field so you can define your own OUI prefixes for Proxmox/ESX and anything else that doesn't match the built-in list.


    Really appreciate you taking the time to dig into it - this kind of real-world feedback is exactly what makes it better!

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... No one knows what's next, but everybody does it.

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From MeaTLoTioN@1337:1/101 to deon on Saturday, July 04, 2026 19:34:33
    On 04 Jul 2026, MeaTLoTioN said the following...

    I've had a look at the issues you raised:

    Do a `docker compose pull && docker compose up -d` now and hopefully you'll get some changes and they'll work a bit better for you.

    In the settings, you can now add a custom VM MAC filter(s) (comma separated). All gateways from routing table should now show correctly/better
    ASUS removed from infra
    Multiple gateway nodes in the topology gateway tier side-by-side

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... The shortest distance between two points is under construction

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From MeaTLoTioN@1337:1/101 to deon on Sunday, July 05, 2026 00:42:02
    On 04 Jul 2026, MeaTLoTioN said the following...

    On 04 Jul 2026, MeaTLoTioN said the following...

    I've had a look at the issues you raised:

    Do a `docker compose pull && docker compose up -d` now and hopefully you'll get some changes and they'll work a bit better for you.

    In the settings, you can now add a custom VM MAC filter(s) (comma separated). All gateways from routing table should now show correctly/better ASUS removed from infra
    Multiple gateway nodes in the topology gateway tier side-by-side

    Just made a few more changes, now released the tag v0.2.1 - so when you pull that, you'll now see the version in the settings card, and will get notified as and when a new version is pushed =)

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... Do device drivers need a chauffeur's license?

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From deon@1337:2/101 to MeaTLoTioN on Sunday, July 05, 2026 10:22:18
    Re: Re: My latest project - "TipOff"
    By: MeaTLoTioN to deon on Sat Jul 04 2026 12:08 pm

    Howdy,

    By network grouping - hosts that fall outside your entered discovery CIDRs (like 10.1.3.192/28 when you've only entered 10.1.3.0/25) have no CIDR context so they fall back to /24 grouping. The fix there is actually on your end - adding 10.1.3.192/28 and 10.1.3.240/29 as discovery CIDRs will get them grouped correctly. They can be comma separated in the settings page.

    Bummer, I was hoping tipoff could work it out :) For example I'd forgotten about the 10.1.3.240/29 subnet, especially when I saw 10.1.3.246. I was further confused because 10.1.3.246 responded in 1 hop and as I mentioned, my subnet is a /25. I realised, its a gateway to a VPN, so off my router...

    As part of your ping probe, can you pluck the TTL out of the reply and it might be able to determine (relatively) how far away the address is from others. Using that you might be able to guess some of the network topology up front.

    eg:

    64 bytes from 10.1.3.111: seq=0 ttl=64 time=0.289 ms
    64 bytes from 10.1.3.194: seq=0 ttl=62 time=2.768 ms

    (its not fool proof, and I'll need to check why, because 193 which is the router here returns 59.. hmm...)

    64 bytes from 10.1.3.193: seq=0 ttl=59 time=1.254 ms

    Can you add ICMP to the monitor? I have one devices that doesnt expose any ports (I need to figure out what it is).

    Also my domains on the status page appear down. What makes a domain "up"?



    ...ëîåï
    --- SBBSecho 3.37-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
  • From MeaTLoTioN@1337:1/101 to deon on Sunday, July 05, 2026 10:31:36
    On 05 Jul 2026, deon said the following...

    By network grouping - hosts that fall outside your entered discovery CI (like 10.1.3.192/28 when you've only entered 10.1.3.0/25) have no CIDR context so they fall back to /24 grouping. The fix there is actually on end - adding 10.1.3.192/28 and 10.1.3.240/29 as discovery CIDRs will ge them grouped correctly. They can be comma separated in the settings pag

    Bummer, I was hoping tipoff could work it out :) For example I'd
    forgotten about the 10.1.3.240/29 subnet, especially when I saw 10.1.3.246. I was further confused because 10.1.3.246 responded in 1 hop and as I mentioned, my subnet is a /25. I realised, its a gateway to a VPN, so off my router...

    As part of your ping probe, can you pluck the TTL out of the reply and
    it might be able to determine (relatively) how far away the address is from others. Using that you might be able to guess some of the network topology up front.

    eg:

    64 bytes from 10.1.3.111: seq=0 ttl=64 time=0.289 ms
    64 bytes from 10.1.3.194: seq=0 ttl=62 time=2.768 ms

    (its not fool proof, and I'll need to check why, because 193 which is the router here returns 59.. hmm...)

    64 bytes from 10.1.3.193: seq=0 ttl=59 time=1.254 ms

    Can you add ICMP to the monitor? I have one devices that doesnt expose
    any ports (I need to figure out what it is).

    Also my domains on the status page appear down. What makes a domain "up"?

    Funny you should say that - your TTL idea was too good not to build. Update to v0.2.6 (docker compose pull && docker compose up -d) and run a fresh LAN scan, because it now does pretty much exactly what you described:

    - The ping probe plucks the TTL out of every reply and estimates hop count from it (assuming the usual 64/128/255 initial values). Every host card shows a hop badge now.
    - Anything 1+ hops away gets automatically split out of the local network into its own "Remote / VPN" branch on the network map - no CIDR config needed. It also runs a short traceroute on those hosts to find which local gateway they exit through, and draws them hanging off it with a dashed line.
    - Better still: within a remote subnet, if exactly one host is a full hop closer than all the others, tipoff promotes it to a "VPN Peer" card and hangs the rest underneath it. So your 10.1.3.240/29 with 10.1.3.246 should render as: router -> dashed line -> VPN peer -> the hosts behind it. It would have told you about the subnet you'd forgotten :)

    On your TTL 59 mystery - remember the replying device never decrements its own reply; only routers forwarding it do. So 59 means either the reply genuinely crossed 5 routers on the way back to you, or the box originates packets with a non-standard initial TTL, or the reply is actually coming from inside a tunnel (which for a router that's also a VPN endpoint wouldn't surprise me). A traceroute to it should settle which. Tipoff's inference uses relative hop differences within a subnet rather than trusting absolute numbers, and falls back to a flat group when the evidence is messy, so oddballs like that won't wreck the map.

    ICMP monitor - added. Pick "ICMP (ping)" as the protocol and the port field disappears. Should sort your mystery portless device.

    Domains on the status page: "up" currently means an HTTP GET succeeds - it tries https://domain then falls back to http://, and counts anything below a 500 as up. So if a domain is mail-only with no web server behind it, it'll show down forever - that's a gap on my side, not an outage on yours. The status page now shows what the check actually did (e.g. "HTTPS/HTTP check ú HTTP 200" or "no response") so you can tell which case you're hitting. If yours are MX-only domains, tell me and I'll add a DNS-only check type.

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... A house is a place to keep your stuff while you go out and get more stuff

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From MeaTLoTioN@1337:1/101 to deon on Sunday, July 05, 2026 10:51:40
    On 05 Jul 2026, MeaTLoTioN said the following...

    with a dashed line. - Better still: within a remote subnet, if exactly
    one host is a full hop closer than all the others, tipoff promotes it to
    a "VPN Peer" card and hangs the rest underneath it. So your
    10.1.3.240/29 with 10.1.3.246 should render as: router -> dashed line -> VPN peer -> the hosts behind it. It would have told you about the subnet you'd forgotten :)

    The label of VPN was an overreach, I was basing that purely on what I have at home, but it could easily be just a distant subnet locally. Fixed in v0.2.7:

    - "Remote / VPN" -> "Routed subnet" and "VPN Peer" -> "Gateway". The map now only claims what the hop evidence proves.
    - Scans record each host's ping RTT alongside TTL now.
    - The "likely VPN/WAN" chip appears on a routed subnet when its median RTT is ò 3ms and ò 5x your local LAN's median. Hovering it explains the reasoning. My tunnel is clear-cut: local ~0.3ms vs ~8ms across the tunnel - so mine wears the chip. A routed VLAN or double-NAT segment at 0.4ms would stay unlabelled, which is exactly the honesty we need.
    - One heads-up for your setup: your 10.1.3.194 pinged at ~2.8ms - about 10x your baseline but just under the 3ms floor, so yours might not get chipped. If that annoys you I'll tune the threshold :)

    So on your next scan, you should see the routed subnets labelled properly in the network map either way.

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... Users come in two types: Those who have lost data, and those who will.

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From phigan@1337:3/201 to MeaTLoTioN on Sunday, July 05, 2026 06:10:28
    |15Ä|07Ä|04Ä MeaTLoTioN |08Start Quote
    forever - that's a gap on my side, not an outage on yours. The status page now shows what the check actually did (e.g. "HTTPS/HTTP check ú HTTP 200" or "no response") so you can tell which case you're hitting. If yours are MX-only |15Ä|07Ä|04Ä MeaTLoTioN|08 End Quote

    Might I suggest, since it's doing an https check already, to show when the
    SSL certificate expires or whether it's self signed.


    --- Oblivion/2 v2.40beta2
    * Origin: Hexedbbs.com:23999 (1337:3/201)
  • From MeaTLoTioN@1337:1/101 to phigan on Sunday, July 05, 2026 11:46:47
    On 05 Jul 2026, phigan said the following...

    Might I suggest, since it's doing an https check already, to show when
    the SSL certificate expires or whether it's self signed.

    It already does tell you when the SSL cert expires - if you look in the external checks, and go into one of your domains, you will see at the top the SSL check.

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... As a matter of fact, it IS a banana in my pocket!

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From deon@1337:2/101 to MeaTLoTioN on Sunday, July 05, 2026 20:48:22
    Re: Re: My latest project - "TipOff"
    By: MeaTLoTioN to deon on Sun Jul 05 2026 10:31 am

    On your TTL 59 mystery - remember the replying device never decrements its own reply; only routers forwarding it do. So 59 means either the reply genuinely crossed 5 routers on the way back to you, or the box originates packets with a non-standard initial TTL, or the reply is actually coming from inside a tunnel (which for a router that's also a VPN endpoint wouldn't surprise me).

    A traceroute to it should settle which. Tipoff's inference
    uses relative hop differences within a subnet rather than trusting absolute numbers, and falls back to a flat group when the evidence is messy, so

    So using a relative inference I think is right, I know some OS's start TTL at different numbers (I think linux is 64)...

    The TTL 59 actually does cross 5 devices, to get to 193 from 54, it would go

    54 -> 1 -> 111 -> 250 -> 193 -> 194

    tipoff wouldnt see 250, its a point to point link and a traceroute shows "*". Its not a linux device, so it could well be starting its TTL differently. (But it would be getting a reply from it.)

    The 194 is the next hop, is linux and technically is 6 hops away I guess.

    Ping -R finds it though:

    PING 10.1.3.194 (10.1.3.194) 56(124) bytes of data.
    64 bytes from 10.1.3.194: icmp_seq=1 ttl=62 time=3.20 ms
    RR: 10.1.3.54
    10.1.3.1
    10.1.3.250
    10.1.3.194
    10.1.3.194
    10.1.3.111
    10.1.3.54

    The "Routed Subnet" shows those two addresses from 192/28 but above it is 10.1.3.0/24. So while it would be difficult to figure out its a /28, in this case you could because you should be getting an ICMP redirect from 1 pinging anything from 192-207. (The redirect points to 111).

    It also used to be if you pinged the broadcast address (207 in this case), every device should respond but I'm not sure if that is reliable anymore...

    Also, so I thought I'd try scan my IPv6 subnet, and that was a bad idea. I scanned the /64 (I saw from the change log some references to IPv6), which pegged the CPU at 100% and while I left it go to see what happens I came back an hour or two and the VM was unresponsive. It ultimately consumed all memory and swap space and took me a good hour to kill it from the console :( Actually, I think the kernel finally killed it...

    I see in 0.2.7 you at least have link local addresses, which is sometimes useful though, and some hosts have the fd00:368:: address that I use.

    I think there is a rendering issue also. When you open a host card and click on the rescan, after the scan, the card is rendered inside the card (so you have two header lines and hamburger selection icons).

    Loving what you doing with this, its going to be a useful tool to everybody with a homelab...


    ...ëîåï
    --- SBBSecho 3.37-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
  • From deon@1337:2/101 to MeaTLoTioN on Sunday, July 05, 2026 21:24:24
    Re: Re: My latest project - "TipOff"
    By: deon to MeaTLoTioN on Sun Jul 05 2026 08:48 pm

    Hey...

    Also, wanted to ask. I've got one host that was discovered with hostname cm5-3-0-2 and for the life of me I cant figure out how its got the "-2" on the end.

    The hostname should be cm5-3-0, how did it get discovered with the "-2" on the end. All my other CM5's were discoverd correctly (cm5-x-0).



    ...ëîåï
    --- SBBSecho 3.37-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
  • From MeaTLoTioN@1337:1/101 to deon on Sunday, July 05, 2026 15:23:17
    On 05 Jul 2026, deon said the following...

    Re: Re: My latest project - "TipOff"
    By: MeaTLoTioN to deon on Sun Jul 05 2026 10:31 am

    On your TTL 59 mystery - remember the replying device never decrements own reply; only routers forwarding it do. So 59 means either the reply genuinely crossed 5 routers on the way back to you, or the box originat packets with a non-standard initial TTL, or the reply is actually comin from inside a tunnel (which for a router that's also a VPN endpoint wou surprise me).

    A traceroute to it should settle which. Tipoff's inference
    uses relative hop differences within a subnet rather than trusting abso numbers, and falls back to a flat group when the evidence is messy, so

    So using a relative inference I think is right, I know some OS's start
    TTL at different numbers (I think linux is 64)...

    The TTL 59 actually does cross 5 devices, to get to 193 from 54, it
    would go

    54 -> 1 -> 111 -> 250 -> 193 -> 194

    tipoff wouldnt see 250, its a point to point link and a traceroute shows "*". Its not a linux device, so it could well be starting its TTL differently. (But it would be getting a reply from it.)

    The 194 is the next hop, is linux and technically is 6 hops away I guess.

    Ping -R finds it though:

    PING 10.1.3.194 (10.1.3.194) 56(124) bytes of data.
    64 bytes from 10.1.3.194: icmp_seq=1 ttl=62 time=3.20 ms
    RR: 10.1.3.54
    10.1.3.1
    10.1.3.250
    10.1.3.194
    10.1.3.194
    10.1.3.111
    10.1.3.54

    The "Routed Subnet" shows those two addresses from 192/28 but above it is 10.1.3.0/24. So while it would be difficult to figure out its a /28, in this case you could because you should be getting an ICMP redirect from
    1 pinging anything from 192-207. (The redirect points to 111).

    It also used to be if you pinged the broadcast address (207 in this
    case), every device should respond but I'm not sure if that is reliable anymore...

    Also, so I thought I'd try scan my IPv6 subnet, and that was a bad idea.
    I scanned the /64 (I saw from the change log some references to IPv6), which pegged the CPU at 100% and while I left it go to see what happens
    I came back an hour or two and the VM was unresponsive. It ultimately consumed all memory and swap space and took me a good hour to kill it
    from the console :( Actually, I think the kernel finally killed it...

    I see in 0.2.7 you at least have link local addresses, which is sometimes useful though, and some hosts have the fd00:368:: address that I use.

    I think there is a rendering issue also. When you open a host card and click on the rescan, after the scan, the card is rendered inside the
    card (so you have two header lines and hamburger selection icons).

    Loving what you doing with this, its going to be a useful tool to everybody with a homelab...

    Mate, your feedback keeps paying off. v0.2.8 is up, and you'll want this one:

    The IPv6 scan - sorry about your VM! That was a genuine bug and a nasty one. The ping sweep builds one task per address in the range, and a /64 is 2^64 addresses, so it ate all your RAM and swap until the kernel put it out of its misery. Discovery CIDRs are now validated before any scan starts: IPv6 ranges are rejected with a proper message (IPv6 hosts are found via NDP neighbor discovery after each IPv4 scan, which is the only sane way - you can't sweep a /64), and IPv4 is capped at /16. Failures also now tell you WHY in the UI instead of "check the container logs".

    The nested card render - found it. Rescan (and acknowledge, and wpscan) were swapping a full page, nav bar and all, into the current page. All fixed, they reload the page cleanly now. Bonus: single-host rescan was silently dropping the TTL/hop/gateway data and only full LAN scans stored it. Also fixed.

    Your cm5-3-0-2 mystery: that's not tipoff mangling it - it's mDNS name-conflict renaming (RFC 6762). When a device registers cm5-3-0.local and something already claims that name, avahi appends -2 and carries on. The classic cause is the device colliding with its own stale registration - it dropped off the network and rejoined before its old mDNS record expired. Restart avahi on that CM5 (or reboot it) and it should reclaim its proper name. Tipoff just reports what the device itself answered.

    The ICMP redirect idea for sniffing out the /28 - genuinely clever, and I went down the rabbit hole on it. Trouble is catching redirects needs a raw ICMP listener, half the world disables them outright (accept_redirects=0, they're a spoofing vector), and modern kernels rate-limit sending them. A lot of machinery for a signal that's frequently switched off, so I've parked it for now.

    Broadcast ping - your instinct is right, that trick died with the Smurf attack. Everything ignores broadcast ICMP by default these days.

    And nice work running the TTL 59 to ground - a real 5-router path with a silent point-to-point hop in the middle. Good validation of the relative-inference approach too; trusting absolute TTLs would have misclassified that router badly. The ping -R output is a nice touch as well, though record-route only fits 9 hops and most gear strips it, so you got lucky there :)

    docker compose pull && docker compose up -d as usual.

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... A PC a day keeps the Apple away!

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From deon@1337:2/101 to MeaTLoTioN on Monday, July 06, 2026 08:33:44
    Re: Re: My latest project - "TipOff"
    By: MeaTLoTioN to deon on Sun Jul 05 2026 03:23 pm

    Howdy,

    The ping sweep builds one task per address in the range, and a /64 is 2^64 addresses, so it ate all your RAM and swap until the kernel put it out of its misery. Discovery CIDRs are now validated before any scan starts: IPv6 ranges are rejected with a proper message (IPv6 hosts are found via NDP neighbor discovery after each IPv4 scan, which is the only sane way - you can't sweep a /64), and IPv4 is capped at /16. Failures also now tell you WHY in the UI instead of "check the container logs".

    Yeah, not falling for that again, I've put a memory constraint on the container so Mr Kernel should get to it before I need too... As a general rule, I normally do, but since this was my dev server I didnt that time...

    There's a container log? Assume you mean the containers stdout as seen by docker log tipoff? I've just seen that as HTTP traffic between the browser and tipoff, but if there is other stuff there, I'll look there more often.

    Your cm5-3-0-2 mystery: that's not tipoff mangling it - it's mDNS name-conflict renaming (RFC 6762).

    I've never paid attention to mDNS - so I've learnt something new :)

    The ICMP redirect idea for sniffing out the /28 - genuinely clever, and I went down the rabbit hole on it. Trouble is catching redirects needs a raw ICMP listener, half the world disables them outright (accept_redirects=0,

    Yeah, and it really only helps if the subnet is local (this side of the router), which most wouldnt be. Bummer this one. I've even done some research myself, it used to be easy but now not so...

    A suggestion or 2 for consideration:

    * The "Add Domain" I genuinely thought it was a "domain name" that you would do some validation on (Expiry, DNS, SMTP, etc) and it was useful. I think its presumptious to assume that folks have a HTTP server for a domain. I guess most do, and the trend these days is to (ie: no www), but I have a couple that are mail only or admin only, so no http server - no point checking for a response.

    Perhaps change it to "URI monitor" (yuk), "host monitor" (what about the domain goodness above?)...

    * Assuming every IP address is wordpress host might be overkill as well. Maybe off of a domain its more likely, but off of an IP?, and especially if the host (or ip) doesnt respond to a HTTP probe its not going to be a wordpress host?

    * Assuming every monitored host is an SMTP host so marking DMARC/SPF as critical if its a plain old web host is too much? DMARC/SPF is normally off of the domain not a host, unless the host provides a sub domain email, but then there should be MX records for that... (eg: my bbs.dege.au I use for the BBS)

    You might be able to draw some conclusions from the SPF record on the domain though if this host does originate mail.


    ...ëîåï
    --- SBBSecho 3.37-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
  • From MeaTLoTioN@1337:1/101 to deon on Monday, July 06, 2026 00:56:12
    On 06 Jul 2026, deon said the following...

    Howdy,

    There's a container log? Assume you mean the containers stdout as seen by docker log tipoff? I've just seen that as HTTP traffic between the
    browser and tipoff, but if there is other stuff there, I'll look there more often.

    Yep, that's the one. It's mostly uvicorn HTTP chatter, but discovery failures, scheduler errors and full Python tracebacks land there too. As of 0.2.8 the UI shows you the real error message anyway, so you shouldn't need to dig in there as often.

    Glad the mDNS thing was useful - I only learnt the chapter and verse myself when we dug into your cm5 mystery.

    Yeah, and it really only helps if the subnet is local (this side of the router), which most wouldnt be. Bummer this one. I've even done some research myself, it used to be easy but now not so...

    Agreed, parked. Nice idea though, shame the modern world nailed that door shut years ago.

    Now your two suggestions - you're right on both, and they turn out to be the same underlying sin: tipoff assumes every domain is a web server AND a mail server. I went through the code and here's the actual state of it:

    * The security scan side is gentler than you feared. If HTTPS doesn't answer, the header checks bail out with a neutral "website unreachable" note that costs no score, and the DNS, SPF, DMARC and expiry checks all run fine without a web server. So the domain goodness you wanted is already in there.

    * The real damage is the status page: every domain gets an HTTP/HTTPS probe every 5 minutes, so your mail-only domains would show as permanently DOWN. That's not noise, that's just wrong.

    * WordPress is never scanned automatically - it's a manual button - but the section is drawn on every host page including your switch, which is admittedly silly.

    On DMARC/SPF for non-mail domains, one counterpoint before I concede the rest: current best practice (NCSC and friends) is that even a domain that never sends mail should publish "v=spf1 -all" plus a DMARC p=reject, otherwise spammers can spoof it freely. So the check stays for every domain. What's wrong is the framing - today you get the same red CRITICAL whether you're a mail domain missing SPF (urgent) or a web-only domain (housekeeping).

    Your MX record idea is exactly the right signal, so here's the plan:

    1. Domains get capability flags: "monitor website" and "check mail security", with DNS and expiry always on. When you add a domain, tipoff probes ports 443/80 and looks up MX records to pre-tick the boxes, and you can override it. A mail-only domain gets no HTTP uptime probe and no SSL/header checks, and the status page shows a DNS-resolves check instead of a fake DOWN.

    2. SPF/DMARC severity becomes MX-aware: no MX records and it drops to a low warning whose remediation says "publish the null records above and you're done". With MX it stays critical.

    3. The WordPress section only appears when the host or domain actually has a web port open.

    Your SPF-content idea (working out if a host originates mail from the record) is clever but parked for now - MX presence gets 95% of the value for none of the parsing pain.

    All of that will be v0.2.11, the "stop assuming everything is a web and mail server" release. Keep the feedback coming, it's exactly this stuff that makes it better.

    Cheers,
    Christian

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... Hard work never killed anyone but why take a risk?

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From MeaTLoTioN@1337:1/101 to deon on Monday, July 06, 2026 01:07:50
    On 06 Jul 2026, MeaTLoTioN said the following...

    All of that will be v0.2.11, the "stop assuming everything is a web and mail server" release. Keep the feedback coming, it's exactly this stuff that makes it better.

    Okay v0.2.11 now pushed live, your existing domains will keep full web checks until their next scheduled scan run or until you manually hit the scan all button to make them get scanned immediately.

    Let me know how that goes, and thank you again for all the feedback, you're a legend!

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... Do vegetarians eat animal crackers?

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From deon@1337:2/101 to MeaTLoTioN on Monday, July 06, 2026 14:48:48
    Re: Re: My latest project - "TipOff"
    By: MeaTLoTioN to deon on Mon Jul 06 2026 12:56 am

    Howdy,

    On DMARC/SPF for non-mail domains, one counterpoint before I concede the rest: current best practice (NCSC and friends) is that even a domain that never sends mail should publish "v=spf1 -all" plus a DMARC p=reject, otherwise spammers can spoof it freely. So the check stays for every domain. What's wrong is the framing - today you get the same red CRITICAL whether you're a mail domain missing SPF (urgent) or a web-only domain (housekeeping).

    I'm with you on this. The "domain" (eg: example.com) that doesnt send email should have that SPF record agree.

    A "host" (website.example.com) should result on the lookup of example.com for SPF record to confirm with it applies. If the host has its own MX record it should have its own SPF record (or the "domain" one should cover sub domains [I think that's an option - but I dont recall 100%]).

    I dont think the "Mail security" (on a "host") needs to be an option at all (?) if it doesnt have any MX records (on the "host"), and the "domain" SPF is appropriate covering the domain or the suggested -ALL.

    Also a "Domain Expiry Unknown" on the "host" (website.example.com) - especially when the domain (example.com) is listed as a "domain" doesnt need the answer to this question.

    On that, .AU domains dont publically list the expiry date, so instead of "Acknowledging the issue" it might also good to ask "When does it expire" and you can report when that expiry is close :)

    Given that you also know when certificates expire, perhaps its warrants a new view of "upcoming events" that show the expiry dates of things so that you can be proactive?

    I see on the IP addresses it mentions "Agent not installed", what agent is that? If I run snmp on my routers, perhaps that could help with topology?

    I'm going to connect with you on matrix - I have some ideas for the map that are better explained with a picture of what it is rendering now ...


    ...ëîåï
    --- SBBSecho 3.37-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
  • From MeaTLoTioN@1337:1/101 to deon on Monday, July 06, 2026 09:54:00
    On 06 Jul 2026, deon said the following...

    Howdy,

    Howdy,

    Big batch this time, thanks for the detail - went through all of it.

    A "host" (website.example.com) should result on the lookup of
    example.com for SPF record to confirm with it applies. If the host has

    Close, but one correction: SPF authentication happens against the exact From-domain, so a spoofed mail claiming to be from website.example.com would NOT be caught by example.com's SPF record - only one published at that exact name (or a wildcard) covers it. So I didn't want to silently borrow the parent's record, that would be a false sense of coverage.

    What you're really after still stands though: if tipoff sees that a monitored domain is a subdomain of another domain you're also monitoring, and that subdomain has no MX of its own, it now skips the mail-security checks entirely rather than nagging about them. Same subdomain detection also kills the "Domain Expiry Unknown" noise you flagged - only the registrable domain has a WHOIS expiry, so a subdomain doesn't get checked for one at all now.

    On that, .AU domains dont publically list the expiry date, so instead of "Acknowledging the issue" it might also good to ask "When does it
    expire" and you can report when that expiry is close :)

    Done - when WHOIS comes back empty, the domain page now offers a date field so you can enter it yourself. Same day-count warnings apply after that, just labelled "manually entered" so it's clear where the date came from.

    Given that you also know when certificates expire, perhaps its warrants
    a new view of "upcoming events" that show the expiry dates of things so that you can be proactive?

    Also done - theres a new Events page listing every domain's registration and SSL expiry, soonest first, across the whole install. Renewals should show up there well before they turn into a red alert.

    I see on the IP addresses it mentions "Agent not installed", what agent
    is that? If I run snmp on my routers, perhaps that could help with topology?

    Good catch - that was dead scaffolding from early development, never wired to anything. Pulled it off the screen. The SNMP idea for topology is a good one though, parked it on the backlog since its a bigger project on its own.

    Now the map, from your screenshots:

    * 10.1.3.246 getting clipped off the edge - real bug, the local device row had no way to scroll to content that didnt fit. Fixed.

    * The complementary /25 idea - exactly right, and now thats what happens. If a configured range doesnt cover an address but a sibling range does, tipoff works out the actual complementary block (eg 10.1.3.128/25) instead of lumping it into a misleading full /24.

    * The dual-homed 172.31.20.0/24 thing - also a good spot. The map now flags when the same range shows up both as direct local devices and as a routed subnet, since that usually means a host is bridging two segments. Fine for a homelab, but worth a second look on a network that expects proper segmentation.

    * IPv6 segments are now drawn on the map too, pulled from whatever ND gives us (link-local addresses excluded, since every host has one of those and it's not a real segment).

    All of that just went out as v0.2.12. Give it a pull when you get a chance and let me know how it looks on your setup.

    Cheers,
    Christian

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... As I said before, I never repeat myself

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)
  • From deon@1337:2/101 to MeaTLoTioN on Monday, July 06, 2026 20:29:42
    Re: Re: My latest project - "TipOff"
    By: MeaTLoTioN to deon on Mon Jul 06 2026 09:54 am

    Hmm...

    Close, but one correction: SPF authentication happens against the exact From-domain, so a spoofed mail claiming to be from website.example.com would NOT be caught by example.com's SPF record - only one published at that exact name (or a wildcard) covers it. So I didn't want to silently borrow the parent's record, that would be a false sense of coverage.

    Hmm.. I dont think you are right on this one, or we are talking to different things?

    An SPF record says "which host can send mail using my domain name", so mail received from "host.example.com" would check the SPF record at example.com to see if that host is authorised to send mail on it's behalf.

    But wait, the penny just dropped. Mail from "@host.example.com" would check "host.example.com" for an SPF record to see if the sending host (possibly a different hostname) was authorised to use that domain name.

    So, most homelabs have many "hosts" "hosta.example.com", "hostb.example.com" and probably only 1 or few sending email "domains": "@example.com", "@subdomain.example.com".

    When monitoring "hosta.example.com" it is less likely (still possible I guess) to be a mail domain "@hosta.example.com", just like "@bbs.dege.au" is not a host with that name, its an email domain.

    Given the intent of your tool "something is wrong unless you tell me otherwise", it might be valid to assume an entered "name" is an email domain until the admin de-selects it to assert its just a host.

    It might nice to check that "if that hosts sends email" for "my domain" to check that the SPF record covers it, but I'm not sure you would know that it sends email. Maybe you could mark it as such, and then warn that the SPF doesnt include this host.

    Saying that allowed, that might be problematic, because it might send mail for mulitple domains, might use multiple IPs and you may not know which IP it uses - or it's record is covered by a heirachy of "include:" statements in the SPF record...

    We're good :)


    ...ëîåï
    --- SBBSecho 3.37-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (1337:2/101)
  • From MeaTLoTioN@1337:1/101 to deon on Monday, July 06, 2026 16:44:05
    On 06 Jul 2026, deon said the following...

    We're good :)

    Howdy,

    Been mulling over your SPF message and think you actually talked yourself into being right, even though you signed off unsure :)

    You had it: mail from "user@host.example.com" checks the SPF record at "host.example.com" specifically - the parent's record doesn't cover it. Where I want to correct myself is the conclusion I drew from that. I'd assumed "no MX record" was a safe signal that a name never sends mail, so I could skip the check entirely. It isn't - MX only says whether a name receives mail, not whether it sends any. Loads of setups (SendGrid, Mailgun, that kind of thing) use a send-only subdomain with an SPF record but deliberately no MX, since nothing ever needs to reply there. So "no MX" proving "safe to skip" was wrong, and skipping the check outright would have been a false sense of coverage, not just less noise.

    One more precision point while I'm at it: DMARC actually does cascade to subdomains automatically (the "sp=" tag on the parent's DMARC record covers any subdomain without its own), but SPF has no such inheritance - every exact name needs its own record. So my original "it's the parent's job" reasoning was half right, just for the wrong half of the two.

    Fixed now: subdomains get the same treatment as normal domains again - SPF/DMARC always checked, just softened to a low-priority warning instead of a critical when there's no MX, same as before. The "check mail" toggle on a domain is the one real override now, for when you actually know for certain it never sends mail. DKIM stays skipped without MX though - unlike SPF/DMARC there's no sensible "publish this defensively anyway" advice for DKIM if you're not already running mail through that name, so checking it broadly would just be noise for no benefit.

    That's out now as v0.2.13. Cheers for catching it - this is exactly the kind of thing that matters most to get right.

    Cheers,
    Christian

    ---
    |14Best regards,
    |11Ch|03rist|11ia|15n |11a|03ka |11Me|03aTLoT|11io|15N // @meatlotion:erb.pw |10S|02SBBSS|08-|10M|08-|100|020001 |10C|02ertified |10B|02BS |10S|02YSOP

    |07ÄÄ |08[|10eml|08] |15ml@erb.pw |07ÄÄ |08[|10web|08] |15www.erb.pw |07ÄÄÄ¿ |07ÄÄ |08[|09fsx|08] |1521:1/158 |07ÄÄ |08[|11tqw|08] |151337:1/101 |07ÂÄÄÙ |07ÄÄ |08[|12rtn|08] |1580:774/81 |07ÄÂ |08[|14fdn|08] |152:250/5 |07ÄÄÄÙ
    |07ÄÄ |08[|10ark|08] |1510:104/2 |07ÄÙ

    ... That's not a bug, it's an undocumented feature

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (1337:1/101)