Hi
There is another email server misconfiguration, which is no valid SPF record.
Vulnerable Domain: https://thenewboston.com
Vulnerability: No Valid SPF Records
Description:
There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.
Steps to reproduce:
SPF record lookup and validation
ENTER your domain with an SPF command like: spf:thenewboston.com into the URL box and CLICK GO.
You will see the result: No SPF Record found
Now the attacker can target some users by sending fake offers (a money bonus to claim BTC, a reward for adding a PayPal card) that lead to a phishing site, or other traps an attacker wants, which can be harmful to users, so it needs to be fixed.
The attacker can easily send fake mail from the official @thenewboston.com mail address using https://emkei.cz/?reCAPTCHAv2
Impact: An attacker can send fake mails to the thenewboston.com users. The results can be more dangerous.
Remediation: Replace ~all with -all to prevent fake email.
Reference:
https://hackerone.com/reports/629087
https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability
Thank you.
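Added example (not part of the report above, and not thenewboston.com's or HackerOne's code): a minimal SPF evaluator in the style of RFC 7208 check_host(), run over a constructed in-memory TXT table instead of live DNS. It shows, from the receiving side, the three states the report touches on: a domain with no SPF record at all yields "none" (nothing for a receiver to act on), a record ending in ~all only softfails an unauthorized sender, and a record ending in -all hard-fails it. The domain names and addresses in the table are placeholders chosen for the example; only ip4/ip6, include and all are modelled.

```python
"""Minimal SPF (RFC 7208) evaluator over an in-memory DNS table.

Added example, not code from the issue above. The TXT table is
constructed for the demonstration; every name and address in it is a
placeholder, not a real published record.
"""
import ipaddress

# Constructed TXT data standing in for DNS lookups (assumption).
DNS_TXT = {
    "no-spf.example": [],  # the state the report describes: no record at all
    "soft.example": ["v=spf1 ip4:198.51.100.0/24 include:relay.example ~all"],
    "strict.example": ["v=spf1 ip4:198.51.100.0/24 include:relay.example -all"],
    "relay.example": ["v=spf1 ip4:203.0.113.10 -all"],
}

# Qualifier prefixes defined by RFC 7208 and the result each one produces.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, table=DNS_TXT):
    """Return the single v=spf1 TXT record for domain, or None.

    Zero records and more than one record are both treated as "no valid
    SPF record", which is what a receiver does in practice.
    """
    records = [r for r in table.get(domain, [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(records) != 1:
        return None
    return records[0]


def check_host(ip, domain, table=DNS_TXT, depth=0):
    """Evaluate sender ip against domain's SPF record.

    Returns one of the RFC 7208 result strings: none, pass, fail,
    softfail, neutral or permerror.
    """
    if depth > 10:  # RFC 7208 limits DNS-causing terms; treat overrun as permerror
        return "permerror"
    record = lookup_spf(domain, table)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # ip_network membership is False across address families,
            # so an IPv6 sender never matches an ip4 mechanism.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced domain returns pass.
            if check_host(ip, arg, table, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists, ptr are not modelled here
    return "neutral"  # record exhausted without an "all" term


if __name__ == "__main__":
    for sender, domain in [("198.51.100.7", "no-spf.example"),
                           ("192.0.2.1", "soft.example"),
                           ("192.0.2.1", "strict.example"),
                           ("203.0.113.10", "strict.example")]:
        print(f"{sender:>14} -> {domain:<16} {check_host(sender, domain)}")
```

Running the block prints one result line per (sender, domain) pair; the unauthorized sender 192.0.2.1 is only softfailed by soft.example but failed outright by strict.example, which is the difference the remediation line above is pointing at, while no-spf.example gives the receiver nothing to enforce at all.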