GNU bug report logs - #49260 Vulnerability Report [Misconfigured DMARC Record Flag]
Report forwarded to bug-gnuzilla <at> gnu.org: bug#49260; Package gnuzilla. (Mon, 28 Jun 2021 17:32:02 GMT)
Acknowledgement sent to Cyber Zeus <cyberzeus111 <at> gmail.com>: New bug report received and forwarded. Copy sent to bug-gnuzilla <at> gnu.org. (Mon, 28 Jun 2021 17:32:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi Team,
I am an independent security researcher and I have found a bug in your
website. The details of it are as follows:
Description: This report is about a misconfigured DMARC/SPF record flag,
which can be used for malicious purposes as it allows for fake mailing on
behalf of respected organizations.
About the Issue:
As I have seen, the DMARC record for gnu.org <bug-gnuzilla <at> gnu.org>
is:
DMARC Policy Not Enabled
DMARC Not Found
As you can see, you have a weak SPF record; a valid record should be like:
DMARC Policy Enabled
What's the issue:
An SPF/DMARC record is a type of Domain Name Service (DNS) record that
identifies which mail servers are permitted to send an email on behalf of
your domain. The purpose of an SPF/DMARC record is to prevent spammers from
sending messages on behalf of your organization.
Attack Scenario: An attacker will send phishing mail or any malicious
mail to the victim via mail: bug-gnuzilla <at> gnu.org
Even if the victim is aware of a phishing attack, he will check the origin
email, which came from your genuine mail id bug-gnuzilla <at> gnu.org,
so he will think that it is genuine mail and get trapped by the attacker.
The attack can be done using any PHP mailer tool like this:
<?php
$to = "VICTIM <at> example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: bug-gnuzilla <at> gnu.org";
mail($to,$subject,$txt,$headers);
?>
You can also check your DMARC/SPF record from: MXTOOLBOX
Reference:
https://support.google.com/a/answer/2466580?hl=en
Have a look at the GOOGLE article for a better understanding!
[image: image.png]
[image: image.png]
[Message part 2 (text/html, inline)]
[image.png (image/png, inline)]
[image.png (image/png, inline)]
Information forwarded to bug-gnuzilla <at> gnu.org: bug#49260; Package gnuzilla. (Tue, 29 Jun 2021 05:03:01 GMT)
Message #8 received at 49260 <at> debbugs.gnu.org (full text, mbox):
That server is operated by the FSF; there is nothing that the
gnuzilla team could do about this.
You may want to send this message to the sysadmins:
https://www.fsf.org/about/contact/email
Information forwarded to bug-gnuzilla <at> gnu.org: bug#49260; Package gnuzilla. (Tue, 13 Jul 2021 18:46:02 GMT)
Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi team
Kindly update me with the bug that I have reported.
-Zeus
On Mon, Jun 28, 2021 at 10:28 PM Cyber Zeus <cyberzeus111 <at> gmail.com> wrote:
> [original report (Message #5) quoted in full; omitted here]
[Message part 2 (text/html, inline)]
[image.png (image/png, inline)]
[image.png (image/png, inline)]
Information forwarded to bug-gnuzilla <at> gnu.org: bug#49260; Package gnuzilla. (Tue, 13 Jul 2021 23:24:02 GMT)
Message #14 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
The mailing list server not implementing strict SPF & DKIM is a choice and
not necessarily a security risk as dire as you seem to indicate — and may
actually cause more problems than it fixes. The server in question is
definitely not an open relay. I am a participant on a list, however, and
not a sysadmin, so continuing to spam mailing lists on this subject matter
instead of tracking down a sysadmin is more annoying than it is helpful.
On Tue, Jul 13, 2021 at 11:46 AM Cyber Zeus <cyberzeus111 <at> gmail.com> wrote:
> Hi team
> Kindly update me with the bug that I have reported.
>
> -Zeus
>
> On Mon, Jun 28, 2021 at 10:28 PM Cyber Zeus <cyberzeus111 <at> gmail.com> wrote:
>> [original report (Message #5) quoted in full; omitted here]
[Message part 2 (text/html, inline)]
[image.png (image/png, inline)]
[image.png (image/png, inline)]
Information forwarded to bug-gnuzilla <at> gnu.org: bug#49260; Package gnuzilla. (Tue, 13 Jul 2021 23:24:02 GMT)
Information forwarded to bug-gnuzilla <at> gnu.org: bug#49260; Package gnuzilla. (Wed, 14 Jul 2021 01:11:01 GMT)
Message #20 received at 49260 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi,
I'm not part of the "team" in any real sense. However, as was noted by
Bill <bill-auger <at> peers.community> in response to your previous e-mail,
this is a public mailing list for a project with no direct connection to
the group administering the e-mail server (the FSF, contact details at
<https://www.fsf.org/about/contact/email>).
I've forwarded your concerns to people who can do something (CCing you
in) just in case nobody else has; if you wish to follow up in future,
the appropriate e-mail address is <sysadmin <at> gnu.org>.
On 7/13/21 6:02 PM, Cyber Zeus wrote:
> Hi team
> Kindly update me with the bug that I have reported.
> -Zeus
>
> On Mon, Jun 28, 2021 at 10:28 PM Cyber Zeus <cyberzeus111 <at> gmail.com> wrote:
>> [original report (Message #5) quoted in full; omitted here]
[OpenPGP_signature (application/pgp-signature, attachment)]
Information forwarded to bug-gnuzilla <at> gnu.org: bug#49260; Package gnuzilla. (Fri, 16 Jul 2021 15:12:02 GMT)
Message #23 received at submit <at> debbugs.gnu.org (full text, mbox):
We have a DMARC policy. It is called "none". We are not doing anything
insecure or unusual; for example, it is the same one that Google uses:
$ host -t txt _dmarc.gmail.com
_dmarc.gmail.com descriptive text "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports <at> google.com"
$ host -t txt _dmarc.gnu.org
_dmarc.gnu.org descriptive text "v=DMARC1; p=none; rua=mailto:dmarc-rua <at> fsf.org"
Someone can close this bug.
--
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
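The distinction that settles this thread is the one between a domain that publishes no _dmarc record and a domain whose record says p=none: the first has no DMARC policy at all, the second has a published, valid policy that asks receivers to monitor rather than act. The scanner output quoted in the original report ("DMARC Not Found") collapses the two. The following is an added example, not code from the bug thread, the FSF or the gnuzilla project: a small DMARC record parser and posture check, run over the two records Ian Kelling quoted above (copied from his `host -t txt` output, with debbugs' "<at>" written back as "@") plus a constructed domain with no record. The function and class names are this example's own, and the findings it emits are one reasonable reading of RFC 7489, not the thread's.

```python
"""Parse and assess DMARC TXT records.

Added example; not code from the bug thread or from the FSF/gnuzilla.
SAMPLE_RECORDS holds the two records quoted in the thread from
`host -t txt _dmarc.<domain>` plus one constructed no-record case.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed from the thread's quoted `host -t txt` output ("<at>" -> "@").
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "gmail.com": "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com",
    "gnu.org": "v=DMARC1; p=none; rua=mailto:dmarc-rua@fsf.org",
    "example.org": None,  # constructed: a domain with no _dmarc record at all
}

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    domain: str
    published: bool                  # a _dmarc TXT record exists at all
    tags: Dict[str, str]
    policy: Optional[str]            # p= tag: policy for the domain itself
    subdomain_policy: Optional[str]  # sp= tag; defaults to p= per RFC 7489
    reports_to: List[str] = field(default_factory=list)   # rua= URIs
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lowercase tag -> value (RFC 7489 section 6.3)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Report a domain's DMARC posture, distinguishing 'no record' from 'p=none'."""
    if record is None:
        return DmarcAssessment(domain, False, {}, None, None,
                               findings=["no _dmarc TXT record published"])
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1 tag; receivers ignore the record")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append(f"missing or invalid p= tag ({policy!r})")
    elif policy == "none":
        findings.append("p=none: monitoring only; receivers take no action on failures")
    sp = tags.get("sp", policy)  # sp= inherits p= when absent
    if sp != policy:
        findings.append(f"subdomain policy sp={sp} differs from p={policy}")
    reports_to = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not reports_to:
        findings.append("no rua= address: aggregate reports are not collected")
    return DmarcAssessment(domain, True, tags, policy, sp, reports_to, findings)


def main() -> None:
    for domain, record in SAMPLE_RECORDS.items():
        a = assess_dmarc(domain, record)
        status = f"p={a.policy}, sp={a.subdomain_policy}" if a.published else "no record"
        print(f"{domain}: {status}")
        for finding in a.findings:
            print(f"  - {finding}")


if __name__ == "__main__":
    main()
```

Run as-is, the gnu.org record comes back as published with p=none and a rua= reporting address, which is a policy, not a missing one; the only posture note a reviewer would raise is that p=none means receivers will not quarantine or reject failing mail, the same trade-off the gmail.com record makes for its own domain.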
Information forwarded to bug-gnuzilla <at> gnu.org: bug#49260; Package gnuzilla. (Fri, 16 Jul 2021 15:12:02 GMT)
Reply sent to Mark H Weaver <mhw <at> netris.org>: You have taken responsibility. (Sat, 17 Jul 2021 06:14:02 GMT)
Notification sent to Cyber Zeus <cyberzeus111 <at> gmail.com>: bug acknowledged by developer. (Sat, 17 Jul 2021 06:14:02 GMT)
Message #31 received at 49260-done <at> debbugs.gnu.org (full text, mbox):
Ian Kelling <iank <at> fsf.org> writes:
> We have a dmarc policy. It is called "none". we are not doing anything
> insecure or unusual, for example it is the same one that google uses:
>
> $ host -t txt _dmarc.gmail.com
> _dmarc.gmail.com descriptive text "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports <at> google.com"
> $ host -t txt _dmarc.gnu.org
> _dmarc.gnu.org descriptive text "v=DMARC1; p=none; rua=mailto:dmarc-rua <at> fsf.org"
>
> Someone can close this bug.
Agreed. I'm closing this bug now. Thanks, Ian.
Mark
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 14 Aug 2021 11:24:05 GMT)
bug unarchived. Request was from Glenn Morris <rgm <at> fencepost.gnu.org> to control <at> debbugs.gnu.org. (Mon, 04 Apr 2022 19:49:02 GMT)
Forcibly Merged 49260 54714. Request was from Glenn Morris <rgm <at> fencepost.gnu.org> to control <at> debbugs.gnu.org. (Mon, 04 Apr 2022 19:49:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 05 May 2022 11:24:05 GMT)
GNU bug tracking system. Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.