GNU bug report logs - #49260
Vulnerability Report [Misconfigured DMARC Record Flag]


Package: gnuzilla;

Reported by: Cyber Zeus <cyberzeus111 <at> gmail.com>

Date: Mon, 28 Jun 2021 17:32:02 UTC

Severity: normal

Merged with 54714

Done: Mark H Weaver <mhw <at> netris.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 49260 in the body.
You can then email your comments to 49260 AT debbugs.gnu.org in the normal way.




Report forwarded to bug-gnuzilla <at> gnu.org:
bug#49260; Package gnuzilla. (Mon, 28 Jun 2021 17:32:02 GMT)

Acknowledgement sent to Cyber Zeus <cyberzeus111 <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-gnuzilla <at> gnu.org. (Mon, 28 Jun 2021 17:32:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Cyber Zeus <cyberzeus111 <at> gmail.com>
To: bug-gnuzilla <at> gnu.org
Subject: Vulnerability Report [Misconfigured DMARC Record Flag]
Date: Mon, 28 Jun 2021 22:28:23 +0500
[Message part 1 (text/plain, inline)]
Hi Team,
I am an independent security researcher and I have found a bug in your
website. The details are as follows:

Description: This report is about a misconfigured DMARC/SPF record flag,
which can be used for malicious purposes, as it allows fake mailing on
behalf of respected organizations.

About the Issue:
As I have seen, the DMARC record for
gnu.org <bug-gnuzilla <at> gnu.org>

is:
DMARC Policy Not Enabled
DMARC Not Found

As you can see, you have a weak SPF record; a valid record should be like:

DMARC Policy Enabled
What's the issue:
An SPF/DMARC record is a type of Domain Name Service (DNS) record that
identifies which mail servers are permitted to send email on behalf of
your domain. The purpose of an SPF/DMARC record is to prevent spammers from
sending messages on behalf of your organization.

Attack Scenario: An attacker will send phishing mail, or any other malicious
mail, to the victim via the mail address:

bug-gnuzilla <at> gnu.org

Even if the victim is aware of phishing attacks, he will check the origin
email, which came from your genuine mail ID
bug-gnuzilla <at> gnu.org

so he will think that it is genuine mail and be trapped by the attacker.
The attack can be done using any PHP mailer tool like this:

<?php
// Spoofs the From: header with PHP's mail(), as in the scenario above.
$to = "VICTIM <at> example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: bug-gnuzilla <at> gnu.org\r\n";
mail($to, $subject, $txt, $headers);
?>

You can also check your DMARC/SPF record from MXTOOLBOX.

Reference:
https://support.google.com/a/answer/2466580?hl=en
Have a look at the Google article for a better understanding!

[image: image.png]
[image: image.png]
[Message part 2 (text/html, inline)]
[image.png (image/png, inline)]
[image.png (image/png, inline)]

Information forwarded to bug-gnuzilla <at> gnu.org:
bug#49260; Package gnuzilla. (Tue, 29 Jun 2021 05:03:01 GMT)

Message #8 received at 49260 <at> debbugs.gnu.org:

From: bill-auger <bill-auger <at> peers.community>
To: Cyber Zeus <cyberzeus111 <at> gmail.com>
Cc: 49260 <at> debbugs.gnu.org
Subject: Re: bug#49260: Vulnerability Report [Misconfigured DMARC Record Flag]
Date: Tue, 29 Jun 2021 01:00:35 -0400
That server is operated by the FSF; there is nothing that the
gnuzilla team could do about this.

You may want to send this message to the sysadmins:

https://www.fsf.org/about/contact/email




Information forwarded to bug-gnuzilla <at> gnu.org:
bug#49260; Package gnuzilla. (Tue, 13 Jul 2021 18:46:02 GMT)

Message #11 received at submit <at> debbugs.gnu.org:

From: Cyber Zeus <cyberzeus111 <at> gmail.com>
To: bug-gnuzilla <at> gnu.org
Subject: Re: Vulnerability Report [Misconfigured DMARC Record Flag]
Date: Tue, 13 Jul 2021 23:02:39 +0500
[Message part 1 (text/plain, inline)]
Hi team,
Kindly update me on the bug that I have reported.
-Zeus

On Mon, Jun 28, 2021 at 10:28 PM Cyber Zeus <cyberzeus111 <at> gmail.com> wrote:

> [...]
[Message part 2 (text/html, inline)]
[image.png (image/png, inline)]
[image.png (image/png, inline)]

Information forwarded to bug-gnuzilla <at> gnu.org:
bug#49260; Package gnuzilla. (Tue, 13 Jul 2021 23:24:02 GMT)

Message #14 received at submit <at> debbugs.gnu.org:

From: Gary <gdriggs <at> gmail.com>
To: Cyber Zeus <cyberzeus111 <at> gmail.com>
Cc: 49260 <at> debbugs.gnu.org, bug-gnuzilla <bug-gnuzilla <at> gnu.org>
Subject: Re: bug#49260: Vulnerability Report [Misconfigured DMARC Record Flag]
Date: Tue, 13 Jul 2021 16:22:49 -0700
[Message part 1 (text/plain, inline)]
The mailing list server not implementing strict SPF & DKIM is a choice and
not necessarily a security risk as dire as you seem to indicate — and may
actually cause more problems than it fixes. The server in question is
definitely not an open relay. I am a participant on a list, however, and
not a sysadmin, so continuing to spam mailing lists on this subject matter
instead of tracking down a sysadmin is more annoying than it is helpful.


On Tue, Jul 13, 2021 at 11:46 AM Cyber Zeus <cyberzeus111 <at> gmail.com> wrote:

> [...]
[Message part 2 (text/html, inline)]
[image.png (image/png, inline)]
[image.png (image/png, inline)]

Information forwarded to bug-gnuzilla <at> gnu.org:
bug#49260; Package gnuzilla. (Tue, 13 Jul 2021 23:24:02 GMT)

Information forwarded to bug-gnuzilla <at> gnu.org:
bug#49260; Package gnuzilla. (Wed, 14 Jul 2021 01:11:01 GMT)

Message #20 received at 49260 <at> debbugs.gnu.org:

From: jahoti <jahoti <at> envs.net>
To: Cyber Zeus <cyberzeus111 <at> gmail.com>
Cc: 49260 <at> debbugs.gnu.org
Subject: Re: bug#49260: Vulnerability Report [Misconfigured DMARC Record Flag]
Date: Tue, 13 Jul 2021 22:11:00 +0000
[Message part 1 (text/plain, inline)]
Hi,

I'm not part of the "team" in any real sense. However, as was noted by 
Bill <bill-auger <at> peers.community> in response to your previous e-mail, 
this is a public mailing list for a project with no direct connection to 
the group administering the e-mail server (the FSF, contact details at 
<https://www.fsf.org/about/contact/email>).

I've forwarded your concerns to people who can do something (CCing you 
in) just in case nobody else has; if you wish to follow up in future, 
the appropriate e-mail address is <sysadmin <at> gnu.org>.

On 7/13/21 6:02 PM, Cyber Zeus wrote:
> [...]

[OpenPGP_signature (application/pgp-signature, attachment)]

Information forwarded to bug-gnuzilla <at> gnu.org:
bug#49260; Package gnuzilla. (Fri, 16 Jul 2021 15:12:02 GMT)

Message #23 received at submit <at> debbugs.gnu.org:

From: Ian Kelling <iank <at> fsf.org>
To: Cyber Zeus <cyberzeus111 <at> gmail.com>
Cc: 49260 <at> debbugs.gnu.org, bug-gnuzilla <at> gnu.org
Subject: Re: bug#49260: Vulnerability Report [Misconfigured DMARC Record Flag]
Date: Fri, 16 Jul 2021 11:10:53 -0400
We have a DMARC policy. It is called "none". We are not doing anything
insecure or unusual; for example, it is the same one that Google uses:

$ host -t txt _dmarc.gmail.com
_dmarc.gmail.com descriptive text "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports <at> google.com"
$ host -t txt _dmarc.gnu.org
_dmarc.gnu.org descriptive text "v=DMARC1; p=none; rua=mailto:dmarc-rua <at> fsf.org"

Someone can close this bug.

-- 
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
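What a receiving MTA actually does with the forged From: mail from the original report's attack scenario, under the two records Ian quotes above, can be worked out with a small DMARC policy evaluator. The following is an added example written for this page, not code from the bug report, from GNU or from the FSF. It embeds the gmail.com and gnu.org TXT values quoted in the thread, adds a constructed example.net record with p=reject for contrast (a hypothetical domain and address, not anything published), and assumes the receiver applies the RFC 7489 tag semantics: sp= defaults to p=, pct= defaults to 100, and p=none means "deliver and report", which is a published policy rather than the absence of one.

```python
"""Added example, not part of bug#49260 or of the FSF's configuration:
parse a DMARC TXT record and report what a receiving MTA does with a
message whose From: domain fails DMARC (no aligned SPF or DKIM pass)."""

# The two records quoted in the thread (host -t txt _dmarc.<domain>), plus a
# constructed enforcing record for comparison. example.net is hypothetical.
RECORDS = {
    "gmail.com": "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com",
    "gnu.org": "v=DMARC1; p=none; rua=mailto:dmarc-rua@fsf.org",
    "example.net": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.net",  # constructed
}

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict.

    Raises ValueError for anything that is not a usable DMARC1 record: a
    malformed tag, a non-DMARC TXT (e.g. an SPF record), or a missing p= tag.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("DMARC record without a valid p= tag")
    return tags


def is_dmarc_record(txt):
    """True if txt parses as a DMARC1 record with a valid policy."""
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False


def disposition(tags, subdomain=False):
    """Return (policy, pct) a receiver applies to mail that fails DMARC.

    sp= covers subdomains and defaults to p=; pct= (default 100) is the
    percentage of failing mail the policy is actually applied to.
    """
    policy = tags["p"]
    if subdomain and "sp" in tags:
        policy = tags["sp"]
    policy = policy.lower()
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    return policy, int(tags.get("pct", "100"))


def forged_from_outcome(txt, subdomain=False):
    """Describe what happens to a message with a forged From: under this record.

    p=none is a published policy that says 'deliver, but report': it is not
    the same as having no DMARC record at all, because aggregate reports
    (rua=) still tell the domain owner who is sending in their name.
    """
    tags = parse_dmarc(txt)
    policy, pct = disposition(tags, subdomain)
    if policy == "none":
        return "delivered, reported" if "rua" in tags else "delivered, unreported"
    return f"{policy} ({pct}%)"


if __name__ == "__main__":
    for domain, txt in RECORDS.items():
        print(f"{domain:12s} forged From: at org domain -> {forged_from_outcome(txt)}")
        print(f"{domain:12s} forged From: at subdomain  -> {forged_from_outcome(txt, subdomain=True)}")
```

Run stand-alone it prints one line per record and scope. For gnu.org the forged message is delivered but the failure shows up in the aggregate reports sent to the rua= address; for gmail.com the same is true at the organizational domain while mail forged from a gmail.com subdomain is quarantined; only the constructed example.net record rejects. The evaluator deliberately refuses records with no p= tag, since that is the one case where "DMARC Not Found" would be the right description.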





Information forwarded to bug-gnuzilla <at> gnu.org:
bug#49260; Package gnuzilla. (Fri, 16 Jul 2021 15:12:02 GMT)

Reply sent to Mark H Weaver <mhw <at> netris.org>:
You have taken responsibility. (Sat, 17 Jul 2021 06:14:02 GMT)

Notification sent to Cyber Zeus <cyberzeus111 <at> gmail.com>:
bug acknowledged by developer. (Sat, 17 Jul 2021 06:14:02 GMT)

Message #31 received at 49260-done <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: Ian Kelling <iank <at> fsf.org>, Cyber Zeus <cyberzeus111 <at> gmail.com>
Cc: 49260-done <at> debbugs.gnu.org
Subject: Re: bug#49260: Vulnerability Report [Misconfigured DMARC Record Flag]
Date: Sat, 17 Jul 2021 02:11:51 -0400
Ian Kelling <iank <at> fsf.org> writes:

> We have a DMARC policy. It is called "none". We are not doing anything
> insecure or unusual; for example, it is the same one that Google uses:
>
> $ host -t txt _dmarc.gmail.com
> _dmarc.gmail.com descriptive text "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports <at> google.com"
> $ host -t txt _dmarc.gnu.org
> _dmarc.gnu.org descriptive text "v=DMARC1; p=none; rua=mailto:dmarc-rua <at> fsf.org"
>
> Someone can close this bug.

Agreed.  I'm closing this bug now.  Thanks, Ian.

      Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 14 Aug 2021 11:24:05 GMT)

bug unarchived. Request was from Glenn Morris <rgm <at> fencepost.gnu.org> to control <at> debbugs.gnu.org. (Mon, 04 Apr 2022 19:49:02 GMT)

Forcibly Merged 49260 54714. Request was from Glenn Morris <rgm <at> fencepost.gnu.org> to control <at> debbugs.gnu.org. (Mon, 04 Apr 2022 19:49:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 05 May 2022 11:24:05 GMT)

This bug report was last modified 1 year and 349 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.