bug#49260: Vulnerability Report [Misconfigured DMARC Record Flag]

2021-07-17 Thread Mark H Weaver
Ian Kelling  writes:

> We have a dmarc policy. It is called "none". we are not doing anything
> insecure or unusual, for example it is the same one that google uses:
>
> $ host -t txt _dmarc.gmail.com
> _dmarc.gmail.com descriptive text "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-repo...@google.com;"
> $ host -t txt _dmarc.gnu.org
> _dmarc.gnu.org descriptive text "v=DMARC1; p=none; rua=mailto:dmarc-...@fsf.org;"
>
> Someone can close this bug.

Agreed.  I'm closing this bug now.  Thanks, Ian.

  Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about .

bug#49260: Vulnerability Report [Misconfigured DMARC Record Flag]

2021-07-16 Thread Ian Kelling
We have a dmarc policy. It is called "none". we are not doing anything
insecure or unusual, for example it is the same one that google uses:

$ host -t txt _dmarc.gmail.com
_dmarc.gmail.com descriptive text "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-repo...@google.com;"
$ host -t txt _dmarc.gnu.org
_dmarc.gnu.org descriptive text "v=DMARC1; p=none; rua=mailto:dmarc-...@fsf.org;"

Someone can close this bug.

-- 
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
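The records Ian pastes above are the raw TXT strings a receiver has to parse, and the distinction at the heart of this thread is between a domain with no _dmarc record at all ("DMARC Not Found" in the report further down) and one that publishes p=none. The script below is an added example, written for this archive page; it is not part of the thread, of gnuzilla, or of any FSF tooling. It parses DMARC records using the RFC 7489 tag-value syntax (v=DMARC1 first, p required, sp defaulting to p, pct defaulting to 100, adkim/aspf defaulting to relaxed), applies the RFC 7489 section 6.6.3 rule that an unusable p or sp tag with a valid rua is treated as p=none, and classifies each record as not published, invalid, monitoring only, or enforcing. The domain names and mailto addresses in SAMPLE_RECORDS are constructed for the example and are not the live gmail.com or gnu.org records.

```python
"""Parse and classify DMARC TXT records (RFC 7489 tag-value syntax).

Added example for this archive page. SAMPLE_RECORDS is constructed input,
not a live DNS lookup of any real domain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}

# Constructed sample records, keyed by the _dmarc.<domain> name they would live at.
# None models a domain that publishes no _dmarc TXT record at all.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "_dmarc.example.com": "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org;",
    "_dmarc.strict.example": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
                             "rua=mailto:agg@strict.example; ruf=mailto:fail@strict.example",
    "_dmarc.bad.example": "p=reject; v=DMARC1",  # v must be the first tag
    "_dmarc.nopolicy.example": None,
}


@dataclass
class Dmarc:
    policy: str            # p: none | quarantine | reject
    subdomain_policy: str  # sp: defaults to p when absent
    pct: int               # percentage of failing mail the policy applies to
    adkim: str             # DKIM alignment: r (relaxed) or s (strict)
    aspf: str              # SPF alignment: r or s
    rua: List[str] = field(default_factory=list)  # aggregate report URIs
    ruf: List[str] = field(default_factory=list)  # failure report URIs


def _uris(value: str) -> List[str]:
    """Split a comma-separated rua/ruf value, keeping only mailto: URIs."""
    return [u.strip() for u in value.split(",") if u.strip().lower().startswith("mailto:")]


def parse_dmarc(txt: str) -> Dmarc:
    """Parse one DMARC TXT record; raise ValueError where a receiver would ignore it."""
    tags: List[Tuple[str, str]] = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';' as in the gnu.org record
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags.append((key, value))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    d: Dict[str, str] = dict(tags[1:])

    rua = _uris(d.get("rua", ""))
    ruf = _uris(d.get("ruf", ""))

    policy = d.get("p", "").lower()
    sp = d.get("sp", policy).lower()
    if policy not in VALID_POLICIES or sp not in VALID_POLICIES:
        # RFC 7489 6.6.3: with a valid rua, act as if the record were "v=DMARC1; p=none";
        # without one, the receiver applies no DMARC processing at all.
        if not rua:
            raise ValueError("no usable p/sp tag and no rua; receivers ignore this record")
        policy = sp = "none"

    try:
        pct = int(d.get("pct", "100"))
    except ValueError:
        raise ValueError("pct must be an integer") from None
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")

    adkim = d.get("adkim", "r").lower()
    aspf = d.get("aspf", "r").lower()
    if adkim not in VALID_ALIGNMENT or aspf not in VALID_ALIGNMENT:
        raise ValueError("adkim/aspf must be r or s")

    return Dmarc(policy, sp, pct, adkim, aspf, rua, ruf)


def classify(txt: Optional[str]) -> str:
    """Distinguish 'no record' from 'published with p=none' from an enforcing policy."""
    if txt is None:
        return "not published"
    try:
        rec = parse_dmarc(txt)
    except ValueError as exc:
        return f"invalid ({exc})"
    if rec.policy == "none":
        return "published, monitoring only (p=none)"
    return f"published, enforcing (p={rec.policy})"


def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify every record in a name -> TXT mapping."""
    return {name: classify(txt) for name, txt in records.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{name:28} {verdict}")
```

To run it against real data, feed the string printed by host -t txt _dmarc.<domain> into classify(); a domain that returns no TXT record at all is what the report calls "DMARC Not Found", while a record such as the ones quoted above is a published policy whose p=none value asks receivers for reports without requesting quarantine or rejection.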

bug#49260: Vulnerability Report [Misconfigured DMARC Record Flag]

2021-07-13 Thread jahoti via bug-gnuzilla via GNUzilla bug reports

Hi,

I'm not part of the "team" in any real sense. However, as was noted by 
Bill  in response to your previous e-mail, 
this is a public mailing list for a project with no direct connection to 
the group administering the e-mail server (the FSF, contact details at 
).

I've forwarded your concerns to people who can do something (CCing you 
in) just in case nobody else has; if you wish to follow up in future, 
the appropriate e-mail address is .

On 7/13/21 6:02 PM, Cyber Zeus wrote:

Hi team
Kindly update me with the bug that I have reported.
-Zeus

On Mon, Jun 28, 2021 at 10:28 PM Cyber Zeus  wrote:

Hi Team,
I am an independent security researcher and I have found a bug in your
website. The details of it are as follows:-

Description: This report is about a misconfigured DMARC/SPF record flag,
which can be used for malicious purposes as it allows for fake mailing on
behalf of respected organizations.

About the Issue:
As I have seen, the DMARC record for gnu.org is:

DMARC Policy Not Enabled
DMARC Not Found

As you can see, you have a weak SPF record; a valid record should be like:-

DMARC Policy Enabled
What's the issue:
An SPF/DMARC record is a type of Domain Name Service (DNS) record that
identifies which mail servers are permitted to send an email on behalf of
your domain. The purpose of an SPF/DMARC record is to prevent spammers from
sending messages on the behalf of your organization.

Attack Scenario: An attacker will send a phishing mail or any other malicious
mail to the victim via mail:

bug-gnuzilla@gnu.org

Even if the victim is aware of phishing attacks, he will check the origin
email, which came from your genuine mail id bug-gnuzilla@gnu.org, so he will
think that it is a genuine mail and get trapped by the attacker.
The attack can be done using any PHP mailer tool like this:-
You can also check your DMARC/SPF record from: MXTOOLBOX

Reference:
https://support.google.com/a/answer/2466580?hl=en
Have a look at the Google article for a better understanding!

bug#49260: Vulnerability Report [Misconfigured DMARC Record Flag]

2021-06-28 Thread bill-auger
that server is operated by the FSF - there is nothing that the
gnuzilla team could do about this

You may want to send this message to the sysadmins

https://www.fsf.org/about/contact/email