[conspire] (forw) Re: Vulnerability Report (DMARC RECORD)

Rick Moen rick at linuxmafia.com
Thu Jul 1 15:41:43 PDT 2021


Correspondent is one of many white-hat freelance security researchers,
checking systems for site vulnerabilities and hoping to receive bug
bounties for helping the site spot and correct security problems.

This correspondent seemingly didn't _actually_ check ability to forge
mail purporting to come from linuxmafia.com, but rather relied on the
test CGI at https://mxtoolbox.com/DMARC.aspx -- a CGI that doesn't
actually test ability to send forged mail, only check a site's DMARC
record for errors.

Contrary to the correspondent's claim, linuxmafia.com's DNS _does_ 
publish a DMARC record -- one that is deliberately non-compliant with
Yahoo's DMARC specification, as a public gesture of disapproval of DMARC
as a whole.  I politely explain this, in my response (below).


----- Forwarded message from ethical.security.researcher at inbox.eu -----

Date: Thu,  1 Jul 2021 14:54:13 +0300 (EEST)
From: ethical.security.researcher at inbox.eu
To: rick at linuxmafia.com
Subject: Vulnerability Report (DMARC RECORD)

Hello Team, 
I am a security researcher and I found this vulnerability.
I just sent a forged email to my email address that appears to originate from rick at linuxmafia.com
I was able to do this because of the following DMARC record:

DMARC record lookup and validation for: linuxmafia.com

" No DMARC Record found "

How to reproduce (POC: attached image):
1. Go to mxtoolbox.com/DMARC.aspx
2. Enter the website. Click GO.
3. You will see the fault (DMARC Quarantine/Reject policy not enabled)

Fix:
1) Publish a DMARC record.
2) Enable the DMARC Quarantine/Reject policy.
3) Your DMARC record should look like:
"v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info at domain.com"

For more information you can use this blog 
(https://sendgrid.com/blog/what-is-dmarc/).

<?php
$to = "VICTIM at example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
// mail() expects each header terminated by CRLF
$headers = "From: rick at linuxmafia.com\r\n";
mail($to, $subject, $txt, $headers);
?>

Reference : https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkim-dmarc_records


Let me know if you need me to send another forged email, or if you have any other questions.


Hoping for the bounty for my ethical Disclosure.
Best Regards
Security Researcher




----- End forwarded message -----
----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Thu, 1 Jul 2021 15:33:19 -0700
From: Rick Moen <rick at linuxmafia.com>
To: ethical.security.researcher at inbox.eu
Subject: Re: Vulnerability Report (DMARC RECORD)
Organization: If you lived here, you'd be $HOME already.

Quoting ethical.security.researcher at inbox.eu (ethical.security.researcher at inbox.eu):

> Hello Team, 
> I am a security researcher and I founded this vulnerability.
> I just sent a forged email to my email address that appears to originate from  rick at linuxmafia.com
> I was able to do this because of the following DMARC record:
> 
> DMARC record lookup and validation for: linuxmafia.com
> 
> " No DMARC Record found "

Hi again!  I really appreciate your taking the trouble.  

It should be impossible to believably forge my domain's SMTP because,
since 2001, my domain has published a strongly asserted (hardfail) SPF
record that declares any mail originating from an IP other than mine
forged, and recommends rejecting it:


$ dig -t txt linuxmafia.com +short
"v=spf1 ip4:96.95.217.99 -all"
$


The existence of that record means that my domain is also technically
DMARC-compliant, since DMARC's criteria are satisfied if SPF is
functional for the SMTP-sending domain.  DMARC, as a metastandard, also
can and usually does include DKIM signing/authentication of message body
text and included headers, but DKIM is _not mandated_ by DMARC.

As further detail, my domain _deliberately_ does not implement DKIM, as
I consider Yahoo, Inc.'s design for the draft DKIM protocol fatally
flawed, in that its operation is unfixably hostile to all Internet
mailing lists.  Yahoo, Inc. was likewise responsible for DMARC as a
superset of DKIM.  Therefore, I also have an unfavourable opinion of
DMARC, and don't implement DMARC, either.

I signal this intention (to deliberately avoid DMARC, as I consider it 
an actively bad idea) in an explanatory note published at the DNS FQDN 
where a DMARC reference record would be:


$ dig -t txt _dmarc.linuxmafia.com +short
"DMARC: tragically misdesigned since 2012.  Check our SPF RR, instead."
$



Nonetheless, I really do appreciate your public service in checking
these matters.  My only suggestion, so that your help becomes (in the
future) slightly better, is to check for SPF before reporting that you
"were able to send a forged e-mail to my email address that appears to
originate from [the administrator's e-mail address]".

Why?  Because, if your SMTP host respects SPF (as it is required to do, to be
DMARC-compliant), then your attempt at forged mail should have been
categorically rejected because it didn't originate at my IP address,
96.95.217.99, the only authorised SMTP-sending IP for my domain.

If your testing script indeed claims it successfully originated a forgery 
of linuxmafia.com mail that passed SPF (and thus DMARC) testing, then I
think your script has a bug.  Perhaps your test platform needs to
include testing of SPF compliance, before claiming success.

Thank you again.


Best Regards,
Rick Moen, owner/sysadmin
linuxmafia.com


----- End forwarded message -----
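As an added example (not part of the thread or of either correspondent's tooling), a small offline check of the two things this exchange turns on: what an SPF-honouring receiver concludes about a given sending IP, and whether the TXT record at _dmarc actually parses as a DMARC policy. The two linuxmafia.com records are re-typed from the thread as constructed constants; the reporter's suggested record is reproduced with a placeholder report mailbox.

```python
import ipaddress

# Constructed inputs: the records quoted in the thread (re-typed) plus the
# record the reporter suggested, with a placeholder report mailbox.
SPF_LINUXMAFIA = "v=spf1 ip4:96.95.217.99 -all"
DMARC_LINUXMAFIA = "DMARC: tragically misdesigned since 2012.  Check our SPF RR, instead."
DMARC_SUGGESTED = "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info@example.com"

# Result for the qualifier on the "all" mechanism (RFC 7208, section 4.6.2).
ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check_ip(record, sender_ip):
    """Evaluate sender_ip against an SPF record built from ip4/ip6 mechanisms
    and a final 'all' (the shape of the record in the thread; include/a/mx
    are skipped).  Returns the SPF result, or 'none' if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in ALL_RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.lower() == "all":
            return ALL_RESULT[qualifier]
        name, _, arg = mech.partition(":")
        if name.lower() in ("ip4", "ip6") and arg:
            # A v4 address is never 'in' a v6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return ALL_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default


def parse_dmarc(record):
    """Parse a TXT record found at _dmarc.<domain>.  Per RFC 7489 a record
    that does not begin with v=DMARC1 (or lacks a p= tag) is not a DMARC
    record, which is why lookup tools report 'No DMARC Record found' for a
    domain that publishes prose there instead.  Returns the tag dict or None."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags
```

Running it against the thread's records: a message from 96.95.217.99 gets "pass", any other source gets "fail" under "-all", and the explanatory note at _dmarc parses as no DMARC policy at all, which is exactly what the lookup tool reported.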


