[conspire] (forw) Re: Email( spoofing)
paulz at ieee.org
Fri Aug 19 11:19:44 PDT 2022
A bogus email is less annoying than spam phone calls. A week or two ago, I received 8 phone calls all from "unavailable". All left voice mail saying it was Amazon calling about an order for an iPhone. Press #1 to confirm; Press #2 if I didn't place the order.
On Thursday, August 18, 2022 at 12:25:27 PM PDT, Rick Moen <rick at linuxmafia.com> wrote:
Money-seeking ploy targeting mail admins.
----- Forwarded message from Sarmad Amin <aminsarmad719 at gmail.com> -----
Date: Wed, 17 Aug 2022 09:18:14 -0700
From: Sarmad Amin <aminsarmad719 at gmail.com>
To: rick at linuxmafia.com
Subject: Email( spoofing)
Hello Team,
I am a security researcher and I found some vulnerabilities in your site;
one of them is as follows:
DESCRIPTION:
I just sent a forged email to my email address that appears to originate
from rick at linuxmafia.com. I was able to do this because of the
following DMARC record:
DMARC record lookup and validation for: linuxmafia.com
"No DMARC Record found"
Or/And
"No DMARC Reject Policy"
FIX:
1) Publish DMARC Record. (If not already published)
2) Enable DMARC Quarantine/Reject policy
3) Your DMARC record should look like
"v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:info at domain.com"
This can be done using any PHP mailer tool like this,
<?php
$to = "VICTIM at example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: rick at linuxmafia.com";
mail($to, $subject, $txt, $headers);
?>
You can check your DMARC record from here:
https://mxtoolbox.com/SuperTool.aspx?action=mx%3alition.io&run=toolpage
Reference:
https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkimdmarc_records
Let me know if you need me to send another forged email, or if you have any
other questions. I'm hoping to receive a bounty reward for my current
finding.
I will be looking forward to hearing from you on this and will be reporting
other vulnerabilities accordingly.
Stay Safe & Healthy.
Snapshots.
----- End forwarded message -----
----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
Date: Thu, 18 Aug 2022 12:21:25 -0700
From: Rick Moen <rick at linuxmafia.com>
To: Sarmad Amin <aminsarmad719 at gmail.com>
Subject: Re: Email( spoofing)
Organization: If you lived here, you'd be $HOME already.
Quoting Sarmad Amin (aminsarmad719 at gmail.com):
> Hello Team,
>
> I am a security researcher and I found some vulnerabilities in your site;
> one of them is as follows:
>
> DESCRIPTION:
>
> I just sent a forged email to my email address that appears to originate
> from rick at linuxmafia.com. I was able to do this because of the
> following DMARC record:
> DMARC record lookup and validation for: linuxmafia.com
>
> "No DMARC Record found"
> Or/And
> "No DMARC Reject Policy"
Bullshit.
One, DMARC incorporates SPF. Having a strongly asserted SPF record
suffices to achieve forgery protection. And all my domains have them.
:r! dig -t txt linuxmafia.com. +short
"v=spf1 ip4:96.95.217.99 -all"
Two, if you had _even_ actually checked _dmarc.linuxmafia.com, you would
have seen that the domain _does_ have a DMARC RR, that is deliberately
non-compliant with the DMARC spec, because I consider DMARC a botched
design, decline to participate, and declare publicly my
non-participation. Which you'd have noticed if you _actually_ looked.
:r! dig -t txt _dmarc.linuxmafia.com. +short
"DMARC: tragically misdesigned since 2012. Check our SPF RR, instead."
I deduce you are fibbing in claiming that you sent a (believable)
forged e-mail purporting to be from rick at linuxmafia.com, because if your
MTA _actually_ implemented DMARC, which requires implementing SPF, then
your MTA would have refused the mail as forged. (If you are not
fibbing, the claim is incompetent. Either way, not a good look.)
To sum up, I conclude, therefore, that you are simply running an
automated DMARC record checking script against many domains, and sending
out automated messages _falsely_ claiming a (credible) mail forgery
of those domains _solely_ if they don't return positive from your
automated DNS-checking script.
You are, in brief, _not_ acting like a genuine security researcher.
You are just another grifter running scripts, making false claims, and
wanting money.
You should be ashamed of yourself. Get a real job.
And, please go away.
----- End forwarded message -----
_______________________________________________
conspire mailing list
conspire at linuxmafia.com
http://linuxmafia.com/mailman/listinfo/conspire
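A defender-side check of the point Rick makes in the reply above (a hard-fail SPF record asserts forgery protection whether or not a valid DMARC record exists, so a DMARC-only scanner mis-classifies such a domain). This is an added Python example, not code from anyone in the thread; the TXT records are copied from the dig output quoted above, the probe IP is an assumed documentation-range address, and only ip4/ip6/all mechanisms are evaluated (include/a/mx would need live DNS).

```python
import ipaddress

# Constructed sample: the two TXT records quoted from dig in the thread above.
SAMPLE_TXT = {
    "linuxmafia.com.": ["v=spf1 ip4:96.95.217.99 -all"],
    "_dmarc.linuxmafia.com.": [
        "DMARC: tragically misdesigned since 2012. Check our SPF RR, instead."
    ],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dmarc(txt_records):
    """Return the tag dict of a valid DMARC1 record, or None if no record qualifies.

    A TXT record at _dmarc.<domain> that does not start with v=DMARC1 (like the
    non-compliant one above) is not a DMARC record at all for a receiver.
    """
    for txt in txt_records:
        if txt.strip().lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            return {k.strip().lower(): v.strip() for k, v in tags.items()}
    return None


def check_spf(txt_records, sender_ip):
    """Evaluate sender_ip against ip4/ip6 mechanisms and the 'all' qualifier."""
    spf = next((t for t in txt_records if t.lower().startswith("v=spf1")), None)
    if spf is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in spf.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qual]          # -all => any unlisted sender fails
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech.split(":", 1)[1], strict=False):
                return QUALIFIERS[qual]
    return "neutral"                         # no 'all' term: nothing asserted


def posture(domain, txt_lookup, probe_ip="203.0.113.5"):
    """Summarize forgery protection; probe_ip is an assumed unlisted sender."""
    spf_result = check_spf(txt_lookup.get(domain + ".", []), probe_ip)
    dmarc = parse_dmarc(txt_lookup.get("_dmarc." + domain + ".", []))
    return {
        "spf_rejects_unlisted_ip": spf_result == "fail",
        "dmarc_policy": dmarc.get("p") if dmarc else None,
    }
```

Run against the sample, the domain shows no usable DMARC policy yet hard-fails any sender other than the one listed address, which is exactly the case a "No DMARC record found" report ignores.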