Security Vulnerability - SMTP protection not used

Ketankumar Godhani ketan.kt21 at
Wed Jan 27 06:26:22 EST 2016


I'm checking your website and found SPF record there.
You should apply a strict SMTP policy to stop spoofed email sending from your

An attacker would send a fake email from security at saying,
"Please change your password." The victim is aware of phishing attacks, but
when he sees that the mail originated from security at , he has no
other way than to believe it. Clicking on the link takes him to a website
where certain JavaScript is executed which steals his ID and password
(SESSION COOKIE). The results can be more dangerous.

$to = "VICTIM at";
$subject = "Password Change";
$txt = "Change your password by visiting here -
$headers = "From: security at";

Fix :

Your SPF record is
No valid SPF record found of either type TXT or type SPF.

I strongly recommend you to read this article :

You can check your SPF here:
*POC:* Find Attachment

*Ketankumar B. Godhani*
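
Added example, not part of the original message or the reporter's PoC: the SPF check the report refers to, run offline over the TXT strings published for a domain and rated by how unauthorized senders are treated (RFC 7208). The function name spf_posture, the status labels and the sample records are assumptions made for illustration.

```python
# Added example: classify a domain's SPF posture from its TXT records (RFC 7208).
# All TXT strings used here are constructed samples, not real DNS data.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_posture(txt_records):
    """Return (status, detail) for the TXT records published at one domain."""
    recs = [r.strip() for r in txt_records]
    # An SPF record is exactly "v=spf1" or starts with "v=spf1 " (case-insensitive).
    spf = [r for r in recs
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return ("none", "no SPF record: receivers get no sender policy to enforce")
    if len(spf) > 1:
        return ("permerror", "multiple v=spf1 records: evaluation fails")
    redirect = None
    for term in spf[0].split()[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # only used when no 'all' is present
            continue
        qualifier = "+"  # default qualifier when none is written
        if low[0] in QUALIFIERS:
            qualifier, low = low[0], low[1:]
        if low == "all":  # terms after 'all' are never evaluated
            result = QUALIFIERS[qualifier]
            if result == "fail":
                return ("strict", "-all: unauthorized senders fail")
            if result == "softfail":
                return ("weak", "~all: unauthorized senders only softfail")
            return ("open", f"{qualifier}all: unauthorized senders are not rejected")
    if redirect:
        return ("redirect", f"policy delegated to {redirect}")
    return ("open", "no 'all' mechanism or redirect: default result is neutral")


if __name__ == "__main__":
    samples = [  # constructed records using reserved example names and addresses
        ["site-verification=constructed-token"],
        ["v=spf1 include:_spf.example.net ~all"],
        ["v=spf1 ip4:192.0.2.0/24 -all"],
        ["v=spf1 mx", "v=spf1 -all"],
        ["v=spf1 redirect=_spf.example.net"],
    ]
    for txt in samples:
        print(txt, "->", spf_posture(txt))
```

SPF is evaluated against the envelope sender (MAIL FROM), so a record rated strict here still needs a DMARC policy before receivers act on a forged From: header like the one in the snippet above.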