BUG: No Valid SPF Record Leading to Email Spoofing.

viper king kanakhanpago777 at gmail.com
Thu Mar 19 15:24:30 EDT 2020


Hi,
Severity: High.
Introduction:
There is an email spoofing vulnerability. Email spoofing is the forgery of an
email header so that the message appears to have originated from someone or
somewhere other than the actual source. Email spoofing is a tactic used in
phishing and spam campaigns because people are more likely to open an email
when they think it has been sent by a legitimate source. The goal of email
spoofing is to get recipients to open, and possibly even respond to, a
solicitation.

Steps to Reproduce:

1. Go to http://www.kitterman.com/spf/validate.html
2. Enter the domain name http://pidgin.im/ and click the SPF record, if any, under
"Does my domain already have an SPF record? What is it? Is it valid?"
3. You will see that there is no valid SPF protection.
4. That is why I tried to send an email using support at pidgin.im, and I
successfully delivered the message to my email address.

In addition to above checking,

I used https://emkei.cz/ and sent a test mail using the http://pidgin.im/ domain,
which was delivered successfully. This further confirms that the emails were
spoofed.

Impact:
An attacker would send a fake email. The results can be more dangerous.


More information about the Support mailing list
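The report above relies on an online checker to decide whether a domain publishes a usable SPF record. As an added illustration (not code from the report or from the Pidgin project), the following Python module shows what a receiving mail server actually does with an SPF record: it selects the single `v=spf1` TXT record, parses the mechanisms, and evaluates the connecting IP against `ip4`, `ip6`, `include` and `all`. It works entirely on constructed in-memory TXT data, so the domains (`example.com`, `_spf.example.net`, `nospf.example`) and addresses are assumptions drawn from RFC documentation ranges, not live records. The `enforcement_level` helper reports the policy a domain ends with, which is the thing a defender wants to confirm: a missing record, or one ending in `?all`/`~all`, gives receivers no strong reason to reject forged mail.

```python
import ipaddress

# Constructed sample TXT data standing in for DNS answers (not live lookups).
# Domain -> list of TXT strings. Only the single "v=spf1" record matters.
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net -all",
        "google-site-verification=not-an-spf-record",
    ],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
    "nospf.example": ["some unrelated txt"],
    "twospf.example": ["v=spf1 -all", "v=spf1 +all"],  # invalid: two records
}

# Qualifier prefix -> SPF result it yields when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying terms at 10


def spf_records(domain, txt_lookup):
    """Return every TXT string for the domain that starts with v=spf1."""
    return [r for r in txt_lookup.get(domain, []) if r.lower().startswith("v=spf1")]


def parse_spf(record):
    """Split a record into (result_on_match, mechanism, argument) tuples.

    Modifiers such as redirect= or exp= are skipped here; a full evaluator
    must honour redirect=.
    """
    mechanisms = []
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifier, not a mechanism
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((QUALIFIERS[qualifier], name.lower(), arg))
    return mechanisms


def check_host(ip, domain, txt_lookup, depth=0):
    """Evaluate SPF for a connecting IP claiming MAIL FROM the given domain.

    Returns one of: none, neutral, pass, fail, softfail, permerror.
    Only ip4, ip6, include and all are supported because they need no extra
    DNS resolution; a, mx, ptr and exists yield permerror in this toy model.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    records = spf_records(domain, txt_lookup)
    if not records:
        return "none"       # no SPF policy published at all
    if len(records) > 1:
        return "permerror"  # RFC 7208 section 4.5: multiple records are invalid
    addr = ipaddress.ip_address(ip)
    for result, name, arg in parse_spf(records[0]):
        matched = False
        if name in ("ip4", "ip6"):
            try:
                # Membership is False when the address family differs.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "all":
            matched = True
        elif name == "include":
            # include matches only when the included domain returns pass.
            matched = check_host(ip, arg, txt_lookup, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism needing DNS, unsupported here
        if matched:
            return result
    return "neutral"  # no mechanism matched and no "all" term present


def enforcement_level(domain, txt_lookup):
    """Report the policy a domain's record ends with: the result of its
    'all' mechanism, 'neutral' if it has none, or 'none' if no record."""
    records = spf_records(domain, txt_lookup)
    if len(records) != 1:
        return "none" if not records else "permerror"
    for result, name, _ in parse_spf(records[0]):
        if name == "all":
            return result
    return "neutral"


if __name__ == "__main__":
    for dom in SAMPLE_TXT:
        print(dom, "->", enforcement_level(dom, SAMPLE_TXT))
    print(check_host("203.0.113.7", "example.com", SAMPLE_TXT))
```

To run this against real domains, replace `SAMPLE_TXT` with a lookup function that fetches TXT records (for instance via dnspython's `dns.resolver.resolve(domain, "TXT")`). The point of the toy evaluator is the last step: a domain with no record returns `none`, and only a record ending in `-all` (or at least `~all`) gives a receiving server grounds to reject or quarantine mail from unauthorized senders.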