Re: [security] (Bug Report)No valid SPF record.

Hello Team, Please give me response on this issue On Tue, Mar 1, 2022 at 9:26 PM Sakshi Patil &lt;sakshipatil017(a)gmail.com&gt; wrote: > sir any update? > > On Sun, Nov 22, 2020 at 8:22 PM Sakshi Patil &lt;sakshipatil017(a)gmail.com&gt; > wrote: > >> Vulnerability Name:No valid SPF record. >> >> DESCRIPTION: >> >> An SPF record is a type of Domain Name Service (DNS) record that >> identifies which mail servers are permitted to send email on behalf of your >> domain. The purpose of an SPF record is to prevent spammers from sending >> messages with forged From addresses at your domain. >> >> Vulnerable Domain :sparta.eu >> >> >> Steps To Reproduce: >> >> 1) Checking Missing SPF: >> There Are Various Ways of Checking Missing SPF Records on a website But >> the Most Common and Popular way is kitterman.com >> >> Steps to Check SPF Records on a website:- >> Go to http://www.kitterman.com/spf/validate.html >> >> Enter Target Website Ex:sparta.eu >> >> >> >> (Do Not Add https/http or www)Hit Check SPF (IF ANY) >> >> If You seem any SPF Record than Domain is Not Vulnerable But if you see >> no SPF >> record here,it is vulnerable >> >> >> 2) Attack Scenario & Poc: >> >> Once There is No SPF Records.An Attacker Can Spoof Email Via any Fake >> Mailer Like Emkei.cz.An <http://emkei.cz.an/> Attacker Can Send Email >> From name "Security" and Email: &quot;security(a)target.com&quot; With Social >> Engineering Attack He Can TakeOver User Account Let Victim Knows the >> Phishing Attack but When He See The Email from the Authorized Domain.He Got >> tricked Easily. >> >> >> Exploit: >> >> For testing i am forgering support(a)sparta.eu >> >> >> How to reproduce this >> >> 1.Go to https://emkei.cz/ >> >> 2. Fill all the details >> like >> >> Name - support sparta >> >> email - support(a)sparta.eu >> >> >> to - my email address >> etc >> >> send email >> >> 3. It will directly send a mail from support(a)sparta.eu >> to my email >> >> Impact : >> Attacker can use official mail for phishing attack. which can be used >> for phishing attack. At it is from official mail, user will definitely >> trust it and will be tricked in phishing trap. >> >> Attachment: >> >