Inflection: Fake mailing reports using mail service on [URL :]

ID H1:280803
Type hackerone
Reporter namansahore
Modified 2017-10-25T19:30:46


The researcher discovered an unused subdomain that served as an alias for Mandrill's third-party transactional email service. Mandrill's relay server could be used to send bounceback/failed-delivery messages to an arbitrary "sender", although the contents of the message itself are limited to Mandrill's pre-set bounceback template. As the vulnerability is not in a service that we operate, we removed the unused subdomain.
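A defensive counterpart to the finding above, added here and not part of the report or of Inflection's own tooling: an audit over an exported DNS zone that flags subdomains whose CNAME, MX or SPF `include:` still points at a third-party mail provider while the subdomain is no longer in the inventory of subdomains in use. The provider suffix `mandrillapp.com`, the record layout and the sample zone are assumptions constructed for the example.

```python
"""Audit DNS records for forgotten subdomains delegated to a third-party
mail provider.  Added example, not code from the HackerOne report or from
Inflection; provider suffixes and sample records are constructed."""
from collections import namedtuple

Record = namedtuple("Record", "name rtype value")

# Host suffixes treated as "mail handled by an outside provider" (assumed).
THIRD_PARTY_MAIL = {
    "mandrillapp.com": "Mandrill",
}

def provider_for(host):
    """Return the provider name if a CNAME/MX target or SPF include host
    falls under one of the known third-party suffixes, else None."""
    host = host.rstrip(".").lower()
    for suffix, name in THIRD_PARTY_MAIL.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def spf_includes(txt):
    """Extract the include: targets from an SPF TXT record (empty if not SPF)."""
    if not txt.startswith("v=spf1"):
        return []
    return [t.split(":", 1)[1] for t in txt.split() if t.startswith("include:")]

def find_stale_mail_delegations(records, in_use):
    """Return (subdomain, rtype, provider) for every record that hands mail
    for, or authorizes mail from, a subdomain that is not in the in_use set."""
    findings = []
    for rec in records:
        name = rec.name.rstrip(".").lower()
        if rec.rtype in ("CNAME", "MX"):
            targets = [rec.value.split()[-1]]   # MX value is "<priority> <host>"
        elif rec.rtype == "TXT":
            targets = spf_includes(rec.value)
        else:
            targets = []
        for target in targets:
            provider = provider_for(target)
            if provider and name not in in_use:
                findings.append((name, rec.rtype, provider))
    return findings

# Constructed sample zone: one live mail subdomain and one forgotten alias.
SAMPLE_RECORDS = [
    Record("mail.example.com.", "MX", "10 mx.mandrillapp.com."),
    Record("mail.example.com.", "TXT", "v=spf1 include:spf.mandrillapp.com -all"),
    Record("old-notify.example.com.", "CNAME", "mandrillapp.com."),
    Record("www.example.com.", "CNAME", "web.example.com."),
]
IN_USE = {"mail.example.com"}   # subdomains the team still relies on
```

Run against a real zone export, the findings list is the set of aliases to remove (as Inflection did) or to re-register as in use.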