Keybase: SMTP protection not used

ID H1:77060
Type hackerone
Reporter test-123
Modified 2015-08-28T21:02:16



I'm checking your website found spf record there. You should apply strict SMPT policy to stop spoofed email sending from your domain.

An attacker would send a Fake email from saying that Please change your password, The victim is aware of phishing attacks, But when he sees that the mail originated from , He has no other way than to believe it. Clicking on the link takes him to a website where certain JavaScript is executed which steals his id and password (SESSION COOKIE). The results can be more dangerous. <?php $to = ""; $subject = "Password Change"; $txt = "Change your password by visiting here - [VIRUS LINK HERE]l"; $headers = "From:"; mail($to,$subject,$txt,$headers); ?>

Fix :

Your SPF record is v=spf1 mx ~all

It should be v=spf1 mx -all I strongly recommend you to read this article :

The problem :

The article clearly shows difference between softmail and fail you should be using fail as Softmail allows anyone to send spoofed emails from your domains. in your SPF record you should replace ~ with - at last before all , - is strict which prevents all spoofed emails except if you are sending. Your bug is that you are using ~ , you should use -

Best Regard Alisa