The mailing list server not implementing strict SPF & DKIM is a choice and not necessarily a security risk as dire as you seem to indicate — and may actually cause more problems than it fixes. The server in question is definitely not an open relay. I am a participant on a list, however, and not a sysadmin, so continuing to spam mailing lists on this subject matter instead of tracking down a sysadmin is more annoying than it is helpful.

On Tue, Jul 13, 2021 at 11:46 AM Cyber Zeus wrote:
> Hi team
> Kindly update me with the bug that I have reported.
>
> -Zeus
>
> On Mon, Jun 28, 2021 at 10:28 PM Cyber Zeus wrote:
>
>> Hi Team,
>> I am an independent security researcher and I have found a bug in your
>> website. The details of it are as follows:
>>
>> Description: This report is about a misconfigured DMARC/SPF record flag,
>> which can be used for malicious purposes as it allows for fake mailing on
>> behalf of respected organizations.
>>
>> About the Issue:
>> As I have seen, the DMARC record for gnu.org is:
>>
>> DMARC Policy Not Enabled
>> DMARC Not Found
>>
>> As you can see, you have a weak SPF record; a valid record should be like:
>>
>> DMARC Policy Enabled
>>
>> What's the issue:
>> An SPF/DMARC record is a type of Domain Name Service (DNS) record that
>> identifies which mail servers are permitted to send an email on behalf of
>> your domain. The purpose of an SPF/DMARC record is to prevent spammers from
>> sending messages on behalf of your organization.
>>
>> Attack Scenario: An attacker will send phishing mail or any other
>> malicious mail to the victim via mail from:
>>
>> bug-gnuzilla@gnu.org
>>
>> Even if the victim is aware of phishing attacks, he will check the
>> origin email, which came from your genuine mail id bug-gnuzilla@gnu.org,
>> so he will think that it is genuine mail and get trapped by the attacker.
>> The attack can be done using any PHP mailer tool like this:
>>
>> <?php
>> $to = "VICTIM@example.com";
>> $subject = "Password Change";
>> $txt = "Change your password by visiting here - [VIRUS LINK HERE]";
>> $headers = "From: bug-gnuzilla@gnu.org";
>> mail($to, $subject, $txt, $headers);
>> ?>
>>
>> You can also check your DMARC/SPF record from MXTOOLBOX.
>>
>> Reference:
>> https://support.google.com/a/answer/2466580?hl=en
>> Have a look at the Google article for a better understanding!
>
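The two messages above disagree about how serious a missing DMARC policy and a non-strict SPF record are. As an added example that is not part of this thread (and not a tool either writer used), the script below parses SPF and DMARC TXT records and reports the conditions the report describes: no SPF record, an SPF record ending in `+all`, `~all` or `?all`, no DMARC record, or a DMARC policy of `p=none`. The TXT records in `SAMPLE_TXT` are constructed for illustration and are not the real records of gnu.org or any other domain; a real check would fetch them from DNS (the TXT records at `<domain>` and `_dmarc.<domain>`) and pass the results through the same functions.

```python
"""Check SPF and DMARC TXT records for the weaknesses discussed in the thread.

Added example, not part of the original mail thread. The records below are
constructed; a real check would fetch the TXT records at <domain> and
_dmarc.<domain> with a DNS resolver and feed them to the same functions.
"""
import re

# Constructed sample TXT records keyed by DNS name (not real data for any domain).
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.weak.example": [],  # no DMARC record published
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "none.example": ["v=spf1 +all"],
    "_dmarc.none.example": ["v=DMARC1; p=none"],
}


def parse_spf(txt_records):
    """Return (terms, qualifier of the 'all' mechanism) from the first v=spf1
    record, or (None, None) when no SPF record is present.

    A bare 'all' means '+all' (pass everything), which is why the qualifier
    defaults to '+' when the mechanism carries none."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            terms = rec.split()[1:]
            qualifier = None
            for term in terms:
                m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
                if m:
                    qualifier = m.group(1) or "+"
            return terms, qualifier
    return None, None


def parse_dmarc(txt_records):
    """Return the DMARC tags as a dict (e.g. {'v': 'DMARC1', 'p': 'reject'}),
    or None when no v=DMARC1 record is present."""
    for rec in txt_records:
        if rec.upper().startswith("V=DMARC1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_domain(domain, lookup=SAMPLE_TXT.get):
    """Return a list of findings for the domain; an empty list means that SPF
    ends in -all and DMARC publishes a policy other than p=none.

    `lookup(name, default)` returns the TXT strings for a DNS name; the
    default looks them up in the constructed SAMPLE_TXT table."""
    findings = []
    terms, all_qualifier = parse_spf(lookup(domain, []))
    if terms is None:
        findings.append("no SPF record")
    elif all_qualifier in (None, "+"):
        findings.append("SPF does not restrict senders (missing or +all)")
    elif all_qualifier in ("~", "?"):
        findings.append(
            f"SPF uses soft/neutral all ({all_qualifier}all); "
            "spoofed mail is not rejected by SPF alone"
        )
    dmarc = parse_dmarc(lookup("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc.get("p", "").lower() == "none":
        findings.append(
            "DMARC policy is p=none (monitor only; receivers are not told to reject spoofed mail)"
        )
    return findings


if __name__ == "__main__":
    for name in ("weak.example", "strict.example", "none.example"):
        print(name, assess_domain(name) or ["ok"])
```

The findings are deliberately worded as risk statements rather than pass/fail, because the first reply's point is real: a domain whose users post through mailing lists that forward messages under the original From: address will see those messages fail DMARC alignment at receivers once it publishes `p=reject`, unless the lists rewrite the From: header. Deciding whether to move from `p=none` to `p=quarantine` or `p=reject` is therefore a judgement for the domain's administrators, informed by the aggregate reports the `rua=` address receives, not something a scanner output settles on its own.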