Closed Bug 1217545 Opened 9 years ago Closed 10 months ago

SPF Records are not enforced for some domains of Mozilla

Categories

(Infrastructure & Operations :: Infrastructure: Mail, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: shailesh4594, Unassigned)

References

Details

(Keywords: reporter-external, sec-want)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20150910171927

Steps to reproduce:

1. Use any technique of mail spoofing (online sites or own code).
2. Use any of the following as senders and spoofed message:
   anything@oneanddone.mozilla.org
   bugzilla-daemon@mozilla.org
   anything@bugzilla.mozilla.org
   anything@getfirefox.com
   anything@addons.mozilla.org
   anything@services.addons.mozilla.org
   anything@versioncheck.addons.mozilla.org
   anything@pfs.mozilla.org
   anything@download.mozilla.org
3. Victim will get email.
4. Done.

Actual results:

Hello,

For some domains of Mozilla, SPF records are not configured, meaning SPF records are not found for the following domains:
   oneanddone.mozilla.org
   bugzilla.mozilla.org
   getfirefox.com
   addons.mozilla.org
   services.addons.mozilla.org
   versioncheck.addons.mozilla.org
   pfs.mozilla.org
   download.mozilla.org

Attacker can use any of the above domains because there are no SPF records. You may not use any of the above domains for mailing purposes, but the victim doesn't know about this and can easily be fooled.

Also, for the main domain "mozilla.org" SPF records are established but configured incorrectly, so an attacker can use this main domain for spoofing purposes, e.g. bugzilla-daemon@mozilla.org

Current SPF records:
v=spf1 record for mozilla.org: v=spf1 include:_spf.mozilla.com include:_spf.google.com ~all

Recommended SPF records:
v=spf1 record for mozilla.org: v=spf1 include:_spf.mozilla.com include:_spf.google.com -all

Replace ~ (tilde) with - (minus).

Expected results:

SPF records should be configured properly for the mentioned domains.
Assignee: website → infra
Group: bugzilla-security → infra
Component: bugzilla.org → Infrastructure: Mail
Product: Bugzilla → Infrastructure & Operations
QA Contact: default-qa → limed
Version: unspecified → other
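The checks behind the report above (a domain with no SPF record, the permissive `~all` terminator versus the enforcing `-all`, and the 10-lookup budget a record has to stay within once `include:` chains grow), as an added Python example that is not part of this bug or of Mozilla's mail infrastructure; the TXT answers are constructed and the `.example` domain names are placeholders:

```python
# Constructed TXT answers standing in for DNS (assumption: a real audit would
# resolve these with a library such as dnspython instead of this dict).
SAMPLE_TXT = {
    "main.example": ["v=spf1 include:_spf.main.example include:_spf.provider.example ~all"],
    "_spf.main.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.provider.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "orphan.example": [],                                  # no record at all
    "noall.example": ["v=spf1 ip4:203.0.113.0/24"],        # no 'all' term: implicit neutral
    "strict.example": ["v=spf1 mx -all"],
    "twice.example": ["v=spf1 -all", "v=spf1 mx ~all"],    # two SPF records: permerror
}
QUALIFIERS = {"+": "pass-all", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def spf_records(domain, txt=SAMPLE_TXT):
    """Every TXT string at `domain` that is an SPF version-1 record."""
    return [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def all_policy(record):
    """Result an unlisted sender gets from the terminal 'all' (None if absent)."""
    for term in record.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return QUALIFIERS.get(term[0], "pass-all")   # bare 'all' means '+all'
    return None

def lookup_count(domain, txt=SAMPLE_TXT, seen=None):
    """Count DNS-querying terms, following include:/redirect= (RFC 7208 s4.6.4)."""
    seen = set() if seen is None else seen
    recs = spf_records(domain, txt)
    if domain in seen or not recs:
        return 0                      # loop guard, or nothing to count
    seen.add(domain)
    count = 0
    for term in recs[0].lower().split()[1:]:
        name, _, target = term.lstrip("+-~?").replace("redirect=", "redirect:").partition(":")
        if name.split("/")[0] in LOOKUP_TERMS:
            count += 1
            if name in ("include", "redirect"):
                count += lookup_count(target, txt, seen)
    return count

def audit(domain, txt=SAMPLE_TXT):
    """One-word verdict; only 'fail' (-all) asks receivers to reject unlisted senders."""
    recs = spf_records(domain, txt)
    if not recs:
        return "missing"
    if len(recs) > 1:
        return "permerror-multiple-records"
    if lookup_count(domain, txt) > 10:
        return "permerror-too-many-lookups"
    return all_policy(recs[0]) or "no-all-term"
```

Run `audit(d)` over every domain that appears in a From: header your organisation uses, not only the ones that send mail; a domain that never sends should publish `v=spf1 -all` rather than nothing.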
We have hundreds of hosts, and dozens of dupes/variations of this bug. Even though we obviously don't care about SPF all that much (not all recipients will check spf) we'd save ourselves a lot of hassle if we just made the policy not permissive.
Status: UNCONFIRMED → NEW
Ever confirmed: true
@byron, kindly update the status of this bug report. Best, Shailesh
This is one of the most commonly reported issues from Bug Bounty seekers. I'm unhiding this.
Group: infra
Keywords: sec-want
Assignee: infra → jhayashi
Assignee: jhayashi → infra
QA Contact: limed
Duplicate of this bug: 1893681
Status: NEW → RESOLVED
Closed: 10 months ago
Duplicate of bug: 240169
Flags: sec-bounty-
Resolution: --- → DUPLICATE

Actually, let's call this "FIXED". Bug 240169 was about adding the SPF entries in the first place, but we did so in permissive mode because Mozilla's distributed nature (including community projects and 3rd-party services) made it extremely hard to enforce. This has finally been enabled at the end of April 2024. I'd make this a duplicate of the actual work but I can't find it and it's likely now tracked in some internal-only JIRA ticket. If someone knows we could add that to the "See Also" field, although it wouldn't do any good for anyone but Mozilla employees.

No longer duplicate of bug: 240169
Resolution: DUPLICATE → FIXED
Summary: SPF Records are missing for some domains of Mozilla → SPF Records are not enforced for some domains of Mozilla
Duplicate of this bug: 1893691
See Also: → 1285023