Closed
Bug 1326072
Opened 8 years ago
Closed 8 years ago
Email Spoofing using domain @mozilla.org
Categories
(Websites :: Other, defect)
Websites
Other
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1285023
People
(Reporter: dodi.ara, Unassigned)
References
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(1 file)
158.21 KB,
image/png
Hi All,
Email spoofing can be used to pretend to be someone's email, which can be used for phishing, sending malware links, illegal promotion, fraud, wanting to destroy someone's reputation, etc.
When I tried sending an email using http://emkei.cz from chris.b@mozilla.org to my Gmail email, it was successfully sent to my inbox! In this POC (see pictures below), I tried sending an email pretending to be the CEO of mozilla.org to my Gmail email.
This can be very dangerous, as an attacker can send any email using the domain @mozilla.org to people's emails around the world, so it can lead to reputation loss for Mozilla too.
Mitigations:
The DNS configuration of DKIM, SPF, DMARC, etc. of the domain must have the right values.
Thanks.
Ara
(sorry if my English is still not good/clear)
Flags: sec-bounty?
Comment 1•8 years ago
Ara: Can you please provide clearer steps to replicate the spoof? Perhaps a script or telnet steps so we can easily reproduce? We've seen some similar reports before, but I believe they were inconclusive or determined to be working as designed, and I want to give you an opportunity to clarify exactly where you think the problem is so we can consider this again.
Updated•8 years ago
Flags: needinfo?(dodi.ara)
Comment 2•8 years ago
mozilla.org has SPF, and mozilla.com has SPF/DKIM/DMARC. We want to get DKIM/DMARC on @mozilla.org, but we're currently resource constrained on it. I've added you to the bug so that you can track its (hopeful) progress over time.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
@Jonathan,
I'm sorry, the spoof still exists and is not resolved; please send again with this:
https://emkei.cz
The problem now is maybe with SPF.
Mozilla's SPF record is v=spf1 include:_spf.mozilla.com include:_spf.google.com ~all
It should be v=spf1 mx include:_spf.mozilla.com include:_spf.google.com -all
Not ~all but -all. I strongly recommend that you read this article:
https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability
Flags: needinfo?(dodi.ara)
Comment 4•8 years ago
Contrary to common knowledge, SPF only protects against the envelope being spoofed, not the From: field, which is what DMARC does. We can change it to -all, but it won't solve this particular issue.
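The two preceding comments disagree about what the SPF `~all` / `-all` qualifier buys. The following is an added illustration, not code from this bug or from Mozilla: it parses the SPF record quoted in the bug, reports the result the `all` mechanism would yield for an unlisted sender, and then applies a simplified DMARC alignment check (relaxed alignment, with the organizational domain approximated by the last two DNS labels instead of the public suffix list, which is an assumption of this example). The sender addresses in the scenario are constructed. It shows that SPF is evaluated against the envelope (MAIL FROM) domain, so a message whose envelope domain passes SPF but whose header From: is @mozilla.org still passes SPF and only fails once DMARC compares the two domains.

```python
# Added example: SPF 'all' qualifier evaluation and a simplified DMARC alignment
# check. Not the bug's or Mozilla's code; mail domains below are constructed.

# SPF record quoted in the bug, and the reporter's proposed replacement.
MOZILLA_ORG_SPF = "v=spf1 include:_spf.mozilla.com include:_spf.google.com ~all"
PROPOSED_SPF = "v=spf1 mx include:_spf.mozilla.com include:_spf.google.com -all"

# RFC 7208 qualifier -> SPF result for a mechanism that matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= or exp= are skipped here
            continue
        qualifier = "+"  # an unqualified mechanism means '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def all_qualifier_result(record):
    """Result SPF returns for a sending host that matches no other mechanism."""
    for qualifier, name, _ in parse_spf(record):
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # RFC 7208: no 'all' and no match yields neutral


def organizational_domain(domain):
    """Simplification (assumption): last two labels instead of the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_alignment(mail_from, header_from, spf_result, dkim_domain=None, dkim_result="none"):
    """Relaxed DMARC identifier alignment: an authenticated identifier must share
    the organizational domain of the RFC5322.From address."""
    envelope_domain = mail_from.rsplit("@", 1)[1]
    from_domain = header_from.rsplit("@", 1)[1]
    spf_aligned = (
        spf_result == "pass"
        and organizational_domain(envelope_domain) == organizational_domain(from_domain)
    )
    dkim_aligned = (
        dkim_result == "pass"
        and dkim_domain is not None
        and organizational_domain(dkim_domain) == organizational_domain(from_domain)
    )
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


def spoofed_from_scenario():
    """Constructed scenario matching comment 4: envelope domain passes SPF on
    its own record, header From: claims @mozilla.org, no DKIM signature."""
    return dmarc_alignment(
        mail_from="bounce@relay.example",   # constructed envelope sender
        header_from="chris.b@mozilla.org",  # address named in the bug report
        spf_result="pass",                  # SPF was evaluated for relay.example
    )


if __name__ == "__main__":
    print("mozilla.org 'all' result for unlisted host:", all_qualifier_result(MOZILLA_ORG_SPF))
    print("proposed record 'all' result for unlisted host:", all_qualifier_result(PROPOSED_SPF))
    print("spoofed From: with passing envelope SPF:", spoofed_from_scenario())
```

Changing `~all` to `-all` only changes what `all_qualifier_result` returns for the envelope domain's own record; `spoofed_from_scenario` never consults the mozilla.org record at all, which is why comment 4 says the change would not address this report. Publishing a DMARC policy is what makes receivers run the alignment step.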
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-
Updated•4 years ago
Group: websites-security
Updated•9 months ago
Keywords: reporter-external