Closed Bug 972206 Opened 11 years ago Closed 11 years ago

Missing SPF Records for Mozilla.org

Categories

(Infrastructure & Operations :: Infrastructure: Mail, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 240169

People

(Reporter: pbssubhash, Unassigned)

Details

(Keywords: reporter-external)

Attachments

(1 file)

Attached image mozilla.png
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36

Steps to reproduce:

Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators. For example, if you use Google mail apps or Outlook mail, then you can specify that particular server's SPF IP and you can avoid email spoofing!

The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain. Recipients can refer to the SPF record to determine whether a message purporting to be from your domain comes from an authorized mail server. For example, suppose that your domain example.com uses Gmail. You create an SPF record that identifies the Google Apps mail servers as the authorized mail servers for your domain. When a recipient's mail server receives a message from user@example.com, it can check the SPF record for example.com to determine whether it is a valid message. If the message comes from a server other than the Google Apps mail servers listed in the SPF record, the recipient's mail server can reject it as spam. If your domain does not have an SPF record, some recipient domains may reject messages from your users because they cannot validate that the messages come from an authorized mail server.

Please check the DNS TXT records here: http://www.all-nettools.com/toolbox/nslookup.php In this, search for TXT (used for SPF); you can see an error which says "query failed", which means there are no SPF records for your mail server!

Actual results:

I observed that there is no Sender Policy Framework DNS record for your website mozilla.org.

Expected results:

I expected that there would be SPF records for the website!
Flags: sec-bounty?
Assignee: nobody → infra
Group: mozilla-services-security
Component: General → Infrastructure: Mail
Product: Mozilla Services → Infrastructure & Operations
QA Contact: limed
Version: unspecified → other
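To make concrete the check the report describes (a receiving mail server comparing the connecting IP against the published SPF record, and getting nothing back when no record exists), here is an added example that is not part of this bug or of Mozilla's mail infrastructure. The domains and TXT records in it are constructed and stand in for live DNS lookups; it implements the ip4/ip6, include and all mechanisms of RFC 7208 and returns `permerror` for anything else.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups (not real records).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 ~all",
    # "nospf.example" deliberately has no record, the situation this bug reports.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=TXT_RECORDS, depth=0):
    """Return the SPF result a receiving MTA would derive for sender_ip.

    Handles ip4/ip6, include and all; returns 'none' when the domain publishes
    no SPF record and 'permerror' on a malformed record, an unsupported
    mechanism or runaway include nesting.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying terms; guard against loops
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:  # a v4 address never matches a v6 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: only a 'pass' from the referenced domain counts as a match;
            # a missing record there is a permanent error, not a silent no-match.
            sub = check_spf(arg, sender_ip, records, depth + 1)
            if sub in ("permerror", "none"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # a, mx, exists, ... are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match (no 'all' term)
```

A domain with no record yields `none`, so the recipient has nothing to base a decision on, which is exactly why the reporter was able to observe the "query failed" result.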
removing bounty flag as this is not a security sensitive issue and thus not eligible for a bounty
Flags: sec-bounty? → sec-bounty-
Flags: needinfo?
(In reply to Curtis Koenig [:curtisk] from comment #2)
> removing bounty flag as this is not a security sensitive issue and thus not
> eligible for a bounty

Curtis, I don't think you got it. This is indeed a security-sensitive issue. I don't know on what grounds you're denying a bounty. SPF records are to be present but they are not, and it is even clearly suggested by Google to have it. It is an extra safety for email against email spoofing. Please see comment 1 of mine.
While mail spoofing can be an issue, in this particular case this is more of a good suggestion and not an issue that is currently affecting users of Mozilla products or Mozilla employees. As well, in our current security classification this would likely be classified as a sec-low or sec-moderate. To be bounty eligible an issue must be sec-high or sec-critical on that scale. As well, SPF is a recommended but not required action for mail hosts, nor is an SPF record a perfect protection; it only makes the domain less attractive to spammers as the mail is more likely to be caught by spam filters. So while this may be a recommended setting for mail systems, it is by no means required and does not pose an immediate risk, and as such makes the issue ineligible for a bounty.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Note (in the original bug) that we actually had this at one time and it got backed out because it broke things.