Hello Team,
I hope this message finds you well. I am reaching out to you as an ethical hacker, bug bounty hunter, and security researcher. My expertise lies in identifying bugs in websites and providing vulnerability assessments for the issues discovered. Recently, I came across an email spoofing issue on your website that I would like to bring to your attention. This issue allows anyone to send emails from the address hello@ai4csm.eu to other users. Please find the details of the bug below. I am seeking a bug bounty reward for responsibly disclosing this issue and look forward to reporting any further bugs once this matter is addressed.
No DMARC Record Found
Description:
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to protect email domain owners from unauthorized use, commonly known as email spoofing. Implementing DMARC helps prevent business email compromise attacks, phishing emails, email scams, and other cyber threats. A DMARC record contains the policy that determines how unauthenticated or forged emails should be handled. The absence of a DMARC record can allow attackers to abuse the domain name.
In this case, I was able to send a forged email to my own address, making it appear as if it originated from hello@ai4csm.eu. The issue lies with the following DMARC record:
DMARC record lookup and validation for: ai4csm.eu
<?php
// PoC from the report: the From: header is chosen by the sender, and with no
// DMARC policy published for the domain the receiver has nothing to enforce.
$to = "VICTIM@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [Malicious link here]";
$headers = "From: info@ai4csm.eu";
mail($to, $subject, $txt, $headers);
?>
Fix:
To address this issue, please follow these steps:
v=DMARC1; p=none; fo=1; rua=mailto:enter your email address; ruf=mailto:enter your email address
For example:
v=DMARC1; p=none; fo=1; rua=mailto:dmarc_rua@auth.sampledomain.net; ruf=mailto:dmarc_ruf@auth.sampledomain.net
Replace "enter your email address" with the mailboxes that should receive the aggregate (rua) and forensic (ruf) reports. If an ESP or other third party will receive the DMARC reports on your behalf, consult your account representative for the addresses to use. Note that p=none is a monitoring-only policy: it produces reports but still lets forged mail through, so once the reports show that your legitimate senders pass SPF or DKIM alignment, move to p=quarantine and then to p=reject.
You can check your DMARC record here.
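The following checker is an added example, not part of the original report: it takes the TXT string a lookup of _dmarc.<domain> would return (or None when no record exists, as found here) and reports whether it is a valid DMARC1 record and whether it actually enforces anything. The sample records it is run against are constructed for the example.

```python
"""Offline DMARC record checker (added example, not from the original report)."""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a tag dict.
    Returns None if the record is malformed or v=DMARC1 is not the first tag
    (RFC 7489 requires it first; receivers ignore records that violate this)."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag: treat the whole record as absent
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(txt):
    """Return (status, findings); status is 'missing', 'invalid', 'monitor' or 'enforce'."""
    if txt is None:
        return "missing", ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(txt)
    if tags is None or tags.get("p", "").lower() not in VALID_POLICIES:
        return "invalid", ["record is not a valid DMARC1 record; receivers ignore it"]
    policy = tags["p"].lower()
    findings = []
    if policy == "none":
        findings.append("p=none only requests reports; spoofed mail is still delivered")
    # rua must hold at least one real mailto: URI, otherwise no aggregate reports arrive
    if not any(re.match(r"mailto:[^@\s]+@[^@\s]+$", u) for u in tags.get("rua", "").split(",")):
        findings.append("no usable rua= address, so no aggregate reports will arrive")
    pct = tags.get("pct", "100")
    if policy != "none" and pct != "100":
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    return ("monitor" if policy == "none" else "enforce"), findings


if __name__ == "__main__":
    # Constructed samples: the report's suggested record, no record at all, and an enforcing one.
    for rec in ["v=DMARC1; p=none; fo=1; rua=mailto:dmarc_rua@auth.sampledomain.net; ruf=mailto:dmarc_ruf@auth.sampledomain.net",
                None, "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]:
        print(rec, "->", assess_dmarc(rec))
```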
This email spoofing vulnerability can be exploited for phishing purposes. An attacker could send forged emails from your domain, posing as an official representative of your company, and deceive your website users into providing money or credentials. The importance of DMARC and SPF is highlighted by the following statistics:
Please let me know if you require further assistance or if you have any additional questions.
Thank you and best regards,
Haris Ahmed