Vulnerability Disclosure [No DMARC Record]
Hello Team,
I hope this message finds you well. I am reaching out to you as an ethical hacker, bug bounty hunter, and security researcher. My expertise lies in identifying bugs in websites and providing vulnerability assessments for the issues discovered. Recently, I came across an email spoofing issue on your website that I would like to bring to your attention. This issue allows anyone to send emails from the address ai4csm.eu to other users. Please find the details of the bug below. I am seeking a bug bounty reward for responsibly disclosing this issue and look forward to reporting any further bugs once this matter is addressed.
Vulnerability:
No DMARC Record Found
Description: DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to protect email domain owners from unauthorized use, commonly known as email spoofing. Implementing DMARC helps prevent business email compromise attacks, phishing emails, email scams, and other cyber threats. A DMARC record contains the policy that determines how unauthenticated or forged emails should be handled. The absence of a DMARC record can allow attackers to abuse the domain name.
In this case, I was able to send a forged email to my own address, making it appear as if it originated from hello@ai4csm.eu. The issue lies with the following DMARC record:
DMARC record lookup and validation for: ai4csm.eu
Attachments:
i) Screenshot of the affected domain
ii) Screenshot of the forged email
iii) This can be done using any PHP mailer tool, such as:
Fix: To address this issue, please follow these steps:
Publish your SPF and DKIM records if you haven't already. Note that DMARC records rely on SPF and DKIM records to either quarantine spoofed emails to the spam folder or reject them based on the DMARC policy and SPF pass/fail status. It is important that your SPF and DMARC records align with each other before the DMARC record can work effectively.
Publish a DMARC Record.
Enable DMARC Quarantine/Reject policy.
Use the following syntax in the DMARC TXT record:
v=DMARC1; p=none; fo=1; rua=mailto:enter your email address; ruf=enter your email address
For example:
v=DMARC1; p=none; fo=1; rua=mailto:dmarc_rua@auth.sampledomain.net; ruf=mailto:dmarc_ruf@auth.sampledomain.net
Make sure to replace "enter your email address" with the appropriate email addresses. These addresses are where the reports will be sent. If you are working with an ESP or other third party who will receive the DMARC reports on your behalf, please consult your account representative to determine the email addresses to be used.
You can check your DMARC record here: [insert link to DMARC record check tool]
References:
1. Redsift [https://blog.redsift.com/email/the-resurgence-of-email-marketing-how-to-run-...]
2. Easydmarc, how to fix no DMARC record [https://easydmarc.com/blog/how-to-fix-no-dmarc-record-found/]
Impact: This email spoofing vulnerability can be exploited for phishing purposes. An attacker could send forged emails from your domain, posing as an official representative of your company, and deceive your website users into providing money or credentials. The importance of DMARC and SPF is highlighted by the following statistics:
On average, organizations suffer losses of $1.6 million due to a single spear-phishing attack.
Phishing attacks result in an annual loss of $500 million.
Only 3% of users report phishing emails to their management.
BEC scams target over 400 businesses daily.
76% of organizations have been victims of phishing attacks.
1 in 3 companies has fallen victim to CEO fraud emails.
70% of all global emails are malicious.
Fake invoice messages are the most common type of phishing lure.
Please let me know if you require further assistance or if you have any additional questions.
Thank you and best regards,
Haris Ahmed
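As an added example (not part of the report above), an offline validator for the TXT record the fix section tells the recipient to publish: it flags a missing record, a monitoring-only p=none policy, and rua/ruf values that are not mailto: URIs. The two sample records are the template and the example from the report; the p=reject record and the function names are constructed for this example.

```python
"""Offline DMARC TXT record checks (added example, not from the report)."""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
MAILTO_URI = re.compile(r"mailto:[^@\s]+@[^@\s]+")

# Constructed inputs: the report's template and example, plus a hardened record.
TEMPLATE_RECORD = "v=DMARC1; p=none; fo=1; rua=mailto:enter your email address; ruf=enter your email address"
EXAMPLE_RECORD = "v=DMARC1; p=none; fo=1; rua=mailto:dmarc_rua@auth.sampledomain.net; ruf=mailto:dmarc_ruf@auth.sampledomain.net"
HARDENED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc_rua@auth.sampledomain.net"


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt):
    """Return findings for the TXT at _dmarc.<domain>; txt=None means no record was found."""
    if txt is None:
        return ["No DMARC record found: receivers apply no policy to forged mail from this domain"]
    findings = []
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        findings.append("Record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append("Missing or invalid p= tag (expected none, quarantine or reject)")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine/reject once SPF/DKIM align")
    for tag in ("rua", "ruf"):
        if tag in tags:
            uris = [u.strip() for u in tags[tag].split(",")]
            bad = [u for u in uris if not MAILTO_URI.fullmatch(u)]
            if bad:
                findings.append(f"{tag}= must contain mailto: URIs, got {bad}")
    if "rua" not in tags:
        findings.append("No rua= address: aggregate reports will not be delivered")
    return findings


if __name__ == "__main__":
    for name, rec in [("missing", None), ("template", TEMPLATE_RECORD),
                      ("example", EXAMPLE_RECORD), ("hardened", HARDENED_RECORD)]:
        print(name, check_dmarc(rec) or ["OK"])
```

Replacing None with the TXT value returned by a real DNS lookup of _dmarc.ai4csm.eu turns this into the "lookup and validation" step the report mentions.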
Dear team,
I hope this email finds you well.
I am writing to follow up on the bug report I submitted on Tuesday 11 Feb 2025 to your website ai4csm.eu. I would be grateful if you could provide me with an update on the status of my report.
In particular, I would like to know if my reported issue has been validated and if I will be receiving the bug bounty reward for my responsible disclosure.
Thank you for your time and consideration.
Sincerely,
Haris Ahmed
On Tue 11 Feb 2025, 09:11 AM Haris Ahmed <webethicalhacker101@gmail.com> wrote:
Hi team,
I hope my reported issue has been validated. Is there any update regarding my reported bug and the bounty reward for responsible disclosure?
Regards,
Haris Ahmed
On Tue 18 Feb 2025, 11:21 AM Haris Ahmed <webethicalhacker101@gmail.com> wrote: