ASRG / asrg.io

asrg.io - website and docs
MIT License

Vulnerability: SPF Record #368

Closed heldyboy closed 3 years ago

heldyboy commented 3 years ago

Please look into the following reported vulnerability from an Anonymous person. We do not know this person, however it seems to have merit. Investigate and fix.

On Sun, Sep 5, 2021 at 2:40 PM Hammad Chauhan hammadchauhan37@gmail.com wrote:

Hi,

I'm an independent cyber security researcher and I have found multiple issues in your website.

Vulnerability : Missing SPF

I was just looking at your SPF records and found the following. The SPF record is missing a safe check, which can allow me to send mail and easily phish any victim.

PoC:

<?php
// Reporter's PoC as posted, with the unterminated string and header syntax corrected.
$to = "VICTIM@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
// mail() passes the caller-supplied From header through unchanged.
$headers = "From: https://www.asrg.io/";
mail($to, $subject, $txt, $headers);
?>

The TXT records found for your domain are: v=spf1 include:_spf.google.com ~all @

Checking to see if there is a valid SPF record.

Found v=spf1 record for asrg.io: v=spf1 include:_spf.google.com ~all

Fix

The TXT records found for your domain are: v=spf1 include:_spf.google.com -all @

Checking to see if there is a valid SPF record.

Found v=spf1 record for asrg.io: v=spf1 include:_spf.google.com -all

Let me know if any further info is required. Regards, Hammad

donald-king commented 3 years ago

Change "v=spf1 include:_spf.google.com ~all" to "v=spf1 include:_spf.google.com -all"

~ instructs the email server to soft fail, - instructs the email server to fail. Using - may cause more legitimate mail to be dropped, but will prevent email spoofing.
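The ~all versus -all distinction above, as an added example that is not code from the issue or the asrg.io repository: a small Python checker that parses an SPF record, locates its terminal "all" mechanism and flags a softfail or missing "all" term as weak. The record strings are constructed from what the thread quotes; the function and class names are assumptions of this example.

```python
# Added example (not from the issue): audit the terminal "all" mechanism of an
# SPF TXT record and flag the softfail (~all) case discussed in the thread.
from dataclasses import dataclass
from typing import List, Optional, Tuple

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class SpfAudit:
    version_ok: bool
    mechanisms: List[Tuple[str, str]]   # (qualifier, mechanism name) in order
    all_qualifier: Optional[str]        # "+", "-", "~", "?" or None if absent
    weak: bool                          # True unless unlisted senders hard-fail


def parse_spf(record: str) -> SpfAudit:
    """Split an SPF record into mechanisms and locate the final 'all' term."""
    terms = record.strip().split()
    version_ok = bool(terms) and terms[0].lower() == "v=spf1"
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        if "=" in term and ":" not in term:   # modifier (redirect=, exp=), skip
            continue
        qualifier = "+"                       # implicit qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        mechanisms.append((qualifier, name))
        if name == "all":
            all_qualifier = qualifier
            break                             # terms after "all" are never evaluated
    return SpfAudit(version_ok, mechanisms, all_qualifier, all_qualifier != "-")


def describe(record: str) -> str:
    """Human-readable verdict on what happens to senders not listed in the record."""
    audit = parse_spf(record)
    if not audit.version_ok:
        return "no valid SPF record"
    if audit.all_qualifier is None:
        return "no 'all' mechanism: unlisted senders are neutral (weak)"
    verdict = QUALIFIERS[audit.all_qualifier]
    return f"unlisted senders -> {verdict}" + (" (weak)" if audit.weak else " (strict)")


# Constructed inputs: the record reported in the issue and the proposed fix.
REPORTED = "v=spf1 include:_spf.google.com ~all"
FIXED = "v=spf1 include:_spf.google.com -all"

if __name__ == "__main__":
    for rec in (REPORTED, FIXED):
        print(f"{rec!r}: {describe(rec)}")
```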