MattKeeley / Spoofy

Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records.

Spoofing not possible without SPF or DMARC record. #26

Closed gnunez88 closed 3 months ago

gnunez88 commented 3 months ago

Since I do not have the knowledge, time or resources to test it I cannot confirm it, but I have found some situations where I think spoofy should either test harder or return a different result.

I have been using spoofy for some time (thank you), and since I have very little knowledge, I trusted kind of blindly, but I have come across (at least) two common situations where I think spoofy is not giving the correct answer.

The SPF record was created for a domain to say what IPs are allowed to send emails on behalf of it. So, if there is no SPF record, I understand the domain should be spoofable. DMARC has been introduced to patch some SPF holes, and it needs SPF and/or DKIM to specify how a received email is classified.


I have come across some SPF records without the all directive, which, according to the standard, is treated as ?all, which is neutral (pass). To my surprise the domain was not spoofable according to spoofy, even though there was no DMARC. I started to pay more attention to this detail and there has always been a redirect, for example:

[*] Domain: redacted.com
[*] Is subdomain: False
[*] DNS Server: 1.1.1.1
[*] SPF record: v=spf1 redirect=spf.dominioabsoluto.net
[*] SPF does not contain an `All` items.
[*] SPF include count: 0
[?] No DMARC record found.
[-] Spoofing not possibel for redacted.com

Reviewing some audits I have performed, I came across another example which also makes no sense:

[*] Domain: sub.redacted.com
[*] Is subdomain: True
[*] DNS Server: 1.1.1.1
[?] No SPF record found.
[*] DMARC record: v=DMARC1; p=none; rua=mailto:another@domain.net
[*] Found DMARC policy: none
[*] No DMARC pct found.
[*] No DMARC aspf found.
[*] No DMARC subdomain policy found.
[*] No DMARC forensics report location found.
[*] Aggregate reports will be sent to: mailto:another@domain.net
[-] Spoofing not possible for sub.redacted.com

I have also checked them with caniphish, which stated that both were spoofable with a high risk pointing out the lack of one protocol, either SPF or DMARC.

MattKeeley commented 3 months ago

Hi there! Thank you very much for bringing this up!

First Issue:

You're right, but for a different reason than you might think.

While the SPF record might not have an "ALL" mechanism directly, the redirect points to where the actual SPF record is located. And in that real location, there is indeed an "ALL" mechanism.

This also means that Spoofy is right but for the wrong reason. Spoofy should follow the redirect and parse the actual SPF location. Doing this would enable Spoofy to properly handle redirects.

Regarding the neutral "ALL" mechanisms, I don't have enough test data to confirm the findings.

Second Issue:

You might be right here.

I tested this on a domain without an SPF record (kt.com), which has a DMARC policy of "none." I was able to spoof to ProtonMail but not Outlook. To spoof to Outlook, I had to use a subdomain of the test domain (xroshot.plus.kt.com), which does have an SPF record with a softfail "ALL" mechanism.

To fix this, I would update the result for this situation in the master table and modify Spoofy’s logic to be "mailbox dependent" for domains without an SPF record and a DMARC policy of "none."

All in all, great finds!!!
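The two gaps discussed in this thread (an SPF record whose `all` qualifier only exists behind a `redirect=`, and a domain with no SPF and a DMARC `p=none`) can be exercised offline with the following added example. It is not Spoofy's code and not the maintainer's proposed patch; it is a minimal SPF/DMARC evaluator that follows `redirect=` the way RFC 7208 describes (an explicit `all` wins, `redirect=` is consulted only when no mechanism matched, and a record with neither yields neutral), then applies a small classification table. The DNS data is a constructed in-memory map (the domain names other than the redacted ones are invented), the "organizational domain = last two labels" fallback is a simplification that stands in for a Public Suffix List lookup, and the verdict table is an illustrative reading of what the thread says (hard fail behind a redirect counts as enforced; no SPF plus `p=none` is "mailbox dependent"), not Spoofy's master table.

```python
import re

# Constructed in-memory TXT records standing in for DNS (assumption: shapes
# mirror the issue; redacted names kept, the rest are invented for the example).
FAKE_TXT = {
    "redacted.com": ["v=spf1 redirect=spf.dominioabsoluto.net"],
    "spf.dominioabsoluto.net": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "noall.example": ["v=spf1 ip4:203.0.113.0/24"],            # no all, no redirect
    "_dmarc.sub.redacted.com": ["v=DMARC1; p=none; rua=mailto:another@domain.net"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; sp=quarantine; pct=100"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns a list of record strings."""
    return FAKE_TXT.get(name.lower(), [])


def get_spf(domain):
    """Return the domain's single v=spf1 record, or None (missing or ambiguous)."""
    recs = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def effective_all(domain, depth=0, max_depth=10):
    """
    Qualifier that applies when no mechanism matches, after following redirect=.
    Returns '+', '-', '~', '?' or None (no SPF record / redirect chain too deep).
    RFC 7208: an explicit all ends evaluation; redirect= only applies when nothing
    matched (so it is ignored if all is present); neither present -> neutral '?'.
    include: terms are deliberately ignored: an include's own all only decides
    whether the include matched, it never becomes the caller's default result.
    """
    if depth > max_depth:
        return None
    spf = get_spf(domain)
    if spf is None:
        return None
    redirect = None
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
    if redirect:
        return effective_all(redirect, depth + 1, max_depth)
    return "?"


def parse_dmarc(records):
    """Parse the first v=DMARC1 record into a tag dict, or return None."""
    for rec in records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def dmarc_policy(domain):
    """
    Return (tags, effective_policy) or (None, None). If the domain has no record,
    fall back to the organizational domain's sp= (or p=). Assumption: the org
    domain is the last two labels; real code should consult the Public Suffix List.
    """
    tags = parse_dmarc(lookup_txt("_dmarc." + domain))
    if tags:
        return tags, tags.get("p", "none").lower()
    labels = domain.split(".")
    if len(labels) > 2:
        tags = parse_dmarc(lookup_txt("_dmarc." + ".".join(labels[-2:])))
        if tags:
            return tags, tags.get("sp", tags.get("p", "none")).lower()
    return None, None


def classify(domain):
    """Illustrative verdict table (an assumption, not Spoofy's master table)."""
    q = effective_all(domain)
    tags, policy = dmarc_policy(domain)
    if policy in ("quarantine", "reject"):
        pct = int(tags.get("pct", "100"))
        return "not spoofable" if pct >= 100 else "partially enforced"
    if policy == "none":
        # no SPF (None) or hard fail with p=none: outcome depends on the receiver
        return "mailbox dependent" if q in (None, "-") else "spoofable"
    # no DMARC at all: only an effective hard fail (possibly via redirect) stops it
    return "not spoofable" if q == "-" else "spoofable"


if __name__ == "__main__":
    for d in ("redacted.com", "noall.example", "sub.redacted.com", "mail.strict.example"):
        print(d, effective_all(d), dmarc_policy(d)[1], classify(d))
```

The check that matters for the first report is `effective_all("redacted.com")`: the top-level record has no `all`, but following the redirect reaches `-all`, so the domain is classified the way the maintainer describes rather than by the absence of `all` at the top level. For the second report, `sub.redacted.com` has no SPF and `p=none`, which this table maps to "mailbox dependent". To swap the constructed map for live DNS, replace `lookup_txt` with a resolver call (for example `dns.resolver.resolve(name, "TXT")` from dnspython) and keep the rest unchanged.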