opensourceBIM / BIMserver

The open source BIMserver platform
GNU Affero General Public License v3.0

Security Vulnerability - SMTP protection not used #279

Closed godhaniketan closed 8 years ago

godhaniketan commented 8 years ago

Hi

I was checking your website and found the SPF record there. You should apply a strict SMTP policy to stop spoofed email being sent from your domain.

An attacker could send a fake email from papers@bimserver.org saying "Please change your password". The victim is aware of phishing attacks, but when he sees that the mail originated from papers@bimserver.org, he has no other way than to believe it. Clicking the link takes him to a website where certain JavaScript is executed which steals his ID and password (session cookie). The results can be more dangerous.

```php
<?php
$to = "VICTIM@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: papers@bimserver.org";
mail($to, $subject, $txt, $headers);
?>
```

Fix:

Your SPF record is

No valid SPF record found of either type TXT or type SPF

It should be

Fail with - sign

I strongly recommend you read this article:

https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability

You can check your SPF here:

http://www.kitterman.com/spf/validate.html

POC: see the attached screenshots (bimserver_1, bimserver_2).

Lawri-van-Buel commented 8 years ago

I would like to add that your claim "He has no other way than to believe it." is not entirely accurate. The mail system that receives the mail will record where it got it from (as in, from what IP); this would show a different system than the one you would expect it to be normally.

Like:

From VICTIM@example.com  Mon Dec  7 09:29:24 2015
X-Original-To: VICTIM@example.com
Delivered-To: VICTIM@example.com
Received: by MyAttackMachine.ld (Postfix, from userid 1008)
        id 5250FF719B7; Mon,  7 Dec 2015 09:29:24 +0100 (CET)
To: VICTIM@example.com
Subject: Password Change
X-PHP-Originating-Script: 1008:phising.php
From: papers@bimserver.org
Message-Id: <20151207482924.5250FF219B7@MyAttackMachine.ld>
Date: Mon,  7 Dec 2015 09:29:24 +0100 (CET)

These are part of the same header information as your listing in Yahoo.
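The two comments above make complementary points: the report asks for a hard-fail (`-all`) SPF record, and the reply notes that the receiving mail system records the connecting IP, which is exactly what SPF is evaluated against. The following is an added example (not BIMserver code) of a minimal offline SPF evaluator that compares a constructed "none", soft-fail and strict record against the connecting IP pulled from a constructed Received header; the records, IPs and host names are all made up for the example.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records for the example; bimserver.org's real DNS is not queried.
SPF_RECORDS = {
    "none": None,                                 # what the report above found
    "soft": "v=spf1 ip4:198.51.100.0/24 ~all",    # spoof only marked, still delivered
    "strict": "v=spf1 ip4:198.51.100.0/24 -all",  # the "-" hard fail asked for above
}

# Constructed Received line as the receiving MTA adds it; the bracketed
# connecting IP is what SPF is evaluated against (the From: line is not).
RECEIVED_LINE = ("Received: from MyAttackMachine.ld (unknown [203.0.113.7]) "
                 "by mx.example.com (Postfix) with ESMTP")

def connecting_ip(received_line):
    """Return the connecting IP recorded in a Received header, or None."""
    match = re.search(r"\[([0-9a-fA-F.:]+)\]", received_line)
    return match.group(1) if match else None

def evaluate_spf(record, sender_ip):
    """Return none/pass/fail/softfail/neutral/permerror for sender_ip.
    Only ip4, ip6 and all are handled; include/a/mx need DNS, so permerror."""
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "permerror"
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term (RFC 7208 default)
```

Running `evaluate_spf(SPF_RECORDS[k], connecting_ip(RECEIVED_LINE))` for each key gives `none`, `softfail` and `fail`; only the last tells the receiving MTA to reject the spoofed message outright.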

rubendel commented 8 years ago

Not relevant, this GitHub repo is about BIMserver, not the website bimserver.org.