I am a security researcher and I have found this vulnerability on your
website https://www.haproxy.org/.

Description:

This report is about a misconfigured SPF record flag, which can be used to
abuse the organization by impersonating its identity, allowing fake
mailing on behalf of respected organizations.

About the Issue:

As I have seen, the SPF TXT record for haproxy.org is:

v=spf1 mx ~all


As you can see, the symbol at the end, the tilde (~all), is the issue; it
should be replaced by the hyphen (-all) symbol.

So the valid record will look like:

v=spf1 mx -all

What's the issue:

As you can see in the article on the difference between softfail and fail,
you should be using fail, as softfail allows anyone to send spoofed emails
from your domains.

In the current SPF record you should replace ~ with - just before all;
- is strict, which prevents all spoofed emails except those you are sending.

Attack Scenario:

An attacker will send a phishing mail or any other malicious mail to the
victim from the address haproxy@formilux.org. Even if the victim is aware
of phishing attacks, he will check the origin email, which will be
haproxy@formilux.org, so he will be sure that it is not a fake mail and
get trapped by the attacker!

This can be done using any PHP mailer tool, like this:

<?php
// Recipient, subject and body of the spoofed message; the recipient
// address is truncated in the original report.
$to = "vic...@example.com";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";

// The forged From header: mail() passes additional headers through
// unchanged, so the message claims to come from haproxy@formilux.org.
$headers = "From: haproxy@formilux.org";

mail($to, $subject, $txt, $headers);
?>

*Regards,*
*Muhammad Umar*

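The check the report is asking for, as an added example that is not part of the original message: a small SPF parser that extracts the qualifier on the `all` term and evaluates a sender address against the record, so the difference between `v=spf1 mx ~all` and `v=spf1 mx -all` can be seen for an unlisted sender. It performs no DNS lookups; the MX addresses and the `example.org` domain are constructed for the example and say nothing about haproxy.org's or formilux.org's real mail exchangers. Only the `mx`, `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress
import re

# Constructed sample records: the record quoted in the report and the
# hardened form it proposes.
RECORDS = {
    "softfail": "v=spf1 mx ~all",
    "hardfail": "v=spf1 mx -all",
}

# Hypothetical MX address table standing in for DNS. The real addresses of
# any organization's mail exchangers are not part of this example.
MX_ADDRESSES = {
    "example.org": ["192.0.2.25", "2001:db8::25"],
}

# Qualifier prefix -> SPF result; a term with no prefix means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# One SPF term: optional qualifier, mechanism/modifier name, optional argument.
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=](.*))?$")


def parse_spf(record):
    """Split an SPF TXT record into (result, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term.lower())
        if not m:
            raise ValueError("unparseable SPF term: %r" % term)
        qual, mech, arg = m.groups()
        parsed.append((QUALIFIERS[qual or "+"], mech, arg))
    return parsed


def all_qualifier(record):
    """Result the record yields for a sender that no earlier mechanism matched."""
    for result, mech, _ in parse_spf(record):
        if mech == "all":
            return result
    return "neutral"  # no match and no `all` term: neutral (RFC 7208 section 4.7)


def evaluate(record, domain, sender_ip, mx_table=MX_ADDRESSES):
    """Minimal check_host(): walk the terms left to right, first match wins.

    `mx` is resolved through the constructed mx_table instead of DNS; an
    `mx` argument with a CIDR suffix is not handled and simply fails to match.
    """
    ip = ipaddress.ip_address(sender_ip)
    for result, mech, arg in parse_spf(record):
        if mech == "all":
            return result
        if mech == "mx":
            hosts = mx_table.get(arg or domain, [])
            if any(ip == ipaddress.ip_address(h) for h in hosts):
                return result
        elif mech in ("ip4", "ip6"):
            # `in` is False for a version mismatch, so an IPv4 sender never
            # matches an ip6: network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        else:
            raise NotImplementedError("mechanism %r not handled here" % mech)
    return "neutral"


def audit(record):
    """Summarise what the record says about senders it does not list."""
    q = all_qualifier(record)
    return {"all": q, "rejects_unlisted_senders": q == "fail"}


if __name__ == "__main__":
    for name, record in RECORDS.items():
        print(name, record, audit(record))
        # 203.0.113.7 is a constructed, unlisted sender address.
        print("  unlisted sender ->", evaluate(record, "example.org", "203.0.113.7"))
```

Running the block prints `softfail` for the unlisted sender under the quoted record and `fail` under the hardened one, while a listed MX address passes under both. What a receiving server does with a softfail versus a fail result is its own policy (and depends on DMARC, which neither record sets); the example reports only the SPF result.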