Hello,

We are aware that our email system currently does not support DKIM/DMARC. Because of our heavy use of mailing lists, supporting DKIM/DMARC would be nontrivial.

We appreciate you taking the time to notify us of this issue, but as a non-profit, volunteer-based open source organization we don't have any bounty programme at this time.

Kind regards,
ASF Security

On Sat, Mar 23, 2024 at 3:49 PM Phillip John <philliipjohn.offic...@gmail.com> wrote:
> Hello Team,
>
> I am a security researcher and I found some vulnerabilities in your site; one of them is as follows:
>
> *DESCRIPTION:*
>
> I just sent a forged email to my email address that appears to originate from priv...@pulsar.apache.org. I was able to do this because of the following DMARC record:
>
> DMARC record lookup and validation for: pulsar.apache.org
>
> "No DMARC Record found"
> Or/And
> "No DMARC Reject Policy"
>
> *FIX:*
> 1) Publish DMARC Record. (If not already published)
> 2) Enable DMARC Quarantine/Reject policy
> 3) Your DMARC record should look like
> "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:i...@domain.com"
>
> This can be done using any PHP mailer tool like this:
>
> <?php
> $to = "vic...@example.com";
> $subject = "Password Change";
> $txt = "Change your password by visiting here - [VIRUS LINK HERE]";
> $headers = "From: priv...@pulsar.apache.org";
> mail($to, $subject, $txt, $headers);
> ?>
>
> You can check your DMARC record from here:
> https://mxtoolbox.com/SuperTool.aspx?action=mx%3alition.io&run=toolpage
>
> Reference:
> https://www.knownhost.com/wiki/email/troubleshooting/setting-up_spf-dkimdmarc_records
>
> Let me know if you need me to send another forged email, or if you have any other questions. I'm hoping to receive a bounty reward for my current finding.
>
> I will be looking forward to hearing from you on this and will be reporting other vulnerabilities accordingly.
>
> Stay Safe & Healthy.
>
> *Phillip*
>
> *Snapshot:*
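The report above rests on two checks against a domain's published DMARC record: whether one exists at all, and whether its policy actually enforces anything. The following is an added example (not part of the thread or of any ASF tooling) that parses a DMARC TXT record and reproduces those two findings, plus the partial-enforcement case (`pct` below 100) that such tools often flag. The records are constructed sample strings so it runs offline; a real check would fetch the TXT record at `_dmarc.<domain>`. Note that, as the ASF reply says, a strict record does not by itself solve the mailing-list problem: list software that rewrites messages breaks DKIM/SPF alignment, so the policy choice has to account for that mail path.

```python
"""Parse a DMARC TXT record and assess its policy (added example, not the thread's code)."""
import re

# Constructed sample records; none of these belong to a real domain.
SAMPLES = {
    "no-record": None,
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "reject": "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25",
}

# One "tag=value" element of the semicolon-separated record.
TAG_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a valid DMARC record.

    RFC 7489 requires 'v=DMARC1' to be the first tag and 'p' to be present.
    """
    if record is None:
        return None
    pairs = []
    for part in record.split(";"):
        if not part.strip():          # tolerate a trailing ';'
            continue
        m = TAG_RE.match(part)
        if not m:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((m.group(1).lower(), m.group(2)))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None                   # e.g. an SPF record in the wrong place
    tags = dict(pairs)
    return tags if "p" in tags else None


def assess_dmarc(record):
    """Return a one-line finding for the record, matching the two findings in the report."""
    tags = parse_dmarc(record)
    if tags is None:
        return "No DMARC Record found"
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "none":
        return "No DMARC Reject Policy (p=none: monitoring only)"
    if pct < 100:
        return f"Enforcing policy p={policy} applied to only {pct}% of mail"
    return f"Enforcing policy p={policy}"


if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:13s} -> {assess_dmarc(rec)}")
```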