Email Spoofing due to Invalid SPF Record Vulnerability

Ferdi Riansyah
Published in System Weakness, May 8, 2022

Supp Folks!

It’s me Rian with another bug bounty write-up.

I’ll describe how I found an invalid SPF record and was able to spoof an email. Without further ado, let’s jump into it.

What’s an SPF Record?

SPF stands for Sender Policy Framework. It is a DNS TXT record that lists all the servers authorized to send email on behalf of a particular domain, and it is one of several DNS-based mechanisms that help receiving mail servers confirm whether an email comes from a trusted source.

Backstory

Lately, I’ve been hunting on a private bug bounty program for a company whose name I can’t disclose, so let’s just call its domain redacted.com. The first thing I did was basic recon: subdomain enumeration, directory finding, and reviewing the source code. After that, I tried some possible vulnerabilities including SQL Injection, XSS, API key leaks, logical flaws, BAC, etc. But I got nothing, and yeah, I was going to give up until….

Jumping Into The Bug

I randomly thought about the missing SPF vulnerability, so I packed my sadness up and went to https://www.kitterman.com/spf/validate.html, an SPF record testing tool. I entered my target domain (redacted.com) there and got an interesting response.

As you can see, there’s an error saying “SPF Permanent Error: Too many DNS lookups”. What luck: redacted.com has an SPF record, but it’s invalid because it triggers more DNS lookups than SPF allows, so receiving servers treat it as a permanent error instead of a valid policy.
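To reproduce that check on a domain you own, here is an added example (not the author’s code or the validator’s) that walks an SPF record and counts the DNS-querying terms (include, a, mx, ptr, exists, redirect), which RFC 7208 caps at 10 before a permerror. It resolves against a constructed in-memory table instead of live DNS; redacted.com and all the *.example records are made up.

```python
"""Count the DNS lookups an SPF record triggers (RFC 7208 caps them at 10)."""
import re

# Constructed stand-in for DNS TXT records (domain -> SPF string); a real
# checker would query DNS here. Designed so redacted.com exceeds the cap.
FAKE_TXT = {
    "redacted.com": "v=spf1 include:_spf.vendor-a.example include:_spf.vendor-b.example mx a -all",
    "_spf.vendor-a.example": "v=spf1 include:a1.example include:a2.example include:a3.example ~all",
    "_spf.vendor-b.example": "v=spf1 include:b1.example include:b2.example include:b3.example -all",
    "a1.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "a2.example": "v=spf1 a mx -all",
    "a3.example": "v=spf1 include:a3-deep.example -all",
    "a3-deep.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b1.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "b2.example": "v=spf1 redirect=b2-real.example",
    "b2-real.example": "v=spf1 ip4:203.0.113.128/25 -all",
    "b3.example": "v=spf1 ptr -all",
    "fixed.example": "v=spf1 ip4:192.0.2.0/24 include:a1.example -all",  # flattened, healthy
}
MAX_LOOKUPS = 10
# Terms that cost a DNS query; ip4/ip6/all do not.
LOOKUP_TERM = re.compile(r"^(include|a|mx|ptr|exists|redirect)(?:[:=](\S+))?$")


def count_lookups(domain, txt=FAKE_TXT, path=()):
    """Return the number of DNS-querying terms reached from domain's record."""
    if domain in path:
        return 0  # include/redirect loop: stop, a validator reports permerror here too
    total = 0
    for term in txt.get(domain, "").split()[1:]:  # skip the "v=spf1" version tag
        m = LOOKUP_TERM.match(term.lstrip("+-~?"))  # strip qualifier, e.g. "-all"
        if not m:
            continue
        mech, target = m.group(1), m.group(2)
        total += 1
        if mech in ("include", "redirect") and target:
            total += count_lookups(target, txt, path + (domain,))  # nested records count too
    return total


def spf_status(domain, txt=FAKE_TXT):
    """('permerror', n) when the record needs more than MAX_LOOKUPS queries, else ('ok', n)."""
    n = count_lookups(domain, txt)
    return ("permerror", n) if n > MAX_LOOKUPS else ("ok", n)


if __name__ == "__main__":
    for d in ("redacted.com", "fixed.example"):
        print(d, *spf_status(d))
```

Flattening nested includes into ip4/ip6 ranges, as fixed.example does, is the usual way to bring the count back under the limit so the policy is enforced again.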

Exploiting

After I found out what the vulnerability was, I jumped on https://emkei.cz, an anonymous mailer tool. I crafted an email there, filled it with some nice HTML for the PoC, set redacted.com as the sender and my own address as the victim, and as soon as I hit the send button, the message popped up in my inbox.

Jackpot!! I was able to send an email with the sender set to their company domain.

After that I reported it to their security team ASAP, and they are now working on a fix.

Impact

If the SPF record is missing or invalid, an attacker can spoof email with any fake mailer like https://emkei.cz. An attacker could send an email with the display name “Company Name” and the address “security@redacted.com”, and combined with social engineering, that can lead to user account takeover. In some cases the victim knows about phishing attacks, but when the email appears to come from the legitimate domain, the victim is far more likely to be tricked.

Conclusion

Always make sure a valid SPF record is attached to your domain, or else irresponsible people will use this weakness for their own purposes.

That’s for now my fellow partners, see you in the next bug bounty write-ups.

Cheers…!!!
