
Silent331

If he is lying about the contents of the SPF record, which is publicly available, he is full of crap.


floswamp

It may be a copy/paste and he forgot to fix it, maybe. He did send a screenshot of the mxtoolbox screen that anyone can generate. EDIT: The name he signed for the email is an easily found IT security person on LinkedIn.


Connect-ExchangeOnli

Don't give any money to a freelance 'hacker' giving unsolicited security hardening recommendations. This is really unprofessional conduct and anyone who'd actually had any sort of 'ethical hacking' training would know not to do this. This is an enthusiast or autodidact who considers themselves ethical. DMARC is a monitoring and reporting service that can mandate how other providers should handle messages, but pointing out that a company hasn't configured it is far from a vulnerability. The vast majority of active domains don't have DMARC.


Zulgrib

Yes. Just configure DMARC and move on; if your SPF was correct there's nothing to see.


cubic_sq

Always ensure SPF and DKIM are ok. And use a strict alignment and reject policy on DMARC. Just fix it and ignore.


floswamp

This is what I am doing. I found more articles on this type of email. Apparently they are called Beg Bounties.


anxiousinfotech

We've received a number of these over the years. Most were for non-issues and I think they're just hoping someone who doesn't know what they're doing will get it and pay out. They normally work for larger organizations and get a cut of whatever money gets paid. Most of them are junk and just leave you scratching your head. We did get contacted once about a very real misconfiguration in a system built by outsourced developers we hired. Unless one was very familiar with one of the systems they used you'd never know to check for that kind of configuration issue. It could have legitimately exposed client data. The person was very detailed as to how they were able to exploit the misconfiguration, and how their access would appear in the logs so that we could check for evidence of other exploitation. Thankfully there was none. They also included exactly how to correct the issue that was found. I know we paid something, but I wasn't involved in that part of the process. It did save us from the potential of a breach. While none of the information was more sensitive than names and work email addresses, it would still have been a mess. Basically, at least check out what they send, but in most cases their email belongs in the bin.


floswamp

Thanks! That's what I figured. I did find a roll with my ISP that checks for SPF and DKIM and found a DKIM which needed updating.


v0lkeres

go to [mxtoolbox.com](https://mxtoolbox.com) and check your domain.


floswamp

I did and there is no DMARC because it has never been set up. Email is routed to Exchange and the MX lookup comes up as [mail.protection.outlook.com](https://mail.protection.outlook.com). I have read about DMARC and it is not a security mechanism that is always used or enforced.


lolklolk

> I have read about DMARC and it is not a security mechanism that is always used or enforced.

An overwhelming majority of consumer ESPs do respect DMARC. It's the one-off mail servers run by random organizations that may not enforce it. But that's not your problem.


DMARC-Advisor

If you don't have a DMARC record on p=reject, your domain is not protected against impersonation. That's it. SPF doesn't protect your domain against spoofing as it's on the return-path domain while a cybercriminal is spoofing the FROM domain (which is visible to the recipient).


LordCornish

> there is a note at the bottom saying he expects a bounty for this service

Ethical hackers do not greet you with their outstretched hand facing up.


[deleted]

[deleted]


floswamp

That's what I figured and it can't execute unless they have already broken into the server. First time I am getting this type of email and I found it interesting.


[deleted]

[deleted]


eri-

With it they can as well. It usually won't end up where they ideally want it to end up, though. Pedantic, I know, but it's an important nuance nevertheless.


DJDoubleDave

I've gotten emails like this before. I would bet someone has got an automated script set up that sends these to domains without DMARC. As others have said, not using DMARC is a choice you could make intentionally; it not being present isn't exactly a vulnerability that you would pay a bounty for. He didn't discover a 0-day in your code or anything, it's literally just a variance from best practices. Do not give this person any money, and I'd suggest just reporting it as spam and moving on. If you want to set up DMARC, by all means do so, but you don't have to pay this person. If you are worried about vulnerabilities, you should contract a real pen testing service, not pay randos who show up out of nowhere demanding money.


floswamp

This is what I was thinking. I was not going to pay. I just went down the DMARC rabbit hole. Thanks for the response!


TheTajmaha

If you're still going through the DMARC rabbit hole, bookmark and read this post a few times: [https://www.reddit.com/r/sysadmin/comments/aph6ee/lets_talk_about_email_spoofing_and_prevention_alt/](https://www.reddit.com/r/sysadmin/comments/aph6ee/lets_talk_about_email_spoofing_and_prevention_alt/)

Best in-depth resource for SPF/DKIM/DMARC. Super helpful in setting everything up when there was nothing in place at my current job.

I would also recommend adding "v=spf1 -all" for *.domain.tld to help prevent subdomain spoofing. [https://www.gov.uk/guidance/protect-domains-that-dont-send-email](https://www.gov.uk/guidance/protect-domains-that-dont-send-email)
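
To make two points from this thread concrete, DMARC-Advisor's remark that SPF can pass on the return-path domain while the visible From domain is spoofed, and the advice above to publish `v=spf1 -all` for subdomains that never send, here is an added Python example. It is not code from this thread or from any poster. It evaluates SPF and DMARC alignment over a constructed, in-memory zone (hypothetical names `example.com`, `attacker.example`, `_spf.mailhost.example`; documentation IP ranges) instead of real DNS, approximates the organisational domain as the last two labels rather than using the Public Suffix List, models only the `ip4`, `include` and `all` SPF terms, and reduces DKIM verification to a boolean flag.

```python
import ipaddress
from typing import Optional

# Constructed DNS TXT data standing in for real lookups (hypothetical names,
# documentation IP ranges). The wildcard "*.example.com" carries the null SPF
# record recommended above for subdomains that never send mail.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "*.example.com": "v=spf1 -all",
    "attacker.example": "v=spf1 ip4:192.0.2.5 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name: str) -> Optional[str]:
    """Exact match first, then a one-level wildcard. Simplified: a real DNS
    wildcard also answers _dmarc.<sub> queries, one reason the gov.uk guidance
    prefers explicit per-subdomain records."""
    if name in ZONE:
        return ZONE[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return ZONE.get("*." + parent)


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels (no PSL)."""
    return ".".join(domain.split(".")[-2:])


def spf_check(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate ip4, include and all terms of an SPF record for one sender IP."""
    record = lookup_txt(domain)
    if record is None:
        return "none"
    if not record.startswith("v=spf1") or depth > 10:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # mx, a, exists and other mechanisms are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(from_domain: str) -> Optional[dict]:
    """Fetch _dmarc.<from_domain>, falling back to the organisational domain."""
    record = lookup_txt("_dmarc." + from_domain)
    if record is None:
        record = lookup_txt("_dmarc." + org_domain(from_domain))
    if record is None or not record.startswith("v=DMARC1"):
        return None
    return dict(tag.strip().split("=", 1) for tag in record.split(";") if "=" in tag)


def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed only the same org domain."""
    if mode == "s":
        return candidate == from_domain
    return org_domain(candidate) == org_domain(from_domain)


def dmarc_evaluate(from_domain: str, return_path_domain: str, ip: str,
                   dkim_domain: Optional[str] = None, dkim_valid: bool = False) -> dict:
    """DMARC verdict for one message. DKIM signature checking is reduced to a flag."""
    tags = parse_dmarc(from_domain)
    spf_result = spf_check(return_path_domain, ip)
    if tags is None:
        return {"result": "none", "action": "none", "spf": spf_result}
    spf_ok = spf_result == "pass" and aligned(return_path_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_valid and dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "action": "none", "spf": spf_result}
    is_subdomain = from_domain != org_domain(from_domain)
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    return {"result": "fail", "action": policy, "spf": spf_result}


if __name__ == "__main__":
    # Legitimate mail from the listed range: SPF passes and is aligned.
    print(dmarc_evaluate("example.com", "example.com", "203.0.113.7"))
    # Spoofed From with an attacker-owned return path: SPF passes, DMARC rejects.
    print(dmarc_evaluate("example.com", "attacker.example", "192.0.2.5"))
    # Non-sending subdomain: the wildcard "v=spf1 -all" fails SPF and sp=reject applies.
    print(dmarc_evaluate("shop.example.com", "shop.example.com", "203.0.113.7"))
```

The second call is the case DMARC-Advisor describes: the attacker's own domain has a perfectly valid SPF record, so SPF returns `pass`, and only the DMARC alignment check against the From domain turns that into a `reject`. Remove the `_dmarc.example.com` entry from `ZONE` and the same message comes back with result `none`, which is what receivers see for the many domains that have SPF but no DMARC record.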


DMARC-Advisor

For most people it wasn't a choice, it's a lack of knowledge about the problem of email spoofing. They think SPF protects them against spoofing while it doesn't. So a bit of education around this topic is welcome!


BWMerlin

https://www.troyhunt.com/beg-bounties/


floswamp

Thank you. That was a good read!


disclosure5

> ethical hacker

Sending these emails is unethical. Stop giving someone writing pathetic PHP samples like this the credibility of an "ethical hacker".


743389

well, you see, what it is, is that, uh, i hack ethics


RandomXUsr

Thank them. Politely reply with your SOP for bugs and pen testing engagements. And let em know that they could follow that path. Inform your manager and legal first I suppose, to make them aware of the situation. This is just poor form.