SPF Protection not used, I can hijack your email server
Gratipay
Reported by
lovepakistan
Vulnerability Details
Technical details and impact analysis
Description
Companies like Twitter, Facebook and even HackerOne implemented a strict email security policy (combining SPF, DKIM, and DMARC), but I don't see that from Gratipay. You should apply a strict SMTP policy to stop spoofed email being sent from your domain. POC is attached.
Exploit scenario:
An attacker would send a fake email from [email protected] saying "Please change your password". The victim is aware of phishing attacks, but when he sees that the mail originated from [email protected], he has no other way than to believe it. Clicking on the link takes him to a website where certain JavaScript is executed which steals his gratipay.com id and password (SESSION COOKIE). The results can be more dangerous.
Code to Exploit:
<?php
// Reporter's proof of concept: PHP's mail() hands the message to the local MTA
// with whatever From: header the script supplies, which is exactly the forged
// sender that a ~all (softfail) SPF record does not tell receivers to reject.
$to = "[email protected]";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: [email protected]";
mail($to, $subject, $txt, $headers);
?>
You should apply the fix (see the fix below) to prevent misunderstanding and to protect your users.
FIX
Replace ~all with -all to prevent fake email.
POC IS ATTACHED HERE
Read why I am telling you to replace ~ with -: http://www.howtoforge.com/forums/archive/index.php/t-9007.html
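As an added example (not part of the report, and not Gratipay's code), a small Python checker that parses a domain's SPF TXT record and flags the softfail qualifier the FIX section is about; the domain names and TXT records below are constructed samples, not real DNS data.

```python
import re

# Constructed sample TXT records (not real DNS data) covering the cases a
# defender meets: softfail (~all), hardfail (-all), neutral (?all), no SPF.
SAMPLE_TXT = {
    "softfail.example": ["v=spf1 include:_spf.google.com ~all"],
    "hardfail.example": ["v=spf1 include:_spf.google.com -all"],
    "neutral.example": ["v=spf1 a mx ?all"],
    "nospf.example": ["google-site-verification=abc123"],
}

# Meaning of the qualifier in front of the final "all" mechanism (RFC 7208).
QUALIFIER_MEANING = {
    "-": "fail",      # unlisted senders should be rejected
    "~": "softfail",  # unlisted senders are accepted but marked
    "?": "neutral",   # no assertion about unlisted senders
    "+": "pass",      # every sender is explicitly allowed
}

def spf_record(txt_records):
    """Return the domain's SPF record, or None if it has zero or several
    (several is a permerror under RFC 7208, so it is treated as unusable)."""
    found = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return found[0] if len(found) == 1 else None

def all_qualifier(record):
    """Return the qualifier of the 'all' mechanism ('-', '~', '?', '+'),
    or None when the record never reaches an 'all' term."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' defaults to '+'
    return None

def assess(domain, txt_records):
    """Classify the record and say what change, if any, the report asks for."""
    record = spf_record(txt_records)
    if record is None:
        return (domain, "no-spf", "publish an SPF record ending in -all")
    q = all_qualifier(record)
    if q is None:
        return (domain, "no-all", "append -all so unlisted senders fail")
    advice = "ok" if q == "-" else f"replace {q}all with -all"
    return (domain, QUALIFIER_MEANING[q], advice)

if __name__ == "__main__":
    for name, txts in SAMPLE_TXT.items():
        print(assess(name, txts))
```

A -all record only matters to receivers that evaluate SPF and act on a fail; the DMARC policy the report mentions alongside SPF is what tells receivers to enforce it.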
Report Details
Additional information and metadata
State
Closed
Substate
Informative
Submitted
Weakness
Cryptographic Issues - Generic