<div dir="ltr">Hi,<br><br>I'm an independent cybersecurity researcher and I have found multiple issues on your website.<br><br>Vulnerability: Missing SPF<br><br><br>I was just looking at your SPF records and found the following. The SPF records are missing safe checks, which can allow me to send mail and easily phish any victim.<br><br>PoC:<br><br>&lt;?php<br><br>$to = "<a href="mailto:VICTIM@example.com">VICTIM@example.com</a>";<br><br>$subject = "Password Change";<br><br>$txt = "Change your password by visiting here - [VIRUS LINK HERE]";<br><br>$headers = "From: <a href="https://www.alidropstore.com/">https://www.alidropstore.com/</a>";<br><br>mail($to,$subject,$txt,$headers);<br><br>?&gt;<br><br>paste your result here<br>SPF record lookup and validation for: <a href="http://ourproject.org">ourproject.org</a><br><br>SPF records are published in DNS as TXT records.<br><br>The TXT records found for your domain are:<br>v=spf1 mx ip4:<a href="http://168.119.136.67/32">168.119.136.67/32</a> ip4:<a href="http://159.69.75.86/32">159.69.75.86/32</a> ip4:<a href="http://159.69.75.87/32">159.69.75.87/32</a> ip4:<a href="http://168.119.136.88/32">168.119.136.88/32</a> ip4:<a href="http://168.119.136.79/32">168.119.136.79/32</a> ip4:<a href="http://80.81.122.32/27">80.81.122.32/27</a> a:<a href="http://snowden.comunes.org">snowden.comunes.org</a> a:<a href="http://snowden-02.comunes.org">snowden-02.comunes.org</a> a:<a href="http://howard.comunes.org">howard.comunes.org</a> a:<a href="http://ada.comunes.org">ada.comunes.org</a> a:<a href="http://stallman.comunes.org">stallman.comunes.org</a> a:<a href="http://rms.comunes.org">rms.comunes.org</a> a:<a href="http://selver.comunes.org">selver.comunes.org</a> a:<a href="http://ci.comunes.org">ci.comunes.org</a> a:<a href="http://mailhost.ourproject.org">mailhost.ourproject.org</a> ~all<br>google-site-verification=5X82i4YusPOi9SFgcLejX0p5zr-RVkAeMjIcKD6-11E<br>keybase-site-verification=6IadbJzgiOL0KIQiLqw_1e9vPEVXhXiOE1PrikgmhgY<br><br>Checking to 
see if there is a valid SPF record.<br><br>DNS: Truncated UDP Reply, SPF records should fit in a UDP packet, retrying TCP<br><br>Found v=spf1 record for <a href="http://ourproject.org">ourproject.org</a>:<br>v=spf1 mx ip4:<a href="http://168.119.136.67/32">168.119.136.67/32</a> ip4:<a href="http://159.69.75.86/32">159.69.75.86/32</a> ip4:<a href="http://159.69.75.87/32">159.69.75.87/32</a> ip4:<a href="http://168.119.136.88/32">168.119.136.88/32</a> ip4:<a href="http://168.119.136.79/32">168.119.136.79/32</a> ip4:<a href="http://80.81.122.32/27">80.81.122.32/27</a> a:<a href="http://snowden.comunes.org">snowden.comunes.org</a> a:<a href="http://snowden-02.comunes.org">snowden-02.comunes.org</a> a:<a href="http://howard.comunes.org">howard.comunes.org</a> a:<a href="http://ada.comunes.org">ada.comunes.org</a> a:<a href="http://stallman.comunes.org">stallman.comunes.org</a> a:<a href="http://rms.comunes.org">rms.comunes.org</a> a:<a href="http://selver.comunes.org">selver.comunes.org</a> a:<a href="http://ci.comunes.org">ci.comunes.org</a> a:<a href="http://mailhost.ourproject.org">mailhost.ourproject.org</a> ~all<br><br>evaluating...<br>SPF record passed validation test with pySPF (Python SPF library)!<br><br>Fix:<br>paste your result here<br>SPF record lookup and validation for: <a href="http://ourproject.org">ourproject.org</a><br><br>SPF records are published in DNS as TXT records.<br><br>The TXT records found for your domain are:<br>v=spf1 mx ip4:<a href="http://168.119.136.67/32">168.119.136.67/32</a> ip4:<a href="http://159.69.75.86/32">159.69.75.86/32</a> ip4:<a href="http://159.69.75.87/32">159.69.75.87/32</a> ip4:<a href="http://168.119.136.88/32">168.119.136.88/32</a> ip4:<a href="http://168.119.136.79/32">168.119.136.79/32</a> ip4:<a href="http://80.81.122.32/27">80.81.122.32/27</a> a:<a href="http://snowden.comunes.org">snowden.comunes.org</a> a:<a href="http://snowden-02.comunes.org">snowden-02.comunes.org</a> a:<a 
href="http://howard.comunes.org">howard.comunes.org</a> a:<a href="http://ada.comunes.org">ada.comunes.org</a> a:<a href="http://stallman.comunes.org">stallman.comunes.org</a> a:<a href="http://rms.comunes.org">rms.comunes.org</a> a:<a href="http://selver.comunes.org">selver.comunes.org</a> a:<a href="http://ci.comunes.org">ci.comunes.org</a> a:<a href="http://mailhost.ourproject.org">mailhost.ourproject.org</a> -all<br>google-site-verification=5X82i4YusPOi9SFgcLejX0p5zr-RVkAeMjIcKD6-11E<br>keybase-site-verification=6IadbJzgiOL0KIQiLqw_1e9vPEVXhXiOE1PrikgmhgY<br><br>Checking to see if there is a valid SPF record.<br><br>DNS: Truncated UDP Reply, SPF records should fit in a UDP packet, retrying TCP<br><br>Found v=spf1 record for <a href="http://ourproject.org">ourproject.org</a>:<br>v=spf1 mx ip4:<a href="http://168.119.136.67/32">168.119.136.67/32</a> ip4:<a href="http://159.69.75.86/32">159.69.75.86/32</a> ip4:<a href="http://159.69.75.87/32">159.69.75.87/32</a> ip4:<a href="http://168.119.136.88/32">168.119.136.88/32</a> ip4:<a href="http://168.119.136.79/32">168.119.136.79/32</a> ip4:<a href="http://80.81.122.32/27">80.81.122.32/27</a> a:<a href="http://snowden.comunes.org">snowden.comunes.org</a> a:<a href="http://snowden-02.comunes.org">snowden-02.comunes.org</a> a:<a href="http://howard.comunes.org">howard.comunes.org</a> a:<a href="http://ada.comunes.org">ada.comunes.org</a> a:<a href="http://stallman.comunes.org">stallman.comunes.org</a> a:<a href="http://rms.comunes.org">rms.comunes.org</a> a:<a href="http://selver.comunes.org">selver.comunes.org</a> a:<a href="http://ci.comunes.org">ci.comunes.org</a> a:<a href="http://mailhost.ourproject.org">mailhost.ourproject.org</a> -all<br><br>evaluating...<br>SPF record passed validation test with pySPF (Python SPF library)!<br>  <br>You can refer to this <a 
href="https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability">https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability</a><br><br>Let me know if any further info is required.  <br>Regards.  <br>Found more bugs on your website; reply to me so that I may disclose them further, and tell me the payout for these responsible vulnerability disclosures.<br></div><div id="DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><br>
</div>
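Added example (not part of the original message, and not pySPF's code): an offline audit of the SPF record quoted in the report, showing what the `~all` to `-all` change alters and how the record sits against the limit of 10 DNS-querying terms in RFC 7208 section 4.6.4. The function name `audit_spf` and the finding strings are illustrative assumptions; the record text is copied from the lookup output above and nothing is resolved over DNS.

```python
import re

# SPF record for ourproject.org, copied from the lookup output in the report.
SOFT = (
    "v=spf1 mx ip4:168.119.136.67/32 ip4:159.69.75.86/32 ip4:159.69.75.87/32 "
    "ip4:168.119.136.88/32 ip4:168.119.136.79/32 ip4:80.81.122.32/27 "
    "a:snowden.comunes.org a:snowden-02.comunes.org a:howard.comunes.org "
    "a:ada.comunes.org a:stallman.comunes.org a:rms.comunes.org "
    "a:selver.comunes.org a:ci.comunes.org a:mailhost.ourproject.org ~all"
)
STRICT = SOFT[:-4] + "-all"  # the variant shown under "Fix:"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# RFC 7208 section 4.6.4: terms that trigger DNS queries, capped at 10 per check.
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def audit_spf(record):
    """Return the default result, DNS-term count, length and findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    default, lookups, findings = None, 0, []
    for term in terms[1:]:
        qualifier = "+"  # implicit qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # The mechanism or modifier name ends at ':', '/' or '='.
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in DNS_TERMS:
            lookups += 1
        if name == "all" and default is None:
            default = QUALIFIERS[qualifier]
    if default is None:
        default = "neutral"  # no "all" term (redirect is not followed here)
    if default != "fail":
        findings.append(f"unlisted senders get '{default}', not 'fail'")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: permerror (limit 10)")
    elif lookups == 10:
        findings.append("10 DNS-querying terms: at the limit, no headroom")
    if len(record) > 255:
        findings.append("over 255 bytes: TXT must be split into strings")
    return {"default": default, "lookups": lookups,
            "length": len(record), "findings": findings}


if __name__ == "__main__":
    for label, rec in (("~all", SOFT), ("-all", STRICT)):
        print(label, audit_spf(rec))
```

Both variants count `mx` plus nine `a:` terms, so the record already uses all 10 permitted DNS-querying terms; an evaluation that had to process an eleventh would return permerror whichever `all` qualifier is published.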