There’s spam going around where a “security researcher” will try to claim a security bounty because you don’t have a reject DMARC record, per below:
Greetings Team,
I hope this finds you well!
I am a professional freelance security researcher. I have taken the liberty of performing a cursory audit of your website’s public security configuration (the public-facing information for domain.com and associated services), and have discovered a vulnerability that I believe you would appreciate being made aware of.
In the spirit of responsible disclosure, I have included a report for one of the issues below, detailing the exact nature of the vulnerability, and would greatly appreciate consideration for a bounty reward from your department if such is available. If I do not receive a response I may attempt to contact you again once or twice in an effort to ensure my message has reached you.
DESCRIPTION:
The issue I’m going to discuss here is Domain Impersonation (Email Spoofing). To demonstrate the authenticity of the issue I just sent a forged email to [email protected] that appears to originate from [email protected]. I was able to do this because of the following:
DMARC record lookup and validation for domain.com
“No DMARC Record found”
And / Or “DMARC Quarantine/Reject policy not enabled”
Recommended Fix:
· Publish DMARC Record. (If not already published)
· Enable DMARC Quarantine/Reject policy
· Your DMARC record should look like
“v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:[email protected]”
This can be done using any PHP mailer tool like this,
<?php
$to = "[email protected]";
$subject = "Password Change";
$txt = "Change your password by visiting here – [VIRUS LINK HERE]";
// Forged From: header; without a DMARC quarantine/reject policy the receiver has no instruction to discard it
$headers = "From: info@domain.com";
mail($to, $subject, $txt, $headers);
?>
Impact:
These attacks may be used to launch phishing attacks so as to get information from users. In addition, these may be used to spam users with emails. Spoofed emails are also used to carry infections like Trojans to do harm to victim systems. You can check your DMARC record at: “https://mxtoolbox.com”. If you need any reference link to support this reported vulnerability, let us know and I will share it with you.
In the end, kindly keep me informed if you require me to send a forged email just when you relieve any doubts.
In addition to this, let me tell you that this is not a scam, and please don’t narrate this with phishing tactics. I am here suggesting certain changes that will save you from numerous forgeries.
Conclusion: Wishing to receive a bounty for this responsible disclosure as a reward and I would like to serve you further reports in the near future if only you also wish the same.
Many thanks!
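As an added example (not part of the post or the spam’s own code), here is a small Python check that evaluates a DMARC TXT record the same way the spam’s two verdicts do, and also flags a gap the spam’s own suggested record has: sp=none leaves subdomains outside the reject policy. The record strings and the example.com addresses are constructed; a real check would pass in the TXT record fetched from _dmarc.<your-domain>.

```python
"""Assess a DMARC TXT record: is an enforcing policy actually in place?

Added example, runs offline on constructed record strings. In practice you
would fetch the TXT record at _dmarc.<domain> (e.g. with dnspython) and pass it in.
"""


def parse_dmarc(txt):
    """Return the record's tag=value pairs as a dict, or None if it is not a DMARC record."""
    if txt is None:
        return None
    txt = txt.strip()
    # RFC 7489: the record must start with v=DMARC1, otherwise receivers ignore it.
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return a list of findings; an empty list means an enforcing policy is published."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["No DMARC record found"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC Quarantine/Reject policy not enabled (p=%s)" % (policy or "missing"))
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s: policy applies only to a sample of failing mail" % pct)
    # sp= governs subdomains and defaults to p when absent, so an explicit sp=none
    # leaves subdomains unprotected even when p=reject (as in the spam's suggested record).
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are not covered by the enforcing policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


if __name__ == "__main__":
    # Constructed records, including the one the spam recommends (with its sp=none gap).
    for record in (None, "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:dmarc@example.com"):
        print(repr(record), "->", assess_dmarc(record) or ["OK"])
```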