Added check for spoofable SPF records

2020-11-11 22:27:34 +01:00 · 2020-11-11 22:27:34 +01:00 · 4f4797ceb4
parent cdfb537623
commit 4f4797ceb4
1 changed files with 25 additions and 0 deletions
--- a/dns/spoofable-spf-records-ptr.yaml
+++ b/dns/spoofable-spf-records-ptr.yaml
@ -0,0 +1,25 @@
+id: spoofable-spf-records-ptr
+
+info:
+  name: Find spoofable SPF records containing the PTR mechanism
+  author: binaryfigments
+  severity: info
+  description: Check if TXT records in DNS for SPF records that have the PTR mechanism that is spoofable.
+
+  # The PTR mechanism in an SPF records is spoofable. A bad actor can create a VPS with a mailserver and 
+  # give it any PTR record that it wants an most VPS providers.
+
+dns:
+  - name: "{{FQDN}}"
+    type: TXT
+    class: inet
+    recursion: true
+    retries: 3
+    matchers:
+      - type: word
+        words:
+          # Must contain SPF record
+          - "v=spf1"
+          # and must contain PTR option
+          - " ptr "
+        condition: and