by throwaway2346mg 1067 days ago
> Is that not identical to "if a company runs an SMTP server, you send a spoofed email, and they don't do any validation then phishing is trivial"?

Yes. Except in this case, the company is paying Mailgun to process inbound mail and attach SPF/DKIM/DMARC headers, which they don't do. And this is counter to their own API spec.

If you are running your own SMTP server, then you wouldn't be relying on headers from Mailgun.

Essentially, though, you are right: using Mailgun is akin to having an SMTP server without any spam protection in place, and with limited ability to put that spam protection in place. You are better off running the server yourself.

The point here is that Mailgun customers won't be aware of this, and as such, it's a vulnerability.
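A customer-side check that makes the gap described above visible, as an added example (it is not Mailgun's code or API, and not from the thread). It treats an inbound message as unauthenticated unless an Authentication-Results header (RFC 8601) carrying the paying customer's relay's own authserv-id reports SPF, DKIM and DMARC as passing; a message with no such header, as the comment says Mailgun delivers, comes back as "missing" on every method. The authserv-id `mx.example.net` and the sample messages are constructed for the example.

```python
"""Treat inbound mail as unauthenticated unless a trusted relay's
Authentication-Results header (RFC 8601) reports spf, dkim and dmarc = pass.
Added example; not Mailgun's code or API."""
import email
import re
from email import policy

# Hypothetical authserv-id of the relay we pay to authenticate inbound mail.
TRUSTED_AUTHSERV_ID = "mx.example.net"

METHODS = ("spf", "dkim", "dmarc")
# One "method=result" clause, e.g. "dkim=pass header.d=example.org".
_RESULT_RE = re.compile(r"([a-z0-9-]+)\s*=\s*([a-z0-9]+)", re.IGNORECASE)


def parse_authentication_results(value):
    """Split an Authentication-Results value into (authserv_id, {method: [results]})."""
    parts = [p.strip() for p in value.split(";")]
    # First clause is the authserv-id, optionally followed by a version number.
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = {}
    for part in parts[1:]:
        if not part or part.lower() == "none":
            continue
        m = _RESULT_RE.match(part)
        if m:
            results.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return authserv_id, results


def inbound_verdict(raw_message, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ..., 'authenticated': bool}.

    A method is 'missing' when no header from the trusted relay reports it,
    which is exactly the case of a relay that adds no such headers at all."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    verdict = {m: "missing" for m in METHODS}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(str(header))
        if authserv_id != trusted_authserv_id.lower():
            continue  # not from our relay: the sender can write this header too
        for m in METHODS:
            if m in results and verdict[m] == "missing":
                # Several DKIM signatures may be reported; any pass counts.
                verdict[m] = "pass" if "pass" in results[m] else results[m][0]
    verdict["authenticated"] = all(verdict[m] == "pass" for m in METHODS)
    return verdict


# Constructed sample messages (not real traffic).
MSG_UNLABELLED = """From: ceo@example.org
To: staff@example.org
Subject: urgent wire transfer

Please pay the attached invoice today.
"""

# Attacker supplies their own header; the authserv-id does not match ours.
MSG_SPOOFED_HEADER = """Authentication-Results: relay.attacker.example; spf=pass smtp.mailfrom=example.org
From: ceo@example.org
To: staff@example.org
Subject: urgent wire transfer

Please pay the attached invoice today.
"""

MSG_GOOD = """Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=example.org;
  dkim=pass header.d=example.org;
  dmarc=pass (p=reject) header.from=example.org
From: ceo@example.org
To: staff@example.org
Subject: quarterly numbers

Attached.
"""

MSG_SPF_FAIL = """Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.org; dkim=none; dmarc=fail (p=reject) header.from=example.org
From: ceo@example.org
To: staff@example.org
Subject: urgent wire transfer

Please pay the attached invoice today.
"""

if __name__ == "__main__":
    for name, raw in [("no header", MSG_UNLABELLED), ("spoofed", MSG_SPOOFED_HEADER),
                      ("good", MSG_GOOD), ("spf fail", MSG_SPF_FAIL)]:
        print(name, inbound_verdict(raw))
```

The authserv-id comparison is only as strong as the relay's handling of pre-existing headers: RFC 8601 requires the MTA that performs authentication to strip any incoming Authentication-Results header that already claims its authserv-id. If the relay neither performs the checks nor strips such headers, a sender can simply write one with the trusted identifier, and the customer has nothing to verify against short of checking SPF, DKIM and DMARC themselves.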