
CF Abuse no longer possible as of today (14 Aug 23)?

Open P4l1ndr0m opened this issue 1 year ago • 2 comments

Hello byt3bl33d3r. What awesome research and a great presentation! Thank you for sharing.

Just a quick question: is this technique still viable today using CF Workers? Asking because the doc for the Domain Lockdown Record now states: "Note that participation in Domain Lockdown is now mandatory for Cloudflare Workers users."

This would imply that only authorized Cloudflare accounts would be able to abuse the technique you documented? Is that a valid assumption? Thank you in advance, and looking forward to more amazing research from you.

P4l1ndr0m, Aug 13 '23 16:08

It does indeed look like they silently made it mandatory to have the Domain Lockdown record now, so spoofing emails through CF Workers is no longer possible. However, you can still spoof emails by just signing up to MailChannels through their website ($80) and using their normal SMTP relay.

Will update the README accordingly.

byt3bl33d3r, Aug 13 '23 18:08

Could you provide an example of how it is possible to spoof emails through their "normal" SMTP relay? As far as I understand, the Domain Lockdown prevents it in any form, since as a domain owner I would insert a TXT record with my own authid which you (as a 'spoofer') do not have access to.

dvnscr, Jul 09 '24 11:07
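
For domain owners who want to audit what the last comment describes, here is an added example (not part of the thread or of the SpamChannel project) that classifies a sending identity against the TXT strings published for a domain. It assumes the record is published at `_mailchannels.<domain>` in the form `v=mc1 auth=<account-id> cfid=<worker-host>`, which is not shown in this thread; the function names and sample records are constructed for illustration.

```python
# Added example: evaluate Domain Lockdown TXT data for a sending identity.
# Assumption (not from the thread): records live at _mailchannels.<domain>
# and look like "v=mc1 auth=<account-id> cfid=<worker-host>".

def parse_lockdown(txt):
    """Parse one TXT string; return tag sets, or None if it is not a v=mc1 record."""
    tokens = txt.strip().strip('"').split()
    if not tokens or tokens[0].lower() != "v=mc1":
        return None
    rec = {"auth": set(), "cfid": set()}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        key = key.lower()
        if not (sep and value):
            continue  # malformed tag such as "auth=" or a bare word
        if key == "auth":
            rec["auth"].add(value)          # account IDs compared exactly
        elif key == "cfid":
            rec["cfid"].add(value.lower())  # hostnames are case-insensitive
    return rec

def check_sender(txt_records, auth=None, cfid=None):
    """Classify a sender against all TXT strings returned for the lockdown name."""
    parsed = [r for r in map(parse_lockdown, txt_records) if r is not None]
    if not parsed:
        # The thread does not settle what the relay does in this case.
        return "no_lockdown_record"
    for rec in parsed:
        if auth is not None and auth in rec["auth"]:
            return "authorized"
        if cfid is not None and cfid.lower() in rec["cfid"]:
            return "authorized"
    # A lockdown record exists but does not name this sender
    # (a bare "v=mc1" names nobody).
    return "not_listed"

# Constructed sample data: one lockdown record plus an unrelated TXT string.
RECORDS = ['"v=mc1 auth=ownerco cfid=owner-app.workers.dev"',
           "some-site-verification=abc123"]

if __name__ == "__main__":
    for ident in ({"auth": "ownerco"}, {"auth": "other-acct"},
                  {"cfid": "Owner-App.workers.dev"}):
        print(ident, "->", check_sender(RECORDS, **ident))
```

Feed it the strings your resolver returns for the lockdown name; `no_lockdown_record` is the result to alert on for any domain you expect to be covered.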