Security Advisory — www.maiwp.gov.my

Penemuan Terperinci / Detailed Findings

Setiap penemuan disusun mengikut keterukan. Setiap kad memberikan: maksud praktikal dalam BM & EN, bukti yang dilihat, dan langkah pembaikan yang konkrit.

High · Tinggi 1 penemuan / findings

High

DMARC policy applies to only 10% of failing mail

Polisi DMARC hanya dikuatkuasakan ke atas 10% e-mel palsu

DMARC_PCT_LOW · email_auth

What this means

pct=10 means the published p=quarantine policy is only enforced on 10% of failing messages — the other 90% pass through as if there was no policy. This is typically a *staged-rollout* value; if it has been at 10 for more than a few weeks, the rollout is stalled.

Bagaimana memperbaiki

Setelah laporan aggregate menunjukkan tiada e-mel sah yang gagal, naikkan pct ke 100.

Apa maksudnya

pct=10 bermakna polisi p=quarantine hanya dikuatkuasakan ke atas 10% e-mel yang gagal pengesahan — baki 90% lulus seolah-olah tiada polisi. Nilai ini biasanya untuk pelancaran berperingkat; jika telah berada pada 10 lebih daripada beberapa minggu, pelancaran tersangkut.

How to fix

Once aggregate reports show no legitimate mail failing, raise pct to 100.

v=DMARC1; p=quarantine; sp=quarantine; pct=10; rua=mailto:rua.agensi@mygovuc.gov.my; ruf=mailto:ruf.agensi@mygovuc.gov.my; adkim=r; aspf=r; ri=86400

Medium · Sederhana 5 penemuan / findings

Medium

SPF policy ends with ~all (softfail)

Polisi SPF berakhir dengan ~all (softfail)

SPF_SOFTFAIL · email_auth

What this means

Softfail tells receivers to *accept but mark* spoofed mail. Most servers still deliver it.

Bagaimana memperbaiki

Tukar ~all kepada -all setelah anda pasti senarai SPF lengkap.

Apa maksudnya

Softfail meminta pelayan penerima *terima tetapi tandakan* e-mel palsu. Kebanyakan pelayan masih sampaikan ke peti masuk.

How to fix

Change ~all to -all once you are confident the SPF list is complete.

v=spf1 ip4:103.8.147.12/30 ip4:219.92.54.177/32 ip4:103.156.82.32/29 ip4:103.156.83.32/29 ip4:103.245.89.4 ip4:103.245.89.5 ip4:150.242.180.0/24 ip4:103.8.147.12/30 ip4:219.92.54.177/32 ip4:103.156.82.32/29 ip4:103.156.83.32/29 include:_spf.google.com ~all

Medium

DMARC policy is p=quarantine (not p=reject)

Polisi DMARC adalah p=quarantine (bukan p=reject)

DMARC_POLICY_QUARANTINE · email_auth

What this means

Quarantine sends spoofed mail to spam — better than none, but rejecting is stronger and what most government domains have moved to.

Bagaimana memperbaiki

Naikkan ke p=reject setelah yakin.

Apa maksudnya

Quarantine menghantar e-mel palsu ke spam — lebih baik daripada tiada, tetapi p=reject adalah lebih kukuh dan menjadi pilihan kebanyakan domain kerajaan.

How to fix

Raise to p=reject once confident.

v=DMARC1; p=quarantine; sp=quarantine; pct=10; rua=mailto:rua.agensi@mygovuc.gov.my; ruf=mailto:ruf.agensi@mygovuc.gov.my; adkim=r; aspf=r; ri=86400

Medium

DKIM not detected on common selectors

DKIM tidak ditemui pada selector lazim

DKIM_NOT_DETECTED · email_auth

What this means

Without DKIM signatures, mail-server-level DMARC alignment is much harder to achieve, weakening anti-spoofing.

Bagaimana memperbaiki

Konfigurasikan tandatangan DKIM di platform e-mel anda (Google Workspace / Microsoft 365) dan terbitkan kunci awam.

Apa maksudnya

Tanpa tandatangan DKIM, penjajaran DMARC di peringkat pelayan e-mel lebih sukar, melemahkan perlindungan terhadap penyamaran.

How to fix

Configure DKIM signing in your mail platform (Google Workspace / Microsoft 365) and publish the public key.

Medium

CSP missing default-src and script-src

CSP tiada default-src dan script-src

WEAK_CSP · headers

What this means

Current CSP only restricts a few directives; the browser falls back to permissive defaults for scripts, styles, images, etc.

Bagaimana memperbaiki

Tambah default-src 'self' dan script-src yang ketat.

Apa maksudnya

CSP semasa hanya mengawal sedikit arahan; pelayar guna nilai lalai yang longgar untuk skrip, gaya, imej, dsb.

How to fix

Add default-src 'self' and a strict script-src.

object-src 'none'; form-action 'self'; frame-ancestors 'self';

Medium

Non-production subdomains visible in CT logs (6 found)

Subdomain bukan-produksi kelihatan dalam log CT (6 ditemui)

EXPOSED_NON_PROD_SUBDOMAINS · subdomains

What this means

Certificate Transparency logs are public. Subdomains containing 'dev', 'test', 'staging', 'admin' etc. are commonly targeted because they are often less hardened than production.

Bagaimana memperbaiki

Senaraikan setiap satu. Padamkan jika tidak digunakan. Jika perlu, hadkan akses kepada VPN / Cloudflare Access / senarai putih IP.

Apa maksudnya

Log Certificate Transparency adalah awam. Subdomain yang mengandungi 'dev', 'test', 'staging', 'admin' dsb. selalunya diserang kerana biasanya kurang terlindung berbanding produksi.

How to fix

Inventory each one. Take offline if unused. If needed, restrict to VPN / Cloudflare Access / IP allowlist.

epay-adm-staging.maiwp.gov.my epay-api-staging.maiwp.gov.my epay-staging.maiwp.gov.my intranet.maiwp.gov.my izakat-adm-staging.maiwp.gov.my izakat-staging.maiwp.gov.my

Info · Maklumat 2 penemuan / findings

Info

Deprecated X-XSS-Protection header present

Header X-XSS-Protection (sudah lapuk) digunakan

DEPRECATED_XSS_PROTECTION · headers

What this means

Modern browsers ignore this header; rely on CSP instead.

Bagaimana memperbaiki

Buang header X-XSS-Protection.

Apa maksudnya

Pelayar moden tidak guna header ini; gunakan CSP sebagai gantinya.

How to fix

Remove X-XSS-Protection header.

1; mode=block

Info

Deprecated Expect-CT header present

Header Expect-CT (sudah lapuk) digunakan

DEPRECATED_EXPECT_CT · headers

What this means

Expect-CT was deprecated in 2024 as CT is enforced by default in modern browsers.

Bagaimana memperbaiki

Buang header Expect-CT.

Apa maksudnya

Expect-CT telah dilapukkan pada 2024 kerana CT dikuatkuasakan secara lalai dalam pelayar moden.

How to fix

Remove Expect-CT header.

max-age=86400, enforce

Subdomain	Status
ap-guest.maiwp.gov.my	ok
asis.maiwp.gov.my	ok
asnafcare.maiwp.gov.my	ok
cloud.maiwp.gov.my	ok
ehartanah.maiwp.gov.my	ok
epay-adm-staging.maiwp.gov.my	tinjau · review
epay-adm.maiwp.gov.my	ok
epay-api-staging.maiwp.gov.my	tinjau · review
epay-api.maiwp.gov.my	ok
epay-staging.maiwp.gov.my	tinjau · review
epay.maiwp.gov.my	ok
hrmsconnect.maiwp.gov.my	ok
intranet.maiwp.gov.my	tinjau · review
ipermata.maiwp.gov.my	ok
izakat-adm-staging.maiwp.gov.my	tinjau · review
izakat-adm.maiwp.gov.my	ok
izakat-api.maiwp.gov.my	ok
izakat-meta.maiwp.gov.my	ok
izakat-pod.maiwp.gov.my	ok
izakat-staging.maiwp.gov.my	tinjau · review
izakat.maiwp.gov.my	ok
maiwp.gov.my	ok
pma.maiwp.gov.my	ok
smam.maiwp.gov.my	ok
spas.maiwp.gov.my	ok
vlp.maiwp.gov.my	ok
www.maiwp.gov.my	ok

Jenis / Type	Nilai / Value
A	104.20.22.237 172.66.162.204
AAAA	2606:4700:10::6814:16ed 2606:4700:10::ac42:a2cc
MX	1 aspmx.l.google.com. 10 alt3.aspmx.l.google.com. 10 alt4.aspmx.l.google.com. 5 alt1.aspmx.l.google.com. 5 alt2.aspmx.l.google.com.
NS	clyde.ns.cloudflare.com. jessica.ns.cloudflare.com.
TXT	"google-site-verification=rlYe7zEjlKxrQYGgy9AcCdnO_AW3xZni0Szh_fNnaJc" "google-site-verification=s6TQc68ULeL4nYcc0yuiaftDFqboTx_1EWaFZii9W5E" "v=spf1 ip4:103.8.147.12/30 ip4:219.92.54.177/32 ip4:103.156.82.32/29 ip4:103.156.83.32/29 ip4:103.245.89.4 ip4:103.245.89.5 ip4:150.242.180.0/24 ip4:103.8.147.12/30 ip4:219.92.54.177/32 ip4:103.156.82.32/29 ip4:103.156.83.32/29 include:_spf.google.com ~al" "l" "google-site-verification=r3gB6Fr5Y1qjdh3Wf0naanXI2GSts3Oog4HYeU1ff5Y"
CAA	0 issue "ssl.com" 0 issuewild "comodoca.com" 0 issuewild "digicert.com; cansignhttpexchanges=yes" 0 issuewild "entrust.net" 0 issuewild "letsencrypt.org" 0 issuewild "pki.goog; cansignhttpexchanges=yes" 0 issuewild "sectigo.com" 0 issuewild "ssl.com" 0 issue "comodoca.com" 0 issue "digicert.com; cansignhttpexchanges=yes" 0 issue "entrust.net" 0 issue "letsencrypt.org" 0 issue "pki.goog; cansignhttpexchanges=yes" 0 issue "sectigo.com"
SOA	clyde.ns.cloudflare.com. dns.cloudflare.com. 2404080410 10000 2400 604800 1800

#	Pemeriksaan / Check	Status	Penemuan / Findings
1	HTTP security headers Header keselamatan HTTP	ok	3
2	TLS certificate & chain Sijil TLS & rantaian	ok	0
3	DNS records Rekod DNS	ok	0
4	Email authentication (SPF/DKIM/DMARC) Pengesahan e-mel (SPF/DKIM/DMARC)	ok	4
5	Subdomain exposure (CT logs) Pendedahan subdomain (log CT)	ok	1
6	Technology fingerprint Cap jari teknologi	ok	0
7	Historical exposure (Wayback) Pendedahan sejarah (Wayback)	skipped	0
8	urlscan.io public history Sejarah awam urlscan.io	ok	0

TinjauanKeselamatan Pasif

Ringkasan Eksekutif / Executive Summary

Bahasa Malaysia

English

Profil Risiko / Risk Profile

Tiga Penemuan Utama / Top 3 Findings

Penemuan Terperinci / Detailed Findings

High · Tinggi 1 penemuan / findings

DMARC policy applies to only 10% of failing mail

What this means

Bagaimana memperbaiki

Apa maksudnya

How to fix

Medium · Sederhana 5 penemuan / findings

SPF policy ends with ~all (softfail)

What this means

Bagaimana memperbaiki

Apa maksudnya

How to fix

DMARC policy is p=quarantine (not p=reject)

What this means

Bagaimana memperbaiki

Apa maksudnya

How to fix

DKIM not detected on common selectors

What this means

Bagaimana memperbaiki

Apa maksudnya

How to fix

CSP missing default-src and script-src

What this means

Bagaimana memperbaiki

Apa maksudnya

How to fix

Non-production subdomains visible in CT logs (6 found)

What this means

Bagaimana memperbaiki

Apa maksudnya

How to fix

Info · Maklumat 2 penemuan / findings

Deprecated X-XSS-Protection header present

What this means

Bagaimana memperbaiki

Apa maksudnya

How to fix

Deprecated Expect-CT header present

What this means

Bagaimana memperbaiki

Apa maksudnya

How to fix

Pengesahan E-mel / Email Authentication Deep-Dive

Mengapa ini penting

Why this matters

Status Polisi / Policy Status

SPF

DMARC

DKIM

Cara Membaca / How to Read

Bahasa Malaysia

English

Peta Pendedahan / Attack Surface Map

Subdomain (27)

Rekod DNS / DNS Records

Sijil TLS / TLS Certificate

Cap Jari Teknologi / Technology

urlscan.io

Pelan Tindakan / Remediation Roadmap

Minggu Ini / This Week

Bulan Ini / This Month

Suku Tahun Ini / This Quarter

Kaedah & Skop / Methodology & Scope

Apa yang DIUJI

Apa yang TIDAK DIUJI

What WAS tested

What was NOT tested

Pemeriksaan Dijalankan / Checks Run

Glosari / Glossary

Tinjauan
Keselamatan Pasif