Live worker hosted at https://spamchannel.haxxx.workers.dev
UPDATE (Aug 13 2023): Two days after my DEFCON 31 talk, MailChannels silently decided to require a Domain Lockdown Record in order to send emails from Cloudflare Workers meaning this code doesn't work anymore. However, because they just addressed a "symptom" and not the underlying issue (lack of sender idenitity verification) anyone can still signup on their website (80$) and use their "normal" SMTP relay to spoof all of their customer domains 🤷🏻♂️
What is this
As of writing, This allows you to spoof emails from any of the +2 Million domains using MailChannels. It also gives you a slightly higher chance of landing a spoofed emails from any domain that doesn't have an SPF & DMARC due to ARC adoption.
It was released at the Defcon 31 talk SpamChannel: Spoofing Emails From 2 Million+ Domains and Virtually Becoming Satan.
Slides for the talk are here
I'm a MailChannels customer, how do I stop people from impersonating my domain?
TL;DR set your Domain Lockdown Record ASAP.
Below are the demos from my Defcon talk demonstrating email spoofing using this Cloudflare Worker.
This video demonstrates spoofing an email from a domain configured with DMARC + DKIM:
This video demonstrates impersonating Satan (firstname.lastname@example.org):
How to deploy this yourself
- Signup and create a free account on Cloudflare (https://dash.cloudflare.com/sign-up)
- Clone this repo
- Install Wrangler CLI tool (
npm i -g wrangler)
wrangler loginand login to your account
- In the root of this repo run
Code was based on @ihsangan's gist.