Skip to content

byt3bl33d3r/SpamChannel

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
December 20, 2022 14:28
September 21, 2023 05:25
December 20, 2022 15:49
December 20, 2022 14:28

SpamChannel

Live worker hosted at https://spamchannel.haxxx.workers.dev

UPDATE (Aug 13 2023): Two days after my DEFCON 31 talk, MailChannels silently decided to require a Domain Lockdown Record in order to send emails from Cloudflare Workers meaning this code doesn't work anymore. However, because they just addressed a "symptom" and not the underlying issue (lack of sender idenitity verification) anyone can still signup on their website (80$) and use their "normal" SMTP relay to spoof all of their customer domains 🤷🏻‍♂️

What is this

As of writing, This allows you to spoof emails from any of the +2 Million domains using MailChannels. It also gives you a slightly higher chance of landing a spoofed emails from any domain that doesn't have an SPF & DMARC due to ARC adoption.

It was released at the Defcon 31 talk SpamChannel: Spoofing Emails From 2 Million+ Domains and Virtually Becoming Satan.

Slides for the talk are here

I'm a MailChannels customer, how do I stop people from impersonating my domain?

TL;DR set your Domain Lockdown Record ASAP.

Defcon Talk

Defcon 31 Talk

Demos

Below are the demos from my Defcon talk demonstrating email spoofing using this Cloudflare Worker.

This video demonstrates spoofing an email from a domain configured with DMARC + DKIM:

SpamChannel Demo 1

This video demonstrates impersonating Satan (satan@churchofsatan.com):

SpamChannel Demo 2

How to deploy this yourself

  1. Signup and create a free account on Cloudflare (https://dash.cloudflare.com/sign-up)
  2. Clone this repo
  3. Install Wrangler CLI tool (npm i -g wrangler)
  4. Run wrangler login and login to your account
  5. In the root of this repo run wrangler publish

Credits

Code was based on @ihsangan's gist.

About

Spoof emails from any of the +2 Million domains using MailChannels (DEFCON 31 Talk)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published