A few Python programs designed to help penetration testers with email spoofing.
This Project is Retired
Due to improvements in email protections and anti-spam techniques, it is no longer effective to attempt to spoof emails simply because they do not have a proper DMARC record or from arbitrary email servers. This project is retired and will not be maintained.
Email servers do not accept connections from normal computers. In an effort to limit the amount of spam, most MTAs will only accept connections from relays that have a fully-qualified domain name (FQDN). As such, the easiest way to use this project is from a Linux Virtual Private Server. There are several free or cheap options available, such as Digital Ocean, Linode, and Amazon EC2.
Once the server is set up, the next step is to install and start an SMTP server. This is required to actually send the spoofed emails. I personally use Postfix, though any will do. This script defaults to using localhost:25 for the mail server.
On Kali Linux, the easiest method of doing this is:
sudo apt-get install postfix
sudo service postfix start
When installing postfix, specify
Internet-facing and provide the correct FQDN when prompted.
This script has two dependencies:
These can be installed using pip:
pip install -r requirements.txt
Add the desired contents of the email in HTML format to an HTML file. Then, execute the following command:
./SimpleEmailSpoofer.py -e [Path to Email file] -t [To address] -f [From address] -n [From name] -j [Email subject]
Additional flags can be found by running
Email Spoofing 101
Email spoofing has been an issue since the earliest days of the SMTP protocol. The root cause of email spoofing is that SMTP does not require authentication between mail relays. An attacker can stand up or find an "Open Relay" (i.e. an SMTP server that can send from arbitrary domains), which is the default configuration for SMTP servers, and use that to send arbitrary emails from arbitrary email addresses.
In an effort to combat spam, many SMTP servers now block any mail relay that does not have a Fully-qualified Domain Name (FQDN). An FQDN is a DNS A record that points to the relay's IP address. This can be either a domain purchased from a domain registrar, or by using a domain automatically associated with a virtual private server.
As email spoofing is a serious and widespread issue, over the years several protection mechanisms have been added to combat it. However, all of these protections are opt-in and require significant configuration. As such, as much as 98% of the internet is still vulnerable. For additional information, please see the Bishop Fox blog post on the subject.
To determine if a domain is vulnerable to email spoofing, Bishop Fox has created two tools:
- A web interface that produces a report with analysis and recommendations
- A command line utility that only performs analysis
Only use this tool for education, research, or in the course of approved social engineering assessments. While email spoofing is a powerful tool in the social engineer's arsenal, it is also trivial to identify the server that sent any email. Furthermore, this tool makes no claims to bypass any products such as Barracuda or ForcePoint email protections suites. Please use responsibly.
The Spoofcheck program, which allows users to identify whether or not domains are vulnerable to email spoofing, has moved to the following repository: