How to spoof a sender’s email address
| March 8, 2024Understanding how to spoof email addresses is an essential part of running any successful red-team exercise or phishing simulation, particularly when a majority of domains are vulnerable to spoofing in some way, shape, or form!
We’ll provide a detailed walkthrough on what email authentication protocols are vulnerable to spoofing, how to identify these vulnerabilities at scale, and how to spoof an email address while passing email authentication checks.
Understanding The Basics
Before we delve straight into vulnerability exploitation, let’s cover some fundamentals.
What Is Email Address Spoofing?
Email address spoofing is where someone forges an email address and email display name to appear as though it’s from a trusted entity or individual.
Under normal circumstances, email address spoofing shouldn’t be possible. If you’ve heard the acronyms SPF, DKIM, or DMARC, you probably know why. These are all email authentication protocols meant to prevent email spoofing.
It’s crucial to acknowledge this because by understanding how these protocols work, we can understand how they can be abused and even bypassed if not configured correctly. To this effect, let’s delve into what SPF and DMARC are and how they work together.
What is the Sender Policy Framework (SPF)?
SPF is an email authentication protocol, which is essentially a large list of IP addresses that are published through a public DNS record (known as an SPF record). Each IP address in an SPF record is considered an email sender who is authorized to deliver emails on behalf of a given domain.
Let’s say I wanted to deliver an email from an email address at the xxxxx.com domain. To do this, I need to send the email from a server with a public IP address listed in the xxxxx.com SPF record. If I used an IP address that’s not in the SPF record, then the receiver of that email would fail the email authentication check and reject the email as a likely spoofing attempt.
So, now that we know what SPF is, let’s answer the following question.
How Is SPF Bypassed?
To answer this, we need to deep-dive into how emails are sent and received.
When an email is received by an email client such as Gmail or Outlook, only a portion of the email is visible to the recipient. The visible portion of an email is called the email content, while the email envelope, which is predominantly used for routing purposes, is hidden from plain view (only visible by viewing the message headers).
It’s important to make this distinction between visible and hidden information because this is where there’s an inherent vulnerability in the way SPF operates. Cybercriminals can exploit this vulnerability through an attack known as SPF-bypass.
As can be seen in the screenshot above, there are two locations where the from address is specified. The first “mail from:” address located in the email envelope is where SPF authentication checks occur. But as mentioned earlier, everything in the email envelope is hidden from plain view. The second “from:” address located in the email content is what the recipient of the email actually sees in their email client.
Naturally, this raises a question. What if we misalign the “mail from” address in the email envelope with the “from” address in the email content?
This is exactly how an SPF-bypass attack occurs. Cybercriminals will use a domain that they control in the email envelope “mail from” address (that passes SPF checks); they then use the domain of an entity they want to spoof in the email content “from” address.
This is a glaring weakness in the way SPF operates, and it’s something that the maintainers of the SPF protocol noticed shortly after its creation, so to prevent spoofing attacks of this nature, a new superseding protocol was created, DMARC.
What is Domain-based Message Authentication, Reporting & Conformance (DMARC)?
DMARC is an email authentication protocol that has a range of functionality, and like SPF, it’s a public DNS record. Importantly, it’s meant to protect against SPF-bypass attacks.
It does this by enforcing an alignment check against the email from addresses listed in both the email envelope and the email content. If there’s a misalignment, the DMARC authentication check will fail, which then causes the email client to reject the email in its entirety.
The problem is that knowledge of how this protocol protects against SPF-bypass attacks is poorly understood on a global scale. A scan conducted in 2022 against 1.7 million Australian domains showed that nearly 60% of all domains were vulnerable to an SPF-bypass attack because their DMARC record either didn’t exist or was configured in a non-enforcement mode.
Now that we know how email addresses can be spoofed and what’s meant to prevent said spoofing let’s delve into how you discover these vulnerabilities and ultimately spoof an email address.
How To Spoof An Email Address
Step 1. Identify A Vulnerable Domain
To spoof an email address, we need to identify a domain that either doesn’t have a DMARC record set up or is configured in a way where the DMARC record ‘p’ qualifier is set in a ‘None’ non-enforcement configuration.
There are a variety of manual and automated ways to perform these scans, namely running manual searches using the ‘dig’ command line utility, the email domain scanning tool or the CanIBeSpoofed open-source project.
As an example, we can see that wikipedia[.]org doesn’t have an adequately configured DMARC record, so we’ll use this example for the remainder of the walkthrough.
Step 2. Obtain An Email Server
This part is easier said than done. Most cloud infrastructure providers prevent the ability to send outbound SMTP emails over TCP port 25 due to the risk of cyber criminals abusing their infrastructure with malicious intent. While saying this, there are various means of legitimately gaining access to infrastructure that supports this, particularly if you work with a large business or institution.
We can proceed with the next step once you have an email server, ideally with a Linux-based operating system that can communicate outbound over TCP port 25.
Step 3. Obtain An Attacker Domain
Earlier, we talked about how SPF-bypass attacks abuse a misalignment between the email envelope and email content from addresses. To take advantage of this misalignment, we must provide a domain we control (i.e., an attacker domain) in the email envelope “mail from” address, which is where SPF authentication is performed, while providing the domain we’re spoofing in the email content “from” address.
In preparation for sending an email with a spoofed email address, we need to procure an attacker domain and set up its SPF record so the public IP address attached to the email server setup in Step 2 is listed as an authorized sender.
Accordingly, we need to purchase a domain from a domain registrar such as GoDaddy, Amazon Route 53, or any of the hundreds of registrars out there. This can be any domain you choose (ideally, one that’s non-descript and generic).
Once purchased, we need to set the SPF record as follows (replacing <IP-ADDRESS> with the public IP address of your email server):
Step 4. Prepare The Email Spoofing Script
Now that we’ve identified a vulnerable target domain, we have our email server, our attacker domain, and the corresponding SPF record all set up; we’re ready to send out our email with a spoofed email address!
To send this email, we’ll be modifying the below script to suit our needs. So copy it out and paste it into your favorite text editor.
This is a test
.
Note: The script above is a slightly modified version from the SPF-Bypass GitHub Project.
Step 4.1. Specify The Target Email Server
To find the email server of our intended target, we’ll need to run an MX dig command against the target domain (replacing <target-domain> with the domain of our target recipient). Once run, extract the relevant mail server and update the script by replacing <target-mail-server> on line 1 with the mail server address.
Image Reference: Example depicting a dig MX query against the domain.
Step 4.2. Specify The Attacker Domain
Replace <attacker-domain> on line 2 with your attacker domain and <attacker-email-address> on line 3 with an email address at your attacker domain.
Note: The local-part address (i.e. everything before the @ symbol) doesn’t have to be real, we just need the domain to be real.
Step 4.3. Specify The Target Email Address
Replace <target-email-address> on lines 4 and 7 with the email address of your intended target.
Step 4.4. Specify The Spoofed Email Address
On line 6, replace <spoofed-display-name> with your preferred display name, and %spoofed-email-address% with the email address that you intend to spoof.
Note: Make sure %spoofed-email-address% still has angle brackets around the email address (e.g. <[email protected]>). This is a formatting requirement for delivering SMTP emails.
Step 4.5. Personalize The Email Body
Replace the subject on line 8 with your preferred subject. Ideally, it should be something for demonstration purposes, and then enter any text you wish below the subject for the email body.
You’re now ready to send the email with a spoofed email address!
Step 5. Send An Email With A Spoofed Email Address
Step 5 builds from step 4; please keep your modified script open in your text editor.
Step 5.1. Connect To The Target Email Server
Copy line 1 to your clipboard. Paste and then submit the command to your email server’s console.
Note: You may need to install telnet on your email server.
Step 5.2. Input The Email Envelope
Copy lines 2-4 to your clipboard. Paste and then submit the sequence of commands to your email server’s console.
Note: You will need to press enter twice, as the email server will acknowledge the sender and recipient addresses.
Step 5.3. Transition From The Email Envelope To The Email Content
Copy line 5 to your clipboard. Paste and then submit the command to your email server’s console.
Step 5.4 Input The Email Content
Copy lines 6-11 to your clipboard. Paste and then submit the sequence of commands to your email server’s console.
Step 5.5 Send The Email
Enter a full-stop “.” to notify the target email server that your email is complete and ready for processing. You should receive an immediate notification that the email has been queued for delivery!
Note: If you experience any difficulties with sending the email while following steps 4.6 to 4.10, it could be because your email server doesn’t have a trusted IP address or that the target email server needs the commands to be processed in a slightly different format (e.g., surrounding all domains and email addresses with angle brackets).
Step 5.6 Check Your Email Client
After a minute or so, you should receive the email in your inbox. When analyzing the email headers, you should notice the mismatch between the SMTP.MailFrom (i.e., Mail Envelope From) and email content from address.