Tuesday, 9 August 2011

Sending spoofed emails using O2 (why does this still work in 2011?)

I just blogged today about a simple but powerful O2 script that allows the sending of Spoofed emails by sending emails using SMTP: http://o2platform.wordpress.com/2011/08/09/o2-script-to-send-spoofed-emails-using-direct-smtp-connections (check out the API and GUI)

These emails are sent using an STMP API, and there are a number of variations/conner-cases that we will need to solve. For example:
  • Sending an email to a owasp-o2-platform@lists.owasp.org throws: No MX record found for the domain "lists.owasp.org". Check that the domain is correct and exists or specify a DNS server
  • On another server I got the following error (which could be solved by manipulating the provided hostname): ...failed : 504 5.5.2 <WIN-DR8DS3BT4V1>: Helo command rejected: need fully-qualified hostname
The key is to start mapping: :
  • the exact scenarios where it is still possible (in 2011) to send Spoofed emails,
  • the case where it is NOT possible, and
  • what mitigations work
I have to say that I have been surprised at the places where this still works. One of the scary scenarios is the case where one sends an spoofed email 'to email X' , 'from email Y' , 'both at company Z' (and if Y is X's boss, there is no way X will not read it and click on a provided link)

I would like to start a list of locations where this is still possible, for example it works for Gmail. So let me know if it works for you, and if you have any ideas on how/where to start mapping the data collected. On the topic of mapping this data, is there an online service to find if a email host/provider is vulnerable to this? (i.e. allow the easy spoofing of emails)

Final Question: What are the mitigations and where in OWASP should be put this information? (I could only find https://www.owasp.org/index.php/Phishing which is not 100% relevant)