[Owasp-o2-platform] Sending spoofed emails using O2 (why does this still work in 2011?)

Dinis Cruz dinis at ddplus.net
Tue Aug 9 08:56:21 EDT 2011


I just blogged today about a simple but powerful O2 script that allows the
sending of Spoofed emails by sending emails using SMTP:
http://o2platform.wordpress.com/2011/08/09/o2-script-to-send-spoofed-emails-using-direct-smtp-connections(check
out the API and GUI)

These emails are sent using an STMP API, and there are a number of
variations/conner-cases that we will need to solve. For example:

   - Sending an email to a owasp-o2-platform at lists.owasp.org throws:  *No MX
   record found for the domain "lists.owasp.org". Check that the domain is
   correct and exists or specify a DNS server*
   - On another server I got the following error (which could be solved by
   manipulating the provided hostname): *...failed : 504 5.5.2
   <WIN-DR8DS3BT4V1>: Helo command rejected: need fully-qualified *hostname

The key is to start mapping: :

   - the exact scenarios where it is still possible (in 2011) to send
   Spoofed emails,
   - the case where it is NOT possible, and
   - what mitigations wor


I have to say that I have been surprised at the places where this still
works. One of the scary scenarios is the case where one sends an spoofed
email 'to email X'  ,  'from email Y'  ,  'both at company Z'  (and if Y is
X's boss, there is no way X will not read it and click on a provided link)

I would like to start a list of locations where this is still possible, for
example it works for Gmail. So let me know if it works for you, and if you
have any ideas on how/where to start mapping the data collected. On the
topic of mapping this data, is there an online service to find if a email
host/provider is vulnerable to this? (i.e. allow the easy spoofing of
emails)

Final Question: What are the mitigations and where in OWASP should be put
this information? (I could only find
https://www.owasp.org/index.php/Phishing which is not 100% relevant)

Dinis Cruz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20110809/3891b9e3/attachment.html 


More information about the Owasp-o2-platform mailing list