OWASP O2 Platform Blog

O2 script to Send Spoofed Emails (using direct SMTP connections)

Note: Use this script to test whether email servers (namely yours) are able to detect spoofed emails (be careful, since this can be VERY distressing for the receiving party).

These scripts are a variation of a PoC that I wrote a couple of months ago while delivering a training class. I wanted to show how SMTP worked and how easy it was to get a user to click on a link.

The Util – Send Spoofed email.h2 script (screenshot below) allows the easy sending of emails using user-provided TO, FROM, Subject and Body values.

So how does this work? Using a couple of powerful networking APIs from http://mailsystem.codeplex.com, it is possible to send emails using:

_message.From = new Address(From_Email, From_Name);
foreach (var item in To)
    _message.To.Add(new Address(item.Key, item.Value)); // syntax: (email, name)

_message.Subject = Subject;
_message.BodyText.Text = Body.line().line() + Body_SpoofEmailAlertFooter;
"about to send message".info();
SmtpClient.DirectSend(_message);

Basically, the SmtpClient.DirectSend method sends the raw SMTP message to the specified server. SMTP is a clear-text protocol, just like HTTP.

Since we are able to define both the TO and FROM addresses, the interesting question is: "can we put ANY email address in the FROM field?" Unfortunately, in 2011, the answer is still YES: for most email servers this is still possible (so much for email authentication and verifiability).

I've tested this in a number of places and it worked perfectly (including Gmail), so let me know if you find cases/servers where it doesn't work (and the reasons why not).
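The reason this works is that plain SMTP never verifies the MAIL FROM domain; the check is left to the receiving server via SPF (and DKIM/DMARC). As an added example, not part of the original post or of the O2 Platform, here is a minimal receiver-side SPF evaluator in Python with a DMARC-style alignment verdict; it uses constructed SPF records instead of DNS lookups and handles only the ip4/ip6 and all mechanisms, both assumptions of the example.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS (an assumption of this
# example): a real receiver looks up "v=spf1 ..." for the MAIL FROM domain.
SPF_RECORDS = {
    "mydomain.net": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "softdomain.example": "v=spf1 ip4:192.0.2.0/28 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(mail_from_domain, client_ip, records=SPF_RECORDS):
    """SPF result for a connection from client_ip claiming mail_from_domain.
    Only ip4/ip6 mechanisms and the 'all' catch-all are handled here;
    a, mx and include are out of scope for this example."""
    record = records.get(mail_from_domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return "none"  # nothing published: the sender cannot be verified at all
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6") and value:
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no matching mechanism and no 'all' term


def classify(header_from, mail_from, client_ip):
    """Receiver-side verdict for one message: the SPF result combined with a
    DMARC-style alignment check of the header From against the envelope sender.
    The accept/quarantine/reject policy is this example's own choice."""
    envelope_domain = mail_from.rsplit("@", 1)[-1].lower()
    header_domain = header_from.rsplit("@", 1)[-1].lower()
    spf = evaluate_spf(envelope_domain, client_ip)
    aligned = header_domain == envelope_domain
    if spf == "pass" and aligned:
        return "accept"
    if spf == "fail":
        return "reject"
    return "quarantine"  # none/softfail/neutral or misaligned: treat as suspect
```

The spoofed message from this post (From: me@thisDomainDoesntExist.com) lands in the "none" case: a domain that publishes no SPF record gives the receiver nothing to check, which is why it goes through unless the receiver quarantines unverifiable senders.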

To help with testing this, I added an API to O2 that helps to send spoofed emails.

You can use it like this:

var spoofEmail = new API_ActiveUp_SendEmail();

spoofEmail.From_Email = "me@thisDomainDoesntExist.com";
spoofEmail.From_Name = "me (at no Domain)";
spoofEmail.To.add("myEmail@myDomain.net", "My Email");
spoofEmail.Subject = "Spoof test";
spoofEmail.Body = "If all worked OK, this email will look like it was sent from thisDomainDoesntExist.com. Check out the from address :)";

return spoofEmail.sendEmail();

or like this:

var spoofEmail = new API_ActiveUp_SendEmail();
spoofEmail.sendEmail("me@thisDomainDoesntExist.com",
                     "me (at no Domain)",
                     "myEmail@myDomain.net",
                     "My Email",
                     "Spoof test",
                     "If all worked OK, this email will look like it was sent from thisDomainDoesntExist.com. Check out the from address :)");

Here is the full script of the API (note the import of the ActiveUp Smtp, Dns and Common DLLs):

using System;
using System.Linq;
using System.Collections.Generic;
using System.Windows.Forms;
using System.Text;
using ActiveUp.Net.Mail;
using O2.Kernel.ExtensionMethods;
using O2.DotNetWrappers.ExtensionMethods;
//O2Ref:ActiveUp.Net.Smtp.dll
//O2Ref:ActiveUp.Net.Dns.dll
//O2Ref:ActiveUp.Net.Common.dll

namespace O2.XRules.Database.APIs
{
    public class API_ActiveUp_SendEmail
    {       
        public Dictionary<string,string> To { get; set; }//syntax: (email, name)
        public string From_Name { get; set; }
        public string From_Email { get; set; }
        public string Subject { get; set; }
        public string Body { get; set; }
        public string Body_SpoofEmailAlertFooter { get; set; }
        public ActiveUp.Net.Mail.Message _message { get; set; }
       
        public API_ActiveUp_SendEmail()
        {
            To = new Dictionary<string,string>();           
            _message = new ActiveUp.Net.Mail.Message();
           
            Body_SpoofEmailAlertFooter = "NOTE: this is a spoofed email, i.e. this was not sent by the current contact shown in the To field.".line() +
                                         "      this email was sent using an O2 Platform (http://o2platform.com) script that is designed to show".line() +
                                         "      how easy it is to send spoofed emails ";
        }
       
        public bool sendEmail()
        {       
            "In send email".info();
            try
            {
                _message.From = new Address(From_Email,From_Name);
                foreach(var item in To)           
                    _message.To.Add(new Address(item.Key,item.Value)); //syntax: (email, name)
       
                _message.Subject = Subject;
                _message.BodyText.Text = Body.line().line() + Body_SpoofEmailAlertFooter;
                "about to send message".info();
                SmtpClient.DirectSend(_message);
                "message sent".info();
                return true;
            }
            catch(Exception ex)
            {
                ex.log();
                return false;
            }
        }
       
        public bool sendEmail(string fromEmail, string fromName, string toEmail, string toName, string subject ,string body)
        {
            this.From_Email = fromEmail;
            this.From_Name = fromName;
            this.To.add(toEmail, toName);
            this.Subject = subject;
            this.Body = body;
            return  this.sendEmail();
        }
    }
}

You can find the GUI and API scripts in the C:\O2\O2Scripts_Database\_Scripts\APIs\ActiveUp_SMTP folder.

 

August 9, 2011 - Posted in Network Security
