Penetration Testing Mail Server with Email Spoofing – Exploiting Open Relay configured Public Mail Servers

Email spoofing

Email spoofing is the way of delivering forged emails to recipients.These methods are used by criminals to launch attacks like phishing or spams to provide persistent backdoors with legitimate behavior.

Publicly available email servers can be used for spoofing attack. If you have configured your mail server with OPEN RELAY, this dangerous email spoofing attack can be performed by attackers.

An open relay is an SMTP server configured in such a way that allows a third party to relay (send/receive email messages that are neither from nor for local users). Therefore, such servers are usually targeted by spam senders to send spoofed emails to victims inbox.

Searching the vulnerable mail server in public network with open relay configured might be the task to do this email spoofing.

Also Read Email Header Analysis – Received Email is Genuine or Spoofed

Discovery of Vulnerable Mailserver- Email spoofing

  • The attacker will be trying to find mail server with subdomain enumeration tools like Dig, Nslookup or else straightforward of using the legitimate website like VirusTotal to find the subdomains of your target.

Telnet or Netcat Client:

  • Many ISPs will block or restrict SMTP connections on port 25.Why blocking port 25?
  • According to  Internet Engineering Task Force (IETF).Request For Comments (RFC) 821 was published, establishing port 25 as the default transmission channel for internet email.We still use port 25 as the primary means of transmitting email between two mail servers.
  • Later RFC 2476 submitted in support of adding a new specification for internet email communications.The RFC proposed a split of the traditional message submission and message relay concept.
  • The RFC 2476 defined that message submission should occur over port 587 to ensure new policy and security requirements.
  • Finally, the RFC 2487 defined STARTTLS protocol which is Extension for Secure SMTP over TLS as encrypting communications over the internet.
  • To check this, we can use Telnet or Netcat client.
  • Above figure shows you’re on the external mail server.It should not connect.Here we should get an error.

SMTP Commands:

Whatever you do with Email such as Composing of mail, sending to the recipient, etc. every action will be performed with SMTP commands with Codes which is behind the scene.So understanding the SMTP commands is the better way to understand open mail relay.

  • HELO It’s the very first SMTP welcome command to start the conversation and identifying the sender server and is followed by its domain name.
  • EHLO Same like HELO command or An alternative command to start the conversation, underlying that the server is using the Extended SMTP protocol.
  • EMAIL FROM The sender states the source email address in the “From” field and starts the email transfer.
  • RCPT TO It identifies the recipient of the email
  • DATA Sending your body of mail by the DATA command the email content begins to be transferred.
  • VRFY The server is asked to verify whether a particular email address or username exists.
  • AUTH Authentication command, the client authenticates itself to the server, giving its username and password.
  • HELP client’s request for some information that can be useful for the successful transfer of the email.
  • EXPN asks for confirmation about the identification of a mailing list.
  • RSET Client communicates the server to stop the ongoing email transmission or terminating the continuous mail from the server.
  • ETRN or TURN changes roles between the client and the server.Client will be acting as SMTP Server
  • QUIT It terminates the SMTP conversation.

Mailserver User Enumeration

  • Attacker finds out the present mail addresses in the server with VRFY SMTP Command.
  • Above figure shows mail server replies with 250 code that tells us the usernames are found on the mail server.

Composing the spoofing mail

  • Here we have enumerated two usernames in the mail server.
  • Above figure shows SMTP Commands MAIL FROM and RCPT TO are utilized to send the forged mail to the receiver.
  • Syntax for sender:      mail from:[email protected]
  • Syntax for receiver:    rcpt to:[email protected]
  • Mailserver will reply with 250 code as sender and receiver are ok!

Sending Forge mail

  • Now its final step to use this open relay to send spoofed emails to receivers.
  • Utilize SMTP command DATA to compose the mail in the command line.
  • executing DATA command will receive a 354 code to compose our mail to target.
  • Above figure shows mail is forged from to subject: with the body of mail with some message to the receiver.
  • Enter . after composing the mail on the new line and hit enter to fire the spoofed mail to target.
  • Now the spoofed mail is sent to the receiver.

Never configure your mail server with the open relay.Implement security controls with authentication with user accounts and encryption with STARTTLS.Configure email gateway allow only authorized IP addresses to send.Happy Hacking !!!


This article is only for an Educational purpose. Any actions and or activities related to the material contained on this Website is solely your responsibility.The misuse of the information on this website can result in criminal charges brought against the persons in question. The authors and  will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.


Leave a Reply