Penetration Testing Mail Server with Email Spoofing – Exploiting Open Relay configured Public Mail Servers

Email spoofing is a way of delivering forged emails to recipients.

These methods are used by criminals to launch attacks like phishing or spam to provide persistent backdoors with legitimate behavior.

Publicly available email servers can be used for spoofing attacks. If you have configured your mail server with OPEN RELAY, this dangerous email spoofing attack can be performed by attackers.

An open relay is an SMTP server configured in such a way that allows a third party to relay (send/receive email messages that are neither from nor for local users).

Therefore, such servers are usually targeted by spam senders to send spoofed emails to victims’ inboxes.

Searching the vulnerable mail server in a public network with an open relay configured might be the task to do this email spoofing.

Discovery of Vulnerable Mailserver – Email spoofing

• The attacker will be trying to find a mail server with subdomain enumeration tools like Dig, Nslookup, or else straightforward using a legitimate website like VirusTotal to find the subdomains of your target.

Telnet or Netcat Client:

• Many ISPs will block or restrict SMTP connections on port 25. Why block port 25?
• According to  Internet Engineering Task Force (IETF). Request For Comments (RFC) 821 was published, establishing port 25 as the default transmission channel for Internet email.
• We still use port 25 as the primary means of transmitting email between two mail servers.
• Later RFC 2476 was submitted in support of adding a new specification for internet email communications. The RFC proposed a split of the traditional message submission and message relay concept.
• The RFC 2476 defined that message submission should occur over port 587 to ensure new policy and security requirements.
• Finally, RFC 2487 defined STARTTLS protocol which is an Extension for Secure SMTP over TLS as encrypting communications over the internet.
• To check this, we can use Telnet or Netcat client.

• The above figure shows you’re on the external mail server. It should not connect. Here we should get an error.

SMTP Commands:

Whatever you do with Email such as Composing of mail, sending to the recipient, etc. every action will be performed with SMTP commands with Codes which is behind the scene. So understanding the SMTP commands is the better way to understand open mail relay.

• HELO It’s the very first SMTP welcome command to start the conversation and identify the sender server and is followed by its domain name.
• EHLO Same as the HELO command or An alternative command to start the conversation, underlying that the server is using the Extended SMTP protocol.
• EMAIL FROM The sender states the source email address in the “From” field and starts the email transfer.
• RCPT TO It identifies the recipient of the email
• DATA Sending your body of mail by the DATA command the email content begins to be transferred.
• VRFY The server is asked to verify whether a particular email address or username exists.
• AUTH Authentication command, the client authenticates itself to the server, giving its username and password.
• HELP with the client’s request for some information that can be useful for the successful transfer of the email.
• EXPN asks for confirmation about the identification of a mailing list.
• RSET Client communicates with the server to stop the ongoing email transmission or terminate the continuous mail from the server.
• ETRN or TURN changes roles between the client and the server. The client will be acting as SMTP Server
• QUIT terminates the SMTP conversation.

Mailserver User Enumeration

• The attacker finds out the present mail addresses in the server with VRFY SMTP Command.

• The above figure shows mail server replies with 250 code that tells us the usernames are found on the mail server.

Composing the spoofing mail

• Here we have enumerated two usernames in the mail server.

• The above figure shows SMTP Commands MAIL FROM and RCPT TO are utilized to send the forged mail to the receiver.
• The syntax for the sender:      mail from:balaji@123.com
• The syntax for receiver:    rcpt to:gurubaran@123.com
• Mailserver will reply with a 250 code as the sender and receiver are ok!

Sending Forge mail

• Now the final step is to use this open relay to send spoofed emails to receivers.
• Utilize SMTP command DATA to compose the mail in the command line.

• Executing DATA command will receive a 354 code to compose our mail to target.
• The above figure shows mail is forged from to subject: with the body of mail with some message to the receiver.
• Enter. After composing the mail on the new line and hitting enter to fire the spoofed mail to the target.
• Now the spoofed mail is sent to the receiver.

Never configure your mail server with the open relay. Implement security controls with authentication with user accounts and encryption with STARTTLS.

Configure the email gateway to allow only authorized IP addresses to send. Happy Hacking !!!