SpamChannel
Live worker hosted at https://spamchannel.haxxx.workers.dev
UPDATE (Aug 13 2023): Two days after my DEFCON 31 talk, MailChannels silently decided to require a Domain Lockdown Record in order to send emails from Cloudflare Workers meaning this code doesn't work anymore. However, because they just addressed a "symptom" and not the underlying issue (lack of sender idenitity verification) anyone can still signup on their website (80$) and use their "normal" SMTP relay to spoof all of their customer domains 🤷🏻♂️
What is this
As of writing, This allows you to spoof emails from any of the +2 Million domains using MailChannels. It also gives you a slightly higher chance of landing a spoofed emails from any domain that doesn't have an SPF & DMARC due to ARC adoption.
It was released at the Defcon 31 talk SpamChannel: Spoofing Emails From 2 Million+ Domains and Virtually Becoming Satan.
Slides for the talk are here
I'm a MailChannels customer, how do I stop people from impersonating my domain?
TL;DR set your Domain Lockdown Record ASAP.
Defcon Talk
Demos
Below are the demos from my Defcon talk demonstrating email spoofing using this Cloudflare Worker.
This video demonstrates spoofing an email from a domain configured with DMARC + DKIM:
This video demonstrates impersonating Satan ([email protected]):
How to deploy this yourself
- Signup and create a free account on Cloudflare (https://dash.cloudflare.com/sign-up)
- Clone this repo
- Install Wrangler CLI tool (
npm i -g wrangler) - Run
wrangler loginand login to your account - In the root of this repo run
wrangler publish
Credits
Code was based on @ihsangan's gist.