Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source.
I found this vulnerability checking the MX records in MxToolBox.
- $URL
- Go to https://emkei.cz/.
- Write down XXX in
From Emailfield - Add Support in the
From Namefield. - Write down the test address (where you want to check the spoofed email) in the
Tofield. (I used my personal email pdelteil@gmail.com) - Add a subject and body test messages.
- Click en send.
An email will be send to your test address from $EMAIL
- Gmail
Users can be triggered to click into links controlled by the attacker. Even though in my case the email was received in the spam folder, this problem can be overcame by reaching the user and make him/her to check for a urgent message that might not have been received.