SpamChannel: Spoofing Emails From 2 Million+ Domains and Virtually Becoming Satan

Presented at DEF CON 31 (2023), Aug. 11, 2023, 11 a.m. (45 minutes).

Ever wake up and ask yourself: “Damn, how could I make email security suck even more today”? Tired of your Red Team's phishing emails not landing in your target's inbox? Do you dislike Boston (the city) and love Satan? If you answered yes to any of those questions, you should come to this talk! I'll be showing you how to spoof emails from 2 million+ domains (while also “bypassing” SPF & DMARC!) by (ab)using a partnership between Cloudflare and the “biggest transactional email service” on the interwebs. We'll be diving into "edge" serverless applications and the magical world of email security where everything is (still) held up by duct tape, pasta, and marinara sauce. Finally, I’ll be dropping code and releasing a tool that demonstrates how to impersonate emails from 2 million+ domains.

REFERENCES:

  • https://blog.mailchannels.com/mailchannels-enables-free-email-sending-for-cloudflare-workers-customers
  • https://trends.builtwith.com/mx/transactional-email/traffic/Entire-Internet
  • https://blog.cloudflare.com/sending-email-from-workers-with-mailchannels/
  • https://trends.builtwith.com/websitelist/MailChannels
  • https://www.rapid7.com/research/project-sonar/
  • https://gist.github.com/ihsangan/6111b59b9a7b022b5897d28d8454ad8d
  • https://community.cloudflare.com/t/send-email-from-workers-using-mailchannels-for-free/361973/11
  • WWW'22 Talk: Revisiting Email Forwarding Security under the Authenticated Received Chain Protocol (https://www.youtube.com/watch?v=V9kajr5dESs)
  • http://arc-spec.org/
  • https://www.rfc-editor.org/rfc/rfc8617.html

Presenters:

  • Marcello Salvati / byt3bl33d3r - Hacker & Entrepreneur, as Marcello "byt3bl33d3r" Salvati
    Marcello Salvati (byt3bl33d3r) is a hacker & entrepreneur with over a decade of experience as an Offensive Security Researcher, Blue/Purple/Red Teamer and Open Source developer. Marcello is known for creating a number of Open Source tools such as CrackMapExec and weaponizing unorthodox programming languages for malware purposes.
