Spoofing HTML/RTF mail

[ReonBrack]

Hi guys

I have made a mailer script in python that sends phishing emails with personalized links, to track who has taken the bait and who didn't. These people can then be further educated about phishing.

The only thing that's missing to start doing these tests is the email spoofing. I see alot of guides and tutorials with telnet, but that does not support HTML/RTF formatting.

There are some mailer websites that can send spoofed HTML like http://emkei.cz/.

So my question is; how do they do it and is it possible in Python?

EDIT: I have a Direct-To-MX mail feature, but the mail just ends up in the spamfolder.

Edited April 30, 2014 by ReonBrack

[cooper]

Who do you say it doesn't support HTML formatting?

What I typically see is that emails are MIME multipart with the one having a content type of text/plain and the other being text/html where the latter can be your complete HTML of whatever you want to present.

Note that mailers can be configured to either partially or completely ignore the HTML part of your email.

[ReonBrack]

You are right it does, but it's not a user/code friendly way of doing things.

My mails have HTML and RTF attached to them

Edited April 30, 2014 by ReonBrack

[cooper]

I think you're not understanding what I'm saying.

Email in and of itself is plain text. Always.

To get the client to display something other than regular text, you need to encapsulate your content using MIME, where the various parts of the MIME message can be interpreted and displayed by the client. You can make things more user-friendly by continuing to provide the low-end plain text message with your email, but there's no requirement for you to do so. If you want to include an RTF, DOC or whatever, you're allowed to do so because MIME doesn't care. Chances are you'll only see it as an email attachment but that's a completely different problem for you to solve (hint: You can reference the mime parts from HTML)

[ReonBrack]

With the SMTPlib in python you use the attach function to add a MIMEText to a message. That's why I said attach, which is totally different than an email attachement. (Excuse me for the confusion)

There is nothing wrong with my mails, other than I'd like to spoof the sender address (with python).

Edited April 30, 2014 by ReonBrack

[cooper]

Ha! Well, that's something different, yes.

Would this tutorial on SMTPLib suffice?

[ReonBrack]

Everything works other than the spoofing, so I can't do much with a basic tutorial on SMTPlib.
I've tried forging the headers and such, but to no avail.
Maybe smtp.send() does some checks? I don't know.
I have seen some PHP tutorials, and all they do is forge the header.

[cooper]

All you should need to do is change the "from" in both the text and the invocation. That's why I stopped at that (indeed very basic) tutorial.

You don't need to provide credentials to send mail to that server, or do you?

[ReonBrack]

This works if I use Direct-To-MX, but the mail gets flagged as spam.

EDIT: This might be because the default for smtp.ehlo() is localhost.
So if I do something like smtp.ehlo("taget_domain") I might get passed some spamfilters.

Edited April 30, 2014 by ReonBrack

[phpsystems]

Not that I really want to encourage spamming, but have you tried setting up a mail server with Spam Assassin on it, to see how that scores your email? Bear in mind, things like SPF may be out of your control

[cooper]

Since you're targetting your local mailserver with your emails (as you bloody well should) you should use either your current network IP or preferably, assuming you get one, the hostname of your system with in the network.

[ReonBrack]

This tool will not be used for spamming purposes, but for phishing education.
I'll check Spam Assassin out.
EDIT: SPF aims to prevent email forgery, but If the domain name in the sender address is bogus or controlled the sender, the SPF test will not be of any use. So if I use something like @secure.mycompany which does not have an SPF record, the check is skipped

Edited April 30, 2014 by ReonBrack