How to Spoof 97% of Email Accounts

Great work! Shared it on

This was great, really informative and interesting.

Great Content Chris

Really nice presentation, thank you

Thank you for the informational video, this was incredibly valuable!

I got this to work pretty quickly! Thank you so much! One issue that I ran into was that I need to also spoof the IP address that I'm sending from because the SPF record is set to a certain IP range. Gmail allows the mail to go through, but my organization catches the mail and it does not get delivered. I was thinking about using scapy to try and write a python program, but it isn't working. Do you have any solution for this?

Hey, which is better.
Sending email using self written normal python script or using gophish.

How does mimecast & proofpoint handle spoof emails. Will the emails get through to the inbox?

Hey man thank you so much! This was super informative both in the explanation at the beginning and in the demo at the end. I learned a lot and can't thank you enough!! As I was following along with the demo when it finally came to sending the test email, all the connections timed out and nothing was sent. Everything up to then was setup perfectly, my cloudflare was automatically completed with the DNS entries, and I could access the gophish portal perfectly. Just wondering if you know of any fix to this problem or if you have any ideas? Once again thank you for the great work and great lecture!!

You just left someone hanging if you know you wont help you shouldn’t have built this wonderful application you made me changed my project in school i choose the email marketing as my project defense , its just a waste of time when you can’t help

Hi, so basically to protect my domain, all I need to do is add p=reject into my DMARC? Shoul I add sp=reject too or is that not necessary? Thanks, gained a subscriber :-)

Lol I had a look at the Collage I am currently studying at and found they don't even have a DMARC record.

Also using Mac OS how do I get mail spoofer to my server the scp code doesn’t seem to work

where can i get the mail-spoofer tmp?

Hello Powell, just a question, I made authentication with a password not with a ssh key, what is the command to install mail-spoofing on digital ocean becuase "scp -r .\Deskptop\mail-spoofer\ spoof:/tmp" doesn't work to me, I hope you can answer me :) (min 46:36 of the video)

This is a holy grail if my African friend found this video!! this is kinda out of the topic of the awareness its more to from small spammer become guru of the email spoofer BUT!! this is must people know about it so they know how degerous is the Phishing don't always belive what you seeing and don't ever click on what you see on your email its 95% security patch 5% human error this kinda of human error that never can be patched! SALUTE FOR THE VIDEO!

Where did Chris post the tool that summarized the entire exercise?

I’m trying to send a test email but after a while getting an error that says “Max connection attempts exceeded - EOF” anyone know why?

sorry, just a noob here! when you pushed all your files to the digital ocean, it means you setup gophish in your machine in docker first then you pushed that or you just pushed the mail-spoofer file to the digital ocean?

Digital ocean blocks port 25. Any solution for this

Does this still work? I think I have rebuild on digital ocean about 10 times now... Still no sent email

Amazing 👏🏼

If I get my domain and do everything what you did. Hypothetically speaking, if I am to forge from scratch or just copy x company's mail content to make it look like it's theirs, when it's not. Will it then immediately be recognized by gmail for example and sent to spam.
I.e. Facebook's logo inside the mail

This is nice, but can you reply to the emails after sending it? it seems it will only be sent once, but cant actually have a conversation in email

Do you know how could I possibly resolve postfix timing out? It shows email sent, but the ubuntu says postfix keeps timing out and no email is received.

still works took many hours of trail and error but is legit

THANK YOU

My mails not inboxing non of them how is that possible?

how did you end up getting a domain from go daddy? and is there any free alternatives if possible?

Hi
thanks for sharing such an important information
As you said your team worked on spoofed emails. I need help from you as I am doing project on spoofed email detection using ML. I cant find a data for spoofed emails to train my model . if you have spoofed email dataset can you share it with me, I can explain my project to you. thank you.

I did all the steps above and managed to spoof the emails but all landed in junk folder flagged as spam.

hello, i keep getting an error when trying to send a test mail "Max connection attempts exceeded - dial tcp: lookup postfix25: Temporary failure in name resolution"....any solution?

What are your thoughts on dmarc?

Does it still work in 2024 what are the best ways to defend an attack like this

What does it mean when it shows fo=1 ?

hi chris did gmail updated their filters i tried to forge dmark with your setup but i get A fail !

Can you please answer my question Chris, my landing page does not display even viewing page source doesn’t show

How do i boost my reputation?

Does this only work on Linux ?

You know this exact vulnerability has been available for mobile phone numbers as long as it has for email? 😂
I love how sincere you sound when saying you don't know why this vulnerability exists 😂
By the way, if you think number 10, or the cia leave this low hanging fruit misconfigured by mistake, you are very naive 😅

is this illegal!!!

Video too long

Why is it that when I put the sendgrid Api key in your tool it don’t work the mails are sent through the smtp port 25 ?

Please I’ll like to speak to you personally. Maybe you could find a way to contact me, thanks and I hope you consider my plea

cia.gov has a p=none and rua setup now 😂

Digital ocean blocks port 25 🥲🥲🥲.
Is there any way we can use any other port