Mailsploit is a Metasploit-like toolkit targeting vulnerabilities in email programs as a means of compromising an endpoint:

Now one researcher has dug up a new collection of bugs in email programs that in many cases strip away even the existing, imperfect protections against email impersonation, allowing anyone to undetectably spoof a message with no hint at all to the recipient.

On Tuesday, security researcher and programmer Sabri Haddouche revealed Mailsploit, an array of methods for spoofing email in more than a dozen common email clients, including Apple Mail for iOS and macOS, Mozilla’s Thunderbird, Microsoft Mail, and Outlook 2016, as well as a long list of less common clients including Opera Mail, Airmail, Spark, Guerrilla Mail and Aol Mail.

Over the years, administrators of email servers have increasingly adopted authentication systems, most recently one known as Domain-based Message Authentication, Reporting and Conformance, which blocks spoofed emails by carefully filtering out those whose headers pretend to come from a different source than the server that sent them.

By crafting email headers to take advantage of flawed implementation of a 25-year-old system for coding ASCII characters in email headers known as RFC-1342, and the idiosyncrasies of how Windows, Android, iOS, and macOS handle text, Haddouche has shown that he can trick email servers into reading email headers one way, while email client programs read them differently.

Haddouche’s full list of affected email clients and their responses to his Mailsploit research is here.

Blaming the server, rather than the email client, may be more than just a lazy dodge: Haddouche tells WIRED that email providers and firewalls can also be set to filter out his attack, even if email clients remain vulnerable.

Beyond the specific bugs Mailsploit highlights, Haddouche’s research points to a more fundamental problem with email authentication, says Kaminsky.
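The excerpt notes that email providers and firewalls can filter the attack even while clients remain vulnerable. The following is an added example, not code from Haddouche, WIRED or any mail product, showing one way a gateway could compare the raw From header with its RFC 1342 (now RFC 2047) decoded form. The three heuristics, the function names and the sample headers are assumptions constructed for this illustration.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header

ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")   # tab is tolerated
ADDRESS = re.compile(r"[^\s<>()@]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def addr_spec(raw):
    """Address a raw-header policy check would evaluate: inside <...>, else the whole value (simplified)."""
    m = re.search(r"<([^<>]*)>\s*$", raw)
    return (m.group(1) if m else raw).strip()

def decoded_view(raw):
    """Text after encoded-word decoding, approximating what a client may render."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:              # unknown charset label
                chunk = chunk.decode("latin-1")
        parts.append(chunk)
    return "".join(parts)

def inspect_from(raw):
    """Return the list of findings for one raw From header value."""
    findings = []
    spec = addr_spec(raw)
    if ENCODED_WORD.search(spec):
        # RFC 2047 section 5: an encoded-word must not appear in an addr-spec.
        findings.append("encoded-word-in-addr-spec")
    try:
        shown = decoded_view(raw)
    except HeaderParseError:
        return findings + ["undecodable-encoded-word"]
    if CONTROL.search(shown):
        findings.append("control-char-after-decoding")
    raw_domain = spec.rsplit("@", 1)[-1].lower()
    if any(d.lower() != raw_domain for d in ADDRESS.findall(shown)):
        findings.append("decoded-address-differs-from-raw-domain")
    return findings

# Constructed sample headers using reserved example domains.
SAMPLES = {
    "benign": "=?utf-8?Q?Jos=C3=A9_Garc=C3=ADa?= <jose@example.com>",
    "name_only": "=?utf-8?Q?billing=40example.org?= <x@sender.example>",
    "mismatch": "=?utf-8?Q?ceo=40example.org?==?utf-8?Q?=00?=@sender.example",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, inspect_from(header))
```

A gateway would typically quarantine or tag on any finding rather than reject outright, since the third heuristic can fire on legitimate display names that quote an address.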