Discovering Hidden Email Gateways with OSINT Techniques by Gabor Szathmari

January 31, 2019

In this article, we elaborate how we managed to identify hidden internal email gateways by relying on various open-source intelligence (OSINT) data sources for our direct email spool attack research.

Prerequisites of the Direct Email Spool Attack

Normally, direct email spool attacks should not work as the major email security solution vendors advise customers to lock down their local email services and publish network ranges belonging to their service to enable administrators to lock down local email services. Local email servers should only accept emails from the upstream email security solution.

Bad actors can circumvent email security solutions by feeding emails directly to the local email server 

As the diagram shows, the list of requirements to carry out a successful direct email spool attack is relatively short. We only need three things:

  • The hostname of the local email server running behind the email security solution;
  • An email server feeding the emails directly to the local email server by ignoring the MX records; and
  • A misconfigured local email server accepting emails from other servers than the upstream email security solution.

Read the rest of this story with a free account.

Already have an account? Sign in

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Oldest Most Voted
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023
What certifications or qualifications do you hold?
Max. file size: 150 MB.

What level of experience should the ideal candidate have?
What certifications or qualifications are preferred?

Download Free eBook

Step 1 of 4


We’re committed to your privacy. Hakin9 uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.