Please I need help am new to Miab. Some guy came over my place and he just set up and Smtp Using Miab. He installed it on an Ubuntu Server and just picked any a random domain that was existing online and set it up with the Miab and started sending out emails. I was shocked please how is this possible. Because he doesn’t own the domain. I really need to know how this happened. Kindly explain to me as I don’t understand.
It is called “email spoofing” and anyone can do it. Properly configured servers (like your MiaB) will reject spoofed emails at delivery assuming the real domain owner has configured their DNS correctly.
Oh, and please don’t hijack unrelated threads … there is absolutely no reason that you couldn’t start a specific topic for this. Actually, I have just done this.
Sorry for doing so that am new I was looking for where to write a direct message. Please could you please teach me how it been done so that I can take measures and also try it with my organization and see if we have also a loop hole. I was really shocked and surprised because those emails were been delivered to outlooks and office365 and it make me look like a fools seeing that I am not sure that my organization is even safe.
Thanks, could you please explain the Spoofing using Miab. Because this young man configured Miab using the random domain from the start. Please how is this done.and why was it possible to use that domain. Is there something he checks from the mxtools as he went there to check but I don’t know what he searched for using Mxtool but how’s it possible.
Anyone can setup a mail server (using any mail server software) with anyones domain. Is basically the honor system. What makes mail delivery happen is the DNS records for that domain. You wont “RECIEVE” mail, but you can send it all you want. This is why there were things implemented like DKIM see (What is DKIM? All about DomainKeys Identified Mail (DKIM) - DMARC Analyzer) for an explanation. As well as SPF see (What is SPF? All about the Sender Policy Framework (SPF) - DMARC Analyzer) for an explanation.
You cant prevent anyone from sending mail as your domain, what you can do is hopefully have the “spoofed” mail server reject it because of these DNS entries that control properly delivery (on the target mailserver)
1 Like
If the target mail server doesn’t check DKIM and SPF then it will likely deliver the mail (right to your inbox without adding some kind of SPAM tag) and it will seem “legitimate” without A PERSON looking at the headers of the mail it might be hard to tell that it was spoofed or not.
I really don’t understand how this is possible. Can I get a video example explanation please
I dont think anyone here is going to make a video for you. You need to talk the time to do your own homework and research “how email works”. Maybe there is a youtube already out there for it… I’ve tried to explain it but there is no way you even read the two external links in the amount of time it took for you to post again. 
I just need to know about the configuration been done on Miab that made this possible
Give me an example of how the regular domain was been set up in Miab to make it possible to send emails from the domain.
When someone runs
curl -s https://mailinabox.email/setup.sh | sudo bash
they put in a random domain ( example.com )
Once that domain (thats not owned is entered) then the setup will just work. BUT you will never be able to modify the glue records or dns to the actual domain. Again, email will send but what you’ve done is created a spoofed email server. The things I mentioned above prevent mail delivery if your email server is setup properly.
One would need to create a user. But, why are you so keen on learning HOW to spoof email? Are you a spammer?
No no no don’t get me wrong. I only want to know this to check my organizations domain. I am not a spammer please. Kindly do not tag me as such. If you don’t want to explain or share your knowledge then keep it. What one does with informations as these determines the kind of person he or she really is when it’s been applied either for good or bad. So please understand me with a Clean and clear mind. Thank you for your help and time
You simply can’t check your organizations domain for spammers because it’s impossible to know if there is a spammer out there trying to send messages with your domain or how many there are… you would have to get a copy of one of the spammers emails and then trace back the IP the server is coming from.
No video 
but basic email is very like physical mail.
There is nothing to stop me sending a letter and writing “From: The King Of England, Windsor Castle” on the envelope. The letter will be delivered, and the diligence/gullibility of the recipient is what determines if they think they got a letter from the king!
Substitute Patrician, President or Dictator-for-Life of your choice.
@JoshData - I could explain how your suspension was an exaggeration, but I will let you wear the pants without contest. Enjoy your hobby project.
Create a DMARC record with a RUA in it … what am I talking about? Read this: https://dmarcian.com/
Then sign up for an account.
You just sounded like a fool. Why the insult if you are that smart you would have been the first person who would have discovered the emailing system. Stop calling me a spammer you fool. And keep your dumb knowledge to yourself idiot. I warned and u categorically said I have no idea of how this works and u slave just opened up that trash called a mouth to start talking shit. If it’s against your life to help others or share knowledge then to respond you don’t have to make others feel the same way. Dirty animal.