CanIPhish / Phishious

An open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers.

How to identify Vulnerable Mail Receivers in the public Internet?

rafale0n opened this issue

Again, fascinating project and would love to learn more about it. If you can share your techniques of identifying Vulnerable Mail Receivers in the wild I would be over the moon.

Thanks once again.

Hi, sorry for the late reply! The easiest way to identify vulnerable mail receivers is to simply email a non-existent address at a target domain and see if a bounce message is received. Once received, you can inspect the headers to identify whether sensitive information is being leaked. I've also created a tool which makes this identification a bit simpler (https://caniphish.com/free-phishing-tools/email-spoofing-test) but there is rate limiting in place to prevent widespread use.

In terms of narrowing things down, I've found that larger organisations that have been around for 10+ years are typically vulnerable to this type of attack.

Closing as answered
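For auditing bounces generated by a mail system you operate, the header inspection described in the reply can be scripted. The following is an added example, not code from the Phishious project: the sample bounce is constructed, and the function names and the list of header names treated as leaky are assumptions to adapt to your own gateway.

```python
import email
from email import policy

# Header names that expose filter verdicts or internal routing (assumed list; extend per gateway).
LEAKY_PREFIXES = ("x-spam-", "x-ms-exchange-organization-", "x-forefront-antispam")
LEAKY_EXACT = {"authentication-results", "received"}

# Constructed bounce for mail sent to a non-existent mailbox (placeholder names).
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mail.example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The address nobody@example.com does not exist.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com

Final-Recipient: rfc822; nobody@example.com
Status: 5.1.1
--b1
Content-Type: text/rfc822-headers

Received: from gw.example.com (gw.internal.example.com [10.0.0.5])
 by mail.example.com; Mon, 1 Jan 2024 00:00:00 +0000
X-Spam-Status: No, score=1.2 required=5.0
X-Spam-Score: 1.2
From: tester@example.org
--b1--
"""

def returned_headers(bounce):
    """Yield (name, value) for original-message headers echoed in a bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original message attached
            yield from part.get_payload(0).items()
        elif ctype == "text/rfc822-headers":   # headers-only return
            inner = email.message_from_string(part.get_content(), policy=policy.default)
            yield from inner.items()

def leaked_headers(raw):
    bounce = email.message_from_string(raw, policy=policy.default)
    return [(n, str(v)) for n, v in returned_headers(bounce)
            if n.lower() in LEAKY_EXACT or n.lower().startswith(LEAKY_PREFIXES)]
```

An empty result from `leaked_headers` on your own bounces means none of the listed headers are being echoed back to external senders.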