The GoPhish, Encryption, Red-Team, and all that else… what are they?

Stasy Hsieh
6 min read · Sep 9, 2024


As I write this post, I am attending Georgia Institute of Technology’s cyber policy track master’s program.

Feynman once said that if you cannot explain something to your granny so that she understands it, you don’t understand it wholly. That’s what I told myself as well: tell myself again what I just learned.

GoPhish, Red Teams… I had never heard these terms before. And our first assignment is to get the TA phished with our email. It’s a team assignment.

r-tec is a pioneer in GoPhish; this blog post takes it a step further, showing how r-tec’s technology could be extended. And this YouTube video shows a guy’s respectable trial and error in bypassing Google’s censorship.

So here are some links and short introductions: the GoPhish Python API documentation (https://github.com/gophish/python-api-documentation) and the GoPhish user guide (https://docs.getgophish.com/user-guide).

Terminology explained:

1. DMARC (Domain-based Message Authentication, Reporting & Conformance): This is a security tool that helps protect an email sender’s reputation by preventing email spoofing (where someone sends fake emails pretending to be you). It works by checking if the email really comes from the domain it claims to come from and provides rules for how to handle emails that fail the check (e.g., put them in spam).

2. DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to an email to prove that it was sent by an authorized server and hasn’t been tampered with during delivery. Think of it like a wax seal on a letter — if the seal is intact, you know the letter is genuine.

3. SPF (Sender Policy Framework): SPF is a list of authorized servers that are allowed to send emails for your domain. It helps email providers figure out whether an email from a domain (like @yourdomain.com) is really from that domain or from a spammer.

4. SMTP Relay (Simple Mail Transfer Protocol Relay): This is a service that forwards emails from your server to the recipient’s server. When using a trusted SMTP relay, it helps make sure your email gets delivered without being marked as spam.

5. IronPort Email Security: IronPort is a system used by organizations to filter and block unwanted or harmful emails, like spam or phishing attempts. It acts as a gatekeeper, protecting the email system from threats.

6. GoPhish: GoPhish is a tool used for creating phishing campaigns for testing purposes. It helps security teams send fake phishing emails to see how good their organization is at identifying and handling phishing attempts.

7. Mailgun: Mailgun is a service that helps you send large volumes of emails, often used for automated systems like newsletters or transactional emails. It’s commonly used in email testing and delivery to make sure messages don’t end up in spam folders.

8. Red Team: Red Team is a group of security professionals that simulate real-world cyberattacks on an organization to test its defenses. Their goal is to think like attackers, identify vulnerabilities, and exploit weaknesses in systems, networks, or human behavior to help improve overall security.

Here’s a breakdown of what a Red Team does:

Simulates Real Attacks: They use the same tools, techniques, and methods that actual hackers might use to break into systems. This can include phishing attacks, exploiting software vulnerabilities, and social engineering.

Tests Security Defenses: The purpose is to see how well an organization’s defenses hold up against an advanced and persistent threat.

Collaborates with a Blue Team: Often, a Red Team works in tandem with a Blue Team (the organization’s internal defense/security team). The Blue Team defends, while the Red Team attacks to find vulnerabilities.

Ethical Hacking: While they simulate attacks, the Red Team operates within agreed-upon ethical boundaries to ensure no real damage is done to the systems being tested.

In short, a Red Team is focused on offensive security — trying to break into systems to find weaknesses before real attackers do.

What we did so far:

1. Set Up a Trustworthy HTTPS Website:

• Ensure that the phishing website is secured with an SSL certificate, so it uses HTTPS and appears trustworthy to the target.

• Test the SSL certificate to make sure it doesn’t raise any security warnings.

• Create a realistic-looking login page, ensuring it mimics the VPN login page and avoids any suspicious elements that could raise flags.

2. Fine-Tune Email Settings:

• Continue adjusting SPF, DKIM, and DMARC records to further enhance email delivery success and avoid being flagged as spam.

• Experiment with different SPF configurations to ensure more consistent inbox placement.

3. Analyze Gatech.edu’s IronPort Security:

• Investigate more about IronPort’s email filtering rules to better understand how to bypass them.

• Review the Mailgun logs for patterns where emails were flagged as spam, and tweak the setup accordingly.

4. Test Different Email Content:

• Modify the email content (subject line, sender name, and body) to further avoid triggering spam filters.

• Ensure that emails appear realistic and professional to increase the chance of the recipient clicking on the link.

5. Continue Phishing Campaign Testing:

• Send more test emails to multiple gatech.edu accounts, tracking which emails land in spam and which make it to the inbox.

• Monitor email reputation scores over time to see if the changes improve inbox delivery.

6. Prepare for Demo Call:

• Be ready to demo the phishing website and email delivery during the upcoming call. Show successful results and discuss the challenges of bypassing IronPort.

• Highlight the strategy of using Mailgun and the HTTPS website as a key part of the phishing setup.

7. Reputation Monitoring:

• Track the reputation of the phishing website and email domain using monitoring tools to ensure they are not blacklisted or flagged by security systems.

8. Collaborate with Team:

• Share progress with teammates, including the website setup and email testing results.

• Discuss potential alternative methods if needed, based on the feedback from your team and demo results.

Q&A

How do you do “Reputation Monitoring” for your website and email domain?

Reputation monitoring helps ensure your domain and website are not flagged as malicious or blacklisted, which can negatively affect email deliverability and site accessibility. Here’s how to monitor reputation:

For the Phishing Website:

SSL Labs (Qualys): Use this tool to test your site’s SSL certificate and security configuration. It ensures your site’s HTTPS is properly set up.

• Website: https://www.ssllabs.com/ssltest/

Google Safe Browsing: Check whether your website is flagged by Google as unsafe or hosting malicious content.

• Website: https://transparencyreport.google.com/safe-browsing/search

VirusTotal: Scan your website URL to see if any security tools or databases have blacklisted your domain.

• Website: https://www.virustotal.com/

For the Email Domain:

Sender Score: This is a free tool by Validity that gives you a score based on how trustworthy your domain’s emails are. It helps you understand how mailbox providers view your domain’s reputation.

• Website: https://www.validity.com/senderscore/

MXToolbox: This tool checks if your domain is blacklisted by any email providers or spam filters. It also tests your SPF, DKIM, and DMARC settings.

• Website: https://mxtoolbox.com/

Mailgun Dashboard: Since you’re using Mailgun, their dashboard provides tools to monitor email deliverability, domain reputation, and logs showing why emails may be flagged.

Google Postmaster Tools: If you’re sending emails to Gmail users, this tool shows how your domain’s reputation affects email delivery.

• Website: https://postmaster.google.com/

Steps for Monitoring:

1. Check Regularly: Run your domain and website through these tools periodically to ensure you are not being blacklisted or flagged.

2. Review Logs: Use Mailgun’s dashboard or other email providers’ logs to see if emails are being blocked or marked as spam.

3. Analyze Results: If you notice any issues, adjust your SPF, DKIM, or DMARC settings, or address any security vulnerabilities on your website.

4. Take Action on Alerts: If any of these tools indicate that your domain or website is blacklisted, follow their guidelines for remediation, which might involve improving security, re-verifying your email domain, or filing a request for delisting.

What does “SPF p=reject” mean?

SPF (Sender Policy Framework) is a system that helps prevent email spoofing by allowing a domain to specify which mail servers are authorized to send emails on its behalf. The “p=reject” setting is part of the SPF policy, and it tells recipient mail servers to reject any email that doesn’t come from an authorized sender.

In more detail:
- SPF record is a DNS (Domain Name System) text record that contains a list of allowed IP addresses or mail servers for sending email from your domain.
- The p=reject policy enforces strict rejection of emails that do not match the authorized servers defined in the SPF record. This means if an email fails the SPF check, it is rejected outright, rather than going to the spam folder or being delivered with a warning.

How to configure SPF p=reject:
- Add an SPF record to your domain’s DNS settings.
- The SPF record might look like this: v=spf1 include:mailgun.org -all
Here, mailgun.org is authorized to send email on behalf of your domain. The -all part is key: it tells recipient servers to reject emails from servers not listed in the SPF record.

If your domain is hosted on a platform like Namecheap or Cloudflare, you would:
1. Log into your domain host (e.g., Namecheap, Cloudflare).
2. Navigate to the DNS management section.
3. Add or edit the SPF record, making sure to use the `-all` (reject) directive for any unauthorized servers.
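As an added example (not code from the post), here is a small Python checker that reads SPF and DMARC TXT records the way a receiving mail server does, covering both the terminology section above and this SPF question. One caveat worth keeping straight: the `p=reject` tag lives in the DMARC record published at `_dmarc.<domain>`, while an SPF record expresses its strictness through the qualifier on its `all` term (`-all` hard fail, `~all` soft fail), so the checker reports the two separately. The records are constructed samples, not live DNS lookups.

```python
# Constructed sample TXT records (not live DNS data). example.org mirrors the
# SPF record in the post; lax.example.org shows weaker settings for contrast.
SAMPLE_TXT = {
    "example.org": "v=spf1 include:mailgun.org -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    "lax.example.org": "v=spf1 include:mailgun.org ~all",
    # lax.example.org deliberately has no _dmarc record
}

SPF_ALL = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}

def parse_spf(record):
    """Return (mechanisms, qualifier on 'all'); qualifier is '' if no 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_q = [], ""
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body.lower() == "all":
            all_q = qualifier          # -all / ~all / ?all / +all
        else:
            mechanisms.append(body)    # e.g. include:mailgun.org, ip4:..., mx
    return mechanisms, all_q

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess_domain(domain, txt=SAMPLE_TXT):
    """Summarise how strictly a domain's SPF and DMARC records are enforced."""
    senders, all_q = parse_spf(txt[domain])
    dmarc_txt = txt.get("_dmarc." + domain)
    # p= is a DMARC tag; without a _dmarc record there is no policy at all
    policy = parse_dmarc(dmarc_txt).get("p", "none") if dmarc_txt else "missing"
    return {
        "spf_senders": senders,
        "spf_all": SPF_ALL.get(all_q, "no 'all' term"),
        "spf_hard_fail": all_q == "-",                 # unlisted senders fail SPF
        "dmarc_policy": policy,
        "dmarc_enforced": policy in ("reject", "quarantine"),
    }
```

Running `assess_domain("example.org")` and `assess_domain("lax.example.org")` side by side shows the difference between a domain that rejects spoofed mail and one that only soft-fails it with no DMARC policy at all.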
