Mail server, domain, phishing, mass mailing
#1
Good evening Everyone,

I don't know if I'm in the right section, but I'm going for it.

I am preparing to create a mail server for phishing campaigns, mass-mailing and others.
I would need some advice please, I'm thinking of starting on an Ubuntu server OS with Postfix, Dovecot, Dovecot-sieve, Postgrey, PostfixAdmin and Roundcube for the webmail interface.

However, I can't figure out what will stop my emails from being considered spam or something else.
Is it the server IP or rather the domain (young, old, verified...)?
What will keep the emails from falling into spam or even being blocked?

I've also heard about a technique, on this site or elsewhere, I don't know, called domain fronting (it makes it look like the victim computer's traffic is calling highly trusted domains, when it actually calls the attacker's server domain). Would that be a good thing too, please?

Thanks in advance!
#2
From my experience and research:
- Avoid spoofing the domain. Use typo-domains or homoglyph domains.
* You can still spoof other domains if, for example, the target domain has bad SPF records and the like. See Corvo's thread: https://greysec.net/showthread.php?tid=8052 Just beware that having bad SPF records can still be reason enough for emails to get put into the trash or the spam filter. There are still, of course, phishing gangs with a lot of resources who have spoofed reputable domains too, but it usually involves BGP hijacking, which requires you to hack into different ISP routers first.

- Use a top-level domain: https://en.wikipedia.org/wiki/List_of_In...el_domains
- If possible: use whitelisted domain providers to host your content or phishing pages. For example: Google Cloud, Google Drive, Microsoft Azure, a compromised SharePoint site, Amazon AWS, etc.

You can get some more tips from Microsoft warning people about sneaky phishing gangs bypassing their filters :p https://www.zdnet.com/article/microsoft-...ng-attack/
#3
(08-09-2021, 05:18 PM)Insider Wrote: [...]
- Avoid spoofing domain. Use typo-domains or homoglyph-domains.
[...]

To complement: if for some reason you have difficulties with any generator results, you can check this repository and create your own. In it there is a very useful file with homoglyphs for each character separately. If you're lucky, you'll find a provider that isn't properly filtering the domains field, and you might be able to register something like ցooցӏе.com.
#4
Thank you for your answer @Insider and @Corvo (it's still me, but I lost access to my first account), and it's really a very good approach you've given me there, very complete! I will study all that.

Indeed, one of my problems is to find a provider who does not filter the domains, and that's why I wanted to try the domain fronting technique, which I think I read about on the forum:

https://bigb0ss.medium.com/redteam-c2-re...bedbd28305

Do you think that this could be beneficial please?
#5
I've never tried this technique, I can't tell you how effective it is, but every technique that works is good. About filters, you can always test on any provider. Whether they [the filters] are on the client side, in a .js file, or in the page's own code, you can simply open the developer tools in your browser [F12] and get rid of those functions. If they are being done server-side, you can still test by sending the domain with the extra characters percent-encoded, for example:

Code:
ցooցӏе : %D6%81oo%D6%81%D3%8F%D0%B5¹

You can do this encoding on any developer-tools site. Some search engines (DuckDuckGo, etc.) will even do this right in your search bar. Or, offline, I usually use the quote()² function in Python, which does exactly the same thing. But always remember to check the final URL before completing the domain purchase. It doesn't always work.


¹ Here I made a mistake. I don't know if it would be ideal to use so many special characters, the result seems very unlikely to be accepted. It might be better to use only the necessary characters. Just one if possible.
² From the urllib.parse lib.
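A defender-side check for the look-alike hostnames discussed in this thread, covering both the percent-encoded form above and raw homoglyph domains: it undoes the percent-encoding, maps confusable characters back to the ASCII letters they imitate, and flags mixed-script labels and matches against a protected brand list. This is an added example, not code posted by anyone in the thread; the CONFUSABLES table is a small constructed subset of the Unicode confusables data and PROTECTED is a constructed placeholder list.

```python
import unicodedata
from urllib.parse import unquote

# Constructed subset of Unicode confusables (look-alike -> ASCII letter);
# a real checker loads the full UTS #39 confusables.txt instead.
CONFUSABLES = {
    "\u0581": "g",  # ARMENIAN SMALL LETTER CO
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}
# Constructed list of brands to protect; in practice, your own domains.
PROTECTED = {"google.com", "microsoft.com", "outlook.com"}

def decode_hostname(raw: str) -> str:
    """Undo percent-encoding (as a web form would receive it) and lowercase."""
    return unquote(raw).strip().lower()

def scripts_in(label: str) -> set:
    """Scripts used in one label, read from the Unicode character-name prefix."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def skeleton(hostname: str) -> str:
    """Replace each confusable character with the ASCII letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)

def analyze(raw: str) -> dict:
    """Signals a mail or URL filter would log for a sender/link hostname."""
    host = decode_hostname(raw)
    scripts = set()
    for label in host.split("."):
        scripts |= scripts_in(label)
    skel = skeleton(host)
    return {
        "hostname": host,
        "non_ascii": not host.isascii(),
        "mixed_script": len(scripts) > 1,
        "skeleton": skel,
        "impersonates": skel if skel in PROTECTED and skel != host else None,
    }
```

Feeding the thread's example through analyze() reports three scripts in one label and a skeleton of google.com, which is the pair of signals a registrar form or mail gateway should be rejecting on.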
#6
(08-15-2021, 11:48 AM)smoky1 Wrote: Thank you for your answer @Insider and @Corvo (it's still me, but I lost access to my first account), and it's really a very good approach you've given me there, very complete! I will study all that.

Indeed, one of my problems is to find a provider who does not filter the domains, and that's why I wanted to try the domain fronting technique, which I think I read about on the forum:

https://bigb0ss.medium.com/redteam-c2-re...bedbd28305

Do you think that this could be beneficial please?

Just read your link, yeah, very smart idea. This is probably a great way to bypass spam filters and such, especially in MS environments like Outlook. The key is to make your domain/site look and feel as legit as possible.
#7
(08-15-2021, 12:34 PM)Corvo Wrote: I've never tried this technique, I can't tell you how effective it is, but every technique that works is good. About filters, you can always test on any provider. Whether they [the filters] are on the client side, in a .js file, or in the page's own code, you can simply open the developer tools in your browser [F12] and get rid of those functions. If they are being done server-side, you can still test by sending the domain with the extra characters percent-encoded, for example:

Code:
ցooցӏе : %D6%81oo%D6%81%D3%8F%D0%B5¹

You can do this encoding on any developer-tools site. Some search engines (DuckDuckGo, etc.) will even do this right in your search bar. Or, offline, I usually use the quote()² function in Python, which does exactly the same thing. But always remember to check the final URL before completing the domain purchase. It doesn't always work.


¹ Here I made a mistake. I don't know if it would be ideal to use so many special characters, the result seems very unlikely to be accepted. It might be better to use only the necessary characters. Just one if possible.
² From the urllib.parse lib.
Thanks for these details Corvo, I finally have a very good way to explore!

(08-15-2021, 12:40 PM)Insider Wrote:
(08-15-2021, 11:48 AM)smoky1 Wrote: Thank you for your answer @Insider and @Corvo (it's still me, but I lost access to my first account), and it's really a very good approach you've given me there, very complete! I will study all that.

Indeed, one of my problems is to find a provider who does not filter the domains, and that's why I wanted to try the domain fronting technique, which I think I read about on the forum:

https://bigb0ss.medium.com/redteam-c2-re...bedbd28305

Do you think that this could be beneficial please?

Just read your link, yeah, very smart idea. This is probably a great way to bypass spam filters and such, especially in MS environments like Outlook. The key is to make your domain/site look and feel as legit as possible.
Thanks Insider, yes, I think so too. I will report back if it works well and gets past the filters, and then I will surely write a well-detailed tutorial on this technique.