avoid_spam_issues (compared revisions: 2018/05/18 09:04 and 2020/04/03 13:15, both by lucy)
===== How can I get past common email defenses like SPAM filters? =====
  
The goal of a phishing campaign is to test people, so you don't want to spend much time engineering a bypass for an external email filter: most filters are "black boxes", and the only way to avoid being filtered is very time-consuming trial and error. We therefore strongly recommend creating a **whitelist entry** on your SPAM/email defense solution (whitelist either LUCY's domain or its IP address).


===== What can I do when my emails get filtered? =====
  
  
**Use an external mail server**
Using an [[mail_delivery_methods_in_lucy|external mail server]] that already has an established domain configured is often the easiest and quickest workaround for SPAM issues.
  
  
**Set the HELO/EHLO SMTP host name in LUCY (only required if you use LUCY's built-in mail server)**
It is recommended to set an SMTP server name (the host name LUCY announces to other mail servers). Most SMTP servers will accept your mail if the sending IP simply has a reverse DNS entry; it does not have to match the domain in your sender address. Some SMTP servers, however, reject mail if the reverse DNS does not match the HELO/EHLO host name used in the connection. If your mail server's host name is mail.example.com, then its reverse DNS, MX record, HELO/EHLO name and SMTP greeting banner should all be mail.example.com as well. According to RFC 2821 (now RFC 5321), the SMTP client MUST, if possible, ensure that the domain parameter of the EHLO command is a valid principal host name (not a CNAME or MX name) for its host. If this is not possible (e.g. when the client's address is dynamically assigned and the client does not have an obvious name), an address literal (the IP address in square brackets) SHOULD be substituted for the domain name, together with supplemental information that helps identify the client. An SMTP server MAY verify that the domain name given in EHLO actually corresponds to the client's IP address. You can save this under the mail settings:
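The consistency rule above can be checked mechanically before a campaign. The script below is an added example written for this page, not part of LUCY: given the sending IP and the name LUCY will announce in HELO/EHLO, it verifies that the IP has a PTR record, that the PTR name resolves back to the same IP (forward-confirmed reverse DNS), and that the HELO name is that same host, and it flags the address-literal case from RFC 2821 when no PTR exists. The DNS answers come from a constructed in-memory table using RFC 5737 documentation addresses and made-up host names, so it runs offline; replace the two lookup functions with a real resolver to test your own server.

```python
"""Added example (not LUCY code): HELO/EHLO vs. PTR/A consistency check,
the test a strict receiving MTA applies before it looks at the message."""

# Constructed reverse (PTR) and forward (A) data for three sending hosts.
ZONE = {
    "PTR": {
        "203.0.113.10": "mail.example.com",  # PTR and A agree: forward-confirmed
        "203.0.113.30": "mail.example.net",  # PTR names a host that resolves elsewhere
        # 203.0.113.20 deliberately has no PTR record at all
    },
    "A": {
        "mail.example.com": ["203.0.113.10"],
        "mail.example.net": ["198.51.100.7"],
    },
}


def ptr_record(ip):
    """Reverse lookup: host name for ip, or None when no PTR exists."""
    return ZONE["PTR"].get(ip)


def a_records(name):
    """Forward lookup: addresses for name (empty list when unknown)."""
    return ZONE["A"].get(name.lower().rstrip("."), [])


def check_helo(ip, helo):
    """Return (ok, findings) for a client at `ip` that sent `HELO helo`.

    ok is True only when a PTR exists, it forward-confirms to ip (FCrDNS),
    and the HELO name is that same host.
    """
    findings = []
    rname = ptr_record(ip)
    if rname is None:
        findings.append(f"{ip} has no PTR record; many receivers reject or score this")
        # RFC 2821/5321: a client without a usable name SHOULD send the
        # address literal [ip] in HELO rather than invent a host name.
        if helo != f"[{ip}]":
            findings.append(f"HELO {helo!r} should be the address literal [{ip}] until a PTR exists")
        return False, findings
    if ip not in a_records(rname):
        findings.append(f"PTR says {ip} is {rname}, but {rname} does not resolve to {ip} (FCrDNS fails)")
    if helo.lower().rstrip(".") != rname.lower():
        findings.append(f"HELO {helo!r} does not match the PTR name {rname!r}")
    if ip not in a_records(helo):
        findings.append(f"HELO name {helo!r} does not resolve to {ip}")
    return not findings, findings


if __name__ == "__main__":
    for ip, helo in [("203.0.113.10", "mail.example.com"),
                     ("203.0.113.20", "lucy.local"),
                     ("203.0.113.30", "mail.example.net")]:
        ok, findings = check_helo(ip, helo)
        print(ip, helo, "OK" if ok else "; ".join(findings))
```

Only the first host passes; the second shows what happens when LUCY keeps a default name with no matching PTR, the third the subtler case where a PTR exists but does not forward-confirm.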
  
{{ spam_test.png?600 }}
  
**Don't use a private account as your sender address**
If you send through a major ESP using a personal address such as paul@yahoo.com or paul@aol.com, large receivers like Google will block your email. Why? Because Yahoo and AOL publish SPF and DMARC policies telling receivers to reject mail for their domains that comes from other servers. The solution is to use a corporate email address or a domain you own. But watch out: if your company domain is "mycompany.com", you probably won't be able to use it as the sender either, since the spoofing attempt will most likely be detected if the domain has an SPF record. You can check this here: https://mxtoolbox.com/spf.aspx
  
Set MX, A and SPF records for the domain you use in the test, all pointing to LUCY. Enable [[dkim_support|LUCY's DKIM feature]] and publish the corresponding DNS TXT record. Also check: did you use an email address in a domain whose MX record points somewhere else? If you use attacker@gmail.com as the sender, for example, most mail servers will block the email, since LUCY is not the official mail server for that service.
  
**Does the sender domain even exist?**
If your sender address uses a non-existing domain, or a domain that has no MX record, the mail will most likely be dropped by the receiving mail server.
  

**Watch out when you spoof your own domain or use a domain that is SPF protected**
Did you define your own company domain as the sender? Example: you try to phish your employees using mycompany.com, which is the official domain of your company. The problem is that there is probably a DNS record (for example SPF) that defines which mail servers are allowed to send on behalf of this domain. You can check this here: https://mxtoolbox.com/spf.aspx. If such a record exists, your mail server will reject mail for this domain that comes from any other server. The solution: if you still want to run a phishing test with a domain that looks like your company's, register a similar domain such as "my-company.com", or strategically place a typo such as "myconpany.com". Most users won't notice the difference, and you get an additional awareness aspect to test.
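The two DNS conditions described in this section and in the MX/SPF paragraph above (the sender domain must have an MX record, and its SPF record must not exclude the server the mail actually leaves from) can be tested in one go. The following Python script is an added example written for this page, not LUCY code: it implements the core of the SPF check_host() algorithm from RFC 7208 (the ip4, ip6, a, mx, include and all mechanisms plus the redirect modifier; ptr and exists are not implemented) over a constructed in-memory DNS table, and reports for each sender domain whether mail from LUCY's assumed IP 203.0.113.10 would pass, fail, or have no SPF at all. All domains, records and addresses are made up for the example; mxtoolbox.com/spf.aspx gives the live answer for a real domain.

```python
"""Added example (not LUCY code): MX presence and SPF evaluation for a
sender domain against a constructed DNS table. The DNS lookup limit of
RFC 7208 is simplified to a recursion depth; ptr/exists give permerror."""
import ipaddress

LUCY_IP = "203.0.113.10"  # assumed address of the LUCY server (RFC 5737 range)

# Constructed DNS data. Every name and address here is made up.
DNS = {
    "TXT": {
        # Corporate domain: only its own gateway range may send; all else hard-fails.
        "mycompany.example": ["v=spf1 mx ip4:198.51.100.0/24 -all"],
        # Look-alike domain registered for the test and pointed at LUCY.
        "my-company.example": ["v=spf1 a mx ~all"],
        # Domain that delegates its SPF policy to a provider via include.
        "shop.example": ["v=spf1 include:_spf.provider.example -all"],
        "_spf.provider.example": ["v=spf1 ip4:203.0.113.0/26 -all"],
        # nospf.example has an MX but no SPF; nomx.example has neither.
    },
    "MX": {
        "mycompany.example": ["mx1.mycompany.example"],
        "my-company.example": ["lucy.my-company.example"],
        "shop.example": ["mail.provider.example"],
        "nospf.example": ["mail.nospf.example"],
    },
    "A": {
        "mx1.mycompany.example": ["198.51.100.25"],
        "my-company.example": ["203.0.113.10"],
        "lucy.my-company.example": ["203.0.113.10"],
        "mail.provider.example": ["203.0.113.5"],
        "mail.nospf.example": ["198.51.100.40"],
    },
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name):
    """Records of type rtype for name (empty list when there are none)."""
    return DNS[rtype].get(name.lower().rstrip("."), [])


def _ip_in(ip, addr, default_prefix):
    """True if ip lies in addr ('x.x.x.x' or 'x.x.x.x/len'). An IPv4
    address tested against an ip6 network is simply no match."""
    if "/" not in addr:
        addr = f"{addr}/{default_prefix}"
    return ip in ipaddress.ip_network(addr, strict=False)


def check_host(ip, domain, depth=0):
    """SPF result for mail from ip claiming domain:
    pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:  # stand-in for the RFC 7208 limit of 10 DNS-querying terms
        return "permerror"
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup("TXT", domain)
               if [w.lower() for w in t.split()[:1]] == ["v=spf1"]]
    if len(records) != 1:  # no record -> none; several records -> permerror
        return "none" if not records else "permerror"
    redirect = None
    for term in records[0].split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name, _, cidr = name.partition("/")                # "a/24" form
        if "/" in arg and name.lower() in ("a", "mx"):     # "mx:host/24" form
            arg, _, cidr = arg.partition("/")
        name = name.lower()
        if name.startswith("redirect="):  # modifier, used only if nothing matched
            redirect = name.split("=", 1)[1]
            continue
        if name.startswith("exp="):       # explanation text, irrelevant here
            continue
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _ip_in(ip, arg, 32 if name == "ip4" else 128)
        elif name in ("a", "mx"):
            target = arg or domain
            hosts = [target] if name == "a" else lookup("MX", target)
            matched = any(_ip_in(ip, addr, cidr or 32)
                          for host in hosts for addr in lookup("A", host))
        elif name == "include":
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        else:                             # ptr, exists, unknown mechanisms
            return "permerror"
        if matched:
            return RESULT[qualifier]
    if redirect:
        return check_host(str(ip), redirect, depth + 1)
    return "neutral"                      # nothing matched and no all term


def sender_check(sender, ip=LUCY_IP):
    """Is `sender` a workable From address for mail leaving `ip`? ok needs a
    deliverable domain (MX, or A as the RFC 5321 fallback) and an SPF result
    that does not reject the server. neutral counts like none, as RFC 7208
    requires; softfail is usually delivered but scored, so it is not ok."""
    domain = sender.rsplit("@", 1)[-1]
    has_mx = bool(lookup("MX", domain) or lookup("A", domain))
    spf = check_host(ip, domain)
    return {"domain": domain, "has_mx": has_mx, "spf": spf,
            "ok": has_mx and spf in ("pass", "none", "neutral")}


if __name__ == "__main__":
    for sender in ("it@mycompany.example", "it@my-company.example",
                   "orders@shop.example", "test@nospf.example", "test@nomx.example"):
        print(sender_check(sender))
```

Run as is, the corporate domain fails (its -all record names a different gateway), the look-alike domain passes because its a/mx records point at LUCY, the provider-delegated domain passes through the include, the domain without SPF is usable, and the domain without MX is not.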
  
**Set a PTR (reverse DNS)**
Tracking images (tiny embedded images) raise the SPAM score. Untick this option if your mails get filtered.
  
**Avoid advanced LUCY features like "advanced information gathering"**
Advanced information gathering is often detected by scanners that follow the links in a mail, which raises the chance that the mail gets flagged as SPAM.
  
**Test your IP & Domain reputation**
**Don't send too much at the same time**
If you send hundreds of mails without throttling delivery, you may get flagged as SPAM very quickly. Use the [[scheduler|scheduler]] to slow down mail delivery.


**Avoid potentially dangerous attachments**
Certain attachment types (e.g. an exe inside a zip) or Word files with macros are automatically classified as dangerous and will most likely end up in SPAM. Rather than attaching such files to an email, offer them as a download on the LUCY landing page.
  
===== What is the best test procedure with LUCY to identify the source of SPAM issues? =====
  
**Step 1 - TEST MAIL**
Send a [[test_mail|test mail]] to the desired recipient using a sender in a third-party domain **that has no SPF record** (e.g. "test@gaga.com"; you can check SPF here: https://mxtoolbox.com/spf.aspx) or in a valid domain configured on LUCY (valid meaning the domain has an MX record).
  
{{ tstmail.png?600 }}
  
The test mail is always a text-only mail with no suspicious content.

If the test mail does not arrive, the email filter may be blocking all mail from an unknown IP or from a server with a neutral mail reputation (i.e. there is no known activity for that IP on the internet). In that case you can configure an [[using_an_external_mail_server_or_web_proxy|external mail]] server. If you don't have a mail relay you can use, set the mail delivery method for the test to (1) "HTTP Proxy" in the "Settings/Mail Settings" menu and use one of the predefined domains (2):

{{ mailhttpse.png?600 }}


This forces all mail through the external relay operated by SendGrid. You can change this setting later at campaign level (under "Base Settings/Scenario Settings/Mail Settings").
  
**Step 2 - IDENTIFY THE ISSUE THAT TRIGGERS THE EMAIL FILTER**
If the test email arrives, start altering the message and domain settings. It is very important to change the settings step by step in order to identify the reason for getting filtered.

One of the first changes to try is playing with different domain names (e.g. a different domain as the [[http://phishing-server.com/PS/doc/dokuwiki/doku.php?id=mail_settings&s[]=domain|sender mail]] domain, a different domain for the landing page, or even a link containing only an IP address). If different domain names make no difference, make sure the domain settings themselves are correct. Keep the mail and landing page as simple as possible in the beginning, then start adding content.
  
**Step 3 - TEST RUN**
After you have identified and removed the issues that caused the mails to get filtered, we recommend a test run. Do the test run with a single target email account to see whether the email gets filtered and how the link is accessed (a SPAM filter sometimes follows the link in the email before the user does, which makes it impossible for LUCY to know whether the link was really clicked).

  
**Step 4 - REAL CAMPAIGN**
There are three possible message scenarios in case mails are still being filtered:
  
  * a) [[mail_communication_issues_-_mails_do_not_get_send_at_all|No mails sent]]: nothing appears in the message log
  * b) Mails sent, but with an error: an error appears under "[[resend_mails_that_previously_generated_an_error|Errors]]"
  * c) Mails sent, no error: mail communication was established and the mails were accepted for delivery
  
  
  * 2) Investigate your [[:i_started_my_campaign_-_but_no_mails_get_send_and_i_see_no_error|settings]]
  * 3) In some cases there is a sending threshold that limits the number of emails you may send in a certain time frame. Amazon, Google and Microsoft have such limits. A test run may show no difficulties, but once you start sending mass emails the remote mail server may drop the connection.
  
  
  
In case you rent a VPS through LUCY Security, we kindly ask you to first contact the blacklist site and request a de-listing. If you cannot get delisted in a reasonable time, please get in contact with us and we can request an IP address change.

===== "Deceptive site ahead". What can I do? =====
{{ :deceptive_site.jpg?600 |}}

If you see a message like this, the domain name has been blacklisted by Google Safe Browsing. Unfortunately such a domain will usually not be unblocked, because Google bans these domains for phishing.

The fastest and easiest option is to abandon the current domain name and register a new one.
If the domain of the LUCY administration interface itself has been blacklisted, do the following:
  - Open Chrome.
  - Go to Settings > Privacy.
  - Toggle off Chrome's Safe Browsing mode.

After this, the "Deceptive site ahead" message no longer appears and the LUCY administration panel is reachable again. Note that this disables Safe Browsing for every site in that browser profile, so do it only on the administrator's workstation and turn it back on once the administration domain has been changed.

You can check whether your domain has been blacklisted by Google via the link below:
https://transparencyreport.google.com/safe-browsing/search
  
===== Whitelisting in different products =====
  
**GSuite/Google Apps**

Please review [[gsuite_whitelisting|this]] article. In short, this is the recommended setting if you do not have a cloud-based spam filter in front of GSuite:
  * Log in to https://admin.google.com and select Apps.
  * Select GSuite.
  * Select Gmail.
  * Select Advanced Settings.
  * In the Organizations section, highlight your domain (not an OU). Note: GSuite does not allow whitelisting by IP address for individual OUs, only for the entire domain.
  * In the Email whitelist section, enter the LUCY IP address.
  * Scroll to the bottom and click Save. The setting may take up to an hour to propagate to all users.
  
  
  * Select "Set the spam confidence level (SCL) to...", then select "Bypass spam filtering".
  * Click Save.
  * If emails with certain attachments get blocked, set up a Safe Attachments policy: https://support.office.com/en-us/article/set-up-office-365-atp-safe-attachments-policies-078eb946-819a-4e13-8673-fe0c0ad3a775

**O365 Advanced Threat Protection**
  * Go to https://protection.office.com and sign in with your work or school account.
  * In the left navigation, go to Threat management > Policy > Safe Links.
  * In the "Policies that apply to specific recipients" section, choose New (the New button resembles a plus sign (+)) to create a Safe Links policy for specific email recipients. (Alternatively, you can edit an existing policy.)
  * Specify a name and description for your policy.
  * In the "Do not rewrite the following URLs" section, select the "Enter a valid URL" box, type the LUCY URL, and choose the plus sign (+).
  * In the "Applied To" section, choose "The recipient is a member of", then choose the group(s) you want to include in your policy. Choose Add, then OK.
  * When you have finished adding URLs, choose Save in the lower right corner of the screen.
  
  
  * Click Save.


**MessageLabs or Symantec**

To add a global Approved Sender:
  - Select Services > Email Services > Anti-Spam.
  - Ensure that Global Settings is selected in the domains drop-down list.
  - Click the Approved Senders tab.
  - Click the Add Entry option. The Domain/Email/IP and Description fields become editable.
  - In the Domain/Email/IP field, enter the IP address of the LUCY server.
  - In the Description field, enter brief details about the new entry.
  - To add the entry to the list, click Update.

This new policy allows any inbound mail originating from LUCY's IP addresses to reach your users.
avoid_spam_issues.txt · Last modified: 2021/12/14 07:04 by lucysecurity