avoid_spam_issues
Differences
This shows you the differences between two versions of the page.
avoid_spam_issues [2018/05/18 09:04] – [Known Issues with Microsoft, Gmail etc.] lucy | avoid_spam_issues [2020/04/03 13:21] – ["Deceptive site ahead". What can I do?] lucy | ||
---|---|---|---|
Line 15: | Line 15: | ||
===== How can I get pass the common email defenses like SPAM filters? ===== | ===== How can I get pass the common email defenses like SPAM filters? ===== | ||
- | The goal of a phishing campaign is people testing. So you don't want to spend too much time in creating a hack that allows you to bypass an external email filter (since most email filters are "black boxes" the only way of preventing you from being filtered is using some very time consuming trial & error methodology). Therefore we strongly recommend creating a **whitelist entry** on your SPAM/Email defense solution (whitelist either LUCY's domain or IP). If this is not possible you try a few other things to get a better SPAM score or bypass filters: | + | The goal of a phishing campaign is people testing. So you don't want to spend too much time in creating a hack that allows you to bypass an external email filter (as most email filters are "black boxes" the only way of preventing you from being filtered is using some very time consuming trial & error methodology). Therefore we strongly recommend creating a **whitelist entry** on your SPAM/Email defense solution (whitelist either LUCY's domain or IP). |
+ | |||
+ | |||
+ | ===== What can I do, when my emails | ||
**Use an external mail server** | **Use an external mail server** | ||
- | Using an external mail server with an existing domain configured could be the easiest and quickest workaround to prevent SPAM issues. | + | Using an [[mail_delivery_methods_in_lucy|external mail server]] with an existing domain configured could be the easiest and quickest workaround to prevent SPAM issues. |
- | **Set helo/ehlo SMTP host name in LUCY** | + | **Set helo/ehlo SMTP host name in LUCY (only required if you use LUCY's build in mail server)** |
It is recommended to create a SMTP server name (that is the server name of LUCY). Most SMTP servers will accept your mail if you simply have a reverse DNS entry. It does not have to match the domain name on your e-mail address. Some SMTP servers will reject mail if the reverse DNS doesn' | It is recommended to create a SMTP server name (that is the server name of LUCY). Most SMTP servers will accept your mail if you simply have a reverse DNS entry. It does not have to match the domain name on your e-mail address. Some SMTP servers will reject mail if the reverse DNS doesn' | ||
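Review bot: the new parenthetical on the "Set helo/ehlo SMTP host name" heading should read "built-in mail server", not "build in", and the unchanged heading above it should say "get past the common email defenses" rather than "get pass". While touching this hunk, the first sentence of the next paragraph should read "create an SMTP server name". The new "What can I do, when my emails" heading is also cut off in this view, so please confirm it is complete in the page source, since it now carries the list of fallbacks that the removed sentence ("If this is not possible you try a few other things ...") used to introduce.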
Line 38: | Line 41: | ||
{{ spam_test.png? | {{ spam_test.png? | ||
- | **Use a Corporate Email Account | + | **Don't use a private account |
If you use a major ESP and send email using personal email addresses such as paul@yahoo.com or paul@aol.com, | If you use a major ESP and send email using personal email addresses such as paul@yahoo.com or paul@aol.com, | ||
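Review bot: "ESP" is used without expansion in the paragraph under the renamed "Don't use a private account" heading; spell it out once as "email service provider (ESP)" so readers who do not run mail infrastructure can follow the advice.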
Line 69: | Line 72: | ||
Set an MX, A & a SPF record for the domain you use in the test that all point to LUCY for that domain. Enable [[dkim_support|LUCY' | Set an MX, A & a SPF record for the domain you use in the test that all point to LUCY for that domain. Enable [[dkim_support|LUCY' | ||
- | **Does the sender domain | + | **Does the sender domain |
If you use a non-existing domain address as a sender or a domain which has no MX record, the mail will most likely be dropped by your mail server | If you use a non-existing domain address as a sender or a domain which has no MX record, the mail will most likely be dropped by your mail server | ||
- | **Watch out when you spoof your own domain** | + | |
- | Did you define your own company domain as a sender? Example: You try to phish your employees with the domain mycompany.com which is actually the official domain for your company? The problem is that there might be a DNS record (example SPF) that defines which mail server is allowed to send mails on behalf of this domain. If such a record exists your email server will deny emails coming from a different server using this domain. The solution is: If you still want to perform a phishing test, with a domain like the one from your company, we recommend reserving a similar domain like “my-company.com” or strategically place a typo like “myconpany.com”. Most users won’t recognize the difference and you'll have an additional feature to test awareness. | + | **Watch out when you spoof your own domain |
+ | Did you define your own company domain as a sender? Example: You try to phish your employees with the domain mycompany.com which is actually the official domain for your company? The problem is that there might be a DNS record (example SPF) that defines which mail server is allowed to send mails on behalf of this domain. You can check this here: https:// | ||
**Set a PTR (reverse DNS)** | **Set a PTR (reverse DNS)** | ||
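Review bot: the new "You can check this here: https://" link in the spoofing paragraph is truncated in this view; please verify the URL survives in the page source and state what the check looks up (the domain's SPF TXT record), so the reader knows what result means their own domain is protected. Also, "Set an MX, A & a SPF record" should read "an SPF record".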
Line 82: | Line 86: | ||
Tracking images (the small size) lead to a higher SPAM score. So try to uncheck this option in case you get filtered. | Tracking images (the small size) lead to a higher SPAM score. So try to uncheck this option in case you get filtered. | ||
- | **Avoid using advanced LUCY Features like BeEF Framework** | + | **Avoid using advanced LUCY Features like " |
- | The [[beef_integration|BeEF Framework]] | + | The advanced information gathering |
**Test your IP & Domain reputation** | **Test your IP & Domain reputation** | ||
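Review bot: the renamed heading 'Avoid using advanced LUCY Features like "' is cut mid-quote here, and the rewritten paragraph ("The advanced information gathering ...") dropped the [[beef_integration|...]] link the old text had. Please confirm the feature name is complete in the source and link the renamed feature to its own page so readers can find what to disable.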
Line 91: | Line 95: | ||
**Don' | **Don' | ||
If you send hundreds of mails without throttling down the delivery you might get flagged as SPAM very quickly. Please use the [[scheduler|scheduler]] to slow down mail delivery. | If you send hundreds of mails without throttling down the delivery you might get flagged as SPAM very quickly. Please use the [[scheduler|scheduler]] to slow down mail delivery. | ||
+ | |||
+ | |||
+ | **Avoid potentially dangerous attachments** | ||
+ | Certain attachment types (e.g. exe within a zip) or word files with Macro' | ||
===== What is the best test procedure with LUCY to identify the source of SPAM issues? ===== | ===== What is the best test procedure with LUCY to identify the source of SPAM issues? ===== | ||
**Step 1 - TEST MAIL** | **Step 1 - TEST MAIL** | ||
- | Send to the desired recipient a [[test_mail|test mail]] using a sender with a 3rd party domain name that has no SPF (e.g. " | + | Send to the desired recipient a [[test_mail|test mail]] using a sender with a 3rd party domain name **that has no SPF** (e.g. " |
{{ tstmail.png? | {{ tstmail.png? | ||
- | The test mail is always a text only mail with no suspicious content. If the test mail does not arrive it is possible that the email filter is blocking any mail communication from an unknown IP (if there is no known activity log about that IP in the internet). In such a case you can either | + | The test mail is always a text only mail with no suspicious content. |
+ | |||
+ | If the test mail does not arrive it is possible that the email filter is blocking any mail communication from an unknown IP or an server with a neutral mail reputation | ||
+ | |||
+ | {{ mailhttpse.png? | ||
+ | |||
+ | |||
+ | This will force all communication through the external mail relay from sendgrid. You can change this setting later on a campaign level (under "Base Settings/ | ||
**Step 2 - IDENTIFY THE ISSUE THAT TRIGGERS THE EMAIL FILTER** | **Step 2 - IDENTIFY THE ISSUE THAT TRIGGERS THE EMAIL FILTER** | ||
- | Start altering the message & domain settings: it is very important that you slowly start altering | + | If the test email arrives, you can start altering the message & domain settings: it is very important that you change |
+ | |||
+ | One of the first changes you might want to try is playing around with different domain names (e.g. a different domain as a [[http:// | ||
**Step 3 - TEST RUN** | **Step 3 - TEST RUN** | ||
After you identified and removed the issues that caused the mails to get filtered we recommend doing a test run. The test run should be done with one target email accounts to see if the email gets filtered and how the link is accessed (sometimes a SPAM filter can automatically access the link in the email before the user can. This will make it impossible for LUCY to know if the link was really clicked). | After you identified and removed the issues that caused the mails to get filtered we recommend doing a test run. The test run should be done with one target email accounts to see if the email gets filtered and how the link is accessed (sometimes a SPAM filter can automatically access the link in the email before the user can. This will make it impossible for LUCY to know if the link was really clicked). | ||
+ | |||
**Step4 - REAL CAMPAIGN** | **Step4 - REAL CAMPAIGN** | ||
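Review bot: a few grammar fixes in this hunk: "an server with a neutral mail reputation" should be "a server", "one target email accounts" should be "one target email account", and "Step4" should be "Step 4" to match the other step headings. The new sendgrid paragraph says the relay setting can be changed "under Base Settings/", which is truncated here; please check the full menu path is present, since this is the setting the reader must revert when moving from the test mail to the campaign.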
Line 120: | Line 140: | ||
There are three possible message scenarios in case mails are still being filtered: | There are three possible message scenarios in case mails are still being filtered: | ||
- | * a) No mails send: then you won’t see anything in the message log | + | * a) [[mail_communication_issues_-_mails_do_not_get_send_at_all|No mails send]]: then you won’t see anything in the message log |
- | * b) Mails send – but with error: then you will see an error in “Errors” | + | * b) Mails send – but with error: then you will see an error in " |
* c) Mail send – no error: mail communication has been established and mails have been accepted for delivery | * c) Mail send – no error: mail communication has been established and mails have been accepted for delivery | ||
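Review bot: the three scenarios use "send" where the past participle "sent" is meant ("No mails sent", "Mails sent, but with error", "Mail sent, no error"); the same correction applies to the link text of the newly added [[mail_communication_issues_-_mails_do_not_get_send_at_all|...]] entry if the target page title allows it.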
Line 132: | Line 152: | ||
* 2) Investigate your [[: | * 2) Investigate your [[: | ||
+ | * 3) In some cases there is a email threshold that limits the amount of emails you are allowed to send in a certain time frame. Amazon, Google & Microsoft have such limits. When you do a test run you might not experience any difficulties, | ||
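Review bot: "a email threshold" should read "an email threshold" in the new item 3). Since the remedy for provider send limits is to slow delivery, link the [[scheduler|scheduler]] page already referenced in the "Don't send too many mails" tip rather than leaving the reader to find it.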
Line 155: | Line 176: | ||
In case you rent a VPS through LUCY Security, we kindly ask you first to contact the the blacklist site and request a de-listing. If you cannot get delisted in a reasonable time, please get in contact with us and we can request an IP address change. | In case you rent a VPS through LUCY Security, we kindly ask you first to contact the the blacklist site and request a de-listing. If you cannot get delisted in a reasonable time, please get in contact with us and we can request an IP address change. | ||
+ | |||
+ | ===== " | ||
+ | {{ : | ||
+ | |||
+ | If you are seeing a message like this, it means that the domain name was blacklisted by Google. | ||
+ | Unfortunately, | ||
+ | |||
+ | The fastest and easiest option is to abandon the current domain name and register a new one. | ||
+ | In case if LUCY administration domain got blacklisted, | ||
+ | - Open Chrome | ||
+ | - Go to Settings > Privacy. | ||
+ | - Toggle off Chrome' | ||
+ | |||
+ | After the actions above, the Deceptive Site message won't appear in your browser and the LUCY administration panel is available again. | ||
+ | |||
+ | You can check if your domain got blacklisted by Google via the link below: | ||
+ | https:// | ||
===== Whitelisting in different products ===== | ===== Whitelisting in different products ===== | ||
**GSuite/ | **GSuite/ | ||
- | * This is the recommend setting if you do not have a cloud-based spam filter in front of GSuite. | + | |
- | * Login to https:// | + | Please review [[gsuite_whitelisting|this]] article. |
- | * Select GSuite. | + | |
- | * Select Gmail. | + | |
- | * Select Advanced Settings. | + | |
- | * In the Organizations section, highlight your Domain (Not an OU). Note: GSuite does not allow whitelisting by IP Address for individual OUs, only the entire domain. | + | |
- | * In the Email whitelist section, enter the LUCY IP address | + | |
- | * Scroll to the bottom and click Save. The setting may take up to an hour to propagate to all users. | + | |
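Review bot: the new "Deceptive site ahead" section tells the reader to toggle off Chrome's protection to reach the LUCY administration panel; since the section itself says abandoning the domain and registering a new one is the fastest and easiest option, the browser change should be framed as a temporary workaround on the administrator's machine only, with an explicit step to turn the setting back on once the domain is replaced, because it also removes the warning for every other site that user visits. Minor wording: "In case if LUCY administration domain got blacklisted" should read "If the LUCY administration domain got blacklisted", and the unchanged sentence above has a doubled "the the blacklist site".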
Line 180: | Line 212: | ||
* Select "Set the spam confidence level (SCL) to...", | * Select "Set the spam confidence level (SCL) to...", | ||
* Click Save | * Click Save | ||
+ | * If emails with certain attachements get blocked, setup a safe attachement policy: https:// | ||
+ | |||
+ | **O365 Advanced Threat Protection** | ||
+ | * Go to https:// | ||
+ | * In the left navigation, under Threat management > Policy > Safe Links. | ||
+ | * In the Policies that apply to specific recipients section, choose New (the New button resembles a plus sign ( +)) to create a new policy. (Alternatively, | ||
+ | * Choose New to add a Safe Links policy for specific email recipients | ||
+ | * Specify a name and description for your policy. | ||
+ | * In the Do not rewrite the following URLs section, select the Enter a valid URL box, and then type a URL, and then choose the plus sign (+). | ||
+ | * In the Applied To section, choose The recipient is a member of, and then choose the group(s) you want to include in your policy. Choose Add, and then choose OK. | ||
+ | * When you are finished adding URLs, in the lower right corner of the screen, choose Save. | ||
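Review bot: "attachements" should be "attachments" (twice) in the new safe attachment bullet. In the O365 Advanced Threat Protection steps, the "Do not rewrite the following URLs" entry and the "Applied To" group selection should be limited to the campaign's own phishing domain and the recipients in scope, because any URL listed there is exempt from Safe Links for those users; a sentence saying so would keep the exception as narrow as the whitelist advice elsewhere on the page. The "(Alternatively," remark in the third bullet is cut off in this view; please check it is complete in the source.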
Line 218: | Line 261: | ||
* Click Save. | * Click Save. | ||
+ | |||
+ | **MessageLabs or Symantec** | ||
+ | |||
+ | To add a global Approved Sender: | ||
+ | 1.Select Services > Email Services > Anti-Spam. | ||
+ | 2.Ensure that Global Settings is selected in the domains drop-down list. | ||
+ | 3.Click the Approved Senders tab. | ||
+ | 4.Click the Add Entry option. | ||
+ | 5.The Domain/ | ||
+ | 6.In the Domain/ | ||
+ | 7.In the Description field, enter brief details about the new entry. | ||
+ | 8.To add the entry to the list, click Update. | ||
+ | |||
+ | This new policy will allow any inbound mail flow originating from LUCY's IPs to reach your users. |
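Review bot: the MessageLabs/Symantec steps lack a space after each list number ("1.Select", "2.Ensure", ...), and the "Domain/" field name in steps 5 and 6 is truncated here, so please verify the full field name (and whether an IP address is entered as a domain or address entry) in the source. Since step 2 selects Global Settings, the closing sentence should state plainly that this Approved Sender entry applies to all domains on the account and that the entry should contain only LUCY's exact IPs, so the anti-spam bypass is no wider than the whitelist advice at the top of the page.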
avoid_spam_issues.txt · Last modified: 2021/12/14 07:04 by lucysecurity