
I have been trying to learn about phishing emails. I have read up quite a bit on it. I set up a domain somthing.tk (free domain), hosted a website on a VPS (Digital Ocean), and set up my own mail transfer agent (Postfix).

Now I have set up:

  1. DKIM
  2. DMARC
  3. SPF

All pass in Gmail when I send the mail, but the mails sent by me are still flagged as spam by the Gmail spam filter. What am I doing wrong?

Also, I am using GNUMail to send emails via this command:

echo "anything" | mail -s "subject" anything@gmail.com

  • When Gmail puts a message in Spam, there's a giant banner at the top that says "Why is this message in spam?" followed by the answer. What does that say for your emails? – Joseph Sible-Reinstate Monica Mar 10 '19 at 17:57
  • Why is this message in Spam? It's similar to messages that were detected by our spam filters. – yeah_well Mar 10 '19 at 18:04
  • Then it is not the transport layer that it is detecting but the content. – schroeder Mar 10 '19 at 18:22
  • Should I not use GNU Mail? Should I use it but increase my content? – yeah_well Mar 10 '19 at 18:35
  • I bet using `.tk` has something to do with this. The same setup with `.icu` seemed to work fine. [Not anymore!](https://blocked.icu/) TLD reputation matters. – Esa Jokinen Mar 10 '19 at 18:52
  • To see if your mail server has a problem (that you may have overlooked) that would cause other mail servers to think it's a spammer, try sending a message from your mail server to check-auth@verifier.port25.com. This service will do a bunch of checks, and you'll get a report back with a ton of information, such as whether or not your mail server's DNS is set up correctly, whether your mail server's IP is on any blacklists, etc. – mti2935 Dec 06 '19 at 10:42

1 Answer


Unfortunately, .tk is one of the TLDs that are notoriously associated with certain threat actors and are used by malware to establish C2 channels (malware calling home).

Snort and Suricata (the two most widely used open-source IDS/IPS solutions) even have detection rules written for .tk, .pw and .ru URLs; these generate an alert for the SOC analysts every time a hit is recorded against them in the network.

I'd suggest using a purchased domain name to get past the email filters. GL!


BONUS: You might want to check your URL/domain names at https://www.urlvoid.com to see if they're marked malicious or suspicious by security vendors/spam databases.
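The comment thread above points at the message content rather than the transport (SPF, DKIM and DMARC already pass), and the answer points at the sender's TLD. The script below is an added example (not code from the question, the answer, or any of the tools they mention): it builds an outgoing test message with the headers and body structure that content-based filters expect (Date, Message-ID on the sender's domain, a display name in From, a text/plain part alongside any HTML), and audits it for the cheap negative signals discussed on this page before it is handed to Postfix. The sender address, recipient, and the list of poorly reputed TLDs are constructed placeholders; the TLD list is an assumption drawn from the answer, not an exhaustive reputation feed.

```python
"""Build and audit an outgoing test message before sending it through a
local MTA.  Added example; the addresses and TLD list are made up."""
import smtplib
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr

# Assumption: TLDs the answer above says carry poor reputation with
# filters and IDS rules.  Extend this from your own blocklist sources.
RISKY_TLDS = {"tk", "pw", "ru"}

# Headers a minimal "echo | mail" style message may lack or leave thin.
REQUIRED_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")


def build_message(sender, recipient, subject, text_body, html_body=None):
    """Return a well-formed EmailMessage with the headers filters expect."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    # Message-ID on the sending domain, not on the VPS hostname.
    domain = parseaddr(sender)[1].rsplit("@", 1)[-1]
    msg["Message-ID"] = make_msgid(domain=domain)
    msg.set_content(text_body)          # text/plain part first
    if html_body:
        # Turns the message into multipart/alternative with both parts.
        msg.add_alternative(html_body, subtype="html")
    return msg


def audit_message(msg):
    """Return a list of findings; an empty list means no cheap red flags."""
    findings = []
    for header in REQUIRED_HEADERS:
        if not msg[header]:
            findings.append(f"missing {header} header")

    display_name, addr = parseaddr(msg["From"] or "")
    if not display_name:
        findings.append("From has no display name")

    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    tld = domain.rsplit(".", 1)[-1]
    if tld in RISKY_TLDS:
        findings.append(f"sender TLD .{tld} has poor reputation")

    # Look only at the plain-text part; a one-word body looks like a probe.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if len(text.split()) < 10:
        findings.append("text body is very short")

    subject = msg["Subject"] or ""
    if subject and subject.isupper():
        findings.append("subject is all caps")
    return findings


def send_via_local_mta(msg, host="localhost", port=25):
    """Hand the message to the local Postfix instance (not called here)."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample that mirrors the question's bare test message.
    bare = build_message("test@somthing.tk", "anything@gmail.com",
                         "subject", "anything")
    for finding in audit_message(bare):
        print("bare message:", finding)

    better = build_message(
        "Test Sender <sender@example.com>", "anything@gmail.com",
        "Deliverability test from example.com",
        "Hello,\n\nThis is a short test message sent from a newly "
        "configured Postfix host to check whether it lands in the inbox.\n",
        "<p>Hello,</p><p>This is a short test message sent from a newly "
        "configured Postfix host to check whether it lands in the inbox.</p>",
    )
    print("better message findings:", audit_message(better))
```

Run it once without sending to see which findings the bare message trips, then fix the sending domain and body and hand the result to `send_via_local_mta`. The audit only catches the cheap signals this page talks about; the authoritative verdict is still Gmail's "Why is this message in spam?" banner and a report from the port25 verifier mentioned in the comments.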