gophish / gophish

Open-Source Phishing Toolkit
https://getgophish.com

Emails appear as opened and as Clicked Link (after some seconds), although no user opened the email or clicked on the link. #2646

Closed joseraeiro closed 1 year ago

joseraeiro commented 2 years ago

What version of Gophish are you using?:

v0.12.0

Brief description of the issue:

When sending emails to a specific domain all emails appear as opened and as Clicked Link (after some seconds), although no user opened the email or clicked on the link. In the example below, only jose.xxxxxxx@winprovit.pt appears as if it clicked the link.

Please provide any terminal output that may be relevant below:

time="2022-10-28T18:18:21+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:21 +0100] \"POST /api/campaigns/ HTTP/2.0\" 400 82 \"https://172.16.99.13/campaigns\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
2022/10/28 18:18:38 http: TLS handshake error from 10.10.4.76:3519: remote error: tls: unknown certificate
time="2022-10-28T18:18:38+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:38 +0100] \"POST /api/campaigns/ HTTP/2.0\" 201 52651 \"https://172.16.99.13/campaigns\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:40+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:40 +0100] \"GET /campaigns/112 HTTP/2.0\" 200 2094 \"https://172.16.99.13/campaigns\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:40+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:40 +0100] \"GET /css/dist/gophish.css HTTP/2.0\" 200 52514 \"https://172.16.99.13/campaigns/112\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:40+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:40 +0100] \"GET /js/dist/app/campaign_results.min.js HTTP/2.0\" 200 5239 \"https://172.16.99.13/campaigns/112\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:40+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:40 +0100] \"GET /api/campaigns/112/results?{} HTTP/2.0\" 200 1397 \"https://172.16.99.13/campaigns/112\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:40+01:00" level=info msg="Email sent" email="\"jose raeiro\" xxxxxxx@gmail.com" envelope_from="=?UTF-8?q?Gest=C3=A3o_RH?= gestaorh@winprovlt.pt" smtp_from=gestaorh@winprovlt.pt
time="2022-10-28T18:18:41+01:00" level=info msg="Email sent" email="\"jose raeiroo\" jose.xxxxxxx@next-it.pt" envelope_from="=?UTF-8?q?Gest=C3=A3o_RH?= gestaorh@winprovlt.pt" smtp_from=gestaorh@winprovlt.pt
time="2022-10-28T18:18:42+01:00" level=info msg="Email sent" email="\"jose rae\" jose.xxxxxxx@winprovit.pt" envelope_from="=?UTF-8?q?Gest=C3=A3o_RH?= gestaorh@winprovlt.pt" smtp_from=gestaorh@winprovlt.pt
2022/10/28 18:18:44 http: TLS handshake error from 10.10.4.76:3529: remote error: tls: unknown certificate
time="2022-10-28T18:18:44+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:44 +0100] \"GET /api/campaigns/112/results?{} HTTP/2.0\" 200 465 \"https://172.16.99.13/campaigns/112\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:46+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:46 +0100] \"GET /api/campaigns/112/results?{} HTTP/2.0\" 200 465 \"https://172.16.99.13/campaigns/112\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:48+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:48 +0100] \"GET /api/campaigns/112/results?{} HTTP/2.0\" 200 465 \"https://172.16.99.13/campaigns/112\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:48+01:00" level=info msg="35.88.131.70 - - [28/Oct/2022:18:18:48 +0100] \"GET /?rid=x7TQ4ra HTTP/1.1\" 200 106312 \"\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:49+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:49 +0100] \"GET /api/campaigns/112/results?{} HTTP/2.0\" 200 668 \"https://172.16.99.13/campaigns/112\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:50+01:00" level=info msg="35.90.124.194 - - [28/Oct/2022:18:18:50 +0100] \"GET /track?rid=x7TQ4ra HTTP/1.1\" 200 95 \"\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:51+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:51 +0100] \"GET /api/campaigns/112/results?{} HTTP/2.0\" 200 703 \"https://172.16.99.13/campaigns/112\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:18:52+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:52 +0100] \"GET /api/campaigns/112/results?{} HTTP/2.0\" 200 703 \"https://172.16.99.13/campaigns/112\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36\""
time="2022-10-28T18:19:16+01:00" level=info msg="40.94.89.8 - - [28/Oct/2022:18:19:16 +0100] \"GET /?rid=x7TQ4ra HTTP/1.1\" 200 31189 \"\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36\""
time="2022-10-28T18:19:17+01:00" level=info msg="40.94.89.8 - - [28/Oct/2022:18:19:17 +0100] \"GET /assets/landing-watermark-16f13e16a7ef02fb6f94250aa1931ded83dbee5d9fad278e33dd5792d085194f.css HTTP/1.1\" 404 19 \"http://winprovlt.pt/?rid=x7TQ4ra\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36\""
time="2022-10-28T18:19:17+01:00" level=info msg="40.94.89.23 - - [28/Oct/2022:18:19:17 +0100] \"GET /assets/modernizr-654222debe8018b12f1993ceddff30dc163a7d5008d79869c399d6d167321f97.js HTTP/1.1\" 404 19 \"http://winprovlt.pt/?rid=x7TQ4ra\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36\""
time="2022-10-28T18:19:17+01:00" level=info msg="40.94.89.21 - - [28/Oct/2022:18:19:17 +0100] \"GET /assets/application-3ab7c63a41a8761925d45817a71fb79e0ef7208b59de505ac640c8a2a183ec19.js HTTP/1.1\" 404 19 \"http://winprovlt.pt/?rid=x7TQ4ra\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36\""
time="2022-10-28T18:19:17+01:00" level=info msg="40.94.89.21 - - [28/Oct/2022:18:19:17 +0100] \"GET /packs/js/vendor-69f70dd3792dc7287ac8.js HTTP/1.1\" 404 19 \"http://winprovlt.pt/?rid=x7TQ4ra\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36\""
time="2022-10-28T18:19:19+01:00" level=info msg="40.94.89.19 - - [28/Oct/2022:18:19:19 +0100] \"GET /packs/js/vendor-69f70dd3792dc7287ac8.js HTTP/1.1\" 404 19 \"http://winprovlt.pt/?rid=x7TQ4ra\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36\""
time="2022-10-28T18:19:19+01:00" level=info msg="40.94.89.19 - - [28/Oct/2022:18:19:19 +0100] \"GET /assets/modernizr-654222debe8018b12f1993ceddff30dc163a7d5008d79869c399d6d167321f97.js HTTP/1.1\" 404 19 \"http://winprovlt.pt/?rid=x7TQ4ra\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36\""
time="2022-10-28T18:19:25+01:00" level=info msg="40.94.89.19 - - [28/Oct/2022:18:19:25 +0100] \"GET /favicon.ico HTTP/1.1\" 404 19 \"http://winprovlt.pt/?rid=x7TQ4ra\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36\""

ConstantinTi commented 2 years ago

I actually do have the very same issue, which can get annoying sometimes.

Renizmy commented 2 years ago

Which mail client is used? It is not impossible that there is an automatic inspection of the links contained in the mails.

mokkabca commented 1 year ago

I also have the same issues

Does anyone have a solution, at least a temporary one?

glennzw commented 1 year ago

Unfortunately this is quite a common problem (if you search the issues you'll see lots of people experiencing the same). It's typically due to some appliance on the emails' journey inspecting them for suspicious content (e.g. antivirus software).

See these threads for a discussion:

https://github.com/gophish/gophish/issues/2177
https://github.com/gophish/gophish/issues/1555
https://github.com/gophish/gophish/issues/1559

Three solutions that are discussed in the threads:

(1) Disable / whitelist the appliances
(2) Use some reverse proxy software to only allow target IPs to view the landing pages (e.g. nginx / Caddy)
(3) Use some hacky JavaScript to disable basic viewing of the page (see my code here https://github.com/gophish/gophish/issues/1559#issuecomment-526602895)

Also in those threads you'll see sample SQL code to check exactly which IPs are "clicking" the links - this might help you figure out which appliance is doing the inspection (https://github.com/gophish/gophish/issues/2177#issuecomment-827710746):

-- replace IdF3XbB with the rid from the tracking link you are investigating;
-- the details column holds the JSON event record, including the client address
SELECT details FROM events WHERE message = 'Clicked Link' AND details LIKE '%IdF3XbB%';
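The SQL above finds the address behind one "click" in the database. The log output pasted at the top of this issue carries the same information for every event, including the "opened" hits on /track, so a small log-side check can triage a whole campaign at once. The script below is an added example written for this thread, not part of gophish. It parses gophish's own log format and marks a hit as a likely appliance scan when the source address lies outside the target's egress ranges, when it arrives only seconds after the first email went out, or when one rid is touched from several addresses. The sample lines are adapted from the log in this issue (user agents shortened) plus one constructed in-network hit; TARGET_NETWORKS and the 60-second threshold are assumptions to adjust for your environment, not gophish settings.

```python
"""Triage phishing-simulation events from gophish log lines.

Added example, not gophish code. Assumed values are marked below.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Access-log lines as gophish writes them (inner quotes are backslash-escaped).
ACCESS_RE = re.compile(
    r'time="(?P<ts>[^"]+)" level=info msg="(?P<ip>[\d.]+) - - \[[^\]]+\] '
    r'\\"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+\\" (?P<status>\d+) \d+ '
    r'\\"(?P<referer>[^"]*)\\" \\"(?P<ua>[^"]*)\\""'
)
SENT_RE = re.compile(r'time="(?P<ts>[^"]+)" level=info msg="Email sent"')
RID_RE = re.compile(r"[?&]rid=([A-Za-z0-9]+)")

# Assumption: the ranges your recipients browse from. Constructed value.
TARGET_NETWORKS = ["10.10.0.0/16"]

# Constructed sample: lines adapted from the issue's log (user agents shortened),
# plus one constructed in-network hit so both verdicts appear.
SAMPLE_LOG = [
    r'time="2022-10-28T18:18:40+01:00" level=info msg="10.10.4.76 - - [28/Oct/2022:18:18:40 +0100] \"GET /api/campaigns/112/results?{} HTTP/2.0\" 200 1397 \"https://172.16.99.13/campaigns/112\" \"Mozilla/5.0 (Windows NT 10.0) Chrome/107.0.0.0\""',
    r'time="2022-10-28T18:18:40+01:00" level=info msg="Email sent" email="\"jose raeiro\" xxxxxxx@gmail.com"',
    r'time="2022-10-28T18:18:41+01:00" level=info msg="Email sent" email="\"jose raeiroo\" jose.xxxxxxx@next-it.pt"',
    r'time="2022-10-28T18:18:42+01:00" level=info msg="Email sent" email="\"jose rae\" jose.xxxxxxx@winprovit.pt"',
    r'time="2022-10-28T18:18:48+01:00" level=info msg="35.88.131.70 - - [28/Oct/2022:18:18:48 +0100] \"GET /?rid=x7TQ4ra HTTP/1.1\" 200 106312 \"\" \"Mozilla/5.0 (Windows NT 10.0) Chrome/105.0.0.0\""',
    r'time="2022-10-28T18:18:50+01:00" level=info msg="35.90.124.194 - - [28/Oct/2022:18:18:50 +0100] \"GET /track?rid=x7TQ4ra HTTP/1.1\" 200 95 \"\" \"Mozilla/5.0 (Windows NT 10.0) Chrome/105.0.0.0\""',
    r'time="2022-10-28T18:19:16+01:00" level=info msg="40.94.89.8 - - [28/Oct/2022:18:19:16 +0100] \"GET /?rid=x7TQ4ra HTTP/1.1\" 200 31189 \"\" \"Mozilla/5.0 (Windows NT 10.0) Chrome/101.0.4951.54\""',
    # constructed: a click from inside the target network, minutes later
    r'time="2022-10-28T18:31:05+01:00" level=info msg="10.10.7.21 - - [28/Oct/2022:18:31:05 +0100] \"GET /?rid=EXAMPLErid HTTP/1.1\" 200 31189 \"\" \"Mozilla/5.0 (Windows NT 10.0) Chrome/107.0.0.0\""',
]


def parse_log(lines):
    """Return (send_times, hits); a hit is any request whose path carries a rid."""
    sends, hits = [], []
    for line in lines:
        m = SENT_RE.search(line)
        if m:
            sends.append(datetime.fromisoformat(m.group("ts")))
            continue
        m = ACCESS_RE.search(line)
        if not m:
            continue
        rid = RID_RE.search(m.group("path"))
        if rid is None:
            continue  # admin UI and static-asset traffic carry no rid
        hits.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "ip": m.group("ip"),
            "path": m.group("path").split("?", 1)[0],  # "/" = click, "/track" = open
            "rid": rid.group(1),
            "ua": m.group("ua"),
        })
    return sends, hits


def classify_hits(sends, hits, target_networks=TARGET_NETWORKS, min_human_delay=60):
    """Attach a verdict to each hit. The three signals are heuristics (assumptions),
    not gophish logic: an out-of-range source, a hit within seconds of the first
    send, or one rid reached from several addresses all suggest automated
    link inspection rather than a recipient."""
    nets = [ipaddress.ip_network(n) for n in target_networks]
    first_send = min(sends) if sends else None
    ips_per_rid = defaultdict(set)
    for h in hits:
        ips_per_rid[h["rid"]].add(h["ip"])
    report = []
    for h in hits:
        reasons = []
        if not any(ipaddress.ip_address(h["ip"]) in n for n in nets):
            reasons.append("source outside target networks")
        if first_send is not None:
            delay = (h["ts"] - first_send).total_seconds()
            if delay < min_human_delay:
                reasons.append(f"only {delay:.0f}s after first send")
        seen = len(ips_per_rid[h["rid"]])
        if seen > 1:
            reasons.append(f"rid seen from {seen} addresses")
        verdict = "likely scanner" if reasons else "plausible user"
        report.append({**h, "verdict": verdict, "reasons": reasons})
    return report


def suspect_addresses(report):
    """Addresses to discount in the results, or to raise with the mail team."""
    return sorted({r["ip"] for r in report if r["verdict"] == "likely scanner"})


if __name__ == "__main__":
    sends, hits = parse_log(SAMPLE_LOG)
    report = classify_hits(sends, hits)
    for r in report:
        print(f'{r["ts"]:%H:%M:%S} {r["ip"]:>14} {r["path"]:<6} rid={r["rid"]} -> {r["verdict"]} {r["reasons"]}')
    print("suspect:", suspect_addresses(report))
```

Run it against your real log (read the file into a list of lines) and feed the suspect addresses back into whichever of the three fixes above you choose: they are the ranges to allowlist out at the appliance or to deny at the reverse proxy, and the same filter lets you report campaign numbers with the appliance noise removed.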