
Set up and Configuration

ChrisPowell6p6 edited this page May 24, 2021 · 7 revisions

Configuration requires three things.

  • A domain you own.
  • A server to host the Docker containers.
  • A free Cloudflare account configured with your domain.

Domain

It's best to buy a semi-legitimate-looking domain — personally, I use ichck.uk because it looks like a legitimate email integrity checker. It will also show up in the Google "via" message if accessed through the web client.

It's not highly noticeable either way, but make sure it looks genuine.

Cloudflare

Mail Spoofer uses the Cloudflare API to configure DNS records. It's free and makes the setup process really easy. You could do this manually, but we thought: why not automate the boring stuff?

To learn more about adding your domain name to Cloudflare, read their Getting Started guide.

After registering a standard free-tier account, you need to create an API Token. To do this, log in, head to https://dash.cloudflare.com/profile, and select API Tokens. Click the Create Token button.

The next page shows the available API Token templates. Since we'll only be modifying DNS records, we can select the pre-configured Edit zone DNS template. The other templates can be ignored unless you have specific requirements.

Clicking the "Use Template" button takes you to the following page, which allows you to specify the token name, permissions, zone resources and other settings. The two necessary settings are Permissions and Zone Resources. The token name can be changed later.

For Permissions, set the type to Zone > DNS > Edit. When you select the Edit zone DNS template, the permission is automatically set to Edit, which allows the token to view and update DNS records.

The Zone Resources should be set to a specific zone and point to your domain name. We tend to use one API token per domain name to limit access between zones (domain names). You could also allow access to more than one zone if needed, but in this case we will only be using one zone.

The rest of the options can be left as default. When you're finished, click the "Continue to summary" button and then the "Create Token" button. You will be presented with the following page, which shows your Cloudflare API Token and instructions on verifying.

Save the API token somewhere safe; it will be used later in the Docker settings.env file.

Hosting

Any server that can host Docker containers should work, although we've been using an Ubuntu 20.04 LTS host.

However, there are a couple of caveats to note.

First, setting a reverse DNS/PTR record for your domain is essential: whether the entry exists has a significant effect on the reputation of your IP address.

PTR records let others look up your domain from your IP address (the reverse of a normal lookup), hence reverse DNS.
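A receiving mail server does not just check that a PTR record exists; it also checks that the name in the PTR resolves forward to the same IP (forward-confirmed reverse DNS). The check below is an added example, not part of Mail Spoofer: it classifies a host's reverse DNS setup and, beyond the single case in the paragraph above, distinguishes a missing PTR, a provider's default PTR, and a PTR that names your domain without the domain resolving back. The resolver functions are injected so the logic runs offline against constructed answers; live_check() wires in the standard socket module. All hostnames and addresses in it are constructed (TEST-NET-3 addresses reserved for documentation).

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a mail-sending host.

Added example; it is not part of Mail Spoofer. It tests what the paragraph
above describes: the PTR record for the IP names your domain, and that name
resolves forward to the same IP. Resolver functions are injected so the logic
runs offline against constructed answers; live_check() wires in the standard
socket module for a real host. All names and addresses below are constructed.
"""
import socket
from typing import Callable, Iterable

PtrLookup = Callable[[str], Iterable[str]]   # ip -> hostnames from PTR
ALookup = Callable[[str], Iterable[str]]     # hostname -> IPv4 addresses


def fcrdns_status(ip: str, expected_host: str,
                  ptr_lookup: PtrLookup, a_lookup: ALookup) -> str:
    """Classify the reverse DNS setup of `ip` relative to `expected_host`.

    Returns one of:
      'no-ptr'           no PTR record at all (many providers' default)
      'ptr-mismatch'     PTR exists but names some other host
      'no-forward-match' PTR names the host, but the host does not resolve
                         back to this IP, so receivers will not trust it
      'ok'               forward-confirmed
    """
    names = {n.rstrip(".").lower() for n in ptr_lookup(ip)}
    if not names:
        return "no-ptr"
    host = expected_host.rstrip(".").lower()
    if host not in names:
        return "ptr-mismatch"
    if ip not in set(a_lookup(host)):
        return "no-forward-match"
    return "ok"


def live_check(ip: str, expected_host: str) -> str:
    """Run the same check against real DNS (needs network access)."""
    def ptr(addr: str):
        try:
            name, aliases, _ = socket.gethostbyaddr(addr)
            return [name, *aliases]
        except socket.herror:
            return []

    def a(name: str):
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            return []

    return fcrdns_status(ip, expected_host, ptr, a)


# Constructed answers standing in for a resolver (TEST-NET-3 addresses,
# reserved for documentation; the hostnames are made up for this example).
FAKE_PTR = {
    "203.0.113.10": ["mail-test.example."],                  # PTR set correctly
    "203.0.113.11": ["203-0-113-11.generic-host.example."],  # provider default
    "203.0.113.13": ["mail-test.example."],                  # PTR right, A wrong
}
FAKE_A = {
    "mail-test.example": ["203.0.113.10"],
    "203-0-113-11.generic-host.example": ["203.0.113.11"],
}


def offline_check(ip: str, expected_host: str) -> str:
    """fcrdns_status() driven by the constructed tables above."""
    return fcrdns_status(ip, expected_host,
                         lambda i: FAKE_PTR.get(i, []),
                         lambda n: FAKE_A.get(n, []))


if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"):
        print(addr, offline_check(addr, "mail-test.example"))
```

Run live_check("<droplet IP>", "<your domain>") after the PTR record is in place; anything other than "ok" is what a receiving server's reputation check will also notice.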

Second, a great many providers block outgoing SMTP connections. For example, I cannot send any emails from my home domain without being blocked.

We've chosen a cloud provider — Digital Ocean — to circumvent both problems. Digital Ocean is fantastic to use and supports reverse DNS/PTR records out of the box.

Digital Ocean

In the dashboard, create a new "Droplet" instance and use the following options.

  • Ubuntu 20.04 (LTS) x64
  • Basic Plan
  • Regular Intel with SSD
  • Add new SSH key (optional)

When entering your hostname, make sure it's identical to the domain configured in Cloudflare. It's this that allows the reverse DNS/PTR lookup. For example, if our Cloudflare domain is example.com, then that's what we need to enter in the input box.

To ensure only specific IP addresses can gain access, create a simple firewall rule under Networking > Firewalls. Restrict the Inbound Rules to your own IP address for ports 22 (SSH), 80, 443 and 3333 (Gophish).

Scroll down to the bottom of the page and apply the firewall to your Droplet.

Before you start a phishing campaign, you must allow inbound traffic on ports 80 and 443 so Gophish can record click information.

Installation

SSH to your newly created Digital Ocean droplet (you can find the server IP in the dashboard), then install Docker and Docker Compose.

apt update
apt install docker.io docker-compose unzip

Docker Configuration

Download our latest mail-spoofer release.

Extract the mail-spoofer archive into your working directory with either tar -xzvf mail-spoofer.tar.gz or unzip mail-spoofer.zip. The only file you need to change is settings.env, which contains the configuration options for all Docker containers.

You must change the following options to match your own domain name and/or relay host.

For the Return-Path address, leave the username as "no-reply" and change only the domain name. Otherwise, the mail server may start to issue thousands of bounce messages and fill up your log files.

  • You MUST change the root domain name: DOMAIN=example.com
  • You MUST change the tracking subdomain for GoPhish: TRACK_DOMAIN=click.example.com
  • You MUST change the Return-Path address: RETURN_PATH_ADDRESS=no-reply@example.com
  • You MUST change the Cloudflare API token for editing DNS: CLOUDFLARE_API_TOKEN={Cloudflare_API_Key}

If you are using a third-party relay (SendGrid), also change:

  • Add your SendGrid API key: SENDGRID_API_KEY={Sendgrid_API_Key}

Example settings.env WITHOUT SendGrid

DOMAIN=ichck.uk
TRACK_DOMAIN=click.ichck.uk
DKIM_TAG=default
RETURN_PATH_ADDRESS=no-reply@ichck.uk
RELAYHOST=[smtp.sendgrid.net]:587
# SENDGRID_API_KEY={Sendgrid_API_Key}
CLOUDFLARE_API_TOKEN={Cloudflare_API_Key}
ACME_AGREE=true
TZ='Europe/London'
MESSAGE_SIZE_LIMIT=0
MYNETWORKS=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Example settings.env WITH SendGrid (remove the # comment)

DOMAIN=ichck.uk
TRACK_DOMAIN=click.ichck.uk
DKIM_TAG=default
RETURN_PATH_ADDRESS=no-reply@ichck.uk
RELAYHOST=[smtp.sendgrid.net]:587
SENDGRID_API_KEY={Sendgrid_API_Key}
CLOUDFLARE_API_TOKEN={Cloudflare_API_Key}
ACME_AGREE=true
TZ='Europe/London'
MESSAGE_SIZE_LIMIT=0
MYNETWORKS=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Note — if you want to switch Mail Spoofer to or from SendGrid, you MUST first delete the Docker containers and the domain-key record in Cloudflare. If you forget this step, the public/private keys — used to sign DKIM and ARC messages — break.
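Most first-run failures with this file come from a placeholder that was never replaced or a Return-Path that no longer matches the domain. The script below is an added example, not part of the Mail Spoofer project: it parses a settings.env and applies the rules stated above (the MUST-change keys are set and no longer hold their {placeholder}, TRACK_DOMAIN sits under DOMAIN, the Return-Path keeps the "no-reply" user with only the domain changed, and SENDGRID_API_KEY is either commented out or filled in). Which keys it treats as required is this example's own assumption, and both sample files are constructed.

```python
"""Sanity-check a Mail Spoofer settings.env before `docker-compose up`.

Added example, not part of the Mail Spoofer project. It reads the key names
shown on this page (DOMAIN, TRACK_DOMAIN, RETURN_PATH_ADDRESS,
CLOUDFLARE_API_TOKEN, SENDGRID_API_KEY) and applies this page's rules. Which
keys count as required is this example's own assumption; the sample files
below are constructed.
"""
import re

REQUIRED = ("DOMAIN", "TRACK_DOMAIN", "RETURN_PATH_ADDRESS", "CLOUDFLARE_API_TOKEN")
PLACEHOLDER = re.compile(r"^\{[^}]*\}$")  # e.g. {Cloudflare_API_Key} left as shipped


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped.
    Quotes around a value (TZ='Europe/London') are removed."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip().strip("'\"")
    return env


def check_settings(text: str) -> list:
    """Return the list of problems found; an empty list means the file passes."""
    env = parse_env(text)
    problems = []

    for key in REQUIRED:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif PLACEHOLDER.match(value):
            problems.append(f"{key} still holds the placeholder {value}")

    domain = env.get("DOMAIN", "")
    if domain == "example.com":
        problems.append("DOMAIN is still the example value example.com")

    track = env.get("TRACK_DOMAIN", "")
    if domain and track and not track.endswith("." + domain):
        problems.append(f"TRACK_DOMAIN {track} is not a subdomain of {domain}")

    return_path = env.get("RETURN_PATH_ADDRESS", "")
    if return_path and not PLACEHOLDER.match(return_path):
        user, _, rp_domain = return_path.partition("@")
        if user != "no-reply":
            problems.append("RETURN_PATH_ADDRESS user must stay no-reply")
        if domain and rp_domain != domain:
            problems.append(f"RETURN_PATH_ADDRESS domain {rp_domain} does not match DOMAIN {domain}")

    # SENDGRID_API_KEY is optional, but if it is uncommented it must be filled in.
    sendgrid = env.get("SENDGRID_API_KEY")
    if sendgrid is not None and (not sendgrid or PLACEHOLDER.match(sendgrid)):
        problems.append("SENDGRID_API_KEY is uncommented but not filled in")

    return problems


# Constructed sample: a completed file (the token value is made up).
GOOD_SETTINGS = """\
DOMAIN=mail-test.example
TRACK_DOMAIN=click.mail-test.example
DKIM_TAG=default
RETURN_PATH_ADDRESS=no-reply@mail-test.example
RELAYHOST=[smtp.sendgrid.net]:587
# SENDGRID_API_KEY={Sendgrid_API_Key}
CLOUDFLARE_API_TOKEN=cf_token_value_constructed_for_this_example
ACME_AGREE=true
TZ='Europe/London'
MESSAGE_SIZE_LIMIT=0
"""

# Constructed sample: shipped placeholders left in and the Return-Path user
# changed, which the page warns against.
BAD_SETTINGS = """\
DOMAIN=example.com
TRACK_DOMAIN=click.other.example
RETURN_PATH_ADDRESS=bounces@example.com
CLOUDFLARE_API_TOKEN={Cloudflare_API_Key}
SENDGRID_API_KEY={Sendgrid_API_Key}
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(label, check_settings(text) or "passes")
```

Point check_settings() at the real file with open("settings.env").read(); an empty result means the values are at least consistent with the rules above, though it says nothing about whether the Cloudflare token itself is valid.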

Starting Docker Compose

To start the mail-spoofer tool, run the following from the Mail Spoofer directory.

docker-compose up

It will download our custom-built images from Docker Hub, as well as some official Docker images, and start all containers; in total, there should be five running.

To verify that all containers are running, type docker ps.

If everything works as it should, you will have several DNS records in your Cloudflare profile, your Digital Ocean PTR record will be configured, and you can log in to Gophish at https://example.com:3333.
