SPAM, Phish and Other Things Good to Eat presented at CarolinaCon11 2015

by Joshua Schroeder

Summary: Have you ever wondered how to design a campaign for your organization to see which users click on links or open spam emails? Or if you are on the offense, would you like to gain access to attribution to those spamming your email or other virtual accounts? In this presentation I will demo and release the source code for FeelingPhishy, a PHP tool I created after getting several complaints from people in the industry that existing open source spam campaign solutions were too difficult to set up, had incomplete instructions or didn't work effectively. Some of the features that are included in the tool are: a hashed database of victim data, header modification for time information (allowing some clients to show emails from the past or future), visualization of clicked and viewed emails (real time), simple port scanning, and a 20-minute setup time with no need for special libraries, supported by many anonymous free hosting providers.
In the second part of my talk I will tell the story about how I learned how to track people using email and fake websites through an email campaign that was undetected for 5 years. The tools built from that campaign (partly released in FeelingPhishy) proved useful when I was approached by a scammer while trying to sell an Xbox One online. It was those techniques and tools that allowed me to trick him via text message into revealing his real IP address and eventually figuring out other profiles and sites that were used by him or his organization to facilitate spamming.