Hello everyone!
I wanted to take a moment to let you know about some important upcoming changes to Gophish and to hear your feedback before implementing these changes.
The goal behind all of these changes is simple: We can do a better job of running friendly phishing simulations.
The Problem
Over the past few months, I've heard from service providers having to investigate phishing exercises conducted with Gophish. The scenario is usually straightforward - an organization launches a phishing simulation that spoofs the service provider's brand, sending out fake phishing emails to employees. These emails are reported back to the service provider using standard spam feedback loops/tools, and the service provider must now investigate if this is an authorized exercise or a legitimate phishing campaign targeting users.
Unfortunately, the way Gophish is currently set up, it's difficult for service providers to make this call. They have to try and figure out who and what is generating these emails, which costs them more time, energy, and money than necessary.
This isn't ok. It's my fault things are this way. We can do better.
The Goals
I think with a few simple changes, we can make it much easier for service providers to respond to these incidents, quickly determining that the emails were generated with Gophish, and who to contact about these emails to verify it was a legitimate exercise.
However, when considering what changes to make, it's equally important to me to preserve your privacy.
That said, here's my proposal:
The Solution
- Add a contact address - I will add a `contact_address` configuration parameter to `config.json` that can include an email address you would like to receive abuse reports at. This is the address service providers can use to contact you about potential phishing emails they detect. This will not be required, but Gophish will give a warning in the terminal every time it is started without one.
- Show Information When Requested with "+" - I will add an endpoint similar to the one used by Bitly wherein a "+" added to the end of a valid `rid` parameter will return the contact address, if configured, as well as a simple message indicating the email was generated by Gophish.
- Add an X-Mailer Header - I will add an X-Mailer header that will default to the value "Gophish" to indicate to service providers that the email was generated with Gophish. You can replace this by specifying your own X-Mailer header in your sending profile.
- Add an X-Gophish-Contact Header to Outgoing Emails - If the contact address is configured, I will add an X-Gophish-Contact header with this address to all outgoing emails to let service providers know who to contact about the emails they are investigating.
- Add a "First Run" Modal with Tips on Friendly Campaigns - These changes are just one step towards running friendly campaigns. I plan to add a modal that pops up the first time (and only the first time) you run Gophish that gives other helpful tips on running good, friendly phishing simulations such as setting up proper WHOIS records, how to avoid directly spoofing brands, and more.
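To make the header and "+" lookup behaviour concrete, here is an added Go sketch of those pieces of the proposal; it is illustration written for this page, not Gophish's own code, and the function names, the `abuse@example.com` contact and the `abc123` rid are constructed for the example. One detail worth seeing in code: because the transparency marker rides in a query parameter rather than the URL path, standard query decoding turns a literal "+" into a space, so a real endpoint has to accept both forms.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// TransparencyHeaders builds the two proposed outgoing-mail headers. contactAddress
// stands in for config.json's proposed contact_address; profileXMailer is the sending
// profile's own X-Mailer, if any. X-Mailer defaults to "Gophish"; X-Gophish-Contact is
// only set when a contact address is configured.
func TransparencyHeaders(contactAddress, profileXMailer string) map[string]string {
	h := map[string]string{"X-Mailer": "Gophish"}
	if profileXMailer != "" {
		h["X-Mailer"] = profileXMailer
	}
	if contactAddress != "" {
		h["X-Gophish-Contact"] = contactAddress
	}
	return h
}

// RIDInfoHandler answers the Bitly-style "+" lookup: a known rid followed by
// "+" returns a note that the email came from Gophish plus the contact address.
// Without the suffix, or for an unknown rid, nothing is disclosed (404 here;
// the normal landing-page flow is out of scope for this example).
func RIDInfoHandler(contactAddress string, knownRIDs map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		rid := r.URL.Query().Get("rid")
		// Query-string decoding turns a literal "+" into a space, so accept both.
		if !strings.HasSuffix(rid, "+") && !strings.HasSuffix(rid, " ") {
			http.NotFound(w, r)
			return
		}
		if !knownRIDs[strings.TrimRight(rid, "+ ")] {
			http.NotFound(w, r)
			return
		}
		fmt.Fprintln(w, "This email was generated by Gophish as part of an authorized phishing simulation.")
		if contactAddress != "" {
			fmt.Fprintf(w, "Contact: %s\n", contactAddress)
		}
	}
}

func main() {
	fmt.Println(TransparencyHeaders("abuse@example.com", ""))
	http.ListenAndServe(":8080", RIDInfoHandler("abuse@example.com", map[string]bool{"abc123": true}))
}
```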
Final Thoughts
As you can see, the (optional but recommended!) contact address and the fact you're using Gophish are only accessible with a valid email or a valid Gophish link (with the `rid` parameter), helping preserve your privacy.
I can almost certainly assure you these changes will not influence the success rate of your campaigns. In fact, if you have an astute user who reports an email based on these traits, reward them! This would be an incredible thing and a sign that your users care about suspicious emails.
Finally, please remember: we're the "good guys". We don't want service providers to be spending their time looking into the well-intentioned, authorized exercises being conducted and instead focus their efforts on the actual people trying to phish our users and spoof their brand. These changes will help us be more transparent about what we're doing, saving them time and helping us run more friendly campaigns.
Please let me know if you have any questions / comments / other feedback!