phishing-frenzy icon indicating copy to clipboard operation
phishing-frenzy copied to clipboard

Published 20 hours ago verified publisher icon pentestgeek

Distinguish load embedded picture and open email

Open fraf0 opened this issue 8 years ago • 4 comments

Hi,

The code flag an email "opened" if the embedded link is open. This is logical : to click on the link, an user must have open the email.

The same flag "opened" is used if the user loads embedded image (pixel tracking).

It would be great to distinguish the 2 actions because they not have the same meaning in analyze for a client and can drive to different messages in future sensibilisation actions.

Regards, fraf

fraf0 avatar Sep 23 '16 12:09 fraf0

The opened metric is a tough one. We have decided that any user that clicks on the phishing link will automatically increment the opened metric as well. We also will increment the opened metric if the user has loaded all the remote content.

This really isn't an accurate metric because it all depends on the email client that people are viewing with. Some clients will automatically load remote content where some will not. So really the metric is going to be inaccurate to some extent for the most part no matter how you look at it.

zeknox avatar Sep 28 '16 15:09 zeknox

Hi,

I understand this.

As I work on professional phishing simulation, I think in most case, I will have a certain insurance for the mua and his configuration. Maybe some time I will recalculate the statistics directly on Apache log, so I can use appropriate rules according to my client situation. In my opinion, it's valuable for a client to understand if the embedded email content is loaded or not.

Thanks you for your answer.

Regards,

Fraf

Le 28 sept. 2016 à 17:13, Brandon McCann [email protected] a écrit :

The opened metric is a tough one. We have decided that any user that clicks on the phishing link will automatically increment the opened metric as well. We also will increment the opened metric if the user has loaded all the remote content.

This really isn't an accurate metric because it all depends on the email client that people are viewing with. Some clients will automatically load remote content where some will not. So really the metric is going to be inaccurate to some extent for the most part no matter how you look at it.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

fraf0 avatar Sep 28 '16 22:09 fraf0

You bring up a good point. Perhaps it makes sense to have two separate metrics. 1 for Emails Opened Explicitly, and one that is an Assumed Opened Metric using clicks to factor in the result.

zeknox avatar Sep 28 '16 22:09 zeknox

I would rather say 1 for embedded content loaded and 1 for email assumed opened.

fraf0 avatar Sep 29 '16 07:09 fraf0