GoPhish Powers RSVP for Pentester Nepal’s 12th Anniversary

Pentester Nepal, a leading cybersecurity community in Nepal, recently celebrated its 12th anniversary on August 16, 2025, at Ullens College in Lalitpur. The free event featured expert talks on bug bounty hunting, AI governance, OAuth attacks, and more. We needed an accurate headcount estimate for the event, as it was critical for logistics planning and ensuring we could accommodate everyone comfortably. We initially began collecting email addresses using Google Forms; however, due to a miscommunication from the team, we needed to send out formal RSVP requests afterwards.

For this, we opted to use GoPhish for its campaign-style infrastructure, which let us distribute RSVP emails efficiently at scale and track engagement with a level of flexibility that tools like Google Forms or Eventbrite couldn’t match. In other words, we creatively repurposed GoPhish, an open-source phishing simulation toolkit, not for its intended security training but as a robust tool for mass emailing and click-based RSVP tracking.

This approach enabled us to send personalised invitations to hundreds of community members and monitor responses in real-time via a custom landing page at rsvp.pentesternepal.com.

Sample Email

Why GoPhish? A Quick Overview of the Tool

GoPhish is a free, open-source framework designed primarily for phishing awareness simulations. Built in Go, it's lightweight, easy to deploy, and runs a web-based admin interface alongside a phishing server. Its key features include:

  • Campaign Orchestration: Combines email templates, landing pages, user groups, and sending profiles into automated workflows.

  • Tracking Mechanisms: Pixel-based open tracking, URL-based click tracking, and form submission capture.

  • Reporting Dashboard: Real-time timelines, per-user results, and exportable reports in CSV/JSON.

  • Scalability: Handles thousands of emails with minimal resources, using SMTP for delivery.

While typically used for red-team exercises (e.g., simulating credential-harvesting attacks), its modular design supports creative repurposing. For our event, we leveraged it to send RSVP invites, track engagement, and confirm attendance via clicks, treating each interaction as a "confirmed" participant. This gave us a rough attendee estimate without requiring complex integrations or paid services.

We launched the campaign, linking the template, landing page, user group, and sending profile. Emails were scheduled to go out over a 3-hour period, with throttling to avoid spam flags. Each click on the RSVP link logged a unique Recipient ID (RID), ensuring accurate tracking.
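An added example, not part of the original post or of GoPhish itself: one way to turn exported campaign events into a headcount, counting each invitee once however many times they clicked. It assumes event rows with `email`, `time`, `message` and `details` fields (with the RID inside the `details` JSON) and sets aside clicks that land within an assumed 10 seconds of delivery, since mail security gateways often follow links automatically; the sample rows are constructed.

```python
import json
from datetime import datetime, timedelta

def _ts(value):
    # Sample timestamps are whole-second UTC; a real export may need other parsing.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def rsvp_headcount(rows, scanner_window=timedelta(seconds=10)):
    """Count unique RSVP clicks; set aside clicks that arrive right after delivery."""
    sent, clicks = {}, {}
    for row in rows:
        when = _ts(row["time"])
        if row["message"] == "Email Sent":
            sent[row["email"]] = when
        elif row["message"] == "Clicked Link":
            details = json.loads(row["details"] or "{}")
            rid = (details.get("payload", {}).get("rid") or [None])[0]
            # Key on the RID so repeat clicks by one invitee count once.
            clicks.setdefault((rid, row["email"]), []).append(when)
    confirmed, review = set(), set()
    for (_rid, email), times in clicks.items():
        delivered = sent.get(email)
        # A click long enough after delivery is treated as a person (assumed heuristic).
        human = [t for t in times
                 if delivered is None or t - delivered >= scanner_window]
        (confirmed if human else review).add(email)
    return {"invited": len(sent),
            "confirmed": sorted(confirmed),
            "review": sorted(review - confirmed)}

def _event(email, time, message, rid=None):
    details = json.dumps({"payload": {"rid": [rid]}}) if rid else ""
    return {"email": email, "time": time, "message": message, "details": details}

# Constructed sample rows (hypothetical invitees and RIDs), not real campaign data.
SAMPLE_EVENTS = [
    _event("asha@example.org", "2025-08-10T09:00:00Z", "Email Sent"),
    _event("asha@example.org", "2025-08-10T09:42:10Z", "Clicked Link", "RID0001"),
    _event("asha@example.org", "2025-08-10T09:43:00Z", "Clicked Link", "RID0001"),
    _event("bikash@example.org", "2025-08-10T09:00:05Z", "Email Sent"),
    _event("bikash@example.org", "2025-08-10T09:00:07Z", "Clicked Link", "RID0002"),
    _event("chandra@example.org", "2025-08-10T09:00:10Z", "Email Sent"),
    _event("chandra@example.org", "2025-08-10T09:00:12Z", "Clicked Link", "RID0003"),
    _event("chandra@example.org", "2025-08-10T11:15:00Z", "Clicked Link", "RID0003"),
    _event("dipa@example.org", "2025-08-10T09:00:15Z", "Email Sent"),
]

if __name__ == "__main__":
    print(rsvp_headcount(SAMPLE_EVENTS))
```

Rows read from a CSV export with `csv.DictReader` can be passed to `rsvp_headcount` directly, provided the column names match the assumed ones.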

For Transparency:

To maintain trust and compliance, we adhered to strict privacy practices:

  • All data within GoPhish is cleared after the campaign, and no information is retained

  • No personal information was reused or repurposed outside of the RSVP process

  • No sensitive data was captured

  • DKIM/SPF were configured on our domain to avoid spam folders

  • Emails and RSVPs were handled securely and flawlessly

  • Only invited participants were emailed

  • Access to the collected information was restricted to internal organisers only

  • GoPhish was used purely for logistics, not to simulate phishing or test security awareness

This setup took ~30 minutes, far quicker than custom scripting and over-complicating things. By repurposing GoPhish, we not only estimated attendees accurately but also demonstrated cybersecurity tools' versatility, fitting for a community event. It also showcased how cybersecurity tools can solve real-world problems beyond their intended scope.

A Note on Ethical Use and Experimentation

GoPhish is a powerful tool, but it must be used responsibly. Never deploy it for malicious purposes, such as unauthorised phishing or data collection, as this violates ethical and legal boundaries. Instead, embrace its versatility for legitimate use cases like ours, whether for event management, internal training, or other creative applications. The cybersecurity community thrives on experimentation, so explore tools like GoPhish to solve problems innovatively, but always prioritise user trust and data protection.

Using GoPhish for RSVP tracking was a success, enabling us to manage a large-scale event with precision and minimal overhead. Its analytics helped us allocate resources effectively, ensuring a seamless experience for attendees enjoying talks, networking, and the CTF. For organisers planning similar events, GoPhish offers a free, scalable solution. Check out its source on GitHub and experiment responsibly!

Stay curious, keep hacking (ethically), and join us at future Pentester Nepal events to connect with Nepal’s growing infosec community.


Written by

Pradip Bhattarai