Bug Bounty Tip: MailFlow scans campaign links for safety. An IP blacklist prevents internal scanning, but alternative representations (octal IPs, DNS rebinding, IPv6) may bypass the filter and reach internal services.
Campaign: Summer Sale 2024 Draft
Links in this campaign
MailFlow will fetch and scan the URL for safety before adding it to the campaign.
Security Policy
The following destinations are blocked from scanning:
  • localhost
  • 127.0.0.0/8 (any 127.x.x.x)
  • kzlabs.in
  • 142.93.35.49
Where Bug Hunters Find This
  • Email marketing link scanners (Mailchimp, SendGrid)
  • URL safety checkers (Google Safe Browsing)
  • Anti-virus URL scanners
  • Content moderation bots
  • Penetration testing report validators

Common Bypass Techniques
Alternative IP Formats
http://0177.0.0.1 (octal)
http://2130706433 (decimal)
http://0x7f000001 (hex)
http://[::ffff:127.0.0.1] (IPv6)
DNS Rebinding
http://attacker.com resolves to 127.0.0.1 with a low TTL
Redirect Chains
http://allowed.com → 302 → http://127.0.0.1
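
A defensive counterpart to the bypasses listed above, as an added example (not MailFlow's code): canonicalise the host before comparing it with the blocklist, check every resolved address, and hand the vetted IPs back to the fetcher. The function names, the injectable `resolve` parameter, the `::1/128` entry and the refusal of every non-public address are assumptions that go beyond the four entries in the policy.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy from the page's blocklist; ::1/128 is an added assumption to cover IPv6 loopback.
BLOCKED_HOSTS = {"localhost", "kzlabs.in"}
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "142.93.35.49/32", "::1/128")]

def parse_ip_literal(host):
    """Canonicalise any IP literal an HTTP client would accept; None if host is a name."""
    try:
        # inet_aton understands the octal, hex, decimal and short forms, as most fetchers do.
        ip = ipaddress.ip_address(socket.inet_aton(host))
    except (OSError, ValueError):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return None
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to it.
    return getattr(ip, "ipv4_mapped", None) or ip

def is_blocked(ip):
    # Assumption beyond the page's list: anything that is not publicly routable is refused.
    return any(ip in net for net in BLOCKED_NETS) or not ip.is_global

def system_resolve(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def vet_url(url, resolve=system_resolve):
    """Return the vetted IPs the scanner may connect to, or raise ValueError."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme not in ("http", "https") or not host or host in BLOCKED_HOSTS:
        raise ValueError(f"refused: {url}")
    literal = parse_ip_literal(host)
    addrs = [literal] if literal is not None else [parse_ip_literal(a) for a in resolve(host)]
    # Every answer must pass: one internal record among several is enough to refuse.
    if not addrs or any(a is None or is_blocked(a) for a in addrs):
        raise ValueError(f"refused: {url}")
    # Connect to these exact IPs (no second lookup) so a low-TTL rebind cannot swap the
    # target, and pass every redirect Location through vet_url instead of auto-following.
    return addrs

def is_allowed(url, resolve=system_resolve):
    try:
        return bool(vet_url(url, resolve))
    except (ValueError, OSError):
        return False
```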