37C3 - SMTP Smuggling – Spoofing E-Mails Worldwide

SMTP Smuggling: how a mismatch in end-of-data handling between outbound and inbound SMTP servers lets an attacker send emails that appear to come from any address at a vulnerable domain, affecting sysadmins, security researchers and users of global email services alike.

Key takeaways

SMTP Smuggling: Spoofing Emails Worldwide

  • SMTP smuggling is a novel email-spoofing technique: an attacker with an ordinary account at a vulnerable mail provider can send emails that appear to come from any address at that provider's domain, and the spoofed messages pass SPF (and therefore DMARC) checks at the receiver because they really do leave the domain's outbound server. It is a pure SMTP protocol issue; no HTTP is involved.
  • The attack uses a non-RFC-conformant end-of-data sequence. RFC 5321 ends the DATA phase only at <CR><LF>.<CR><LF>; variants such as <CR>.<CR><LF> or a bare <LF>.<LF> are forwarded unchanged by some outbound servers but accepted as end-of-data by some inbound servers, and that disagreement is what makes the spoofing possible.
  • The issue was found in 2023 and published in December 2023; the talk puts the number of domains affected worldwide at more than 1.35 million.
  • The vulnerability was disclosed to Microsoft (Exchange Online), GMX and the Postfix project, which shipped fixes; others, including Cisco, did not classify the behaviour as a vulnerability and left their default configuration unchanged.
  • The attack works because the outbound server relays the attacker's message, including the fake end-of-data sequence, byte for byte. The inbound server treats that sequence as the end of the message and parses the remaining bytes as new SMTP commands (MAIL FROM, RCPT TO, DATA), so the attacker injects a second email with an arbitrary envelope sender inside the same SMTP session.
  • On the inbound side, Postfix and Sendmail accepted such sequences in their default configurations at the time of disclosure; patched releases and hardening options have since been published (for Postfix 3.8.4 and the patched older releases, smtpd_forbid_bare_newline = yes). The attacker needs nothing more than a single SMTP session with a vulnerable outbound server.
  • The impact is global: anyone whose mail server accepts email from a vulnerable domain can receive a spoofed message, and the demonstrated targets included sysadmins and security researchers as well as everyday users of email services.
  • Researcher Timo Longin (SEC Consult) discovered the vulnerability and published a blog post detailing the attack.
  • Disclosure was coordinated through CERT/CC, the CERT Coordination Center at Carnegie Mellon University in the US, which confirmed the vulnerability.
  • Prevention is needed on both sides: outbound servers must not relay non-conformant line endings (normalise bare CR and LF to CRLF and dot-stuff before forwarding), and inbound servers should accept only <CR><LF>.<CR><LF> as end-of-data and reject or normalise bare newlines inside DATA. Checking SMTP traffic for such sequences also detects attempts.
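The following is an added toy model of the mechanism described in the takeaways above; it is not code from the talk or from SEC Consult, and every address, domain and message in it is constructed for the example. It relays an attacker-supplied body through a modelled outbound server (with and without line-ending normalisation and dot-stuffing) into a modelled inbound server (strict RFC end-of-data versus lenient), and shows that only the combination "outbound forwards verbatim" plus "inbound lenient" turns one DATA payload into two accepted messages, the second with a spoofed envelope sender. It also includes the outbound-side check the last bullet asks for.

```python
"""Toy model of SMTP smuggling (added example, not the talk's code).

An outbound server relays attacker-supplied message bytes to an inbound
server. If the outbound side forwards a non-RFC end-of-data sequence
unchanged and the inbound side accepts it, the inbound server ends the
DATA phase early and parses the rest of the body as new SMTP commands,
yielding a second, spoofed message. All addresses are constructed.
"""
import re

# RFC 5321 section 4.1.1.4: DATA ends only at <CRLF>.<CRLF>
STRICT_EOD = b"\r\n.\r\n"
# What a lenient receiver accepts: CRLF, bare CR or bare LF on either side of the dot
LENIENT_EOD = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")

# Constructed attacker body, submitted to the outbound server of victim.example.
# The "\r.\r\n" is the non-conformant end-of-data sequence that does the smuggling.
ATTACKER_BODY = (
    b"Subject: hello\r\n\r\nlegit text"
    b"\r.\r\n"
    b"MAIL FROM:<admin@victim.example>\r\n"
    b"RCPT TO:<target@other.example>\r\n"
    b"DATA\r\n"
    b"From: admin@victim.example\r\nSubject: smuggled\r\n\r\nplease reset your password"
)


def suspicious_eod_sequences(body: bytes) -> list[bytes]:
    """Outbound-side check: any <newline>.<newline> inside a submitted body is
    either a smuggling attempt or a client that failed to dot-stuff."""
    return [m.group(0) for m in LENIENT_EOD.finditer(body)]


def outbound_forward(mail_from: bytes, rcpt_to: bytes, body: bytes, normalize: bool) -> bytes:
    """Build the SMTP stream the outbound server sends to the inbound server.

    normalize=True turns every line ending into CRLF and dot-stuffs any line
    that then starts with '.' (RFC 5321 section 4.5.2), so no end-of-data-like
    sequence survives inside the body. normalize=False relays the body
    byte for byte, which is the vulnerable behaviour."""
    if normalize:
        body = re.sub(rb"\r\n|\r|\n", b"\r\n", body)
        body = b"\r\n".join(b"." + ln if ln.startswith(b".") else ln
                            for ln in body.split(b"\r\n"))
    return (b"MAIL FROM:<" + mail_from + b">\r\n"
            + b"RCPT TO:<" + rcpt_to + b">\r\n"
            + b"DATA\r\n" + body + STRICT_EOD)


def inbound_parse(stream: bytes, lenient: bool) -> list[dict]:
    """Minimal inbound-server view of a client stream: MAIL FROM / RCPT TO / DATA.

    lenient=True ends DATA at the first LENIENT_EOD match, lenient=False only
    at the RFC sequence. Returns one dict per accepted message."""
    messages, cur, pos = [], {}, 0
    while True:
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            return messages
        line, pos = stream[pos:nl], nl + 2
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            cur = {"mail_from": line[10:].strip(b"<> "), "rcpt_to": []}
        elif upper.startswith(b"RCPT TO:"):
            cur["rcpt_to"].append(line[8:].strip(b"<> "))
        elif upper == b"DATA":
            search_from = pos - 2  # include the CRLF that ended "DATA" so an empty body works
            if lenient:
                m = LENIENT_EOD.search(stream, search_from)
                if m is None:
                    raise ValueError("unterminated DATA")
                eod_start, eod_end = m.start(), m.end()
            else:
                eod_start = stream.find(STRICT_EOD, search_from)
                if eod_start < 0:
                    raise ValueError("unterminated DATA")
                eod_end = eod_start + len(STRICT_EOD)
            raw = stream[pos:max(eod_start, pos)]
            # undo dot-stuffing, as a real receiver does
            cur["body"] = b"\r\n".join(ln[1:] if ln.startswith(b".") else ln
                                       for ln in raw.split(b"\r\n"))
            messages.append(cur)
            cur, pos = {}, eod_end
        # other commands (EHLO, QUIT, ...) are irrelevant to this toy and ignored


def smuggle_scenario(outbound_normalizes: bool, inbound_lenient: bool) -> list[bytes]:
    """Relay ATTACKER_BODY through the modelled server pair and return the envelope
    senders the inbound server accepted; two entries means the smuggling worked."""
    stream = outbound_forward(b"attacker@victim.example", b"target@other.example",
                              ATTACKER_BODY, normalize=outbound_normalizes)
    return [m["mail_from"] for m in inbound_parse(stream, lenient=inbound_lenient)]


if __name__ == "__main__":
    print("outbound check flags:", suspicious_eod_sequences(ATTACKER_BODY))
    for out_norm in (False, True):
        for in_lenient in (True, False):
            print(f"outbound normalizes={out_norm!s:5} inbound lenient={in_lenient!s:5} ->",
                  smuggle_scenario(out_norm, in_lenient))
```

Running the script prints two accepted senders only for the verbatim-outbound, lenient-inbound pair; fixing either side is enough in this model, which is why the takeaways recommend hardening both. Real servers differ from the toy in details (pipelining, TLS, which exact sequences each implementation tolerates), so treat the model as an illustration of the parsing disagreement, not as a scanner.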