SMTP Smuggling: New Flaw Lets Attackers Bypass Security and Spoof Emails

A new exploitation technique called Simple Mail Transfer Protocol (SMTP) smuggling can be weaponized by threat actors to send spoofed emails with fake sender addresses while bypassing security measures.

“Threat actors could abuse vulnerable SMTP servers worldwide to send malicious emails from arbitrary email addresses, allowing targeted phishing attacks,” Timo Longin, a senior security consultant at SEC Consult, said in an analysis published last month.

SMTP is a TCP/IP protocol used to send and receive email messages over a network. To relay a message from an email client (aka mail user agent), an SMTP connection is established between the client and server in order to transmit the actual content of the email.

The server then relies on what’s called a mail transfer agent (MTA) to check the domain of the recipient’s email address, and if it’s different from that of the sender, it queries the domain name system (DNS) to look up the MX (mail exchanger) record for the recipient’s domain and complete the mail exchange.

The crux of SMTP smuggling is rooted in the inconsistencies that arise when outbound and inbound SMTP servers handle end-of-data sequences differently, potentially enabling threat actors to break out of the message data, “smuggle” arbitrary SMTP commands, and even send separate emails.

It borrows the concept from a known attack method referred to as HTTP request smuggling, which takes advantage of discrepancies in the interpretation and processing of the “Content-Length” and “Transfer-Encoding” HTTP headers to prepend an ambiguous request to the inbound request chain.

Specifically, it exploits security flaws in messaging servers from Microsoft, GMX, and Cisco to send emails spoofing millions of domains. Also impacted are SMTP implementations from Postfix and Sendmail.

This allows for sending forged emails that seemingly look like they are originating from legitimate senders and defeat checks in place erected to ensure the authenticity of incoming messages – i.e., DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF).

While Microsoft and GMX have rectified the issues, Cisco said the findings do not constitute a “vulnerability, but a feature and that they will not change the default configuration.” As a result, inbound SMTP smuggling to Cisco Secure Email instances is still possible with default configurations.

As a fix, SEC Consult recommends Cisco users change their settings from “Clean” to “Allow” in order to avoid receiving spoofed emails with valid DMARC checks.