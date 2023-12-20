Security researchers have found inconsistencies in how some Simple Mail Transfer Protocol (SMTP) servers handle end-of-data sequences. This allows the injection of SMTP commands into email messages in a way that causes receiving servers to treat them as two separate messages with one of them having its “From” headers spoofed. Furthermore, because the main message’s envelope successfully passes security checks like SPF, DKIM, and DMARC, the spoofed message is delivered to inboxes with no warnings.

The new attack, dubbed SMTP smuggling, was devised by Timo Longin, a senior security consultant at SEC Consult, and it affected millions of domains that used Microsoft Exchange Online or Ionos, a large German web and cloud hosting company, for email services. While both Microsoft and Ionos fixed the issue, domains that use Cisco Secure Email Gateway in default configuration might still be affected.

Longin borrowed the main concept for SMTP smuggling from another class of attacks known as HTTP request smuggling, where attackers trick a front-facing load balancer or reverse proxy into forwarding a specifically crafted request to a back-end application server in a way that makes the back-end server process it as two separate requests instead of one. This is achieved by modifying request headers so that they give the two servers conflicting information about where the request ends. If the front-end and back-end servers interpret the header values differently, and therefore disagree about where the request ends, rogue requests can be smuggled past the front-end server without being subjected to its normal security checks.

Similarly, at least two servers are involved when sending email across the internet: the SMTP server used by the sender (outbound) and the SMTP server of the recipient (inbound). If they have different interpretations about where a message ends, an attacker can slip rogue messages past security checks.

How SMTP works

SMTP is the communications protocol used to relay email messages across the internet from one domain to another. When you want to send messages from an email client, also known as a mail user agent (MUA), the application connects to your domain’s SMTP server, also known as a mail transfer agent (MTA), and passes the message to it. The server then looks up the SMTP server for the recipient’s domain name and relays the message to it. In other words, an SMTP server deals with both outbound and inbound connections, depending on whether it’s sending or receiving email for the domain names it’s configured to serve. One SMTP server can handle email for multiple domain names.

A connection from an MUA to an MTA begins with an extended hello (EHLO) command that communicates the user’s email domain to the server. The server checks whether it’s supposed to handle email for that domain and responds with its SMTP capabilities, or supported features, which can differ depending on how it was configured. The client then sends the STARTTLS command to enable encryption if the server supports it, followed by AUTH LOGIN to send the user’s credentials for authentication. The next commands are “MAIL FROM” and “RCPT TO”, which define the sending email address and the receiving address, followed by the DATA command, which indicates to the server the beginning of the actual email message.
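The disagreement the article describes lives in the last step of that session: after DATA, the receiving server has to decide where the message body ends. The following Python is an added, constructed illustration (not code from the article, from SEC Consult, or from any of the vendors named) of an inbound server's DATA reader. It delimits the same byte stream with the canonical RFC 5321 terminator (CRLF.CRLF) and with a lenient variant that also accepts a bare-LF terminator (an assumption chosen to model a lenient server, not a claim about any specific product), then shows a defensive audit that flags non-canonical end-of-data sequences and the outbound-side mitigation of canonicalising line endings and dot-stuffing before relaying. The sample message, addresses and terminator variants are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# RFC 5321 section 4.1.1.4: a DATA section ends only with <CRLF>.<CRLF>.
STRICT_TERMINATOR = b"\r\n.\r\n"
# Assumption used to model a lenient inbound server: it also accepts a bare-LF variant.
LENIENT_TERMINATORS = (b"\r\n.\r\n", b"\n.\n")
# Command verbs that a server would execute if they followed an end-of-data sequence.
SMTP_VERBS = (b"MAIL FROM:", b"RCPT TO:", b"DATA", b"EHLO", b"HELO", b"RSET", b"QUIT")


@dataclass
class DataSection:
    body: bytes                  # what this server accepts as the message
    leftover: bytes              # bytes after the terminator, parsed as further commands
    terminator: Optional[bytes]  # sequence that ended the section, or None if none found


def read_data_section(stream: bytes, terminators: Sequence[bytes]) -> DataSection:
    """Delimit the DATA body the way a server accepting `terminators` would.
    A CRLF is assumed before the first line so that a lone '.' first line also terminates."""
    padded = b"\r\n" + stream
    best = None
    for term in terminators:
        idx = padded.find(term)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, term)  # earliest match wins, as with line-by-line reading
    if best is None:
        return DataSection(body=stream, leftover=b"", terminator=None)
    idx, term = best
    return DataSection(body=padded[2:idx], leftover=padded[idx + len(term):], terminator=term)


def count_messages(stream: bytes, terminators: Sequence[bytes]) -> int:
    """Count the messages a server using `terminators` would extract from one DATA stream,
    treating leftover bytes as commands and resuming at the next DATA command."""
    count = 0
    while True:
        section = read_data_section(stream, terminators)
        if section.terminator is None:
            return count
        count += 1
        nxt = re.search(rb"(?im)^DATA\r?\n", section.leftover)
        if nxt is None:
            return count
        stream = section.leftover[nxt.end():]


def audit_data_section(stream: bytes) -> List[str]:
    """Inbound-side check: report non-canonical end-of-data sequences inside the body that a
    strict server keeps, and whether an SMTP command follows them."""
    findings = []
    body = read_data_section(stream, (STRICT_TERMINATOR,)).body
    pos = body.find(b"\n.\n")
    if pos != -1:
        after = body[pos + 3:].lstrip()
        note = "bare-LF end-of-data at offset %d" % pos
        if after.upper().startswith(SMTP_VERBS):
            note += " followed by SMTP command"
        findings.append(note)
    if b"\n" in body and b"\r\n" not in body:
        findings.append("bare LF line endings throughout body")
    return findings


def prepare_for_relay(body: bytes) -> bytes:
    """Outbound-side mitigation: canonicalise every line ending to CRLF and apply RFC 5321
    dot-stuffing, so no end-of-data sequence can survive inside the relayed body."""
    lines = re.split(rb"\r\n|\n|\r", body)
    if lines and lines[-1] == b"":
        lines.pop()
    stuffed = [b"." + line if line.startswith(b".") else line for line in lines]
    return b"\r\n".join(stuffed) + b"\r\n"


# Constructed sample as submitted by a client: the visible message carries a bare-LF "." line
# followed by SMTP commands and a second message (example domains, not real addresses).
SAMPLE_BODY = (
    b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: hello\r\n\r\n"
    b"This is the visible message.\n.\n"
    b"MAIL FROM:<someone@example.com>\r\nRCPT TO:<bob@example.net>\r\nDATA\r\n"
    b"From: ceo@example.com\r\n\r\nSecond message."
)
SAMPLE_STREAM = SAMPLE_BODY + b"\r\n.\r\n"          # as an inbound server receives it
RELAYED_STREAM = prepare_for_relay(SAMPLE_BODY) + b".\r\n"  # after the mitigation
CLEAN_STREAM = b"From: a@example.com\r\n\r\nHi\r\n.\r\n"   # ordinary message for contrast

if __name__ == "__main__":
    for name, stream in (("sample", SAMPLE_STREAM), ("relayed", RELAYED_STREAM), ("clean", CLEAN_STREAM)):
        print(name, "strict:", count_messages(stream, (STRICT_TERMINATOR,)),
              "lenient:", count_messages(stream, LENIENT_TERMINATORS),
              "findings:", audit_data_section(stream))
```

The strict reader sees one message in the sample stream and keeps the embedded commands as harmless body text, while the lenient reader sees two; that gap is exactly the interpretation mismatch the article describes. The audit gives an inbound server a reason to reject or quarantine such input, and `prepare_for_relay` shows why a correctly dot-stuffing, CRLF-normalising outbound server never hands a downstream server a stream it can misparse.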