SMTP Smuggling: The New Threat to Email Security

In the ever-evolving landscape of cybersecurity, a new attack technique named “SMTP Smuggling” has emerged, posing a significant threat to the integrity of email communications. Discovered by Timo Longin, in collaboration with SEC Consult, SMTP Smuggling targets the fundamental protocol used by mail servers, revealing vulnerabilities even in the most trusted domains.

SMTP, or Simple Mail Transfer Protocol, is the backbone of email transmission, handling the sending, receiving, and relaying of emails. SMTP Smuggling exploits a critical weakness in this system: differences in how outbound and inbound SMTP servers interpret the end-of-data sequence that marks where one message ends.

[Image: Sending a phishing e-mail from admin@outlook.com via SMTP smuggling | Image credit: SEC Consult]

Longin and SEC Consult demonstrated how an attacker could abuse these differences to send spoofed emails from seemingly trusted domains, effectively bypassing established authentication mechanisms like SPF, DKIM, and DMARC. These mechanisms are designed to prevent spoofing and combat spam and phishing attacks. The alarming aspect of this technique is its potential to spoof emails from major brands like Microsoft, Amazon, PayPal, and many others.

An analysis revealed that millions of domains could be spoofed using SMTP Smuggling. Notably, the attack was successfully demonstrated with an email appearing to originate from ‘admin(at)outlook.com’. The root cause lies in how major email service providers, including GMX (Ionos), Microsoft, and Cisco, have configured their SMTP servers.

Upon notification in late July, GMX addressed the issue within approximately ten days. Microsoft, categorizing it as a moderate severity issue, released a patch in mid-October. Cisco, however, does not consider it a vulnerability, and SMTP Smuggling remains effective against the default configuration of Cisco Secure Email instances. Changing the product’s configuration can prevent these attacks.

SEC Consult warns that other vulnerable servers might exist, as not all SMTP software has been analyzed. They highlight that while SMTP Smuggling can bypass email authentication mechanisms, spam filters may still intercept spoofed emails based on content or other indicators.

Some widely used free and open-source mail transfer agents are susceptible to SMTP Smuggling attacks, including Postfix, Sendmail, and Exim. Specific CVEs have been assigned to these vulnerabilities:

  • CVE-2023-51764 (Postfix): Affects versions up to 3.8.4, allowing SMTP smuggling unless configured with specific restrictions. Attackers can inject emails appearing to originate from the Postfix server.
  • CVE-2023-51765 (Sendmail): Affects versions up to at least 8.14.7, permitting SMTP smuggling in certain configurations.
  • CVE-2023-51766 (Exim): Affects versions up to 4.97, with similar vulnerabilities.
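The weakness described above, that outbound and inbound servers may not agree on where a DATA section ends, is easiest to see from the receiving side. The following is an added example written for this article; it is not code from SEC Consult, Postfix, Sendmail or Exim. It assumes an inbound server has buffered the raw bytes of a DATA section and wants to (a) recognise only the standard terminator, a line consisting of a single dot delimited by CRLF on both sides, and (b) refuse any message that contains a bare LF or CR before that terminator, since a lenient peer could split the same byte stream at a different point. The two sample streams are constructed for the example, not captured traffic.

```python
"""Strict end-of-data handling for an inbound SMTP server (added example).

Not code from SEC Consult or any MTA named in the article. Assumes the
server has the raw bytes of a DATA section in a buffer and wants to accept
only the RFC 5321 terminator <CR><LF>.<CR><LF>, rejecting messages whose
body contains bare newlines before it.
"""
import re
from typing import List, Optional, Tuple

CRLF = b"\r\n"
STRICT_EOD = b"\r\n.\r\n"

# An LF not preceded by CR, or a CR not followed by LF.
BARE_NEWLINE_RE = re.compile(rb"(?<!\r)\n|\r(?!\n)")
# One body line together with whatever terminator it actually used.
LINE_RE = re.compile(rb"([^\r\n]*)(\r\n|\n|\r)")


def split_strict(stream: bytes) -> Tuple[Optional[bytes], bytes]:
    """Split a buffered DATA stream at the conformant terminator only.

    Returns (body, remainder); body is None while the terminator has not
    arrived. The CRLF that ended the DATA command counts as the boundary
    before the first line, so an empty message is just b".\\r\\n".
    """
    probe = CRLF + stream
    idx = probe.find(STRICT_EOD)
    if idx < 0:
        return None, stream
    return probe[2:idx], probe[idx + len(STRICT_EOD):]


def bare_newline_offsets(body: bytes) -> List[int]:
    """Offsets of every bare LF or bare CR in the body."""
    return [m.start() for m in BARE_NEWLINE_RE.finditer(body)]


def lone_dot_on_bare_newline(body: bytes) -> bool:
    """True if a line consisting only of '.' is delimited by a bare newline.

    That is the shape a lenient receiver could mistake for end-of-data, so it
    is reported separately from other bare newlines.
    """
    prev_term = CRLF  # the DATA command's CRLF precedes the first line
    for m in LINE_RE.finditer(body):
        text, term = m.group(1), m.group(2)
        if text == b"." and (term != CRLF or prev_term != CRLF):
            return True
        prev_term = term
    return False


def audit_data_section(stream: bytes) -> dict:
    """Decide whether a buffered DATA section is safe to accept."""
    body, remainder = split_strict(stream)
    if body is None:
        return {"complete": False, "verdict": "wait"}
    bare = bare_newline_offsets(body)
    return {
        "complete": True,
        "bare_newlines": len(bare),
        "lone_dot_on_bare_newline": lone_dot_on_bare_newline(body),
        "trailing_bytes": len(remainder),
        "verdict": "reject" if bare else "accept",
    }


# Constructed sample streams (not captured traffic).
LEGIT = (b"From: alice@example.test\r\n"
         b"Subject: status\r\n"
         b"\r\n"
         b"All good.\r\n"
         b"..a dot-stuffed line is fine\r\n"
         b".\r\n")

# Same headers, but a lone '.' delimited by bare LFs appears before the
# real terminator, so a lenient peer would see two messages here.
SUSPICIOUS = (b"From: alice@example.test\r\n"
              b"Subject: status\r\n"
              b"\r\n"
              b"first part\n"
              b".\n"
              b"unexpected second section\r\n"
              b".\r\n")

if __name__ == "__main__":
    for name, stream in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(name, audit_data_section(stream))
```

The strict splitter never treats a bare-newline sequence as a terminator, so the second sample stays one message until its real CRLF.CRLF; the audit then rejects it outright because its body carries bare newlines at all, which is the behaviour a hardened inbound server should adopt rather than trying to guess what the sending side meant.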

The SMTP Smuggling attack represents a significant shift in the threat landscape, underscoring the need for continuous vigilance and adaptation in cybersecurity practices. System administrators and security professionals must stay informed and proactive in implementing protective measures, updating systems, and reconfiguring vulnerable software to safeguard against such sophisticated attack techniques.