Spoof-proof Emails: Hackers’ Latest SMTP Smuggling Attack Unveiled

December 19, 2023
1 min read

SMTP (Simple Mail Transfer Protocol) smuggling is a technique that allows hackers to send spoofed emails by exploiting inconsistencies in how proxy servers or firewalls analyze and handle SMTP traffic. This technique makes it difficult for security systems to accurately diagnose the email transfer process and can lead to potential security vulnerabilities.

– New SMTP smuggling attack allows hackers to send spoofed emails by exploiting inconsistencies in how proxy servers or firewalls handle SMTP traffic.
– The attack can be used to send malicious emails from any address and can be used for phishing attacks.
– Two types of SMTP smuggling have been discovered: outbound and inbound.
– The attack exploits SMTP protocol interpretation differences and bypasses SPF checks to spoof emails from various domains.
– Vulnerable servers globally can be exploited for phishing attacks by sending malicious emails from any address.
– Multiple 0-day flaws have been found and vendors have been notified in a 2023 responsible disclosure.
– Microsoft, GMX, and Cisco Secure Email have released updates to address the vulnerabilities.

SMTP smuggling is made possible by the differences in how SMTP commands are interpreted by different servers. By sending a sequence of SMTP commands, attackers can bypass security measures and send spoofed emails while passing SPF checks.

– SMTP smuggling is made possible by differences in how SMTP commands are interpreted by different servers.
– The attack allows hackers to send spoofed emails while passing SPF checks.
– Microsoft and GMX have released updates to address vulnerabilities, but manual updates are required for Cisco Secure Email users.
– The attack targets inbound SMTP servers that verify sender authenticity using SPF, DKIM, and DMARC.
– SPF checks only the MAIL FROM domain, not the arbitrary value in the From header, which poses a limitation.
– DKIM signs message data, including the From header, but does not enforce the key’s domain.
– DMARC checks if the “From” domain aligns with SPF and/or DKIM, and rejects messages failing DMARC.

Inbound SMTP servers that do not properly handle unconventional end-of-data sequences can be vulnerable to SMTP smuggling attacks. Despite patches from Microsoft and GMX, default-configured Cisco Secure Email instances remain vulnerable to inbound SMTP smuggling.

– Insecure inbound SMTP servers can be vulnerable to SMTP smuggling attacks.
– Unconventional end-of-data sequences can bypass security measures.
– Cisco Secure Email instances remain vulnerable to inbound SMTP smuggling despite patches.
– Changing default configurations is strongly recommended.

Overall, SMTP smuggling is a technique that allows hackers to send spoofed emails by exploiting inconsistencies in how proxy servers and firewalls handle SMTP traffic. The attack can be used to send malicious emails from any address and bypasses SPF checks to spoof emails from various domains. Vulnerable servers globally can be exploited for phishing attacks and multiple 0-day flaws have been identified and reported to vendors. Updates have been released to address the vulnerabilities, but manual updates may be required for certain email providers.

Latest from Blog

Top VPN’s privacy claims confirmed by independent auditors

TLDR: Independent auditors from Deloitte Romania confirmed CyberGhost VPN’s privacy claims through a detailed audit of their systems. Auditors found that CyberGhost’s no-logs infrastructure works as expected, ensuring user data privacy. Independent