Researchers from the company SEC Consult published a new spoofing technique caused by discrepancies in following the specification in various implementations of the SMTP protocol.
The proposed attack technique allows for the splitting of one message into several different messages when it is transmitted by the initial SMTP server to another SMTP server. This occurs when the receiving server interprets a sequence for separation of letters transmitted through one connection. The method can be used to send fictitious letters on behalf of other senders in postal services that verify the original sender.
The problem arises due to the fact that different SMTP servers interpret the data end sequence differently. This can result in the separation of one letter into several within a single session to the SMTP server. According to the specification, the sequence ” r n. R n” is used to mark the end of the transmission of a letter. Commands can follow this sequence to transmit another letter without breaking the connection.
Some SMTP servers strictly follow this prescription, while others, in order to ensure compatibility with certain rare postal clients, process different sequences as separators. These alternative sequences include ” n. N”, ” n. R n”, ” r n. n”, ” r. r”, ” r n 0. r n”, and ” r n 0. r n”.
The attack involves sending a letter to the first server, which only processes the ” r n. r n” sequence, but it contains an alternative separator, such as ” r. R”, followed by commands for sending a second message. Since the first server strictly adheres to the specifications, it processes the resulting sequence as a single letter. However, if the letter is then sent to a transit server or the recipient’s server, which also considers the sequence ” r. R” as a separator, it will be processed as two separately sent letters.