A novel exploitation method known as Simple Mail Transfer Protocol (SMTP) smuggling has emerged, presenting a means for threat actors to manipulate vulnerable SMTP servers. This enables the sending of deceptive emails with falsified sender addresses, evading typical security protocols.
According to Timo Longin, a senior security consultant at SEC Consult, this technique empowers threat actors to utilize compromised SMTP servers globally, sending malicious emails from seemingly legitimate addresses. This method opens avenues for targeted phishing attacks, as highlighted in an analysis released last month.
SMTP, a TCP/IP protocol integral to email communication, facilitates the transmission of email messages across networks. Once an SMTP connection is established between an email client (referred to as the mail user agent) and a server, the actual content of the email is relayed over it.
This newfound exploitation technique poses significant risks due to its potential for creating deceptive emails, bypassing conventional security measures, and amplifying the threat of targeted phishing endeavors.
After receiving an email, the server relies on a mail transfer agent (MTA) to verify the recipient’s email domain. If it differs from the sender’s domain, the MTA queries the domain name system (DNS) for the MX (mail exchanger) record of the recipient’s domain, which completes the mail exchange.
At its core, SMTP smuggling exploits inconsistencies in how outbound and inbound SMTP servers interpret end-of-data sequences. Where the two disagree, a threat actor can break out of the message data, insert SMTP commands the receiving server was never meant to process, and trigger a separate email transmission.
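The end-of-data disparity described above is easiest to see from the inbound side. The following Python is an added example, not SEC Consult’s code or any mail server’s implementation; it assumes the raw bytes received after the DATA command are available as a `bytes` object, and it treats only the RFC 5321 terminator (CRLF, a lone dot, CRLF) as the end of the message, reporting any lookalike sequence built from bare or mixed line endings instead of honouring it.

```python
import re

# Canonical end-of-data sequence defined by RFC 5321: CRLF "." CRLF.
CANONICAL_EOD = b"\r\n.\r\n"

# Any "<line break> . <line break>" built from a bare LF, a bare CR or mixed
# endings. Outbound and inbound servers that disagree on whether such a
# sequence ends the DATA phase are what SMTP smuggling relies on, so a strict
# inbound parser logs these and never treats them as a terminator.
LOOSE_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")

# A CR or LF outside a CRLF pair, which RFC 5321 forbids inside message data.
BARE_LINE_ENDING = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def find_loose_terminators(data: bytes) -> list:
    """Offsets of end-of-data lookalikes in data that are not exactly CRLF.CRLF."""
    return [m.start() for m in LOOSE_EOD.finditer(data)
            if m.group(0) != CANONICAL_EOD]


def has_bare_line_endings(data: bytes) -> bool:
    """True if a CR or LF appears outside a CRLF pair."""
    return BARE_LINE_ENDING.search(data) is not None


def read_data_phase(stream: bytes) -> dict:
    """Strictly consume one DATA phase from the raw bytes received after DATA.

    Only CRLF.CRLF ends the message. Returns the dot-unstuffed message lines,
    any bytes that follow the terminator (the next SMTP command, if the client
    pipelined one), and a list of findings an operator would log or reject on.
    """
    # A leading CRLF lets a message of zero lines (stream starting with ".\r\n")
    # and a first-line ".<bare LF>" lookalike be handled by the same searches.
    buf = b"\r\n" + stream
    idx = buf.find(CANONICAL_EOD)
    if idx == -1:
        raise ValueError("DATA phase incomplete: CRLF.CRLF terminator not found")

    raw_body = buf[2:idx + 2]  # message lines, each including its trailing CRLF
    remainder = buf[idx + len(CANONICAL_EOD):]

    findings = []
    for off in find_loose_terminators(buf[:idx + 2]):
        findings.append("non-canonical end-of-data lookalike at offset %d"
                        % max(0, off - 2))
    if has_bare_line_endings(raw_body):
        findings.append("bare CR or LF outside CRLF in message data")

    # Dot-unstuffing per RFC 5321 section 4.5.2: the sender added a leading "."
    # to any line that began with ".", so remove exactly one.
    lines = [line[1:] if line.startswith(b".") else line
             for line in raw_body.split(b"\r\n")[:-1]]
    return {"lines": lines, "remainder": remainder, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a well-formed message followed by a pipelined QUIT.
    clean = b"Subject: hello\r\n\r\nBody line\r\n.\r\nQUIT\r\n"
    # Constructed sample: a bare-LF "<LF>.<LF>" lookalike inside the message.
    # A lenient server might end the message there; this reader keeps it as
    # body data and reports it instead.
    suspicious = b"Subject: test\r\n\n.\nX-Injected: yes\r\n.\r\n"
    for sample in (clean, suspicious):
        result = read_data_phase(sample)
        print(len(result["lines"]), "lines,", result["findings"] or "no findings")
```

The design choice that matters is that a lookalike sequence never changes where the message ends: whatever follows it stays inside the message data rather than being parsed as a new command, and the finding gives the operator something to alert or reject on. A server that also refuses bare line endings outright removes the ambiguity entirely.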
The technique draws inspiration from the well-known HTTP request smuggling attack, which capitalizes on inconsistencies in how the “Content-Length” and “Transfer-Encoding” HTTP headers are interpreted, allowing an ambiguous request to be appended to the inbound request chain.
By exploiting flaws in messaging servers from Microsoft, GMX, and Cisco, the technique enables emails with falsified origins to be sent across numerous domains. SMTP implementations in Postfix and Sendmail are affected as well.
The method permits the creation of deceptive emails that appear legitimate, bypassing security measures such as DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and Sender Policy Framework (SPF).
Microsoft and GMX have addressed these issues. Cisco, however, regards the findings as a feature rather than a vulnerability and does not intend to modify the default configuration. Consequently, inbound SMTP smuggling remains possible against Cisco Secure Email instances running default settings.
To mitigate this, SEC Consult advises Cisco users to change the setting from “Clean” to “Allow” so that they no longer receive spoofed emails that pass valid DMARC checks.