When email travels over the Internet today, the Simple Mail Transfer Protocol (SMTP) is almost certainly involved. The majority of email clients and servers use it to deliver messages, whether to local or remote recipients, and the servers responsible for the transfer use it among themselves. The protocol is outdated, and many of today's annoying email problems, from spam to phishing, can be traced back to the fact that it has essentially never been thoroughly overhauled.
More surprisingly still, researchers at SEC Consult discovered another unpleasant property only in June: with slightly altered input data they were able to impersonate email senders, for example posing as user moderators. This would hardly be news if the technique, which its discoverers named "SMTP smuggling", had not slipped past every mechanism designed to prevent exactly that. SPF, DKIM, and DMARC, which are supposed to catch such forgeries through declarations of authorized sending servers, signatures, and header checks, fail under "ideal" conditions.
The technique borrows from attacks on web servers that exploited implementation weaknesses: by sending the frontend an ambiguously framed request, attackers could smuggle additional requests through to backend servers as free riders. SEC Consult's researchers found that something similar happens in the SMTP dialogue between servers, because they interpret the agreed end-of-data marker, a line containing only a period, differently. This allowed them to attach a second message with forged sender addresses to an innocuous one.
The forged messages pass as genuine because they come from the same server.
The researchers used these findings to examine how the servers of several large email providers behave. They also found variants through which the vulnerability could be exploited: which one works depends on the line endings used, for example only line feed characters, combinations with carriage returns, or interspersed blank characters. Since the forged email arrives from the very server in question, the technologies invented to combat forgery, such as SPF, DKIM and DMARC, may even confirm its supposed authenticity.
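The mismatch described above, as an added illustration that is not SEC Consult's code nor that of any mail server: the same DATA stream is one message to a receiver that honours only CRLF.CRLF and two messages to a lenient receiver, and the last function is the check a receiving or relaying server can apply. The sample message, addresses and the bare-LF variant are constructed for the example.

```python
import re

# Canonical SMTP end-of-data marker: <CRLF>.<CRLF>
STRICT_EOD = b"\r\n.\r\n"

# Sequences a lenient receiver may also accept as end-of-data: a lone period
# framed by a bare LF, a bare CR or a mix (the variants the article names).
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def split_strict(data: bytes) -> list[bytes]:
    """Cut a DATA stream the way a conforming receiver does: only CRLF.CRLF ends a message."""
    msgs = []
    while (idx := data.find(STRICT_EOD)) >= 0:
        msgs.append(data[:idx])
        data = data[idx + len(STRICT_EOD):]
    return msgs  # bytes after the last marker are not a finished message


def split_lenient(data: bytes) -> list[bytes]:
    """Cut the same stream the way a lenient receiver does: any <newline>.<newline>
    ends a message, so whatever follows is parsed as a fresh SMTP transaction."""
    msgs, pos = [], 0
    for m in LENIENT_EOD.finditer(data):
        msgs.append(data[pos:m.start()])
        pos = m.end()
    return msgs


def find_nonstandard_terminators(data: bytes) -> list[bytes]:
    """Every end-of-data-like sequence that is not CRLF.CRLF. A receiver can reject or
    log the DATA when this is non-empty; a relay should never pass such bytes on unchanged."""
    return [m.group(0) for m in LENIENT_EOD.finditer(data) if m.group(0) != STRICT_EOD]


# Constructed sample: one legitimate message whose body carries a bare-LF terminator
# followed by the envelope and headers of a second message with a forged sender.
SAMPLE = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\nSubject: hello\r\n\r\n"
    b"legitimate body\r\n"
    b"\n.\n"                               # bare-LF end-of-data, not CRLF.CRLF
    b"MAIL FROM:<admin@example.org>\r\n"   # smuggled envelope with a forged sender
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: admin@example.org\r\n\r\nspoofed body"
    b"\r\n.\r\n"                           # the only terminator a strict server honours
)

if __name__ == "__main__":
    print("strict receiver sees", len(split_strict(SAMPLE)), "message(s)")
    print("lenient receiver sees", len(split_lenient(SAMPLE)), "message(s)")
    print("non-standard terminators:", find_nonstandard_terminators(SAMPLE))
```

A strict sending server relays the bare-LF sequence as ordinary body text, which is exactly why a lenient receiver on the other end sees a second transaction.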
As part of responsible disclosure, SEC Consult researchers shared their discovery with Microsoft, Cisco, and GMX at the end of July. GMX responded about two weeks later and fixed the issue on its servers. It took Microsoft over two months to close the spoofing capability in Exchange Online (Hotmail etc.). According to the researchers, the widely used Cisco Secure Email Gateway can only be hardened against smuggling attacks through manual intervention.
Because of a misunderstanding in the coordination with the CERT Coordination Center (CERT/CC), SEC Consult reports, independent projects such as Postfix were caught off guard when the discovery was published on the blog shortly before Christmas. In the meantime there is guidance that mail server operators can implement. The discoverer used this year's Chaos Communication Congress (37C3) to apologize to the Postfix maintainers and explain his discovery.
The Postfix mail server project provides information about the workaround and patches.