Attackers Manage to Bypass Security and Spoof Emails with SMTP Smuggling

by Dan Goodin
04 Feb 2024

"Proxy & VPN Virtuoso. With a decade in the trenches of online privacy, Dan is your go-to guru for all things proxy and VPN. His sharp insights and candid reviews cut through the digital fog, guiding you to secure, anonymous browsing."

[Image: a finger pointing at an email icon. Caption: SMTP smuggling is a new threat that allows spoofed emails.]

New year — new risks. 2024 has only started but it’s already clear that one of the threats we’ll be facing is SMTP smuggling. The technique lets attackers sneak malicious emails past security checks by messing with email headers. It’s a clever hack that dupes systems into delivering fake messages straight to your inbox, ignoring the usual guards like SPF, DKIM, and DMARC.

More on SMTP Smuggling: How It Works

SMTP smuggling is a fairly sophisticated trick. Attackers craft an email and tinker with the SMTP headers — the fields that tell the server where the email is from and where it’s going. They insert extra commands within these headers and trick the receiving server into treating one email as two.

Here’s how it all unfolds. The crafted email hits the server, which, misled by the smuggled commands, splits the email in two. The first part is the decoy, perfectly normal. It passes all security checks without raising any alarms. The second part, however, carries the malicious payload. It smuggles past the usual defenses like SPF, DKIM, and DMARC and lands directly in the target’s inbox.

The crux of this technique lies in exploiting discrepancies in how different servers interpret when an email message ends. Attackers create a situation where the sender’s server sees one continuous message, but the recipient’s server is duped into seeing two separate messages. The result? A dangerous email skirts around security measures that businesses commonly have in place to protect their employees. It delivers the harmful content right where attackers want it.

Major Vulnerabilities: What’s Known So Far

Reports say that SMTP servers of major platforms such as Microsoft, GMX, and Cisco are vulnerable to SMTP smuggling attacks. The attackers can launch stealthier phishing attacks by bypassing the aforementioned security protections.

Microsoft and GMX have addressed these concerns and implemented fixes for the vulnerabilities identified in their SMTP servers. Cisco says they do not view it as a vulnerability, but the vulnerable behaviour in their Secure Email solution can be disabled: change the CR and LF Handling setting to “Reject” (instead of “Clean”). This can be done in Listener Settings.

Any Solutions Available?

[Image: an email icon on a screen. Caption: Proper configuration of your SMTP server can offer protection against SMTP smuggling.]

Security experts recommend several protection methods against SMTP smuggling attacks.

  • Proper Configuration and Updates

Keep your SMTP server configurations up to date and ensure they are properly configured to handle SMTP commands securely. Servers must correctly interpret end-of-data sequences to prevent smuggling.

  • Advanced Email Security Solutions

Deploy email security solutions that offer advanced protection features, including the ability to detect and block SMTP smuggling attempts. Solutions that can perform deep inspection of email headers and payloads may be the most effective.

  • Multi-layered Security Measures

Do not rely solely on SPF, DKIM, and DMARC. Combine them with additional layers of security such as endpoint protection and intrusion detection systems.
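The end-of-data discrepancy described under "How It Works" and the "Proper Configuration" advice above both come down to one question: which byte sequence does a server accept as the end of a DATA stream? The following is an added example, not code from the original article or from any of the vendors it names. It models three receiving-server policies on a constructed DATA stream that contains one non-standard bare-LF terminator: a strict parser that honours only the RFC 5321 `<CRLF>.<CRLF>` sequence, a lenient parser that accepts any CR/LF mix around the lone dot, and a "Clean" policy that rewrites bare CR/LF into CRLF before strict parsing. The "Clean" and "Reject" functions are an assumption about what such settings do in general, not a description of Cisco's implementation. Function and constant names are this example's own.

```python
import re

# Constructed sample of one SMTP DATA stream (the bytes sent after the
# server's 354 reply). Lines end with CRLF as RFC 5321 requires, except for
# one bare-LF "<LF>.<LF>" sequence in the middle. The text after it is plain
# message content in this sample; it is meant to stay part of message one.
SAMPLE_DATA = (
    b"From: sender@example.com\r\n"
    b"To: user@example.net\r\n"
    b"Subject: Quarterly report\r\n"
    b"\r\n"
    b"Hello, please find the report attached.\r\n"
    b"\n.\n"                      # non-standard terminator: bare LF around the dot
    b"From: spoofed@example.com\r\n"
    b"Subject: Second message\r\n"
    b"\r\n"
    b"This text should still belong to the first message.\r\n"
    b".\r\n"                      # the real end-of-data: <CRLF>.<CRLF>
)

# Only <CRLF>.<CRLF> ends a message under RFC 5321.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
# A lenient server accepts any mix of CR / LF / CRLF around the lone dot.
LENIENT_EOD = re.compile(rb"(\r\n|\n|\r)\.(\r\n|\n|\r)")
# A CR not followed by LF, or an LF not preceded by CR.
BARE_CR_OR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def split_on_terminator(stream: bytes, terminator: re.Pattern) -> list[bytes]:
    """Split a DATA stream into the messages a server using `terminator`
    as its end-of-data rule would see. Assumes the stream starts right
    after the 354 reply, so the first line already sits at a line boundary."""
    messages, start = [], 0
    for match in terminator.finditer(stream):
        messages.append(stream[start:match.start()])
        start = match.end()
    return messages


def check_line_endings(stream: bytes) -> tuple[str, int]:
    """Model of a 'Reject' policy: refuse the whole stream if any bare CR
    or LF is present. Returns ('reject', offset_of_first_bad_byte) or
    ('accept', -1). Rejecting is the safe choice because a strict parser
    downstream can never be made to see an extra message boundary."""
    match = BARE_CR_OR_LF.search(stream)
    return ("reject", match.start()) if match else ("accept", -1)


def clean_line_endings(stream: bytes) -> bytes:
    """Model of a 'Clean' policy: rewrite every bare CR or LF as CRLF.
    This is the risky option: a bare '<LF>.<LF>' becomes a genuine
    '<CRLF>.<CRLF>', so even a strict parser then splits the message."""
    return BARE_CR_OR_LF.sub(b"\r\n", stream)


def message_counts(stream: bytes) -> dict[str, int]:
    """How many messages each policy extracts from one DATA stream."""
    return {
        "strict": len(split_on_terminator(stream, STRICT_EOD)),
        "lenient": len(split_on_terminator(stream, LENIENT_EOD)),
        "clean_then_strict": len(split_on_terminator(clean_line_endings(stream), STRICT_EOD)),
    }


if __name__ == "__main__":
    print("messages seen per policy:", message_counts(SAMPLE_DATA))
    verdict, offset = check_line_endings(SAMPLE_DATA)
    print(f"reject policy: {verdict} (first bare CR/LF at byte {offset})")
```

Run as a script, the strict parser reports one message, the lenient parser two, and "Clean" followed by strict parsing also two, which is why normalising line endings instead of rejecting them does not close the gap. The reject check is also a usable detection signal: logging the offset of the first bare CR or LF in inbound DATA gives a concrete indicator to alert on.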
