From ta at geuka.net Mon Jan 1 22:35:25 2024
From: ta at geuka.net (Andreas Tauscher)
Date: Mon, 1 Jan 2024 20:35:25 +0100
Subject: [ALUG] SMTP Smuggling a new way spoofing sender addresses
Message-ID: <57405efe-1cd0-47e3-8817-bf9c12078360@geuka.net>

Hello List!

Wishing you all a happy new year!

During the 37th Chaos Computing Congress in Hamburg a group of researchers presented a new way to spoof sender addresses of emails.
Even when using a sender address different from the authenticated address is blocked, it is possible to fake sender addresses when delivering mail.

This is possible because of the way the different possible end-of-data sequences are handled in the SMTP protocol.
The major problem with this attack is that it can also fool security measures like SPF, DKIM and DMARC.
So this is a new way to let phishing mails look really authentic!

The only correct END-OF-DATA sequence is . but for historic compatibility reasons things like . or . are also allowed.

A workaround for postfix is already published on the postfix homepage:
https://www.postfix.org/smtp-smuggling.html

More details on how this attack works are available at
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
There you will also find information if you are running Exim or Cisco Secure Email Gateway.

A video of the presentation at 37C3 is also available.
https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide
Have a look at this 30-minute video!

Andreas
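
The end-of-data handling described in the message above, as an added example that is not part of the original post or of any linked project: a receiving-side check that scans a raw DATA payload for lone-dot lines not delimited by CRLF on both sides. The sequences it treats as non-standard (a lone dot next to a bare LF or bare CR) are an assumption of this example, and the function names and sample payloads are constructed.

```python
import re

# Any of the three line terminators a lenient SMTP parser might accept.
_EOL = rb"(?:\r\n|\n|\r)"
# A line holding nothing but "." with whatever terminator sits on each side.
_LONE_DOT = re.compile(rb"(" + _EOL + rb")\.(" + _EOL + rb")")


def find_nonstandard_eod(data: bytes) -> list:
    """Return (offset, raw_sequence) for each lone-dot line that is not
    delimited by CRLF on both sides, i.e. not the standard end-of-data."""
    hits = []
    pos = 0
    while (m := _LONE_DOT.search(data, pos)) is not None:
        if m.group(1) != b"\r\n" or m.group(2) != b"\r\n":
            hits.append((m.start(), m.group(0)))
        # Resume at the trailing terminator: it may open the next lone-dot line.
        pos = m.start(2)
    return hits


def should_reject(data: bytes) -> bool:
    """Strict policy: refuse the message if any ambiguous sequence is present."""
    return bool(find_nonstandard_eod(data))


# Constructed sample payloads (not captured traffic).
CLEAN = b"Subject: test\r\n\r\nHello\r\n..dot-stuffed line\r\n.\r\n"
SUSPECT = b"Subject: test\r\n\r\nline one\n.\nline two\r\n.\r\n"

if __name__ == "__main__":
    for name, payload in (("clean", CLEAN), ("suspect", SUSPECT)):
        for offset, seq in find_nonstandard_eod(payload):
            print(f"{name}: non-standard end-of-data {seq!r} at byte {offset}")
        print(f"{name}: reject={should_reject(payload)}")
```

A dot-stuffed line (`..`) and the standard terminator pass; only lone dots with a bare LF or bare CR on either side are reported.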