[ALUG] SMTP Smuggling a new way spoofing sender addresses
Andreas Tauscher
ta at geuka.net
Mon Jan 1 22:35:25 EAT 2024
Hello List!
Wishing you all a happy new year!
During the 37th Chaos Computing Congress in Hamburg a group of researchers
presented a new way to spoof sender addresses of emails.
Even when using a sender address different from the authenticated
address is blocked, it is possible to fake sender addresses when
delivering mail.
This is possible because of the way the different possible end-of-data
sequences are handled in the SMTP protocol.
The major problem with this attack is that it can also fool security
measures like SPF, DKIM and DMARC.
So this is a new way to make phishing mails look really authentic!
The only correct END-OF-DATA sequence is <CR><LF>.<CR><LF> but for
historic compatibility reasons things like <LF>.<LF> or
<LF>.<CR><LF> are also allowed.
A workaround for postfix is already published on the postfix homepage
https://www.postfix.org/smtp-smuggling.html
More details on how this attack works are available at
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
There you will also find information if you are running Exim or Cisco
Secure Email Gateway.
A video of the presentation at 37C3 is also available.
https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide
Have a look at this 30-minute video!
Andreas
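
An added example, not part of the original post: a small checker that flags dot-lines in a raw DATA stream that are not the standard <CR><LF>.<CR><LF>, and shows how a strict and a lenient receiver count message boundaries differently. The function names and the sample bytes are constructed for illustration.

```python
import re

# A line containing only ".", framed by CRLF or by a bare LF on either side.
DOT_LINE = re.compile(rb"(\r?\n)\.(\r?\n)")
STANDARD_EOD = b"\r\n.\r\n"


def visible(seq: bytes) -> str:
    """Render line-ending bytes in the <CR>/<LF> notation used in the post."""
    return seq.replace(b"\r", b"<CR>").replace(b"\n", b"<LF>").decode("ascii")


def find_nonstandard_eod(stream: bytes) -> list[tuple[int, str]]:
    """Return (offset, sequence) for every dot-line that is not <CR><LF>.<CR><LF>."""
    return [(m.start(), visible(m.group(0)))
            for m in DOT_LINE.finditer(stream)
            if m.group(0) != STANDARD_EOD]


def data_boundaries(stream: bytes, lenient: bool) -> int:
    """Count the end-of-data markers a strict or a lenient receiver would see."""
    if lenient:
        return len(DOT_LINE.findall(stream))
    return stream.count(STANDARD_EOD)


# Constructed sample: one DATA payload as a strict sender would pass it on.
SAMPLE = (b"Subject: report\r\n\r\n"
          b"first part\n.\n"          # bare-LF dot line inside the body
          b"second part\r\n.\r\n")    # the real end of data

if __name__ == "__main__":
    for offset, seq in find_nonstandard_eod(SAMPLE):
        print(f"offset {offset}: {seq}")
    print("strict receiver sees", data_boundaries(SAMPLE, lenient=False), "message(s)")
    print("lenient receiver sees", data_boundaries(SAMPLE, lenient=True), "message(s)")
```

A mismatch between the two counts is the condition the workarounds linked above are meant to remove, by making the receiving side reject or stop accepting the non-standard sequences.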