
SMTP Smuggling: Stay protected with NoSpamProxy

Stefan Cink | Director Business and Professional Services

On December 18, 2023, Timo Longin from the SEC Consult Group in Vienna published an article in which he reports on a new threat in the field of email security that challenges traditional security measures: SMTP Smuggling. Let’s take a closer look at the dangers of SMTP smuggling to find out what level of protection NoSpamProxy offers.

18.01.2024 | Last edited: 16.08.2024

What is SMTP smuggling?

In simple terms, SMTP smuggling is the process by which emails from supposedly trustworthy senders can be planted on vulnerable systems, which can then be used for CEO fraud or other phishing attacks. SPF and DMARC checks do not offer any effective protection, and the recipient genuinely believes they have received an email from Microsoft, PayPal or another legitimate sender.

How does SMTP Smuggling work?

First of all, it is important to know that RFC 5322 clearly states that a line break must always be indicated by a <cr><lf> (Carriage Return Line Feed). A single <cr> or <lf> is not permitted! Furthermore, the end of an email must always be indicated by the delivering server using the character combination <cr><lf>.<cr><lf> (two <cr><lf> separated by a single dot).

Contrary to the RFC, mail server software on some Unix derivatives uses only a single <cr> or <lf>. As a result, receiving servers have in recent years handled this generously or simply ignored it when interpreting an email. This behavior has now been exploited for SMTP smuggling. In a very simplified explanation, this involves sending a suitably prepared message body to a vulnerable email server, which turns the one message body into two emails with different content and different recipients.
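The following Python check is an added example (not code from this article, SEC Consult or NoSpamProxy) that applies the rule above to the bytes a server receives after DATA: it reports bare <cr>/<lf> characters and any "dot on its own line" that is not delimited by <cr><lf> on both sides, and shows where a strict and a tolerant parser would each see the end of the message. The function names and both sample payloads are constructed for illustration.

```python
import re

# The only sequence that ends the DATA phase: <cr><lf>.<cr><lf>
STRICT_EOD = b"\r\n.\r\n"
# A lone dot between any mix of <cr><lf>, bare <cr> or bare <lf>: what a
# tolerant receiver may accept as end-of-data (includes the strict form).
LENIENT_EOD = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")
BARE_CR = re.compile(rb"\r(?!\n)")
BARE_LF = re.compile(rb"(?<!\r)\n")


def eod_markers(payload: bytes, lenient: bool) -> list[int]:
    """Offsets at which a strict or a tolerant parser sees end-of-data."""
    pattern = LENIENT_EOD if lenient else re.compile(re.escape(STRICT_EOD))
    return [m.start() for m in pattern.finditer(payload)]


def inspect_data(payload: bytes) -> dict:
    """Flag line-ending anomalies in the message up to the strict end-of-data."""
    end = payload.find(STRICT_EOD)
    # Keep the <cr><lf> that closes the last line, drop the terminating dot.
    body = payload if end < 0 else payload[: end + 2]
    ambiguous = [m.start() for m in LENIENT_EOD.finditer(body)]
    bare_cr = len(BARE_CR.findall(body))
    bare_lf = len(BARE_LF.findall(body))
    return {
        "bare_cr": bare_cr,
        "bare_lf": bare_lf,
        "ambiguous_eod_offsets": ambiguous,
        "reject": bool(ambiguous or bare_cr or bare_lf),
    }


# Constructed samples (not captured traffic).
CLEAN = b"Subject: hi\r\n\r\nhello\r\n.\r\n"
SUSPECT = b"Subject: hi\r\n\r\nhello\n.\ntrailing text\r\n.\r\n"

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, inspect_data(data),
              "strict:", eod_markers(data, lenient=False),
              "lenient:", eod_markers(data, lenient=True))
```

When the strict and lenient marker lists differ for the same payload, two systems in the delivery chain can disagree about where the message ends, which is the condition a gateway should reject or normalize.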

Trustworthiness poses a problem

However, the attack only achieves its full effect when these messages are sent to the target server via trusted servers. For example, it was possible for the security researchers to send an email from a Microsoft account to a web.de account.

To the recipient, it actually looked as if the email came from a Microsoft admin account. SPF and DMARC also confirmed the authenticity of the email.

Details on SMTP Smuggling are described on the SEC Consult website: SMTP Smuggling – A new method for forging senders in emails. The Federal Office for Information Security (BSI) has also published a warning.

NoSpamProxy customers are protected

After the vulnerability became known, we tested NoSpamProxy for it and can give the all-clear at this point. Although NoSpamProxy ignores individually transmitted <cr> and <lf> characters, it does not split a manipulated email into two emails. If all subsequent systems are also not vulnerable, you are therefore still well protected. It is also important to mention that NoSpamProxy fully checks manipulated emails as well and reliably rejects an email if phishing or other malicious content is suspected.

You can also find a detailed explanation of SMTP Smuggling on www.msxfaq.de (German only).

Reliable protection against SMTP smuggling – with NoSpamProxy

With NoSpamProxy you can reliably protect your company against SMTP smuggling. Request your free trial version now!
