Cybersecurity is a dynamic landscape in which old threats evolve and new ones emerge, such threat as an SMTP smuggling is a stark reminder of the importance of staying up to date on cybersecurity threats and methods for defending against cyber attacks. But what exactly is SMTP smuggling, and how does it work?
What is SMTP?
Simple Mail Transfer Protocol (SMTP) is a TCP/IP network protocol that facilitates the transmission of emails between different computers and servers. The use of this protocol is so widespread that SMTP email clients include Gmail, Outlook, Yahoo, and Apple.
So, precisely what is SMTP in email? After an email is written in a client like Microsoft Outlook it is delivered to an SMTP server, which looks at the recipient’s domain to find the appropriate email server to deliver the email to. If the process runs smoothly, the SMTP server at the recipient’s domain processes the email, and either delivers the message or uses SMTP to forward it through another network before delivery.
One important thing to note about SMTP is that its ability to authenticate has historically been limited. As such, email spoofing became a serious concern. Attackers could simply choose the right tool—it might be another mail client, script, or utility—that allowed them to choose a sender’s name. They then commit targeted attacks with emails to impersonate a trusted sender and convince them to take a specified action, such as clicking phishing links or downloading files infected with malware.
Several safeguards were designed to patch this inherent vulnerability (CVE-2023-51766), including:
- Sender Policy Framework (SPF): This employs DNS records to indicate to the receiving mail serves which IP addresses have authorization to send emails from a specified domain.
- Domain Key Identified Mail (DKIM): This method uses a private key stored on the sender’s server to digitally sign outgoing emails, allowing recipient servers to validate senders with the sending server’s public key.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): This protocol verifies the email’s sending domain in the “From” header against SPF and/or DKIM – if there is a mismatch, the DMARC check fails. However, this protocol is not commonly used.
What is an SMTP Server?
An SMTP server in computer networks is a mail server that can send and receive emails using the SMTP protocol. Generally, these servers use TCP on port 25 or 587—the numbers tell the server which specific processes to employ with messages. Email clients connect directly with the email provider's SMTP server to send an email. Several different software programs run on an SMTP server:
- Mail Submission Agent (MSA): Receives messages from the email client
- Mail Transfer Agent (MTA): Transfers emails to the next server as appropriate – at this point, the server may initiate a DNS query for the recipient domain’s mail exchange (MX) DNS record
- Mail delivery agent (MDA): Receives emails for storage in the recipient’s inbox
What is SMTP Smuggling?
SMTP smuggling refers to cyberattacks that spoof email addresses so that their messages appear to have been sent from legitimate sources. The ultimate goal of these cyberattacks is to execute a form of phishing and encourage the target to take action such as clicking malicious links, opening infected attachments, or even sending sensitive information or money.
These attacks take advantage of the differences between how outbound and inbound email servers process end-of-data code sequences. The aim is to trick the recipient’s server into a different interpretation of the end of a message using “smuggled” SMTP commands so that the email appears as two separate messages.
How Does SMTP Smuggling Work?
To carry out the attacks, cybercriminals “smuggle” ambiguous SMTP commands to compromise the integrity of the email server communications—this is inspired by how HTTP request smuggling attacks work. More specifically, SMTP servers traditionally indicate the end of message data with the code <CR><LF>.<CR><LF> or \r\n.\r\n. These stand for “Carriage Return” and “Line Feed” respectively and are standard text delimiters.
By changing this code sequence, attackers can change the server’s understanding of where the message data ends. If they can tell the outgoing server that the message ends at one point while telling the inbound server that the message ends later, it creates a pocket for smuggling extra data.
Normally, these spoofed emails are part of targeted phishing attacks. Companies are particularly vulnerable to SMTP smuggling because it can be easier to spoof their domains and use social engineering to create phishing emails or spear-phishing attacks.
How to Avoid SMTP Smuggling Emails
Although manufacturers of the most popular and well-known mail servers Postfix, Exim, and Sendmail have released fixes and workarounds to counteract smuggling, several other steps can be taken to try and minimize the threat:
- Run regular security checks within the organization’s infrastructure to monitor possible attack vectors and vulnerabilities.
- Check the email routing software being used – if the software is known to be vulnerable, update it to the latest version and use settings that specifically reject unauthorized pipelining.
- Users of Cisco’s email products are advised to manually update their default configuration for “CR and LF Handling” to “Allow,” rather than “Clean,” so that the server only interprets and delivers emails with <CR><LF>.<CR><LF> as the end-of-data sequence code.
- Disallow <LF> without <CR> in code.
- Disconnect remote SMTP clients that send bare newlines.
- Implement regular security awareness training for employees, which may include, for example, verifying a sender’s email address before taking any further action.
What Does SMTP Email Spoofing Look Like?
To be alert to the threat of SMTP smuggling, it can be helpful to know what a spoof email might look like. A spoof email may take several forms:
- Legitimate domain spoofing: This is simply spoofing a company’s domain by inserting it into the emails “From” header. This is what the SPF, DKM, and DMARC authentication methods try to catch. Companies should configure their mail authentication appropriately to minimize the attackers’ ability to spoof their domains.
- Display Name Spoofing: In this case, the sender’s name—shown before the email address in the “From” header is spoofed, often using the real name of a company’s employee. Most email clients automatically hide the sender’s email address and simply show the display name, which is why users should check the address if the email seems suspicious. There are several forms of this, including Ghost Spoofing and AD Spoofing. Kaspersky Secure Mail Gateway (KSMG) provides powerful protection against AD Spoofing attacks by verifying sender authenticity and ensuring messages comply with established email authentication standards.
- Lookalike Domain Spoofing: This more complicated method requires the attacker to register a domain similar to that of the target organization, and set up mail, DKIM/SPF signatures, and DMARC authentication. Again, there are several types of this form of spoofing, including Primary Lookalike (for example, a misspelling of a legitimate company domain) and Unicode Spoofing (replacing an ASCII character in the domain name with a similar-looking character from Unicode). KSMG can help organizations defend against lookalike domain spoofing attacks by verifying sender identities and mitigating the risk of deceptive emails.
Kaspersky Endpoint Security received the Consumer “Product of the Year Award” from AV Comparatives https://www.av-comparatives.org/tests/summary-report-2023/.
Related Articles and Links:
- What is Spoofing – Definition and Explanation
- What is Spear Phishing
- Phishing Emails: How to Recognize and Avoid a Phishing Email
Related Products and Services:
