False vulnerability claims based on non-viable attack patterns

[An updated version of this text may be found at https://www.postfix.org/false-smuggling-claims.html]

Author: Wietse Venema

Last update: January 8, 2024

Summary

People have developed tools to detect if an SMTP server may be vulnerable to an email spoofing attack based on SMTP smuggling.

Some tools may send a fake End-of-DATA pattern like <CR><LF>.<CR><CR><LF>. This is not a viable attack pattern, because there is no way that an attacker can make an email service send patterns like this. Vulnerability claims based on such patterns are therefore false.

Details

To understand why, recall that an authenticated attacker sends email service A a message that contains a non-standard End-of-DATA in the middle, followed by attempted spoofed SMTP commands and message content (shown as indented text below).

    mail from:<attacker><CR><LF>
    rcpt to:<someone><CR><LF>
    data<CR><LF>
    message content
    non-standard End-of-DATA
        mail from:<spoofed><CR><LF>
        rcpt to:<victim><CR><LF>
        data<CR><LF>            // or BDAT if available
        message content
    real End-of-DATA

The attacker's goal is that email service A delivers the message to <someone> at email service B. That service confuses the non-standard End-of-DATA with a real End-of-DATA, and delivers a message from <spoofed> to <victim> at service B.

When the attack is successful, the attacker can impersonate any sender in any email domain that is hosted at email service A, and still pass the sender domain's SPF-based DMARC policy at email service B.

Coming back to the attack pattern <CR><LF>.<CR><CR><LF>, or more generally <CR><LF>.<non-CRLF>: note that this has a '.' at the beginning of a line.

Email service A, as required by RFC 5321, prepends a '.' to each email message line that begins with '.'. What it sends to email service B is (attempted spoofed commands and message are again shown indented):

    mail from:<attacker><CR><LF>
    rcpt to:<someone><CR><LF>
    data<CR><LF>
    message content
    <CR><LF>..<non-CRLF>        // note the '..' here
        mail from:<spoofed><CR><LF>
        rcpt to:<victim><CR><LF>
        data<CR><LF>            // or BDAT if available
        message content
    real End-of-DATA

When email service B receives the <CR><LF>..<non-CRLF>, there is no confusion whether this is End-of-DATA. This process of "dot stuffing" before transmission (and "dot stripping" after arrival) is something that all production SMTP implementations agree on. If they didn't, then email would be broken all the time.

The result: no message is delivered from <spoofed> to <victim>. Instead, <someone> receives an email message with SMTP commands in the middle.
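The following Python program is an added example and is not Postfix code. It implements RFC 5321 dot stuffing as service A performs it, a deliberately lenient End-of-DATA scan as a confused service B might perform it, and runs the constructed attacker message from the text through both. The message contents, the list of non-standard End-of-DATA variants (all members of the <CR><LF>.<non-CRLF> class above, plus the standard terminator as a baseline) and the function names are assumptions made for the example.

```python
# Added example (not Postfix code): RFC 5321 dot stuffing on the sending side,
# End-of-DATA detection on the receiving side, and what happens to the
# <CR><LF>.<non-CRLF> pattern discussed in the text. All messages are constructed.

CRLF = b"\r\n"
REAL_END_OF_DATA = CRLF + b"." + CRLF


def dot_stuff(message: bytes) -> bytes:
    """Sending side (service A), RFC 5321 section 4.5.2: prepend '.' to every
    line that begins with '.'. Lines are delimited by <CR><LF>, which is how a
    standards-conforming SMTP client splits the message it is about to send."""
    lines = message.split(CRLF)
    return CRLF.join(b"." + ln if ln.startswith(b".") else ln for ln in lines)


def dot_strip(message: bytes) -> bytes:
    """Receiving side (service B): remove the leading '.' that the sender added."""
    lines = message.split(CRLF)
    return CRLF.join(ln[1:] if ln.startswith(b".") else ln for ln in lines)


# Byte sequences that a receiver might honour as End-of-DATA. Only the first is
# defined by RFC 5321; the rest are constructed members of the
# <CR><LF>.<non-CRLF> class from the text, included so that the scan below is
# at least as lenient as the test tools the text complains about.
END_OF_DATA_PATTERNS = [
    CRLF + b"." + CRLF,      # <CR><LF>.<CR><LF>        (standard)
    CRLF + b".\r" + CRLF,    # <CR><LF>.<CR><CR><LF>
    CRLF + b".\n",           # <CR><LF>.<LF>
    CRLF + b".\r",           # <CR><LF>.<CR>
]


def find_end_of_data(stream: bytes, patterns=END_OF_DATA_PATTERNS) -> int:
    """Index in `stream` of the '.' of the first sequence the lenient receiver
    accepts as End-of-DATA, or -1 if there is none. The stream is assumed to
    start at a line boundary, so a leading match is found by prepending CRLF."""
    padded = CRLF + stream
    hits = [h for h in (padded.find(p) for p in patterns) if h >= 0]
    return min(hits) if hits else -1


def attacker_submission(fake_end_of_data: bytes) -> bytes:
    """Constructed message as the authenticated attacker hands it to service A:
    ordinary content, the fake End-of-DATA, then text that the attacker hopes
    service B will read as SMTP commands."""
    return (b"Subject: hello" + CRLF + CRLF
            + b"message content" + fake_end_of_data
            + b"mail from:<spoofed>" + CRLF
            + b"rcpt to:<victim>" + CRLF
            + b"data" + CRLF
            + b"message content")


def relay(submitted: bytes) -> dict:
    """Service A dot-stuffs the message and appends the real End-of-DATA; the
    lenient service B scans the wire stream for the first End-of-DATA it
    accepts and dot-strips what precedes it. Returns what each side saw."""
    on_wire = dot_stuff(submitted) + REAL_END_OF_DATA
    real_offset = len(on_wire) - len(REAL_END_OF_DATA) + len(CRLF)  # the real '.'
    found = find_end_of_data(on_wire)
    delivered = dot_strip(on_wire[:found])
    return {
        "on_wire": on_wire,
        "found_offset": found,
        "real_offset": real_offset,
        "ended_at_real_end_of_data": found == real_offset,
        "delivered_to_someone": delivered,
        # For contrast only: where the same lenient scan would have stopped if
        # service A had put the bytes on the wire without dot stuffing.
        "offset_if_unstuffed": find_end_of_data(submitted + REAL_END_OF_DATA),
    }


if __name__ == "__main__":
    for fake in (REAL_END_OF_DATA, CRLF + b".\r" + CRLF, CRLF + b".\n", CRLF + b".\r"):
        r = relay(attacker_submission(fake))
        print(fake, "-> B stopped at the real End-of-DATA:",
              r["ended_at_real_end_of_data"],
              "| unstuffed scan would stop at byte", r["offset_if_unstuffed"],
              "instead of", r["real_offset"])
```

Every variant in the loop has a '.' at the start of a line as service A sees the message, so service A turns it into '..' and even the lenient receiver only stops at the real End-of-DATA; the message delivered to <someone> is the attacker's original text, SMTP commands and all. The offset_if_unstuffed value shows what the same receiver would do if the sender skipped dot stuffing, which is the step that makes these test patterns non-viable.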

Conclusion

In summary, this class of attack patterns does not work. To silence test tools, I will of course update Postfix releases, but silencing test tools is not as urgent as solving real problems.

Meanwhile, I request that tool developers and users avoid making vulnerability claims that are based on non-viable attack patterns.