SMTP Smuggling - Spoofing E-Mails Worldwide

Novel attacks in SMTP? Yes, you read that right - SMTP! 

Even though SMTP, the Simple Mail Transfer Protocol, is used for sending e-mails across the globe since the beginning of the Internet, it is still possible to find new ways of exploiting it even in 2023! So, fasten your seat belts, as we embark on an expedition beyond the known limits of SMTP, and venture into the uncharted territories of SMTP smuggling! 

TL;DR 

By exploiting interpretation differences of the SMTP protocol, it is possible to smuggle/send spoofed e-mails - hence SMTP smuggling - while still passing SPF alignment checks. During this research, two types of SMTP smuggling, outbound and inbound, were discovered. These allowed sending spoofed e-mails from millions of domains (e.g., admin@outlook.com) to millions of receiving SMTP servers (e.g., Amazon, PayPal, eBay). Identified vulnerabilities in Microsoft and GMX were quickly fixed, however, SEC Consult urges companies using the also affected Cisco Secure Email product to manually update their vulnerable default configuration (see Responsible Disclosure section below)! 

SMTP Basics 

Before getting into the juicy bits and details of SMTP smuggling, we must first have a basic understanding of the SMTP protocol, SMTP terminology and e-mailing in general. Let's learn by example! 

Here, in figure 1, we have an SMTP session between sender.example and receiver.example. 

So, what's exactly going on here? 

1. Initially, the receiving SMTP server mx.receiver.example sends a greeting, indicating that it is ready to accept incoming SMTP commands. 
2. The "client"/sender sender.example initiates the SMTP session by sending the EHLO (extended hello) SMTP command to the server, specifying its domain name. Note that all SMTP commands will be highlighted in red. 
3. mx.receiver.example responds with a 250 status code, indicating that the requested command (EHLO) was successful. It also provides supported SMTP capabilities. 
4. Then, sender.example specifies the sender e-mail address as well as the receiver e-mail address via "mail FROM" and "rcpt TO" in the mail envelope. mx.receiver.example confirms both of these SMTP commands with a 250 status code. 
5. Now, sender.example transmits the "data" command to signal its intention to start sending the message data/content. 
6. After receiving a "go ahead" response, sender.example sends messageheaders "Subject"/"From"/"To", a message body "lorem ipsum" and an end-of-data sequence"<CR><LF>.<CR><LF>" (Carriage-Return / Line-Feed, and a single dot in a line). Note that all message data will be highlighted in blue. 
7. mx.receiver.example reads the end-of-data sequence and responds with a 250 status code, implying that the message data was accepted. 
8. Lastly, sender.example closes the connection via the "quit" command. 

As you can see, there is a lot of back and forth in this SMTP session. To keep it simple and concise, SMTP sessions in this blog post only include the data transmitted by the sender as shown in figure 2. 

With this much knowledge about the SMTP protocol, we can put the training wheels aside and look at how SMTP is used to transfer e-mails across the Internet. For example, by sending an e-mail from user(at)outlook.com to user(at)receiver.example! 

When sending an e-mail via outlook.com, we generally have two options: 

1. Outlook's web interface 
2. Using SMTP 

Since this blog post is about SMTP smuggling and doesn't have to do anything with web applications (like SMTP header injection), we're opting for number two - SMTP! How this works is described in figure 3. 

If you are not sending from one of these IP ranges, the SPF check would fail and your e-mail most likely won't be forwarded or will be marked as spam. But which domain is actually getting checked? The problem with SPF by itself is that only the MAIL FROM domain from the mail envelope is checked. The From header in the message data, which is further displayed in the received e-mail, can have an arbitrary value, as shown in figure 4 (blue text). 

The same goes for DKIM (DomainKeys Identified Mail) as well. DKIM allows signing the message data, including the From header. This signature can then be verified by the receiver with a public key that resides in the DNS. However, it is not enforced, which domain holds the public key (see figure 5). 

SMTP Smuggling? 

The initial goal of this research was to test the SMTP protocol against some common and exotic attacks that work on other protocols, such as HTTP. Thanks to the contribution of many brilliant minds, there is a variety of HTTP attacks to choose from. However, in the context of SMTP, one of them just fit the bill. HTTP request smuggling!

If you want an in-depth explanation of HTTP request smuggling and all its facets, James Kettle (aka @albinowax) did a wonderful job on that. However, for now, we only need to understand the essentials! 

With HTTP request smuggling, we're basically trying to exploit different interpretations of the same thing. For example, with discrepancies in the interpretation and processing of the "Content-Length" and "Transfer-Encoding" HTTP headers, an arbitrary HTTP request can be smuggled to an otherwise unreachable back-end server like in figure 6. 

In this example, the vulnerable front-end server only sees one HTTP POST request, while the back-end server sees a POST request and a GET request to /admin! 

With SMTP, we also have a setup with two servers, being outbound and inbound SMTP servers. So, let's take a look at an SMTP session again in figure 7. 

Now tell me, what happens if outbound and inbound SMTP servers interpret the end-of-data sequence (<CR><LF>.<CR><LF>) differently? 

Exactly, SMTP smuggling! 

If SMTP servers have a different understanding of where the message data ends, an attacker can potentially break out of the message data. Even worse, this may allow to specify arbitrary SMTP commands and even to send separate e-mails (see figure 8)! 

So, that's the basic idea of SMTP smuggling! But does it actually work? 

<CR><LF>.<CR><LF> is a lie? 

To get a good understanding of how different kinds of SMTP software work, we can start our analysis as shown in figure 9: 

First, we register e-mail accounts at various public e-mail providers that support mail submissions via SMTP (unlike Tutanota and ProtonMail). We used the following providers for this research project: 

• outlook.com 
• gmail.com 
• gmx.net 
• icloud.com 
• zoho.com 
• fastmail.com 
• runbox.com 
• startmail.com 
• mailbox.org 
• aol.com 
• yahoo.com 
• web.de 

Then, by sending e-mails through the outbound SMTP servers of these providers and receiving them on an inbound SMTP analysis server, we can see first differences in the implementation of the SMTP protocol in these SMTP servers. 

When looking at the SMTP analysis client it becomes apparent straight away that some SMTP products do things "differently" than others. For example, here are some responses received from e-mail providers after sending the DATA SMTP command:

- 250 End data with <CR><LF>.<CR><LF> 
- 250 Start mail input; end with <CRLF>.<CRLF> 
- 250 Send data ending with <CRLF>.<CRLF> 

This doesn't look good for our plans to smuggle SMTP commands, since we're looking for different interpretations of SMTP, and not the same text written differently. Right? But, we're not going to back off just because of some text, are we? 

After further analysis, some SMTP servers returned the following responses, which looked a bit more promising: 

- Enter message, ending with "." on a line by itself 
- Enter mail, end with "." on a line by itself 

Why would that be more promising, though? Well, different operating systems have a different understanding of "a line by itself". A "." on a line by itself on Windows would be separated via two carriage return line feeds (<CR><LF>.<CR><LF> or \r\n.\r\n), while a "." on a line by itself on Linux would be separated with two line feeds (<LF>.<LF> or \n.\n). 

So, why don't we try to end the message data of an e-mail with <LF>.<LF>? This would therefore look like in figure 10.

Now, if an SMTP server doesn't consider <LF>.<LF> as the end-of-data sequence, the connection will be left hanging, since it's waiting for the actual <CR><LF>.<CR><LF>. Therefore, as shown in figure 11, we add the following. 

With this, whenever <LF>.<LF> is supported as end-of-data sequence by the inbound SMTP server, only "lorem ipsum" will be part of the message data, otherwise the message also includes "This server is ignoring line feeds as end-of-data sequence!". 

But, what can we actually achieve with this? Well, let's see how a message transfer could look like if <LF>.<LF> doesn't end the data section, like in figure 12. 

Depending on the receiving inbound SMTP server this may be completely harmless. However, what if the inbound SMTP server interprets <LF>.<LF> as end-of-data sequence? (see figure 13) 

In this case, the "harmless" <LF>.<LF> breaks out of the message data and "This server is ignoring line feeds as end-of-data sequence!" may now be interpreted as an SMTP command! Note that this requires the inbound server to accept multiple SMTP commands in a batch, or so-called SMTP pipelining. Luckily for us, most servers support this nowadays. 

However, outbound SMTP servers commonly handle such "troublesome" <LF>.<LF> sequences via different means: 

• Dot-stuffing (Escaping the single dot with another dot):  <LF>..<LF> 
• Replacing it with a <CR><LF> 
• Encoding it (e.g., via quoted-printable): =0A.=0A 
• Removing the entire sequence 
• Not sending the message 

But sometimes, they do nothing at all! 

So, essentially, we're looking for specific characteristics in outbound and inbound SMTP servers in terms of end-of-data sequence handling. More precisely, we're searching for what outbound SMTP servers ignore (e.g., <LF>.<LF>) and what inbound SMTP servers interpret (e.g., <LF>.<LF> as end-of-data). If we can find a correct combination, we can smuggle! 

First Blood 

As previously mentioned, we've created e-mail accounts at various e-mail providers. Shortly after sending potential end-of-data sequences (e.g., <LF>.<LF>) from outbound provider SMTP servers to the SMTP analysis server, a promising candidate emerged! 

GMX, established in 1997, is one of the old-school e-mail providers in the DACH region with roughly 20 million users. When sending an <LF>.<CR><LF> sequence to the outbound GMX SMTP server, it is passed unfiltered to the inbound SMTP server, as shown in figure 14! 

Therefore, we can now break out of the message data at the inbound SMTP server, if <LF>.<CR><LF> is interpreted as an end-of-data sequence. So, how do we find such servers? 

We simply send an e-mail with the following message data (see figure 15) to all the e-mail addresses we've registered. 

For a lot of them, we receive a very suspicious looking e-mail like in figure 16, since <LF>.<CR><LF> did not end the message data. 

But for some of them, we hit the jackpot! 

This proof of concept (figure 17) was the first sign that SMTP smuggling actually works! 

By inspecting the message headers, we can see that the SPF check passes with domain alignment for gmx.net! This is because the smuggled message actually came from the legitimate GMX SMTP server. 

Received-SPF: pass 

    (gmx.net: 212.227.15.15 is authorized to use 'admin@gmx.net' in 'mfrom' identity (mechanism 'ip4:212.227.15.0/25' matched)) 

    receiver=mx4.messagingengine.com; 

    identity=mailfrom; 

    envelope-from="admin@gmx.net"; 

    helo=mout.gmx.net; 

    client-ip=212.227.15.15 

Since we've achieved domain alignment for gmx.net, this e-mail will most likely pass spam filters, even with strict DMARC policies! But wait, if other domains also use the outbound SMTP server of GMX to send e-mails, can't we spoof them as well? Let's see! By analyzing the SPF record of web.de, we can see that the outbound SMTP IP address of GMX 212.227.15.15 is included as well! 

v=spf1 ip4:212.227.126.128/25 ip4:212.227.15.0/25 ip4:212.227.17.0/27 ip4:217.72.192.248/29 ip4:82.165.159.0/26 ip4:217.72.207.0/27 ip4:217.72.192.64/26 ip4:82.165.229.130 ip4:82.165.230.22 ~all 

Now, we can change the SMTP smuggling message data accordingly, like in figure 18. 

To simulate a real-life scenario, we specify a different receiver e-mail address for the first message and only send the smuggled message (figure 19) to the target. 

In this case, our target would even see the associated profile picture (in this case of the real 'admin@web.de' user), like in figure 20! 

And again, the SPF verification checks out! 

Received-SPF: pass 

    (web.de: 212.227.17.22 is authorized to use 'admin@web.de' in 'mfrom' identity (mechanism 'ip4:212.227.17.0/27' matched)) 

    receiver=mx4.messagingengine.com; 

    identity=mailfrom; 

    envelope-from="admin@web.de"; 

    helo=mout.gmx.net; 

    client-ip=212.227.17.22 

Now, you might think that this was already cool, but we're just getting started! 

Even though we initially only analyzed GMX, the problem is far worse than it seemed at first. Like many big e-mail providers, GMX is using a custom SMTP server called NemesisSMTPd. Since GMX is part of Ionos, e-mailing services provided by Ionos are also using Nemesis SMTPd. By putting 1 and 1 together, we register an e-mail domain at Ionos and check if SMTP smuggling works. And it does! However, smuggling via a custom e-mail domain doesn't even seem to be necessary. The SPF record for the registered e-mail domain includes "_spf-eu.ionos.com" and the SPF record for gmx.net includes "_spf.gmx.net". Looking at the permitted IP ranges reveals "some" collisions: 

$ dig _spf-eu.ionos.com TXT 
"v=spf1 ip4:212.227.126.128/25 ip4:212.227.15.0/25 ip4:212.227.17.0/27 ip4:82.165.159.0/26 ip4:217.72.192.64/26 ?all" 
 
$ dig _spf.gmx.net TXT 
"v=spf1 ip4:212.227.126.128/25 ip4:212.227.15.0/25 ip4:212.227.17.0/27 ip4:82.165.159.0/24 ip4:74.208.4.192/26  ip4:217.72.207.0/27 ip4:82.165.229.31 ip4:82.165.230.21 ip4:213.165.64.0/23 ip4:74.208.5.64/26 ~all" 

So, either way, this allowed spoofing not only gmx.net and web.de, but also around a million other domains hosted at Ionos! But more on the details later!  

Smuggling via Microsoft Exchange Online 

After a deeper analysis of outbound SMTP servers, a peculiarity in Microsoft Outlook's (outlook.com) SMTP server was observed. When trying to send an <LF>.<LF> sequence, the message does not get transmitted, and the following error message is returned: 

Remote server returned '550 5.6.11 SMTPSEND.BareLinefeedsAreIllegal; message contains bare linefeeds, which cannot be sent via DATA and receiving system does not support BDAT' 

However, same as with GMX, Outlook doesn't filter <LF>.<CR><LF> sequences. 

Still, it wasn't possible to smuggle to the same receivers (e.g., Fastmail) as with GMX. Reason for this is Outlook's usage of the optional BDAT SMTP command. BDAT is an alternative to the DATA command to transfer the message data. It works by specifying the message length with the BDAT command, instead of relying on an end-of-data sequence. For example, to transfer 72 bytes of message data, we can do it like in figure 21. 

Even though that stops us from smuggling to some inbound SMTP servers, the BDAT command can only be used by Outlook, if the inbound SMTP server supports it. If the inbound SMTP server doesn't indicate BDAT support by returning the CHUNKING capability, DATA is used as fallback. 

Therefore, we're looking for an inbound SMTP server that interprets <LF>.<CR><LF> as an end-of-data sequence and doesn't support BDAT.  

Funnily enough, the sec-consult.com SMTP server supports just that! Note that LOTS of servers on the Internet support this, but since we've got to make sure that our own systems are secure anyways, we'll be using sec-consult.com. So, what's the first thing to do with our newly gained power? Sending spoofed e-mails to co-workers to make sure it actually works! (see figure 22) 

Based on their reaction (figure 23), the message from admin(at)outlook.com definitely got delivered and didn't end up in spam. 

The actual e-mail is shown in figure 24: 

We can once more confirm SPF alignment by looking at the message headers: 

Received-SPF: Pass (mx3.atos.net: domain of admin(at)outlook.com designates 40.92.75.68 as permitted sender) 
  identity=mailfrom; client-ip=40.92.75.68; 
  receiver=mx3.atos.net; envelope-from="admin@outlook.com"; 
  x-sender="admin@outlook.com"; x-conformance=spf_only; 
  x-record-type="v=spf1"; x-record-text="v=spf1 
  ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 
  ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 
  ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/50 
  ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 -all" 

Since the previous examples were only text-based, attackers could also use HTML, for some more convincing phishing e-mails (figure 25). 

However, to keep it simple, we'll stick to just text. 

So, this is cool, but again, that's not everything! Since the outbound Outlook SMTP server is not only used for e-mails by outlook.com, but for the entirety of Exchange Online, we can now send e-mails from every domain which uses Exchange Online to send e-mails! 

Since this affects LOTS of companies (as later discussed in SMTP Smuggling Impact section), we can choose our sender domain freely. We can even use sec-consult.com itself! (see figure 26) 

As before, the SPF check succeeds with domain alignment, since sec-consult.com is using Exchange Online and the SPF record includes the respective Exchange Online SPF domain spf.protection.outlook.com. 

Received-SPF: Pass (mx4.atos.net: domain of ceo(at)sec-consult.com 
  designates 40.92.48.103 as permitted sender) 
  identity=mailfrom; client-ip=40.92.48.103; 
  receiver=mx4.atos.net; envelope-from="ceo@sec-consult.com"; 
  x-sender="ceo@sec-consult.com"; x-conformance=spf_only; 
  x-record-type="v=spf1"; x-record-text="v=spf1 
  ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 
  ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 
  ip6:2a01:111:f403::/49 ip6:2a01:111:f403:8000::/50 
  ip6:2a01:111:f403:c000::/51 ip6:2a01:111:f403:f000::/52 -all" 

With GMX and Exchange Online out of the way, we're now approaching our last target! 

Smuggling to Amazon, PayPal, eBay, ..., on the road to Cisco 

GMX and Exchange Online allow SMTP smuggling due to insufficient sanitization at their outbound SMTP servers, but what about insecure inbound SMTP servers? What if there are inbound SMTP servers that allow such non-restrictive end-of-data sequences that even the most restrictive outbound SMTP servers would let such sequences through? 

To get to the bottom of this, we can use a scanner that sends e-mails to inbound SMTP servers, but uses exotic end-of-data sequences. If the connection to the inbound SMTP server times out, the exotic end-of-data sequence was ignored. Otherwise, we most likely found something interesting! 

So, what exactly is "exotic"? Exotic end-of-data sequences could for example be: 

• Interrupted end-of-data sequences:   
  • <CR><LF>\x00.<CR><LF> 
  • <CR><LF>.\x00<CR><LF> 
• End-of-data sequences using incomplete CRLFs:  
  • <LF>.<LF> 
  • <CR><LF>.<CR> 
  • <CR>.<LF> 
• End-of-data sequences in the message header 

The message data of such an "exotic" e-mail could look like in figure 27.

Now, by scanning the former Alexa Top 1000, various inbound SMTP servers accepting such sequences were identified! However, only one of those sequences seems to be working for lots of SMTP servers: <CR>.<CR> 

This sequence gets accepted by the inbound e-mail servers of some really high-value targets: 

• Amazon 
• PayPal 
• eBay 
• Cisco 
• The IRS 

The one thing that they all have in common is that they're using Cisco Secure Email, with on-prem Cisco Secure Email Gateway or cloud-based Cisco's Secure Email Cloud Gateway. And again, for some odd reason, sec-consult.com is using Cisco Secure Email Gateway as well! 

As a proof of concept (figure 28), we can now send an e-mail from admin(at)icloud.com to our target at sec-consult.com, since, like with many other outbound SMTP servers (further discussed in SMTP Smuggling Impact), <CR>.<CR> doesn't get filtered: 

Like before, the e-mail goes through unscathed, as shown in figure 29. 

SPF checks pass with domain alignment and without any issues. 

Received-SPF: Pass (mx4.atos.net: domain of admin(at)icloud.com 
  designates 17.57.155.23 as permitted sender) 
  identity=mailfrom; client-ip=17.57.155.23; 
  receiver=mx4.atos.net; envelope-from="admin@icloud.com"; 
  x-sender="admin@icloud.com"; x-conformance=spf_only; 
  x-record-type="v=spf1"; x-record-text="v=spf1 
  ip4:17.58.0.0/16 ip4:17.57.155.0/24 ip4:17.57.156.0/24 
  ip4:144.178.36.0/24 ip4:144.178.38.0/24 ip4:112.19.199.64/29 
  ip4:112.19.242.64/29 ip4:222.73.195.64/29 ip4:157.255.1.64/29 
  ip4:106.39.212.64/29 ip4:123.126.78.64/29 
  ip4:183.240.219.64/29 ip4:39.156.163.64/29 ~all" 

Hence, DMARC passes as well: 

Authentication-Results-Original: mx4.atos.net; dkim=none (message not signed) 
 header.i=none; spf=Pass smtp.mailfrom=admin@icloud.com; spf=None 
 smtp.helo=postmaster@qs51p00im-qukt01080502.me.com; dmarc=pass (p=quarantine 
 dis=none) d=icloud.com 

With Cisco's Secure Email covered, we can now go on and take a look at the global impact! 

SMTP Smuggling Impact 

At this point we've covered lots of outbound and inbound SMTP smuggling. But, speaking globally, how bad is it? 

GMX and Ionos 

SMTP smuggling via GMX and Ionos e-mail services allowed SMTP smuggling from roughly 1.35 million different domains, as indicated by the domains pointing their MX record to Ionos (figure 30). 

Checking the SPF record of these domains confirms that they are most likely all permitting _spf-eu.ionos.com for sending e-mails. 

However, as already mentioned, SMTP smuggling doesn't work for every receiving inbound SMTP server and, in this case, requires inbound SMTP servers to accept <LF>.<CR><LF> as end-of-data sequence. So, who's affected? 

Only few of the bigger e-mail providers that were tested are affected. These include: 

• Fastmail 

• Runbox 

This might not seem bad at first, but looking at affected SMTP software on the Internet is a different story. After testing some popular e-mail software in their default configuration, it turned out that Postfix and Sendmail fulfil the requirements, are affected and can be smuggled to. Speaking globally, this is a lot (figure 31)! 

These numbers from Shodan might not paint the whole picture though, as many servers maybe running postfix, but are hiding their identification banner. Also, other smaller SMTP servers are affected as well, again including Cisco Secure Email (Cloud) Gateway. 

We did not analyze all SMTP software out there, hence it might be possible that other vulnerable servers exist as well. 

Cisco Secure Email (Cloud) Gateway 

The Cisco Secure Email Gateway and its cloud counterpart, the Cisco Secure Email Cloud Gateway, are both "vulnerable" to inbound SMTP smuggling. The quotes are necessary in this case, since, according to lengthy discussions with Cisco, this is not a bug, but a feature (see Responsible Disclosure section)! 

By default, Cisco Secure Email (Cloud) Gateway accepts <CR>.<CR> as end-of-data sequence, which does not get filtered by the following SMTP servers when sending outbound: 

• Outlook/Exchange Online 
• Icloud 
• On-premise exchange server 
• Postfix 
• Sendmail 
• Startmail 
• Fastmail 
• Zohomail 

This would allow inbound SMTP smuggling to around 40k domains using Cisco's Secure Email Cloud Gateway, if they're using the default configuration (like we did). These domains can be determined by checking a passive DNS database like SecurityTrails for iphmx.com subdomains. Identifying on-premise Cisco Secure Email Gateways on the other hand is a difficult task, since lots of Internet-wide scanners (e.g., Shodan) seem to get blocked when conducting service scans. However, to get a better feeling for the usage of this product, we scanned the former Alexa Top 1000, and discovered at least the following 32 domains. 

• amazon.com 
• amazon.co.jp 
• amazon.co.uk 
• amazon.it 
• amazon.fr 
• marriott.com 
• cisco.com 
• amazon.in 
• paypal.com 
• amazon.ca 
• goodreads.com 
• webex.com 
• custhelp.com 
• imdb.com 
• intuit.com 
• ndtv.com 
• amazon.cn 
• makemytrip.com 
• amazon.com.au 
• amazonaws.com 
• primevideo.com 
• amazon.es 
• irs.gov 
• amazon.com.br 
• aastocks.com 
• ebay.com 
• amazon.de 
• ebay.de 
• ebay.co.uk 
• ebay.com.au 
• mayoclinic.org 
• audible.com 

Note that this doesn't take into account servers that don't have an MX record let alone an SMTP server. 

Further vulnerabilities 

During the research we've also discovered some exotic inbound SMTP servers that interpret end-of-data sequences like <CR><LF>\x00.<CR><LF>, with "\x00" representing a null byte. With proprietary SMTP components and lots of different e-mail services intertwined it's hard to tell what is possible until an e-mail reaches its final destination. 

Even though SMTP smuggling might still be hiding in some places, we hopefully eliminated some big targets. 
 

Responsible Disclosure 

How do we report a vulnerability that is based on protocol interpretation? Who is right, who is wrong? Let's take a look at some RFCs! 

In general, RFC 5321 from 2008 states the following: 

"The custom of accepting lines ending only in <LF>, as a concession to non-conforming behavior on the part of some UNIX systems, has proven to cause more interoperability problems than it solves, and SMTP server systems MUST NOT do this, even in the name of improved robustness.  In particular, the sequence "<LF>.<LF>" (bare line feeds, without carriage returns) MUST NOT be treated as equivalent to <CRLF>.<CRLF> as the end of mail data indication." 

So, it's the inbound SMTP server's fault! But wait, RFC 5322, also from 2008, says the following about the body of a message: 

"CR and LF MUST only occur together as CRLF; they MUST NOT appear independently in the body."

This essentially means that both sides (outbound and inbound) are at fault! Also, this shows us that inconsistent interpretation of the end-of-data sequence is not a novel issue. Now, what do the affected parties think about this? We have thus initiated our responsible disclosure process around end of July 2023 (see Timeline further below). 

GMX 

The responsible disclosure process with GMX was pure bliss. After immediately receiving a response, the issue was fixed in roughly ten days. Aside from paying a bounty, they even added Timo to their bug bounty hall of fame. All-in-all a great experience! Huge props to GMX for such a professional and quick reaction. 

Microsoft 

The outbound SMTP smuggling vulnerability was submitted via the Microsoft Security Response Center (MSRC). Roughly a month later, Microsoft replied: 

"Thank you again for submitting this issue to Microsoft. Currently, MSRC prioritizes vulnerabilities that are assessed as “Important” or “Critical'’ severities for immediate servicing. After careful investigation, this case has been assessed as moderate severity and does not meet MSRC’s bar for immediate servicing since the attack only works if the mail server of the recipient treats a non-standard EOD sequence as EOD . However, we have shared the report with the team responsible for maintaining the product or service. They will take appropriate action as needed to help keep customers protected"  

Fair enough, they got bigger fish to fry! After retesting the issue every now and then, they seem to have fixed it roughly in the middle of October 2023. 

Cisco 

As previously mentioned, the "vulnerability" in Cisco Secure Email (Cloud) Gateway is not a bug, but a feature. And, unlike in most cases, this is actually somewhat true. 

Cisco Secure Email (Cloud) Gateway can be configured to handle carriage returns and line feeds in a special manner, as seen here.