SMTP Smuggling Status

A christmas tree with spam boxes instead of gifts

«SMTP Smuggling» is a vulnerability that allows to circumvent some mail checks at the receiver and therefore will allow additional spam and/or phishing messages through. Here is the list of what we currently know.

Interested in the full story? I have written a German 🇩🇪 article on SMTP Smuggling and SEC Consult’s selective (and untimely) disclosure.

The SEC Consult article contains information about the software they tested. However, the information is largely unstructured. Here is an attempt at structuring the information.

A link is provided when information not in the SEC Consult article is referenced. For all the question marks, I actively tried to find information on their web page (typically, the “blog” page, if any) and/or using a web search for their site («site:example.com "SMTP Smuggling"»). The question mark indicates that this process did not reveal any additional information.

The list is sortable, BTW.


SystemProblemSEC Consult knewInformedWorkaroundFixed
Outlook, ExchangeSender2023-07-26➡️2023-10-16
CiscoRecipient2023-07-27, 2023-08-17WONTFIX
GMX/IonosSender2023-07-29➡️2023-08-10
iCloudSender
PostfixSender, RecipientCERT/CC (see below)2023-12-202023-12-24
SendmailSender, Recipient
StartmailSender
FastmailSender, Recipient
RunboxSender, Recipient
ZohomailSender
EximRecipient➡️2023-12-24

Update 2023-12-26

In the night of December 22nd to 23rd (European time), Tim Weber started a discussion on the Postfix-Users maling list, with quick and active participation by Wietse Venema (author of the Postfix mail transport software), Vijay S Sarvepalli (from CERT/CC) and others. Here my attempt at a structured summary:

A possible interpretation of this discussion might be that SEC Consult became aware of the full impact of the vulnerability only later (maybe as part of the preparations for the talk on 2023-12-27?). Even though, informing vendors, providers, and CERT/CC with more information (possibly a draft of the blog post) at short notice would have been significantly better than what we have no, namely no notice.

Wietse Venema proposes that, «now that the attack is public, I do encourage reaching out to the rest of the world» and making everyone aware as quickly and prominently as possible. Also, the CERT/CC hopes, it will be able to further improve its workflows with multi-vendor vulnerabilities and Open Source projects.

,

Let’s stay in touch!

Receive a mail whenever I publish a new post.

About 1-2 Mails per month, no Spam.

Follow me on the Fediverse

Web apps


Leave a Reply

Only people in my network can comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.