Version Nichts ist wahr. Alles ist erlaubt.
Lecture: SMTP Smuggling – Spoofing E-Mails Worldwide
Introducing a novel technique for e-mail spoofing.
SMTP, the Simple Mail Transfer Protocol, allows e-mailing since 1982. This easily makes it one of the oldest technologies amongst the Internet. However, even though it seems to have stood the test of time, there was still a trivial but novel exploitation technique just waiting to be discovered – SMTP smuggling!
In this talk, we’ll explore how SMTP smuggling breaks the interpretation of the SMTP protocol in vulnerable server constellations worldwide, allowing some more than unwanted behavior. Sending e-mails as email@example.com to fortune 500 companies – while still passing SPF checks – will be the least of our problems!
From identifying this novel technique to exploiting it in one of the most used e-mail services on the Internet, we’ll dive into all the little details this attack has to offer. Therefore, in this talk, we’ll embark on an expedition beyond the known limits of SMTP, and venture into the uncharted territories of SMTP smuggling!