SMTP smuggling exploits the fact that emails can be split into multiple emails by the receiving server using certain encodings. If the newly created emails are not independently verified on the receiving server, effective authentication mechanisms such as SPM, DKIM or DMARC cannot be applied. This allows targeted phishing attacks to reach mailboxes that are supposed to be protected.
IKARUS mail.security is not and has never been vulnerable to SMTP smuggling.
SMTP smuggling bypasses authentication mechanisms
The vulnerability, disclosed in December 2023, allows attackers to exploit some SMTP implementations to “smuggle” emails with forged sender information. The method relies on the fact that the end of message (RFC) encoding is interpreted differently by different implementations.
A prepared email with non-RFC compliant encoding can be split into multiple emails by the receiving server. Attackers can add any header they like to the newly created emails – for example, the sender or recipient address – to spoof trusted domains. If these spoofed emails are not scanned and authenticated again, they become deceptively genuine phishing emails.
IKARUS mail.security detects SMTP smuggling
If IKARUS mail.security receives an email with a non-RFC compliant tag, it is not automatically accepted. All content is subjected to all the usual scans – from various authentication checks and malware checks to content and link analyses. Emails with forged sender data are blocked by IKARUS mail.security.
To protect their own identity, IKARUS mail.security users can also issue S/MIME certificates for their mailboxes. A missing or invalid certificate indicates to the recipient that the incoming message may not be authentic.
Protective measures against SMTP smuggling
Major companies such as GMX and Microsoft have already patched the vulnerability in their services. Cisco Secure Email users will need to update their settings manually.
As the vulnerability has only recently been discovered and has not yet been fully researched, researchers cannot rule out other vulnerabilities related to SMTP smuggling. Traditional warnings to never blindly trust emails therefore remain valid, even with protective measures in place.
IKARUS will continue to monitor developments and respond immediately to any new vulnerabilities.