Timo Longin @login introduces SMTP smuggling, a novel technique to spoof fully SPF-validated emails from various popular domains including @microsoft.com.

Wow. It's incredible nobody found this before. It's the first of its kind. Probably not the last...!

https://youtu.be/V8KPV96g1To

Related:
https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide
https://www.postfix.org/smtp-smuggling.html
https://www.malwarebytes.com/blog/news/2024/01/explained-smtp-smuggling

#SmtpSmuggling #37C3 #SMTP #vulnerability #infosec #TimoLongin #security

37C3 - SMTP Smuggling – Spoofing E-Mails Worldwide

YouTube

SPF-valid spoofed mail from [email protected] 😈 ?

Timo Longin @login stumbled upon SMTP Smuggling while looking for vulnerabilities in the Simple Mail Transfer Protocol.

Great work and great talk!

#Smtp #SmtpSmuggling #TimoLongin #37c3

https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide


Nice talk by @login at #37c3

Scary! #security #timolongin #ccc


UPDATE your servers!

https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide

Everyone attending #SECConsult #TimoLongin's #37c3 #SMTPSmuggling talk
https://events.ccc.de/congress/2023/hub/en/event/smtp_smuggling_spoofing_e-mails_worldwide/
at least boo them for shitting the devs in the face right before the holidays.

Okay, now I'm a bit sad that I won't be at #37C3, and it's because of this talk:
https://events.ccc.de/congress/2023/hub/en/event/smtp_smuggling_spoofing_e-mails_worldwide/

Presenter #TimoLongin found an exploit in SMTP, notified commercial vendors GMX, Microsoft & Cisco in July, then published a blog post in the week before Christmas that describes how the attack works. Free software maintainers and admins were not warned in advance and had to rush to build workarounds.

Would've loved to talk to him about his idea of "responsible disclosure".

#SMTPSmuggling
