# SMTP Smuggling

{{#include ../../banners/hacktricks-training.md}}

## Basic Information

This type of vulnerability was [**originally discovered in this post**](https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/) were it's explained that It's possible to **exploit discrepancies in how the SMTP protocol is interpreted** when finalising an email, allowing an attacker to smuggle more emails in the body of the legit one, allowing to impersonate other users of the affected domain (such as admin@outlook.com) bypassing defenses such as SPF.

### Why

This is because in the SMTP protocol, the **data of the message** to be sent in the email is controlled by a user (attacker) which could send specially crafted data abusing differences in parsers that will smuggle extra emails in the receptor. Take a look to this illustrated example from the original post:

<figure><img src="../../images/image (8) (1) (1) (1) (1).png" alt=""><figcaption><p><a href="https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png">https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png</a></p></figcaption></figure>

### How

In order to exploit this vulnerability an attacker needs to send some data that the **Outbound SMPT server thinks that it's just 1 email but the Inbound SMTP server thinks that there are several emails**.

The researchers discovered that different **Inboud servers considers different characters as the end of the data** of the email message that Outbound servers doesn't.\
For example, a regular end of the data is `\r\n.\r`. But if the Inbound SMTP server also supports `\n.`, an attacker could just add **that data in his email and start indicating the SMTP commands** of a new new ones to smuggle it just like in the previous image.

Ofc, this could only work if the **Outbound SMTP server doesn't also treat this data** as the end of the message data, because in that case it will see 2 emails instead of just 1, so at the end this is the desynchronization that is being abused in this vulnerability.

Potential desynchronization data:

- `\n.`
- `\n.\r`

Also note that the SPF is bypassed because if you smuggle an email from `admin@outlook.com` from an email from `user@outlook.com`, **the sender is still `outlook.com`.**

## **References**

- [https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/](https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/)

{{#include ../../banners/hacktricks-training.md}}