Email Spoofing with SMTP Smuggling: How the Shared Email Infrastructures Magnify this Vulnerability
- Gang Wang, University of Illinois Urbana-Champaign
Email spoofing is a critical technique used in phishing attacks to impersonate a trusted sender. SMTP smuggling is a new vulnerability that allows adversaries to perform email spoofing while bypassing existing authentication protocols such as SPF and DMARC. While SMTP smuggling has been publicly disclosed since 2023, its impact has not been comprehensively evaluated, and the effectiveness of the community's mitigation strategies remains unknown. In this paper, we present an in-depth study of SMTP smuggling vulnerabilities, supported by empirical measurements of public email services, open-source email software, and email security gateways. More importantly, for the first time, we explored how to perform measurements on private email services ethically, with new methodologies combining user studies, a DKIM side channel, and a non-intrusive testing method. Collectively, we found that 19 public email services, 1,577 private email services, five open-source email software packages, and one email gateway were still vulnerable to SMTP smuggling (and/or our new variants). In addition, our results showed that the centralization of email infrastructures (e.g., shared SPF records, commonly used email software/gateways) has amplified the impact of SMTP smuggling. Adversaries can spoof highly reputable domains through free-to-register email accounts while bypassing sender authentication. We provide suggestions on short-term and long-term solutions to mitigate this threat. To further aid email administrators, we developed an online service to help with self-diagnosis of SMTP smuggling vulnerabilities.
Speaker bio
Gang Wang is an Associate Professor of Computer Science at the University of Illinois Urbana-Champaign. He obtained his Ph.D. from UC Santa Barbara in 2016 and a B.E. from Tsinghua University in 2010. His research interests are Security and Privacy, Machine Learning, and Internet Measurement. His recent work aims to build explainable and robust machine learning solutions to safeguard Internet systems, uncover novel security and privacy threats, and augment humans’ ability to perform security tasks. He is a recipient of the NSF CAREER Award (2018), Amazon Research Award (2021), Google Faculty Research Award (2017), and Best Paper Awards from IMWUT 2019, ACM CCS 2018, and SIGMETRICS 2013. He is a core member of the recent NSF AI Institute for Agent-based Cyber Threat Intelligence and Operation (ACTION) and the NSF Expedition Project for Learning Directed Operating System (LDOS). His projects have been covered by media outlets such as MIT Technology Review, The New York Times, Boston Globe, and ACM TechNews.