SMTP Smugglers Blues

How to stop SMTP Smuggling Attacks with F5 BIG-IP Advanced WAF

I desperately want to break away from the Miami Vice theme, but it keeps returning!  Now I have Glenn Frey playing in my head.  He did play a pilot, so, of course, it gets some extra credit.

A few weeks back, there were announcements from The Hacker News and some mail vendors of a threat to the SMTP Protocol.  This attack isn’t new, but it’s reared its ugly head again.  We’re seeing potential cases where attackers try smuggling phishing emails into mail servers, piggybacking on seemingly ‘legitimate’ mail items.

Like my earlier article on HTTP Smuggling, SMTP Smuggling involves tricking a server into accepting an incoming message as legitimate but adding more to the message than the server expects.  In SMTP Smuggling, the trick is to make the mail server think the mail is done so that it’s queued to send, but there’s another email after it that will also be queued to send.

This is an example of an SMTP conversation between a client and server:

Client: EHLO mail.example.com
Server: 250-mail.example.com Hello [Client IP Address], pleased to meet you
Client: MAIL FROM: <root@example.com>
Server: 250 2.1.0 <root@example.com>... Sender ok
Client: RCPT TO: <mailowner@localhost>
Server: 250 2.1.5 <mailowner@localhost>... Recipient ok
Client: DATA
Server: 354 Enter mail, end with "." on a line by itself
Client: Date: Thur, 18 Jan 24 10:39:00 EST
Client: From: Root <root@localhost>
Client: To: <mailowner@localhost>
Client: Cc: <peter@peterscheffler.com>
Client: Subject: Update
Client:
Client: Mike: Cindy stubbed her toe. Bobby went to
Client: baseball camp. Marsha made the cheerleading team.
Client: Jan got glasses. Peter has an identity crisis.
Client: Greg made dates with 3 girls and couldn't
Client: remember their names.
Client: <CR><LF>.<CR><LF>
Server: 250 2.0.0 Message accepted for delivery
Client: QUIT
Server: 221 2.0.0 mail.example.com closing connection

The key is in the line that is a single period (.) which informs the mail server that the client is done.

What is not normally shown is the <CR><LF> on either side of the period, and it matters.  The server tells the client how to terminate the message in its 354 response to the DATA command.

The smuggling attack messes with the delimiter - <CR><LF>.<CR><LF> - by dropping the final <LF> and then following it with a second email.  Below is an example of an email with a smuggled email after it:

Client: EHLO mail.example.com 
Server: 250-mail.example.com Hello [Client IP Address], pleased to meet you 
Client: MAIL FROM: <root@example.com> 
Server: 250 2.1.0 <root@example.com>... Sender ok 
Client: RCPT TO: <mailowner@localhost> 
Server: 250 2.1.5 <mailowner@localhost>... Recipient ok 
Client: DATA 
Server: 354 Enter mail, end with "." on a line by itself 
Client: Date: Thur, 18 Jan 24 10:39:00 EST 
Client: From: Root <root@localhost> 
Client: To: <mailowner@localhost> 
Client: Cc: <peter@peterscheffler.com> 
Client: Subject: Update 
Client: 
Client: Mike: Cindy stubbed her toe. Bobby went to 
Client: baseball camp. Marsha made the cheerleading team. 
Client: Jan got glasses. Peter has an identity crisis. 
Client: Greg made dates with 3 girls and couldn't 
Client: remember their names. 
Client: <CR><LF>.<CR> 
Server: 250 2.0.0 Message accepted for delivery 
Client: DATA 
Server: 354 Enter mail, end with "." on a line by itself 
Client: Date: Thur, 18 Jan 24 10:39:00 EST 
Client: From: Sneak <sneak@localhost> 
Client: To: <phisphyphishy@localhost> 
Client: Subject: A New CAR!!! Click here to get your new car delivered to you, act NOW http://malicious-car-dealers.ru 
Client: <CR><LF>.<CR><LF> 
Server: 250 2.0.0 Message accepted for delivery 
Client: QUIT 
Server: 221 2.0.0 mail.example.com closing connection 

Before I go any further, there’s a kudos for anyone who gets the reference in the emails; comment below if you get it.

So, back to the attack:
In this case, the line:

<CR><LF>.<CR>

is the trick used to fool the mail server into accepting the second email as part of the logged-in user’s email request.  The two emails, one with a subject line of "Update" and one with a subject line of "A New CAR!!!", are queued individually, with different From: and To: addresses.
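As an added example (not code from the article or from F5), here is a small Python check of the kind a protocol-compliance proxy performs on the DATA section: it looks for the RFC 5321 terminator <CR><LF>.<CR><LF> and flags bare <CR> or bare <LF> line endings before it, including the <CR><LF>.<CR> marker the article describes. The two sample messages are constructed to mirror the conversations above.

```python
import re

# RFC 5321 end-of-data indicator: <CR><LF>.<CR><LF>
END_OF_DATA = b"\r\n.\r\n"

# Line-ending defects a protocol-compliance check looks for inside a DATA section.
BARE_CR = re.compile(rb"\r(?!\n)")    # <CR> not followed by <LF>
BARE_LF = re.compile(rb"(?<!\r)\n")   # <LF> not preceded by <CR>


def inspect_data_section(payload: bytes) -> dict:
    """Inspect the raw bytes a client sends between DATA and the end-of-data.

    Returns the offset of the compliant terminator (or -1), every
    non-standard line ending found before it, and the offset of the
    article's smuggling marker <CR><LF>.<CR> (a dot line ended by a lone CR).
    """
    end = payload.find(END_OF_DATA)
    body = payload if end < 0 else payload[:end]
    defects = [("bare CR", m.start()) for m in BARE_CR.finditer(body)]
    defects += [("bare LF", m.start()) for m in BARE_LF.finditer(body)]
    defects.sort(key=lambda d: d[1])
    return {
        "terminator_at": end,
        "defects": defects,
        "smuggle_marker_at": body.find(b"\r\n.\r"),
        "compliant": end >= 0 and not defects,
    }


def should_reject(payload: bytes) -> bool:
    """Decision a strict proxy would make: refuse any DATA section that is not
    terminated by <CR><LF>.<CR><LF> or that mixes in bare CR / bare LF."""
    return not inspect_data_section(payload)["compliant"]


# Constructed samples modelled on the article's two conversations (not real traffic).
LEGIT = (b"Subject: Update\r\n\r\n"
         b"Mike: Cindy stubbed her toe.\r\n"
         b".\r\n")
SMUGGLED = (b"Subject: Update\r\n\r\n"
            b"Mike: Cindy stubbed her toe.\r\n"
            b".\r"                                  # <CR><LF>.<CR> with no closing <LF>
            b"DATA\r\nSubject: A New CAR!!!\r\n\r\nact NOW\r\n"
            b".\r\n")

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("smuggled", SMUGGLED)):
        print(name, inspect_data_section(sample), "reject:", should_reject(sample))
```

The legitimate sample is compliant; the smuggled one reports a bare CR exactly three bytes after the <CR><LF>.<CR> marker and is rejected.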

Advanced Phishing 201

Welcome to your Advanced Phishing Class folks, I promise, there’s no math.

Using SMTP Smuggling, a bad actor – no, not a Razzie winner! – who has credentials to an email server can send email from a corporate mail server to anyone, impersonating anyone.

Remember, over the last ten or fifteen years, there has been an effort to strengthen the network of email servers with PKI and authentication.  This ensures that mail is being sent from known servers by legitimate users.  This is still the case here as the server itself is not compromised, but the user credentials are used by the bad actor on the legitimate server, thereby skirting the legitimacy of the mail server network.

Stopping the attacks

The good news is that the little hack the bad actor exploits in this attack – the lack of a completing <LF> - breaks the SMTP protocol.  This is an OLD protocol that has been in place for decades.  The email example I used in my attacks, er, “testing,” dates back to 1999 on the IBM website for the VMS operating system!

F5 has offered a product called “Protocol Compliance” for ages. It used to be a separate license that you needed to purchase.  It gave you protection for various protocols, including SMTP.  This is included in the Advanced WAF license, so if you have AWAF, you have this protection available.

I won’t go into the details of enabling it, since they can vary from release to release, but you can see how it’s enabled on V17.0 here: Securing SMTP Traffic

Basically, you need to create an SMTP Security Profile (most likely under Security->Protocol Security->Security Profiles->SMTP) and enable profile items in Blocking.  There’s no actual setting for checking the protocol itself; that’s intrinsic to how this works.  You can enable other settings if you wish, but they are unnecessary for stopping our suave pilot smuggler.

You then enable this on a virtual server with your SMTP servers in the pool – remember to enable the SMTP Protocol as well.

Then you can play DEA Agent to those Smugglers!

The Power of a Full Proxy

The one thing I take away from all of this is how proxying anything can offer some fantastic benefits.  In this case, the proxy allows us to inspect the incoming SMTP request for valid formatting and protocol compliance.  But as you investigate the options, you can see you can limit the domains, add in rate limiting, or allow or disallow different commands.

Please note that this article contains some content generated by AI tools, sadly that's not me standing on the steps of my own private jet.

Published Mar 18, 2024
Version 1.0