How Attackers Exploit SMTP Vulnerabilities to Forge Emails

admin, 4 January 2024 13:54:48, 75 views, 3,135 characters, 10 min 27 s read

A new exploitation technique called Simple Mail Transfer Protocol (SMTP) smuggling can be weaponized by threat actors to send spoofed emails with fake sender addresses while bypassing security measures.

"Threat actors could abuse vulnerable SMTP servers worldwide to send malicious emails from arbitrary email addresses, allowing targeted phishing attacks," Timo Longin, a senior security consultant at SEC Consult, said in an analysis published last month.

SMTP is a TCP/IP protocol used to send and receive email messages over a network. To relay a message from an email client (aka mail user agent), an SMTP connection is established between the client and server in order to transmit the actual content of the email.

The server then relies on what's called a mail transfer agent (MTA) to check the domain of the recipient's email address, and if it's different from that of the sender, it queries the domain name system (DNS) to look up the MX (mail exchanger) record for the recipient's domain and complete the mail exchange.

The crux of SMTP smuggling is rooted in the inconsistencies that arise when outbound and inbound SMTP servers handle end-of-data sequences differently, potentially enabling threat actors to break out of the message data, "smuggle" arbitrary SMTP commands, and even send separate emails.

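As an added example (not from the article or from SEC Consult's research), the Python below models the end-of-data inconsistency described above: a strict receiver ends DATA only at CRLF.CRLF, while a lenient receiver, assumed here to also accept a bare LF or bare CR around the dot, splits the same byte stream into two messages. The `nonstandard_terminators` check is the kind of inbound filter a defender can apply; the sample stream is constructed for the demo.

```python
import re

# RFC 5321 ends the DATA phase with exactly CRLF "." CRLF.  The regex models a
# lenient receiver that also accepts bare LF or bare CR on either side of the dot
# (an assumption about such servers in general, not about any specific product).
STRICT_EOD = b"\r\n.\r\n"
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def count_data_sections(stream: bytes, lenient: bool) -> int:
    """Number of DATA sections a receiver sees in one byte stream.

    A strict receiver ends a section only at CRLF.CRLF; a lenient one also ends it
    at the non-standard variants.  Two servers disagreeing on this count is the
    inconsistency SMTP smuggling relies on.
    """
    if lenient:
        return len(LENIENT_EOD.findall(stream))
    return stream.count(STRICT_EOD)


def nonstandard_terminators(stream: bytes) -> list:
    """Every end-of-data-looking sequence that is NOT the strict CRLF.CRLF form.

    A server that rejects (or refuses to relay) a message containing any of these
    cannot be tricked into splitting one message into two.
    """
    return [m.group(0) for m in LENIENT_EOD.finditer(stream) if m.group(0) != STRICT_EOD]


# Constructed sample: one message whose body carries a bare-LF "end of data".
# A strict relay forwards everything up to the real terminator as one body; a
# lenient receiver stops at the bare-LF dot and treats the rest as a new message.
SAMPLE = (
    b"From: alice@example.test\r\n"
    b"Subject: quarterly report\r\n"
    b"\r\n"
    b"See attached.\n.\n"  # non-standard terminator hidden inside the body
    b"Bytes that a lenient receiver reads as a second message\r\n"
    b".\r\n"  # the real, RFC-compliant terminator
)


def demo() -> dict:
    return {
        "strict_sections": count_data_sections(SAMPLE, lenient=False),
        "lenient_sections": count_data_sections(SAMPLE, lenient=True),
        "flagged": nonstandard_terminators(SAMPLE),
    }


if __name__ == "__main__":
    print(demo())
```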
It borrows the concept from a known attack method referred to as HTTP request smuggling, which takes advantage of discrepancies in the interpretation and processing of the "Content-Length" and "Transfer-Encoding" HTTP headers to prepend an ambiguous request to the inbound request chain.

Specifically, it exploits security flaws in messaging servers from Microsoft, GMX, and Cisco to send emails spoofing millions of domains. Also impacted are SMTP implementations from Postfix and Sendmail.

This allows attackers to send forged emails that appear to originate from legitimate senders and to defeat the checks put in place to ensure the authenticity of incoming messages – i.e., DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF).

While Microsoft and GMX have rectified the issues, Cisco said the findings do not constitute a "vulnerability, but a feature and that they will not change the default configuration." As a result, inbound SMTP smuggling to Cisco Secure Email instances is still possible with default configurations.

As a fix, SEC Consult recommends Cisco users change their settings from "Clean" to "Allow" in order to avoid receiving spoofed emails with valid DMARC checks.

Originally published on the WeChat public account 知机安全: How Attackers Exploit SMTP Vulnerabilities to Forge Emails
