20 Million Trusted Domains Vulnerable to Email Hosting Exploits

Published: 23/11/2024   Category: security


Three newly discovered SMTP smuggling attack techniques can exploit misconfigurations and design decisions made by at least 50 email-hosting providers.



Three novel attack techniques that chain together vulnerabilities found in numerous email-hosting platforms are allowing threat actors to spoof emails from more than 20 million domains of trusted organizations.

The flaws — discovered by several security researchers at PayPal — allow attackers to use simple mail transfer protocol (SMTP) smuggling to bypass SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) security protocols to deliver malicious emails from domains owned by reputable Fortune 500 companies and government agencies.
The findings include vulnerabilities in email verification processes used by numerous large email service providers, specifically domain-authentication issues, request for comments (RFC) violations, and the abuse of valid DKIM signatures and SPF records.
The researchers — Hao Wang, offensive security senior manager; Caleb Sargent, offensive security engineer; and Harrison Pomeroy, lead threat detection engineer — plan to disclose how chaining these vulnerabilities together creates the new attack patterns in a session at the forthcoming Black Hat USA conference during the first week of August, entitled "Into the Inbox: Novel Email Spoofing Attack Patterns."
They also will reveal the affected vendors, which could number more than 50. The lag is due to the responsible disclosure timeline, as the researchers allow time for the issues to be addressed, Wang says.
"The issue we want to emphasize is that email gateway vendors remain vulnerable to SMTP smuggling in their default configuration," Wang tells Dark Reading in an interview. "This vulnerability can have a significant impact, especially if the outbound SMTP server of large email or hosting providers is permitted to send emails on behalf of multiple domains."
"While some email gateway vendors include a setting to reject spoofed emails and thus mitigate the issue, enabling this feature may inadvertently block legitimate emails. Consequently, many large customers continue to use the default, vulnerable setting," he says, creating a wide avenue for attacker abuse.
The team's research was informed by two previous works from other researchers: a SpamChannel talk presented by Marcello Salvati at DEF CON 2023, and an innovative SMTP smuggling attack unveiled by Timo Longin in December, Wang says.
The first attack technique involves SPF abuse and is due to the fact that several large email and hosting service providers fail to verify domains properly when sending emails, which violates RFC requirements.
"Their domains often have overly permissive SPF records, enabling attackers to bypass SPF/DMARC security controls and deliver fraudulent emails," Wang explains, adding that the attack has a high success rate due to the large number of affected domains and the broad reach of email spoofing.
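The overly permissive SPF records Wang describes can be audited mechanically. The following is an added example, not code from the article or from the PayPal researchers: a small Python auditor that parses an SPF TXT record and flags a `+all` terminal, overly broad `ip4` ranges (the /16 threshold is an assumption), the deprecated `ptr` mechanism, and records that exceed the RFC 7208 limit of 10 DNS-lookup terms, and it lists every `include:` so an administrator can confirm that each included provider actually verifies which customers may send as the domain. The sample records and domain names are constructed for the example.

```python
import ipaddress
import re

# Constructed SPF records for demonstration; none are taken from the article.
SAMPLE_RECORDS = {
    "tight.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.provider-a.test -all",
    "open.test": "v=spf1 include:_spf.provider-a.test include:_spf.provider-b.test +all",
    "broad.test": "v=spf1 ip4:198.51.0.0/12 ~all",
}

# Mechanisms (plus the redirect modifier) that each cost one DNS lookup under RFC 7208.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
# An ip4 prefix shorter than this is reported as suspiciously broad (assumed threshold).
BROAD_IP4_PREFIX = 16

# qualifier, mechanism/modifier name, optional argument after ':', '=' or '/'
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for part in parts[1:]:
        match = TERM_RE.match(part)
        if not match:
            raise ValueError(f"unparseable term: {part}")
        qual, mech, arg = match.groups()
        terms.append((qual or "+", mech.lower(), arg))  # no qualifier means '+'
    return terms


def audit_spf(record):
    """Return a permissiveness report for one SPF record."""
    findings, includes, terminal, lookups = [], [], None, 0
    for qual, mech, arg in parse_spf(record):
        if mech in LOOKUP_MECHANISMS or mech == "redirect":
            lookups += 1
        if mech == "include":
            includes.append(arg)
        elif mech == "all":
            terminal = qual + "all"
            if qual == "+":
                findings.append("critical: '+all' lets any host on the internet pass SPF for this domain")
            elif qual == "?":
                findings.append("warn: '?all' returns neutral, which DMARC does not count as a pass")
            elif qual == "~":
                findings.append("info: '~all' softfails unlisted hosts instead of rejecting them")
        elif mech == "ip4" and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if net.prefixlen < BROAD_IP4_PREFIX:
                findings.append(f"warn: ip4:{arg} authorises {net.num_addresses} addresses")
        elif mech == "ptr":
            findings.append("warn: 'ptr' is deprecated by RFC 7208 and should not be used")
    if terminal is None:
        findings.append("warn: no 'all' term, so unlisted hosts get a neutral result")
    if lookups > 10:
        findings.append(f"critical: {lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if includes:
        # Every included provider must itself verify that a customer may send as this domain.
        findings.append("review: included providers trusted to send as this domain: " + ", ".join(includes))
    level = "ok"
    if any(f.startswith("critical") for f in findings):
        level = "critical"
    elif any(f.startswith("warn") for f in findings):
        level = "warn"
    return {"level": level, "terminal": terminal, "includes": includes, "findings": findings}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        report = audit_spf(record)
        print(f"{domain}: {report['level']} ({report['terminal']})")
        for finding in report["findings"]:
            print("  ", finding)
```

The `review` line is the one that matters for the attack pattern in the article: a record can end in `-all` and still be effectively open if an included provider relays mail for any of its customers without checking that they own the domain, so each include deserves an explicit answer to "does this provider verify sender domains?".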
The second attack pattern abuses DKIM due to improper domain verification when utilizing feedback loop (FBL) features from major mailbox providers, allowing large-scale email spoofing campaigns.
The third attack pattern expands upon Longin's SMTP smuggling attack discovery, and will be revealed in more detail during the Black Hat USA session. Longin discovered that attackers can exploit SMTP on vulnerable servers to send scores of malicious emails with fake sender addresses based on the exploit of existing flaws on messaging servers from Microsoft, GMX, and Cisco.
"Most of the attacks do not directly circumvent SPF, DKIM, and DMARC controls in place, but instead leverage misconfigurations and design decisions made by the affected vendors," Wang says. The result of these attacks is emails with valid SPF and DKIM records that will pass the DMARC check.
As part of their session, the researchers plan to reveal a method for detecting SMTP smuggling attacks that involves the Message-ID identifier that email servers add when they send someone's email. The method correlates the difference between the Message-IDs added by the outbound and inbound SMTP servers when an attacker attempts to send multiple emails within a short period through a single SMTP connection.

"This difference would serve as a strong indicator of an SMTP smuggling attack, enabling the development of custom detection rules," Wang says. "At the very least, organizations can incorporate this technique as part of their compensating controls for mitigating this type of attack."
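The Message-ID correlation Wang describes can be sketched as a detection rule over inbound mail logs. The following is an added example, not the researchers' detection logic and not any product's log format: it assumes a constructed inbound MTA log in which each accepted message is recorded with its SMTP connection id, the connecting relay and the Message-ID header as received, and it assumes that the inbound server (`mx.example.test` here) stamps its own hostname into the Message-ID of any message that arrives without one. A connection that delivers, within a short window (60 seconds, an assumption), one message carrying the outbound relay's Message-ID and a second that needed the inbound server's own stamp is reported as a smuggling candidate, because a relay normally stamps every message it sends.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hostname of the inbound server whose log is inspected (assumption for the example).
INBOUND_HOST = "mx.example.test"
# Messages on one connection are correlated only within this many seconds (assumption).
WINDOW_SECONDS = 60

# Constructed inbound MTA log lines; the format is invented for this example.
SAMPLE_LOG = """\
2024-11-23T10:00:01Z conn=c1 client=relay.provider-a.test msgid=<a1@relay.provider-a.test>
2024-11-23T10:00:02Z conn=c1 client=relay.provider-a.test msgid=<m9@mx.example.test>
2024-11-23T10:05:00Z conn=c2 client=relay.provider-b.test msgid=<b1@relay.provider-b.test>
2024-11-23T10:05:30Z conn=c2 client=relay.provider-b.test msgid=<b2@relay.provider-b.test>
2024-11-23T11:00:00Z conn=c3 client=relay.provider-a.test msgid=<a7@relay.provider-a.test>
2024-11-23T11:30:00Z conn=c3 client=relay.provider-a.test msgid=<m10@mx.example.test>
"""

LINE_RE = re.compile(r"^(\S+) conn=(\S+) client=(\S+) msgid=<([^>]+)>$")


def parse_log(text):
    """Turn the constructed log into event dicts, recording which host minted each Message-ID."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable line: {line}")
        stamp, conn, client, msgid = match.groups()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "when": when,
            "conn": conn,
            "client": client,
            "msgid": msgid,
            # The domain part of the Message-ID identifies the server that generated it.
            "msgid_host": msgid.rsplit("@", 1)[-1].lower(),
        })
    return events


def find_smuggling_candidates(events, inbound_host=INBOUND_HOST, window=WINDOW_SECONDS):
    """Flag connections where a relay-stamped and an inbound-stamped message arrive close together."""
    inbound_host = inbound_host.lower()
    by_conn = defaultdict(list)
    for event in events:
        by_conn[event["conn"]].append(event)

    alerts = []
    for conn, msgs in by_conn.items():
        msgs.sort(key=lambda e: e["when"])
        for i, later in enumerate(msgs):
            # Only messages the inbound server had to stamp itself are of interest.
            if later["msgid_host"] != inbound_host:
                continue
            # Walk back through earlier messages on the same connection inside the window.
            for earlier in reversed(msgs[:i]):
                gap = (later["when"] - earlier["when"]).total_seconds()
                if gap > window:
                    break  # sorted by time, so nothing earlier can be closer
                if earlier["msgid_host"] != inbound_host:
                    alerts.append({
                        "conn": conn,
                        "client": later["client"],
                        "relay_msgid": earlier["msgid"],
                        "stamped_msgid": later["msgid"],
                        "gap_seconds": gap,
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_smuggling_candidates(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, connection `c1` is reported: the relay stamped the first message but the second arrived with no Message-ID one second later, which is the shape a smuggled second message would take. Connection `c2` carries two relay-stamped messages and is ignored, and `c3` has the same mix as `c1` but half an hour apart, so it falls outside the window; widening `window` is how an analyst would trade false positives for coverage on long-lived connections.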
Indeed, while the attack patterns discovered can allow email spoofing by bypassing DMARC, DKIM, and SPF security controls, the researchers still highly recommend that organizations enforce these measures for their domains as a foundational security baseline.
"Implementing these controls significantly enhances email security by providing mechanisms for verifying the authenticity of email messages, reducing the risk of phishing and email spoofing attacks," Wang says.
Organizations also should use email-filtering solutions that leverage heuristic and content-based analysis in addition to validating messages through DMARC, DKIM, and SPF security controls for a multilayered approach that helps identify and block potential spoofing and phishing emails more effectively, he says.
Wang adds that enforcing RFC standards for authentication and authorization across all email service providers also is critical for maintaining the security and reliability of email communications, and preventing various forms of email-based attacks.
