Closed damluk closed 9 months ago
The general issue with SMTP smuggling is the violation of exactly these rules/RFCs. Exchange Online and GMX violated RFC 5322 since they let `<LF>.<CR><LF>` through unfiltered, even though the RFC states "CR and LF MUST only occur together as CRLF; they MUST NOT appear independently in the body." Therefore, it might still be possible that outbound servers letting `<CR><LF>.whatever` sequences through unfiltered exist.

However, it is unlikely that outbound SMTP servers let `<CR><LF>.whatever` through, based on the previous research. For now, I've removed the `<CR><LF>.whatever` test cases to reduce false positives.
From https://www.mail-archive.com/postfix-users@postfix.org/msg101084.html:

> Tested `eod_sequences` like `\r\n.\r` cannot be provoked by an attacker, because an RFC-conforming SMTP client will dot-stuff `\r\n.<non-crlf>` into `\r\n..<non-crlf>`, rendering the injected sequence useless for the attack.
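The dot-stuffing argument from the Postfix thread, and the reason `<LF>.<CR><LF>` still gets through on servers that ignore the RFC 5322 bare-CR/LF rule, can be checked directly. The following is an added example, not code from this issue, its author, or the project; the function names (`dot_stuff`, `normalize_line_endings`, `has_bare_cr_or_lf`, `find_eod_sequences`) and the two sample message bodies are constructed for illustration.

```python
import re

# Standard SMTP end-of-data sequence (RFC 5321, section 4.1.1.4).
STANDARD_EOD = b"\r\n.\r\n"

# Non-standard variants that a lenient receiving server might accept as EOD.
# Constructed list for this example, covering the sequences discussed above.
LENIENT_EOD_PATTERNS = [
    b"\n.\r\n",   # <LF>.<CR><LF>   (the Exchange Online / GMX case)
    b"\r\n.\r",   # <CR><LF>.<CR>   (the Postfix-thread example)
    b"\r\n.\n",   # <CR><LF>.<LF>
    b"\n.\n",     # <LF>.<LF>
    b"\r.\r",     # <CR>.<CR>
]

# A CR not followed by LF, or an LF not preceded by CR.
_BARE_CR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def has_bare_cr_or_lf(data: bytes) -> bool:
    """RFC 5322 rule: CR and LF MUST only occur together as CRLF."""
    return _BARE_CR_LF.search(data) is not None


def dot_stuff(body: bytes) -> bytes:
    """Dot-stuffing as an RFC-conforming client does it (RFC 5321, 4.5.2).

    Lines are delimited by CRLF only. Any line whose first byte is '.' gets an
    extra '.' prepended. A bare CR or LF is not a line break here, so a '.'
    that follows a bare LF is NOT stuffed; that is exactly the gap an
    <LF>.<CR><LF> injection relies on.
    """
    lines = body.split(b"\r\n")
    return b"\r\n".join(b"." + ln if ln.startswith(b".") else ln for ln in lines)


def normalize_line_endings(body: bytes) -> bytes:
    """What an outbound server should do before dot-stuffing: turn every
    bare CR, bare LF and CRLF into CRLF so the RFC 5322 rule holds and
    dot-stuffing then sees every '.'-led line."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", body)


def find_eod_sequences(wire_body: bytes) -> list:
    """Return every EOD-like sequence present in a body as it would appear on
    the wire (i.e. after the client's dot-stuffing, before the real EOD)."""
    return [p for p in [STANDARD_EOD] + LENIENT_EOD_PATTERNS if p in wire_body]


# Constructed attacker bodies: each tries to terminate DATA early and smuggle
# a second envelope. The smuggled commands are illustrative text only.
INJECT_CR = (b"From: a@example.test\r\n\r\nhello\r\n"
             b".\rMAIL FROM:<b@example.test>\r\n")
INJECT_LF = (b"From: a@example.test\r\n\r\nhello\n"
             b".\r\nMAIL FROM:<b@example.test>\r\n")


def smuggling_survives(body: bytes, normalize: bool) -> bool:
    """True if an EOD-like sequence is still present after the outbound
    client has (optionally) normalized line endings and dot-stuffed."""
    if normalize:
        body = normalize_line_endings(body)
    return bool(find_eod_sequences(dot_stuff(body)))


if __name__ == "__main__":
    for name, body in (("CRLF.CR", INJECT_CR), ("LF.CRLF", INJECT_LF)):
        print(name, "bare CR/LF:", has_bare_cr_or_lf(body),
              "| survives dot-stuffing:", smuggling_survives(body, False),
              "| survives normalize+stuff:", smuggling_survives(body, True))
```

Run stand-alone, the `\r\n.\r` injection is neutralized by plain dot-stuffing (it becomes `\r\n..\r`), while the `\n.\r\n` injection passes through a client that splits only on CRLF and is only caught once bare line endings are normalized first, which is the RFC 5322 requirement the comment above points at.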