{"guid":"1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","title":"SMTP Smuggling – Spoofing E-Mails Worldwide","subtitle":null,"slug":"37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide","link":"https://events.ccc.de/congress/2023/hub/event/smtp_smuggling_spoofing_e-mails_worldwide/","description":"Introducing a novel technique for e-mail spoofing.\n\nSMTP, the Simple Mail Transfer Protocol, has enabled e-mail since 1982. This easily makes it one of the oldest technologies on the Internet. However, even though it seems to have stood the test of time, there was still a trivial but novel exploitation technique just waiting to be discovered – SMTP smuggling!\nIn this talk, we’ll explore how SMTP smuggling breaks the interpretation of the SMTP protocol in vulnerable server constellations worldwide, allowing some more than unwanted behavior. Sending e-mails as admin@microsoft.com to Fortune 500 companies – while still passing SPF checks – will be the least of our problems!\nFrom identifying this novel technique to exploiting it in one of the most used e-mail services on the Internet, we’ll dive into all the little details this attack has to offer. 
Therefore, in this talk, we’ll embark on an expedition beyond the known limits of SMTP, and venture into the uncharted territories of SMTP smuggling!","original_language":"eng","persons":["Timo Longin"],"tags":["37c3","11782","2023","Security",""],"view_count":26968,"promoted":false,"date":"2023-12-27T22:05:00.000+01:00","release_date":"2023-12-28T00:00:00.000+01:00","updated_at":"2026-04-14T09:45:04.805+02:00","length":1899,"duration":1899,"thumb_url":"https://static.media.ccc.de/media/congress/2023/11782-1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2.jpg","poster_url":"https://static.media.ccc.de/media/congress/2023/11782-1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2023/11782-1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2023/11782-1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide","url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_title":"37C3: 
Unlocked","conference_url":"https://api.media.ccc.de/public/conferences/37c3","related":[],"recordings":[{"size":28,"length":1899,"mime_type":"audio/mpeg","language":"deu","filename":"37c3-11782-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_mp3-2.mp3","state":"new","folder":"mp3-translated","high_quality":false,"width":0,"height":0,"updated_at":"2023-12-28T03:26:43.461+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/mp3-translated/37c3-11782-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_mp3-2.mp3","url":"https://api.media.ccc.de/public/recordings/72202","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"},{"size":19,"length":1899,"mime_type":"audio/opus","language":"deu","filename":"37c3-11782-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_opus-2.opus","state":"new","folder":"opus-translation","high_quality":false,"width":0,"height":0,"updated_at":"2023-12-28T03:24:54.969+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/opus-translation/37c3-11782-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_opus-2.opus","url":"https://api.media.ccc.de/public/recordings/72198","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"},{"size":null,"length":null,"mime_type":"application/x-subrip","language":"eng","filename":"DRAFT_37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide.en_DRAFT.srt","state":"state-4","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2025-01-02T15:17:01.624+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/DRAFT_37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide.en_DRAFT.srt","url":"https://api.media.ccc.de/public/recordings/74781","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc
.de/public/conferences/37c3"},{"size":null,"length":null,"mime_type":"application/x-subrip","language":"fin","filename":"37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide.fi.srt","state":"translated","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2024-03-09T11:56:02.606+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide.fi.srt","url":"https://api.media.ccc.de/public/recordings/75193","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"},{"size":183,"length":1899,"mime_type":"video/webm","language":"eng-deu","filename":"37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2023-12-28T04:55:04.093+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/webm-hd/37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/72222","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"},{"size":101,"length":1899,"mime_type":"video/webm","language":"eng-deu","filename":"37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2023-12-28T03:53:30.304+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/webm-sd/37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/72209","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"},{"size":90,"length":1899,"mime_type":"video/mp4","langu
age":"eng-deu","filename":"37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2023-12-28T03:24:36.838+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/h264-sd/37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_sd.mp4","url":"https://api.media.ccc.de/public/recordings/72197","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"},{"size":28,"length":1899,"mime_type":"audio/mpeg","language":"eng","filename":"37c3-11782-eng-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2023-12-28T03:20:53.976+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/mp3/37c3-11782-eng-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/72187","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"},{"size":20,"length":1899,"mime_type":"audio/opus","language":"eng","filename":"37c3-11782-eng-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2023-12-28T03:18:36.461+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/opus/37c3-11782-eng-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_opus.opus","url":"https://api.media.ccc.de/public/recordings/72182","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"},{"size":168,"length":1899,"mime_type":"video/mp4","language":"eng-deu","filename":"37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,
"width":1920,"height":1080,"updated_at":"2023-12-28T03:16:59.150+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/h264-hd/37c3-11782-eng-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide_hd.mp4","url":"https://api.media.ccc.de/public/recordings/72177","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"},{"size":139,"length":1899,"mime_type":"video/mp4","language":"deu","filename":"37c3-11782-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2023-12-28T03:16:55.075+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/h264-hd/37c3-11782-deu-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide.mp4","url":"https://api.media.ccc.de/public/recordings/72176","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"},{"size":139,"length":1899,"mime_type":"video/mp4","language":"eng","filename":"37c3-11782-eng-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2023-12-28T03:16:50.928+01:00","recording_url":"https://cdn.media.ccc.de/congress/2023/h264-hd/37c3-11782-eng-SMTP_Smuggling_-_Spoofing_E-Mails_Worldwide.mp4","url":"https://api.media.ccc.de/public/recordings/72175","event_url":"https://api.media.ccc.de/public/events/1154a1e3-c7fd-404d-8cab-0d3a8a9b7fc2","conference_url":"https://api.media.ccc.de/public/conferences/37c3"}]}