SMTP Pentest Guide

Parsing Inconsistencies

This attack exploits inconsistencies in how different email systems parse and interpret email headers and content, allowing attackers to craft emails that appear differently to different systems.

Attack Summary: Exploiting inconsistencies in email parsing to create emails that bypass security checks but appear legitimate to recipients.

Background: Email Parsing Inconsistencies

Email standards like RFC 5322 define how email messages should be structured and parsed. However, different email systems implement these standards differently, leading to inconsistencies in how they interpret the same email message.

These inconsistencies can occur in various parts of the email:

  • Header parsing: How headers are parsed and interpreted
  • Character encoding: How different character encodings are handled
  • Whitespace handling: How whitespace characters are interpreted
  • Line folding: How line folding in headers is handled
  • Comment handling: How comments in headers are handled

Attackers can exploit these inconsistencies to craft emails that appear differently to different systems, potentially bypassing security checks while still appearing legitimate to recipients.

Attack Methodology

This attack involves crafting emails that exploit parsing inconsistencies to bypass security checks while still appearing legitimate to recipients.

Header Parsing Inconsistencies
Exploiting inconsistencies in header parsing

This variant exploits inconsistencies in how different systems parse email headers.

Header Parsing Example

Exploiting header parsing inconsistencies

    # Send an email with a malformed From header (the comment is glued to the address)
    telnet mail.example.com 25
    HELO attacker.com
    MAIL FROM:<attacker@attacker.com>
    RCPT TO:<victim@example.com>
    DATA
    From: ceo@trusted-company.com(comment)
    To: victim@example.com
    Subject: Urgent Wire Transfer

    Please process this wire transfer immediately.
    .
    QUIT

Explanation: In this example, the attacker sends an email with a From header that includes a comment. Some email systems may ignore the comment and display the sender as 'ceo@trusted-company.com', while others may include the comment or handle it differently. This inconsistency can be exploited to bypass security checks that look for specific patterns in the From header.

Common Header Parsing Inconsistencies

  • Comments: Some systems ignore comments in headers, while others include them
  • Quoted strings: Systems handle quoted strings in headers differently
  • Multiple headers: Systems handle multiple instances of the same header differently
  • Malformed headers: Systems handle malformed headers differently
  • Header order: Systems may prioritize headers differently based on their order

Character Encoding Inconsistencies
Exploiting inconsistencies in character encoding

This variant exploits inconsistencies in how different systems handle character encodings.

Character Encoding Example

Exploiting character encoding inconsistencies

    # Send an email with an RFC 2047 encoded-word as the From header value
    telnet mail.example.com 25
    HELO attacker.com
    MAIL FROM:<attacker@attacker.com>
    RCPT TO:<victim@example.com>
    DATA
    From: =?UTF-8?B?Y2VvQHRydXN0ZWQtY29tcGFueS5jb20=?=
    To: victim@example.com
    Subject: Urgent Wire Transfer

    Please process this wire transfer immediately.
    .
    QUIT

Explanation: In this example, the attacker sends an email whose From header is an RFC 2047 encoded-word (charset UTF-8, Base64 "B" encoding). The decoded value is 'ceo@trusted-company.com'. Some email systems decode it and display that address, while others display the encoded form or handle it differently. This inconsistency can be exploited to bypass security checks that look for specific patterns in the From header.

Character Encoding Techniques

Attackers can use various character encoding techniques:

  • UTF-8 encoding: Using UTF-8 encoded characters
  • Base64 encoding: Using Base64 encoded strings
  • Quoted-printable encoding: Using quoted-printable encoded strings
  • HTML entities: Using HTML entity references
  • Unicode homoglyphs: Using Unicode characters that look similar to ASCII characters

Whitespace and Line Folding Inconsistencies
Exploiting inconsistencies in whitespace handling

This variant exploits inconsistencies in how different systems handle whitespace and line folding.

Whitespace Example

Exploiting whitespace inconsistencies

    # Send an email with unusual whitespace in the From header: the header is
    # folded, so the comment sits on a continuation line that begins with whitespace
    telnet mail.example.com 25
    HELO attacker.com
    MAIL FROM:<attacker@attacker.com>
    RCPT TO:<victim@example.com>
    DATA
    From: ceo@trusted-company.com
        (comment)
    To: victim@example.com
    Subject: Urgent Wire Transfer

    Please process this wire transfer immediately.
    .
    QUIT

Explanation: In this example, the attacker sends an email with a From header that includes a line fold followed by a comment. Some email systems may ignore the line fold and comment, while others may include them or handle them differently. This inconsistency can be exploited to bypass security checks that look for specific patterns in the From header.

Whitespace and Line Folding Techniques

Attackers can use various whitespace and line folding techniques:

  • Line folding: Using line folding in headers
  • Unusual whitespace: Using tabs, form feeds, or other unusual whitespace characters
  • Multiple spaces: Using multiple spaces where a single space is expected
  • No spaces: Omitting spaces where they are expected
  • Line breaks: Using line breaks in unexpected places

Impact

This attack allows attackers to:

  • Bypass email security checks that rely on specific patterns
  • Create emails that appear differently to different systems
  • Exploit inconsistencies in how email clients display messages
  • Conduct more effective phishing and business email compromise attacks

Detection

Organizations can detect these attacks by:

  • Implementing email security solutions that normalize headers before analysis
  • Using multiple parsing engines to identify inconsistencies
  • Monitoring for unusual patterns in email headers
  • Checking for encoded or obfuscated content in headers

Mitigation

To protect against these attacks, organizations should:

  • Normalize headers: Normalize email headers before analysis
  • Implement strict parsing: Use strict parsing rules for email headers
  • Use multiple engines: Use multiple parsing engines to identify inconsistencies
  • Implement authentication: Implement SPF, DKIM, and DMARC for all domains
  • Train users: Educate users about the risks of email spoofing and phishing
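The following script is an added example for this guide (it is not the guide's own code and not any vendor's filter). It implements the normalization the Mitigation section asks for on the From header (unfold per RFC 5322, decode RFC 2047 encoded-words, strip comments, collapse whitespace) before any pattern match, and reports the indicators the Detection section lists: folded headers, encoded-words, comments, and a protected sender that the normalized view matches but the raw header text does not. The three variant messages mirror the comment, encoded-word and line-fold examples above, plus one benign message. The sample messages and the PROTECTED_SENDERS set are constructed for this example, and strip_comments does not special-case quoted strings.

```python
"""
From-header normalization and inconsistency check.

Added example for this guide (not the guide's or any product's code).
Normalizes the From header before pattern matching and reports which
parsing tricks are present. SAMPLES and PROTECTED_SENDERS are constructed.
"""
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed: executive addresses an impersonation rule is meant to guard.
PROTECTED_SENDERS = {"ceo@trusted-company.com"}

# Constructed sample messages: one per variant described in the guide, plus a benign one.
SAMPLES = {
    "comment": (b"From: ceo@trusted-company.com(comment)\r\n"
                b"To: victim@example.com\r\nSubject: Urgent Wire Transfer\r\n\r\nbody\r\n"),
    "rfc2047": (b"From: =?UTF-8?B?Y2VvQHRydXN0ZWQtY29tcGFueS5jb20=?=\r\n"
                b"To: victim@example.com\r\nSubject: Urgent Wire Transfer\r\n\r\nbody\r\n"),
    "fold": (b"From: ceo@trusted-company.com\r\n\t(comment)\r\n"
             b"To: victim@example.com\r\nSubject: Urgent Wire Transfer\r\n\r\nbody\r\n"),
    "clean": (b"From: Alice <alice@example.org>\r\n"
              b"To: victim@example.com\r\nSubject: hello\r\n\r\nbody\r\n"),
}

_ENCODED_WORD = re.compile(r"=\?[^?]+\?[BbQq]\?[^?]*\?=")


def raw_header(raw: bytes, name: str) -> str:
    """Return the first header called `name` exactly as it sits on the wire,
    continuation lines included (folds are kept as CRLF + whitespace)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        if line.lower().startswith(name.lower() + ":"):
            value = [line.split(":", 1)[1].lstrip(" \t")]
            for cont in lines[i + 1:]:
                if cont[:1] in (" ", "\t"):      # folded continuation line
                    value.append(cont)
                else:
                    break
            return "\r\n".join(value)
    return ""


def unfold(value: str) -> str:
    """RFC 5322 section 2.2.3: unfolding removes the CRLF that precedes whitespace."""
    return re.sub(r"\r?\n(?=[ \t])", "", value)


def decode_encoded_words(value: str) -> str:
    """Decode RFC 2047 encoded-words (=?charset?B|Q?text?=) to plain text."""
    return str(make_header(decode_header(value)))


def strip_comments(value: str) -> str:
    """Drop (nested) RFC 5322 comments; quoted strings are not special-cased here."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def normalize_from(raw: bytes) -> str:
    """Normalized addr-spec of the From header: unfold, decode, strip comments,
    collapse whitespace, then parse the address and lower-case it."""
    value = strip_comments(decode_encoded_words(unfold(raw_header(raw, "From"))))
    value = re.sub(r"\s+", " ", value).strip()
    return parseaddr(value)[1].lower()


def naive_from(raw: bytes) -> str:
    """What a line-oriented pattern check sees: the first From: line, untouched."""
    return raw_header(raw, "From").split("\r\n")[0].strip().lower()


def analyze(raw: bytes) -> dict:
    """Run the impersonation rule on the raw and normalized views and collect indicators."""
    value = raw_header(raw, "From")
    sender = normalize_from(raw)
    indicators = []
    if "\r\n" in value:
        indicators.append("folded From header")
    if _ENCODED_WORD.search(value):
        indicators.append("RFC 2047 encoded-word in From header")
    if "(" in value:
        indicators.append("comment in From header")
    raw_match = naive_from(raw) in PROTECTED_SENDERS
    normalized_match = sender in PROTECTED_SENDERS
    if normalized_match and not raw_match:
        indicators.append("protected sender hidden from raw pattern match")
    return {"sender": sender, "raw_match": raw_match,
            "normalized_match": normalized_match, "indicators": indicators}


if __name__ == "__main__":
    for label, message in SAMPLES.items():
        print(f"{label:8} {analyze(message)}")
```

Two points worth noting when adapting this. RFC 2047 does not permit an encoded-word inside an addr-spec, so a strict parser should refuse to treat the second sample as an address at all; the normalizer decodes it anyway so that the impersonation rule still fires, which is the safer failure mode for a filter. The "multiple engines" item in the Mitigation list amounts to diffing this normalized result against a second, independent parser's view of the same header and flagging any disagreement, rather than trusting either one alone.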

Testing

Security professionals can test for this vulnerability using the following approach:

  1. Create test emails with various parsing inconsistencies
  2. Send the test emails to different email systems
  3. Check how each system parses and displays the emails
  4. Document the inconsistencies and recommend appropriate mitigations

References

  • RFC 5322: "Internet Message Format." https://tools.ietf.org/html/rfc5322
  • RFC 2047: "MIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII Text." https://tools.ietf.org/html/rfc2047
  • Chen, J., Duan, H., Weaver, N., Paxson, V., & Jiang, J. (2021). "Measuring and Mitigating Email Sender Spoofing Attacks." In Proceedings of the 30th USENIX Security Symposium.
  • Foster, I. D., Larson, J., Masich, M., Snoeren, A. C., Savage, S., & Levchenko, K. (2015). "Security by Any Other Name: On the Effectiveness of Provider Based Email Security." In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.