SMTP Pentest Guide

SMTP Vulnerabilities Catalog

A comprehensive database of SMTP vulnerabilities, attack vectors, and mitigation strategies for security professionals.

Email Authentication Vulnerabilities Research

In the USENIX Security 2020 paper "Composition Kills: A Case Study of Email Sender Authentication", Jianjun Chen, Vern Paxson and Jian Jiang (UC Berkeley and ICSI) identified 18 types of attack on email sender authentication affecting major email providers and clients. The common root cause is that SPF, DKIM, DMARC and the mail client are implemented as separate components: when an ambiguous input is interpreted differently by two of them, the attacker gets to choose which interpretation each component sees, and the checks can be bypassed while the message still looks legitimate to the user.

Vulnerability Catalog

Showing 12 of 42 vulnerabilities
SMTP Smuggling Attack (Critical)
Exploits disagreement between an outbound relay and an inbound server over which byte sequence ends the DATA phase. RFC 5321 specifies <CR><LF>.<CR><LF>, but some receivers also accept variants such as <LF>.<CR><LF>. An attacker who can send through a relay that forwards such a sequence unchanged appends a second MAIL FROM / RCPT TO / DATA sequence to the message body; the receiver treats it as a new message arriving from the relay's IP, so it inherits the relay's SPF (and hence DMARC) pass for any domain the relay is authorised to send for.
Affected: 1,577 of Tranco Top 10,000 domains
Discovered: 2023
Tags: Authentication Bypass, Spoofing
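The DATA-phase disagreement described above, as an added example that is not part of this catalog or of any MTA's code: a strict outbound relay only terminates at CRLF.CRLF, a lenient inbound server also stops at LF.CRLF, and whatever follows that point is parsed as a fresh envelope. The byte streams, host names and the set of lenient terminators are constructed for the demonstration; `harden_for_relay()` shows the sender-side fix (canonicalise bare line endings, then dot-stuff), and the receiver-side fix is simply to read with `STRICT_EOD`.

```python
"""Emulate the DATA-phase disagreement behind SMTP smuggling: an outbound
relay that ends a message only at <CR><LF>.<CR><LF> forwards bytes that a
lenient inbound server treats as end-of-data, and everything after them as
new SMTP commands.  All byte streams here are constructed, not captured."""

STRICT_EOD = (b"\r\n.\r\n",)
# Variants some receivers have accepted as end-of-data (assumed set for the demo)
LENIENT_EOD = (b"\r\n.\r\n", b"\n.\r\n", b"\r\n.\n", b"\n.\n")


def find_eod(stream: bytes, eod_sequences):
    """Earliest (offset, sequence) among the accepted end-of-data markers, or None."""
    hits = [(stream.find(seq), seq) for seq in eod_sequences]
    hits = [h for h in hits if h[0] != -1]
    return min(hits) if hits else None


def read_data_phase(stream: bytes, eod_sequences):
    """Split what a server reads after '354' into (message, leftover).
    leftover is what the server will parse as the next SMTP commands."""
    hit = find_eod(stream, eod_sequences)
    if hit is None:
        return None, stream                  # no terminator yet; keep reading
    offset, seq = hit
    return stream[:offset], stream[offset + len(seq):]


def commands_in(leftover: bytes) -> list:
    """Envelope commands a receiver would act on in bytes following end-of-data."""
    verbs = (b"MAIL FROM:", b"RCPT TO:", b"DATA")
    return [ln for ln in leftover.split(b"\r\n") if ln.upper().startswith(verbs)]


def harden_for_relay(message: bytes) -> bytes:
    """Outbound-side fix: canonicalise bare LF / bare CR to CRLF and dot-stuff
    (RFC 5321 s4.5.2) so no end-of-data variant survives inside the body."""
    canon = message.replace(b"\r\n", b"\n").replace(b"\r", b"\n").replace(b"\n", b"\r\n")
    return b"\r\n".join(b"." + ln if ln.startswith(b".") else ln
                        for ln in canon.split(b"\r\n"))


# Constructed attacker payload, sent as ONE message through the outbound relay.
SMUGGLED = (
    b"From: attacker@outbound.example\r\nSubject: hi\r\n\r\nharmless text\r\n"
    b"\n.\r\n"                                  # <LF>.<CR><LF>: not EOD for a strict relay
    b"MAIL FROM:<ceo@victim.example>\r\n"      # ...but a lenient receiver stopped above
    b"RCPT TO:<cfo@victim.example>\r\n"        # and executes these as a new envelope
    b"DATA\r\n"
    b"From: ceo@victim.example\r\nSubject: urgent wire\r\n\r\npay now\r\n"
    b".\r\n"                                    # preceded by CRLF: the real EOD
)


def simulate(attacker_data: bytes, relay_hardens: bool) -> dict:
    """Run the payload through a strict outbound relay, then a lenient inbound MX."""
    msg, rest = read_data_phase(attacker_data, STRICT_EOD)
    assert msg is not None and rest == b""      # the relay saw exactly one message
    body = harden_for_relay(msg) if relay_hardens else msg
    wire = body + b"\r\n.\r\n"                  # relay re-terminates the message
    first, leftover = read_data_phase(wire, LENIENT_EOD)
    return {"first_message": first, "smuggled_commands": commands_in(leftover)}


if __name__ == "__main__":
    print("unhardened relay:", simulate(SMUGGLED, relay_hardens=False)["smuggled_commands"])
    print("hardened relay:  ", simulate(SMUGGLED, relay_hardens=True)["smuggled_commands"])
```

Note that the smuggled "." sits after a bare LF, so a relay that splits lines on CRLF never sees a line starting with "." and never dot-stuffs it; canonicalising line endings before dot-stuffing is what closes the gap.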
DKIM-DNS Inconsistency Attack (Critical)
Exploits inconsistent handling of a NUL byte embedded in the DKIM d= tag: one component keeps the whole string when it checks DMARC alignment, while a C-string DNS lookup for <selector>._domainkey.<d> stops at the NUL, so the verifier fetches a public key from a domain the attacker controls and accepts a signature the attacker produced.
Affected: Multiple email providers
Discovered: 2019
Tags: Authentication Bypass, DNS
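One concrete split consistent with the entry above, as an added example (not code from the paper or from any verifier): the DMARC alignment check runs on the full Python string, where `attacker.example\x00.legitimate.example` looks like a subdomain of the victim under relaxed alignment, while the resolver receives a NUL-terminated C string and queries `attacker.example`. Which component truncates is an assumption of this demo, the domains are constructed, and `org_domain()` (last two labels) stands in for the Public Suffix List a real implementation would use.

```python
"""NUL byte inside the DKIM d= tag: the alignment check and the DNS lookup
see two different domains.  Added example with constructed domain names."""
import re

# RFC 6376 restricts d= to a domain-name; anything else must be rejected up front.
DKIM_DOMAIN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def org_domain(name: str) -> str:
    """Organisational domain; last two labels stand in for a PSL lookup (assumption)."""
    return ".".join(name.lower().split(".")[-2:])


def dmarc_dkim_aligned(dkim_d: str, from_domain: str, relaxed: bool = True) -> bool:
    """RFC 7489 s3.1.1: relaxed mode only needs equal organisational domains."""
    if relaxed:
        return org_domain(dkim_d) == org_domain(from_domain)
    return dkim_d.lower() == from_domain.lower()


def dkim_key_qname(selector: str, dkim_d: str) -> str:
    """RFC 6376 s3.6.2.1: the public key record lives at <s>._domainkey.<d>."""
    return f"{selector}._domainkey.{dkim_d}"


def c_resolver_sees(qname: str) -> str:
    """A resolver API that takes a NUL-terminated char* stops at the first NUL."""
    return qname.split("\x00", 1)[0]


def key_owner(sent_qname: str) -> str:
    """Whose zone answers the lookup the resolver actually sends (constructed rule)."""
    return org_domain(sent_qname)


def verify_signature_domain(selector: str, dkim_d: str, from_domain: str) -> dict:
    """Hardened path: validate d= against the domain grammar before either
    component touches it; otherwise report what each component would see."""
    if not DKIM_DOMAIN_RE.fullmatch(dkim_d):
        return {"accepted": False, "reason": "d= tag is not a valid domain name"}
    sent = c_resolver_sees(dkim_key_qname(selector, dkim_d))
    return {"accepted": True,
            "aligned": dmarc_dkim_aligned(dkim_d, from_domain),
            "key_from": key_owner(sent)}


if __name__ == "__main__":
    evil_d = "attacker.example\x00.legitimate.example"
    print("DMARC thinks aligned:", dmarc_dkim_aligned(evil_d, "legitimate.example"))
    print("key fetched from:", key_owner(c_resolver_sees(dkim_key_qname("s1", evil_d))))
    print("after validation:", verify_signature_domain("s1", evil_d, "legitimate.example"))
```

The general lesson is that every component must validate the tag against the same grammar before using it; comparing the string one component used against the string another component used is not enough when a library in between silently rewrites it.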
Multiple From Headers Attack (Critical)
Exploits inconsistent handling of messages carrying two From headers, which RFC 5322 forbids: the authentication component verifies one of them while the client displays the other. 19 of 29 tested systems accepted such messages instead of rejecting them.
Affected: 19 of 29 tested email systems
Discovered: 2019
Tags: Header Manipulation, Spoofing
SPF-DMARC Inconsistency Attack (High)
Exploits the different identities the two checks work on. SPF evaluates both the HELO and the MAIL FROM identity (RFC 7208), while DMARC aligns the From header with the MAIL FROM domain and uses HELO only when MAIL FROM is empty (RFC 7489). If the SPF component reports a bare "pass" that was earned by the HELO identity and the DMARC component attributes that pass to the MAIL FROM domain, an attacker sets HELO to a domain they control and MAIL FROM to the victim's domain.
Affected: Multiple email providers
Discovered: 2019
Tags: Authentication Bypass, Protocol
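The identity confusion above, as an added example that is not code from any provider: the SPF stage is written to return its result together with the identity and domain it actually evaluated, and the two DMARC compositions differ only in whether they honour that binding. The SPF table, domains and IPs are constructed, and alignment is strict for brevity.

```python
"""SPF/DMARC identity confusion.  SPF evaluates HELO and MAIL FROM (RFC 7208
s2.3, s2.4); DMARC may only use the MAIL FROM result, or HELO when MAIL FROM
is empty (RFC 7489 s3.1.2).  Added example; all data below is constructed."""

# Stand-in for SPF TXT records: which source IPs each domain authorises
SPF_ALLOWED = {
    "attacker.example": {"198.51.100.7"},
    "legitimate.example": {"203.0.113.10"},
}


def spf_check_host(domain: str, ip: str) -> str:
    return "pass" if ip in SPF_ALLOWED.get(domain, set()) else "fail"


def spf_stage(helo: str, mail_from: str, ip: str) -> dict:
    """Evaluate both identities and keep the domain bound to each result.
    RFC 7208 s2.4: an empty MAIL FROM (bounce) is checked as postmaster@<HELO>."""
    mf_domain = mail_from.rpartition("@")[2] if mail_from else helo
    return {
        "helo": (spf_check_host(helo, ip), helo),
        "mailfrom": (spf_check_host(mf_domain, ip), mf_domain),
    }


def dmarc_spf_aligned_buggy(spf: dict, from_domain: str, mail_from: str) -> bool:
    """Flawed composition: any SPF 'pass' is taken as authenticating the
    MAIL FROM domain that the DMARC stage parsed on its own."""
    any_pass = any(result == "pass" for result, _ in spf.values())
    return any_pass and mail_from.rpartition("@")[2].lower() == from_domain.lower()


def dmarc_spf_aligned(spf: dict, from_domain: str) -> bool:
    """Correct composition: only the MAIL FROM identity counts (the SPF stage
    already substituted HELO when MAIL FROM was empty), and the domain compared
    is the one SPF evaluated, not one re-derived from the envelope."""
    result, domain = spf["mailfrom"]
    return result == "pass" and domain.lower() == from_domain.lower()


if __name__ == "__main__":
    attack = spf_stage("attacker.example", "any@legitimate.example", "198.51.100.7")
    print("spf stage:", attack)
    print("buggy dmarc:", dmarc_spf_aligned_buggy(attack, "legitimate.example", "any@legitimate.example"))
    print("fixed dmarc:", dmarc_spf_aligned(attack, "legitimate.example"))
```

The check to carry into real deployments: make the SPF component emit the identity it evaluated (RFC 8601 does this with `smtp.helo` versus `smtp.mailfrom` properties) and have DMARC refuse to consume a result whose identity it cannot see.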
Authentication Results Injection (High)
Exploits how SPF and DKIM results are handed to DMARC through the Authentication-Results header (RFC 8601). The SPF component copies the raw MAIL FROM value into the header; if that value contains RFC 5322 comment syntax such as "(", the DMARC component strips the apparent comment when it re-parses the header and aligns on a truncated domain that looks like the victim's.
Affected: Multiple email providers
Discovered: 2019
Tags: Injection, Authentication Bypass
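The hand-off above, as an added example rather than any MTA's code: the SPF stage concatenates the raw MAIL FROM into an Authentication-Results header, the DMARC stage re-parses it with comment stripping, and a "(" in the envelope address splits the two views. The DNS table is constructed; the assumption that an attacker-controlled zone answers for any name beneath it, including one containing "(", is what makes the SPF lookup pass.

```python
"""Authentication-Results injection via RFC 5322 comment syntax in MAIL FROM.
Added example with a constructed DNS table and fictitious domains."""
import re

# Each zone answers for every name beneath it, so the attacker's nameserver can
# publish an SPF record for "legitimate.example(.attacker.example".
ZONES = {"legitimate.example": {"203.0.113.10"}, "attacker.example": {"198.51.100.7"}}
DOMAIN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def authorised_ips(name: str) -> set:
    for zone, ips in ZONES.items():
        if name == zone or name.endswith("." + zone):
            return ips
    return set()


def spf_stage(mail_from: str, ip: str, validate: bool) -> str:
    """Record the SPF verdict as an Authentication-Results header (RFC 8601).
    With validate=True a malformed domain yields 'none' (RFC 7208 s4.3) and the
    raw value never reaches the header."""
    domain = mail_from.rpartition("@")[2]
    if validate and not DOMAIN_RE.fullmatch(domain):
        return "Authentication-Results: mx.example; spf=none (malformed MAIL FROM domain)"
    result = "pass" if ip in authorised_ips(domain) else "fail"
    return f"Authentication-Results: mx.example; spf={result} smtp.mailfrom={mail_from}"


def strip_comments(text: str) -> str:
    """Drop RFC 5322 comments; an unterminated '(' swallows the rest of the value."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def dmarc_stage(auth_results: str, from_domain: str) -> bool:
    """DMARC re-parses the header text and aligns smtp.mailfrom with From."""
    body = strip_comments(auth_results.split(";", 1)[1])
    props = dict(item.split("=", 1) for item in body.split())
    mf_domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
    return props.get("spf") == "pass" and mf_domain.lower() == from_domain.lower()


if __name__ == "__main__":
    evil = "any@legitimate.example(.attacker.example"
    header = spf_stage(evil, "198.51.100.7", validate=False)
    print(header)
    print("DMARC aligned (unvalidated):", dmarc_stage(header, "legitimate.example"))
    print("DMARC aligned (validated):  ",
          dmarc_stage(spf_stage(evil, "198.51.100.7", validate=True), "legitimate.example"))
```

Validating the domain before the DNS lookup fixes this instance; the structural fix is to pass results between components as structured data (or as quoted-string pvalues per RFC 8601) instead of re-parsing free text that an attacker partly controls.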
From/Sender Ambiguity Attack (High)
Exploits clients that fall back to the Sender or Resent-From header when the From header is absent or malformed. Authentication is applied to (or skipped for) the From header, while the user sees an address the attacker chose freely in another header.
Affected: 7 of 19 tested email clients
Discovered: 2019
Tags: Header Manipulation, Client-Side
Parsing Inconsistencies Attack (High)
Exploits differences in how servers and clients parse complex From headers: display names that look like addresses, comments, route portions (the obsolete <@a:b@c> syntax) and encoded characters. The verifier authenticates one domain while the client shows another.
Affected: Multiple email providers and clients
Discovered: 2019
Tags: Parsing, Header Manipulation
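A gateway-side check covering the three header entries above (multiple From headers, From/Sender fallback, address-looking display names), as an added example that is not code from the paper or from any client. It uses the standard library's RFC 5322 parser, reports the domain a typical verifier would align on (the first From address) next to what a naive client would show, and rejects the ambiguous shapes; the messages are constructed.

```python
"""Origin-header ambiguity checks with the stdlib email parser.
Added example; the sample messages are constructed."""
import email
from email import policy


def analyze_origin(raw: str) -> dict:
    """Report what a verifier and a mail client could disagree on, plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    froms = msg.get_all("From") or []
    addrs = [a for h in froms for a in h.addresses]
    findings = []
    if not froms:
        findings.append("missing-from")
    elif len(froms) > 1:
        findings.append("multiple-from")          # RFC 5322 s3.6: exactly one From
    if froms and not addrs:
        findings.append("unparsable-from")
    # What a naive client paints in the sender column: display name if present
    shown = (addrs[0].display_name or addrs[0].addr_spec) if addrs else None
    sender = msg["Sender"]
    if shown is None and sender is not None and sender.addresses:
        shown = sender.addresses[0].addr_spec
        findings.append("sender-fallback")        # some clients show Sender/Resent-From
    if addrs and "@" in addrs[0].display_name:
        findings.append("address-in-display-name")
    domains = sorted({a.domain.lower() for a in addrs})
    if len(domains) > 1:
        findings.append("from-domains-differ")
    return {
        "dmarc_domain": addrs[0].domain.lower() if addrs else None,  # first From, as most verifiers
        "shown": shown,
        "findings": findings,
        "verdict": "reject" if findings else "ok",
    }


# Constructed samples
TWO_FROM = ("From: ceo@legitimate.example\nFrom: attacker@evil.example\n"
            "To: cfo@legitimate.example\nSubject: two\n\nbody\n")
DISPLAY_TRICK = ('From: "ceo@legitimate.example" <attacker@evil.example>\n'
                 "To: cfo@legitimate.example\nSubject: trick\n\nbody\n")
NO_FROM = ("Sender: ceo@legitimate.example\nTo: cfo@legitimate.example\n"
           "Subject: fallback\n\nbody\n")
CLEAN = "From: CEO <ceo@legitimate.example>\nTo: cfo@legitimate.example\nSubject: ok\n\nbody\n"


if __name__ == "__main__":
    for name, sample in [("two-from", TWO_FROM), ("display", DISPLAY_TRICK),
                         ("no-from", NO_FROM), ("clean", CLEAN)]:
        print(name, analyze_origin(sample))
```

The point of returning both `dmarc_domain` and `shown` is that a message is dangerous exactly when those two disagree; a border MTA that rejects on any finding removes the ambiguity before downstream components can interpret it differently.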
MS Exchange ECP Fixed-Key Remote Code Execution (Critical)
Every Exchange installation shipped the same static ASP.NET validationKey and decryptionKey for the Exchange Control Panel (ECP), so any authenticated user could forge a serialized ViewState and execute code as SYSTEM. The flaw is in the ECP web application, not in the SMTP transport service.
Affected: Microsoft Exchange Server 2013, 2016, and 2019
CVE: CVE-2020-0688
Disclosed: 2020
Patched: Yes (February 2020 security updates, e.g. KB4536987)
Tags: Privilege Escalation, RCE
Exim Remote Command Execution via Recipient Address (High)
Improper validation of the recipient address in deliver_message() causes an attacker-controlled local part to be passed through Exim's string expansion, allowing command execution as root. Exploitation is trivial locally and possible remotely against default and non-default configurations (Qualys advisory, June 2019).
Affected: Exim 4.87 - 4.91
CVE: CVE-2019-10149
Disclosed: 2019
Patched: Yes (Exim 4.92+)
Tags: Input Validation, RCE
STARTTLS Downgrade Attack (High)
An on-path attacker removes or garbles the STARTTLS capability in the EHLO reply, or makes the STARTTLS command fail; with opportunistic TLS the sending server then falls back to plaintext, exposing the message to interception and modification. MTA-STS (RFC 8461) and DANE for SMTP (RFC 7672) let the receiving domain require authenticated TLS, and TLS-RPT (RFC 8460) reports failed attempts back to the domain owner.
Affected: SMTP servers without MTA-STS or DANE
Discovered: 2014
Tags: Encryption, MITM
SMTP User Enumeration (Medium)
Attackers enumerate valid mailboxes by comparing responses to VRFY, EXPN or RCPT TO probes: a 250 reply for an existing user against a 550 for an unknown one. Mitigations: disable or neutralise VRFY and EXPN (reply 252 or 502), rate-limit or tarpit RCPT TO probing from a single source, and alert on bursts of unknown-recipient rejections.
Affected: Misconfigured SMTP servers
Known since: Early 2000s
Tags: Reconnaissance, Information Disclosure
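Both of the preceding entries, exercised against a minimal in-process ESMTP responder, as an added example (not a tool from this guide): `starttls_offered()` reports whether the EHLO reply advertises STARTTLS, which is what a stripping attacker removes, `may_send()` shows why opportunistic TLS alone proceeds in clear, and `enumerate_users()` runs the VRFY and RCPT TO probes against an honest and a hardened configuration. The responder, mailbox list, host names and addresses are constructed; the hardened mode answers VRFY with 252 but still rejects unknown recipients, so RCPT TO probing keeps working and has to be handled by rate-limiting.

```python
"""Probes for STARTTLS stripping and VRFY/RCPT enumeration against a tiny
in-process ESMTP responder.  Added example; everything here is constructed."""
import smtplib
import socket
import threading

KNOWN_USERS = {"alice", "bob"}          # constructed mailbox list on the fake MX


def _serve(conn, advertise_starttls: bool, honest_vrfy: bool) -> None:
    conn.sendall(b"220 mx.example ESMTP\r\n")
    reader = conn.makefile("rb")
    for raw in reader:
        verb, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # A stripping attacker rewrites or drops the 250-STARTTLS line here.
            ext = "250-STARTTLS\r\n" if advertise_starttls else ""
            reply = f"250-mx.example\r\n{ext}250 8BITMIME\r\n"
        elif verb in ("MAIL", "RSET", "NOOP"):
            reply = "250 2.0.0 Ok\r\n"
        elif verb == "VRFY" and not honest_vrfy:
            reply = "252 2.5.2 Cannot VRFY user\r\n"          # hardened MTA answer
        elif verb in ("VRFY", "RCPT"):
            user = arg.split(":")[-1].strip("<> ").split("@")[0]
            reply = "250 2.1.5 Ok\r\n" if user in KNOWN_USERS else "550 5.1.1 User unknown\r\n"
        elif verb == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            reply = "502 5.5.2 Command not implemented\r\n"
        conn.sendall(reply.encode("ascii"))


def fake_mx(advertise_starttls: bool, honest_vrfy: bool):
    """Start a responder on 127.0.0.1 in a daemon thread; return (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                _serve(conn, advertise_starttls, honest_vrfy)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def starttls_offered(host: str, port: int) -> bool:
    with smtplib.SMTP(host, port, local_hostname="client.example", timeout=5) as s:
        s.ehlo("client.example")
        return s.has_extn("starttls")


def may_send(host: str, port: int, require_tls: bool) -> bool:
    """Opportunistic TLS goes ahead in clear when STARTTLS is absent, which is
    the downgrade; an MTA-STS enforce policy or DANE is what sets require_tls."""
    return starttls_offered(host, port) or not require_tls


def enumerate_users(host: str, port: int, candidates, method: str) -> set:
    """Mailboxes confirmed by 250 replies to VRFY or RCPT TO probes."""
    found = set()
    with smtplib.SMTP(host, port, local_hostname="client.example", timeout=5) as s:
        s.ehlo("client.example")
        if method == "rcpt":
            s.mail("probe@client.example")
        for user in candidates:
            code, _ = s.verify(user) if method == "vrfy" else s.rcpt(f"{user}@mx.example")
            if code == 250:
                found.add(user)
    return found


if __name__ == "__main__":
    host, port = fake_mx(advertise_starttls=False, honest_vrfy=True)
    print("STARTTLS offered:", starttls_offered(host, port))
    print("would send anyway (opportunistic):", may_send(host, port, require_tls=False))
    print("VRFY hits:", enumerate_users(host, port, ["alice", "bob", "carol"], "vrfy"))
```

The same probes run against a real host with `openssl s_client -starttls smtp` for the TLS question and with any SMTP client for the enumeration question; the in-process responder only exists so the logic can be exercised offline.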
Email Service Account Spoofing (High)
Attackers holding an ordinary account at a provider exploit that provider's own parsing inconsistencies to send mail that appears to come from another user of the same domain; because the message is relayed and signed by the provider's legitimate infrastructure, the usual authentication checks do not flag it.
Affected: 7 of 8 tested email providers
Discovered: 2019
Tags: Authentication Bypass, Spoofing

Email Authentication Overview

Email authentication relies on three main protocols that work together to verify the sender's identity:

SPF (RFC 7208)

Sender Policy Framework lets a domain owner publish, in a DNS TXT record, the IP addresses allowed to send mail for that domain. The receiving server looks up the record for the MAIL FROM domain (and for the HELO name) and checks whether the connecting IP address is authorised by it.

DKIM (RFC 6376)

DomainKeys Identified Mail attaches a signature over selected headers and the body, produced with the signing domain's private key and carried in a DKIM-Signature header. The receiver fetches the public key from DNS at <selector>._domainkey.<d> and verifies the signature.

DMARC (RFC 7489)

Domain-based Message Authentication, Reporting & Conformance adds a policy (p=none, quarantine or reject) and reporting on top of SPF and DKIM. A message passes only if at least one of the two checks passed and the domain that check authenticated (SPF's MAIL FROM domain or DKIM's d= tag) aligns with the From header domain, exactly in strict mode or by organisational domain in relaxed mode.
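The three checks above carried through on a constructed DNS table, as an added example that is not code from any MTA: a subset of RFC 7208's check_host() (ip4, a, include, all with qualifiers), a DMARC record parser, and the alignment rule in both modes. The DNS data, domains and IPs are constructed, and `org_domain()` (last two labels) stands in for the Public Suffix List lookup a real implementation performs.

```python
"""SPF evaluation, DMARC record parsing and alignment over constructed DNS.
Added example; not the code of any mail server."""
import ipaddress

DNS = {
    "legitimate.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 include:_spf.provider.example -all"]},
    "bounces.legitimate.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "_spf.provider.example": {"TXT": ["v=spf1 a:relay.provider.example ~all"]},
    "relay.provider.example": {"A": ["198.51.100.7"]},
    "_dmarc.legitimate.example": {"TXT": ["v=DMARC1; p=reject; adkim=s; aspf=r"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain: str):
    for txt in DNS.get(domain, {}).get("TXT", []):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Subset of RFC 7208 check_host(): ip4, a, include and all, with qualifiers."""
    record = spf_record(domain)
    if record is None:
        return "none"
    if depth > 10:                              # approximates the s4.6.4 lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in DNS.get(arg or domain, {}).get("A", [])
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"   # only a pass matches
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                            # no mechanism matched


def parse_dmarc(domain: str):
    """Tags from _dmarc.<domain>; defaults per RFC 7489 s6.3."""
    txts = DNS.get("_dmarc." + domain, {}).get("TXT", [])
    record = next((t for t in txts if t.startswith("v=DMARC1")), None)
    if record is None:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if kv.strip())
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def org_domain(name: str) -> str:
    return ".".join(name.lower().split(".")[-2:])    # PSL stand-in (assumption)


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain: str, ip: str, mail_from_domain: str,
                 dkim_pass: bool, dkim_d: str):
    """(result, requested disposition): pass if SPF or DKIM passed AND aligns."""
    pol = parse_dmarc(from_domain) or parse_dmarc(org_domain(from_domain))
    if pol is None:
        return ("none", "none")
    spf_ok = check_host(ip, mail_from_domain) == "pass" and aligned(from_domain, mail_from_domain, pol["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_d, pol["adkim"])
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", pol["p"])


if __name__ == "__main__":
    print(check_host("198.51.100.7", "legitimate.example"))          # via include -> a
    print(dmarc_result("legitimate.example", "203.0.113.10", "bounces.legitimate.example", False, ""))
    print(dmarc_result("legitimate.example", "192.0.2.1", "attacker.example", True, "mail.legitimate.example"))
```

The last call is the case strict DKIM alignment exists for: the signature is valid and comes from a subdomain of the victim, which relaxed mode would accept and adkim=s rejects.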

Key Vulnerability: Inconsistent Processing

The fundamental issue identified by the researchers is that email authentication is a composition of independent components (SPF, DKIM, DMARC,
 the MTA and the mail client), and an input that is ambiguous under the relevant RFC can be interpreted differently by each of them. An attacker crafts the message so that the component doing the verification sees a harmless interpretation while the component the user relies on sees the spoofed one.

For example, the SPF component may report a pass earned by the HELO identity while the DMARC component attributes it to the MAIL FROM domain, or DKIM may cover one From header while the mail client displays another. Because each component is correct in isolation, the bypass is invisible until the components are tested together with the same ambiguous input.