Email Spoofing with SMTP Smuggling: How the Shared Email Infrastructures Magnify this Vulnerability

Abstract

Email spoofing is a critical technique used in phishing attacks to impersonate a trusted sender. SMTP smuggling is a new vulnerability that allows adversaries to perform email spoofing while bypassing existing authentication protocols such as SPF and DMARC. While SMTP smuggling has been publicly disclosed since 2023, its impact has not been comprehensively evaluated and the effectiveness of the community’s mitigation strategies is yet unknown. In this paper, we present an in-depth study of SMTP smuggling vulnerabilities, supported by empirical measurements of public email services, open-source email software, and email security gateways. More importantly, for the first time, we explored how to perform measurements on private email services ethically, with new methodologies combining user studies, a DKIM side channel, and a non-intrusive testing method. Collectively, we found that 19 public email services, 1,577 private email services, five open-source email software, and one email gateway were still vulnerable to SMTP smuggling (and/or our new variants). In addition, our results showed that the centralization of email infrastructures (e.g., shared SFP records, commonly used email software/gateways) has amplified the impact of SMTP smuggling. Adversaries can spoof highly reputable domains through free-to-register email accounts while bypassing sender authentication. We provided suggestions on short-term and long-term solutions to mitigate this threat. To further aid email administrators, we developed an online service to help self-diagnosis of SMTP smuggling vulnerabilities.

Publication
In USENIX Security ‘25. Seattle, WA, August 13–15, 2025. (Acceptance rate: 407/2385=17.1%)
Chuhan Wang
Chuhan Wang
Associate Professor (Tenure-Track)

Chuhan Wang is a tenure-track Associate Professor in the School of Cyber Science and Engineering at Southeast University. He received the Ph.D. degree from the Network and Information Security Lab (NISL) at Tsinghua University, under the supervision of Prof. Haixin Duan and Prof. Jianjun Chen. His research interests include network security, protocol security, web security, email security and Internet measurement.