oss-sec mailing list archives

Re: New SMTP smuggling attack


From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Wed, 01 May 2024 00:48:23 +0200

Mark Esler wrote in
 <ZjBHOEHylGAaIo57@moon>:
 |To mitigate future end-of-data sequence attacks, like SMTP Smuggling, MTAs
 |should comply with RFC 5321 section 4.1.1.4 [0] to strip control
 |characters other than <SP>, <HT>, <CR>, and <LF> in the DATA section of
 |SMTP messages.

Given that RFC 733 is from 1977 and RFC 822 is from 1982, I feel
this entire thread is exaggerating.

The smuggling problem was rooted solely in the LF / CRLF "wars"
from at least the early 70s (Unix and more), with terminal
drivers doing auto-translation on the fly, etc.
The internet history list may be worthwhile for this, or examining
the history of Unix programs.  I.e., in January I also (funnily
enough) talked to John Klensin on an IETF list, saying

  [.]The CR/LF "problem" seems to have been "addressed" in
  UNIX as early as 1972, i.e. "6/12/72 STTY (II)" gives

    020  map CR into LF; echo LF or CR as LF-CR
    ...
    Mode 020 causes input carriage returns to be turned into new-lines;
    input of either CR or LF causes LF-CR both to be echoed
    (used for GE TermiNet 300's and other terminals without the
    newline function).

  In 1974 it became

    -nl allow carriage return for new-line,
        and output CR-LF for carriage return or new-line
    nl  accept only new-line to end lines

  Which makes me *think* that "Houston, we have a problem" was
  ACKnowledged, and in order not to be a crook something would have
  been done about it, saving even a byte per line.  But I do not
  know; this was all military and other high-sphere academics by
  then.  Interesting, by the way, that "so many" expensive decisions
  were deemed necessary[.]

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


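The LF versus CRLF ambiguity the message above traces back to 1972 terminal drivers is exactly the gap SMTP smuggling exploits, and Mark Esler's quoted reply is about closing it at the receiving MTA. As an added example (not code from this thread, nor from any MTA), the Python below scans one constructed DATA payload twice: with a strict RFC 5321 terminator (only <CRLF>.<CRLF>) and with a lenient one that also honours bare <LF> or <CR> around the dot. The lenient reading yields a second, smuggled transaction where the strict reading sees one message; a helper lists the non-standard marker a relay should reject before forwarding; and the control-character filter the quoted reply recommends is applied to show what it does and does not catch. Addresses and message contents are constructed placeholders.

```python
"""Why <LF>.<LF> matters: a strict vs a lenient SMTP end-of-data scanner.

Added example; not code from the thread. The DATA payload below is constructed
for the demonstration (attacker/victim addresses are placeholders).
"""
import re

# End-of-data marker as RFC 5321 defines it: a line consisting only of "." and
# terminated by CRLF, preceded by a CRLF-terminated line (or the start of DATA).
STRICT_EOD = re.compile(rb"(^|\r\n)\.\r\n")

# The historical Unix concession: bare LF, bare CR or a mixture also accepted as
# line terminators around the dot. RFC 5321 forbids treating <LF>.<LF> as the
# end of mail data, but lenient receivers exist, and that is the smuggling gap.
LENIENT_EOD = re.compile(rb"(^|\r\n|\n|\r)\.(?:\r\n|\n|\r)")

# Constructed payload: one DATA section as a client would send it to an outbound
# relay. The bare "\n.\n" in the middle is the smuggling marker; everything after
# it is what a lenient inbound server would execute as fresh SMTP commands.
PAYLOAD = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"legit body\r\n"
    b"\n.\n"                                    # non-standard end-of-data
    b"MAIL FROM:<attacker@example.org>\r\n"     # smuggled second transaction
    b"RCPT TO:<victim@example.com>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.com\r\n"
    b"\r\n"
    b"smuggled body\r\n"
    b".\r\n"                                    # genuine end-of-data
)


def split_data(stream: bytes, lenient: bool) -> tuple[list[bytes], bytes]:
    """Cut a raw DATA stream at end-of-data markers.

    Returns (completed segments, trailing bytes without a terminator). The
    first segment is the message the receiver accepts; any further segment is
    what a lenient receiver would go on to parse as SMTP commands.
    """
    pattern = LENIENT_EOD if lenient else STRICT_EOD
    segments: list[bytes] = []
    pos = 0
    for m in pattern.finditer(stream):
        # keep the final line's own terminator, drop the "." line itself
        segments.append(stream[pos:m.start()] + m.group(1))
        pos = m.end()
    return segments, stream[pos:]


def nonstandard_eod_markers(stream: bytes) -> list[bytes]:
    """Every end-of-data lookalike a lenient server would honour but a strict
    one would not. A relaying MTA should reject DATA containing any of these
    rather than forward it: it cannot know how strict the next hop is."""
    return [m.group(0) for m in LENIENT_EOD.finditer(stream)
            if STRICT_EOD.fullmatch(m.group(0)) is None]


# HT, LF, CR are the control characters the quoted reply says to keep
# (SP is 0x20 and not a control character).
KEPT_CONTROLS = {0x09, 0x0A, 0x0D}


def strip_disallowed_controls(data: bytes) -> bytes:
    """The filtering Mark Esler's reply attributes to RFC 5321 section 4.1.1.4:
    drop control characters other than HT, CR, LF. It leaves bare CR and LF in
    place, so it does not remove the "\\n.\\n" marker; the terminator check above
    is still required."""
    return bytes(b for b in data
                 if b in KEPT_CONTROLS or not (b < 0x20 or b == 0x7F))


if __name__ == "__main__":
    for lenient in (False, True):
        segments, rest = split_data(PAYLOAD, lenient)
        print(f"lenient={lenient}: {len(segments)} message(s), "
              f"{len(rest)} trailing byte(s)")
    print("non-standard markers:", nonstandard_eod_markers(PAYLOAD))
```

Run stand-alone it reports one message for the strict scan and two for the lenient one, with `b"\n.\n"` as the only non-standard marker. The practical takeaway is the order of the checks: a relay that forwards a DATA section unchanged must refuse any marker `nonstandard_eod_markers` reports, because stripping other control characters leaves the bare line feeds, and therefore the smuggled transaction, intact.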