We received the following report via security@. SMTP smuggling is a legitimate vulnerability and this does appear to be a legitimate research team affiliated with the University of Illinois. I'm personally a bit unsure as to how serious this issue is and whether SRE would find it of any significant priority to address (or if it would possibly be addressed in part via T370011 or similar).
Original email:
We are research teams from Tsinghua University and University of Illinois at Urbana-Champaign. We found that your email service may be vulnerable to a new kind of email spoofing attack, SMTP smuggling attack. This technique allows attackers to forge email sender addresses and bypass email authentication protocols. Attackers can send a spoofing email to your email service by combining the spoofing email with a normal email. If you would like to know more technical details about the SMTP smuggling attack, please refer to this link. https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ We suspect the root cause of the problem is that your email service interpreted '\n.\n' as the end symbol of the SMTP data command. It was just a preliminary test. If you would like to identify whether your email services are influenced by SMTP smuggling attacks, you may consider authorizing us to conduct a complete test by filling out this questionnaire (https://illinois.qualtrics.com/jfe/form/SV_2rhSc4H5WbKb7Se). We will send multiple emails to check which kind of SMTP smuggling attacks your email services are vulnerable to. This vulnerability allows attackers to conduct email spoofing attacks and expose your organization to malicious email attacks (e.g., phishing). Please consider fixing the issue in time. If you need more information, please do not hesitate to contact us. Best Regards, Security Research Team from Tsinghua University and University of Illinois at Urbana-Champaign. admin@breakspf.cloud