https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
1. whois
[Figure 8: SMTP smuggling in theory]
Now tell me, what happens if outbound and inbound SMTP servers interpret the end-of-data sequence (<CR><LF>.<CR><LF>) differently? Exactly, SMTP smuggling!
2. history
- Enter mail, end with "." on a line by itself
Why would that be more promising, though? Well, different operating systems have a different understanding of "a line by itself". A "." on a line by itself on Windows would be separated via two carriage return line feeds (<CR><LF>.<CR><LF> or \r\n.\r\n), while a "." on a line by itself on Linux would be separated with two line feeds (<LF>.<LF> or \n.\n).
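An added example, not from the SEC Consult post: a Python check that a receiving filter could run on a raw DATA stream to flag any "." on a line by itself that is not delimited by <CR><LF> on both sides, and to show where a strict receiver and a bare-LF-tolerant receiver would each stop reading. The function names and the sample message are constructed for illustration.

```python
import re

# The only end-of-data sequence defined for SMTP: <CR><LF>.<CR><LF>
CRLF_EOD = b"\r\n.\r\n"

# A lone "." surrounded by any mix of CRLF, bare LF or bare CR line breaks.
_DOT_LINE = re.compile(rb"(\r\n|\n|\r)\.(\r\n|\n|\r)")


def find_ambiguous_eod(data: bytes):
    """Return (offset, sequence) for each dot-on-a-line that is not <CR><LF>.<CR><LF>."""
    hits = []
    pos = 0
    while True:
        m = _DOT_LINE.search(data, pos)
        if m is None:
            return hits
        if m.group(0) != CRLF_EOD:
            hits.append((m.start(), m.group(0)))
        # Resume at the trailing line break: it may open the next dot line.
        pos = m.start(2)


def end_of_data(data: bytes, accept_bare_lf: bool) -> int:
    """Offset just past the first sequence this receiver treats as end-of-data, or -1."""
    terminators = [CRLF_EOD]
    if accept_bare_lf:
        terminators.append(b"\n.\n")  # the <LF>.<LF> form quoted above
    ends = [data.find(t) + len(t) for t in terminators if t in data]
    return min(ends) if ends else -1


# Constructed sample: one message body that contains <LF>.<LF> before the real end.
SAMPLE = b"Subject: test\r\n\r\nline one\n.\nline two\r\n.\r\n"

if __name__ == "__main__":
    for offset, seq in find_ambiguous_eod(SAMPLE):
        print(f"non-CRLF dot line at byte {offset}: {seq!r}")
    print("strict receiver stops at :", end_of_data(SAMPLE, accept_bare_lf=False))
    print("lenient receiver stops at:", end_of_data(SAMPLE, accept_bare_lf=True))
```

When the two offsets differ, the servers disagree about where the message ends; rejecting or normalising any stream for which `find_ambiguous_eod` returns hits removes that disagreement.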
3. smuggling
But wait, if other domains also use the outbound SMTP server of GMX to send e-mails, can't we spoof them as well? Let's see! By analyzing the SPF record of web.de, we can see that the outbound SMTP IP address of GMX 212.227.15.15 is included as well!
So this is effectively an SPF cohabitation vulnerability: domains sharing the same SPF-authorized outbound server.