I found this paper a bit difficult to grasp due to the terminology being used. I kept thinking of completely different attack scenarios (communicating with port 25 directly, somehow MITM an SMTP session) and had to re-read it several times. It seems all we're doing here is just bypassing validation used by common libraries behind email forms on websites. You attack by using malicious input (full spam email message) in the "email address" section of the sign-up form and it successfully lands in the MTA's queue and sends out.<p>It wasn't clear if this can be defeated simply by disabling pipelining? If so, that seems like a sane fix if you don't feel you can trust your application.
I actually saw this attack used in the wild just over 10 years ago – so I guess it's one that spammers have long since been aware of.<p>In my case we had a server that was running Adobe ColdFusion suddenly start misbehaving. After digging around a little we discovered all the outgoing email. I can't remember the exact form but it was something like a forgot password mechanism.<p>As described in the article, the attackers were just exploiting the non-validation of the recipient so they could inject an SMTP payload. I remember at the time thinking that it was a) clever of the hackers and b) sloppy of the entire pipeline to not be doing some sense checking.
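
The recipient check both comments refer to, as an added example that is not part of either comment or of the paper: a form handler screens the "email address" field before it reaches any SMTP library. The function names, the ASCII-only allow-list and the sample inputs are assumptions constructed for illustration.

```python
import re

# Conservative allow-list for one mailbox (assumption: ASCII only,
# no quoted local parts, no comments, no address lists).
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_MAILBOX = re.compile(rf"{_LOCAL}@{_LABEL}(?:\.{_LABEL})+")


class UnsafeAddress(ValueError):
    """Raised when a form value is not a single plain mailbox."""


def check_recipient(value: str) -> str:
    """Return value unchanged if it is one plain mailbox, else raise."""
    if len(value) > 254:
        raise UnsafeAddress("address too long")
    # CR, LF, NUL, TAB etc. can end the SMTP command line early.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise UnsafeAddress("control character in address")
    # fullmatch: the whole value must be the mailbox, nothing after it.
    if not _MAILBOX.fullmatch(value):
        raise UnsafeAddress("not a single plain mailbox")
    return value


def smtp_lines(value: str) -> list[str]:
    """Command lines a server would see if value were pasted into RCPT TO unchecked."""
    wire = f"RCPT TO:<{value}>\r\n"
    return [line for line in re.split(r"\r\n|\r|\n", wire) if line]


def screen(values):
    """Return (accepted, lines_on_wire_if_unchecked) for each form value."""
    results = []
    for v in values:
        try:
            check_recipient(v)
            ok = True
        except UnsafeAddress:
            ok = False
        results.append((ok, len(smtp_lines(v))))
    return results


# Constructed sample form submissions (not taken from the paper).
SAMPLES = ["alice@example.com", "alice@example.com>\r\nRCPT TO:<bob@example.net"]

if __name__ == "__main__":
    for value, (ok, n) in zip(SAMPLES, screen(SAMPLES)):
        print(f"{value!r}: accepted={ok}, command lines if unchecked={n}")
```
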