CoordMail: Exploiting SMTP Timeout and Command Interaction to Coordinate Email Middleware for Convergence Amplification Attack
Ruixuan Li
Network and Distributed System Security (NDSS) Symposium 2026 · Day 3 · Messaging Security
CoordMail is a novel **email amplification attack** that coordinates thousands of email middleware hosts (bounce servers, open relays, and email forwarders) so that they deliver reflected emails to a victim simultaneously, producing an explosive convergence of traffic. It exploits two inherent features of SMTP -- **client-controlled session state** (the server advances through the transaction, and finally queues the message, only when the client sends the next command) and **long session timeouts** (RFC 5321 recommends that a server wait at least 5 minutes for the next command, and 10+ minutes is typical in practice) -- so that an attacker can hold thousands of SMTP connections open and then trigger them to release the reflected emails in a single coordinated burst.
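The two SMTP properties the abstract relies on can be seen in a small simulation. The block below is an added example, not code from the CoordMail paper or from any mail server: it models a server-side SMTP state machine with a per-command idle timeout on a simulated clock, parks many sessions after `RCPT TO`, and finishes `DATA` on all of them at one instant. The hostnames, the victim address, the timeout values and the "park after RCPT TO" step are illustrative assumptions, not measurements or steps taken from the paper.

```python
"""Simulated SMTP state machine plus a coordinated-release timeline (added example,
not the paper's code). Hostnames, addresses, timeouts and the park-after-RCPT step
are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 5321 4.5.3.2.7: a server SHOULD wait at least 5 minutes for the next command.
RFC5321_SERVER_TIMEOUT = 300.0


@dataclass
class SmtpSession:
    """Server-side view of one SMTP session on a simulated clock (seconds)."""
    idle_timeout: float
    opened_at: float
    state: str = "connected"             # connected -> helo -> mail -> rcpt -> data -> done
    mail_from: str = ""
    rcpts: List[str] = field(default_factory=list)
    last_activity: float = 0.0
    closed: bool = False
    released_at: Optional[float] = None  # when the message entered the outbound queue

    def __post_init__(self) -> None:
        self.last_activity = self.opened_at

    def command(self, line: str, at: float) -> str:
        """Handle one client line arriving at simulated time `at`; return the reply."""
        if self.closed:
            return "421 connection closed"
        # The idle timer restarts at every client line, so the client decides how
        # long the server sits in its current state (up to the timeout).
        if at - self.last_activity > self.idle_timeout:
            self.closed = True
            return "421 4.4.2 idle timeout"
        self.last_activity = at
        if self.state == "data":
            if line == ".":
                # Only now does the server queue (and later bounce/forward) the message.
                self.state = "done"
                self.released_at = at
                return "250 queued"
            return ""                    # message body line, no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO" and self.state == "connected":
            self.state = "helo"
            return "250 ok"
        if verb == "MAIL" and self.state == "helo":
            self.mail_from = arg.split(":", 1)[1].strip("<> ")  # client-chosen return path
            self.state = "mail"
            return "250 ok"
        if verb == "RCPT" and self.state in ("mail", "rcpt"):
            self.rcpts.append(arg.split(":", 1)[1].strip("<> "))
            self.state = "rcpt"
            return "250 ok"              # accept-then-bounce host: unknown users are accepted
        if verb == "DATA" and self.state == "rcpt":
            self.state = "data"
            return "354 end data with <CRLF>.<CRLF>"
        if verb == "QUIT":
            self.closed = True
            return "221 bye"
        return "503 bad sequence of commands"


def coordinated_release(n_sessions: int, open_spread: float, release_at: float,
                        idle_timeout: float = RFC5321_SERVER_TIMEOUT,
                        victim: str = "victim@example.test") -> dict:
    """Open sessions staggered across `open_spread` seconds, park each after RCPT TO,
    then finish DATA on all of them at `release_at`. Returns how many messages were
    queued at the same instant and how many sessions the idle timeout dropped first."""
    sessions = []
    for i in range(n_sessions):
        t = open_spread * i / max(n_sessions - 1, 1)
        s = SmtpSession(idle_timeout=idle_timeout, opened_at=t)
        s.command("EHLO sender.example.test", t)
        s.command(f"MAIL FROM:<{victim}>", t + 0.1)          # bounces will go to the victim
        s.command(f"RCPT TO:<nobody-{i}@middleware{i}.test>", t + 0.2)
        sessions.append(s)
    for s in sessions:                                      # the synchronized trigger
        s.command("DATA", release_at)
        s.command("Subject: reflected", release_at)
        s.command(".", release_at)
    released = [s.released_at for s in sessions if s.released_at is not None]
    return {
        "released": len(released),
        "timed_out": sum(1 for s in sessions if s.closed and s.released_at is None),
        "attacker_send_window": open_spread + 0.2,          # attacker's own traffic is spread out
        "release_span": (max(released) - min(released)) if released else 0.0,
    }
```

With the default 300-second timeout, 50 sessions opened over 240 seconds are all queued at the same simulated instant even though the attacker's own traffic was spread across four minutes; with a 60-second timeout, most of the parked sessions receive `421` at `DATA` and never reflect anything. That second case is the check a defender would want when tuning a middleware's idle timeout, and the numbers here are from the simulation only, not the paper's measurements.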
AI review
An elegant amplification attack that achieves 33,000x bandwidth concentration by coordinating SMTP sessions across 20,000 email middleware. The exploitation of SMTP's client-controlled state machine and generous timeouts to maintain and synchronize thousands of connections is technically clean, and the real-world validation with 3,000x BCE from just 20 middleware proves the concept works. This is a practical, deployable attack against email infrastructure.