The protection's implemented in https://github.com/python/cpython/blob/master/Lib/email/header.py to prevent Email Header injection can be bypassed by specifying an injected additional header in the following format:
example@python.org\ncc :injected@python.org

The white space bypasses the current regex protection (_embedded_header = re.compile(r'\n[^ \t]+:')) and is still accepted by the smtp server. 

Attached is a proof of concept script

RFC 5322[1] says that header field's name can't have space in it and the must be immediately followed by the ':' character.

Is it common for SMTP servers to accept messages with ' ' before ':'?


[1] https://tools.ietf.org/html/rfc5322#section-2.2

Yes.

There's this thing called Postel's Law that says you should be generous in what you accept and careful in what you emit.  So most MTAs and MUAs try very hard to guess what a non-RFC-compliant email is trying to say, which includes allowing spaces between the label and the colon (which I believe was legal at least in RFC 822, though I haven't checked).  If there's a space in the label, the handling for that is less predictable.  The email library's default is to treat that as a non-header line and therefor the start of the body (even if not followed by a blank line).

Should this be closed as 'not a bug'?