a DoS vulnerability associated with conflated Message-IDs?
Peter Wang
novalazy at gmail.com
Mon Oct 29 04:15:16 PDT 2012
On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> notmuch currently treats all messages with the same Message-ID as
> the same message. I think this could be a vulnerability :(
>
> If two messages have the same Message-ID, is there a guarantee of which
> of these messages will be produced during a notmuch show?
>
> Either way, it seems to create a potential DoS attack on notmuch users.
Yesterday I was expecting a confirmation message which, seemingly, never
came. It turns out my maildir already contained a message from the
same system. From three years ago. With the same Message-ID.
Malice has nothing on incompetence.
Could we distinguish messages with identical Message-IDs based on
some header fields, e.g. Date, From?
Peter
More information about the notmuch
mailing list