a DoS vulnerability associated with conflated Message-IDs?

David Bremner david at tethera.net
Fri Aug 4 13:42:54 PDT 2017


Peter Wang <novalazy at gmail.com> writes:

> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>> notmuch currently treats all messages with the same Message-ID as
>> the same message.  I think this could be a vulnerability :(
>> 
>> If two messages have the same Message-ID, is there a guarantee of which
>> of these messages will be produced during a notmuch show?
>> 
>> Either way, it seems to create a potential DoS attack on notmuch users.
>
> Yesterday I was expecting a confirmation message which, seemingly, never
> came.  It turns out my maildir already contained a message from the
> same system.  From three years ago.  With the same Message-ID.
>
> Malice has nothing on incompetence.
>
> Could we distinguish messages with identical Message-IDs based on
> some header fields, e.g. Date, From?

I wouldn't say this problem is fixed, but we are making some
progress. In master all copies of the file are now indexed. It still
needs various UI work before we can consider the problem really fixed,
but it is now technically possible to detect such an attack (since the
"good terms" are also indexed).

d
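The check Peter Wang asks about above, as an added example that is not code from notmuch or from anyone in this thread: group messages by Message-ID and flag an ID only when the messages sharing it differ in sender, date or body, so that ordinary duplicate copies of one message are not reported. The messages, addresses and Message-IDs are constructed for the example.

```python
import email
import hashlib
from collections import defaultdict
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample mailbox (not real mail): raw RFC 5322 messages as bytes.
# Messages 0 and 2 are genuine duplicate copies of one message; message 1
# reuses the same Message-ID but has a different sender, date and body,
# which is the situation the thread describes.
SAMPLE_MESSAGES = [
    (b"From: notifier@example.invalid\r\n"
     b"To: me@example.invalid\r\n"
     b"Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
     b"Message-ID: <confirm-123@example.invalid>\r\n"
     b"Subject: Confirm your account\r\n"
     b"\r\n"
     b"Please confirm.\r\n"),
    (b"From: someone-else@example.invalid\r\n"
     b"To: me@example.invalid\r\n"
     b"Date: Wed, 02 Jan 2019 09:00:00 +0000\r\n"
     b"Message-ID: <confirm-123@example.invalid>\r\n"
     b"Subject: Old message\r\n"
     b"\r\n"
     b"Unrelated body from years ago.\r\n"),
    (b"From: notifier@example.invalid\r\n"
     b"To: me@example.invalid\r\n"
     b"Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
     b"Message-ID: <confirm-123@example.invalid>\r\n"
     b"Subject: Confirm your account\r\n"
     b"\r\n"
     b"Please confirm.\r\n"),
    (b"From: friend@example.invalid\r\n"
     b"To: me@example.invalid\r\n"
     b"Date: Tue, 02 Jan 2024 10:00:00 +0000\r\n"
     b"Message-ID: <unique-456@example.invalid>\r\n"
     b"Subject: Hello\r\n"
     b"\r\n"
     b"Hi.\r\n"),
]


def fingerprint(raw):
    """Return (message_id, variant): the variant identifies a message by
    its From header, parsed Date and a SHA-256 of its text body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    mid = (msg.get("Message-ID") or "").strip()
    date_hdr = msg.get("Date")
    try:
        date = parsedate_to_datetime(str(date_hdr)).isoformat() if date_hdr else None
    except (TypeError, ValueError):
        date = None  # unparseable Date: treat as unknown rather than failing
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    digest = hashlib.sha256(text.replace("\r\n", "\n").encode("utf-8")).hexdigest()
    return mid, (str(msg.get("From") or ""), date, digest)


def find_conflated(raw_messages):
    """Group messages by Message-ID and report IDs shared by messages whose
    From/Date/body differ. Identical copies collapse to one variant, so a
    maildir holding several copies of the same message is not flagged."""
    groups = defaultdict(lambda: {"copies": 0, "variants": []})
    for raw in raw_messages:
        mid, variant = fingerprint(raw)
        if not mid:
            continue  # no Message-ID: nothing to conflate on
        entry = groups[mid]
        entry["copies"] += 1
        if variant not in entry["variants"]:
            entry["variants"].append(variant)
    return {mid: g for mid, g in groups.items() if len(g["variants"]) > 1}


if __name__ == "__main__":
    for mid, g in find_conflated(SAMPLE_MESSAGES).items():
        print(f"{mid}: {g['copies']} copies, {len(g['variants'])} distinct variants")
        for sender, date, digest in g["variants"]:
            print(f"  From: {sender}  Date: {date}  body sha256: {digest[:16]}...")
```

Run against a real maildir by reading each file's bytes into the list instead of `SAMPLE_MESSAGES`. The body hash is what makes the check useful: two messages with the same From and Date but different bodies are still reported, while byte-identical copies delivered twice are not.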

