a DoS vulnerability associated with conflated Message-IDs?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Aug 4 15:15:13 PDT 2017
On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:
> Peter Wang <novalazy at gmail.com> writes:
>
>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>>> notmuch currently treats all messages with the same Message-ID as
>>> the same message. I think this could be a vulnerability :(
>>>
>>> If two messages have the same Message-ID, is there a guarantee of which
>>> of these messages will be produced during a notmuch show?
>>>
>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>
>> Yesterday I was expecting a confirmation message which, seemingly, never
>> came. It turns out my maildir already contained a message from the
>> same system. From three years ago. With the same Message-ID.
>>
>> Malice has nothing on incompetence.
>>
>> Could we distinguish messages with identical Message-IDs based on
>> some header fields, e.g. Date, From?
>
> I wouldn't say this problem is fixed, but we are making some
> progress. In master all copies of the file are now indexed. It still
> needs various UI work before we can consider the problem really fixed,
> but it is now technically possible to detect such an attack (since the
> "good terms" are also indexed).
otoh, we now enable some additional (perhaps weirder) attacks, like:
* i can make someone else's mail show up in your mailbox with a search
term of my choosing by sending you a new mail co-opting their
message-id.
we definitely need some UI for dealing with this, and perhaps some
explicit de-duping logic or maintenance scripts would be useful too.
--dkg
More information about the notmuch
mailing list