From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by olra.theworths.org (Postfix) with ESMTP id 709BF431FBC for ; Mon, 29 Oct 2012 04:15:23 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at olra.theworths.org X-Spam-Flag: NO X-Spam-Score: -0.799 X-Spam-Level: X-Spam-Status: No, score=-0.799 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled Received: from olra.theworths.org ([127.0.0.1]) by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IXRRbxqq3ZYE for ; Mon, 29 Oct 2012 04:15:23 -0700 (PDT) Received: from mail-pb0-f53.google.com (mail-pb0-f53.google.com [209.85.160.53]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by olra.theworths.org (Postfix) with ESMTPS id E5E0C431FAF for ; Mon, 29 Oct 2012 04:15:22 -0700 (PDT) Received: by mail-pb0-f53.google.com with SMTP id wz12so4497427pbc.26 for ; Mon, 29 Oct 2012 04:15:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:message-id:from:to:subject:in-reply-to:references:mime-version :content-type:content-disposition:content-transfer-encoding; bh=mVwvvV/gvenCQk7iV3MpRPXYs6XCSh12JcvRv5YsHVg=; b=qv/laTObkN+vHTeOiH8/mzcRKLwY1M1a6dLlzvKXqFzdKIhFwa6hdn3wlodW4FnuKz iIzLLLLBZO/eIDbS6mg0Gfeas/6n4VR3bFP4ljcpTmqnD/a1YTgJ2R6wiMeiES3izF1W 5YfIxUwlXtz08xxaPL0uRvLfSX9i5sIF+Tr9y6BEehjWZz+LCNJEazKtZzcE441ghWSa bLLgur1ipfHx78AuNfWl+81K2CqVo/dKvSLttKZ1Td1zSlF1H8IP5OcPTJn2Dm97Z2uz KxnE1HwPjP5MJSrZqvclmcrYUokFfnftL4+/Olf51Hp6q5xoP9vonXWqlT2w74lfykpr geYA== Received: by 10.68.233.230 with SMTP id tz6mr91579591pbc.36.1351509322068; Mon, 29 Oct 2012 04:15:22 -0700 (PDT) Received: from localhost (215.42.233.220.static.exetel.com.au. [220.233.42.215]) by mx.google.com with ESMTPS id bf6sm5807644pab.3.2012.10.29.04.15.19 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 29 Oct 2012 04:15:20 -0700 (PDT) Date: Mon, 29 Oct 2012 22:15:16 +1100 Message-ID: <20121029221516.GB20292@hili.localdomain> From: Peter Wang To: notmuch mailing list Subject: Re: a DoS vulnerability associated with conflated Message-IDs? In-Reply-To: <87k42vrqve.fsf@pip.fifthhorseman.net> References: <87k42vrqve.fsf@pip.fifthhorseman.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Oct 2012 11:15:23 -0000 On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor wrote: > notmuch currently treats all messages with the same Message-ID as > the same message. I think this could be a vulnerability :( > > If two messages have the same Message-ID, is there a guarantee of which > of these messages will be produced during a notmuch show? > > Either way, it seems to create a potential DoS attack on notmuch users. Yesterday I was expecting a confirmation message which, seemingly, never came. It turns out my maildir already contained a message from the same system. From three years ago. With the same Message-ID. Malice has nothing on incompetence. Could we distinguish messages with identical Message-IDs based on some header fields, e.g. Date, From? Peter