unofficial mirror of notmuch@notmuchmail.org
 help / color / mirror / code / Atom feed
* a DoS vulnerability associated with conflated Message-IDs?
@ 2012-03-08 16:37 Daniel Kahn Gillmor
  2012-03-08 17:04 ` James Vasile
  2012-10-29 11:15 ` Peter Wang
  0 siblings, 2 replies; 9+ messages in thread
From: Daniel Kahn Gillmor @ 2012-03-08 16:37 UTC (permalink / raw)
  To: notmuch mailing list

[-- Attachment #1: Type: text/plain, Size: 1184 bytes --]

notmuch currently treats all messages with the same Message-ID as
the same message.  I think this could be a vulnerability :(

If two messages have the same Message-ID, is there a guarantee of which
of these messages will be produced during a notmuch show?

Either way, it seems to create a potential DoS attack on notmuch users.

-------

The attack:

Let's say there is a public mailing list that Mallory knows
bob@example.org is subscribed to.  alice@example.net sends a message to
the public mailing list detailing some problem that Bob probably needs
to deal with.

Mallory can just craft a content-free e-mail (or a dozen?) with the same
Message-ID as Alice's message, and send it to bob@example.org.

If Bob uses notmuch, he is much more likely to read one of Mallory's
bogus e-mails than to read Alice's original message.

Mallory's e-mail could also be crafted to look like spam, in the hopes
that Bob's spamfiltering scripts would mark the original message's
Message-ID as spam.

--------

I don't know how to fix this, and i'd be happy to hear if someone thinks
my analysis above is flawed and this isn't really a problem.

Any ideas on how to approach this?

       --dkg

[-- Attachment #2: Type: application/pgp-signature, Size: 965 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: a DoS vulnerability associated with conflated Message-IDs?
  2012-03-08 16:37 a DoS vulnerability associated with conflated Message-IDs? Daniel Kahn Gillmor
@ 2012-03-08 17:04 ` James Vasile
  2012-03-08 17:16   ` Daniel Kahn Gillmor
  2012-10-29 11:15 ` Peter Wang
  1 sibling, 1 reply; 9+ messages in thread
From: James Vasile @ 2012-03-08 17:04 UTC (permalink / raw)
  To: notmuch mailing list

[-- Attachment #1: Type: text/plain, Size: 192 bytes --]

On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> Any ideas on how to approach this?

Treat messages with the same ID but different hashes as different?

[-- Attachment #2: Type: application/pgp-signature, Size: 489 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: a DoS vulnerability associated with conflated Message-IDs?
  2012-03-08 17:04 ` James Vasile
@ 2012-03-08 17:16   ` Daniel Kahn Gillmor
  2012-03-08 17:38     ` Jeremy Nickurak
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel Kahn Gillmor @ 2012-03-08 17:16 UTC (permalink / raw)
  To: James Vasile; +Cc: notmuch mailing list

On 03/08/2012 12:04 PM, James Vasile wrote:
> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor<dkg@fifthhorseman.net>  wrote:
>> Any ideas on how to approach this?
>
> Treat messages with the same ID but different hashes as different?

Given that a message hash would include all headers, including Received: 
and other MTA-added stuff, i think that would remove all relevance of 
the Message-ID field. in particular, it seems like we would just be 
identifying messages by their digest.

If you're willing to ignore the headers and just look at a digest of the 
body, that still doesn't provide any help for the common (legitimate) 
case of a message jointly-delivered to a mailing list and to a specific 
(already-subscribed) user.

That user will get two copies of the message, and since most mailing 
lists modify the body of the message (usually by adding a footer section 
with mailing list info) their bodies will also have different digests.

So i don't see how to make this suggestion work without giving up on 
Message-IDs as the identifier entirely (and therefore accepting many 
more spurious duplicates than users currently need to tolerate).

Any other suggestions or ideas?

	--dkg

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: a DoS vulnerability associated with conflated Message-IDs?
  2012-03-08 17:16   ` Daniel Kahn Gillmor
@ 2012-03-08 17:38     ` Jeremy Nickurak
  2012-03-10 17:38       ` Tom Prince
  0 siblings, 1 reply; 9+ messages in thread
From: Jeremy Nickurak @ 2012-03-08 17:38 UTC (permalink / raw)
  To: notmuch

On Thu, Mar 8, 2012 at 10:16, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> Any other suggestions or ideas?

What about representing the contents from both message in one apparent message?

- Aggregate the headers together, perhaps?
- Where headers disagree, display both
- If the bodies disagree, display both.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: a DoS vulnerability associated with conflated Message-IDs?
  2012-03-08 17:38     ` Jeremy Nickurak
@ 2012-03-10 17:38       ` Tom Prince
  0 siblings, 0 replies; 9+ messages in thread
From: Tom Prince @ 2012-03-10 17:38 UTC (permalink / raw)
  To: Jeremy Nickurak, notmuch

On Thu, 8 Mar 2012 10:38:32 -0700, Jeremy Nickurak <not-much@trk.nickurak.ca> wrote:
> On Thu, Mar 8, 2012 at 10:16, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> > Any other suggestions or ideas?
> 
> What about representing the contents from both message in one apparent message?
> - ...
> - If the bodies disagree, display both.

We'd probably need to do some like doing a diff. I find it annoying
enough displaying both text and html copies of a mail. Displaying two
copies of a message, just because one of them has a few extra lines as a
footer would be equally annoying.

Maybe it would be enough to ignore the signature too, when comparing messages?

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: a DoS vulnerability associated with conflated Message-IDs?
  2012-03-08 16:37 a DoS vulnerability associated with conflated Message-IDs? Daniel Kahn Gillmor
  2012-03-08 17:04 ` James Vasile
@ 2012-10-29 11:15 ` Peter Wang
  2017-08-04 20:42   ` David Bremner
  1 sibling, 1 reply; 9+ messages in thread
From: Peter Wang @ 2012-10-29 11:15 UTC (permalink / raw)
  To: notmuch mailing list

On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> notmuch currently treats all messages with the same Message-ID as
> the same message.  I think this could be a vulnerability :(
> 
> If two messages have the same Message-ID, is there a guarantee of which
> of these messages will be produced during a notmuch show?
> 
> Either way, it seems to create a potential DoS attack on notmuch users.

Yesterday I was expecting a confirmation message which, seemingly, never
came.  It turns out my maildir already contained a message from the
same system.  From three years ago.  With the same Message-ID.

Malice has nothing on incompetence.

Could we distinguish messages with identical Message-IDs based on
some header fields, e.g. Date, From?

Peter

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: a DoS vulnerability associated with conflated Message-IDs?
  2012-10-29 11:15 ` Peter Wang
@ 2017-08-04 20:42   ` David Bremner
  2017-08-04 22:15     ` Daniel Kahn Gillmor
  0 siblings, 1 reply; 9+ messages in thread
From: David Bremner @ 2017-08-04 20:42 UTC (permalink / raw)
  To: Peter Wang, notmuch mailing list

Peter Wang <novalazy@gmail.com> writes:

> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>> notmuch currently treats all messages with the same Message-ID as
>> the same message.  I think this could be a vulnerability :(
>> 
>> If two messages have the same Message-ID, is there a guarantee of which
>> of these messages will be produced during a notmuch show?
>> 
>> Either way, it seems to create a potential DoS attack on notmuch users.
>
> Yesterday I was expecting a confirmation message which, seemingly, never
> came.  It turns out my maildir already contained a message from the
> same system.  From three years ago.  With the same Message-ID.
>
> Malice has nothing on incompetence.
>
> Could we distinguish messages with identical Message-IDs based on
> some header fields, e.g. Date, From?

I wouldn't say this problem is fixed, but we are making some
progress. In master all copies of the file are now indexed. It still
needs various UI work before we can consider the problem really fixed,
but it is now technically possible to detect such an attack (since the
"good terms" are also indexed).

d

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: a DoS vulnerability associated with conflated Message-IDs?
  2017-08-04 20:42   ` David Bremner
@ 2017-08-04 22:15     ` Daniel Kahn Gillmor
  2022-07-30 12:41       ` David Bremner
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel Kahn Gillmor @ 2017-08-04 22:15 UTC (permalink / raw)
  To: David Bremner, Peter Wang, notmuch mailing list

On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:
> Peter Wang <novalazy@gmail.com> writes:
>
>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>> notmuch currently treats all messages with the same Message-ID as
>>> the same message.  I think this could be a vulnerability :(
>>> 
>>> If two messages have the same Message-ID, is there a guarantee of which
>>> of these messages will be produced during a notmuch show?
>>> 
>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>
>> Yesterday I was expecting a confirmation message which, seemingly, never
>> came.  It turns out my maildir already contained a message from the
>> same system.  From three years ago.  With the same Message-ID.
>>
>> Malice has nothing on incompetence.
>>
>> Could we distinguish messages with identical Message-IDs based on
>> some header fields, e.g. Date, From?
>
> I wouldn't say this problem is fixed, but we are making some
> progress. In master all copies of the file are now indexed. It still
> needs various UI work before we can consider the problem really fixed,
> but it is now technically possible to detect such an attack (since the
> "good terms" are also indexed).

otoh, we now enable some additional (perhaps weirder) attacks, like:

 * i can make someone else's mail show up in your mailbox with a search
   term of my choosing by sending you a new mail co-opting their
   message-id.

we definitely need some UI for dealing with this, and perhaps some
explicit de-duping logic or maintenance scripts would be useful too.

   --dkg

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: a DoS vulnerability associated with conflated Message-IDs?
  2017-08-04 22:15     ` Daniel Kahn Gillmor
@ 2022-07-30 12:41       ` David Bremner
  0 siblings, 0 replies; 9+ messages in thread
From: David Bremner @ 2022-07-30 12:41 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, Peter Wang, notmuch mailing list

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:
>> Peter Wang <novalazy@gmail.com> writes:
>>
>>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>>> notmuch currently treats all messages with the same Message-ID as
>>>> the same message.  I think this could be a vulnerability :(
>>>> 
>>>> If two messages have the same Message-ID, is there a guarantee of which
>>>> of these messages will be produced during a notmuch show?
>>>> 
>>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>>
>>> Yesterday I was expecting a confirmation message which, seemingly, never
>>> came.  It turns out my maildir already contained a message from the
>>> same system.  From three years ago.  With the same Message-ID.
>>>
>>> Malice has nothing on incompetence.
>>>
>>> Could we distinguish messages with identical Message-IDs based on
>>> some header fields, e.g. Date, From?
>>
>> I wouldn't say this problem is fixed, but we are making some
>> progress. In master all copies of the file are now indexed. It still
>> needs various UI work before we can consider the problem really fixed,
>> but it is now technically possible to detect such an attack (since the
>> "good terms" are also indexed).
>
> otoh, we now enable some additional (perhaps weirder) attacks, like:
>
>  * i can make someone else's mail show up in your mailbox with a search
>    term of my choosing by sending you a new mail co-opting their
>    message-id.
>
> we definitely need some UI for dealing with this, and perhaps some
> explicit de-duping logic or maintenance scripts would be useful too.
>
>    --dkg

There is now a simple UI for dealing with duplicate messages in the
emacs UI (as of commit 1ef7c75111b84ea19af3186ddc12f2ba434c93de, which
should be part of 0.37). 

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2022-07-30 12:41 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-03-08 16:37 a DoS vulnerability associated with conflated Message-IDs? Daniel Kahn Gillmor
2012-03-08 17:04 ` James Vasile
2012-03-08 17:16   ` Daniel Kahn Gillmor
2012-03-08 17:38     ` Jeremy Nickurak
2012-03-10 17:38       ` Tom Prince
2012-10-29 11:15 ` Peter Wang
2017-08-04 20:42   ` David Bremner
2017-08-04 22:15     ` Daniel Kahn Gillmor
2022-07-30 12:41       ` David Bremner

Code repositories for project(s) associated with this inbox:

	notmuch.git.git (no URL configured)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).