From: David Bremner
To: Daniel Kahn Gillmor, Peter Wang, notmuch mailing list
Subject: Re: a DoS vulnerability associated with conflated Message-IDs?
In-Reply-To: <87tw1nugi6.fsf@fifthhorseman.net>
References: <87k42vrqve.fsf@pip.fifthhorseman.net> <20121029221516.GB20292@hili.localdomain> <87d18bcbe9.fsf@rocinante.cs.unb.ca> <87tw1nugi6.fsf@fifthhorseman.net>
Date: Sat, 30 Jul 2022 09:41:41 -0300
Message-ID: <874jyy7oxm.fsf@tethera.net>
List-Id: "Use and development of the notmuch mail system."

Daniel Kahn Gillmor writes:

> On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:
>> Peter Wang writes:
>>
>>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor wrote:
>>>> notmuch currently treats all messages with the same Message-ID as
>>>> the same message. I think this could be a vulnerability :(
>>>>
>>>> If two messages have the same Message-ID, is there a guarantee of which
>>>> of these messages will be produced during a notmuch show?
>>>>
>>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>>
>>> Yesterday I was expecting a confirmation message which, seemingly, never
>>> came. It turns out my maildir already contained a message from the
>>> same system. From three years ago. With the same Message-ID.
>>>
>>> Malice has nothing on incompetence.
>>>
>>> Could we distinguish messages with identical Message-IDs based on
>>> some header fields, e.g. Date, From?
>>
>> I wouldn't say this problem is fixed, but we are making some
>> progress. In master all copies of the file are now indexed. It still
>> needs various UI work before we can consider the problem really fixed,
>> but it is now technically possible to detect such an attack (since the
>> "good terms" are also indexed).
>
> otoh, we now enable some additional (perhaps weirder) attacks, like:
>
>  * i can make someone else's mail show up in your mailbox with a search
>    term of my choosing by sending you a new mail co-opting their
>    message-id.
>
> we definitely need some UI for dealing with this, and perhaps some
> explicit de-duping logic or maintenance scripts would be useful too.
>
>         --dkg

There is now a simple UI for dealing with duplicate messages in the
emacs UI (as of commit 1ef7c75111b84ea19af3186ddc12f2ba434c93de, which
should be part of 0.37).
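
A maintenance check of the kind suggested in the quoted text, as an added example (not part of the original message and not notmuch code): it groups mail files by Message-ID and reports IDs whose copies disagree on From, Date or body, following the idea of distinguishing messages by header fields. The sample messages, paths and function names are constructed for illustration.

```python
import email
import hashlib
from collections import defaultdict
from email import policy


def make(frm, date, mid, body, extra=""):
    """Build a constructed RFC 5322 message for the sample set below."""
    return (f"{extra}From: {frm}\nDate: {date}\nMessage-ID: {mid}\n"
            f"Subject: confirmation\n\n{body}\n")


# Constructed sample input: a direct copy and a list copy of one message,
# an unrelated message reusing the same Message-ID, and a normal message.
D1 = "Thu, 08 Mar 2012 11:37:09 -0500"
SAMPLES = {
    "cur/direct": make("alice@example.org", D1, "<id1@example.org>", "Code 1234"),
    "cur/list-copy": make("alice@example.org", D1, "<id1@example.org>", "Code 1234",
                          extra="Received: from list.example by mx.example\n"),
    "cur/reused": make("mallory@example.net", "Fri, 04 Aug 2017 16:42:54 -0400",
                       "<id1@example.org>", "Unrelated text"),
    "cur/other": make("bob@example.org", D1, "<id2@example.org>", "Hello"),
}


def fingerprint(raw):
    """Return (Message-ID, digest of From, Date and plain body).

    Transport headers such as Received are ignored, so copies that only
    took different routes get the same digest.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    mid = str(msg["Message-ID"] or "").strip()
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    h = hashlib.sha256()
    for field in (str(msg["From"]), str(msg["Date"]), text.strip()):
        h.update(field.encode("utf-8", "replace") + b"\0")
    return mid, h.hexdigest()


def conflated_ids(messages):
    """Map each Message-ID whose files disagree to its groups of paths."""
    groups = defaultdict(lambda: defaultdict(list))
    for path, raw in messages.items():
        mid, digest = fingerprint(raw)
        if mid:
            groups[mid][digest].append(path)
    return {mid: sorted(sorted(p) for p in by_digest.values())
            for mid, by_digest in groups.items() if len(by_digest) > 1}
```

For a real maildir, pass a mapping of path to file contents; footers that a mailing list appends to the body would need stripping before hashing, which this sketch does not do.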