From: David Bremner
To: Peter Wang, notmuch mailing list
Subject: Re: a DoS vulnerability associated with conflated Message-IDs?
In-Reply-To: <20121029221516.GB20292@hili.localdomain>
References: <87k42vrqve.fsf@pip.fifthhorseman.net> <20121029221516.GB20292@hili.localdomain>
Date: Fri, 04 Aug 2017 16:42:54 -0400
Message-ID: <87d18bcbe9.fsf@rocinante.cs.unb.ca>

Peter Wang writes:

> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor wrote:
>> notmuch currently treats all messages with the same Message-ID as
>> the same message. I think this could be a vulnerability :(
>>
>> If two messages have the same Message-ID, is there a guarantee of which
>> of these messages will be produced during a notmuch show?
>>
>> Either way, it seems to create a potential DoS attack on notmuch users.
>
> Yesterday I was expecting a confirmation message which, seemingly, never
> came. It turns out my maildir already contained a message from the
> same system. From three years ago. With the same Message-ID.
>
> Malice has nothing on incompetence.
>
> Could we distinguish messages with identical Message-IDs based on
> some header fields, e.g. Date, From?

I wouldn't say this problem is fixed, but we are making some progress.
In master all copies of the file are now indexed. It still needs various
UI work before we can consider the problem really fixed, but it is now
technically possible to detect such an attack (since the "good terms"
are also indexed).

d
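
An added example, not part of the thread and not notmuch's own code: a stand-alone check, using only Python's standard library, that groups message files by Message-ID and reports IDs whose copies disagree on the From address or Date, the header fields suggested in the quoted reply. The sample messages, paths and function names are constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample maildir contents (path -> raw message), for illustration only.
SAMPLES = {
    "cur/1": "From: Shop <noreply@shop.example>\nDate: Mon, 03 Aug 2009 10:00:00 +0000\n"
             "Message-ID: <confirm@shop.example>\n\nold confirmation\n",
    "new/2": "From: Shop <noreply@shop.example>\nDate: Sun, 28 Oct 2012 09:30:00 +0000\n"
             "Message-ID: <confirm@shop.example>\n\nnew confirmation\n",
    # Same post received directly and via a list: same sender, same instant.
    "cur/3": "From: Alice <alice@example.org>\nDate: Fri, 04 Aug 2017 16:42:54 -0400\n"
             "Message-ID: <post@list.example>\n\nhello\n",
    "cur/4": "From: alice@example.org\nDate: Fri, 04 Aug 2017 20:42:54 +0000\n"
             "Message-ID: <post@list.example>\n\nhello\n",
}

def _identity(msg):
    """Normalised (sender address, send time) used to tell copies apart."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    raw_date = msg.get("Date", "")
    try:
        when = parsedate_to_datetime(raw_date)  # aware datetimes compare by instant
    except (TypeError, ValueError):
        when = raw_date.strip()                 # unparsable: fall back to raw text
    return sender, when

def conflated_ids(files):
    """Return {Message-ID: [paths]} where copies disagree on From or Date."""
    groups = defaultdict(list)
    for path, raw in files.items():
        msg = message_from_string(raw)
        mid = (msg.get("Message-ID") or "").strip()
        if mid:
            groups[mid].append((_identity(msg), path))
    return {
        mid: sorted(path for _, path in copies)
        for mid, copies in groups.items()
        if len({ident for ident, _ in copies}) > 1
    }

if __name__ == "__main__":
    for mid, paths in conflated_ids(SAMPLES).items():
        print(mid, "->", ", ".join(paths))
```

Ordinary duplicates, such as a list copy and a direct copy of the same post, share sender and send time and are not reported; only Message-IDs reused across different messages are.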