notmuch currently treats all messages with the same Message-ID as the same message. I think this could be a vulnerability :(

If two messages have the same Message-ID, is there a guarantee of which of these messages will be produced during a notmuch show?

Either way, it seems to create a potential DoS attack on notmuch users.

-------

The attack:

Let's say there is a public mailing list that Mallory knows bob@example.org is subscribed to.

alice@example.net sends a message to the public mailing list detailing some problem that Bob probably needs to deal with.

Mallory can just craft a content-free e-mail (or a dozen?) with the same Message-ID as Alice's message, and send it to bob@example.org.

If Bob uses notmuch, he is much more likely to read one of Mallory's bogus e-mails than to read Alice's original message.

Mallory's e-mail could also be crafted to look like spam, in the hopes that Bob's spamfiltering scripts would mark the original message's Message-ID as spam.

--------

I don't know how to fix this, and i'd be happy to hear if someone thinks my analysis above is flawed and this isn't really a problem.

Any ideas on how to approach this?

--dkg
On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> Any ideas on how to approach this?

Treat messages with the same ID but different hashes as different?
On 03/08/2012 12:04 PM, James Vasile wrote:
> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor<dkg@fifthhorseman.net> wrote:
>> Any ideas on how to approach this?
>
> Treat messages with the same ID but different hashes as different?
Given that a message hash would include all headers, including Received:
and other MTA-added stuff, i think that would remove all relevance of
the Message-ID field. in particular, it seems like we would just be
identifying messages by their digest.
If you're willing to ignore the headers and just look at a digest of the
body, that still doesn't provide any help for the common (legitimate)
case of a message jointly-delivered to a mailing list and to a specific
(already-subscribed) user.
That user will get two copies of the message, and since most mailing
lists modify the body of the message (usually by adding a footer section
with mailing list info) their bodies will also have different digests.
So i don't see how to make this suggestion work without giving up on
Message-IDs as the identifier entirely (and therefore accepting many
more spurious duplicates than users currently need to tolerate).
Any other suggestions or ideas?
--dkg
On Thu, Mar 8, 2012 at 10:16, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> Any other suggestions or ideas?
What about representing the contents from both messages in one apparent message?
- Aggregate the headers together, perhaps?
- Where headers disagree, display both
- If the bodies disagree, display both.
On Thu, 8 Mar 2012 10:38:32 -0700, Jeremy Nickurak <not-much@trk.nickurak.ca> wrote:
> On Thu, Mar 8, 2012 at 10:16, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> > Any other suggestions or ideas?
>
> What about representing the contents from both messages in one apparent message?
> - ...
> - If the bodies disagree, display both.
We'd probably need to do something like doing a diff. I find it annoying
enough displaying both text and html copies of a mail. Displaying two
copies of a message, just because one of them has a few extra lines as a
footer would be equally annoying.
Maybe it would be enough to ignore the signature too, when comparing messages?
On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> notmuch currently treats all messages with the same Message-ID as
> the same message. I think this could be a vulnerability :(
>
> If two messages have the same Message-ID, is there a guarantee of which
> of these messages will be produced during a notmuch show?
>
> Either way, it seems to create a potential DoS attack on notmuch users.
Yesterday I was expecting a confirmation message which, seemingly, never
came. It turns out my maildir already contained a message from the
same system. From three years ago. With the same Message-ID.
Malice has nothing on incompetence.
Could we distinguish messages with identical Message-IDs based on
some header fields, e.g. Date, From?
Peter
Peter Wang <novalazy@gmail.com> writes:
> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>> notmuch currently treats all messages with the same Message-ID as
>> the same message. I think this could be a vulnerability :(
>>
>> If two messages have the same Message-ID, is there a guarantee of which
>> of these messages will be produced during a notmuch show?
>>
>> Either way, it seems to create a potential DoS attack on notmuch users.
>
> Yesterday I was expecting a confirmation message which, seemingly, never
> came. It turns out my maildir already contained a message from the
> same system. From three years ago. With the same Message-ID.
>
> Malice has nothing on incompetence.
>
> Could we distinguish messages with identical Message-IDs based on
> some header fields, e.g. Date, From?
I wouldn't say this problem is fixed, but we are making some
progress. In master all copies of the file are now indexed. It still
needs various UI work before we can consider the problem really fixed,
but it is now technically possible to detect such an attack (since the
"good terms" are also indexed).
d
On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:
> Peter Wang <novalazy@gmail.com> writes:
>
>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>> notmuch currently treats all messages with the same Message-ID as
>>> the same message. I think this could be a vulnerability :(
>>>
>>> If two messages have the same Message-ID, is there a guarantee of which
>>> of these messages will be produced during a notmuch show?
>>>
>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>
>> Yesterday I was expecting a confirmation message which, seemingly, never
>> came. It turns out my maildir already contained a message from the
>> same system. From three years ago. With the same Message-ID.
>>
>> Malice has nothing on incompetence.
>>
>> Could we distinguish messages with identical Message-IDs based on
>> some header fields, e.g. Date, From?
>
> I wouldn't say this problem is fixed, but we are making some
> progress. In master all copies of the file are now indexed. It still
> needs various UI work before we can consider the problem really fixed,
> but it is now technically possible to detect such an attack (since the
> "good terms" are also indexed).
otoh, we now enable some additional (perhaps weirder) attacks, like:
* i can make someone else's mail show up in your mailbox with a search
term of my choosing by sending you a new mail co-opting their
message-id.
we definitely need some UI for dealing with this, and perhaps some
explicit de-duping logic or maintenance scripts would be useful too.
--dkg
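
As an added example, not part of the thread or of notmuch: a sketch of the kind of maintenance script suggested above, combining the heuristics proposed in the thread (compare From and Date, tolerate a footer appended by a mailing list) to flag Message-IDs shared by messages that differ. The sample mail, addresses and function names are constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string

def _msg(mid, sender, date, body):
    return (f"Message-ID: {mid}\nFrom: {sender}\nDate: {date}\n"
            f"Subject: disk failing\n\n{body}")

# Constructed sample mail (not taken from the thread).
DATE = "Thu, 08 Mar 2012 11:00:00 -0500"
BODY = "The backup disk on the build host is failing.\nPlease swap it.\n"
FOOTER = "_______________\nlist mailing list\nlist@lists.example.org\n"
SAMPLES = [
    _msg("<a1@example.net>", "alice@example.net", DATE, BODY),           # direct copy
    _msg("<a1@example.net>", "alice@example.net", DATE, BODY + FOOTER),  # list copy
    _msg("<a1@example.net>", "mallory@example.com", DATE, "(no content)\n"),  # reused ID
    _msg("<b2@example.org>", "bob@example.org", DATE, "unrelated\n"),
]

def body_lines(msg):
    """Body as a list of non-blank, right-stripped lines."""
    return [l.rstrip() for l in msg.get_payload().splitlines() if l.strip()]

def same_message(a, b):
    """Heuristic: same From and Date, and one body is a prefix of the other
    (tolerates a list footer). From and Date are sender-controlled, so a
    match is not proof of authenticity; a mismatch is a signal to review."""
    if (a["From"], a["Date"]) != (b["From"], b["Date"]):
        return False
    short, long_ = sorted((body_lines(a), body_lines(b)), key=len)
    return long_[:len(short)] == short

def audit(raw_messages):
    """Return {message_id: distinct_variant_count} for IDs with conflicts."""
    groups = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        groups[msg["Message-ID"].strip()].append(msg)
    conflicts = {}
    for mid, msgs in groups.items():
        variants = []  # one representative per distinct message
        for m in msgs:
            if not any(same_message(m, v) for v in variants):
                variants.append(m)
        if len(variants) > 1:
            conflicts[mid] = len(variants)
    return conflicts

if __name__ == "__main__":
    for mid, n in audit(SAMPLES).items():
        print(f"{mid}: {n} differing messages share this Message-ID")
```
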
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:
>> Peter Wang <novalazy@gmail.com> writes:
>>
>>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>>> notmuch currently treats all messages with the same Message-ID as
>>>> the same message. I think this could be a vulnerability :(
>>>>
>>>> If two messages have the same Message-ID, is there a guarantee of which
>>>> of these messages will be produced during a notmuch show?
>>>>
>>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>>
>>> Yesterday I was expecting a confirmation message which, seemingly, never
>>> came. It turns out my maildir already contained a message from the
>>> same system. From three years ago. With the same Message-ID.
>>>
>>> Malice has nothing on incompetence.
>>>
>>> Could we distinguish messages with identical Message-IDs based on
>>> some header fields, e.g. Date, From?
>>
>> I wouldn't say this problem is fixed, but we are making some
>> progress. In master all copies of the file are now indexed. It still
>> needs various UI work before we can consider the problem really fixed,
>> but it is now technically possible to detect such an attack (since the
>> "good terms" are also indexed).
>
> otoh, we now enable some additional (perhaps weirder) attacks, like:
>
> * i can make someone else's mail show up in your mailbox with a search
> term of my choosing by sending you a new mail co-opting their
> message-id.
>
> we definitely need some UI for dealing with this, and perhaps some
> explicit de-duping logic or maintenance scripts would be useful too.
>
> --dkg
There is now a simple UI for dealing with duplicate messages in the
emacs UI (as of commit 1ef7c75111b84ea19af3186ddc12f2ba434c93de, which
should be part of 0.37).