From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by arlo.cworth.org (Postfix) with ESMTP id 5BD5F6DE0AF4 for ; Fri, 4 Aug 2017 15:23:24 -0700 (PDT) X-Virus-Scanned: Debian amavisd-new at cworth.org X-Spam-Flag: NO X-Spam-Score: -0.052 X-Spam-Level: X-Spam-Status: No, score=-0.052 tagged_above=-999 required=5 tests=[AWL=-0.052] autolearn=disabled Received: from arlo.cworth.org ([127.0.0.1]) by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uj5Xodd0M-TU for ; Fri, 4 Aug 2017 15:23:23 -0700 (PDT) Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by arlo.cworth.org (Postfix) with ESMTP id 7C5F26DE098B for ; Fri, 4 Aug 2017 15:23:23 -0700 (PDT) Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 899C3F99B; Fri, 4 Aug 2017 18:23:20 -0400 (EDT) Received: by fifthhorseman.net (Postfix, from userid 1000) id 4A6481FD81; Fri, 4 Aug 2017 18:15:13 -0400 (EDT) From: Daniel Kahn Gillmor To: David Bremner , Peter Wang , notmuch mailing list Subject: Re: a DoS vulnerability associated with conflated Message-IDs? In-Reply-To: <87d18bcbe9.fsf@rocinante.cs.unb.ca> References: <87k42vrqve.fsf@pip.fifthhorseman.net> <20121029221516.GB20292@hili.localdomain> <87d18bcbe9.fsf@rocinante.cs.unb.ca> Date: Fri, 04 Aug 2017 18:15:13 -0400 Message-ID: <87tw1nugi6.fsf@fifthhorseman.net> MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Aug 2017 22:23:24 -0000 On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote: > Peter Wang writes: > >> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor wrote: >>> notmuch currently treats all messages with the same Message-ID as >>> the same message. I think this could be a vulnerability :( >>> >>> If two messages have the same Message-ID, is there a guarantee of which >>> of these messages will be produced during a notmuch show? >>> >>> Either way, it seems to create a potential DoS attack on notmuch users. >> >> Yesterday I was expecting a confirmation message which, seemingly, never >> came. It turns out my maildir already contained a message from the >> same system. From three years ago. With the same Message-ID. >> >> Malice has nothing on incompetence. >> >> Could we distinguish messages with identical Message-IDs based on >> some header fields, e.g. Date, From? > > I wouldn't say this problem is fixed, but we are making some > progress. In master all copies of the file are now indexed. It still > needs various UI work before we can consider the problem really fixed, > but it is now technically possible to detect such an attack (since the > "good terms" are also indexed). otoh, we now enable some additional (perhaps weirder) attacks, like: * i can make someone else's mail show up in your mailbox with a search term of my choosing by sending you a new mail co-opting their message-id. we definitely need some UI for dealing with this, and perhaps some explicit de-duping logic or maintenance scripts would be useful too. --dkg