Re: a DoS vulnerability associated with conflated Message-IDs?

Subject: Re: a DoS vulnerability associated with conflated Message-IDs?

Date: Mon, 29 Oct 2012 22:15:16 +1100

Cc:

On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> notmuch currently treats all messages with the same Message-ID as
> the same message.  I think this could be a vulnerability :(
> 
> If two messages have the same Message-ID, is there a guarantee of which
> of these messages will be produced during a notmuch show?
> 
> Either way, it seems to create a potential DoS attack on notmuch users.

Yesterday I was expecting a confirmation message which, seemingly, never
came.  It turns out my maildir already contained a message from the
same system.  From three years ago.  With the same Message-ID.

Malice has nothing on incompetence.

Could we distinguish messages with identical Message-IDs based on
some header fields, e.g. Date, From?

Peter

Previous message (by thread): Re: a DoS vulnerability associated with conflated Message-IDs?

Thread:

Daniel Kahn Gillmor—a DoS vulnerability associated with conflated Message-IDs? [inbox, signed, unread]
- James Vasile—Re: a DoS vulnerability associated with conflated Message-IDs? [inbox, signed, unread]
  - Daniel Kahn Gillmor—Re: a DoS vulnerability associated with conflated Message-IDs? [inbox, unread]
    - Jeremy Nickurak—Re: a DoS vulnerability associated with conflated Message-IDs? [inbox, unread]
      - Tom Prince—Re: a DoS vulnerability associated with conflated Message-IDs? [inbox, unread]
- Peter Wang—Re: a DoS vulnerability associated with conflated Message-IDs? [inbox, notmuch::bug, unread]
  - David Bremner—Re: a DoS vulnerability associated with conflated Message-IDs? [inbox, unread]
    - Daniel Kahn Gillmor—Re: a DoS vulnerability associated with conflated Message-IDs? [inbox, unread]
      - David Bremner—Re: a DoS vulnerability associated with conflated Message-IDs? [inbox, unread]