Re: Fixed Message-ID trouble

Subject: Re: Fixed Message-ID trouble

Date: Mon, 25 Sep 2023 18:45:21 -0400

To: Teemu Likonen, notmuch@notmuchmail.org

Cc:

From: Daniel Kahn Gillmor


On Mon 2023-09-25 11:54:07 +0300, Teemu Likonen wrote:
> Some person on debian-user mailing list seems to be sending messages
> with fixed Message-ID field: the same ID in different messages. In
> Notmuch it is creating trouble because it connects unrelated threads to
> one. The person has different messages in different threads but Notmuch
> thinks they are the same message because the Message-ID is the same.
>
> This is potentially a "denial of service" for Notmuch. Well, not quite,
> but is harmful nonetheless. How would a Notmuch user fix the mess or
> protect himself against it?

fwiw, the duplicate message-id attack vector a long-recognized problem:

  https://nmbug.notmuchmail.org/nmweb/show/87k42vrqve.fsf%40pip.fifthhorseman.net

yikes, over a decade ago ☹

With recent versions of notmuch, if the problem is a message-id
collision, you can at least *see* the different variant forms of a given
message by cycling through the list of duplicates (e.g. via
notmuch-show-choose-duplicate in notmuch-emacs), thanks to excellent
work by David Bremner:

https://nmbug.notmuchmail.org/nmweb/show/20220701214548.461943-1-david%40tethera.net

As for thread splitting/re-joining based on References: and In-Reply-To:
headers, you might be interested in these oldies-but-goodies from the
mailing list archives, which as far as i know we have never managed to
resolve:

https://nmbug.notmuchmail.org/nmweb/show/AANLkTimDjk_-Xjpf6uovGXgyG_3j-ySLWQR%2B0UvdVjjT%40mail.gmail.com
https://nmbug.notmuchmail.org/nmweb/show/87mvp9uwi4.fsf%40alice.fifthhorseman.net

Sorry to only have archival references here and not robust/complete
fixes.

        --dkg
signature.asc (application/pgp-signature)
_______________________________________________
notmuch mailing list -- notmuch@notmuchmail.org
To unsubscribe send an email to notmuch-leave@notmuchmail.org

Thread: