Subject: Re: a DoS vulnerability associated with conflated Message-IDs?

Date: Fri, 04 Aug 2017 16:42:54 -0400

To: Peter Wang, notmuch mailing list


From: David Bremner

Peter Wang <> writes:

> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <> wrote:
>> notmuch currently treats all messages with the same Message-ID as
>> the same message.  I think this could be a vulnerability :(
>> If two messages have the same Message-ID, is there a guarantee of which
>> of these messages will be produced during a notmuch show?
>> Either way, it seems to create a potential DoS attack on notmuch users.
> Yesterday I was expecting a confirmation message which, seemingly, never
> came.  It turns out my maildir already contained a message from the
> same system.  From three years ago.  With the same Message-ID.
> Malice has nothing on incompetence.
> Could we distinguish messages with identical Message-IDs based on
> some header fields, e.g. Date, From?

I wouldn't say this problem is fixed, but we are making some
progress. In master all copies of the file are now indexed. It still
needs various UI work before we can consider the problem really fixed,
but it is now technically possible to detect such an attack (since the
"good terms" are also indexed).
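
One way to look for the situation discussed in this thread outside notmuch, as an added example (not code from notmuch or from anyone in the thread): group raw messages by Message-ID and report the IDs whose copies differ in Date, From or body. The function names and the sample messages are constructed for illustration.

```python
import email
import hashlib
from collections import defaultdict

def body_digest(msg):
    """SHA-256 over the decoded leaf parts, so routing headers do not matter."""
    h = hashlib.sha256()
    for part in msg.walk():
        if not part.is_multipart():
            h.update(part.get_payload(decode=True) or b"")
    return h.hexdigest()

def find_conflated(raw_messages):
    """Return {message_id: set of (Date, From, body hash)} for IDs with differing copies."""
    seen = defaultdict(set)
    for raw in raw_messages:
        msg = email.message_from_bytes(raw)
        mid = str(msg.get("Message-ID", "")).strip().strip("<>")
        if not mid:
            continue  # no ID to collide on
        seen[mid].add((str(msg.get("Date", "")).strip(),
                       str(msg.get("From", "")).strip(),
                       body_digest(msg)))
    return {mid: copies for mid, copies in seen.items() if len(copies) > 1}

# Constructed sample messages (not taken from the thread).
OLD = (b"Message-ID: <confirm-0001@shop.example>\n"
       b"Date: Mon, 04 Aug 2014 10:00:00 +0000\n"
       b"From: orders@shop.example\nSubject: Confirmation\n\nOrder 17 confirmed.\n")
NEW = (b"Message-ID: <confirm-0001@shop.example>\n"
       b"Date: Thu, 03 Aug 2017 09:30:00 +0000\n"
       b"From: orders@shop.example\nSubject: Confirmation\n\nOrder 952 confirmed.\n")
LIST_COPY = (b"Message-ID: <note-42@list.example>\n"
             b"Date: Fri, 04 Aug 2017 12:00:00 +0000\n"
             b"From: alice@list.example\n\nSame text.\n")
# Same message delivered by a second route: only a routing header differs.
DIRECT_COPY = b"Received: from mx.example by mail.example\n" + LIST_COPY
SAMPLES = [OLD, NEW, LIST_COPY, DIRECT_COPY]

if __name__ == "__main__":
    for mid, copies in find_conflated(SAMPLES).items():
        print(mid, "has", len(copies), "distinct copies")
```

Copies that pass through a mailing list which rewrites the body (footers, subject tags) will also be reported, so the output is a list of candidates to review rather than proof of an attack.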