a DoS vulnerability associated with conflated Message-IDs?

Subject: a DoS vulnerability associated with conflated Message-IDs?

Date: Thu, 08 Mar 2012 11:37:09 -0500

To: notmuch mailing list


From: Daniel Kahn Gillmor

notmuch currently treats all messages with the same Message-ID as
the same message.  I think this could be a vulnerability :(

If two messages have the same Message-ID, is there a guarantee of which
of these messages will be produced during a notmuch show?

Either way, it seems to create a potential DoS attack on notmuch users.


The attack:

Let's say there is a public mailing list that Mallory knows
bob@example.org is subscribed to.  alice@example.net sends a message to
the public mailing list detailing some problem that Bob probably needs
to deal with.

Mallory can just craft a content-free e-mail (or a dozen?) with the same
Message-ID as Alice's message, and send it to bob@example.org.

If Bob uses notmuch, he is much more likely to read one of Mallory's
bogus e-mails than to read Alice's original message.

Mallory's e-mail could also be crafted to look like spam, in the hopes
that Bob's spamfiltering scripts would mark the original message's
Message-ID as spam.


I don't know how to fix this, and i'd be happy to hear if someone thinks
my analysis above is flawed and this isn't really a problem.

Any ideas on how to approach this?

part-000.sig (application/pgp-signature)