On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote: > Peter Wang <novalazy@gmail.com> writes: > >> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: >>> notmuch currently treats all messages with the same Message-ID as >>> the same message. I think this could be a vulnerability :( >>> >>> If two messages have the same Message-ID, is there a guarantee of which >>> of these messages will be produced during a notmuch show? >>> >>> Either way, it seems to create a potential DoS attack on notmuch users. >> >> Yesterday I was expecting a confirmation message which, seemingly, never >> came. It turns out my maildir already contained a message from the >> same system. From three years ago. With the same Message-ID. >> >> Malice has nothing on incompetence. >> >> Could we distinguish messages with identical Message-IDs based on >> some header fields, e.g. Date, From? > > I wouldn't say this problem is fixed, but we are making some > progress. In master all copies of the file are now indexed. It still > needs various UI work before we can consider the problem really fixed, > but it is now technically possible to detect such an attack (since the > "good terms" are also indexed). otoh, we now enable some additional (perhaps weirder) attacks, like: * i can make someone else's mail show up in your mailbox with a search term of my choosing by sending you a new mail co-opting their message-id. we definitely need some UI for dealing with this, and perhaps some explicit de-duping logic or maintenance scripts would be useful too. --dkg