Re: a DoS vulnerability associated with conflated Message-IDs?

Subject: Re: a DoS vulnerability associated with conflated Message-IDs?

Date: Fri, 04 Aug 2017 18:15:13 -0400

To: David Bremner, Peter Wang, notmuch mailing list

Cc:

From: Daniel Kahn Gillmor

On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:
> Peter Wang <novalazy@gmail.com> writes:
>
>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>> notmuch currently treats all messages with the same Message-ID as
>>> the same message.  I think this could be a vulnerability :(
>>> 
>>> If two messages have the same Message-ID, is there a guarantee of which
>>> of these messages will be produced during a notmuch show?
>>> 
>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>
>> Yesterday I was expecting a confirmation message which, seemingly, never
>> came.  It turns out my maildir already contained a message from the
>> same system.  From three years ago.  With the same Message-ID.
>>
>> Malice has nothing on incompetence.
>>
>> Could we distinguish messages with identical Message-IDs based on
>> some header fields, e.g. Date, From?
>
> I wouldn't say this problem is fixed, but we are making some
> progress. In master all copies of the file are now indexed. It still
> needs various UI work before we can consider the problem really fixed,
> but it is now technically possible to detect such an attack (since the
> "good terms" are also indexed).

otoh, we now enable some additional (perhaps weirder) attacks, like:

 * i can make someone else's mail show up in your mailbox with a search
   term of my choosing by sending you a new mail co-opting their
   message-id.

we definitely need some UI for dealing with this, and perhaps some
explicit de-duping logic or maintenance scripts would be useful too.

   --dkg

Thread: