projects / notmuch-archives.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Re: a DoS vulnerability associated with conflated Message-IDs?
[notmuch-archives.git] / 55 / 5507688fa6caa81c88a085f732c343a3db5681
1 Return-Path: <novalazy@gmail.com>\r
2 X-Original-To: notmuch@notmuchmail.org\r
3 Delivered-To: notmuch@notmuchmail.org\r
4 Received: from localhost (localhost [127.0.0.1])\r
5         by olra.theworths.org (Postfix) with ESMTP id 709BF431FBC\r
6         for <notmuch@notmuchmail.org>; Mon, 29 Oct 2012 04:15:23 -0700 (PDT)\r
7 X-Virus-Scanned: Debian amavisd-new at olra.theworths.org\r
8 X-Spam-Flag: NO\r
9 X-Spam-Score: -0.799\r
10 X-Spam-Level: \r
11 X-Spam-Status: No, score=-0.799 tagged_above=-999 required=5\r
12         tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,\r
13         FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled\r
14 Received: from olra.theworths.org ([127.0.0.1])\r
15         by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)\r
16         with ESMTP id IXRRbxqq3ZYE for <notmuch@notmuchmail.org>;\r
17         Mon, 29 Oct 2012 04:15:23 -0700 (PDT)\r
18 Received: from mail-pb0-f53.google.com (mail-pb0-f53.google.com\r
19         [209.85.160.53]) (using TLSv1 with cipher RC4-SHA (128/128 bits))\r
20         (No client certificate requested)\r
21         by olra.theworths.org (Postfix) with ESMTPS id E5E0C431FAF\r
22         for <notmuch@notmuchmail.org>; Mon, 29 Oct 2012 04:15:22 -0700 (PDT)\r
23 Received: by mail-pb0-f53.google.com with SMTP id wz12so4497427pbc.26\r
24         for <notmuch@notmuchmail.org>; Mon, 29 Oct 2012 04:15:22 -0700 (PDT)\r
25 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;\r
26         h=date:message-id:from:to:subject:in-reply-to:references:mime-version\r
27         :content-type:content-disposition:content-transfer-encoding;\r
28         bh=mVwvvV/gvenCQk7iV3MpRPXYs6XCSh12JcvRv5YsHVg=;\r
29         b=qv/laTObkN+vHTeOiH8/mzcRKLwY1M1a6dLlzvKXqFzdKIhFwa6hdn3wlodW4FnuKz\r
30         iIzLLLLBZO/eIDbS6mg0Gfeas/6n4VR3bFP4ljcpTmqnD/a1YTgJ2R6wiMeiES3izF1W\r
31         5YfIxUwlXtz08xxaPL0uRvLfSX9i5sIF+Tr9y6BEehjWZz+LCNJEazKtZzcE441ghWSa\r
32         bLLgur1ipfHx78AuNfWl+81K2CqVo/dKvSLttKZ1Td1zSlF1H8IP5OcPTJn2Dm97Z2uz\r
33         KxnE1HwPjP5MJSrZqvclmcrYUokFfnftL4+/Olf51Hp6q5xoP9vonXWqlT2w74lfykpr\r
34         geYA==\r
35 Received: by 10.68.233.230 with SMTP id tz6mr91579591pbc.36.1351509322068;\r
36         Mon, 29 Oct 2012 04:15:22 -0700 (PDT)\r
37 Received: from localhost (215.42.233.220.static.exetel.com.au.\r
38         [220.233.42.215])\r
39         by mx.google.com with ESMTPS id bf6sm5807644pab.3.2012.10.29.04.15.19\r
40         (version=TLSv1/SSLv3 cipher=OTHER);\r
41         Mon, 29 Oct 2012 04:15:20 -0700 (PDT)\r
42 Date: Mon, 29 Oct 2012 22:15:16 +1100\r
43 Message-ID: <20121029221516.GB20292@hili.localdomain>\r
44 From: Peter Wang <novalazy@gmail.com>\r
45 To: notmuch mailing list <notmuch@notmuchmail.org>\r
46 Subject: Re: a DoS vulnerability associated with conflated Message-IDs?\r
47 In-Reply-To: <87k42vrqve.fsf@pip.fifthhorseman.net>\r
48 References: <87k42vrqve.fsf@pip.fifthhorseman.net>\r
49 MIME-Version: 1.0\r
50 Content-Type: text/plain; charset=utf-8\r
51 Content-Disposition: inline\r
52 Content-Transfer-Encoding: 8bit\r
53 X-BeenThere: notmuch@notmuchmail.org\r
54 X-Mailman-Version: 2.1.13\r
55 Precedence: list\r
56 List-Id: "Use and development of the notmuch mail system."\r
57         <notmuch.notmuchmail.org>\r
58 List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,\r
59         <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>\r
60 List-Archive: <http://notmuchmail.org/pipermail/notmuch>\r
61 List-Post: <mailto:notmuch@notmuchmail.org>\r
62 List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>\r
63 List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,\r
64         <mailto:notmuch-request@notmuchmail.org?subject=subscribe>\r
65 X-List-Received-Date: Mon, 29 Oct 2012 11:15:23 -0000\r
66 \r
67 On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:\r
68 > notmuch currently treats all messages with the same Message-ID as\r
69 > the same message.  I think this could be a vulnerability :(\r
70\r
71 > If two messages have the same Message-ID, is there a guarantee of which\r
72 > of these messages will be produced during a notmuch show?\r
73\r
74 > Either way, it seems to create a potential DoS attack on notmuch users.\r
75 \r
76 Yesterday I was expecting a confirmation message which, seemingly, never\r
77 came.  It turns out my maildir already contained a message from the\r
78 same system.  From three years ago.  With the same Message-ID.\r
79 \r
80 Malice has nothing on incompetence.\r
81 \r
82 Could we distinguish messages with identical Message-IDs based on\r
83 some header fields, e.g. Date, From?\r
84 \r
85 Peter\r
The notmuch archives as a ssoma repository.