1 Return-Path: <novalazy@gmail.com>
\r
2 X-Original-To: notmuch@notmuchmail.org
\r
3 Delivered-To: notmuch@notmuchmail.org
\r
4 Received: from localhost (localhost [127.0.0.1])
\r
5 by olra.theworths.org (Postfix) with ESMTP id 709BF431FBC
\r
6 for <notmuch@notmuchmail.org>; Mon, 29 Oct 2012 04:15:23 -0700 (PDT)
\r
7 X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
\r
11 X-Spam-Status: No, score=-0.799 tagged_above=-999 required=5
\r
12 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
\r
13 FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled
\r
14 Received: from olra.theworths.org ([127.0.0.1])
\r
15 by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
\r
16 with ESMTP id IXRRbxqq3ZYE for <notmuch@notmuchmail.org>;
\r
17 Mon, 29 Oct 2012 04:15:23 -0700 (PDT)
\r
18 Received: from mail-pb0-f53.google.com (mail-pb0-f53.google.com
\r
19 [209.85.160.53]) (using TLSv1 with cipher RC4-SHA (128/128 bits))
\r
20 (No client certificate requested)
\r
21 by olra.theworths.org (Postfix) with ESMTPS id E5E0C431FAF
\r
22 for <notmuch@notmuchmail.org>; Mon, 29 Oct 2012 04:15:22 -0700 (PDT)
\r
23 Received: by mail-pb0-f53.google.com with SMTP id wz12so4497427pbc.26
\r
24 for <notmuch@notmuchmail.org>; Mon, 29 Oct 2012 04:15:22 -0700 (PDT)
\r
25 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
\r
26 h=date:message-id:from:to:subject:in-reply-to:references:mime-version
\r
27 :content-type:content-disposition:content-transfer-encoding;
\r
28 bh=mVwvvV/gvenCQk7iV3MpRPXYs6XCSh12JcvRv5YsHVg=;
\r
29 b=qv/laTObkN+vHTeOiH8/mzcRKLwY1M1a6dLlzvKXqFzdKIhFwa6hdn3wlodW4FnuKz
\r
30 iIzLLLLBZO/eIDbS6mg0Gfeas/6n4VR3bFP4ljcpTmqnD/a1YTgJ2R6wiMeiES3izF1W
\r
31 5YfIxUwlXtz08xxaPL0uRvLfSX9i5sIF+Tr9y6BEehjWZz+LCNJEazKtZzcE441ghWSa
\r
32 bLLgur1ipfHx78AuNfWl+81K2CqVo/dKvSLttKZ1Td1zSlF1H8IP5OcPTJn2Dm97Z2uz
\r
33 KxnE1HwPjP5MJSrZqvclmcrYUokFfnftL4+/Olf51Hp6q5xoP9vonXWqlT2w74lfykpr
\r
35 Received: by 10.68.233.230 with SMTP id tz6mr91579591pbc.36.1351509322068;
\r
36 Mon, 29 Oct 2012 04:15:22 -0700 (PDT)
\r
37 Received: from localhost (215.42.233.220.static.exetel.com.au.
\r
39 by mx.google.com with ESMTPS id bf6sm5807644pab.3.2012.10.29.04.15.19
\r
40 (version=TLSv1/SSLv3 cipher=OTHER);
\r
41 Mon, 29 Oct 2012 04:15:20 -0700 (PDT)
\r
42 Date: Mon, 29 Oct 2012 22:15:16 +1100
\r
43 Message-ID: <20121029221516.GB20292@hili.localdomain>
\r
44 From: Peter Wang <novalazy@gmail.com>
\r
45 To: notmuch mailing list <notmuch@notmuchmail.org>
\r
46 Subject: Re: a DoS vulnerability associated with conflated Message-IDs?
\r
47 In-Reply-To: <87k42vrqve.fsf@pip.fifthhorseman.net>
\r
48 References: <87k42vrqve.fsf@pip.fifthhorseman.net>
\r
50 Content-Type: text/plain; charset=utf-8
\r
51 Content-Disposition: inline
\r
52 Content-Transfer-Encoding: 8bit
\r
53 X-BeenThere: notmuch@notmuchmail.org
\r
54 X-Mailman-Version: 2.1.13
\r
56 List-Id: "Use and development of the notmuch mail system."
\r
57 <notmuch.notmuchmail.org>
\r
58 List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
\r
59 <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
\r
60 List-Archive: <http://notmuchmail.org/pipermail/notmuch>
\r
61 List-Post: <mailto:notmuch@notmuchmail.org>
\r
62 List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
\r
63 List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
\r
64 <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
\r
65 X-List-Received-Date: Mon, 29 Oct 2012 11:15:23 -0000
\r
67 On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
\r
68 > notmuch currently treats all messages with the same Message-ID as
\r
69 > the same message. I think this could be a vulnerability :(
\r
71 > If two messages have the same Message-ID, is there a guarantee of which
\r
72 > of these messages will be produced during a notmuch show?
\r
74 > Either way, it seems to create a potential DoS attack on notmuch users.
\r
76 Yesterday I was expecting a confirmation message which, seemingly, never
\r
77 came. It turns out my maildir already contained a message from the
\r
78 same system. From three years ago. With the same Message-ID.
\r
80 Malice has nothing on incompetence.
\r
82 Could we distinguish messages with identical Message-IDs based on
\r
83 some header fields, e.g. Date, From?
\r