Return-Path: <dkg@fifthhorseman.net>
X-Original-To: notmuch@notmuchmail.org
Delivered-To: notmuch@notmuchmail.org
Received: from localhost (localhost [127.0.0.1])
    by olra.theworths.org (Postfix) with ESMTP id 22525431FB6
    for <notmuch@notmuchmail.org>; Thu, 8 Mar 2012 08:37:22 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none]
Received: from olra.theworths.org ([127.0.0.1])
    by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id oHiNhyuEIUJm for <notmuch@notmuchmail.org>;
    Thu, 8 Mar 2012 08:37:21 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108])
    by olra.theworths.org (Postfix) with ESMTP id AC05C431FAE
    for <notmuch@notmuchmail.org>; Thu, 8 Mar 2012 08:37:21 -0800 (PST)
Received: from pip.fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98])
    by che.mayfirst.org (Postfix) with ESMTPSA id B8334F970
    for <notmuch@notmuchmail.org>; Thu, 8 Mar 2012 11:37:17 -0500 (EST)
Received: by pip.fifthhorseman.net (Postfix, from userid 1000)
    id D8DA211898; Thu, 8 Mar 2012 11:37:18 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: notmuch mailing list <notmuch@notmuchmail.org>
Subject: a DoS vulnerability associated with conflated Message-IDs?
User-Agent: Notmuch/0.11.1 (http://notmuchmail.org) Emacs/23.3.1
Date: Thu, 08 Mar 2012 11:37:09 -0500
Message-ID: <87k42vrqve.fsf@pip.fifthhorseman.net>
Content-Type: multipart/signed; boundary="=-=-=";
    micalg=pgp-sha512; protocol="application/pgp-signature"
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.13
List-Id: "Use and development of the notmuch mail system."
    <notmuch.notmuchmail.org>
List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
    <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
    <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2012 16:37:22 -0000

Content-Type: text/plain

notmuch currently treats all messages with the same Message-ID as
the same message. I think this could be a vulnerability :(

If two messages have the same Message-ID, is there a guarantee of which
of these messages will be produced during a notmuch show?

Either way, it seems to create a potential DoS attack on notmuch users.

Let's say there is a public mailing list that Mallory knows
bob@example.org is subscribed to. alice@example.net sends a message to
the public mailing list detailing some problem that Bob probably needs

Mallory can just craft a content-free e-mail (or a dozen?) with the same
Message-ID as Alice's message, and send it to bob@example.org.

If Bob uses notmuch, he is much more likely to read one of Mallory's
bogus e-mails than to read Alice's original message.

Mallory's e-mail could also be crafted to look like spam, in the hopes
that Bob's spam-filtering scripts would mark the original message's

I don't know how to fix this, and I'd be happy to hear if someone thinks
my analysis above is flawed and this isn't really a problem.

Any ideas on how to approach this?

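Added example (not part of the original message and not notmuch code): a Python check over a mail store for the condition described above, where one Message-ID arrives with more than one distinct body. The function names and sample messages are constructed for illustration; identical redeliveries are treated as benign, and copies whose body a list has altered (for example with a footer) will also be flagged for review.

```python
import hashlib
from collections import defaultdict
from email import message_from_bytes
from email.policy import default

# Constructed sample mail (not real traffic); addresses follow the scenario above.
ALICE = (b"From: alice@example.net\r\nTo: list@example.org\r\n"
         b"Message-ID: <alice-1@example.net>\r\nSubject: urgent problem\r\n\r\n"
         b"Bob, please look at this before Friday.\r\n")
# Same message delivered a second time by another route: a benign duplicate.
ALICE_CC = ALICE.replace(b"To: list@example.org", b"To: bob@example.org")
# Content-free message that reuses Alice's Message-ID.
MALLORY = (b"From: mallory@example.com\r\nTo: bob@example.org\r\n"
           b"Message-ID: <alice-1@example.net>\r\nSubject: urgent problem\r\n\r\n"
           b"\r\n")
OTHER = b"From: carol@example.org\r\nMessage-ID: <carol-7@example.org>\r\n\r\nhi\r\n"


def body_digest(msg):
    """SHA-256 of the text/plain body, with whitespace and line endings normalised."""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    canon = "\n".join(line.rstrip() for line in text.strip().splitlines())
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def find_conflated_ids(raw_messages):
    """Map each Message-ID seen with more than one distinct body to its variants.

    Returns {message_id: [(from_header, body_sha256), ...]}; IDs whose copies
    all carry the same body are omitted.
    """
    seen = defaultdict(dict)  # message-id -> {body digest: first From seen}
    for raw in raw_messages:
        msg = message_from_bytes(raw, policy=default)
        mid = (msg["Message-ID"] or "").strip().strip("<>")
        if not mid:
            continue  # nothing to collide on
        seen[mid].setdefault(body_digest(msg), str(msg["From"]))
    return {mid: sorted((frm, digest) for digest, frm in variants.items())
            for mid, variants in seen.items() if len(variants) > 1}


if __name__ == "__main__":
    for mid, variants in find_conflated_ids([ALICE, ALICE_CC, MALLORY, OTHER]).items():
        print(f"Message-ID <{mid}> has {len(variants)} distinct bodies:")
        for sender, digest in variants:
            print(f"  from {sender}  body sha256 {digest[:16]}")
```

A flagged ID is a prompt to look at every copy on disk rather than only the one the index happens to show.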