From: Daniel Kahn Gillmor
To: notmuch mailing list
Subject: a DoS vulnerability associated with conflated Message-IDs?
Date: Thu, 08 Mar 2012 11:37:09 -0500
Message-ID: <87k42vrqve.fsf@pip.fifthhorseman.net>

notmuch currently treats all messages with the same Message-ID as the same message.
I think this could be a vulnerability :(

If two messages have the same Message-ID, is there a guarantee of which of these messages will be produced during a notmuch show? Either way, it seems to create a potential DoS attack on notmuch users.

-------

The attack:

Let's say there is a public mailing list that Mallory knows bob@example.org is subscribed to. alice@example.net sends a message to the public mailing list detailing some problem that Bob probably needs to deal with.

Mallory can just craft a content-free e-mail (or a dozen?) with the same Message-ID as Alice's message, and send it to bob@example.org. If Bob uses notmuch, he is much more likely to read one of Mallory's bogus e-mails than to read Alice's original message.

Mallory's e-mail could also be crafted to look like spam, in the hopes that Bob's spam-filtering scripts would mark the original message's Message-ID as spam.

--------

I don't know how to fix this, and I'd be happy to hear if someone thinks my analysis above is flawed and this isn't really a problem.

Any ideas on how to approach this?
--dkg
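A defender-side check for the situation the mail describes, added here as an example that is not part of the original message or of notmuch: it parses a set of messages, groups them by Message-ID, and reports any id that maps to more than one distinct body, which is exactly the collision a Message-ID-keyed store would silently merge. The sample messages and addresses are constructed for the example.

```python
import email
import hashlib
from collections import defaultdict
from email import policy

# Constructed sample messages: the first two share a Message-ID but have
# different bodies (Alice's real report and a content-free duplicate);
# the third is an unrelated message with its own id.
SAMPLE_MESSAGES = [
    b"From: alice@example.net\r\nTo: list@example.org\r\n"
    b"Message-ID: <abc123@example.net>\r\nSubject: Bug report\r\n\r\n"
    b"The build is broken on the release branch.\r\n",
    b"From: mallory@example.com\r\nTo: bob@example.org\r\n"
    b"Message-ID: <abc123@example.net>\r\nSubject: Bug report\r\n\r\n"
    b"\r\n",
    b"From: carol@example.net\r\nTo: list@example.org\r\n"
    b"Message-ID: <def456@example.net>\r\nSubject: Unrelated\r\n\r\n"
    b"Nothing to see here.\r\n",
]


def message_fingerprint(raw):
    """Return (message-id, sha256 of the text/plain body) for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    mid = (msg.get("Message-ID") or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    content = body.get_content() if body is not None else ""
    digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
    return mid, digest


def find_conflicting_message_ids(raw_messages):
    """Group messages by Message-ID and report ids whose bodies differ.

    Returns {message_id: number_of_distinct_bodies}, containing only the
    ids that map to more than one distinct body. Messages without a
    Message-ID are skipped, since there is nothing to collide on.
    """
    seen = defaultdict(set)
    for raw in raw_messages:
        mid, digest = message_fingerprint(raw)
        if mid:
            seen[mid].add(digest)
    return {mid: len(d) for mid, d in seen.items() if len(d) > 1}


if __name__ == "__main__":
    for mid, n in find_conflicting_message_ids(SAMPLE_MESSAGES).items():
        print(f"{mid}: {n} distinct bodies share this Message-ID")
```

Run over a real mailbox, a non-empty result is the signal that the Message-ID is no longer a safe primary key for those messages and the conflicting copies need to be kept apart rather than merged.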