a DoS vulnerability associated with conflated Message-IDs?

Daniel Kahn Gillmor

a DoS vulnerability associated with conflated Message-IDs?

notmuch currently treats all messages with the same Message-ID as
the same message.  I think this could be a vulnerability :(

If two messages have the same Message-ID, is there a guarantee of which
of these messages will be produced during a notmuch show?

Either way, it seems to create a potential DoS attack on notmuch users.

-------

The attack:

Let's say there is a public mailing list that Mallory knows
[hidden email] is subscribed to.  [hidden email] sends a message to
the public mailing list detailing some problem that Bob probably needs
to deal with.

Mallory can just craft a content-free e-mail (or a dozen?) with the same
Message-ID as Alice's message, and send it to [hidden email].

If Bob uses notmuch, he is much more likely to read one of Mallory's
bogus e-mails than to read Alice's original message.

Mallory's e-mail could also be crafted to look like spam, in the hopes
that Bob's spam-filtering scripts would mark the original message's
Message-ID as spam.

--------

I don't know how to fix this, and i'd be happy to hear if someone thinks
my analysis above is flawed and this isn't really a problem.

Any ideas on how to approach this?

       --dkg

_______________________________________________
notmuch mailing list
[hidden email]
http://notmuchmail.org/mailman/listinfo/notmuch

James Vasile

Re: a DoS vulnerability associated with conflated Message-IDs?

On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <[hidden email]> wrote:
> Any ideas on how to approach this?

Treat messages with the same ID but different hashes as different?

Daniel Kahn Gillmor

Re: a DoS vulnerability associated with conflated Message-IDs?

On 03/08/2012 12:04 PM, James Vasile wrote:
> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor<[hidden email]>  wrote:
>> Any ideas on how to approach this?
>
> Treat messages with the same ID but different hashes as different?

Given that a message hash would include all headers, including Received:
and other MTA-added stuff, i think that would remove all relevance of
the Message-ID field. In particular, it seems like we would just be
identifying messages by their digest.

If you're willing to ignore the headers and just look at a digest of the
body, that still doesn't provide any help for the common (legitimate)
case of a message jointly-delivered to a mailing list and to a specific
(already-subscribed) user.

That user will get two copies of the message, and since most mailing
lists modify the body of the message (usually by adding a footer section
with mailing list info) their bodies will also have different digests.

So i don't see how to make this suggestion work without giving up on
Message-IDs as the identifier entirely (and therefore accepting many
more spurious duplicates than users currently need to tolerate).

Any other suggestions or ideas?

        --dkg
Jeremy Nickurak

Re: a DoS vulnerability associated with conflated Message-IDs?

On Thu, Mar 8, 2012 at 10:16, Daniel Kahn Gillmor <[hidden email]> wrote:
> Any other suggestions or ideas?

What about representing the contents from both messages in one apparent message?

- Aggregate the headers together, perhaps?
- Where headers disagree, display both
- If the bodies disagree, display both.
Tom Prince

Re: a DoS vulnerability associated with conflated Message-IDs?

On Thu, 8 Mar 2012 10:38:32 -0700, Jeremy Nickurak <[hidden email]> wrote:
> On Thu, Mar 8, 2012 at 10:16, Daniel Kahn Gillmor <[hidden email]> wrote:
> > Any other suggestions or ideas?
>
> What about representing the contents from both message in one apparent message?
> - ...
> - If the bodies disagree, display both.

We'd probably need to do something like doing a diff. I find it annoying
enough displaying both text and html copies of a mail. Displaying two
copies of a message, just because one of them has a few extra lines as a
footer, would be equally annoying.

Maybe it would be enough to ignore the signature too, when comparing messages?
Peter Wang

Re: a DoS vulnerability associated with conflated Message-IDs?

On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <[hidden email]> wrote:
> notmuch currently treats all messages with the same Message-ID as
> the same message.  I think this could be a vulnerability :(
>
> If two messages have the same Message-ID, is there a guarantee of which
> of these messages will be produced during a notmuch show?
>
> Either way, it seems to create a potential DoS attack on notmuch users.

Yesterday I was expecting a confirmation message which, seemingly, never
came.  It turns out my maildir already contained a message from the
same system.  From three years ago.  With the same Message-ID.

Malice has nothing on incompetence.

Could we distinguish messages with identical Message-IDs based on
some header fields, e.g. Date, From?

Peter
David Bremner

Re: a DoS vulnerability associated with conflated Message-IDs?

Peter Wang <[hidden email]> writes:

> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <[hidden email]> wrote:
>> notmuch currently treats all messages with the same Message-ID as
>> the same message.  I think this could be a vulnerability :(
>>
>> If two messages have the same Message-ID, is there a guarantee of which
>> of these messages will be produced during a notmuch show?
>>
>> Either way, it seems to create a potential DoS attack on notmuch users.
>
> Yesterday I was expecting a confirmation message which, seemingly, never
> came.  It turns out my maildir already contained a message from the
> same system.  From three years ago.  With the same Message-ID.
>
> Malice has nothing on incompetence.
>
> Could we distinguish messages with identical Message-IDs based on
> some header fields, e.g. Date, From?

I wouldn't say this problem is fixed, but we are making some
progress. In master all copies of the file are now indexed. It still
needs various UI work before we can consider the problem really fixed,
but it is now technically possible to detect such an attack (since the
"good terms" are also indexed).

d
Daniel Kahn Gillmor

Re: a DoS vulnerability associated with conflated Message-IDs?

On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:

> Peter Wang <[hidden email]> writes:
>
>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor <[hidden email]> wrote:
>>> notmuch currently treats all messages with the same Message-ID as
>>> the same message.  I think this could be a vulnerability :(
>>>
>>> If two messages have the same Message-ID, is there a guarantee of which
>>> of these messages will be produced during a notmuch show?
>>>
>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>
>> Yesterday I was expecting a confirmation message which, seemingly, never
>> came.  It turns out my maildir already contained a message from the
>> same system.  From three years ago.  With the same Message-ID.
>>
>> Malice has nothing on incompetence.
>>
>> Could we distinguish messages with identical Message-IDs based on
>> some header fields, e.g. Date, From?
>
> I wouldn't say this problem is fixed, but we are making some
> progress. In master all copies of the file are now indexed. It still
> needs various UI work before we can consider the problem really fixed,
> but it is now technically possible to detect such an attack (since the
> "good terms" are also indexed).

otoh, we now enable some additional (perhaps weirder) attacks, like:

 * i can make someone else's mail show up in your mailbox with a search
   term of my choosing by sending you a new mail co-opting their
   message-id.

we definitely need some UI for dealing with this, and perhaps some
explicit de-duping logic or maintenance scripts would be useful too.

   --dkg
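Several suggestions in this thread (James's body hash, dkg's objection that list footers change the body, Tom's idea of ignoring the signature, Peter's From/Date comparison, and the closing call for explicit de-duping logic or maintenance scripts) amount to one audit check. The Python below is an added example for this thread, not notmuch's own code and not anything a poster wrote: it groups messages by Message-ID and, for every ID that occurs more than once, reports whether the copies agree on From, Date and a body digest taken before the signature delimiter and the mailing-list footer (the benign "list plus direct delivery" case) or disagree on one of those fields (the case worth surfacing to the user). The sample messages, the sender names and the assumption that a list footer is appended after a rule of underscores are all constructed for the example.

```python
"""Audit mail for Message-ID collisions (added example, not notmuch code)."""
import hashlib
import re
from collections import defaultdict
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Delimiters after which the rest of a body is ignored before hashing: the
# conventional "-- " signature separator and the underscore rule that list
# managers such as Mailman print above the footer they append (assumption:
# the footer comes after the original text, not before it).
TRAILER_RE = re.compile(r"^(-- ?|_{10,})$", re.MULTILINE)

# Constructed sample messages (not real mail).  Alice's note reaches Bob
# twice, directly and via the list (footer appended, extra Received header),
# and a third message from another sender reuses her Message-ID.
ALICE_DIRECT = """\
From: Alice <alice@example.org>
Date: Thu, 08 Mar 2012 10:00:00 -0500
Message-ID: <20120308.alice.1@example.org>
Subject: build server down

Bob, the build server has been down since 09:00.

-- 
Alice
"""

ALICE_VIA_LIST = """\
Received: from list.example.org by mx.example.org; Thu, 08 Mar 2012 10:01:12 -0500
From: Alice <alice@example.org>
Date: Thu, 08 Mar 2012 10:00:00 -0500
Message-ID: <20120308.alice.1@example.org>
Subject: [ops] build server down

Bob, the build server has been down since 09:00.

-- 
Alice
_______________________________________________
ops mailing list
ops@list.example.org
"""

BOGUS_SAME_ID = """\
From: Mallory <mallory@example.net>
Date: Thu, 08 Mar 2012 11:30:00 -0500
Message-ID: <20120308.alice.1@example.org>

Nothing to see here.
"""

UNRELATED = """\
From: Carol <carol@example.org>
Date: Thu, 08 Mar 2012 12:00:00 -0500
Message-ID: <20120308.carol.7@example.org>

Lunch at noon?
"""


def strip_trailer(text):
    """Return the body text up to the first signature or footer delimiter."""
    m = TRAILER_RE.search(text)
    return text[: m.start()] if m else text


def body_digest(msg):
    """SHA-256 of the first text/plain part, trailing whitespace and trailer removed."""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    lines = (line.rstrip() for line in strip_trailer(text).splitlines())
    return hashlib.sha256("\n".join(lines).strip().encode("utf-8")).hexdigest()


def fingerprint(msg):
    """The fields on which two copies sharing a Message-ID must agree."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    date = str(msg.get("Date", "")).strip()
    try:  # normalise so differing time zones for the same instant still match
        date = parsedate_to_datetime(date).isoformat()
    except (TypeError, ValueError):
        pass
    return {"from": sender, "date": date, "body": body_digest(msg)}


def find_collisions(raw_messages):
    """Map every Message-ID seen more than once to the fingerprints of its copies."""
    groups = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        mid = str(msg.get("Message-ID", "")).strip()
        if mid:  # a message with no Message-ID cannot be conflated with another
            groups[mid].append(fingerprint(msg))
    return {mid: fps for mid, fps in groups.items() if len(fps) > 1}


def classify(fingerprints):
    """("duplicate", []) when all copies agree; else ("conflict", differing fields)."""
    differing = sorted(k for k in ("from", "date", "body")
                       if len({fp[k] for fp in fingerprints}) > 1)
    return ("conflict", differing) if differing else ("duplicate", [])


def audit(raw_messages):
    """Verdict per colliding Message-ID, suitable for a maintenance report."""
    return {mid: classify(fps) for mid, fps in find_collisions(raw_messages).items()}


if __name__ == "__main__":
    for mid, (verdict, fields) in audit([ALICE_DIRECT, ALICE_VIA_LIST,
                                         BOGUS_SAME_ID, UNRELATED]).items():
        print(mid, verdict, ", ".join(fields) or "-")
```

Run against a real maildir, `raw_messages` would be the file contents and the report is what the UI work David mentions would have to present: a "duplicate" verdict is the list-plus-direct case and can be collapsed, while a "conflict" on From, Date or body means the copies are not the same message and the user should be shown which fields differ rather than one copy chosen at random.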