Re: a DoS vulnerability associated with conflated Message-IDs?

2022-07-30 Thread David Bremner
Daniel Kahn Gillmor  writes:

> On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:
>> Peter Wang  writes:
>>
>>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor  wrote:
>>>> notmuch currently treats all messages with the same Message-ID as
>>>> the same message.  I think this could be a vulnerability :(
>>>>
>>>> If two messages have the same Message-ID, is there a guarantee of which
>>>> of these messages will be produced during a notmuch show?
>>>>
>>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>>
>>> Yesterday I was expecting a confirmation message which, seemingly, never
>>> came.  It turns out my maildir already contained a message from the
>>> same system.  From three years ago.  With the same Message-ID.
>>>
>>> Malice has nothing on incompetence.
>>>
>>> Could we distinguish messages with identical Message-IDs based on
>>> some header fields, e.g. Date, From?
>>
>> I wouldn't say this problem is fixed, but we are making some
>> progress. In master all copies of the file are now indexed. It still
>> needs various UI work before we can consider the problem really fixed,
>> but it is now technically possible to detect such an attack (since the
>> "good terms" are also indexed).
>
> otoh, we now enable some additional (perhaps weirder) attacks, like:
>
>  * i can make someone else's mail show up in your mailbox with a search
>    term of my choosing by sending you a new mail co-opting their
>    message-id.
>
> we definitely need some UI for dealing with this, and perhaps some
> explicit de-duping logic or maintenance scripts would be useful too.
>
>    --dkg

There is now a simple UI for dealing with duplicate messages in the
emacs UI (as of commit 1ef7c75111b84ea19af3186ddc12f2ba434c93de, which
should be part of 0.37). 
___
notmuch mailing list -- notmuch@notmuchmail.org
To unsubscribe send an email to notmuch-le...@notmuchmail.org


Re: a DoS vulnerability associated with conflated Message-IDs?

2017-08-04 Thread Daniel Kahn Gillmor
On Fri 2017-08-04 16:42:54 -0400, David Bremner wrote:
> Peter Wang  writes:
>
>> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor  wrote:
>>> notmuch currently treats all messages with the same Message-ID as
>>> the same message.  I think this could be a vulnerability :(
>>> 
>>> If two messages have the same Message-ID, is there a guarantee of which
>>> of these messages will be produced during a notmuch show?
>>> 
>>> Either way, it seems to create a potential DoS attack on notmuch users.
>>
>> Yesterday I was expecting a confirmation message which, seemingly, never
>> came.  It turns out my maildir already contained a message from the
>> same system.  From three years ago.  With the same Message-ID.
>>
>> Malice has nothing on incompetence.
>>
>> Could we distinguish messages with identical Message-IDs based on
>> some header fields, e.g. Date, From?
>
> I wouldn't say this problem is fixed, but we are making some
> progress. In master all copies of the file are now indexed. It still
> needs various UI work before we can consider the problem really fixed,
> but it is now technically possible to detect such an attack (since the
> "good terms" are also indexed).

otoh, we now enable some additional (perhaps weirder) attacks, like:

 * i can make someone else's mail show up in your mailbox with a search
   term of my choosing by sending you a new mail co-opting their
   message-id.

we definitely need some UI for dealing with this, and perhaps some
explicit de-duping logic or maintenance scripts would be useful too.

   --dkg
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch


Re: a DoS vulnerability associated with conflated Message-IDs?

2017-08-04 Thread David Bremner
Peter Wang  writes:

> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor  wrote:
>> notmuch currently treats all messages with the same Message-ID as
>> the same message.  I think this could be a vulnerability :(
>> 
>> If two messages have the same Message-ID, is there a guarantee of which
>> of these messages will be produced during a notmuch show?
>> 
>> Either way, it seems to create a potential DoS attack on notmuch users.
>
> Yesterday I was expecting a confirmation message which, seemingly, never
> came.  It turns out my maildir already contained a message from the
> same system.  From three years ago.  With the same Message-ID.
>
> Malice has nothing on incompetence.
>
> Could we distinguish messages with identical Message-IDs based on
> some header fields, e.g. Date, From?

I wouldn't say this problem is fixed, but we are making some
progress. In master all copies of the file are now indexed. It still
needs various UI work before we can consider the problem really fixed,
but it is now technically possible to detect such an attack (since the
"good terms" are also indexed).

d


a DoS vulnerability associated with conflated Message-IDs?

2012-10-29 Thread Peter Wang
On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor  wrote:
> notmuch currently treats all messages with the same Message-ID as
> the same message.  I think this could be a vulnerability :(
> 
> If two messages have the same Message-ID, is there a guarantee of which
> of these messages will be produced during a notmuch show?
> 
> Either way, it seems to create a potential DoS attack on notmuch users.

Yesterday I was expecting a confirmation message which, seemingly, never
came.  It turns out my maildir already contained a message from the
same system.  From three years ago.  With the same Message-ID.

Malice has nothing on incompetence.

Could we distinguish messages with identical Message-IDs based on
some header fields, e.g. Date, From?

Peter


a DoS vulnerability associated with conflated Message-IDs?

2012-03-10 Thread Tom Prince
On Thu, 8 Mar 2012 10:38:32 -0700, Jeremy Nickurak  wrote:
> On Thu, Mar 8, 2012 at 10:16, Daniel Kahn Gillmor  wrote:
> > Any other suggestions or ideas?
> 
> What about representing the contents from both message in one apparent 
> message?
> - ...
> - If the bodies disagree, display both.

We'd probably need to do something like doing a diff. I find it annoying
enough displaying both text and html copies of a mail. Displaying two
copies of a message, just because one of them has a few extra lines as a
footer would be equally annoying.

Maybe it would be enough to ignore the signature too, when comparing messages?


a DoS vulnerability associated with conflated Message-IDs?

2012-03-08 Thread Daniel Kahn Gillmor
On 03/08/2012 12:04 PM, James Vasile wrote:
> On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor  wrote:
>> Any ideas on how to approach this?
>
> Treat messages with the same ID but different hashes as different?

Given that a message hash would include all headers, including Received: 
and other MTA-added stuff, i think that would remove all relevance of 
the Message-ID field. in particular, it seems like we would just be 
identifying messages by their digest.

If you're willing to ignore the headers and just look at a digest of the 
body, that still doesn't provide any help for the common (legitimate) 
case of a message jointly-delivered to a mailing list and to a specific 
(already-subscribed) user.

That user will get two copies of the message, and since most mailing 
lists modify the body of the message (usually by adding a footer section 
with mailing list info) their bodies will also have different digests.

So i don't see how to make this suggestion work without giving up on 
Message-IDs as the identifier entirely (and therefore accepting many 
more spurious duplicates than users currently need to tolerate).

Any other suggestions or ideas?

--dkg
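The comparison the two preceding messages argue about (Tom Prince's "ignore the signature when comparing", dkg's point that a digest over all headers is useless because of Received: and that list copies differ only by an appended footer, and Peter Wang's Date/From check) can be run over a set of messages as a detection pass. The script below is an added illustration for this thread and is not notmuch code; its messages are constructed samples on reserved example domains, and the two delimiters it strips before hashing (the RFC 3676 `-- ` signature separator and a line of underscores standing in for a Mailman-style footer rule) are assumptions about what the list software appends.

```python
"""Flag Message-ID collisions whose copies are not the same message.

Added example, not notmuch code.  A message delivered twice (directly and
via a list that appends a footer) must stay silent; a message from another
sender that reuses the Message-ID must be reported.
"""
import hashlib
import re
from collections import defaultdict
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Assumed delimiters: RFC 3676 signature separator and a Mailman-style
# footer rule.  Everything from the first match onward is dropped.
SIG_DELIM = re.compile(r"^-- ?$")
FOOTER_DELIM = re.compile(r"^_{3,}\s*$")

# Copies of one message carry the sender's Date: verbatim; a larger gap
# means a different message (Peter Wang's three-years-apart case).
DATE_SLACK_SECONDS = 600


def normalize_body(text: str) -> str:
    """Drop signature/footer sections and blank lines so that a list copy
    hashes the same as the direct copy."""
    kept = []
    for line in text.splitlines():
        if SIG_DELIM.match(line) or FOOTER_DELIM.match(line):
            break
        if line.strip():
            kept.append(line.rstrip())
    return "\n".join(kept)


def fingerprint(raw: str) -> dict:
    """Reduce one RFC 5322 message to the fields worth comparing.
    Received: and other MTA-added headers are deliberately not hashed."""
    msg = message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    date = msg.get("Date")
    return {
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "from": parseaddr(str(msg.get("From", "")))[1].lower(),
        "date": parsedate_to_datetime(str(date)) if date else None,
        "digest": hashlib.sha256(normalize_body(body).encode("utf-8")).hexdigest(),
    }


def find_conflicts(raw_messages) -> dict:
    """Group by Message-ID; return {message_id: [reasons]} for every group
    whose copies disagree on From, Date or normalized body."""
    groups = defaultdict(list)
    for raw in raw_messages:
        fp = fingerprint(raw)
        groups[fp["message_id"]].append(fp)
    conflicts = {}
    for mid, fps in groups.items():
        if len(fps) < 2:
            continue
        reasons = set()
        if len({fp["from"] for fp in fps}) > 1:
            reasons.add("from")
        if len({fp["digest"] for fp in fps}) > 1:
            reasons.add("body")
        dates = [fp["date"] for fp in fps if fp["date"] is not None]
        if dates and (max(dates) - min(dates)).total_seconds() > DATE_SLACK_SECONDS:
            reasons.add("date")
        if reasons:
            conflicts[mid] = sorted(reasons)
    return conflicts


# Constructed samples.  Direct copy from Alice, with a signature.
ALICE_DIRECT = "\n".join([
    "Message-ID: <20120308113709.1234@example.net>",
    "From: Alice <alice@example.net>",
    "To: bob@example.org",
    "Date: Thu, 08 Mar 2012 11:37:09 -0500",
    "",
    "Bob, the nightly backup has failed three nights running.",
    "-- ",
    "Alice",
    "",
])
# Same message relayed by the list: extra Received: header, footer appended.
ALICE_VIA_LIST = "\n".join([
    "Received: from lists.example.org by mail.example.org; Thu, 08 Mar 2012 11:38:02 -0500",
    "Message-ID: <20120308113709.1234@example.net>",
    "From: Alice <alice@example.net>",
    "To: ops@example.org",
    "Date: Thu, 08 Mar 2012 11:37:09 -0500",
    "",
    "Bob, the nightly backup has failed three nights running.",
    "-- ",
    "Alice",
    "_______________________________________________",
    "ops mailing list",
    "",
])
# A content-free message from another sender reusing Alice's Message-ID.
MALLORY_COPY = "\n".join([
    "Message-ID: <20120308113709.1234@example.net>",
    "From: Mallory <mallory@example.com>",
    "To: bob@example.org",
    "Date: Sat, 10 Mar 2012 09:00:00 -0500",
    "",
    "",
])
SAMPLE_MESSAGES = [ALICE_DIRECT, ALICE_VIA_LIST, MALLORY_COPY]

if __name__ == "__main__":
    for mid, reasons in find_conflicts(SAMPLE_MESSAGES).items():
        print(f"{mid}: copies disagree on {', '.join(reasons)}")
```

Run on the three samples, the Alice pair is reported as one message while the third copy is flagged for body, date and from. What a mail client should then show for such a group is the UI question the thread leaves open; the detection part only needs the body digest to ignore the parts a list is known to rewrite.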


a DoS vulnerability associated with conflated Message-IDs?

2012-03-08 Thread James Vasile
On Thu, 08 Mar 2012 11:37:09 -0500, Daniel Kahn Gillmor  wrote:
> Any ideas on how to approach this?

Treat messages with the same ID but different hashes as different?


a DoS vulnerability associated with conflated Message-IDs?

2012-03-08 Thread Daniel Kahn Gillmor
notmuch currently treats all messages with the same Message-ID as
the same message.  I think this could be a vulnerability :(

If two messages have the same Message-ID, is there a guarantee of which
of these messages will be produced during a notmuch show?

Either way, it seems to create a potential DoS attack on notmuch users.

---

The attack:

Let's say there is a public mailing list that Mallory knows
bob@example.org is subscribed to.  alice@example.net sends a message to
the public mailing list detailing some problem that Bob probably needs
to deal with.

Mallory can just craft a content-free e-mail (or a dozen?) with the same
Message-ID as Alice's message, and send it to bob@example.org.

If Bob uses notmuch, he is much more likely to read one of Mallory's
bogus e-mails than to read Alice's original message.

Mallory's e-mail could also be crafted to look like spam, in the hopes
that Bob's spamfiltering scripts would mark the original message's
Message-ID as spam.



I don't know how to fix this, and i'd be happy to hear if someone thinks
my analysis above is flawed and this isn't really a problem.

Any ideas on how to approach this?

   --dkg


a DoS vulnerability associated with conflated Message-IDs?

2012-03-08 Thread Jeremy Nickurak
On Thu, Mar 8, 2012 at 10:16, Daniel Kahn Gillmor  wrote:
> Any other suggestions or ideas?

What about representing the contents from both messages in one apparent message?

- Aggregate the headers together, perhaps?
- Where headers disagree, display both
- If the bodies disagree, display both.

