<<< Date Index >>>     <<< Thread Index >>>

Dangers of discarding duplicated messages



Some people use programs as part of their email delivery that 
automatically discard duplicate messages (e.g. sent to two mailing 
lists the receiver is both subscribed to) based on their Message-ID.

Currently, someone on linux-kernel automatically sends an email to 
everyone who sent an email to linux-kernel with the same Message-ID as 
the original email. If this email is faster than the original email 
(which happens quite often in this example), a program that 
automatically discards duplicate emails based on the message ID discards 
the original email.

But even more severe attacks are thinkable:

If you can guess the message ID (since many MUAs have predictable 
message IDs), an attacker C could use this to suppress a message from 
person A to person B by sending an email with the message ID to person B 
before person B gets the email from person A.

An example:

If person A uses a MUA that encodes only the current time in seconds 
plus a constant string (e.g. the hostname) in the Message-ID and
person B uses a spam filter after the discarding of the duplicate 
messages, attacker C could suppress any message person A would send to 
person B between 10 and 11 o'clock today by sending 3600 obvious [1] 
spam emails with all possible message IDs before 10 o'clock. Since the 
spam filter has catched the malicious emails it's quite possible that 
person B will not notice the 3600 emails.

It seems to be required that programs that automatically discard 
duplicate messages have to use a checksum over the body and part of the 
header of the emails instead of relying on the message ID.

cu
Adrian

[1] obvious for a spam filter

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed