Dangers of discarding duplicated messages
Some people use programs as part of their email delivery that
automatically discard duplicate messages (e.g. sent to two mailing
lists the receiver is both subscribed to) based on their Message-ID.
Currently, someone on linux-kernel automatically sends an email to
everyone who sent an email to linux-kernel with the same Message-ID as
the original email. If this email is faster than the original email
(which happens quite often in this example), a program that
automatically discards duplicate emails based on the message ID discards
the original email.
But even more severe attacks are thinkable:
If you can guess the message ID (since many MUAs have predictable
message IDs), an attacker C could use this to suppress a message from
person A to person B by sending an email with the message ID to person B
before person B gets the email from person A.
An example:
If person A uses a MUA that encodes only the current time in seconds
plus a constant string (e.g. the hostname) in the Message-ID and
person B uses a spam filter after the discarding of the duplicate
messages, attacker C could suppress any message person A would send to
person B between 10 and 11 o'clock today by sending 3600 obvious [1]
spam emails with all possible message IDs before 10 o'clock. Since the
spam filter has catched the malicious emails it's quite possible that
person B will not notice the 3600 emails.
It seems to be required that programs that automatically discard
duplicate messages have to use a checksum over the body and part of the
header of the emails instead of relying on the message ID.
cu
Adrian
[1] obvious for a spam filter
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed