Date: Thu, 17 Feb 2005 19:57:01 +0100
From: Adrian Bunk <bunk@...sta.de>
To: bugtraq@...urityfocus.com
Subject: Dangers of discarding duplicated messages


Some people use programs as part of their email delivery that 
automatically discard duplicate messages (e.g. sent to two mailing 
lists the receiver is both subscribed to) based on their Message-ID.

Currently, someone on linux-kernel automatically sends an email to 
everyone who sent an email to linux-kernel with the same Message-ID as 
the original email. If this email is faster than the original email 
(which happens quite often in this example), a program that 
automatically discards duplicate emails based on the message ID discards 
the original email.

But even more severe attacks are thinkable:

If you can guess the message ID (since many MUAs have predictable 
message IDs), an attacker C could use this to suppress a message from 
person A to person B by sending an email with the message ID to person B 
before person B gets the email from person A.

An example:

If person A uses a MUA that encodes only the current time in seconds 
plus a constant string (e.g. the hostname) in the Message-ID and
person B uses a spam filter after the discarding of the duplicate 
messages, attacker C could suppress any message person A would send to 
person B between 10 and 11 o'clock today by sending 3600 obvious [1] 
spam emails with all possible message IDs before 10 o'clock. Since the 
spam filter has caught the malicious emails it's quite possible that 
person B will not notice the 3600 emails.

It seems to be required that programs that automatically discard 
duplicate messages have to use a checksum over the body and part of the 
header of the emails instead of relying on the message ID.

cu
Adrian

[1] obvious for a spam filter

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
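
The checksum-based deduplication suggested in the post, compared with Message-ID deduplication, as an added example that is not part of the original message. The choice of hashed headers (From, Date, Subject), the helper names and all sample messages are assumptions constructed for illustration.

```python
import hashlib
from email import message_from_string

HASHED_HEADERS = ("From", "Date", "Subject")  # assumption: the "part of the header" to hash

def message_id_key(raw):
    """Dedup key used by the filters the post warns about."""
    return str(message_from_string(raw).get("Message-ID", "")).strip()

def content_key(raw):
    """SHA-256 over selected headers plus the body, ignoring transport headers."""
    raw = raw.replace("\r\n", "\n")
    msg = message_from_string(raw)
    h = hashlib.sha256()
    for name in HASHED_HEADERS:
        value = " ".join(str(msg.get(name, "")).split())  # unfold, collapse whitespace
        h.update(f"{name.lower()}:{value}\n".encode("utf-8", "replace"))
    body = raw.partition("\n\n")[2].strip()
    h.update("\n".join(line.rstrip() for line in body.split("\n")).encode("utf-8", "replace"))
    return h.hexdigest()

def deliver(stream, key):
    """Return messages in arrival order, dropping any whose key was already seen."""
    seen, kept = set(), []
    for raw in stream:
        k = key(raw)
        if k not in seen:
            seen.add(k)
            kept.append(raw)
    return kept

def make(list_id, sender, subject, body):
    # Constructed sample message; every copy carries the same Message-ID.
    return (f"List-Id: {list_id}\nFrom: {sender}\n"
            "Date: Thu, 17 Feb 2005 10:30:00 +0100\n"
            f"Subject: {subject}\nMessage-ID: <1108632600@host-a.example>\n\n{body}\n")

FORGED = make("", "c@example.net", "Cheap pills", "Obvious spam.")
ORIGINAL = make("<one.lists.example>", "a@example.org", "Review", "Patch attached.")
LIST_COPY = make("<two.lists.example>", "a@example.org", "Review", "Patch attached.")
ARRIVAL = [FORGED, ORIGINAL, LIST_COPY]  # the forged copy arrives first

if __name__ == "__main__":
    print(len(deliver(ARRIVAL, message_id_key)), len(deliver(ARRIVAL, content_key)))
```

Keyed on Message-ID, only the forged copy survives; keyed on content, the original is kept and only the second list copy is dropped. A list that rewrites the Subject or appends a footer changes the hash, so such copies would be delivered twice rather than lost.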


