lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200502182257.j1IMvtc18416@frodo.mcs.anl.gov>
Date: Fri, 18 Feb 2005 16:57:55 -0600
From: Gene Rackow <rackow@....anl.gov>
To: Maciej Soltysiak <maciej@...tysiak.com>
Cc: bugtraq@...urityfocus.com, rackow@....anl.gov
Subject: Re: Dangers of discarding duplicated messages


There are lots of other things that may need to be done to handle 
dealing with duplicated message-id's as well.  Note that the RFC's
mandate that the message-id is unique per message.

A number of IMAP packages use the message-id as a way of keeping
track of the message in the various folders.
Having messages with the message-id breaks the standards, may
cause problems in message handling, etc.

The problem is bigger than just the anti-spam packages out there.

>From the original message it was indicated that these many dups 
might be picked up by the AV/AS software on the server.  If it is,
the blocking of the message should happen before the message-id
gets entered into the users cache of delivered messages.  Therefore
the 1st non-spam message should still be able to get through to the
end user.

-_Gene


Maciej Soltysiak made the following keystrokes:
 >Hello Adrian,
 >
 >Thursday, February 17, 2005, 7:57:01 PM, you wrote:
 >
 >> It seems to be required that programs that automatically discard
 >> duplicate messages have to use a checksum over the body and part of the
 >> header of the emails instead of relying on the message ID.
 >Very interesting indeed Adrian.
 >So to sum it all up just for now, the advisories are two.
 >One for users, one for developers of MUAs.
 >
 >Users: Beware of the fact that automatic discarding of duplicated messages
 >       may result in you not getting the original mail in case someone exploi
 >  ts
 >       the effect Adrian depicted.
 >
 >Developers: Consider using checksum of the email messages, not only the
 >            Message-ID to distinguish between duplicated messages.
 >
 >Am I correct?
 >            
 >Fortunately I was never using this MUA feature - I just take care of the
 >duppies manually, which is not a big chore for me I must say.
 >
 >
 >-- 
 >Best regards,
 >Maciej Soltysiak
 >
 >
 >


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ