Hi all,

On Fri, Apr 17, 2020 at 07:59:01PM -0500, Derek Martin wrote:
> On Fri, Apr 17, 2020 at 02:24:22PM -0400, Remco Rijnders wrote:
> > The Message-ID that mutt generates is supposed to be unique. Up till now
> > mutt would generate this ID based on the current date and time, followed by
> > ".G", followed by a letter A to Z (A for the 1st and 27th email sent, Z for
> > the 26th, etc.), followed by the pid of the active mutt process, followed
> > by "@" and the configured hostname.
>
> This is utterly pointless. This may come off as harsh but please
> understand that's not intended. I just want to be completely clear
> here so there is no misunderstanding or equivocation.

Times are changing. In my impression subtleties can make a difference in
special situations nowadays, although this point doesn't get much of my
attention. But if there are people who care ... why not. There is a little
room for improvement. But my approach would be different, as I'd keep the
uniqueness of a sequence number but nevertheless maybe add a random
component, and after that send the part to the left of "@" through a hash
algorithm.

> None of the information you just listed is sensitive, and almost all
> of it is already REQUIRED to be present in the message:
>
> - The "hostname" is usually the sender's domain, not their actual
> hostname, unless left unconfigured in Mutt. Regardless of which
> thing it is, it's going to be all over the message headers for the
> vast majority of Mutt users. In those cases when it won't, the
> user's IP address will be in them at least once (and might be
> anyway, depending on how the user emits mail into the SMTP ether
> and who it is talking to). REQUIRED.

I found that if I sent with From: of another domain that it didn't affect
the MessageId, so indeed leaking some small part of information. Maybe I'm
lazy with my configuration, but as I'm not planning to spend much time
configuring those details it appears better to always use the domain of
From: (if not left out).

> - the PID is the only thing that could possibly be vaguely useful to
> an attacker, but only if they're already able to get onto the
> user's system, in which case finding out the PID will be trivial
> anyway. POINTLESS.

With small probability it could indicate whether your system was recently
started or Mutt is usually started right after system start.

> - From the sequential letter portion, you can only determine that the
> modulo 26 of the number of messages sent, not the number of
> messages. That's not useful information for anything, and I doubt
> the actual number of messages sent in a given mutt session reveals
> anything useful either, even if it were available--you still have
> no idea if the session has been running for 10 minutes or 10 years.
> MEANINGLESS.

With medium probability it could indicate whether it is among the first 26
messages of a session.

> I haven't reviewed the patch, but it does nothing useful, so my main
> objection is that taking the time to review it, let alone apply it, is
> a waste of anyone's time.

If touching this, I'd vote for completely eliminating even minor issues
here to get it done forever.

Kind regards,
Gero
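As an added illustration of the scheme Gero sketches above (a sequence number for uniqueness, a random component on top, the part left of "@" passed through a hash, and the domain taken from From: when present), the following Python is example code written for this discussion. It is not mutt's code and not anything posted in the thread. `legacy_local_part` rebuilds the old layout from Remco's description purely for comparison; the choice of SHA-256, truncation to 128 bits, a random per-session nonce standing in for the pid, and the exact set of hashed inputs are assumptions of this example, not a proposal anyone in the thread made.

```python
import hashlib
import secrets
import time
from email.utils import parseaddr
from typing import Optional


def legacy_local_part(now: int, sequence: int, pid: int) -> str:
    """Old-style local part as described by Remco: UTC timestamp, ".G",
    a letter cycling A..Z with the per-session message count, then the
    pid. Every input is readable straight from the header."""
    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
    letter = chr(ord("A") + (sequence - 1) % 26)
    return f"{stamp}.G{letter}{pid}"


def domain_for(from_header: Optional[str], fallback: str) -> str:
    """Use the domain of From: when one is present, otherwise the
    configured fallback (mutt's hostname setting in the discussion)."""
    if from_header:
        _, addr = parseaddr(from_header)
        if "@" in addr:
            domain = addr.rsplit("@", 1)[1].strip()
            if domain:
                return domain
    return fallback


class HashedMessageIdGenerator:
    """Sequence counter keeps IDs unique within a session, per-message
    randomness stops the counter from being inferred by differencing,
    and hashing hides all inputs from anyone reading the header."""

    def __init__(self, fallback_domain: str, session_nonce: Optional[bytes] = None):
        self.fallback_domain = fallback_domain
        # Assumption: a random per-session nonce replaces the pid so two
        # processes started in the same second still cannot collide.
        self.session_nonce = (
            session_nonce if session_nonce is not None else secrets.token_bytes(16)
        )
        self.sequence = 0

    def local_part(self, sequence: int, now: int, random_bytes: bytes) -> str:
        material = b"|".join(
            [
                self.session_nonce,
                str(sequence).encode("ascii"),
                str(now).encode("ascii"),
                random_bytes,
            ]
        )
        # 128 bits of SHA-256 output: short enough for a header, far too
        # large for accidental collisions.
        return hashlib.sha256(material).hexdigest()[:32]

    def next_id(
        self,
        from_header: Optional[str] = None,
        now: Optional[int] = None,
        random_bytes: Optional[bytes] = None,
    ) -> str:
        self.sequence += 1
        if now is None:
            now = int(time.time())
        if random_bytes is None:
            random_bytes = secrets.token_bytes(16)
        local = self.local_part(self.sequence, now, random_bytes)
        return f"<{local}@{domain_for(from_header, self.fallback_domain)}>"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real message.
    print(legacy_local_part(1587167941, 1, 12345))
    gen = HashedMessageIdGenerator("host.local")
    print(gen.next_id("Alice <alice@example.com>"))
    print(gen.next_id("Alice <alice@example.com>"))
```

The `now` and `random_bytes` parameters exist only so the output can be pinned in a test; in normal use they are left unset and the generator draws fresh randomness per message.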