On 2022-02-03, Stephen Duppe <shud...@REMOVE.yahoo.co.uk> wrote:
> In another thread I asked about the uniqueness of Message-ID headers and
> Jon R wrote:
>> Generally speaking, a Message-ID will usually be unique forever, not
>> least because there is no reason for an adversary to try and cause it
>> to be otherwise. But if you are thinking of creating a system which
>> would provide such a reason, then it would be wise to include extra
>> safeguards (e.g. at a minimum also mention the date of the post).
>
> Sadly it sounds as though there may be some scope for an adversary to
> cause confusion by posting a message carrying an already-used Message-ID
> after a few weeks or months.
>
> What scope is there for an adversary who in addition would also use a
> misleading Date: header, backdated by weeks or months, perhaps
> carrying the same data as the original Date: header?
>
> Would a reference such as the following be likely to take someone reliably
> to the correct message for the foreseeable future?
>
> Date: Thu, 3 Feb 2022 10:25:40 -0000 (UTC)
> Message-ID: <XnsAE336A13...@46.165.242.75>
I think so, yes. As time goes by they may find it harder to retrieve
the message, but I think they should always either find the correct
message or no message at all, never a different message. Deja News
used to have a function that allowed you to search its Usenet
archive by Message-ID, but since it got absorbed into Google Groups
I think that function has sadly disappeared.
> I'm wondering whether if someone were to post a different message carrying
> those same two headers a few weeks or months or years in the future it
> would get passed on by news servers or simply binned by reason of
> having an out of date Date: header?
Old Date headers cause the article to be rejected. Again this is
fundamental to how Usenet operates - if the server knows that it
keeps a log of all Message-IDs it has received in, say, the last
11 days, and also knows that it rejects all articles with a Date
header older than, say, 10 days, then it knows it will never get
in a situation whereby it accepts the same message twice.
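
Added example (not part of the original post): a toy Python model of the acceptance check described above, using the post's figures of a 10-day Date cutoff and an 11-day Message-ID history. The class name, the Message-ID and the arrival times are constructed for illustration and do not come from any real news server.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_AGE = timedelta(days=10)       # reject articles whose Date is older than this
HISTORY_KEEP = timedelta(days=11)  # remember received Message-IDs for this long


def parse_date(header):
    dt = parsedate_to_datetime(header)
    # A "-0000" zone parses as a naive datetime; treat it as UTC.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


class ToyServer:
    """Hypothetical server keeping only a Message-ID history and a Date cutoff."""

    def __init__(self):
        self.history = {}  # Message-ID -> arrival time

    def offer(self, message_id, date_header, now):
        # Expire history entries that have aged out of the retention window.
        self.history = {m: t for m, t in self.history.items()
                        if now - t <= HISTORY_KEEP}
        if now - parse_date(date_header) > MAX_AGE:
            return "rejected: Date too old"
        if message_id in self.history:
            return "rejected: duplicate Message-ID"
        self.history[message_id] = now
        return "accepted"


def demo():
    mid = "<constructed-id@example.invalid>"       # constructed Message-ID
    date = "Thu, 3 Feb 2022 10:25:40 -0000 (UTC)"  # Date value quoted in the post
    t0 = parse_date(date) + timedelta(minutes=1)   # constructed arrival time
    later = t0 + timedelta(days=90)
    server = ToyServer()
    return [
        server.offer(mid, date, t0),                       # original article
        server.offer(mid, date, t0 + timedelta(days=5)),   # same headers, ID still in history
        server.offer(mid, date, later),                    # same headers, history expired
        server.offer(mid, "Wed, 4 May 2022 10:25:40 +0000", later),  # same ID, current Date
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the history window is longer than the Date cutoff, a second article with the same Message-ID and the same Date is never accepted by this model; only one with a different, current Date gets through, which is the case a reference quoting both headers distinguishes.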