top | item 46993618

(no title)

fweimer | 17 days ago

The Gmail requirement is actually slightly different: the header must be present and unique. Gmail only keeps one copy of a message per user and message ID. Combined with a mail source that uses predictable message IDs (such as Github), you can abuse this to suppress delivery of certain messages to Gmail users.

discuss

realusername|17 days ago

Interesting, but what do you gain to send an email which you know will not land?

ZoneZealot|17 days ago

They mean to send an email in advance, with a message ID that would later be used in the target email. First email gets ignored, moved to spam, or not read yet. Then the target email gets sent with the predicable message ID, and gets bounced.

Comments on issues use the format <[OrgName]/[RepoName]/issues/[IssueNumber]/[CommentID]@github.com>

A mitigation to this would be to take the combination of message ID and the sending domain and use that as the unique value, because message ID is not guaranteed to actually contain a domain label that's owned by the sender.

For example SendGrid's message IDs are <[RandomValue]@geopod-ismtpd-[Integer]>.

fweimer|17 days ago

If I send it first, the real message won't get delivered. The real message could be be a newly reported security issue.