Python's email parser consumes a lot of resources (CPU and memory) when parsing emails with a large amount of MIME parts. Attackers can probably exploit this behavior to perform denial-of-service (DoS) attacks. A potentially malicious email has the following structure: ============================================= From: sender@example.com To: recipient@example.com Subject: Mutlipart DoS Attack MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="n" This is a multi-part message in MIME format. --n b --n ... a lot of parts here... --n b --n-- ============================================= On my machine parsing an email with 1 million MIME parts takes around 20 seconds and with 10 million MIME parts over 3 minutes. In my opinion, the number of MIME parts should be limited to some reasonable value to mitigate this kind of attack. The bug report contains a Python script with a proof-of-concept.
10 million mime parts? That sounds like the kind of thing rfc 1870 was designed to address in a more general fashion (ie: the SMTP server should be enforcing maximum message size if you are worried about DOS attacks). 1 million = 3 seconds, 10 million = "over three minutes" sounds like a linear increase, so I don't see that there is anything special about "mime parts" in this scenario. I have no objection to PRs making the parsing more efficient, though :)
