On Mon, 4 Mar 2002, dman wrote:
> On Mon, Mar 04, 2002 at 09:01:45PM -0500, Duncan Findlay wrote:
>| On Tue, Mar 05, 2002 at 08:49:10AM +0700, Olivier Nicole wrote:
>| > Me thinks it would even be a good thing if SA could verify the
>| > signature :)

[...]

> As I haven't figured out how to use gpg yet, what does mutt do with a
> message that doesn't verify?  

If it's sane, display it and tell you that verification failed.

> The nice part of having SA verify the signature is that bad messages
> are dropped before you look at them. 

That's a really bad idea. There are still a lot of pieces of software
out there that feel free to arbitrarily modify the body of messages,
especially mailing list software.

This means that many signed messages are invalid when they reach the end
user. Dropping them means losing an arbitrarily large number of false
positives.[1]


This, as an aside, is another reason why I think it's a /really/ bad
idea for SpamAssassin to rewrite messages because it feels like it. It
means that there is another piece of software arbitrarily corrupting
things...

        Daniel

Footnotes: 
[1]  I have /never/ actually seen a true negative with a PGP signed
     mail. Has /anyone/ had their messages tampered with like that?

-- 
A pedestal is as much a prison as any small space.
        -- Gloria Steinem

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
