Hi list,

Having read this list for a long time, I thought it could be my time to contribute something. :-)
> A message just slipped through, no text, just an image. It slipped through
> with a ridiculously low score, minus .6
>
> When I expanded the headers, I found that the message got through mostly
> because of the following.
>
> USER_AGENT_MSN (-2.3 points) Headers indicate valid mail from MSN
> PGP_SIGNATURE (-2.3 points) Contains a PGP-signed message
>
> I looked at the message, and found a fake PGP signature buried in the
> HTML! (See below!)
>
> <br><br>
> <p><font size="2" color=white>
> -----BEGIN PGP SIGNATURE-----
> i3A/A9UAPmf7ZbesiT+lEZdqEQJJ6QCeJcBgl19C3ErrfhM3h7z5Kg49xU89oKHG
> L79MJrvpvQ0ofECdfGbuRfwe
> =u41Z
> -----END PGP SIGNATURE-----
> <br>
[..]
> The fake signature was a cute idea. I think it has to be incorporated into
> the scoring. I'm worried about the gibberish though.

I could almost bet my left index finger on the fact that 99% of those PGP-signatures are invalid. This is something that SA could exploit. I tested some I found in my spam-collection: I extracted 10 PGP-signatures and ran them all through OpenPGP and PGP, and none of them were accepted, neither as signatures nor as public keys (they seem to send out public PGP-keys as well).

How about adding a simple check that runs gpg or pgp to see if the signature is valid at all? It could ignore the rest of the message and just concentrate on the PGP-data -- about just like SA runs DCC if found etc.

I think valid signatures are always detected at least as being valid, even if they are detached from the original context; take a look at this:

[EMAIL PROTECTED]:~/pgptest$ gpg --verbose valid_sig
gpg: armor header: Version: GnuPG v1.2.1 (GNU/Linux)
Detached signature.
Please enter name of data file: ^C
gpg: Interrupt caught ... exiting

[EMAIL PROTECTED]:~/pgptest$ gpg --verbose spam_sig
gpg: armor header: version: pgpfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
gpg: invalid radix64 character 2d skipped
gpg: invalid radix64 character 2d skipped
gpg: invalid radix64 character 2d skipped
gpg: invalid radix64 character 2d skipped
gpg: invalid radix64 character 2d skipped
gpg: invalid radix64 character 2d skipped
gpg: invalid radix64 character 2d skipped
gpg: invalid radix64 character 2d skipped
gpg: invalid radix64 character 2d skipped
gpg: invalid radix64 character 2d skipped
gpg: onepass_sig with unknown version 56
gpg: no valid OpenPGP data found.

[Sidenote: PGPFreeware seems to do its signature header like this: "Version: PGPfreeware 6.5.2 for non-commercial use", according to a quick Google-search]

Also, to add to the PGP-checking: to sign something, the signed part must start with a string like "-----BEGIN PGP SIGNED MESSAGE-----". I found this to be missing from every spam:

[EMAIL PROTECTED]:~/mail$ grep -- "-----BEGIN PGP SIGNED MESSAGE" spam|wc -l
0
[EMAIL PROTECTED]:~/mail$ ls -la spam
-rw------- 1 eran eran 22455452 Jun 26 17:26 spam

I think this is quite promising. Then again, the spammers will invent this quite quickly and add the BEGIN-statement, rendering this useless. Also, trying to find HTML-tags within the signature-data might prove to work (I think you cannot embed HTML into the signature)? Another trick that might work, or that could be used to lower the score, is to see if there is a </html> or similar tag after the --END PGP SIG-statement. When a clearsign is run on the message, I think the whole message is signed inside, and no HTML-gibberish is left outside.

Adding the signature-checking to SA using external utilities might prove difficult though, due to the variety of pgp/gpg/etc programs out there :-/ I'm not a perl-guru, but there might be some interfaces to PGP already available.

Just my 2c.
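As an added example (not code from the list post, and not SpamAssassin's own), here is a Python script that performs the structural checks discussed above without calling gpg at all: it locates the armored block, drops the armor header lines, requires the data to be valid radix64 (so a <br> inside it fails, just like the '-' characters gpg skipped above), recomputes the RFC 4880 CRC-24 against the =XXXX line, and notes when the message has no clearsigned part. The sample messages are constructed; the spam one reuses the fragment quoted in the thread with an HTML tag inserted into the armor, and the "clearsigned part missing" finding is only a weak hint, since a PGP/MIME detached signature lacks it too.

```python
import base64, binascii, re

ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----(.*?)-----END PGP SIGNATURE-----", re.S)
HEADER_RE = re.compile(r"^(Version|Comment|Charset|Hash|MessageID): ")

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packet: bytes) -> str:
    """Produce a well-formed armored signature block (used only to build the good sample)."""
    b64 = base64.b64encode(packet).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP SIGNATURE-----\nVersion: example\n\n{body}\n={crc}\n-----END PGP SIGNATURE-----\n"

def check_armor(msg: str) -> list:
    """Return the structural problems found in the first armored signature in msg ([] if it looks sound)."""
    m = ARMOR_RE.search(msg)
    if not m:
        return ["no armored PGP signature block"]
    problems = []
    if "-----BEGIN PGP SIGNED MESSAGE-----" not in msg:  # weak hint: PGP/MIME detached signatures lack it too
        problems.append("signature without a clearsigned message body")
    lines = [l.strip() for l in m.group(1).splitlines()]
    data = [l for l in lines if l and not HEADER_RE.match(l)]  # drop blank and armor-header lines
    if not data or not data[-1].startswith("="):
        return problems + ["missing =CRC24 line"]
    try:  # validate=True rejects anything outside the radix64 alphabet, e.g. '<br>' or '-'
        raw = base64.b64decode("".join(data[:-1]), validate=True)
        crc = int.from_bytes(base64.b64decode(data[-1][1:], validate=True), "big")
    except (binascii.Error, ValueError):
        return problems + ["armor data is not valid radix64"]
    if crc24(raw) != crc:
        problems.append("CRC24 does not match the armor data")
    return problems

# Constructed samples: a correctly armored dummy packet inside a clearsigned message, the same block with one radix64 character changed, and the fragment from the thread with a <br> inserted into the armor.
GOOD = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nhello\n" + armor(bytes([0x88, 0x01, 0x04]))
TAMPERED = GOOD.replace("\niAEE\n", "\njAEE\n")
SPAM = ("<p><font color=white>\n-----BEGIN PGP SIGNATURE-----\ni3A/A9UAPmf7ZbesiT+lEZdqEQJJ6QCeJcBgl19C3ErrfhM3h7z5Kg49xU89oKHG\n"
        "L79MJrvpvQ0ofECdfGbuRfwe<br>\n=u41Z\n-----END PGP SIGNATURE-----\n</font></body></html>\n")
```

Running check_armor over each sample gives [] for GOOD, a CRC mismatch for TAMPERED, and both the missing-clearsign hint and the radix64 failure for SPAM.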
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk