> I'll profess some degree of ignorance about PGP signatures, but does it matter if it's valid or not? Couldn't a spammer generate a perfectly valid PGP signature and use it in their messages to get the lower score?
Depends on how you define "valid": if it's just syntactical correctness you require, then, indeed, the PGP signature shouldn't generate a significant negative score. On the other hand, if you take it to mean "a valid PGP signature by a trusted signer", it definitely deserves a strong negative score. The problem with the 2nd definition is that it requires access to the reader's PGP keyring, so it'd be very hard or impossible to implement on a system-wide scale.

> IMHO, the PGP signature rule, like any of the MTA rules and any other rule that depends on everyone being "honest" in not monkeying around with the message or adding stuff that could be legitimate by "normal" users is one that shouldn't exist. Or at least not have such a ridiculously negative score.

Correct. This leaves us with two possible rules:

a) take an INVALID PGP signature (syntactically not correct, checksums don't match..) as a very strong SPAM indication and
b) even a syntactically correct PGP signature should only be given a negative score if the signer is known (pgp would output: good signature ...).

At least for the moment we're probably better off without both of them; actually trying to verify the PGP stuff looks to be too expensive time-wise to be worth the trouble.

Bye, Martin

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
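As an added illustration of rule (a) above, not code from the thread or from SpamAssassin: a Python check that an ASCII-armored PGP SIGNATURE block is syntactically well-formed and that its Radix-64 CRC-24 (RFC 4880 section 6) matches, scoring a broken block as spam and giving a merely well-formed one no credit. The score value and the `make_armor` helper that builds the constructed sample are assumptions; rule (b), "signer is known", needs a real verifier plus keyring and is deliberately not approximated.

```python
import base64
import binascii
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"
BAD_SIGNATURE_SCORE = 3.0  # assumed score for rule (a); not a SpamAssassin default


def crc24(data: bytes) -> int:
    """Radix-64 CRC-24 exactly as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def check_armor(text: str) -> str:
    """Return 'valid', 'bad_crc' or 'malformed' for an armored signature block."""
    lines = text.strip().splitlines()
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        return "malformed"
    body = lines[1:-1]
    if "" in body:  # armor headers (Version:, Comment:) end at the first blank line
        body = body[body.index("") + 1:]
    if len(body) < 2 or not re.fullmatch(r"=[A-Za-z0-9+/]{4}", body[-1]):
        return "malformed"  # CRC line must be '=' plus exactly 4 base64 chars
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        want = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    except (binascii.Error, ValueError):
        return "malformed"  # non-alphabet characters or bad padding
    return "valid" if crc24(data) == want else "bad_crc"


def pgp_score(text: str) -> float:
    """Rule (a): penalise broken blocks; never reward a merely well-formed one."""
    return BAD_SIGNATURE_SCORE if check_armor(text) != "valid" else 0.0


def make_armor(payload: bytes) -> str:
    """Build a syntactically valid armored block around arbitrary bytes (test input)."""
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", base64.b64encode(payload).decode(), "=" + crc, END])
```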