>       I'll profess some degree of ignorance about PGP signatures, but
>does it matter if it's valid or not?  Couldn't a spammer generate a
>perfectly valid PGP signature and use it in their messages to get the
>lower score?

Depends on how you define "valid": if it's just syntactical correctness you
require, then, indeed, the PGP signature shouldn't generate a significant
negative score.

On the other hand, if you take it to mean "a valid PGP signature by a trusted
signer", it definitely deserves a strong negative score. The problem with the
2nd definition is that it requires access to the reader's PGP keyring, so it'd
be very hard or impossible to implement on a system-wide scale.

>       IMHO, the PGP signature rule, like any of the MTA rules and any
>other rule that depends on everyone being "honest" in not monkeying
>around with the message or adding stuff that could be legitimate by
>"normal" users is one that shouldn't exist.  Or at least not
>have such a ridiculously negative score.

Correct. This leaves us with two possible rules: a) take an INVALID PGP
signature (syntactically not correct, checksums don't match...) as a very
strong SPAM indication and b) even a syntactically correct PGP signature
should only be given a negative score if the signer is known (PGP would
output: good signature ...). At least for the moment we're probably better
off without both of them; actually trying to verify the PGP stuff looks to be
too expensive time-wise to be worth the trouble.

Bye, Martin

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
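
The two candidate rules from Martin's reply, as an added example written for this page (standalone Python, not SpamAssassin's own Perl rule code). check_armored_signature() is rule (a): it parses the ASCII armor of a PGP SIGNATURE block, recomputes the RFC 4880 CRC-24 over the decoded data, and checks that the data begins with a signature packet header, without ever calling gpg. score_from_gpg_status() is rule (b), applied to the status lines gpg prints with --status-fd; the GOODSIG/BADSIG/ERRSIG/NO_PUBKEY keywords are real gpg output, but the score values are made-up, and the sample packet bytes and status lines embedded below are constructed, not a real signature or real gpg output.

```python
"""Rule (a): syntactic check of an armored PGP signature (armor framing,
base64, CRC-24, leading packet tag).  Rule (b): score gpg's verdict.
Added example, not SpamAssassin code.  Armor layout and CRC-24 per
RFC 4880 section 6; scores and sample data are invented for illustration.
"""
import base64
import binascii

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """CRC-24 used for the armor checksum line (RFC 4880, 6.1)."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_signature(packets: bytes) -> str:
    """Wrap raw packet bytes in a signature armor block with a correct CRC."""
    body = base64.b64encode(packets).decode("ascii")
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return f"{BEGIN}\n\n{body}\n={crc}\n{END}\n"


def check_armored_signature(text: str) -> str:
    """Classify the first PGP SIGNATURE armor block in text.

    Returns 'none' (no block), 'malformed' (bad framing or base64),
    'crc_mismatch' (checksum line disagrees with the data), 'not_signature'
    (data does not start with a signature packet header) or 'ok'.
    """
    lines = text.replace("\r\n", "\n").split("\n")
    if BEGIN not in lines:
        return "none"
    start = lines.index(BEGIN)
    try:
        end = lines.index(END, start + 1)
    except ValueError:
        return "malformed"
    block = lines[start + 1:end]
    # Armor headers such as "Version: ..." end at the first blank line.
    if "" not in block:
        return "malformed"
    data = block[block.index("") + 1:]
    if len(data) < 2 or not data[-1].startswith("="):
        return "malformed"
    try:
        packets = base64.b64decode("".join(data[:-1]), validate=True)
        crc_bytes = base64.b64decode(data[-1][1:], validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if len(crc_bytes) != 3 or int.from_bytes(crc_bytes, "big") != crc24(packets):
        return "crc_mismatch"
    # A packet header has bit 7 set; bit 6 selects new format (tag in the
    # low 6 bits) or old format (tag in bits 2-5).  A signature is tag 2.
    if not packets or not (packets[0] & 0x80):
        return "not_signature"
    tag = packets[0] & 0x3F if packets[0] & 0x40 else (packets[0] >> 2) & 0x0F
    return "ok" if tag == 2 else "not_signature"


def score_from_gpg_status(status_lines) -> float:
    """Rule (b): only GOODSIG (signer's key is in the local keyring) scores
    negative; BADSIG is strong spam evidence; an unknown key is neutral.
    Score magnitudes are illustrative, not SpamAssassin defaults."""
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            return -2.0
        if parts[1] == "BADSIG":
            return 3.0
        if parts[1] in ("NO_PUBKEY", "ERRSIG"):
            return 0.0
    return 0.0


# Constructed sample: old-format header byte for tag 2 (0x88) plus filler.
SAMPLE_PACKET = b"\x88\x03\x04\x00\x01"
SAMPLE_OK = armor_signature(SAMPLE_PACKET)
# Same armor with one data byte changed but the original CRC line kept.
SAMPLE_TAMPERED = SAMPLE_OK.replace(
    base64.b64encode(SAMPLE_PACKET).decode("ascii"),
    base64.b64encode(SAMPLE_PACKET[:-1] + b"\x02").decode("ascii"))
# Constructed status lines in the shape gpg --status-fd emits.
SAMPLE_GOODSIG = ["[GNUPG:] NEWSIG",
                  "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>"]
SAMPLE_NO_KEY = ["[GNUPG:] NEWSIG",
                 "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1 9",
                 "[GNUPG:] NO_PUBKEY 0123456789ABCDEF"]

if __name__ == "__main__":
    print(check_armored_signature(SAMPLE_OK), check_armored_signature(SAMPLE_TAMPERED))
    print(score_from_gpg_status(SAMPLE_GOODSIG), score_from_gpg_status(SAMPLE_NO_KEY))
```

Rule (a) is cheap because it touches no keyring and runs no gpg: a spammer can of course paste a syntactically perfect block, so its only job is to punish damaged or forged-looking armor. Rule (b) is where the cost lives: each message needs a gpg run against a keyring, and a key the filter has never seen (ERRSIG/NO_PUBKEY) earns nothing, which is the system-wide keyring problem the reply points out.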
