> >> I could almost bet my left index finger on the fact that 99%
> >> of those PGP-signatures are invalid. This is something that
> >> SA could exploit.
[..]
> I too have large gaps in the operation of PGP, but is it not tied to an
> email address or some other publicly available validation of the sender's
> identity?
> What is the point of using a key for non-repudiation if you can't identify
> who sent the message?

I did not mean verifying the authenticity of the sender or the message, but just a simple check to see if the data inside the PGP-signature is actually some sort of valid signature, or just some random ASCII crap. As I mentioned earlier, battling this I guess can only be done by checking if the PGP-data is valid (if it is a signature at all, or if it contains stuff like HTML-tags etc).

What Chris had done (changing the PGP-scoring to 0) also works, practically making the PGP-faking useless. :-)

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
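
The structural check described in the reply above, as an added example that is not part of the original message or of SpamAssassin's code: it tests whether the text between the PGP markers is base64, matches its armor checksum when one is present, and decodes to an OpenPGP signature packet (tag 2). It does not verify the signature cryptographically. Python is used here instead of SpamAssassin's Perl, and the function names and sample blocks are assumptions made for illustration.

```python
import base64
import re

ARMOR_RE = re.compile(r"-----BEGIN PGP SIGNATURE-----\r?\n(.*?)\r?\n"
                      r"-----END PGP SIGNATURE-----", re.S)

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def check_signature_block(text: str) -> str:
    """Return 'ok' or the reason the block cannot be a PGP signature."""
    m = ARMOR_RE.search(text)
    if not m:
        return "no armor"
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    if "" not in lines:               # armor headers must end with a blank line
        return "malformed armor"
    data = lines[lines.index("") + 1:]
    crc = data.pop()[1:] if data and re.fullmatch(r"=\S{4}", data[-1]) else None
    try:
        raw = base64.b64decode("".join(data), validate=True)
        want = base64.b64decode(crc, validate=True) if crc else None
    except ValueError:                # binascii.Error is a ValueError subclass
        return "not base64"           # HTML tags, spaces and the like land here
    if want is not None and want != crc24(raw).to_bytes(3, "big"):
        return "bad crc"
    if not raw or not raw[0] & 0x80:  # bit 7 is set on every packet header
        return "not an OpenPGP packet"
    tag = raw[0] & 0x3F if raw[0] & 0x40 else (raw[0] >> 2) & 0x0F
    return "ok" if tag == 2 else "not a signature packet"

# Constructed samples; armor() exists only to build them.
def armor(raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: example\n\n"
            f"{b64}\n={crc}\n-----END PGP SIGNATURE-----\n")
GOOD = armor(bytes([0x88, 0x04, 0x03, 0x05, 0x00, 0x01]))  # tag 2, dummy body
PLAIN_TEXT = armor(b"random ascii text")   # valid armor around plain text
HTML_JUNK = ("-----BEGIN PGP SIGNATURE-----\n\n<b>buy now</b>\n"
             "-----END PGP SIGNATURE-----\n")
```

A block that passes can still carry a forged or unverifiable signature, so the result only supports a spam score and says nothing about who signed the message.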