-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Robert,

Friday, June 27, 2003, 8:33:17 AM, you wrote:

>>> I could almost bet my left index finger on the fact that 99%
>>> of those PGP-signatures are invalid.
...
>> I'll profess some degree of ignorance about PGP signatures, but does
>> it matter if it's valid or not? Couldn't a spammer generate a
>> perfectly valid PGP signature and use it in their messages to get the
>> lower score?

RS> I too have large gaps in the operation of PGP, but is it not tied to
RS> an email address or some other publicly available validation of the
RS> sender's identity?

RS> What is the point of using a key for non-repudiation if you can't
RS> identify who sent the message?

Most definitely -- anyone who has a current PGP or equivalent installation can verify my signature, ensuring that a) it is a valid signature, b) it identifies my current email addresses (not the one I use most often for this list), and c) if you know the people who have signed/validated my key, then you can have a good confidence level that this message really came from me.

It shouldn't be too hard to identify a syntactically correct PGP signature. Those that are wrong or incomplete should get a high score (they might be the cause of human error, but are most likely forged).

Verifying the checksum of the signature (is the signature correct for the message) would most likely require a local PGP or equivalent installation, but it shouldn't be too hard for SA to call PGP, feed it the message, and get a response back. If invalid, give it a middling high score, and if valid give it maybe a -0.5 (extremely unlikely for spam, but technically not all that hard to incorporate).

Slightly more complex but certainly not hard should be to allow users to incorporate their recognized/confirmed identity checksums in local.cf or user_prefs.

For instance, I believe if you use PGP to verify my signature for this message, you'll find in the verification a line that looks like

> *** Signer: Robert Menschel <[EMAIL PROTECTED]> (0x38AA1D47)

The format, name, and even email address would be easily forged, but only someone who actually has my public key should be able to forge the hexadecimal identification.

If we added the ability to include lines in local.cf or user_prefs like

> validpgp 0x38AA1D47

(a list of space-separated hex numbers), then THOSE specific signatures could score strong negatives, similar to a whitelist. (I'd like to see the ability for each user to set their score, perhaps with a

> SCORE VALIDPGP -2.0

line in local.cf or user_prefs.)

We'd need to have an installation option, or a local.cf option, which allows this PGP overhead to be turned on or off (default off, assuming the installation doesn't have PGP).

It seems like this should be feasible. Any chance something like the syntax validation might be incorporated into 2.7, and the actual PGP interface into 3.0?

Bob Menschel

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPvzyvpebK8E4qh1HEQKOogCfbLNsP2wT8cFIgN4L/ktnqv5I30cAn259
y1tJ540sGzsrY3zJrkexff8V
=wf1J
-----END PGP SIGNATURE-----

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
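The two pieces Bob proposes, a syntax check of the signature block and a `validpgp` whitelist with a configurable `SCORE VALIDPGP`, can be sketched in a few dozen lines. The code below is an added example written for this page; it is not Bob's code and not part of SpamAssassin. It validates the ASCII armor (markers, headers, base64, the `=wf1J`-style CRC24 line), parses the fixed fields of the old-format version 3 signature packet that PGP 8.0 emits (the packet in Bob's own signature above decodes to key ID `979B2BC138AA1D47`, whose short form is the `0x38AA1D47` he quotes), reads the proposed config lines, and scores the message. The rule names `PGP_SIG_MALFORMED`, `PGP_SIG_INVALID`, `PGP_SIG_WELLFORMED`, `PGP_SIG_VALID` and the numbers 2.0 and 1.5 are assumptions; the post only gives -0.5 and -2.0. Cryptographic verification is left to an external tool such as `gpg --verify`, whose result the caller passes in as `crypto_verified`. One caveat matters for the whitelist idea: the key ID inside a signature packet is just eight bytes that any sender can write, so a `validpgp` match must only be credited after the signature has actually verified, and a 32-bit short ID is a weak identifier compared with the full key ID or fingerprint.

```python
import base64
import struct

SAMPLE_CONFIG = "validpgp 0x38AA1D47 0x0123ABCD\nscore VALIDPGP -2.0\n"  # constructed, in the proposed syntax
PAGE_SIGNATURE = """-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPvzyvpebK8E4qh1HEQKOogCfbLNsP2wT8cFIgN4L/ktnqv5I30cAn259
y1tJ540sGzsrY3zJrkexff8V
=wf1J
-----END PGP SIGNATURE-----"""  # the signature block from the message above, copied verbatim
SCORE_MALFORMED, SCORE_INVALID, SCORE_VALID_SIG = 2.0, 1.5, -0.5  # assumed; post says only "high", "middling high", -0.5

def crc24(data: bytes) -> int:
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def decode_armor(text: str):
    """Syntactic armor check (markers, headers, base64, CRC24) -> (packet or None, problems)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 4 or lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        return None, ["missing armor markers"]
    inner = lines[1:-1]
    if "" not in inner:
        return None, ["no blank line between armor headers and data"]
    blank = inner.index("")
    problems = [f"malformed armor header: {h!r}" for h in inner[:blank] if ":" not in h]
    data = [line for line in inner[blank + 1:] if line]
    if not data or not data[-1].startswith("="):
        return None, problems + ["missing CRC24 line"]
    try:
        packet = base64.b64decode("".join(data[:-1]), validate=True)
        crc = base64.b64decode(data[-1][1:], validate=True)
    except ValueError:
        return None, problems + ["invalid base64"]
    if len(crc) != 3 or int.from_bytes(crc, "big") != crc24(packet):
        problems.append("CRC24 mismatch")
    return packet, problems

def parse_v3_signature(packet: bytes) -> dict:
    """Fixed fields of an old-format version 3 signature packet (RFC 4880, 5.2.2)."""
    if len(packet) < 3 or packet[0] & 0xC0 != 0x80 or (packet[0] >> 2) & 0x0F != 2:
        raise ValueError("not an old-format OpenPGP signature packet")
    header = (2, 3, 5, None)[packet[0] & 0x03]  # length-type -> header size
    if header is None or len(packet) < header:
        raise ValueError("unsupported or truncated packet length")
    length = int.from_bytes(packet[1:header], "big")
    body = packet[header:header + length]
    if len(body) != length or length < 19 or body[0] != 3 or body[1] != 5:
        raise ValueError("not a complete version 3 signature packet")
    sig_type, created, key_id, pk_algo, hash_algo, _ = struct.unpack(">BI8sBBH", body[2:19])
    return {"sig_type": sig_type, "created": created, "pk_algo": pk_algo, "hash_algo": hash_algo,
            "key_id": key_id.hex().upper(), "key_id_short": key_id[-4:].hex().upper()}

def parse_config(text: str) -> dict:
    """Read the proposed 'validpgp <hex ids>' and 'score VALIDPGP <n>' lines."""
    cfg = {"validpgp": set(), "score_validpgp": -2.0}
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0].lower() == "validpgp":
            cfg["validpgp"].update((p[2:] if p[:2].lower() == "0x" else p).upper() for p in parts[1:])
        elif len(parts) == 3 and parts[0].lower() == "score" and parts[1].upper() == "VALIDPGP":
            cfg["score_validpgp"] = float(parts[2])
    return cfg

def score_message(armor_text: str, cfg: dict, crypto_verified=None):
    """(rule, score). crypto_verified is the outcome of an external check such as gpg --verify,
    run by the caller: True, False, or None when none was run. The validpgp list counts only
    after True, because the key ID inside the packet is plain bytes any sender can write."""
    packet, problems = decode_armor(armor_text)
    try:
        sig = parse_v3_signature(packet) if packet is not None and not problems else None
    except ValueError:
        sig = None
    if sig is None:
        return "PGP_SIG_MALFORMED", SCORE_MALFORMED
    if crypto_verified is None:
        return "PGP_SIG_WELLFORMED", 0.0
    if not crypto_verified:
        return "PGP_SIG_INVALID", SCORE_INVALID
    if sig["key_id_short"] in cfg["validpgp"]:
        return "VALIDPGP", cfg["score_validpgp"]
    return "PGP_SIG_VALID", SCORE_VALID_SIG

def constructed_armor(key_id: bytes) -> str:
    """Armor a constructed v3 DSA/SHA-1 packet with dummy 1-bit MPIs: well-formed, never verifies."""
    body = bytes([3, 5, 1]) + struct.pack(">I", 0x3EFCF2BE) + key_id + bytes([17, 2, 0, 0]) + b"\x00\x01\x01" * 2
    packet = bytes([0x89]) + struct.pack(">H", len(body)) + body
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP SIGNATURE-----\nVersion: example\n\n{b64}\n={crc}\n-----END PGP SIGNATURE-----\n"

if __name__ == "__main__":
    packet, problems = decode_armor(PAGE_SIGNATURE)
    print(problems or "armor ok", parse_v3_signature(packet))
    print(score_message(constructed_armor(bytes.fromhex("979B2BC138AA1D47")), parse_config(SAMPLE_CONFIG), True))
```

The syntax check alone costs no PGP installation, which fits the "default off" deployment Bob describes: `decode_armor` and `parse_v3_signature` can run everywhere, while the `crypto_verified` branch is only reached where a local verifier exists. Packets from newer implementations use version 4 signatures with a different layout, so a production check would need that branch as well.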