BTW, I have seen spam using a real person's PGP sig, cut and pasted from one of their messages.
> If we added the ability to include lines in local.cf or user_prefs like
>
> validpgp 0x38AA1D47
> (a list of space-separated hex numbers), then THOSE specific signatures
> could score strong negatives, similar to a whitelist. (I'd like to see
> the ability for each user to set their score, perhaps with a
>
> SCORE VALIDPGP -2.0
> line in local.cf or user_prefs.

Would you (or anyone else) really edit your config for each new correspondent who sends you a PGP-signed message? I doubt it, I'm afraid.

For PGP/GPG to be useful as an unforgeable bonus-points mechanism, it needs key distribution. We can no longer just say "it has *some* PGP signature" -- because spammers are actively forging them, cutting them from other mails, etc.

As far as I know the only way to really validate the sig is to (a) ensure the public key is on the keyring and (b) run pgp/gpg at that point.

--j.

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
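The validation described in the reply above (public key on the keyring, then run gpg), combined with the quoted `validpgp` allowlist idea, sketched as an added example that is not part of the original message or of SpamAssassin. The function names, the fingerprint and the sample status lines are constructed for illustration; `validpgp` exists only as the proposal quoted above.

```python
import subprocess

PREFIX = "[GNUPG:] "

def normalize(key_id):
    """'0x38AA1D47' -> '38AA1D47' (upper-case hex, no prefix)."""
    k = key_id.strip().upper()
    return k[2:] if k.startswith("0X") else k

def pgp_score(status_text, valid_ids, score=-2.0):
    """Return `score` only for a cryptographically valid signature made by
    an allowlisted key; 0.0 for anything else (bad, unknown key, no sig)."""
    wanted = {normalize(k) for k in valid_ids} - {""}
    fingerprints = []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        if fields[0] in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return 0.0  # forged, pasted or unverifiable: no bonus
        if fields[0] == "VALIDSIG" and len(fields) > 1:
            fingerprints.append(fields[1].upper())
    # Suffix match lets short IDs like 0x38AA1D47 work; listing full
    # 40-hex fingerprints is stricter, since short IDs can collide.
    if any(fp.endswith(w) for fp in fingerprints for w in wanted):
        return score
    return 0.0

def gpg_status(sig_path, body_path):
    """Run gpg against the local keyring and return its status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, body_path],
        capture_output=True, text=True)
    return proc.stdout

# Constructed gpg status output; the fingerprint is made up.
FPR = "0123456789ABCDEF0123456789ABCDEF38AA1D47"
GOOD = ("[GNUPG:] GOODSIG 89ABCDEF38AA1D47 Alice <alice@example.org>\n"
        f"[GNUPG:] VALIDSIG {FPR} 2003-06-12 1055376000 0 3 0 17 2 00 {FPR}\n")
# A signature block pasted onto a different body fails verification.
PASTED = "[GNUPG:] BADSIG 89ABCDEF38AA1D47 Alice <alice@example.org>\n"
# Signed by a key that is not on the local keyring.
NO_KEY = ("[GNUPG:] ERRSIG 89ABCDEF38AA1D47 17 2 00 1055376000 9\n"
          "[GNUPG:] NO_PUBKEY 89ABCDEF38AA1D47\n")
```

The score depends on gpg's verdict over the actual message body, so the mere presence of a signature block, or a key ID typed into a header, earns nothing.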