-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Justin,

Friday, June 27, 2003, 7:21:47 PM, you wrote:

JM> BTW, I have seen spam using a real person's PGP sig, cut and pasted from
JM> one of their messages.

Yes, and that's why just having a syntactically correct PGP sig shouldn't
get any significant negative score. It's too easy to put

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

at the beginning of a message, and

> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPvzyvpebK8E4qh1HEQKOogCfbLNsP2wT8cFIgN4L/ktnqv5I30cAn259
> y1tJ540sGzsrY3zJrkexff8V
> =wf1J
> -----END PGP SIGNATURE-----

at the end. That's why I'd suggest actually calling PGP and getting
verification that the signature is valid (its internal checksum matches
the contents of the message signed) before giving the message any
negative score.

And, since a spammer could then create a valid PGP key, create a spam,
sign the spam, and send it out, that score should be low, not very
strong. (Identical messages would trip other tests, as pointed out in
another message, but spammers apparently don't mind sending out 10 or 15
versions of the same message, hoping some will bypass tests others fail.)

The only strong negative would be for validated *and* identified senders.

>> If we added the ability to include lines in local.cf or user_prefs
>> like
>>
>> > validpgp 0x38AA1D47
>>
>> (a list of space-separated hex numbers), then THOSE specific
>> signatures could score strong negatives, similar to a whitelist. (I'd
>> like to see the ability for each user to set their score, perhaps with
>> a
>>
>> > SCORE VALIDPGP -2.0
>>
>> line in local.cf or user_prefs.

JM> Would you (or anyone else) really edit your config for each new
JM> correspondent who sends you a PGP-signed message? I doubt it,
JM> I'm afraid.

No, I wouldn't edit for each and every new PGP correspondent. But I
would for my major ones, six or seven people from whom I always want to
receive messages without delay. If they send me messages no matter how
spammy, their PGP signature would let the message through, without my
putting them into a whitelist.

JM> For PGP/GPG to be useful as an unforgeable bonus-points mechanism, it
JM> needs key distribution. We can no longer just say "it has *some*
JM> PGP signature" -- because spammers are actively forging them, cutting
JM> them from other mails, etc. As far as I know the only way to really
JM> validate the sig is to (a) ensure the public key is on the keyring
JM> and (b) run pgp/gpg at that point.

The emphasis is to *really* validate the sig. Just getting a checksum
(which can be done by using PGP without having the public key) is
sufficient to identify the great majority of bogus PGP signatures. And
yes, that should be only a small negative score.

I probably won't care about having the public key on a public keyring --
all I need is to know the hex codes of the few people I want to register
as "always valid" -- a whitelist which is harder for a spammer to work
through.

Bob Menschel

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPvz+a5ebK8E4qh1HEQLjnQCePV75jMetUgmXWd8m9t4EZWO5k+0AoK5o
+yqhN3ALnZ8yJwsdkuzkIx/I
=9OT7
-----END PGP SIGNATURE-----

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk