Greetings. Has anyone considered the utility of having SpamAssassin score based partly on the presence and validity of an OpenPGP signature, and on the trust of the OpenPGP key?
Here are some ideas:

1) So far I've never received any spam which has been digitally signed; on the other hand, I do receive some legitimate OpenPGP-signed mail. Therefore SA could decrease the score on the mere presence of a digital signature. (But see below.)

2) Because it's easy for spammers to generate an invalid signature, instead of just checking for a signature, SA could verify it by piping the message to the appropriate program (e.g., GnuPG). This would require some configuration on the part of the user. However, it would allow for more fine-tuned testing: the score could be decreased for a valid signature, and increased for an invalid one. We still have the problem that digital signatures are simply proof of identity and not proof of not being a spammer, so even a message with a valid signature might be spam. However, I think that in practice spammers are unlikely to sign their mails, for the following reasons:
   a) at the moment, most spammers don't know how to use OpenPGP tools;
   b) using the same OpenPGP ID for all mails makes it easy for blacklists and law enforcement authorities to positively identify them as coming from the same source; and
   c) generating a new OpenPGP ID for each spam is too time-consuming to be cost-effective (à la Hashcash).

3) One instance where checking a signature is probably always effective at stopping unwanted mail is in the case where the key has been revoked. Signing mail with a revoked key pretty much always signifies that the sender is not who he claims to be. Practically nobody wants to receive a message where the sender admits he is impersonating someone else.

4) Another instance where checking a signature is always effective is with whitelists and blacklists. Any spammer can forge a "From:" header to bypass a SA whitelist, but no spammer can produce a digital signature from a specific key unless he himself is the owner of that key. Therefore it would be good if SpamAssassin allowed the user to specify a set of trusted OpenPGP key IDs for which validly signed mail should be whitelisted. Likewise, if any spammer is stupid enough to use the same ID to sign all his spam, his key could be added to a blacklist.

Anyone care to discuss? Has anyone else prepared some SA rulesets which implement any of the above checks?

Regards,
Tristan

-- 
 _
 _V.-o  Tristan Miller [en,(fr,de,ia)]    ><  Space is limited
/ |`-'  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=   <>  In a haiku, so it's hard
(7_\\   http://www.nothingisreal.com/   ><  To finish what you
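The checks proposed in the post (pipe the message to GnuPG, penalise an invalid signature, penalise a revoked key, whitelist or blacklist by key) as an added example that is not part of the original post and is not a SpamAssassin plugin or ruleset. It parses GnuPG's machine-readable `--status-fd` lines (GOODSIG, BADSIG, REVKEYSIG, EXPKEYSIG, NO_PUBKEY, VALIDSIG, as documented in GnuPG's doc/DETAILS) into a score delta. The score values, the whitelist/blacklist contents, the `gpg` path and the sample status lines with their key IDs and fingerprints are all assumptions constructed for the example.

```python
"""Map GnuPG verification results to a SpamAssassin-style score adjustment.

Added example, not from the original post or from SpamAssassin.  The score
deltas, list contents and sample status lines below are assumed/constructed.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Illustrative score deltas (negative = more ham-like).  Values are assumed.
SCORE_WHITELISTED = -10.0   # valid signature from a key the user trusts
SCORE_BLACKLISTED = 10.0    # valid signature from a known spammer key
SCORE_GOOD_UNKNOWN = -0.5   # valid signature, key on neither list
SCORE_BAD_SIG = 2.0         # signature present but does not verify
SCORE_REVOKED = 3.0         # valid signature, but the key has been revoked
SCORE_NEUTRAL = 0.0         # no signature, or no public key to check it with


@dataclass
class Verdict:
    status: str                        # GOODSIG, BADSIG, REVKEYSIG, EXPKEYSIG, NO_PUBKEY or NOSIG
    keyid: Optional[str] = None        # long key ID as printed by gpg
    fingerprint: Optional[str] = None  # primary-key fingerprint from VALIDSIG
    uid: Optional[str] = None


def normalize_fpr(fpr: str) -> str:
    """Fingerprints may be typed with spaces or lower case; compare canonically."""
    return fpr.replace(" ", "").upper()


def parse_gpg_status(lines: Iterable[str]) -> Verdict:
    """Reduce `gpg --status-fd` output to a single verdict for the message."""
    verdict = Verdict(status="NOSIG")
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable noise, not a status line
        parts = line[len(STATUS_PREFIX):].split()
        tag = parts[0]
        if tag in ("GOODSIG", "BADSIG", "REVKEYSIG", "EXPKEYSIG"):
            verdict.status, verdict.keyid = tag, parts[1]
            verdict.uid = " ".join(parts[2:]) or None
        elif tag == "NO_PUBKEY":
            verdict.status, verdict.keyid = tag, parts[1]
        elif tag == "VALIDSIG":
            # Emitted alongside GOODSIG/EXPKEYSIG/REVKEYSIG.  parts[1] is the
            # signing (sub)key fingerprint; newer gpg appends the primary key's
            # fingerprint as the last field, which is what a user would list.
            verdict.fingerprint = normalize_fpr(parts[-1] if len(parts) >= 11 else parts[1])
    return verdict


def score_signature(verdict: Verdict, whitelist: Set[str], blacklist: Set[str]) -> Tuple[float, str]:
    """Return (score delta, reason).  Lists hold full fingerprints: a short
    key ID is not unique, so a whitelist must never be keyed on one."""
    if verdict.status == "NOSIG":
        return SCORE_NEUTRAL, "no OpenPGP signature"
    if verdict.status == "NO_PUBKEY":
        # Unverifiable: a signature block alone proves nothing, so stay neutral.
        return SCORE_NEUTRAL, f"signature by {verdict.keyid} could not be checked"
    if verdict.status == "BADSIG":
        return SCORE_BAD_SIG, f"signature by {verdict.keyid} does not verify"
    if verdict.status == "REVKEYSIG":
        return SCORE_REVOKED, f"valid signature from revoked key {verdict.keyid}"
    # GOODSIG or EXPKEYSIG: cryptographically valid, so the fingerprint is authoritative.
    fpr = verdict.fingerprint or ""
    if fpr in blacklist:
        return SCORE_BLACKLISTED, f"valid signature from blacklisted key {fpr}"
    if fpr in whitelist:
        return SCORE_WHITELISTED, f"valid signature from whitelisted key {fpr}"
    if verdict.status == "EXPKEYSIG":
        return SCORE_NEUTRAL, f"valid signature from expired key {fpr}"
    return SCORE_GOOD_UNKNOWN, f"valid signature from unknown key {fpr}"


def gpg_verify_inline(message: bytes, gpg: str = "gpg") -> Verdict:
    """Pipe a clearsigned/inline-signed message to GnuPG, as the post suggests.
    PGP/MIME mail needs the detached form (gpg --verify sig.asc body) instead."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1", "--verify"],
        input=message, capture_output=True, check=False,
    )
    return parse_gpg_status(proc.stdout.decode("utf-8", "replace").splitlines())


# Constructed sample status output with placeholder key IDs/fingerprints.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_VALIDSIG = "[GNUPG:] VALIDSIG " + TRUSTED_FPR + " 2004-03-20 1079784000 0 4 0 17 2 00 " + TRUSTED_FPR
GOOD_STATUS = [
    "gpg: Signature made Sat Mar 20 12:00:00 2004 UTC",  # non-status line, ignored
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.org>",
    _VALIDSIG,
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
REVOKED_STATUS = ["[GNUPG:] NEWSIG",
                  "[GNUPG:] REVKEYSIG 89ABCDEF01234567 Alice Example <alice@example.org>", _VALIDSIG]
BAD_STATUS = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 89ABCDEF01234567 Alice Example <alice@example.org>"]
NO_KEY_STATUS = ["[GNUPG:] NEWSIG", "[GNUPG:] NO_PUBKEY FEDCBA9876543210"]

if __name__ == "__main__":
    for name, status in (("good", GOOD_STATUS), ("revoked", REVOKED_STATUS),
                         ("bad", BAD_STATUS), ("no key", NO_KEY_STATUS)):
        print(name, score_signature(parse_gpg_status(status), {TRUSTED_FPR}, set()))
```

Two points a practitioner would want beyond the post: an unverifiable signature (NO_PUBKEY) is scored neutral rather than as a bonus, since a spammer can paste any signature block, and the whitelist is keyed on the full fingerprint taken from VALIDSIG rather than on the key ID shown next to GOODSIG, because key IDs are truncations and are not unique.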