The point of the GPG sig check is to verify the authenticity of the source of the rules you're downloading. To get in the frame of mind as to what it means to skip this, consider what it would mean to have an unknown (obviously malicious) person masquerade as your wife/husband for a while. What might happen? If it goes undetected, there's probably very little you wouldn't reveal to them, little you wouldn't do for them, and they could do almost anything to you.
Let's see... worst case scenario... Someone poisons the DNS caches near you (given the fairly recently announced huge vulnerability here, it would be a good idea security-wise to consider this "trivial"). Alternatively, someone cracks one of the channel servers directly, or fools them into accepting illicit rules. Your sa-update downloads the bad rules (either from the right server that has been compromised, or from the wrong server altogether). You're not checking the GPG key, so it happily downloads and installs the tainted rules. These rules do a few things: 1) They deliberately score all emails with big negative scores, thus destroying your spam filtering completely until you sort it out. This might be a bit too detectable for them, so instead maybe they settle for altering the scores on all the stock rules, making all sorts of things wrong. Either way, your filtering is going to be bad for a while. Really bad. Maybe they invert all the scores... scoring spam low and ham high. 2) Since you're basically downloading code that SA will run, let's say they've discovered a vulnerability in SA or Perl that allows them to run arbitrary perl code from these rules. They do so, and the arbitrary code they run downloads a rootkit and opens a reverse shell on a random port. The attacker connects to it and is logged in as root on your SA server. They use this hole to listen in on all traffic flowing through this box and in a short while have acquired all sorts of private information. They exploit any IP-based trust relationships it has with your other workstations/servers. Your whole network (or at least the part containing the SA server) is rootkitted, botnetted, and initiates mass spamming and worm propagation to the Internet. A few systems are completely destroyed (formatted, registries corrupted, whatever). In short, your entire IT infrastructure is completely hosed because you weren't checking the authenticity of code you were downloading and running on a regular basis. 
Okay, so (2) is a bit far-fetched. There's nothing there that isn't doable by anyone who cared enough to do it though. This might be fun to do on a honeypot machine, but it's not something I'd do willingly on any machine I was actually using for a legitimate purpose. Downloading and running unknown/untrusted code is just... a bad idea. :)

Jake

On Fri, Dec 26, 2008 at 2:44 PM, <jida...@jidanni.org> wrote:
> So what's the worst thing that could happen to me with sa-update
> --nogpg? Just a little more spam getting through? Ha!
>
>> If you would just follow instructions, you wouldn't need --nogpg
>
> Yes, well, let's just say things didn't work out, and we want to use
> --nogpg just for that risky feel. Like smoking cigarettes or
> something. So what's the worst thing that could happen, our mailbox
> getting cancer?
>
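As an added illustration of the check that --nogpg switches off (written for this thread, not taken from the reply above or from SpamAssassin's own sa-update code): a fail-closed verifier that runs gpg against a dedicated keyring and treats the rules archive as installable only when the signature is valid and comes from an allow-listed key. The trusted fingerprint and the sample status lines are constructed placeholders; the gpg `--status-fd` keywords (VALIDSIG, BADSIG, NO_PUBKEY, ...) are real.

```python
"""Fail-closed GPG verification of a downloaded rules archive.

Added example, not SpamAssassin code. It parses gpg's --status-fd output
instead of trusting the exit code alone, and it rejects signatures from
keys that are valid but not on our allow-list."""
import subprocess
from typing import Iterable, Set, Tuple

# Constructed placeholder: replace with the fingerprint(s) of the rules-signing
# key(s) you deliberately imported into a dedicated keyring.
TRUSTED_FINGERPRINTS = {"0000000000000000000000000000000000000001"}

# Any of these status keywords means "do not install", whatever else gpg says.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def decide(status_lines: Iterable[str],
           trusted: Set[str] = TRUSTED_FINGERPRINTS) -> Tuple[bool, str]:
    """Return (accept, reason) for gpg --status-fd output lines.

    Accept only when a VALIDSIG line names a trusted fingerprint and no fatal
    keyword appears. "The signature checks out" is not the same as "signed by
    the people we trust", so an unknown-but-valid key is rejected too."""
    valid_fprs = []
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue  # gpg's human-readable chatter, not a status record
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL:
            return False, "gpg reported " + keyword
        if keyword == "VALIDSIG" and len(fields) > 2:
            valid_fprs.append(fields[2].upper())  # full signing-key fingerprint
    for fpr in valid_fprs:
        if fpr in trusted:
            return True, "valid signature from trusted key " + fpr
    if valid_fprs:
        return False, "valid signature, but from a key we do not trust"
    return False, "no valid signature found"


def verify_archive(archive: str, sig: str, keyring: str) -> bool:
    """Run gpg against a dedicated keyring; True means the caller may install."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig, archive],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return False  # never install on a gpg failure of any kind
    ok, why = decide(proc.stdout.splitlines())
    print(why)
    return ok
```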