RobertH wrote: > i was reading at > > http://www.karan.org/blog/ > > specifically > > http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam > > that he recv'd a "gpg signed spam email" > > ive never heard of that before yet i havent thought much about it or studied > it... > > Q: is this unheard of, or common? > > near as i can quickly investigate, it doesnt appear to be common as per > "papa google" [sic]. > > comments? feedback? > > just trying to get up on the curve now.
Well, let's put it this way: A long, long time ago, SA had a rule in the default set, giving negative score to PGP and GPG signed messages. Quickly, spammers started adding enough fragments of a signature to match the rule. This was very obvious, as the rule only matched the begin clause, and the spams had a begin clause dropped at the bottom of the message, with no end clause. The rule could have been modified to validate the signature, but of course, anyone can GPG sign a message and have it be valid, and the spammers probably would have done so if the rule changed. Therefore, the rule was dropped from the set entirely. GPG signatures only validate that the sender has the private key that matches the public one signing the email. Like SPF, and many other "authentication only" technologies, this doesn't tell you anything about the sender. Even perfect authentication at best only provides confirmation of who the sender is, and most of these technologies only prove a sender is the proper owner holder of some abstract identity like a key or domain. Authentication needs to be paired with recognition to be meaningful. If a sender proves who they are, will you immediately accept the email without further question? What if they just proved they were Alan Ralsky? http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky Moral of the story: don't assign negative scores to systems that only provide authentication, unless you're somehow pairing it with proof the sender is someone you actually trust (or at least is trusted by a service you trust, etc). Ever notice that the negative score of SPF_PASS is insignificantly small, there's a reason for that.. Spammers can pass SPF too, so by itself, it's meaningless. But paired with your explicit trust of a domain or sender, it provides forgery resistant whitelisting (whitelist_from_spf).
