RobertH wrote:
> i was reading at
>
> http://www.karan.org/blog/
>
> specifically
>
> http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam
>
> that he recv'd a "gpg signed spam email"
>
> I've never heard of that before, yet I haven't thought much about it or studied
> it...
>
> Q: is this unheard of, or common?
>
> Near as I can quickly investigate, it doesn't appear to be common as per
> "papa google" [sic].
>
> comments? feedback?
>
> just trying to get up on the curve now.

Well, let's put it this way:

A long, long time ago, SA had a rule in the default set, giving negative
score to PGP and GPG signed messages. Quickly, spammers started adding
enough fragments of a signature to match the rule. This was very
obvious, as the rule only matched the begin clause, and the spams had a
begin clause dropped at the bottom of the message, with no end clause.

The rule could have been modified to validate the signature, but of
course, anyone can GPG sign a message and have it be valid, and the
spammers probably would have done so if the rule changed. Therefore, the
rule was dropped from the set entirely.

GPG signatures only validate that the sender has the private key that
matches the public one signing the email. Like SPF, and many other
"authentication only" technologies, this doesn't tell you anything about
the sender. Even perfect authentication at best only provides
confirmation of who the sender is, and most of these technologies only
prove a sender is the proper holder of some abstract identity like
a key or domain.

Authentication needs to be paired with recognition to be meaningful.  If
a sender proves who they are, will you immediately accept the email
without further question? What if they just proved they were Alan Ralsky?

http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky


Moral of the story: don't assign negative scores to systems that only
provide authentication, unless you're somehow pairing it with proof the
sender is someone you actually trust (or at least is trusted by a
service you trust, etc).

Ever notice that the negative score of SPF_PASS is insignificantly
small? There's a reason for that. Spammers can pass SPF too, so by
itself, it's meaningless. But paired with your explicit trust of a
domain or sender, it provides forgery-resistant whitelisting
(whitelist_from_spf).
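To put both points of the reply side by side (the retired begin-clause-only PGP rule that spammers gamed, and the "authentication plus explicit trust" pairing behind whitelist_from_spf), here is a small scoring toy. It is an added example, not code from the original post or from SpamAssassin itself: the three sample messages are constructed, the rule names mirror SpamAssassin's but the score values are assumed, and the whitelist match only looks at the From: header (real whitelist_from_spf also considers Sender: and the envelope sender).

```python
"""Toy scorer in the spirit of the SpamAssassin behaviour described above.

Added example, not code from the original post or from SpamAssassin.
Rule names, score values and sample messages are constructed here.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

# --- constructed sample messages (not real mail) --------------------------

# A spam that pastes only the armor header, the way the retired rule was gamed.
# Note it also passes SPF for its own domain: spammers can authenticate too.
SPAM_WITH_ARMOR_FRAGMENT = """\
From: Deals <promo@spammer.example>
Received-SPF: pass (mx.example.org: domain of promo@spammer.example designates 192.0.2.10 as permitted sender)
Subject: Cheap meds

BUY NOW!!!
-----BEGIN PGP SIGNATURE-----
"""

# Legitimate mail from a partner domain we have chosen to trust; SPF passes.
HAM_FROM_TRUSTED_PARTNER = """\
From: Alice <alice@partner.example>
Received-SPF: pass (mx.example.org: domain of alice@partner.example designates 198.51.100.5 as permitted sender)
Subject: Re: contract

Signed copy attached.
"""

# The same trusted address forged from an unauthorized host; SPF fails.
FORGED_TRUSTED_PARTNER = """\
From: Alice <alice@partner.example>
Received-SPF: fail (mx.example.org: domain of alice@partner.example does not designate 203.0.113.7 as permitted sender)
Subject: Re: contract

Wire the money to this new account instead.
"""

BEGIN_CLAUSE = re.compile(r"^-----BEGIN PGP SIGNATURE-----$", re.M)
END_CLAUSE = re.compile(r"^-----END PGP SIGNATURE-----$", re.M)

# Illustrative scores (assumed values): authentication alone is worth next to
# nothing, authentication plus explicit trust is worth a lot, and the old
# begin-clause bonus is the kind of thing spammers farmed.
SCORES = {
    "PGP_BEGIN_ONLY": -2.0,
    "SPF_PASS": -0.001,
    "USER_IN_SPF_WHITELIST": -100.0,
}


def body_of(raw):
    return message_from_string(raw).get_payload()


def naive_pgp_rule_hits(raw):
    """The retired rule: matches the begin clause only, so one pasted line suffices."""
    return bool(BEGIN_CLAUSE.search(body_of(raw)))


def armor_looks_complete(raw):
    """Begin and end clauses in order. Catches the lazy fragment, but still says
    nothing about who signed: anyone can produce a valid signature."""
    body = body_of(raw)
    begin, end = BEGIN_CLAUSE.search(body), END_CLAUSE.search(body)
    return bool(begin and end and end.start() > begin.end())


def spf_result(raw):
    """First token of Received-SPF: pass, fail, softfail, neutral, none, ..."""
    header = message_from_string(raw).get("Received-SPF", "")
    return header.split(None, 1)[0].lower() if header.strip() else "none"


def from_address(raw):
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()


def in_spf_whitelist(addr, patterns):
    """whitelist_from_spf-style glob match ('*' and '?'), case-insensitive."""
    return any(fnmatchcase(addr, pattern.lower()) for pattern in patterns)


def score(raw, whitelist, naive_rule_enabled=False):
    """Return (rules hit, total). SPF pass on its own is nearly worthless; it
    only becomes meaningful when the authenticated sender is one we trust."""
    hits = []
    if spf_result(raw) == "pass":
        hits.append("SPF_PASS")
        if in_spf_whitelist(from_address(raw), whitelist):
            hits.append("USER_IN_SPF_WHITELIST")
    if naive_rule_enabled and naive_pgp_rule_hits(raw):
        hits.append("PGP_BEGIN_ONLY")
    return hits, round(sum(SCORES[h] for h in hits), 3)


if __name__ == "__main__":
    trusted = ["*@partner.example"]
    for name, raw in [("armor fragment spam", SPAM_WITH_ARMOR_FRAGMENT),
                      ("partner ham", HAM_FROM_TRUSTED_PARTNER),
                      ("forged partner", FORGED_TRUSTED_PARTNER)]:
        print(name, "| old rule:", score(raw, trusted, naive_rule_enabled=True),
              "| paired:", score(raw, trusted))
```

With the old rule enabled the armor-fragment spam collects the PGP bonus on top of its SPF_PASS; with only the pairing in place it gets the negligible SPF_PASS and nothing else, the partner's mail gets the large whitelist bonus, and the forged partner mail gets nothing at all because the whitelist entry is never consulted without an SPF pass.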