There's a very good chance the GPG signature in this case was fake,
i.e. a cut-and-paste job.

--j.

On Sat, Jun 27, 2009 at 19:05, Matt Kettler <mkettler...@verizon.net> wrote:
> RobertH wrote:
>> I was reading at
>>
>> http://www.karan.org/blog/
>>
>> specifically
>>
>> http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam
>>
>> that he received a "gpg signed spam email"
>>
>> I've never heard of that before, yet I haven't thought much about it or
>> studied it...
>>
>> Q: is this unheard of, or common?
>>
>> As near as I can quickly investigate, it doesn't appear to be common as per
>> "papa google" [sic].
>>
>> Comments? Feedback?
>>
>> Just trying to get up on the curve now.
>
> Well, let's put it this way:
>
> A long, long time ago, SA had a rule in the default set, giving negative
> score to PGP and GPG signed messages. Quickly, spammers started adding
> enough fragments of a signature to match the rule. This was very
> obvious, as the rule only matched the begin clause, and the spams had a
> begin clause dropped at the bottom of the message, with no end clause.
>
> The rule could have been modified to validate the signature, but of
> course, anyone can GPG sign a message and have it be valid, and the
> spammers probably would have done so if the rule changed. Therefore, the
> rule was dropped from the set entirely.
>
> GPG signatures only validate that the sender has the private key that
> matches the public one signing the email. Like SPF, and many other
> "authentication only" technologies, this doesn't tell you anything about
> the sender. Even perfect authentication at best only provides
> confirmation of who the sender is, and most of these technologies only
> prove a sender is the proper holder of some abstract identity like
> a key or domain.
>
> Authentication needs to be paired with recognition to be meaningful.  If
> a sender proves who they are, will you immediately accept the email
> without further question? What if they just proved they were Alan Ralsky?
>
> http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky
>
>
> Moral of the story: don't assign negative scores to systems that only
> provide authentication, unless you're somehow pairing it with proof the
> sender is someone you actually trust (or at least is trusted by a
> service you trust, etc).
>
> Ever notice that the negative score of SPF_PASS is insignificantly
> small? There's a reason for that. Spammers can pass SPF too, so by
> itself, it's meaningless. But paired with your explicit trust of a
> domain or sender, it provides forgery resistant whitelisting
> (whitelist_from_spf).

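To make Matt's argument concrete, here is an added example in Python (not code from the thread, nor SpamAssassin's own rules) showing why a rule keyed on the begin clause alone is gamed by a pasted fragment, and what "authentication paired with recognition" looks like as scoring logic. The sample messages are constructed, and `verify` is a stand-in hook for an external signature check such as `gpg --verify`.

```python
import re

# Constructed sample messages (not taken from the thread). The second one
# reproduces the trick Matt describes: a lone "begin" clause pasted at the
# bottom of the spam, with no end clause and no signature data behind it.
SIGNED_MSG = """From: alice@example.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Meeting moved to 3pm.
-----BEGIN PGP SIGNATURE-----
<constructed placeholder for base64 signature data>
-----END PGP SIGNATURE-----
"""

SPAM_MSG = """From: deals@example.net
Buy now!!!
-----BEGIN PGP SIGNATURE-----
"""

BEGIN_RE = re.compile(r"^-----BEGIN PGP SIGNATURE-----$", re.M)
BLOCK_RE = re.compile(
    r"^-----BEGIN PGP SIGNATURE-----\n.+?\n-----END PGP SIGNATURE-----$",
    re.M | re.S)


def naive_score(msg):
    """The old SA-style rule: any begin clause earns the negative score."""
    return -1.0 if BEGIN_RE.search(msg) else 0.0


def structural_score(msg):
    """Require a complete begin/end block. Defeats cut-and-paste fragments,
    but still gives credit to anyone who can produce a valid signature."""
    return -1.0 if BLOCK_RE.search(msg) else 0.0


def paired_score(msg, trusted_signers, verify):
    """Authentication paired with recognition: the block must be complete,
    verify(msg) (stand-in for gpg --verify; returns the signer's key id or
    None) must succeed, and the signer must be on an explicit trust list.
    A valid signature from an unknown signer earns nothing."""
    if not BLOCK_RE.search(msg):
        return 0.0
    signer = verify(msg)
    if signer is None or signer not in trusted_signers:
        return 0.0
    return -1.0
```

The spam sample scores the same as the genuinely signed one under `naive_score`, gets nothing under `structural_score`, and under `paired_score` even a verified signature only counts when the signer is already trusted.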