there's a very good chance the GPG signature in this case was fake -- i.e. a cut-and-paste job.
--j.

On Sat, Jun 27, 2009 at 19:05, Matt Kettler<mkettler...@verizon.net> wrote:
> RobertH wrote:
>> I was reading at
>>
>> http://www.karan.org/blog/
>>
>> specifically
>>
>> http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam
>>
>> that he recv'd a "gpg signed spam email".
>>
>> I've never heard of that before, yet I haven't thought much about it or studied
>> it...
>>
>> Q: is this unheard of, or common?
>>
>> Near as I can quickly investigate, it doesn't appear to be common as per
>> "papa google" [sic].
>>
>> Comments? Feedback?
>>
>> Just trying to get up on the curve now.
>
> Well, let's put it this way:
>
> A long, long time ago, SA had a rule in the default set, giving a negative
> score to PGP and GPG signed messages. Quickly, spammers started adding
> enough fragments of a signature to match the rule. This was very
> obvious, as the rule only matched the begin clause, and the spams had a
> begin clause dropped at the bottom of the message, with no end clause.
>
> The rule could have been modified to validate the signature, but of
> course, anyone can GPG sign a message and have it be valid, and the
> spammers probably would have done so if the rule changed. Therefore, the
> rule was dropped from the set entirely.
>
> GPG signatures only validate that the sender has the private key that
> matches the public one signing the email. Like SPF, and many other
> "authentication only" technologies, this doesn't tell you anything about
> the sender. Even perfect authentication at best only provides
> confirmation of who the sender is, and most of these technologies only
> prove a sender is the proper holder of some abstract identity like
> a key or domain.
>
> Authentication needs to be paired with recognition to be meaningful. If
> a sender proves who they are, will you immediately accept the email
> without further question? What if they just proved they were Alan Ralsky?
>
> http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky
>
> Moral of the story: don't assign negative scores to systems that only
> provide authentication, unless you're somehow pairing it with proof the
> sender is someone you actually trust (or at least is trusted by a
> service you trust, etc).
>
> Ever notice that the negative score of SPF_PASS is insignificantly
> small? There's a reason for that. Spammers can pass SPF too, so by
> itself, it's meaningless. But paired with your explicit trust of a
> domain or sender, it provides forgery-resistant whitelisting
> (whitelist_from_spf).
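As an added illustration (not code from the thread or from SpamAssassin), the Python below contrasts the begin-clause-only rule Matt describes with a structural check for a complete clearsigned block, and then gates any negative score on an explicit sender trust list, the same pairing he points to with whitelist_from_spf. The message texts, the address list and the signature armor are constructed samples; the structural check is not cryptographic verification, which would mean running the message through gpg against a key you already trust.

```python
# Armor markers of an inline (clearsigned) OpenPGP message (RFC 4880, section 7).
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def begin_clause_only(body: str) -> bool:
    """The old-style rule: fire on the begin clause alone.

    A single pasted line at the bottom of a spam is enough to match it,
    which is exactly the abuse described in the thread.
    """
    return BEGIN_SIG in body


def well_formed_clearsigned(body: str) -> bool:
    """Structural check: all three armor lines present, in order, with a
    non-empty signature body between BEGIN and END.

    This is still NOT cryptographic verification. Anyone holding any key can
    produce a block that passes here; it only defeats the cut-and-paste trick.
    """
    i = body.find(BEGIN_SIGNED)
    j = body.find(BEGIN_SIG)
    k = body.find(END_SIG)
    if -1 in (i, j, k) or not (i < j < k):
        return False
    armor = body[j + len(BEGIN_SIG):k].strip()
    return bool(armor)


def score_message(body: str, from_addr: str, trusted_senders, bonus: float = -2.0) -> float:
    """Give a negative score only when the block is well formed AND the sender
    is one we have explicitly chosen to trust (the whitelist_from_spf idea).

    Authentication without recognition scores zero: a valid-looking signature
    from an unknown sender tells us nothing about whether we want the mail.
    """
    if not well_formed_clearsigned(body):
        return 0.0
    if from_addr.lower() not in {s.lower() for s in trusted_senders}:
        return 0.0
    return bonus


# Constructed sample messages; the signature armor is a placeholder, not real output of gpg.
SPAM_FRAGMENT = """Buy now!!!
-----BEGIN PGP SIGNATURE-----
"""

SIGNED_BODY = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Meeting moved to 3pm.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEplaceholderplaceholderplaceholderplaceholder=
=abcd
-----END PGP SIGNATURE-----
"""

# Constructed trust list: senders we have decided to recognise, not just authenticate.
TRUSTED = {"alice@example.org"}


if __name__ == "__main__":
    for label, body, sender in (
        ("spam fragment, trusted sender", SPAM_FRAGMENT, "alice@example.org"),
        ("complete block, trusted sender", SIGNED_BODY, "alice@example.org"),
        ("complete block, unknown sender", SIGNED_BODY, "unknown@example.net"),
    ):
        print(f"{label}: begin-only={begin_clause_only(body)} "
              f"well-formed={well_formed_clearsigned(body)} "
              f"score={score_message(body, sender, TRUSTED)}")
```

The first case shows why the original rule was easy to game: the begin-only check fires on the fragment while the structural check does not. The third case is the thread's moral in code: a complete, plausibly valid block from a sender you do not recognise earns no bonus at all.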