True, it likely is. But it would also be trivial for the spammer to
generate a valid one.

Given what we've seen with the image spams in the past (custom generated
image for *every* email with random font, size, color, offset, and
randomized dots added on), computational power is hardly an obstacle.

As before, you might be able to write a plugin to check the signature
and assign positive points if it is invalid, but I don't know if that
would work long enough to be worthwhile.

Justin Mason wrote:
> there's a very good chance the GPG signature in this case was fake --
> ie. a cut-and-paste job.
>
> --j.
>
> On Sat, Jun 27, 2009 at 19:05, Matt Kettler <mkettler...@verizon.net> wrote:
>   
>> RobertH wrote:
>>     
>>> i was reading at
>>>
>>> http://www.karan.org/blog/
>>>
>>> specifically
>>>
>>> http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam
>>>
>>> that he recv'd a "gpg signed spam email"
>>>
>>> I've never heard of that before, yet I haven't thought much about it or studied
>>> it...
>>>
>>> Q: is this unheard of, or common?
>>>
>>> near as I can quickly investigate, it doesn't appear to be common as per
>>> "papa google" [sic].
>>>
>>> comments? feedback?
>>>
>>> just trying to get up on the curve now.
>>>       
>> Well, let's put it this way:
>>
>> A long, long time ago, SA had a rule in the default set, giving negative
>> score to PGP and GPG signed messages. Quickly, spammers started adding
>> enough fragments of a signature to match the rule. This was very
>> obvious, as the rule only matched the begin clause, and the spams had a
>> begin clause dropped at the bottom of the message, with no end clause.
>>
>> The rule could have been modified to validate the signature, but of
>> course, anyone can GPG sign a message and have it be valid, and the
>> spammers probably would have done so if the rule changed. Therefore, the
>> rule was dropped from the set entirely.
>>
>> GPG signatures only validate that the sender has the private key that
>> matches the public one signing the email. Like SPF, and many other
>> "authentication only" technologies, this doesn't tell you anything about
>> the sender. Even perfect authentication at best only provides
>> confirmation of who the sender is, and most of these technologies only
>> prove a sender is the proper holder of some abstract identity like
>> a key or domain.
>>
>> Authentication needs to be paired with recognition to be meaningful.  If
>> a sender proves who they are, will you immediately accept the email
>> without further question? What if they just proved they were Alan Ralsky?
>>
>> http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky
>>
>>
>> Moral of the story: don't assign negative scores to systems that only
>> provide authentication, unless you're somehow pairing it with proof the
>> sender is someone you actually trust (or at least is trusted by a
>> service you trust, etc).
>>
>> Ever notice that the negative score of SPF_PASS is insignificantly
>> small? There's a reason for that: spammers can pass SPF too, so by
>> itself, it's meaningless. But paired with your explicit trust of a
>> domain or sender, it provides forgery-resistant whitelisting
>> (whitelist_from_spf).
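The thread makes three points that are easy to see in code: a rule that only matches the begin clause of a PGP signature is trivially gamed by pasting that one line, a structural check catches that cut-and-paste variant, and even a cryptographically valid signature should only lower a score when the signing key is one you explicitly trust (the same logic as whitelist_from_spf). The script below is an added illustration, not SpamAssassin code or anything posted in the thread. The three message bodies are constructed samples, and the `signature_verified` and `signer_fingerprint` inputs to `pgp_score` are assumed to come from a real verifier such as gpg run elsewhere; no cryptographic verification is done here.

```python
"""Added example: why an armor-fragment rule is gamed, how a structural
check differs, and why authentication alone earns no negative score."""
import re
from typing import FrozenSet, Optional

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample bodies (not real mail from the thread).
GENUINE = (
    f"{BEGIN_SIGNED}\nHash: SHA256\n\nLunch on Friday?\n"
    f"{BEGIN_SIG}\n\niQEzBAEBCAAdFiEEexampleexampleexample\n=AbCd\n{END_SIG}\n"
)
# The cut-and-paste variant Matt describes: only the begin clause, dropped
# at the bottom of the message, with no end clause.
FRAGMENT_SPAM = "BUY NOW cheap pills\n\n" + BEGIN_SIG + "\n"
PLAIN_SPAM = "BUY NOW cheap pills\n"

_B64_LINE = re.compile(r"^[A-Za-z0-9+/=]+$")


def old_rule_hits(body: str) -> bool:
    """Behaviour of the long-dropped rule: match the begin clause only.

    This is what spammers gamed; it fires on GENUINE and FRAGMENT_SPAM alike.
    """
    return re.search(r"^-----BEGIN PGP SIGNATURE-----\s*$", body, re.M) is not None


def armor_is_complete(body: str) -> bool:
    """Structural check: signed-message header, begin clause and end clause
    must all be present, in that order, with non-empty base64 armor between
    the begin and end clauses. This still says nothing about validity or
    about who signed; it only rejects the pasted-fragment trick."""
    lines = body.splitlines()
    try:
        i_signed = lines.index(BEGIN_SIGNED)
        i_begin = lines.index(BEGIN_SIG)
        i_end = lines.index(END_SIG)
    except ValueError:
        return False
    if not (i_signed < i_begin < i_end):
        return False
    # Drop the blank separator and any "Key: value" armor headers.
    armor = [ln for ln in lines[i_begin + 1:i_end] if ln and ":" not in ln]
    return bool(armor) and all(_B64_LINE.match(ln) for ln in armor)


def pgp_score(
    body: str,
    signature_verified: bool = False,
    signer_fingerprint: Optional[str] = None,
    trusted_fingerprints: FrozenSet[str] = frozenset(),
) -> float:
    """Score contribution of a PGP signature.

    Assumption: signature_verified / signer_fingerprint come from a real
    verifier (e.g. gpg) run outside this function. Authentication by itself
    never lowers the score, because anyone, including a spammer, can produce
    a valid signature. Only authentication paired with explicit trust of the
    signing key earns a negative score, mirroring whitelist_from_spf.
    """
    if not armor_is_complete(body):
        return 0.0
    if signature_verified and signer_fingerprint in trusted_fingerprints:
        return -5.0  # hypothetical score value, chosen for illustration
    return 0.0


if __name__ == "__main__":
    trusted = frozenset({"EXAMPLEFINGERPRINT0001"})
    for name, body in (("genuine", GENUINE), ("fragment", FRAGMENT_SPAM), ("plain", PLAIN_SPAM)):
        print(f"{name:9s} old_rule={old_rule_hits(body)!s:5s} "
              f"complete={armor_is_complete(body)!s:5s} "
              f"score_untrusted={pgp_score(body, True, 'SOMEONEELSE', trusted):+.1f} "
              f"score_trusted={pgp_score(body, True, 'EXAMPLEFINGERPRINT0001', trusted):+.1f}")
```

Run as a script it prints one line per sample: the old rule fires on both the genuine message and the pasted fragment, the structural check fires only on the genuine one, and the score goes negative only when the (assumed) verified signature belongs to a key in the trusted set.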
