True, it likely is. But it would also be trivial for the spammer to generate a valid one.
Given what we've seen with the image spams in the past (a custom-generated image for *every* email with random font, size, color, offset, and randomized dots added on), computational power is hardly an obstacle. As before, you might be able to write a plugin to check the signature and assign positive points if it is invalid, but I don't know if that would work long enough to be worthwhile.

Justin Mason wrote:
> there's a very good chance the GPG signature in this case was fake --
> ie. a cut-and-paste job.
>
> --j.
>
> On Sat, Jun 27, 2009 at 19:05, Matt Kettler<mkettler...@verizon.net> wrote:
>
>> RobertH wrote:
>>
>>> I was reading at
>>>
>>> http://www.karan.org/blog/
>>>
>>> specifically
>>>
>>> http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam
>>>
>>> that he recv'd a "gpg signed spam email"
>>>
>>> I've never heard of that before, yet I haven't thought much about it or studied
>>> it...
>>>
>>> Q: is this unheard of, or common?
>>>
>>> near as I can quickly investigate, it doesn't appear to be common as per
>>> "papa google" [sic].
>>>
>>> comments? feedback?
>>>
>>> just trying to get up on the curve now.
>>>
>> Well, let's put it this way:
>>
>> A long, long time ago, SA had a rule in the default set, giving a negative
>> score to PGP and GPG signed messages. Quickly, spammers started adding
>> enough fragments of a signature to match the rule. This was very
>> obvious, as the rule only matched the begin clause, and the spams had a
>> begin clause dropped at the bottom of the message, with no end clause.
>>
>> The rule could have been modified to validate the signature, but of
>> course, anyone can GPG sign a message and have it be valid, and the
>> spammers probably would have done so if the rule changed. Therefore, the
>> rule was dropped from the set entirely.
>>
>> GPG signatures only validate that the sender has the private key that
>> matches the public one signing the email. Like SPF, and many other
>> "authentication only" technologies, this doesn't tell you anything about
>> the sender. Even perfect authentication at best only provides
>> confirmation of who the sender is, and most of these technologies only
>> prove a sender is the proper owner or holder of some abstract identity like
>> a key or domain.
>>
>> Authentication needs to be paired with recognition to be meaningful. If
>> a sender proves who they are, will you immediately accept the email
>> without further question? What if they just proved they were Alan Ralsky?
>>
>> http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky
>>
>> Moral of the story: don't assign negative scores to systems that only
>> provide authentication, unless you're somehow pairing it with proof the
>> sender is someone you actually trust (or at least is trusted by a
>> service you trust, etc).
>>
>> Ever notice that the negative score of SPF_PASS is insignificantly
>> small? There's a reason for that. Spammers can pass SPF too, so by
>> itself, it's meaningless. But paired with your explicit trust of a
>> domain or sender, it provides forgery-resistant whitelisting
>> (whitelist_from_spf).
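An added example, written for this page and not taken from anyone in the thread or from SpamAssassin itself, showing the two points Matt makes in code: a check that looks at the whole PGP armor rather than just the begin clause (so the "begin clause with no end clause" trick scores against the sender instead of for them), and a scoring policy that only goes negative when a verified signature is paired with a key you explicitly trust. The armor parsing and CRC-24 follow RFC 4880 sections 6 and 6.1. Real signature verification still needs gpg; here it is represented by the assumed `verified_by_gpg` flag. The sample messages, signature bytes, fingerprints and score weights are all constructed for illustration.

```python
"""Structural check of PGP-signed mail plus the 'authentication needs
recognition' scoring policy.  Added example, not SpamAssassin code."""
import base64
from typing import Optional

ARMOR_BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
ARMOR_BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
ARMOR_END_SIG = "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The '=XXXX' line that closes an ASCII-armored block."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()


def classify_signature(message: str) -> str:
    """How the PGP armor in a message is put together:
      'none'        - no armor lines at all
      'fragment'    - BEGIN line(s) with no matching END (the spammer trick)
      'malformed'   - begin and end present, but the body is not valid armor
      'well-formed' - complete armor whose CRC-24 matches its body
    'well-formed' says nothing about whether the signature verifies;
    that still requires gpg and a public key."""
    lines = message.splitlines()
    if ARMOR_BEGIN_SIG not in lines:
        return "none" if ARMOR_BEGIN_MSG not in lines else "fragment"
    begin = lines.index(ARMOR_BEGIN_SIG)
    try:
        end = lines.index(ARMOR_END_SIG, begin)
    except ValueError:
        return "fragment"
    body = lines[begin + 1:end]
    # Armor headers ("Version: ...") run up to the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    if len(body) < 2 or not body[-1].startswith("="):
        return "malformed"
    *data_lines, crc_line = body
    try:
        data = base64.b64decode("".join(data_lines), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "malformed"
    if not data or crc_line != armor_checksum(data):
        return "malformed"
    return "well-formed"


def score_signature(message: str, verified_by_gpg: bool,
                    signer_fpr: Optional[str], trusted_fprs: set) -> float:
    """Scoring policy argued for in the thread.  A signature earns a negative
    score only when it verifies AND the signing key is one we explicitly
    trust; a valid signature from an unknown key is worth nothing.  A begin
    clause without an end clause is a spam tell.  `verified_by_gpg` stands
    in for a real `gpg --verify` (assumed, not performed here); the weights
    are illustrative."""
    status = classify_signature(message)
    if status == "fragment":
        return 2.0
    if status == "malformed":
        return 1.0
    if status == "well-formed" and verified_by_gpg and signer_fpr in trusted_fprs:
        return -5.0
    return 0.0  # authentication without recognition is meaningless


# Constructed samples: the signature bytes are a stand-in, not a real packet.
SAMPLE_SIG_BYTES = bytes(range(48))


def build_signed_message(body_text: str, sig_bytes: bytes = SAMPLE_SIG_BYTES) -> str:
    b64 = base64.b64encode(sig_bytes).decode()
    wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([ARMOR_BEGIN_MSG, "Hash: SHA256", "", body_text,
                      ARMOR_BEGIN_SIG, "", *wrapped,
                      armor_checksum(sig_bytes), ARMOR_END_SIG])


GOOD = build_signed_message("Meeting moved to 3pm.")
FRAGMENT = "Buy now!!!\n\n" + ARMOR_BEGIN_SIG + "\n"   # begin clause only
# Flipping one base64 character changes the decoded bytes, so the CRC fails.
TAMPERED = GOOD.replace(ARMOR_BEGIN_SIG + "\n\nA", ARMOR_BEGIN_SIG + "\n\nB", 1)

if __name__ == "__main__":
    trusted = {"0123456789ABCDEF0123456789ABCDEF01234567"}  # constructed
    for name, msg in (("good", GOOD), ("fragment", FRAGMENT), ("tampered", TAMPERED)):
        print(name, classify_signature(msg),
              score_signature(msg, True, "0123456789ABCDEF0123456789ABCDEF01234567", trusted))
```

The structural check is cheap and catches the cut-and-paste fragments the thread describes, but it is deliberately not where the negative score comes from: that only happens in `score_signature` when a gpg-verified fingerprint is in the trusted set, which is the same pairing `whitelist_from_spf` does for SPF.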