Full Disclosure mailing list archives
Re: a PGP signed mail? Has to be spam!
From: Steffen Kluge <kluge () fujitsu com au>
Date: Wed, 12 Nov 2003 17:55:34 +1100
On Wed, 2003-11-12 at 15:39, Michael Gale wrote:
But public keys are only valid if you trust them
No, they can be expired or revoked, but not invalid. And yes, you either trust a key or you don't. A signature can be valid or invalid, i.e. decrypting the signature with the matching public key yields a number that either does or doesn't match the hash of the message. This has nothing to do with whether or not you trust the key used for signing. A message can have a valid signature made with an untrusted key.
-- the points in just because a person signs a e-mail with a PGP key and the key matches the from address does not mean it is NOT spam.
Correct. A good additional test would be to check whether you've got the matching public key on your keyring, or even trust it. Even so, some people may sign their emails regardless of whether they believe the recipient is in possession of their public key, with makes this post self-referential. It's probably a good idea to raise the ham score for emails bearing a sig from a known sender, and don't score emails based on the fact that they are either not signed or signed by someone unknown.
Also -- having a mail server check PGP sig's on e-mails it NOT an option -- think of the over head, the delay and time out if the server does not exist or no response.
I don't think that'll be much of an additional overhead in the grand scheme of things. Think of all the tests spam filters are running, let alone virus scanners. Think of on-line look-ups (a la Razor). I don't understand the server not responding bit. Which server? If the corporate (or whatever) mail gateway does the spam filtering it would be the one checking the sigs. All you have to do is maintain a key ring with public keys of your recipients' peers. If you miss one, no problem, since you won't score as spam if you can't verify the sig.
This would cause major mailq build up's and could easier crash a mail system.
Huh?
Anti-spam tools - DCC, Razor, RBL, Bayesian Statistical Token Analysis and then whitelist and blacklist. Not PGP checks.
Think about it. Cheers Steffen.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- a PGP signed mail? Has to be spam! onedo (Nov 11)
- Re: a PGP signed mail? Has to be spam! Peter Moody (Nov 11)
- Re: a PGP signed mail? Has to be spam! Damian Gerow (Nov 11)
- Re: a PGP signed mail? Has to be spam! Ciro (Nov 11)
- Re: a PGP signed mail? Has to be spam! Nick FitzGerald (Nov 12)
- Re: a PGP signed mail? Has to be spam! Michael Gale (Nov 11)
- Re: a PGP signed mail? Has to be spam! Scott Taylor (Nov 11)
- Re: a PGP signed mail? Has to be spam! Michael Gale (Nov 11)
- Re: a PGP signed mail? Has to be spam! Daniel (Nov 11)
- Re: a PGP signed mail? Has to be spam! Michael Gale (Nov 11)
- Re: a PGP signed mail? Has to be spam! Steffen Kluge (Nov 11)
- Re: a PGP signed mail? Has to be spam! Michael Gale (Nov 11)
- Re: a PGP signed mail? Has to be spam! Chris Ruvolo (Nov 12)
- Re: PGP signed mail? Has to be spam! onedo (Nov 12)
- Re: PGP signed mail? Has to be spam! Shawn McMahon (Nov 13)
- Re: a PGP signed mail? Has to be spam! Peter Moody (Nov 11)
- Re: a PGP signed mail? Has to be spam! Valdis . Kletnieks (Nov 12)
- <Possible follow-ups>
- RE: a PGP signed mail? Has to be spam! allan . vanleeuwen (Nov 12)