Re: [Full-Disclosure] a PGP signed mail? Has to be spam!

From: Steffen Kluge (kluge_at_fujitsu.com.au)
Date: 11/12/03

  • Next message: PhilZ: "[Full-Disclosure] MS03-049 checking tool ?"
    To: full-disclosure@lists.netsys.com
    Date: Wed, 12 Nov 2003 17:55:34 +1100

    On Wed, 2003-11-12 at 15:39, Michael Gale wrote:
    > But public keys are only valid if you trust them

    No, they can be expired or revoked, but not invalid. And yes, you either
    trust a key or you don't.

    A signature can be valid or invalid, i.e. decrypting the signature with
    the matching public key yields a number that either does or doesn't
    match the hash of the message. This has nothing to do with whether or
    not you trust the key used for signing. A message can have a valid
    signature made with an untrusted key.

    > -- the points in just
    > because a person signs a e-mail with a PGP key and the key matches the
    > from address does not mean it is NOT spam.

    Correct. A good additional test would be to check whether you've got the
    matching public key on your keyring, or even trust it. Even so, some
    people may sign their emails regardless of whether they believe the
    recipient is in possession of their public key, which makes this post
    self-referential.

    It's probably a good idea to raise the ham score for emails bearing a
    sig from a known sender, and not to score emails based on the fact that
    they are either not signed or signed by someone unknown.

    > Also -- having a mail server check PGP sig's on e-mails is NOT an option
    > -- think of the over head, the delay and time out if the server does not
    > exist or no response.

    I don't think that'll be much of an additional overhead in the grand
    scheme of things. Think of all the tests spam filters are running, let
    alone virus scanners. Think of on-line look-ups (a la Razor). I don't
    understand the server not responding bit. Which server?

    If the corporate (or whatever) mail gateway does the spam filtering it
    would be the one checking the sigs. All you have to do is maintain a key
    ring with public keys of your recipients' peers. If you miss one, no
    problem, since you won't score as spam if you can't verify the sig.

    > This would cause major mailq build-ups and could more easily crash a mail
    > system.

    Huh?

    > Anti-spam tools - DCC, Razor, RBL, Bayesian Statistical Token Analysis
    > and then whitelist and blacklist.
    >
    > Not PGP checks.

    Think about it.

    Cheers
    Steffen.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
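The distinction Steffen draws above (a signature is valid or invalid by the arithmetic alone; trust is a separate question of whether the key is on your ring) and the gateway scoring rule he proposes (bonus for a valid sig from a known key, no score either way otherwise) are illustrated by the following added example. It is not code from the original thread. It stands in for PGP with Go's standard-library Ed25519 (OpenPGP also supports EdDSA, but this is a simplification: no packet parsing, no web of trust, a key "fingerprint" is just the SHA-256 of the raw key bytes, and the message is assumed to carry the signer's public key alongside a detached signature). The sample mail bodies and the -5.0 ham bonus are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is what the gateway concludes about one message.
type Verdict int

const (
	Unsigned        Verdict = iota // no signature attached at all
	InvalidSig                     // signature does not verify under the named key
	ValidUnknownKey                // verifies, but the key is not on our ring: untrusted
	ValidKnownKey                  // verifies, and the key is one our users exchanged
)

func (v Verdict) String() string {
	return [...]string{"unsigned", "invalid-sig", "valid-unknown-key", "valid-known-key"}[v]
}

// Keyring maps a fingerprint to a public key. Fingerprint is a hash of the raw
// key bytes (assumed scheme, not OpenPGP's), so a match means the identical key.
type Keyring map[string]ed25519.PublicKey

func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func (kr Keyring) Add(pub ed25519.PublicKey) { kr[Fingerprint(pub)] = pub }

// SignedMail is a stand-in for an e-mail with a detached signature. SignerKey is
// the key the message claims it was signed with (a PGP sig names its key ID;
// here we simply carry the key bytes).
type SignedMail struct {
	Body      []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// Classify separates the two questions. ed25519.Verify answers "is the signature
// valid for this key?" purely mathematically; the keyring lookup answers "do we
// trust this key?". A spammer can always produce a message that passes the first
// test with a key of their own, which is why only the second test earns a bonus.
func Classify(kr Keyring, m SignedMail) Verdict {
	if len(m.Signature) == 0 {
		return Unsigned
	}
	if !ed25519.Verify(m.SignerKey, m.Body, m.Signature) {
		return InvalidSig
	}
	if _, known := kr[Fingerprint(m.SignerKey)]; !known {
		return ValidUnknownKey
	}
	return ValidKnownKey
}

// HamBonus implements the scoring rule: lower the spam score only for a valid
// signature from a key already on the ring; everything else scores zero, so an
// unsigned mail or one from a stranger is neither helped nor hurt.
func HamBonus(v Verdict) float64 {
	if v == ValidKnownKey {
		return -5.0 // constructed value; tune to the filter's scale
	}
	return 0
}

// Scenarios builds four constructed messages against a ring holding one key.
func Scenarios() (map[string]Verdict, error) {
	knownPub, knownPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	strangerPub, strangerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ring := Keyring{}
	ring.Add(knownPub) // the only peer key the gateway's users have collected

	body := []byte("Subject: lunch?\r\n\r\nSame place at noon?\r\n")
	fromKnown := SignedMail{body, ed25519.Sign(knownPriv, body), knownPub}
	fromStranger := SignedMail{body, ed25519.Sign(strangerPriv, body), strangerPub}
	tampered := fromKnown // valid sig, but the body was altered in transit
	tampered.Body = []byte("Subject: lunch?\r\n\r\nWire the money today.\r\n")
	unsigned := SignedMail{Body: body}

	return map[string]Verdict{
		"known":    Classify(ring, fromKnown),
		"stranger": Classify(ring, fromStranger),
		"tampered": Classify(ring, tampered),
		"unsigned": Classify(ring, unsigned),
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"known", "stranger", "tampered", "unsigned"} {
		fmt.Printf("%-9s %-18s ham_bonus=%.1f\n", name, res[name], HamBonus(res[name]))
	}
}
```

The "stranger" case is the one the thread turns on: `ed25519.Verify` returns true, so the signature is valid, yet the fingerprint is not on the ring and the score does not move. Note also that verifying against a key carried in the message itself is only meaningful together with the ring lookup; on its own it proves nothing about the sender.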



