[Full-Disclosure] a PGP signed mail? Has to be spam!
Michael Gale
michael at bluesuperman.com
Wed Nov 12 04:39:26 GMT 2003
Hello,
But public keys are only valid if you trust them -- the points in just
because a person signs a e-mail with a PGP key and the key matches the
from address does not mean it is NOT spam.
E-mail from spammers do not usually have valid from addresses - so the
PGP key can match the fake from addresses with out a problem.
So again -- a PGP signed message is as trust worthy as the from address
of the spammer is. The only reason my from address did not match my PGP
key is because I can not post to the list if my from address is not
michael at bluesuperman.com
Also -- having a mail server check PGP sig's on e-mails it NOT an option
-- think of the over head, the delay and time out if the server does not
exist or no response.
This would cause major mailq build up's and could easier crash a mail
system.
Anti-spam tools - DCC, Razor, RBL, Bayesian Statistical Token Analysis
and then whitelist and blacklist.
Not PGP checks.
Michael.
On Wed, 12 Nov 2003 04:24:11 +0000
"Daniel" <dan at lockedbox.net> wrote:
> Michael Gale <michael at bluesuperman.com> wrote:
>
> > Hello,
> >
> > Do you know how PGP signatures work, you need to have the person
> > who
> > signed it / created the PGP sig to somehow securely provide you with
> > their key to validate it.
>
> Ummm, no, that is why we have public/private keys. The private key can
> be used to sign and the public key used to verify. Yes you can create
> a key from an address that is not your own. But if you recieve a
> message from bill at microsoft.com you would exspect a key to say the
> same.
>
> Regards,
> Daniel B.
>
> ----------------------------------------
> Please do not send me Word or PowerPoint attachments.
> See http://www.fsf.org/philosophy/no-word-attachments.html
>
>
Full-Disclosure is hosted and sponsored by Secunia.