Full Disclosure mailing list archives

Re: a PGP signed mail? Has to be spam!


From: Michael Gale <michael () bluesuperman com>
Date: Tue, 11 Nov 2003 20:54:11 -0700

Hello,

        Do you know how PGP signatures work? You need to have the person who
signed it / created the PGP sig somehow securely provide you with
their key to validate it.

For example, look at this message - it has a PGP signature that my mail
client says is very good. It trusts it - but according to the PGP
signature this e-mail is from Bill Gates, from bill () microsoft com

PGP is NOT secure AT ALL unless we all start trading keys via a secure
means. That is why it has never taken off.

Michael.



On Tue, 11 Nov 2003 20:15:56 -0700
Scott Taylor <security () 303underground com> wrote:

On Tue, 2003-11-11 at 19:22, onedo () gmx net wrote:
Hi everyone

I had to notice something today that really disturbed me. A friend
of mine (working for a very big company) complained that she doesn't
get any mails from me anymore. It turned out that apparently my
mails went straight into the spam filter, as I signed every one of
them. When I sent unsigned mails, she got them. What do we learn?
Crypto is bad m'kay? But for real, does that mean that we won't be
able to sign any mails anymore soon, due to the spam problem (and
stupid admins)? 'EGovernment' is the big word everywhere nowadays.
The electronic signature is mentioned as a way to ensure the
credibility of sender and receiver. Now what?
Guys (and girls), the situation sucks. What do you think? And, most
important of all, do you see any way to fight this behaviour?
Because honestly, I don't.
Greets

$me

Quite the opposite. My bayesian filter is learning to love signed
messages.  I'd probably start rejecting any non-signed messages just
on principle if I didn't have so many friends that paid for their
operating system. Your friend's company probably overpaid for their
spam filter too. She should send a note to her boss, the mail admin,
etc. saying that *business contacts* are being blocked due to poor
filtering. They tend to pay a little more attention if they think it's
affecting their sales.

I don't know any spammers that actually sign with valid gpg
signatures. And even if they did, their fingerprint would give us
something to specifically blacklist. It would be worth the effort to
have the mailserver itself verify signatures if enough people used
them. Decent mail clients make signing and checking signatures easy,
and they do a good job now of turning otherwise ugly blocks of random
text into a nice little 'valid signature' icon. It's not so much that I
think someone is going to spoof a friend's email account, although with
all the poser viruses out there, a message claiming to be from me but
unsigned should raise concern among the people I regularly email.


--
Scott Taylor - <security () 303underground com> 

Anyone who goes to a psychiatrist ought to have his head examined.
              -- Samuel Goldwyn

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
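The two points made in this thread, Michael's (a "good" signature only proves possession of some key, and the name on that key is whatever its creator typed) and Scott's (once you have a key's fingerprint you have something concrete to allow- or deny-list), are worth seeing side by side. The block below is an added illustration, not code from either poster or from any OpenPGP implementation: it uses textbook RSA with 256-bit primes and no padding as a stand-in for a PGP key, a SHA-256-of-public-key fingerprint that is an assumption rather than the OpenPGP V4 format, and a constructed scenario in which an impostor key carries the same user ID as a key obtained through a trusted channel.

```python
"""Why a 'good' PGP signature says nothing about who signed it.

Added illustration (not the list posters' code). A PGP-aware mail client
really answers two separate questions, and this models both:
  1. Does the signature verify under the key that came with the mail?
  2. Is that key, identified by fingerprint, one we obtained securely?
Textbook RSA with no padding and the fingerprint format are assumptions
made for illustration only; do not reuse them as a real signature scheme.
"""
import hashlib
import random

_rng = random.SystemRandom()


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key(uid, bits=256):
    """Return a private key; 'uid' is whatever the key's creator typed in."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return {"uid": uid, "n": p * q, "e": e, "d": pow(e, -1, phi)}


def public_key(key):
    return {"uid": key["uid"], "n": key["n"], "e": key["e"]}


def fingerprint(pub):
    """Assumed fingerprint: SHA-256 over the public modulus and exponent."""
    n_bytes = pub["n"].to_bytes((pub["n"].bit_length() + 7) // 8, "big")
    return hashlib.sha256(n_bytes + pub["e"].to_bytes(4, "big")).hexdigest()


def _digest(message):
    # 256-bit digest is always smaller than the 512-bit modulus used here.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(key, message):
    return pow(_digest(message), key["d"], key["n"])


def verify(pub, message, signature):
    return pow(signature, pub["e"], pub["n"]) == _digest(message)


class Keyring:
    """Keys we know, indexed by fingerprint, with how we came to trust them."""

    def __init__(self):
        self._status = {}

    def add_verified(self, pub):      # fingerprint checked out of band
        self._status[fingerprint(pub)] = "verified"

    def block(self, pub):             # Scott's idea: deny-list a fingerprint
        self._status[fingerprint(pub)] = "blocked"

    def validity(self, pub):
        return self._status.get(fingerprint(pub), "unknown")


def check_mail(keyring, pub, message, signature):
    """What a mail client should report: two verdicts, never merged into one."""
    return {
        "good_signature": verify(pub, message, signature),
        "claimed_uid": pub["uid"],
        "key_validity": keyring.validity(pub),
    }


# Constructed scenario: two keys with the same self-asserted UID. Only the
# first one's fingerprint was (by assumption) obtained through a trusted channel.
BILL_UID = "Bill Gates <bill@microsoft.com>"
REAL_KEY = generate_key(BILL_UID)
IMPOSTOR_KEY = generate_key(BILL_UID)
MESSAGE = b"Please wire the invoice to the new account."
SIGNATURE = sign(IMPOSTOR_KEY, MESSAGE)

KEYRING = Keyring()
KEYRING.add_verified(public_key(REAL_KEY))


def scenario():
    """The impostor's mail: signature verifies, key validity is 'unknown'."""
    return check_mail(KEYRING, public_key(IMPOSTOR_KEY), MESSAGE, SIGNATURE)


if __name__ == "__main__":
    print(scenario())
```

Running it shows `good_signature` True and `claimed_uid` reading "Bill Gates", with `key_validity` "unknown": exactly the "very good" signature Michael describes, and the reason a client must display key validity separately from signature validity. Because a fresh key costs nothing to generate, a fingerprint deny-list only catches a key that has already been seen; the fingerprint allow-list of keys exchanged over a secure channel is the part that actually carries the trust.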