PGP sign highlight on mutt

["Ademar de Souza Reis Jr." <ademar () conectiva com br>]

Hi there.

When you receive a PGP signed message on mutt (a very popular text
based mail client), there are some ways you know it's signed:

1. The flags "s" or "S" in the message index (and in the bottom of a msg)
2. A message like "PGP signature successfully verified" in the bottom when
   opening a message
3. A *highlighted* message body with the gpg output (example given below)

"

[-- PGP output follows (current time: Tue 23 Oct 2001 05:10:41 PM BRST) --]
gpg: Warning: using insecure memory!
gpg: Signature made Tue 23 Oct 2001 04:35:11 PM BRST using DSA key ID 825F1270
gpg: Good signature from "Ademar de Souza Reis Junior <ademar () conectiva com br>"
[-- End of PGP output --]

[-- The following data is signed --]

Hi there.

[]'s
   - Ademar

[-- End of signed data --]
"

The point here is that since the most notorious one is (3), you can
copy&paste it in a message body (change times and some details) and
let mutt users think a message is signed when it's not.

In fact, I did it here in the company I work for. Since almost everybody
uses mutt in my department, it was easy to send a message with the
"From: " adultered and "signed" as the boss. (Yes, the boss didn't like
it, but he understood since I explained it was a "proof of concept") :)

Yes, you can consider this just a "human mistake", a "social exploit"
or whatever you want, but I think mutt could help avoiding that easily:

It could highlight the text only when it cames from gpg and not
every time it appears in the message body
or
It could interact with gpg in some other (better) way.
or
[put your solution here]

BTW, does that "vulnerability" applies to other mail clients too?

[]'s
   - Ademar