Re: a PGP signed mail? Has to be spam!

[Michael Gale <michael () bluesuperman com>]

Hello,

        But public keys are only valid if you trust them -- the points in just
because a person signs a e-mail with a PGP key and the key matches the
from address does not mean it is NOT spam.

E-mail from spammers do not usually have valid from addresses - so the
PGP key can match the fake from addresses with out a problem.

So again -- a PGP signed message is as trust worthy as the from address
of the spammer is. The only reason my from address did not match my PGP
key is because I can not post to the list if my from address is not
michael () bluesuperman com

Also -- having a mail server check PGP sig's on e-mails it NOT an option
-- think of the over head, the delay and time out if the server does not
exist or no response. 

This would cause major mailq build up's and could easier crash a mail
system. 

Anti-spam tools - DCC, Razor, RBL, Bayesian Statistical Token Analysis
and then whitelist and blacklist.

Not PGP checks.

Michael.



On Wed, 12 Nov 2003 04:24:11 +0000
"Daniel" <dan () lockedbox net> wrote:

> Michael Gale <michael () bluesuperman com> wrote:
>
> > Hello,
> >
> >     Do you know how PGP signatures work, you need to have the person
> >     who
> > signed it / created the PGP sig to somehow securely provide you with
> > their key to validate it. 
>
> Ummm, no, that is why we have public/private keys. The private key can
> be used to sign and the public key used to verify. Yes you can create
> a key from an address that is not your own. But if you recieve a
> message from bill () microsoft com you would exspect a key to say the
> same.
>
> Regards,
> Daniel B.
>
> ----------------------------------------
> Please do not send me Word or PowerPoint attachments.
> See http://www.fsf.org/philosophy/no-word-attachments.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html