Posted to users@spamassassin.apache.org by RobertH <ro...@abbacomm.net> on 2009/06/27 16:02:33 UTC

gpg signed spam email ???

i was reading at

http://www.karan.org/blog/

specifically

http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam

that he recv'd a "gpg signed spam email"

I've never heard of that before, yet I haven't thought much about it or studied
it...

Q: is this unheard of, or common?

near as I can quickly investigate, it doesn't appear to be common as per
"papa google" [sic].

comments? feedback?

just trying to get up on the curve now.

tia

 - rh


Re: gpg signed spam email ???

Posted by Benny Pedersen <me...@junc.org>.
On Sat, June 27, 2009 16:02, RobertH wrote:

> just trying to get up on the curve now.

it all comes down to: do you trust the sender? Whether you verify this with gpg or not is not the point

Mail::SpamAssassin::Plugin::Konfidi
Mail::SpamAssassin::Plugin::OpenPGP

both can use gpg as a verify on trusted senders, but why not use dkim ?

--
xpoint


Re: gpg signed spam email ???

Posted by Matt Kettler <mk...@verizon.net>.
True, it likely is. But it would also be trivial for the spammer to
generate a valid one.

Given what we've seen with the image spams in the past (custom generated
image for *every* email with random font, size, color, offset, and
randomized dots added on), computational power is hardly an obstacle.

As before, you might be able to write a plugin to check the signature
and assign positive points if it is invalid, but I don't know if that
would work long enough to be worthwhile.

Justin Mason wrote:
> there's a very good chance the GPG signature in this case was fake --
> ie. a cut-and-paste job.
>
> --j.
>
> On Sat, Jun 27, 2009 at 19:05, Matt Kettler <mk...@verizon.net> wrote:
>   
>> RobertH wrote:
>>     
>>> i was reading at
>>>
>>> http://www.karan.org/blog/
>>>
>>> specifically
>>>
>>> http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam
>>>
>>> that he recv'd a "gpg signed spam email"
>>>
>>> I've never heard of that before, yet I haven't thought much about it or studied
>>> it...
>>>
>>> Q: is this unheard of, or common?
>>>
>>> near as I can quickly investigate, it doesn't appear to be common as per
>>> "papa google" [sic].
>>>
>>> comments? feedback?
>>>
>>> just trying to get up on the curve now.
>>>       
>> Well, let's put it this way:
>>
>> A long, long time ago, SA had a rule in the default set, giving negative
>> score to PGP and GPG signed messages. Quickly, spammers started adding
>> enough fragments of a signature to match the rule. This was very
>> obvious, as the rule only matched the begin clause, and the spams had a
>> begin clause dropped at the bottom of the message, with no end clause.
>>
>> The rule could have been modified to validate the signature, but of
>> course, anyone can GPG sign a message and have it be valid, and the
>> spammers probably would have done so if the rule changed. Therefore, the
>> rule was dropped from the set entirely.
>>
>> GPG signatures only validate that the sender has the private key that
>> matches the public one signing the email. Like SPF, and many other
>> "authentication only" technologies, this doesn't tell you anything about
>> the sender. Even perfect authentication at best only provides
>> confirmation of who the sender is, and most of these technologies only
>> prove a sender is the proper owner of some abstract identity like
>> a key or domain.
>>
>> Authentication needs to be paired with recognition to be meaningful.  If
>> a sender proves who they are, will you immediately accept the email
>> without further question? What if they just proved they were Alan Ralsky?
>>
>> http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky
>>
>>
>> Moral of the story: don't assign negative scores to systems that only
>> provide authentication, unless you're somehow pairing it with proof the
>> sender is someone you actually trust (or at least is trusted by a
>> service you trust, etc).
>>
>> Ever notice that the negative score of SPF_PASS is insignificantly
>> small? There's a reason for that. Spammers can pass SPF too, so by
>> itself, it's meaningless. But paired with your explicit trust of a
>> domain or sender, it provides forgery-resistant whitelisting
>> (whitelist_from_spf).


Re: gpg signed spam email ???

Posted by Justin Mason <jm...@jmason.org>.
there's a very good chance the GPG signature in this case was fake --
ie. a cut-and-paste job.

--j.

On Sat, Jun 27, 2009 at 19:05, Matt Kettler <mk...@verizon.net> wrote:
> RobertH wrote:
>> i was reading at
>>
>> http://www.karan.org/blog/
>>
>> specifically
>>
>> http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam
>>
>> that he recv'd a "gpg signed spam email"
>>
>> I've never heard of that before, yet I haven't thought much about it or studied
>> it...
>>
>> Q: is this unheard of, or common?
>>
>> near as I can quickly investigate, it doesn't appear to be common as per
>> "papa google" [sic].
>>
>> comments? feedback?
>>
>> just trying to get up on the curve now.
>
> Well, let's put it this way:
>
> A long, long time ago, SA had a rule in the default set, giving negative
> score to PGP and GPG signed messages. Quickly, spammers started adding
> enough fragments of a signature to match the rule. This was very
> obvious, as the rule only matched the begin clause, and the spams had a
> begin clause dropped at the bottom of the message, with no end clause.
>
> The rule could have been modified to validate the signature, but of
> course, anyone can GPG sign a message and have it be valid, and the
> spammers probably would have done so if the rule changed. Therefore, the
> rule was dropped from the set entirely.
>
> GPG signatures only validate that the sender has the private key that
> matches the public one signing the email. Like SPF, and many other
> "authentication only" technologies, this doesn't tell you anything about
> the sender. Even perfect authentication at best only provides
> confirmation of who the sender is, and most of these technologies only
> prove a sender is the proper owner of some abstract identity like
> a key or domain.
>
> Authentication needs to be paired with recognition to be meaningful.  If
> a sender proves who they are, will you immediately accept the email
> without further question? What if they just proved they were Alan Ralsky?
>
> http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky
>
>
> Moral of the story: don't assign negative scores to systems that only
> provide authentication, unless you're somehow pairing it with proof the
> sender is someone you actually trust (or at least is trusted by a
> service you trust, etc).
>
> Ever notice that the negative score of SPF_PASS is insignificantly
> small? There's a reason for that. Spammers can pass SPF too, so by
> itself, it's meaningless. But paired with your explicit trust of a
> domain or sender, it provides forgery-resistant whitelisting
> (whitelist_from_spf).

Re: gpg signed spam email ???

Posted by Matt Kettler <mk...@verizon.net>.
RobertH wrote:
> i was reading at
>
> http://www.karan.org/blog/
>
> specifically
>
> http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam
>
> that he recv'd a "gpg signed spam email"
>
> I've never heard of that before, yet I haven't thought much about it or studied
> it...
>
> Q: is this unheard of, or common?
>
> near as I can quickly investigate, it doesn't appear to be common as per
> "papa google" [sic].
>
> comments? feedback?
>
> just trying to get up on the curve now.

Well, let's put it this way:

A long, long time ago, SA had a rule in the default set, giving negative
score to PGP and GPG signed messages. Quickly, spammers started adding
enough fragments of a signature to match the rule. This was very
obvious, as the rule only matched the begin clause, and the spams had a
begin clause dropped at the bottom of the message, with no end clause.

The rule could have been modified to validate the signature, but of
course, anyone can GPG sign a message and have it be valid, and the
spammers probably would have done so if the rule changed. Therefore, the
rule was dropped from the set entirely.

GPG signatures only validate that the sender has the private key that
matches the public one signing the email. Like SPF, and many other
"authentication only" technologies, this doesn't tell you anything about
the sender. Even perfect authentication at best only provides
confirmation of who the sender is, and most of these technologies only
prove a sender is the proper owner of some abstract identity like
a key or domain.

Authentication needs to be paired with recognition to be meaningful.  If
a sender proves who they are, will you immediately accept the email
without further question? What if they just proved they were Alan Ralsky?

http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Alan%20Ralsky


Moral of the story: don't assign negative scores to systems that only
provide authentication, unless you're somehow pairing it with proof the
sender is someone you actually trust (or at least is trusted by a
service you trust, etc).

Ever notice that the negative score of SPF_PASS is insignificantly
small? There's a reason for that. Spammers can pass SPF too, so by
itself, it's meaningless. But paired with your explicit trust of a
domain or sender, it provides forgery-resistant whitelisting
(whitelist_from_spf).
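The two points in Matt's post, that a rule matching only the BEGIN line is trivially fooled by a pasted fragment, and that even a valid signature earns trust only when paired with recognition of the key, can be shown in code. The following is an added example, not SpamAssassin's old rule nor any of its plugins. It checks whether a PGP signature armor block in a mail body is structurally complete (BEGIN/END pair, decodable base64, and the RFC 4880 CRC-24 checksum line when present), then applies a constructed scoring policy in the spirit of whitelist_from_spf: fragments score positively, a well-formed or even cryptographically valid signature from an unknown key scores nothing, and only a verified signature from a key already in your trusted set scores negatively. The actual cryptographic verification is assumed to happen elsewhere (for example an external gpg run) and is represented only by the `verified_fingerprint` parameter; the sample mails, payload bytes, fingerprints and score values are all constructed for this example.

```python
"""Structural check of PGP signature armor in a mail body plus a trust decision.

Added example, not SpamAssassin code. Classification of the first armored block:
  no BEGIN line                           -> 'none'
  BEGIN without matching END              -> 'fragment' (the pasted-BEGIN trick)
  base64 body missing or undecodable      -> 'fragment'
  '=XXXX' CRC-24 line present but wrong   -> 'fragment'
  otherwise                               -> 'complete' (well formed, NOT verified)
"""
import base64
import re
from email import message_from_string

ARMOR_BEGIN = "-----BEGIN PGP SIGNATURE-----"
ARMOR_END = "-----END PGP SIGNATURE-----"
CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum exactly as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def classify_signature_block(body: str) -> str:
    """Return 'none', 'fragment' or 'complete' for the first armored block in body."""
    lines = [line.rstrip("\r") for line in body.split("\n")]
    if ARMOR_BEGIN not in lines:
        return "none"
    start = lines.index(ARMOR_BEGIN)
    try:
        end = lines.index(ARMOR_END, start + 1)
    except ValueError:
        return "fragment"                       # BEGIN clause with no END clause
    inner = lines[start + 1:end]
    # Skip armor headers such as "Version: ..." and the blank separator line.
    idx = 0
    while idx < len(inner) and re.match(r"^[A-Za-z-]+: ", inner[idx]):
        idx += 1
    if idx < len(inner) and inner[idx].strip() == "":
        idx += 1
    data = [line.strip() for line in inner[idx:] if line.strip()]
    crc_line = data.pop() if data and data[-1].startswith("=") else None
    try:
        payload = base64.b64decode("".join(data), validate=True)
        expected = base64.b64decode(crc_line[1:], validate=True) if crc_line else None
    except ValueError:                          # binascii.Error is a ValueError
        return "fragment"
    if not payload:
        return "fragment"
    if expected is not None and expected != crc24(payload).to_bytes(3, "big"):
        return "fragment"
    return "complete"


def classify_message(raw: str) -> str:
    """Parse an RFC 822 message and classify the inline text body.
    Simplification for this example: PGP/MIME (RFC 3156) detached-signature
    parts are not handled, only inline armor in text/plain content."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        parts = [p.get_payload() for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        body = "\n".join(parts)
    else:
        body = msg.get_payload()
    return classify_signature_block(body)


def signature_score(classification: str, verified_fingerprint, trusted_fingerprints) -> float:
    """Constructed scoring policy: a fragment is a spam sign; a complete block,
    or even a verified one from an unknown key, is worth nothing on its own;
    only a verified signature from a key you already trust earns a negative score.
    verified_fingerprint is assumed to come from an external gpg verification."""
    if classification == "fragment":
        return 1.0
    if classification == "complete" and verified_fingerprint in trusted_fingerprints:
        return -5.0
    return 0.0


def armor_signature(payload: bytes) -> str:
    """Wrap bytes in a well-formed armor block. Constructed test input only:
    the payload is not an OpenPGP signature packet, so gpg would reject it."""
    b64 = base64.b64encode(payload).decode()
    crc = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([ARMOR_BEGIN, ""] + body + [crc, ARMOR_END])


# Constructed sample messages (not taken from the thread or the blog post).
CONSTRUCTED_PAYLOAD = b"constructed bytes standing in for a signature packet"
MAIL_COMPLETE = ("From: alice@example.test\nSubject: hello\n\n"
                 "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nmeeting at 10\n"
                 + armor_signature(CONSTRUCTED_PAYLOAD) + "\n")
MAIL_FRAGMENT = ("From: offer@example.test\nSubject: buy now\n\n"
                 "buy now!\n\n-----BEGIN PGP SIGNATURE-----\n")
MAIL_PLAIN = "From: bob@example.test\nSubject: lunch\n\nlunch?\n"

if __name__ == "__main__":
    trusted = {"CONSTRUCTED-FINGERPRINT-0001"}          # constructed trusted key set
    for name, mail in [("complete", MAIL_COMPLETE), ("fragment", MAIL_FRAGMENT), ("plain", MAIL_PLAIN)]:
        result = classify_message(mail)
        print(f"{name:9s} -> {result:9s} score {signature_score(result, None, trusted):+.1f}")
```

Note that `classify_message` returns "complete" for the constructed sample even though its payload is meaningless, which is exactly Matt's point: structure says nothing about validity, and validity says nothing about trust, so the negative score in `signature_score` is gated on the key already being recognised.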