Posted to users@spamassassin.apache.org by Tristan Miller <ps...@nothingisreal.com> on 2006/04/05 22:25:29 UTC

Rule for OpenPGP-signed mail

Greetings.

Has anyone considered the utility of having SpamAssassin score based partly
on the presence and validity of an OpenPGP signature, and on the trust of
the OpenPGP key?

Here are some ideas:

1) So far I've never received any spam which has been digitally signed; on
the other hand, I do receive some legitimate OpenPGP-signed mail. 
Therefore SA could decrease the score on the mere presence of a digital
signature.  (But see below.)

2) Because it's easy for spammers to generate an invalid signature, then
instead of just checking for a signature, SA could verify it by piping the
message to the appropriate program (e.g., GnuPG).  This would require some
configuration on the part of the user.  However, it would allow for more
fine-tuned testing: the score could be decreased for a valid signature,
and increased for an invalid one.

We still have the problem that digital signatures are simply proof of
identity and not proof of not being a spammer, so even a message with a
valid signature might be spam.  However, I think that in practice spammers
are unlikely to sign their mails, for the following reasons: a) at the
moment, most spammers don't know how to use OpenPGP tools; b) using the
same OpenPGP ID for all mails makes it easy for blacklists and law
enforcement authorities to positively identify them as coming from the
same source; and c) generating a new OpenPGP ID for each spam is too
time-consuming to be cost-effective (à la Hashcash).

3) One instance where checking a signature is probably always effective at
stopping unwanted mail is in the case where the key has been revoked. 
Signing mail with a revoked key pretty much always signifies that the
sender is not who he claims to be.  Practically nobody wants to receive a
message where the sender admits he is impersonating someone else.

4) Another instance where checking a signature is always effective is with
whitelists and blacklists.  Any spammer can forge a "From:" header to
bypass a SA whitelist, but no spammer can produce a digital signature from
a specific key unless he himself is the owner of that key.  Therefore it
would be good if SpamAssassin allowed the user to specify a set of trusted
OpenPGP key IDs for which validly signed mail should be whitelisted. 
Likewise, if any spammer is stupid enough to use the same ID to sign all
his spam, his key could be added to a blacklist.

Anyone care to discuss?  Has anyone else prepared some SA rulesets which
implement any of the above checks?

Regards,
Tristan

-- 
   _
  _V.-o  Tristan Miller [en,(fr,de,ia)]  ><  Space is limited
 / |`-'  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  <>  In a haiku, so it's hard
(7_\\    http://www.nothingisreal.com/   ><  To finish what you


Re: Rule for OpenPGP-signed mail

Posted by Kelson <ke...@speed.net>.
Tristan Miller wrote:
> > I could just steal/generate a real signature from another source...
>
> A digital signature is a guarantee that the document has not been altered. 
> It's therefore impossible to "steal" a signature from another document and
> add it to your own; the signature wouldn't verify.

But it would force you to expend resources to determine that -- which 
was the context in which it was suggested.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: Rule for OpenPGP-signed mail

Posted by Tristan Miller <ps...@nothingisreal.com>.
Greetings.

In article <20...@kluge.net>, Theo Van Dinter wrote:
> FWIW: While this type of thing may sound like a good idea, it also opens
> you to a remote abuse of resources.  If I'm a spammer and I want to
> annoy people, I'd start sending all of my mails with fake signatures.
> Then the recipients, who use this plugin, will get to spend a lot
> of cpu time finding out that the signatures aren't good.

Is this really an issue?  Consider the following:

1) How does the CPU time required to check a signature compare to the CPU
time required for other typical SA tests?  For installations which
implement large rulesets (SARE) and Bayesian filtering, my guess is that
the extra cost of verifying a signature will be relatively small.

2) How does the real time required to check a signature compare to the real
time required for other typical SA tests?  For installations which
implement network checks (DNS checks, Razor), these will be the real time
bottlenecks.  Even if the recipient needs to query a key server for the
signature verification, the delay will be increased only by a constant
factor.

3) Neither the increase in real time nor CPU time necessary to implement
signature checks is likely to be an issue for home users.  Your
annoying-spammer scenario would annoy only ISPs who offer server-side SA
filtering to a large number of clients.  And any ISPs so annoyed are
welcome to configure SA not to implement signature checks.

> I could just steal/generate a real signature from another source...

A digital signature is a guarantee that the document has not been altered. 
It's therefore impossible to "steal" a signature from another document and
add it to your own; the signature wouldn't verify.

It would be possible to *embed* a digitally signed non-spam document inside
a spam mail; in that case the signature would apply only to the embedded
document and not to the mail as a whole.  However, if the SA rules are
applied only for mail in which the entire message is signed, not just some
part of it, then we avoid the problem of spammers trying to fool SA by
embedding legitimate signed documents.

Regards,
Tristan

-- 
   _
  _V.-o  Tristan Miller [en,(fr,de,ia)]  ><  Space is limited
 / |`-'  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  <>  In a haiku, so it's hard
(7_\\    http://www.nothingisreal.com/   ><  To finish what you
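
As an added example (not SpamAssassin code, and not code from anyone in this thread), here is the offline-testable core of the check sketched in items 2 to 4 of the original post, with the whole-message rule from the reply above built in: only a top-level RFC 3156 multipart/signed entity is ever handed to gpg, so a legitimate signed document embedded inside a spam is ignored rather than verified. Rule names, score deltas, the sample message and the status lines are constructed for illustration; the live path assumes a GnuPG 2.1+ binary on PATH and GnuPG's documented --status-fd line format (doc/DETAILS). A real SpamAssassin rule would be a Perl plugin; Python is used here so the pieces can be exercised directly.

```python
"""Added example, not SpamAssassin code: offline-testable core of a hypothetical
OpenPGP check.  Rule names, score deltas, the sample message and the gpg status
lines used here are all constructed for illustration."""
import email, re, subprocess, tempfile
from dataclasses import dataclass
from email import policy
from typing import List, Optional, Set, Tuple

RULES = {"revoked": ("PGP_REVOKED_KEY", 2.0),        # hypothetical names/scores
         "bad": ("PGP_BAD_SIGNATURE", 1.0),
         "good": ("PGP_GOOD_SIGNATURE", -0.5),       # valid, but anyone can sign
         "whitelisted": ("PGP_WHITELISTED_KEY", -5.0)}  # valid *and* a listed key

@dataclass
class Verdict:
    kind: str                        # good|bad|revoked|expired|no_pubkey|error
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None
    trust: Optional[str] = None      # undefined|never|marginal|fully|ultimate

def extract_pgp_mime(raw: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (signed_data, armored_signature) only when the *top-level* entity
    is an RFC 3156 multipart/signed.  A signed document nested inside a spam is
    ignored, so gpg only sees signatures covering the whole message."""
    raw = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")   # canonical CRLF
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/signed"
            or msg.get_param("protocol") != "application/pgp-signature"):
        return None
    parts = msg.get_payload()
    if len(parts) != 2 or parts[1].get_content_type() != "application/pgp-signature":
        return None
    # Take the signed body verbatim from the raw bytes (RFC 2046: the CRLF before a
    # delimiter belongs to the delimiter); regenerating it from the parsed tree
    # could refold headers and silently break a good signature.
    delim = rb"\r\n--" + re.escape(msg.get_boundary().encode()) + rb"(?:--)?[ \t]*\r\n"
    return re.split(delim, raw)[1], parts[1].get_payload(decode=True)

def run_gpg_verify(signed: bytes, signature: bytes, gpg: str = "gpg") -> str:
    """Call GnuPG (2.1+ options) and return its --status-fd output.  Keyserver
    auto-retrieval is off, so a spammer cannot turn every message into a network
    lookup; an unknown key is just reported as NO_PUBKEY."""
    with tempfile.NamedTemporaryFile(suffix=".asc") as sig, \
            tempfile.NamedTemporaryFile() as data:
        sig.write(signature)
        sig.flush()
        data.write(signed)
        data.flush()
        proc = subprocess.run([gpg, "--batch", "--no-tty", "--no-auto-key-retrieve",
                               "--status-fd", "1", "--verify", sig.name, data.name],
                              capture_output=True, timeout=15, check=False)
    return proc.stdout.decode("utf-8", "replace")

_SIG_TAGS = {"BADSIG": "bad", "REVKEYSIG": "revoked", "EXPKEYSIG": "expired",
             "GOODSIG": "good", "NO_PUBKEY": "no_pubkey"}

def parse_status(status_text: str) -> Verdict:
    """Reduce gpg --status-fd lines (format per GnuPG doc/DETAILS) to one verdict."""
    seen, v = set(), Verdict("error")
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] in _SIG_TAGS and len(f) >= 3:
            seen.add(_SIG_TAGS[f[1]])
            v.key_id = f[2]
        elif f[1] == "VALIDSIG" and len(f) >= 3:
            v.fingerprint = f[2]         # full fingerprint, unlike the short key ID
        elif f[1].startswith("TRUST_"):
            v.trust = f[1][6:].lower()
    for kind in ("bad", "revoked", "expired", "good", "no_pubkey"):  # worst news wins
        if kind in seen:
            v.kind = kind
            break
    return v

def score(v: Verdict, trusted_fprs: Set[str]) -> List[Tuple[str, float]]:
    """Only a verified signature by a key the user listed earns the big negative
    score; a merely valid one earns little, since a spammer can sign too."""
    if v.kind == "good" and v.fingerprint in trusted_fprs:
        return [RULES["whitelisted"]]
    return [RULES[v.kind]] if v.kind in RULES else []

def check_message(raw: bytes, trusted_fprs: Set[str], verify=run_gpg_verify):
    """Cheap structural gate first, expensive gpg call second, scoring last."""
    parts = extract_pgp_mime(raw)
    if parts is None or len(parts[0]) > 1_000_000:   # unsigned, nested, or too big
        return []
    return score(parse_status(verify(*parts)), trusted_fprs)

# Constructed sample message; the signature block is a placeholder, not a real one.
SAMPLE = (b"From: alice@example.org\r\nTo: bob@example.org\r\nSubject: hello\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: multipart/signed; micalg=pgp-sha256;\r\n"
          b' protocol="application/pgp-signature"; boundary="sigbound"\r\n\r\n'
          b"--sigbound\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
          b"Meeting at noon.\r\n--sigbound\r\nContent-Type: application/pgp-signature\r\n"
          b"\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\nAAAAplaceholder\r\n"
          b"-----END PGP SIGNATURE-----\r\n--sigbound--\r\n")
# Constructed status lines of the shape gpg --status-fd emits for a good signature.
GOOD_STATUS = ("[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>\n"
               "[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2006-04-05 "
               "1144268729 0 4 0 1 8 00\n[GNUPG:] TRUST_FULLY 0 pgp\n")
```

Three choices here answer the resource-abuse objection Theo raises in this thread: the structural gate and the size cap run before any cryptography, keyserver auto-retrieval is disabled so a bogus signature costs one local verification and no network round trip, and the whitelist is keyed on the full fingerprint reported by VALIDSIG rather than a 32-bit key ID, which an attacker can generate a key to match. Whether one local verification per structurally signed message is acceptable on a busy server remains Theo's question; the gate only ensures that cost is never paid for an unsigned message or for a signed document merely forwarded inside one.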


Re: Rule for OpenPGP-signed mail

Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Apr 06, 2006 at 10:21:27AM -0400, Theo Van Dinter wrote:
> FWIW: While this type of thing may sound like a good idea, it also opens
[...]

Also, is this type of rule worthwhile?  Yes, validly signed messages
are unlikely to be spam (currently), but are signed messages regularly
marked up as spam?  If so, then maybe.  If not, why waste the resources?

I haven't checked my corpus, but I can't recall the last time I received
a signed message that got marked up as spam.

-- 
Randomly Generated Tagline:
"I've got too much blood in my alcohol stream."      - Jon

Re: Rule for OpenPGP-signed mail

Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Apr 06, 2006 at 08:57:34AM +0200, Michael Monnerie wrote:
> I'd love to see this. For the moment, a simple check for an existing 
> signature could be enough to set negative points. If spammers adopt and 
> insert random pgp sigs, the real sig check could be activated. That 
> would need a plugin, I guess. With simple rules that's not possible, is 
> it?

Just to share some history here...  Do *not* blindly assume that seeing
something that looks like a pgp/gpg signature means the message should
get some negative points.  We did that kind of thing in the 2.5x series
of code and spammers hopped on it very quickly.

To do the more proper action of "check to see if a message seems to
be signed, call out to gpg/pgp to validate, return true if validation
succeeds," yes, you'd need a plugin.

FWIW: While this type of thing may sound like a good idea, it also opens
you to a remote abuse of resources.  If I'm a spammer and I want to
annoy people, I'd start sending all of my mails with fake signatures.
Then the recipients, who use this plugin, will get to spend a lot
of cpu time finding out that the signatures aren't good.  (by "fake
signatures", it could be random strings, or I could just steal/generate
a real signature from another source...)

-- 
Randomly Generated Tagline:
"Cut the [network] line to your bathroom ... life will be good again."
                                                 - Hal Stern

Re: Rule for OpenPGP-signed mail

Posted by Michael Monnerie <m....@zmi.at>.
On Wednesday, 5 April 2006 22:25, Tristan Miller wrote:
> Anyone care to discuss?  Has anyone else prepared some SA rulesets
> which implement any of the above checks?

Sounds very good, I love to sign e-mails, even when most recipients can't 
check them (is there an easy and free plugin for Outlook?). But you would 
have to set up a key import feature, or ensure everybody uploads their 
keys to keyservers. Shouldn't be that hard though.

I'd love to see this. For the moment, a simple check for an existing 
signature could be enough to set negative points. If spammers adopt and 
insert random pgp sigs, the real sig check could be activated. That 
would need a plugin, I guess. With simple rules that's not possible, is 
it?

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at           Tel: 0660/4156531          Linux 2.6.11
// PGP Key:   "lynx -source http://zmi.at/zmi2.asc | gpg --import"
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net                 Key-ID: 0x70545879