Deliberate false signatures in spam?

Kyle Hasselbacher Kyle Hasselbacher <kyle-exp-1064004493.5a95a4@toehold.com>
Mon Jul 21 22:47:03 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jul 21, 2003 at 08:52:07PM +0100, Neil Williams wrote:
>Just received a spam message with this contained within:
>
>Pretending to be from:  "Kate Shaver" <kr245gxuqp@canada.com>
>(The usual Viagra/whatever spam).
>
>-----BEGIN PGP SIGNATURE-----
>version: pgpfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
>
>ksie8fg4j8r7m3s9od5h2ixrqheaqqa3ysepsq0xzdhzuvskfdktfpe9xs4fhqs
>wacj49dk6u883sxo4kb9u6/jnjdx6cjqnzxpetxk9b2dogll/c/60hwrpn+vujdu
>xav65sop+px4knaqcciecamqj7ugcsw+cqmpnbxwyatymjafkbkh1eulc2vrwdmd
>cjdi57fh43ks9cm78h4t
>-----END PGP SIGNATURE-----

This is probably an attempt to get the message through SpamAssassin.

SpamAssassin uses a simple pattern (/-----BEGIN PGP SIGNATURE-----/) to
check for a PGP signature, and matching that (in the config I'm looking at)
is worth -2.095.  SpamAssassin has a bunch of rules that it uses to
evaluate a message, eacn rule has a score, and if a message goes over a
certain score, it is considered spam.  That fake signature would make
SpamAssassin think that the message is (2.095 points) "less spammy" than it
would be otherwise.  The default is for a message to be considered spam
when it's over 5 points, so that -2.095 is a pretty big win for the
spammer.  I'm betting that there are spammers out there crafting their
messages specifically to get through SpamAssassin since it's easy to test
their output to see if it makes it through.

I wonder if SpamAssassin can do multi-line patterns.  If so, you could get
it to match PGP signatures more strictly.  That would have stopped this,
but not a more carefully created fake.  To make it really work, you'd have
to be able to really verify the signature.

SpamAssassin home page:

http://spamassassin.org/
- -- 
Kyle Hasselbacher | There's an old proverb which says just about
kyle@toehold.com  | whatever you want it to.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/HFGL10sofiqUxIQRAtepAJ9NzBIuRVWGI5wDp33Vg5TiFi5TcwCdGskb
mvdEMrez/EwQuhoWLZIHSc8=
=g/Ku
-----END PGP SIGNATURE-----