Deliberate false signatures in spam?
Mon Jul 21 23:27:03 2003
On Monday 21 Jul 2003 9:48 pm, Kyle Hasselbacher wrote:
> This is probably an attempt to get the message through SpamAssassin.
Except it failed. Hehe. I'm one of many, many people using SpamAssassin who
also use a spamtrap - an old account that receives nothing but spam. EVERY
message received is then pumped through spamassassin and reported as spam to
Razor. That has two effects - first it updates my spamassassin files to cut
this email from any of my other email accounts that get hit, second it adds
this specific email to the online razor database that spamassassin uses to
check emails that don't hit other rules, so now the email is also cut from
anyone else's account that accesses the Razor database later, whether using
SpamAssassin or some other prog.
(And yes, before I made it a spamtrap I did watch the account carefully and
contacted all genuine contacts to make sure their emails are sent to other=
> I wonder if SpamAssassin can do multi-line patterns. If so, you could get
> it to match PGP signatures more strictly. That would have stopped this,
> but not a more carefully created fake. To make it really work, you'd have
> to be able to really verify the signature.
Then I'd have a known key to pursue (ok with forged / bad email content) -
makes it VERY easy to block all email using that KeyID, whether the signature
itself is valid or not.
Thankfully SpamAssassin doesn't automatically pass an email as OK just because
it matches the rule about a possible PGP sig - it simply takes a few points
off the total so far. The email can still fail simply because of the obvious
spam content. Once reported to Razor, the next time it is scored the total
will be even higher.
It is gratifying that the forged sig didn't fool GnuPG and therefore KMail
into showing it as a bad signature or something - it was simply ignored, just
what it deserved.
This really is a hiding to nothing for spammers - forge a sig properly (as if
it's worth the effort) and make it even easier to block all spam containing
the forged sig. Forge it badly and it is just ignored and their spam gets
marked as spam anyway.
Interesting that they try though.
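The stricter multi-line match suggested in the quoted text can be sketched as a structural check on the armor block. This is an added example, not part of the original message and not SpamAssassin's own rule: the function names and the sample message are constructed here, and the check covers armor layout, the CRC-24 line and the packet tag only, so it does not verify the signature against any key.

```python
import base64
import re

# Multi-line pattern for an ASCII-armored signature (RFC 4880, section 6.2):
# armor headers, blank line, base64 body, "=XXXX" CRC-24 line, END line.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\r?\n"
    r"(?:[A-Za-z]+: [^\r\n]*\r?\n)*"                # Version:/Comment: headers
    r"\r?\n"                                        # mandatory blank line
    r"((?:[A-Za-z0-9+/][A-Za-z0-9+/=]*\r?\n)+)"     # base64 body lines
    r"=([A-Za-z0-9+/]{4})\r?\n"                     # CRC-24 checksum line
    r"-----END PGP SIGNATURE-----"
)

def crc24(data: bytes) -> int:
    """CRC-24 as defined for OpenPGP armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def check_signature_block(text: str) -> str:
    """Return 'none', 'malformed' or 'well-formed' (structure only, no key check)."""
    if "-----BEGIN PGP SIGNATURE-----" not in text:
        return "none"
    m = ARMOR_RE.search(text)
    if m is None:
        return "malformed"
    try:
        body = base64.b64decode("".join(m.group(1).split()), validate=True)
        stated = int.from_bytes(base64.b64decode(m.group(2), validate=True), "big")
    except ValueError:                      # bad alphabet or padding
        return "malformed"
    # A signature packet starts with tag 2: old format 0x88-0x8A, new format 0xC2.
    if crc24(body) != stated or body[:1] not in (b"\x88", b"\x89", b"\x8a", b"\xc2"):
        return "malformed"
    return "well-formed"

# Constructed sample: armor lines present, but no blank line, junk body, no CRC.
FAKE = ("Buy now!\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.2.1\n"
        "qwertyuiopasdfghjkl\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    print(check_signature_block(FAKE))      # structure check only
```

A "malformed" result is a candidate for adding points to the spam score, while "well-formed" only means the block is worth handing to GnuPG for real verification.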