Deliberate false signatures in spam?

Neil Williams linux@codehelp.co.uk
Mon Jul 21 23:27:03 2003


On Monday 21 Jul 2003 9:48 pm, Kyle Hasselbacher wrote:
> This is probably an attempt to get the message through SpamAssassin.

Except it failed. Hehe. I'm one of many, many people using SpamAssassin who also use a spamtrap - an old account that receives nothing but spam. EVERY message received is then pumped through spamassassin and reported as spam to Razor. That has two effects - first it updates my spamassassin files to cut this email from any of my other email accounts that get hit, second it adds this specific email to the online razor database that spamassassin uses to check emails that don't hit other rules, so now the email is also cut from anyone else's account that accesses the Razor database later, whether using SpamAssassin or some other prog.

(And yes, before I made it a spamtrap I did watch the account carefully and contacted all genuine contacts to make sure their emails are sent to other accounts.)

> I wonder if SpamAssassin can do multi-line patterns.  If so, you could get
> it to match PGP signatures more strictly.  That would have stopped this,
> but not a more carefully created fake.  To make it really work, you'd have
> to be able to really verify the signature.

Then I'd have a known key to pursue (ok with forged / bad email content) - it makes it VERY easy to block all email using that KeyID, whether the signature itself is valid or not.

Thankfully SpamAssassin doesn't automatically pass an email as OK just because it matches the rule about a possible PGP sig - it simply takes a few points off the total so far. The email can still fail simply because of the obvious spam content. Once reported to Razor, the next time it is scored the total will be even higher.

It is gratifying that the forged sig didn't fool GnuPG and therefore KMail into showing it as a bad signature or something - it was simply ignored, just what it deserved.

This really is a hiding to nothing for spammers - forge a sig properly (as if it's worth the effort) and make it even easier to block all spam containing the forged sig. Forge it badly and it is just ignored and their spam gets marked as spam anyway.

Interesting that they try though.

-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://slashdot.org/~codehelp


--Boundary-02=_WsFH/TJZ5YBmrEL
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA/HFsViAEJSii8s+MRAtYJAKDBQp3Ra4qbN2jhpquGvRXxHBNEPwCghM/X
bp7A2sbzlNeYaRcjeqnD7Ng=
=IN/N
-----END PGP SIGNATURE-----

--Boundary-02=_WsFH/TJZ5YBmrEL--
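The post's two points, that a badly forged signature block is simply ignored while a properly formed one exposes a key ID that can be blocked regardless of whether the signature verifies, come down to structural checks on the armored block. The following Python script is an added example and is not code from the post, from SpamAssassin, Razor or GnuPG. It does no cryptographic verification at all: it parses the ASCII armor, checks the CRC-24 trailer (which a sloppy forgery fails, so the block would be dropped just as GnuPG dropped the one described), and, when the block is well-formed, pulls the issuer key ID out of the signature packet so a filter could score on it. The packet builder is a constructed stand-in with placeholder MPI values; the key ID and creation time used below are made up.

```python
"""Structural triage of an ASCII-armored OpenPGP signature block. Added example, not
code from the original post, SpamAssassin or GnuPG; no cryptographic verification."""
import base64

BEGIN, END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor_signature(packet: bytes) -> str:
    """Wrap raw packet bytes in signature armor with a correct CRC trailer."""
    body = base64.b64encode(packet).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + lines + ["=" + crc, END])

def build_v4_signature(key_id: bytes, sig_type=0, pk_algo=17, hash_algo=2) -> bytes:
    """Constructed v4 signature packet (tag 2): valid layout, placeholder MPIs."""
    hashed = bytes([5, 2]) + (1_000_000_000).to_bytes(4, "big")  # creation-time subpacket (made up)
    unhashed = bytes([9, 16]) + key_id                           # issuer subpacket
    body = (bytes([4, sig_type, pk_algo, hash_algo])
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\x00\x00"                        # left 16 bits of the hash (placeholder)
            + b"\x00\x08\xab\x00\x08\xcd")       # two 8-bit MPIs standing in for DSA r, s
    return bytes([0x88, len(body)]) + body       # old-format header: tag 2, one-octet length

def _find_issuer(area: bytes):
    """Walk a subpacket area and return the Issuer (type 16) key ID, if any."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0:
            return None                          # malformed: never loop forever
        if area[i] & 0x7F == 16 and length == 9:  # low 7 bits = type; high bit = critical flag
            return area[i + 1:i + 9].hex().upper()
        i += length
    return None

def _parse_signature_packet(packet: bytes, result: dict) -> dict:
    """Fill in version, algorithms and issuer key ID from a decoded tag-2 packet."""
    first = packet[0]
    if first & 0x40:                              # new-format header: tag in the low 6 bits
        tag = first & 0x3F
        offset = 2 if packet[1] < 192 else 3 if packet[1] < 224 else 6 if packet[1] == 255 else 0
    else:                                         # old-format header: tag in bits 2-5
        tag = (first >> 2) & 0x0F
        offset = {0: 2, 1: 3, 2: 5}.get(first & 3, 0)   # length type 3 = indeterminate
    if not first & 0x80 or tag != 2 or offset == 0:
        return result
    sig = packet[offset:]
    result["version"] = sig[0]
    if sig[0] == 3 and len(sig) >= 17:            # v3: 0x05, type, time(4), key ID(8), algos
        result["key_id"] = sig[7:15].hex().upper()
        result["pubkey_algo"], result["hash_algo"] = sig[15], sig[16]
    elif sig[0] == 4:
        result["pubkey_algo"], result["hash_algo"] = sig[2], sig[3]
        h_len = int.from_bytes(sig[4:6], "big")
        u_len = int.from_bytes(sig[6 + h_len:8 + h_len], "big")
        for area in (sig[6:6 + h_len], sig[8 + h_len:8 + h_len + u_len]):
            result["key_id"] = _find_issuer(area) or result["key_id"]
    return result

def inspect_signature(text: str) -> dict:
    """Return structural findings for the first armored signature block in text."""
    result = {"armor_ok": False, "crc_ok": False, "version": None,
              "key_id": None, "pubkey_algo": None, "hash_algo": None}
    lines = [line.strip() for line in text.splitlines()]
    try:
        start = lines.index(BEGIN) + 1
        block = lines[start:lines.index(END, start)]
        block = block[block.index("") + 1:] if "" in block else block  # headers end at blank line
        trailer = next(line for line in block if line.startswith("="))
        body = "".join(line for line in block if line and not line.startswith("="))
        packet = base64.b64decode(body, validate=True)
        crc = int.from_bytes(base64.b64decode(trailer[1:], validate=True), "big")
    except (ValueError, StopIteration):
        return result                             # no block, no trailer or bad base64
    result["armor_ok"], result["crc_ok"] = True, crc24(packet) == crc
    if not result["crc_ok"]:
        return result                             # bad CRC: rejected outright, as GnuPG does
    try:
        return _parse_signature_packet(packet, result)
    except IndexError:
        return result                             # truncated packet body
```

Run `inspect_signature()` over the text of a message: a block that fails the CRC comes back with `armor_ok` true and `crc_ok` false and nothing else, which is the "ignored" outcome; a block that passes comes back with the issuer `key_id`, the value a filter can add to its scoring, whether or not the signature would actually verify against that key.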