Deliberate false signatures in spam?

Neil Williams
Mon Jul 21 23:27:03 2003

On Monday 21 Jul 2003 9:48 pm, Kyle Hasselbacher wrote:
> This is probably an attempt to get the message through SpamAssassin.

Except it failed. Hehe. I'm one of many, many people using SpamAssassin who also use a spamtrap - an old account that receives nothing but spam. EVERY message received is then pumped through spamassassin and reported as spam to Razor. That has two effects - first it updates my spamassassin files to cut this email from any of my other email accounts that get hit, second it adds this specific email to the online razor database that spamassassin uses to check emails that don't hit other rules, so now the email is also cut from anyone else's account that accesses the Razor database later, whether using SpamAssassin or some other prog.

(And yes, before I made it a spamtrap I did watch the account carefully and contacted all genuine contacts to make sure their emails are sent to other

> I wonder if SpamAssassin can do multi-line patterns.  If so, you could get
> it to match PGP signatures more strictly.  That would have stopped this,
> but not a more carefully created fake.  To make it really work, you'd have
> to be able to really verify the signature.

Then I'd have a known key to pursue (ok with forged / bad email content) - makes it VERY easy to block all email using that KeyID, whether the signature itself is valid or not.

Thankfully SpamAssassin doesn't automatically pass an email as OK just because it matches the rule about a possible PGP sig - it simply takes a few points off the total so far. The email can still fail simply because of the obvious spam content. Once reported to Razor, the next time it is scored the total will be even higher.

It is gratifying that the forged sig didn't fool GnuPG and therefore KMail into showing it as a bad signature or something - it was simply ignored, just what it deserved.

This really is a hiding to nothing for spammers - forge a sig properly (as if it's worth the effort) and make it even easier to block all spam containing the forged sig. Forge it badly and it is just ignored and their spam gets marked as spam anyway.

Interesting that they try though.


Neil Williams
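
Kyle's point above, that a filter cannot really trust a PGP signature without verifying it, has a cheaper partial step a defender can take before giving a message any score credit for "looks signed": reject blocks that are not even structurally valid OpenPGP armor. The Python below is an added example, not code from this thread, from SpamAssassin or from GnuPG; it checks the armor CRC-24 from RFC 4880 and the first packet's tag, does not verify the signature cryptographically (that still needs the signer's key), and `make_armor` only builds constructed sample input.

```python
import base64
import re

CRC24_INIT = 0xB704CE   # RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB

def crc24(data: bytes) -> int:
    """OpenPGP ASCII-armor checksum; the armor's trailing '=XXXX' line encodes it."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

# One armored signature block: header lines, blank line, base64 body, CRC line.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\r?\n(?:[^\n]*:[^\n]*\r?\n)*\r?\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]+\r?\n)+)=(?P<crc>[A-Za-z0-9+/]{4})\r?\n"
    r"-----END PGP SIGNATURE-----"
)

def check_armored_signature(text: str) -> str:
    """Return 'ok', or a short reason the block is not even a structurally valid signature.
    This does NOT verify the signature cryptographically; that needs the signer's key."""
    m = ARMOR_RE.search(text)
    if not m:
        return "no well-formed armor block"
    try:
        body = base64.b64decode("".join(m.group("body").split()), validate=True)
        given = int.from_bytes(base64.b64decode(m.group("crc")), "big")
    except ValueError:           # binascii.Error is a ValueError subclass
        return "body is not valid base64"
    if crc24(body) != given:
        return "armor checksum mismatch"
    if not body or not body[0] & 0x80:
        return "not an OpenPGP packet"
    # Packet tag: new-format header keeps it in the low 6 bits, old-format in bits 5..2.
    tag = body[0] & 0x3F if body[0] & 0x40 else (body[0] >> 2) & 0x0F
    if tag != 2:
        return f"first packet is tag {tag}, not a signature packet"
    return "ok"

def make_armor(packet: bytes, version: str = "GnuPG v1.2.1 (GNU/Linux)") -> str:
    """Wrap constructed packet bytes in armor with a correct CRC (sample input only)."""
    body = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP SIGNATURE-----\nVersion: {version}\n\n"
            f"{body}\n={crc}\n-----END PGP SIGNATURE-----\n")
```

A block that fails any of these checks is exactly the "badly forged" case in the post and can be scored as if no signature were present, while a block that passes still proves nothing until GnuPG verifies it against a key.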