Deliberate false signatures in spam?

David Shaw dshaw@jabberwocky.com
Mon Jul 21 23:35:03 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jul 21, 2003 at 03:48:11PM -0500, Kyle Hasselbacher wrote:

> This is probably an attempt to get the message through SpamAssassin.
> 
> SpamAssassin uses a simple pattern (/-----BEGIN PGP SIGNATURE-----/) to
> check for a PGP signature, and matching that (in the config I'm looking at)
> is worth -2.095.  SpamAssassin has a bunch of rules that it uses to
> evaluate a message, each rule has a score, and if a message goes over a
> certain score, it is considered spam.  That fake signature would make
> SpamAssassin think that the message is (2.095 points) "less spammy" than it
> would be otherwise.  The default is for a message to be considered spam
> when it's over 5 points, so that -2.095 is a pretty big win for the
> spammer.  I'm betting that there are spammers out there crafting their
> messages specifically to get through SpamAssassin since it's easy to test
> their output to see if it makes it through.
> 
> I wonder if SpamAssassin can do multi-line patterns.  If so, you could get
> it to match PGP signatures more strictly.  That would have stopped this,
> but not a more carefully created fake.  To make it really work, you'd have
> to be able to really verify the signature.

Yes, this was a pretty lame quasi "signature".  No CRC, no proper
ending to the armor, etc.  Of course you are right - if spamassassin
started checking for properly formatted signatures then spammers would
start providing them.  The only way to be sure is to verify the
signature and that is expensive.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE/HFzK4mZch0nhy8kRAvEfAJ0aMr24rzisub642jvGvbOHEX91YgCdF7Nk
LuKCXzIJSo1Q0I9CBdjz3yU=
=64V4
-----END PGP SIGNATURE-----
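As an added illustration (not part of this thread), the "stricter pattern" Kyle suggests and the defects David names (no CRC, no proper ending) can be checked structurally: the Python below parses the armor layout and recomputes the RFC 2440 CRC-24 over the decoded data. The sample blocks are constructed, and the check deliberately stops short of verifying the signature, which is the expensive step David refers to.

```python
import base64
import re

# CRC-24 parameters for OpenPGP ASCII armor (RFC 2440, section 6.1).
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
BEGIN, END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"

def crc24(data: bytes) -> int:
    """Armor checksum over the decoded (binary) signature data."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor_problems(text: str) -> list:
    """First structural defect in the signature armor in text, [] if well-formed.
    This weeds out lazily faked blocks; it does not verify the signature."""
    text = text.replace("\r\n", "\n")
    if BEGIN not in text:
        return ["no BEGIN line"]
    block = text.split(BEGIN, 1)[1]
    if END not in block:
        return ["no END line after the BEGIN line"]
    block = block.split(END, 1)[0]
    # Layout: newline, zero or more "Key: Value" header lines, blank line, data.
    m = re.fullmatch(r"\n((?:[^\n]+\n)*)\n(.*?)\n", block, re.S)
    if not m:
        return ["headers, blank line and data not laid out as armor"]
    lines = m.group(2).split("\n")
    if not lines[-1].startswith("="):
        return ["missing CRC line"]
    try:
        raw = base64.b64decode("".join(lines[:-1]), validate=True)
        crc = base64.b64decode(lines[-1][1:], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return ["data is not valid base64"]
    if len(crc) != 3 or int.from_bytes(crc, "big") != crc24(raw):
        return ["CRC-24 does not match data"]
    return []

def make_armor(payload: bytes, crc=None) -> str:
    """Constructed sample: well-laid-out armor around arbitrary bytes (not a real signature)."""
    crc = crc24(payload) if crc is None else crc
    tail = base64.b64encode(crc.to_bytes(3, "big")).decode()
    return f"{BEGIN}\nVersion: constructed\n\n{base64.b64encode(payload).decode()}\n={tail}\n{END}\n"

# Constructed imitation of the lazy spam block discussed above: no CRC, no END line.
FAKE_SPAM_ARMOR = f"{BEGIN}\nVersion: GnuPG\n\nbm90IGEgc2lnbmF0dXJl\n\nBuy now!\n"
```

A mail filter could score a block that passes these checks the way the regex rule does today and give no credit to one that fails them; as the thread notes, a spammer can still produce a structurally perfect but unverifiable block, so only real verification closes the gap.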