Deliberate false signatures in spam?
Mon Jul 21 23:35:03 2003
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, Jul 21, 2003 at 03:48:11PM -0500, Kyle Hasselbacher wrote:
> This is probably an attempt to get the message through SpamAssassin.
> SpamAssassin uses a simple pattern (/-----BEGIN PGP SIGNATURE-----/) to
> check for a PGP signature, and matching that (in the config I'm looking at)
> is worth -2.095. SpamAssassin has a bunch of rules that it uses to
> evaluate a message, eacn rule has a score, and if a message goes over a
> certain score, it is considered spam. That fake signature would make
> SpamAssassin think that the message is (2.095 points) "less spammy" than it
> would be otherwise. The default is for a message to be considered spam
> when it's over 5 points, so that -2.095 is a pretty big win for the
> spammer. I'm betting that there are spammers out there crafting their
> messages specifically to get through SpamAssassin since it's easy to test
> their output to see if it makes it through.
> I wonder if SpamAssassin can do multi-line patterns. If so, you could get
> it to match PGP signatures more strictly. That would have stopped this,
> but not a more carefully created fake. To make it really work, you'd have
> to be able to really verify the signature.
Yes, this was a pretty lame quasi "signature". No CRC, no proper
ending to the armor, etc. Of course you are right - if spamassassin
started checking for properly formatted signatures then spammers would
start providing them. The only way to be sure is to verify the
signature and that is expensive.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc
-----END PGP SIGNATURE-----