gnupg encrypted mail and malware/spam

Neil Williams linux@codehelp.co.uk
Sat May 10 22:20:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 10 May 2003 7:15 pm, Thomas Scheffczyk wrote:
> If gnupg is used to protect mail messages it also disables all server
> based protection measures against malware and spam. No virus scanner nor
> spam filter on firewalls or gateways can check the encrypted messages.

This isn't often a problem - a signed email is not attractive as a vehicle of 
spam - those who send spam want to be invisible not verifiably identifiable.

Encrypting the mail even without signing it is a MAJOR workload for spammers 
who need to send tens of millions of emails to even get a few responses. Each 
one would need to be individually encrypted. Even if a spammer used every 
single key on a keyserver, it really is not appealing.

> All protection is to be done on the host where the mail is decrypted. At

There are spam filters that can be run within the mail client on manual action 
- - post decryption. At present, it is fiddly but it's also not exactly a 
priority. (SpamAssassin is one of the filters that can be run this way. It is 
only Perl and it would be easy to adapt the code to cope. A script could 
perform the steps required for SpamAssassin to receive the original plain 
text.)

> least for bigger networks this is nearly impossible to do: No system
> administrator will be happy if most of the defence lines will be
> unusable and without doubt it needs a lot more manpower to secure all
> local workstations to a level comparable with a firewall.

I really can't see that this could even be a problem worth the effort.

> Gnupg is used for various task within the network I'm responsible for
> and I really want to give all users access to gnupg to allow them to
> protect their privacy and the data that is transferred by mail, but I
> can't risk the security and integrity of the network itself.

? spam only affects the network itself when a spammer uses your domain to 
pretend to send from - the bounces overwhelm the victim server. How does it 
matter if the spam is one form or another? It's the sheer size that matters. 
Encryption doesn't add that much to the total traffic.

> PPS: I hope that I don't awake sleeping dogs, but what would happen, if
> spammers would start to send encrypted messages? All countermeasures
> like spamassassin or even statistical token analysis wouldn't stop this
> kind of spam.

As above: Encrypting spam individually to tens of millions of users is not a 
trivial task! Compared to just using a database of email addresses, I can't 
see that it is at all appealing for a spammer.

- -- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+vV5Uk7DVr6iX/QIRAoG2AJ9MVDCqy4TB7gBJttw4pBxBDiwgdgCaAgaN
NH7YZ1tir1NRoRbGODCU8RE=
=9/6b
-----END PGP SIGNATURE-----
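
The post-decryption filtering step mentioned in the message above (decrypt on the receiving host, then hand SpamAssassin the plain text), as an added example that is not part of the original post and not SpamAssassin's own code. It assumes inline ASCII-armored mail (not PGP/MIME), `gpg` and `spamassassin` on the PATH, and a secret key usable through gpg-agent; the function names and the sample message are constructed for illustration.

```python
import email, re, subprocess, sys
from email import policy

# Inline ASCII-armored block as produced by `gpg --armor --encrypt`.
ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL)

def gpg_decrypt(armored):
    """Decrypt one armored block with the local gpg (assumes the secret key is usable via gpg-agent)."""
    proc = subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"],
                          input=armored.encode(), capture_output=True, check=True)
    return proc.stdout.decode("utf-8", errors="replace")

def plaintext_for_filter(raw, decrypt=gpg_decrypt):
    """Return (message, n): the mail with armored blocks replaced by plaintext, and how many were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    count = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        blocks = ARMOR.findall(body)
        if blocks:
            count += len(blocks)
            clear = ARMOR.sub(lambda m: decrypt(m.group(0)), body)
            # set_content() replaces only this part's body and Content-* headers;
            # From/Subject/Received stay, so header-based rules still apply.
            part.set_content(clear, subtype=part.get_content_subtype())
    return msg.as_string(), count

def run_spamassassin(raw):
    """Pipe the message through the spamassassin CLI and return its annotated copy."""
    proc = subprocess.run(["spamassassin"], input=raw.encode(), capture_output=True, check=True)
    return proc.stdout.decode("utf-8", errors="replace")

# Constructed sample: the armored payload is a placeholder, not real ciphertext.
SAMPLE = """From: sender@example.org
To: user@example.net
Subject: hello

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkU2FtcGxl
=AbCd
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    decrypted, found = plaintext_for_filter(sys.stdin.read())
    # Only mail that was opaque to the gateway needs the second pass.
    sys.stdout.write(run_spamassassin(decrypted) if found else decrypted)
```

Run as a filter in the mail client or delivery pipeline, reading one message on stdin; the decrypted copy exists only in memory and on the pipe to SpamAssassin.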