gnupg encrypted mail and malware/spam
Eugene Smiley
eugene@esmiley.net
Sun May 11 00:51:02 2003
Neil wrote:=20
> On Saturday 10 May 2003 7:15 pm, Thomas Scheffczyk wrote:
>> If gnupg is used to protect mail messages it also disables all
>> server based protection measures against malware and spam. No
>> virus scanner nor spam filter an firewalls or gateways can check
>> the encrypted messages.=20
>=20
> This isn't often a problem - a signed email is not attractive as
> a vehicle of spam - those who send spam want to be invisible not
> verifiably identifiable.=20
>=20
> Encrypting the mail even without signing it is a MAJOR workload
> for spammers who need to send tens of millions of emails to even
> get a few responses. Each one would need to be individually
> encrypted. Even if a spammer used every single key on a
> keyserver, it really is not appealing.=20
I think you are missing the point with regard to the issue of=20
server based virus scanning. It isn't that hard to imagine a=20
virus generating an email via Outlook which is then passed to=20
GPGRelay; the user isn't paying attention, types the passphrase,
and it get's emailed; the user on the other end decrypts it and=20
opens the attachment... BLAMO!