gnupg encrypted mail and malware/spam

Sun May 11 06:15:02 2003

Eugene Smiley wrote:

>> I think you are missing the point with regard to the issue of
>> server based virus scanning. It isn't that hard to imagine a
>> virus generating an email via Outlook which is then passed to
>> GPGRelay; the user isn't paying attention, types the passphrase,
>> and it gets emailed; the user on the other end decrypts it and
>> opens the attachment... BLAMO!

And I think you are missing the point.  A virus is (by definition) a
piece of code that executes automatically once it is on your system.
However, Windows is an OS that is designed to automatically execute
code: it's one of its inherent properties and one of its main security
weaknesses.  It is the reason why a number of mailing lists do not allow
attachments and why many users delete attachments when they come from an
unknown source.

Encrypted code cannot be executed automatically, and provided you take
certain security measures (always run an attachment through a virus
filter, for instance, or a trojan filter, before opening it) you should
be safe.  Or you can opt to use an OS which doesn't execute code
automatically, such as Linux.  Many Linux based email servers do, in
fact, scan for Windows viruses, but it's up to the individual user to
protect his own system.

The original poster was asking whether spammers could use encryption to
get round spam checking.  As was pointed out, the additional resources
in time and effort would not make it worth it, and for the message to
get through to the recipient they would have to harvest vast numbers of
keys, which though technically feasible is impractical.  However, using
an MUA-based Bayesian spam filtering system (such as that in Mozilla Mail
from version 1.3) you can easily filter for spam once decryption has
taken place and before the message is opened.

It all boils down to whether GPG should protect users who can't be
bothered to protect themselves :)

GPG Keys at