gnupg encrypted mail and malware/spam

Per Tunedal
Sun May 11 10:16:02 2003

At 00:16 2003-05-11 -0400, you wrote:
> John wrote:
>
>> Eugene Smiley wrote:
>>> I think you are missing the point with regard to the issue of
>>> server based virus scanning. It isn't that hard to imagine a
>>> virus generating an email via Outlook which is then passed to
>>> GPGRelay; the user isn't paying attention, types the passphrase,
>>> and it gets emailed; the user on the other end decrypts it and
>>> opens the attachment... BLAMO!
>> Ding! There's the REAL culprit - There seem to be as many
>> LookOut! exploits out on the 'Net as there are attacks against
>> InternetExploder.
> When you have companies -- such as my former employer -- that become
> Microsoft Software Partners and dictate that Outlook must be used,
> there is little that can be done. People can argue until they are
> blue about Outlook being broken and attack prone, but until MS fixes
> it, we all must deal with the consequences.
>> Perhaps a less-easily hijacked MUA is needed. What you describe
>> here is more E-mail worm than SPAM.
> Exactly, but I wasn't talking about Spam. Here's what I was responding to:
> Thomas Scheffczyk wrote:
>> If GnuPG is used to protect mail messages it also disables all
>> server based protection measures against malware and Spam. No
>> virus scanner nor Spam filter on firewalls or gateways can check
>> the encrypted messages.
> Spam had already been addressed, but "malware" wasn't. Virii, Trojans,
> and Worms can all be encrypted within a message, and won't be detected
> by a virus scanner on the mail gateway. That's why I created the above
> possible scenario.
Checking for malware can easily be done after decryption by any antivirus
scanner on the client. The resident scanner (monitor, or whatever it is
called) stops the virus if it is known. Ordinary e-mail clients such as
Eudora save the attachment in an ordinary folder, and thus the attachment
can easily be scanned by the antivirus.

If you use Outlook or Outlook Express you had better use a virus scanner with
an e-mail module. It can easily be configured to scan mail after decryption
with e.g. GPGrelay: the mail first passes through GPGrelay and is then scanned
by the antivirus module.

But: the virus scanner at the e-mail server cannot scan encrypted traffic,
as the original message stated, unless you use the commercial PGP's ADK feature.

You can get extra security by using antivirus protection that stops any
unknown code from running on the Windows client, e.g. the Swedish Abtrusion
Protector (using SHA-1 checksums) or the personal firewall Tiny Personal
Firewall (using MD5 checksums). Abtrusion Protector is only for Windows XP.
Tiny's solution is a bit tricky to set up and configure, and both use a lot
of resources. (What you win at one end you lose at the other ...)

Per Tunedal

Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92
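The two points in the post above, that a gateway scanner has nothing to inspect in an encrypted message while a client can scan after decryption, and that a checksum allowlist (the Abtrusion Protector approach) can then decide whether an attachment may run, as one added example. This is not code from the post, from GnuPG or from GPGrelay: GnuPG is stood in for by a trivial reversible transform so the script runs offline (a real client would hand the message to gpg or GPGrelay), and the message, attachment bytes and allowlist entries are all constructed for the example.

```python
"""Decrypt-then-scan on the mail client (added example, not code from the
list post or from GnuPG/GPGrelay).

GnuPG is stood in for by a trivial reversible transform (toy_encrypt /
toy_decrypt) so the script runs offline; a real client would hand the
message to gpg or GPGrelay instead. The 'gateway' only ever sees the
opaque armoured body, so it finds no attachment to scan; the client
scans the MIME parts after decryption and checks each attachment's
SHA-1 against an allowlist of approved binaries, the approach the post
describes for Abtrusion Protector. All message content and hashes are
constructed for this example.
"""
import base64
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed attachment; stands in for an executable that arrives by mail.
ATTACHMENT_NAME = "report.exe"
ATTACHMENT_BYTES = b"MZ\x90\x00constructed-example-binary"

# Toy key for the stand-in transform; this is NOT encryption, it only makes
# the body opaque to a gateway scanner the way a real GnuPG message would be.
TOY_KEY = b"stand-in-key"


def _xor(data):
    return bytes(b ^ TOY_KEY[i % len(TOY_KEY)] for i, b in enumerate(data))


def toy_encrypt(plaintext):
    """Stand-in for 'gpg --armor --encrypt': returns an armoured opaque blob."""
    return (b"-----BEGIN TOY MESSAGE-----\n"
            + base64.encodebytes(_xor(plaintext))
            + b"-----END TOY MESSAGE-----\n")


def toy_decrypt(armoured):
    """Stand-in for 'gpg --decrypt': strips the armour and reverses _xor."""
    body = armoured.split(b"-----BEGIN TOY MESSAGE-----\n", 1)[1]
    body = body.split(b"-----END TOY MESSAGE-----", 1)[0]
    return _xor(base64.decodebytes(body))


def build_inner_message():
    """The message as the sender's MUA composes it, before encryption."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(ATTACHMENT_BYTES, maintype="application",
                       subtype="octet-stream", filename=ATTACHMENT_NAME)
    return msg.as_bytes()


def gateway_view():
    """What the mail server sees: headers plus an opaque armoured body."""
    outer = EmailMessage()
    outer["From"] = "alice@example.com"
    outer["To"] = "bob@example.com"
    outer["Subject"] = "quarterly report"
    outer.set_content(toy_encrypt(build_inner_message()).decode("ascii"))
    return outer.as_bytes()


def client_decrypt(outer_raw):
    """What GPGrelay/gpg would do on the client: recover the inner message."""
    outer = BytesParser(policy=policy.default).parsebytes(outer_raw)
    return toy_decrypt(outer.get_content().encode("ascii"))


def fingerprint(data):
    """SHA-1 of a file, as an Abtrusion-style allowlist would record it."""
    return hashlib.sha1(data).hexdigest()


def scan(raw_message, allowlist):
    """Extract every attachment and report whether its SHA-1 is approved."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdicts = []
    for part in msg.walk():
        if not part.is_attachment():
            continue
        data = part.get_payload(decode=True)
        digest = fingerprint(data)
        verdicts.append({"name": part.get_filename(),
                         "sha1": digest,
                         "allowed": digest in allowlist})
    return verdicts


if __name__ == "__main__":
    approved = {fingerprint(b"some-approved-installer")}  # constructed allowlist
    print("gateway sees:", scan(gateway_view(), approved))  # []
    print("client sees:", scan(client_decrypt(gateway_view()), approved))
```

Run as-is, the gateway pass returns an empty verdict list because the only MIME part it can see is the armoured text, while the client pass finds `report.exe` and reports it as not allowed. Adding `fingerprint(ATTACHMENT_BYTES)` to the allowlist flips the verdict, which is exactly the decision an execution-control tool makes before the user double-clicks the saved attachment; swapping `toy_decrypt` for a real `gpg --decrypt` call is the only change needed for live mail.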