gnupg encrypted mail and malware/spam

Ingo Klöcker
Mon May 12 09:37:03 2003

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Monday 12 May 2003 08:30, you wrote:
> At 20:34 2003-05-11 +0200, Ingo Kl=F6cker wrote:
>  >On Sunday 11 May 2003 13:28, Thomas Scheffczyk wrote:
>  >> Until now, no comment was given to my first post scriptum:
>  >>
>  >> 'I do not fear 'ordinary' viruses or other malware. What i really
>  >> fear is a sophisticated attacker that send on a very slow rate
>  >> backdoors to single users in my network. I can not guarantee the
>  >> really no user will start the program. If it is started, it's
>  >> easy to create a backchannel over allowed traffic like http.'
>  >>
>  >> Does nobody fear this, too?
>  >
>  >There's not much you can do to prevent this from happening apart
>  > from installing a strict policy for the usage of encryption. One
>  > option would be to disallow MIME (OpenPGP or S/MIME) encrypted
>  > messages and only allow inline encryption because with inline
>  > encryption attachments can't be encrypted.
>  >
>  >Regards,
>  >Ingo
> Yes, Ingo! GPGrelay encrypts attachments when using inlined
> encryption! I really like it! A wonderful feature ;-)>

Well, that's good for you. ;-) But there is no standard for inline=20
encrypted attachments. So that's no problem because there's probably=20
not a single native Windows email client which automatically decrypts=20
these attachments. Heck, not even PGP/MIME is supported by Outlook. So=20
what's the problem anyway? I don't think that an attacker will use PGP=20
(be it inline or PGP/MIME) as long as Outlook only supports S/MIME=20
encryption natively.


Content-Type: application/pgp-signature
Content-Description: signature

Version: GnuPG v1.2.1 (GNU/Linux)