Mailfilter for unknown signatures (Re: gpg --search-keys)

Thomas Sjögren thomas at northernsecurity.net
Thu Mar 25 00:05:09 CET 2004


On Wed, Mar 24, 2004 at 11:22:04PM +0100, Albert wrote:
> I tried to search my own key with different search strategies :-)

Did it work?

> I uploaded 1 new email-address with my key and after a few days I 
> got a W32/Mydoom.G to this address. A 2nd address which was 
> uploaded to the keyserver too at the same time, got this Mydoom 
> too, while a 3rd and 4th address (daughter, friend) didn't. It was 
> very strange. 

I got limited knowledge about worm/malware but it seems unlikely that 
MyDoom actually scans keyservers to gather email addresses. If I'm not
mistaken no worm has done this (yet).

> With 99.99% I can exclude, that the malware came from 
> the only person who knew the new email-address. We both use linux 
> systems. I never heard of a linux system which spreads a win-worm 
> automatically and passes the firewall. 

I have to trust you about the number of people knowing the address in
question. However, as long as you can send emails, you can spread
malware.

> I think the only way to protect email-addresses registered at 
> key-servers from spam is to accept mails with signatures only and 
> make an autoresponder for the non-signed.

This behavior would, sad to say, kill 99% of all mails sent.

> As a 2nd step I would like to check for encrypted mails, which are 
> signed but not known locally. Any ideas how I can do this with a 
> linux-mailserver?

Set a procmail filter, for example, to look for the PGP MESSAGE string
and then parse the message to a shell script.

btw, don't use pgp.mit.edu, it's broken. Use subkeys.pgp.net instead.

/Thomas
-- 
== thomas at northernsecurity.net | thomas at se.linux.org
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--
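
One way to write the script that the procmail filter suggested in the message above would call, as an added example that is not part of the original post. The recipe in the comment, the script path, the action names and the sample key ID are assumptions; it handles inline ASCII-armored mail only, and the gpg call is not exercised by the constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post. A procmail recipe such as
#   :0 B
#   * ^-----BEGIN PGP (SIGNED )?MESSAGE-----
#   | /usr/local/bin/pgp-triage.sh     (hypothetical path)
# would pipe matching mail to a script built from these functions.

# classify_mail FILE -> encrypted | signed | unsigned
# Anchored at line start, so armor quoted in a reply ("> -----BEGIN") is ignored.
classify_mail() {
    if grep -q '^-----BEGIN PGP MESSAGE-----' "$1"; then echo encrypted
    elif grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$1"; then echo signed
    else echo unsigned; fi
}

# sig_verdict: reads `gpg --status-fd 1 --verify` output on stdin
# -> bad | unknown-key | good | unverified
# BADSIG is checked first so one bad signature outweighs any good one.
sig_verdict() {
    status=$(cat)
    has() { printf '%s\n' "$status" | grep -q "^\[GNUPG:\] $1 "; }
    if   has BADSIG;    then echo bad
    elif has NO_PUBKEY; then echo unknown-key
    elif has GOODSIG;   then echo good
    else echo unverified; fi
}

# triage FILE -> deliver | hold | reject | autorespond (hypothetical actions)
triage() {
    case "$(classify_mail "$1")" in
        unsigned)  echo autorespond ;;   # the "signatures only" policy
        encrypted) echo hold ;;          # any signature is inside the ciphertext
        signed)
            v=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | sig_verdict)
            case "$v" in
                good)        echo deliver ;;
                unknown-key) echo hold ;;   # signed, but key not in local keyring
                *)           echo reject ;;
            esac ;;
    esac
}

# Constructed sample status line; the key ID is a placeholder, not a real key.
printf '%s\n' '[GNUPG:] NO_PUBKEY 0123456789ABCDEF' | sig_verdict
```
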