Mailfilter for unknown signatures (Re: gpg --search-keys)
gnupg at ml0402.albert.uni.cc
Thu Mar 25 01:54:41 CET 2004
Am Donnerstag, 25. März 2004 00:05 schrieb Thomas Sjögren:
> On Wed, Mar 24, 2004 at 11:22:04PM +0100, Albert wrote:
> > I tried to search my own key with different search strategies
> > :-)
> Did it work?
With everything including my lastname I found my key, but not with
> > I uploaded 1 new email-address with my key and after a few days
> > I got a W32/Mydoom.G to this address. A 2nd address which was
> > uploaded to the keyserver too at the same time, got this Mydoom
> > too, while a 3rd and 4th address (daughter, friend) didn't. It
> > was very strange.
> I got limited knowledge about worm/malware but it seems unlikely
> that MyDoom actually scans keyservers to gather email addresses.
> If i'm not mistaken no worm has done this (yet).
I don't think the malware itselfs scans the keyservers, but probably
spammers and also people with viruses. Nowadays spammers use viruses
to create open relays and to spread their mails later.
> > With 99.99% I can exclude, that the malware came from
> > the only person who knew the new email-address. We both use
> > linux systems. I never heard of a linux system which spreads a
> > win-worm automatically and passes the firewall.
> I have to trust you about the number of people knowing the
> address in question. However, as long as you can send emails, you
> can spread malware.
I think it is very unlikely to spread win-viruses with linux
> > I think the only way to protect email-addresses registered at
> > key-servers from spam is to accept mails with signatures only
> > and make an autoresponder for the non-signed.
> This behavior would, sad to say, kill 99% of all mails sent.
It depends on your email-strategies and on your _personal_ needs.
Why shouldn't one use an email-address for signed/encrypted mails
_only_? There are only a few people (below 10) who send me signed
emails and all of them I know personally very well. Because I am
very sure, that nobody else than a few people and spammers would
send emails to this address, I can be very strict. I think of a
filter with an autoresponder, which mentions a webpage were a
standard-email-address is included as a picture, which is
unreadable for a scanner, but a human has a chance to contact me.
Also I am sure nobody would ever contact me via this way.
> > As a 2nd step I would like to check for encrypted mails, which
> > are signed but not known locally. Any ideas how I can do this
> > with a linux-mailserver?
> Set a procmail filter, for example, to look for the PGP MESSAGE
> string and the parse the message to a shell script.
I think the first filter I can setup at a freemailer like gmx, where
I check for "application/pgp-signature" in the header, so unsigned
emails are deleted there without downloading. Maybe I belong to the
people who have no real security needs, but think where everything
is monitored and manipulated, using gpg shouldn't be wrong.
The next step after the redirection to a freemailer are the local
I am not very familiar with procmail, any help would be appreciated.
Different users on a small mailserver use fetchmail to get the
mails. Then postfix and .forward is used to check for viruses with
amavis and spamassassin
"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #localuser"
* < 256000
* ^^rom[ ]
LOG="*** Dropped F off From_ header! Fixing up. "
| sed -e '1s/^/F/'
qpopper is also setup. So the users clients get their mails via a
local POP3-server, using KMail and mails are stored there in
maildir-format. At the end a valid email has to be forwared to the
default mailbox in /var/spool/mail and maybe the user should get a
note that an encrypted email from X was deleted.
I don't know _where_ I can include the shell script. But I think I
could write this script with all features I would like to have.
Also I am unsure how I should check for known signatures.
The mail doesn't contain a key-ID, so I have to check if the
email-address can be found in my local keys, or am I wrong?
Using grep I should be able to get the from-address and with
gpg --list-keys <email-address> I can check the public keys, the
program mail could be used to inform of a deleted email.
> btw, dont use pgp.mit.edu, it's broken. use subkeys.pgp.net
I don't use it, but why are they broken? I know that
www.keyserver.net shows a wrong fingerprint with my key, but with
pgp.mit.edu it is ok.
More information about the Gnupg-users