Mailfilter for unknown signatures (Re: gpg --search-keys)
Albert
gnupg at ml0402.albert.uni.cc
Thu Mar 25 01:54:41 CET 2004
On Thursday, 25 March 2004 at 00:05, Thomas Sjögren wrote:
> On Wed, Mar 24, 2004 at 11:22:04PM +0100, Albert wrote:
> > I tried to search my own key with different search strategies
> > :-)
>
> Did it work?
With everything including my last name I found my key, but not with
Albert.
> > I uploaded 1 new email-address with my key and after a few days
> > I got a W32/Mydoom.G to this address. A 2nd address which was
> > uploaded to the keyserver too at the same time, got this Mydoom
> > too, while a 3rd and 4th address (daughter, friend) didn't. It
> > was very strange.
>
> I have limited knowledge about worms/malware, but it seems unlikely
> that MyDoom actually scans keyservers to gather email addresses.
> If I'm not mistaken no worm has done this (yet).
I don't think the malware itself scans the keyservers, but probably
spammers do, and also people with viruses. Nowadays spammers use
viruses to create open relays and to spread their mails later.
> > With 99.99% I can exclude, that the malware came from
> > the only person who knew the new email-address. We both use
> > linux systems. I never heard of a linux system which spreads a
> > win-worm automatically and passes the firewall.
>
> I have to trust you about the number of people knowing the
> address in question. However, as long as you can send emails, you
> can spread malware.
I think it is very unlikely to spread Windows viruses with Linux
machines.
> > I think the only way to protect email-addresses registered at
> > key-servers from spam is to accept mails with signatures only
> > and make an autoresponder for the non-signed.
>
> This behavior would, sad to say, kill 99% of all mails sent.
It depends on your email strategies and on your _personal_ needs.
Why shouldn't one use an email address for signed/encrypted mails
_only_? There are only a few people (below 10) who send me signed
emails, and all of them I know personally very well. Because I am
very sure that nobody other than a few people and spammers would
send emails to this address, I can be very strict. I am thinking of
a filter with an autoresponder which mentions a webpage where a
standard email address is included as a picture, which is
unreadable for a scanner, but a human has a chance to contact me.
Also I am sure nobody would ever contact me this way.
> > As a 2nd step I would like to check for encrypted mails, which
> > are signed but not known locally. Any ideas how I can do this
> > with a linux-mailserver?
>
> Set up a procmail filter, for example, to look for the PGP MESSAGE
> string and then pass the message to a shell script.
I think the first filter I can set up at a freemailer like GMX, where
I check for "application/pgp-signature" in the header, so unsigned
emails are deleted there without downloading. Maybe I belong to the
people who have no real security needs, but I think that where
everything is monitored and manipulated, using gpg shouldn't be
wrong.
The next step after the redirection to a freemailer is the local
filters.
I am not very familiar with procmail; any help would be appreciated.
Different users on a small mailserver use fetchmail to get the
mails. Then postfix and .forward are used to check for viruses with
amavis and spamassassin:
cat .forward
# Hand every incoming message to procmail; exit 75 (EX_TEMPFAIL) makes
# the MTA retry later if procmail cannot be started.
"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #localuser"
cat .procmailrc
# Run messages smaller than 256000 bytes through spamc (the spamassassin
# client). The lock file keeps only one spamc running at a time.
:0fw: spamc.lock
* < 256000
| spamc
# Work around a procmail bug: output on stderr from the filter above can
# drop the leading "F" of the "From " line. Put it back.
:0
* ^^rom[ ]
{
LOG="*** Dropped F off From_ header! Fixing up. "
:0 fhw
| sed -e '1s/^/F/'
}
qpopper is also set up, so the users' clients get their mails via a
local POP3 server using KMail, and mails are stored there in
maildir format. At the end a valid email has to be forwarded to the
default mailbox in /var/spool/mail, and maybe the user should get a
note that an encrypted email from X was deleted.
I don't know _where_ I can include the shell script. But I think I
could write this script with all the features I would like to have.
Also I am unsure how I should check for known signatures.
The mail doesn't contain a key ID, so I have to check if the
email address can be found in my local keys, or am I wrong?
Using grep I should be able to get the From address, and with
gpg --list-keys <email-address> I can check the public keys; the
program mail could be used to inform about a deleted email.
> btw, don't use pgp.mit.edu, it's broken. use subkeys.pgp.net
> instead.
I don't use it, but why is it broken? I know that
www.keyserver.net shows a wrong fingerprint for my key, but with
pgp.mit.edu it is ok.
Albert
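The following is an added example, not code from Albert's post or from the GnuPG project. It shows one way to write the gate Albert describes as a shell script that procmail can call: it accepts a message only when it is PGP/MIME signed or encrypted (or carries an inline PGP block) and the From: address has a public key in the local keyring, which it looks up with gpg --list-keys as he proposes. The script path /usr/local/bin/pgp-gate.sh and the sample addresses and messages are made up for the example; GPG can be pointed at another binary or a shell function so the keyring lookup can be stubbed. Two caveats a practitioner should keep in mind: a Content-Type header is trivially forged, so this filter only removes the unsigned bulk, and a key existing for the sender's address does not prove the sender signed the mail. The signature packet itself carries the issuer's key ID, so gpg --verify on the message (in a later step) is what actually binds the mail to a known key.

```shell
#!/bin/sh
# pgp-gate.sh (added example): accept a message only if it is PGP-signed
# or PGP-encrypted AND the From: address has a public key in the local
# keyring. Exit 0 = accept, 1 = reject. Call it from procmail with a
# condition that pipes the message in (hypothetical path):
#
#   :0
#   * ? /usr/local/bin/pgp-gate.sh
#   $DEFAULT
#
#   :0
#   /dev/null
#
# GPG can be overridden (GPG=/path/to/gpg, or a shell function name) so
# the keyring lookup can be stubbed where no keyring is available.
GPG="${GPG:-gpg}"

# Print the bare address from the first From: header of the message on
# stdin. Handles "Name <addr>" and "addr (comment)" forms and stops at
# the blank line ending the header block, so a "From:" in the body is
# never picked up.
extract_from_addr() {
    hdr=$(awk '/^$/ { exit }
               tolower($0) ~ /^from:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    case "$hdr" in
        *"<"*">"*) printf '%s\n' "$hdr" | sed 's/.*<\([^>]*\)>.*/\1/' ;;
        *)         printf '%s\n' "$hdr" |
                       sed 's/[[:space:]]*(.*)//; s/^[[:space:]]*//; s/[[:space:]]*$//' ;;
    esac
}

# Return 0 if the message on stdin is PGP/MIME signed or encrypted
# (protocol application/pgp-signature or application/pgp-encrypted in the
# header block, folded or not) or carries an inline PGP block in the body.
is_pgp_mail() {
    msg=$(cat)
    printf '%s\n' "$msg" | awk '/^$/ { exit } { print }' |
        grep -qiE 'application/pgp-(signature|encrypted)' && return 0
    printf '%s\n' "$msg" |
        grep -qE -e '^-----BEGIN PGP (SIGNED )?MESSAGE-----' && return 0
    return 1
}

# Return 0 if the local keyring holds a public key whose user ID carries
# exactly this address. Wrapping the address in <> makes gpg match the
# whole address rather than any substring; --with-colons gives a stable
# "pub:" record to test for.
key_known() {
    "$GPG" --batch --no-tty --with-colons --list-keys "<$1>" 2>/dev/null |
        grep -q '^pub:'
}

# The gate: read one message from stdin, accept (0) or reject (1), and
# say why on stderr (procmail records that in its log).
gate_message() {
    msg=$(cat)
    printf '%s\n' "$msg" | is_pgp_mail ||
        { echo "pgp-gate: reject, neither signed nor encrypted" >&2; return 1; }
    addr=$(printf '%s\n' "$msg" | extract_from_addr)
    [ -n "$addr" ] ||
        { echo "pgp-gate: reject, no From: address" >&2; return 1; }
    key_known "$addr" ||
        { echo "pgp-gate: reject, no public key for $addr" >&2; return 1; }
    return 0
}

# Constructed sample messages (not real mail) for trying the functions.
SIGNED_MSG='From: Alice Example <alice@example.org>
To: albert@example.net
Subject: hello
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain

hi
--b1
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(signature data omitted in this sample)
-----END PGP SIGNATURE-----
--b1--'

UNSIGNED_MSG='From: spammer@example.com (bulk sender)
Subject: buy now

click here'

# When run as a script (not sourced), gate the message on stdin.
case "$0" in
    *pgp-gate.sh) gate_message ;;
esac
```

To also send the notice Albert wants, a second recipe with the c flag can pipe a rejected message's From: and Subject: lines to mail before the /dev/null recipe; the gate itself stays a pure accept/reject so it can be tested on its own.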
More information about the Gnupg-users mailing list