lists.openwall.net - Open Source and information security mailing list archives
From: security at 303underground.com (Scott Taylor)
Subject: a PGP signed mail? Has to be spam!

On Tue, 2003-11-11 at 19:22, onedo@....net wrote:
> Hi everyone
> 
> I had to notice something today that really disturbed me. A friend of 
> mine (working for a very big company) complained that she doesn't get any 
> mails from me anymore. It turned out that apparently my mails went straight 
> into the spam filter, as I signed every one of them. When I sent unsigned 
> mails, she got them. What do we learn? Crypto is bad m'kay?
> But for real, does that mean that we won't be able to sign any mails anymore 
> soon, due to the spam problem (and stupid admins)?
> 'EGovernment' is the big word everywhere nowadays. The electronic signature is 
> mentioned as a way to ensure the credibility of sender and receiver. Now 
> what?
> Guys (and girls), the situation sucks. What do you think? And, most important 
> of all, do you see any way to fight this behaviour? Because honestly, I 
> don't.
> Greets
> 
> $me

Quite the opposite. My Bayesian filter is learning to love signed
messages.  I'd probably start rejecting any non-signed messages just on
principle if I didn't have so many friends that paid for their operating
system. Your friend's company probably overpaid for their spam filter
too. She should send a note to her boss, the mail admin, etc. saying
that *business contacts* are being blocked due to poor filtering. They
tend to pay a little more attention if they think it's affecting their
sales.

I don't know any spammers that actually sign with valid gpg signatures.
And even if they did, their fingerprint would give us something to
specifically blacklist. It would be worth the effort to have the
mailserver itself verify signatures if enough people used them. Decent
mail clients make signing and checking signatures easy, and they do a
good job now of turning otherwise ugly blocks of random text into a nice
little 'valid signature' icon. It's not so much that I think someone is
going to spoof a friend's email account, although with all the poser
viruses out there, a message claiming to be from me but unsigned should
raise concern among the people I regularly email.


--
Scott Taylor - <security@...underground.com> 

Anyone who goes to a psychiatrist ought to have his head examined.
		-- Samuel Goldwyn
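The point above that a signer's fingerprint gives a mail filter something concrete to key on is easiest to see on the wire. The example below is added here and is not code from Scott's mail or the list: it pulls the issuer key ID out of a PGP/MIME-signed message (RFC 3156) by parsing the OpenPGP signature packet (RFC 4880), using a constructed sample message whose signature bytes are hand-built and would never verify. The issuer subpacket lives in the unhashed area, so it is only worth anything for allow- or blocklisting after gpg has actually verified the signature.

```python
import base64, email, re, struct

def dearmor(text):
    """Decode the base64 body of an armored signature block; armor headers and the CRC24 line are skipped."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(?:[^\n]+\n)*\n(.*?)-----END PGP SIGNATURE", text, re.S)
    if not m:
        raise ValueError("no PGP signature block")
    return base64.b64decode("".join(l for l in m.group(1).split("\n") if l and not l.startswith("=")))

def parse_signature_packet(pkt):
    """Walk a v4 signature packet (RFC 4880 5.2.3) and collect algorithms, issuer key ID and creation time."""
    hdr = pkt[0]  # GnuPG writes old-format headers for signatures; new-format (4.2.2) is not handled here
    if hdr & 0xC0 != 0x80 or hdr & 0x03 > 1:
        raise ValueError("only old-format packet headers with a 1- or 2-octet length are handled")
    tag, start = (hdr >> 2) & 0x0F, 2 + (hdr & 0x03)
    body = pkt[start:start + int.from_bytes(pkt[1:start], "big")]
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a v4 signature packet")
    info, pos = {"sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3]}, 4
    for _ in range(2):  # hashed subpacket area, then unhashed (unauthenticated until gpg verifies the signature)
        end, pos = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0], pos + 2
        while pos < end:
            sp_len, pos = body[pos], pos + 1
            if sp_len >= 192:  # two-octet subpacket length (5.2.3.1); the five-octet form (255) is not handled
                sp_len, pos = ((sp_len - 192) << 8) + body[pos] + 192, pos + 1
            sp_type, val = body[pos] & 0x7F, body[pos + 1:pos + sp_len]  # top bit of the type is the critical flag
            if sp_type == 2:
                info["created"] = struct.unpack(">I", val)[0]
            elif sp_type == 16:
                info["key_id"] = val.hex().upper()
            pos += sp_len
    return info

def signer_key_id(raw_mail):
    """Issuer key ID of the message's PGP/MIME signature part (RFC 3156), or None for unsigned mail."""
    for part in email.message_from_bytes(raw_mail).walk():
        if part.get_content_type() == "application/pgp-signature":
            return parse_signature_packet(dearmor(part.get_payload(decode=True).decode()))["key_id"]
    return None

# Constructed sample, not a real signature: v4 packet, old-format header, RSA/SHA-256, dummy hash bytes and MPI.
_hashed = b"\x05\x02" + struct.pack(">I", 1068600000)        # subpacket 2: creation time
_unhashed = b"\x09\x10" + bytes.fromhex("0123456789ABCDEF")  # subpacket 16: issuer key ID
_body = b"\x04\x01\x01\x08" + b"\x00\x06" + _hashed + b"\x00\x0a" + _unhashed + b"\xab\xcd" + b"\x00\x10\x80\x01"
SIG_PACKET = b"\x88" + bytes([len(_body)]) + _body            # tag 2 with a one-octet length
SAMPLE_MAIL = ('Content-Type: multipart/signed; boundary="b"; protocol="application/pgp-signature"\n\n'
               "--b\nContent-Type: text/plain\n\nhello\n--b\nContent-Type: application/pgp-signature\n\n"
               "-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(SIG_PACKET).decode()
               + "\n-----END PGP SIGNATURE-----\n--b--\n").encode()
```

A server-side filter would run `gpg --verify` first and only then feed the returned key ID into its allow- or blocklist; the `hash_algo` field is also where a policy rejecting MD5/SHA-1 signatures would look.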

