Message-ID: <20031111213926.3bd142d9.michael@bluesuperman.com>
From: michael at bluesuperman.com (Michael Gale)
Subject: a PGP signed mail? Has to be spam!

Hello,

But public keys are only valid if you trust them -- the point is, just
because a person signs an e-mail with a PGP key and the key matches the
from address does not mean it is NOT spam.

E-mail from spammers does not usually have valid from addresses - so the
PGP key can match the fake from addresses without a problem.

So again -- a PGP signed message is as trustworthy as the from address
of the spammer is. The only reason my from address did not match my PGP
key is because I cannot post to the list if my from address is not
michael@...esuperman.com

Also -- having a mail server check PGP sigs on e-mails is NOT an option
-- think of the overhead, the delay and timeout if the server does not
exist or does not respond.

This would cause major mailq build-ups and could easily crash a mail
system.

Anti-spam tools - DCC, Razor, RBL, Bayesian Statistical Token Analysis
and then whitelist and blacklist.

Not PGP checks.

Michael.



On Wed, 12 Nov 2003 04:24:11 +0000
"Daniel" <dan@...kedbox.net> wrote:

> Michael Gale <michael@...esuperman.com> wrote:
> 
> > Hello,
> > 
> > Do you know how PGP signatures work? You need to have the person who
> > signed it / created the PGP sig to somehow securely provide you with
> > their key to validate it.
> 
> Ummm, no, that is why we have public/private keys. The private key can
> be used to sign and the public key used to verify. Yes you can create
> a key from an address that is not your own. But if you receive a
> message from bill@...rosoft.com you would expect a key to say the
> same.
> 
> Regards,
> Daniel B.
> 
> ----------------------------------------
> Please do not send me Word or PowerPoint attachments.
> See http://www.fsf.org/philosophy/no-word-attachments.html
> 
> 
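The point both messages circle around, that a signature only proves a message was made with a particular key and that the key's user ID is whatever its creator typed in, can be shown in code. The script below is an added example and is not from this thread or from any PGP implementation: textbook RSA over small constructed primes stands in for PGP so it runs offline (a toy, no padding, tiny keys), the addresses, messages and the "trusted" keyring are constructed, and `assess` is a hypothetical mail-client check, not a real tool's logic.

```python
"""Added example, not from the thread: a toy model of why a PGP signature that
verifies and whose key matches the From: address is still not evidence that a
message is not spam.  Textbook RSA over small constructed primes stands in for
PGP so the script runs offline; it is a toy (no padding, tiny keys) and only
models the logic.  Addresses, messages and the trusted keyring are constructed.
"""
import hashlib
from math import gcd


def next_prime(n):
    """Smallest prime >= n by trial division (fine for the toy sizes used here)."""
    while True:
        if n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def toy_keypair(p, q):
    """Textbook RSA: public (n, e), private (n, d).  Toy only, never use for real mail."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 3
    while gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def digest(msg, n):
    """Hash the message and reduce it into the key's modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg, priv):
    n, d = priv
    return pow(digest(msg, n), d, n)


def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)


def fingerprint(pub):
    """Hash of the public key; this, not the user ID, is what a recipient pins."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


class Key:
    """A key as a mail client sees it: a public key plus a user ID that the key's
    creator simply typed in.  Nothing stops anyone from creating a key whose
    user ID names someone else's address."""

    def __init__(self, user_id, p, q):
        self.user_id = user_id
        self.pub, self.priv = toy_keypair(p, q)


def assess(from_addr, msg, sig, key, trusted_fingerprints):
    """Hypothetical client-side check returning (verdict, checks).  A valid
    signature and a user ID equal to the From: header are both under the
    sender's control; only a fingerprint the recipient trusted out of band
    (web of trust, prior exchange) carries weight."""
    checks = {
        "signature_valid": verify(msg, sig, key.pub),
        "uid_matches_from": key.user_id == from_addr,
        "key_trusted": fingerprint(key.pub) in trusted_fingerprints,
    }
    if not checks["signature_valid"]:
        verdict = "broken signature"
    elif checks["key_trusted"] and checks["uid_matches_from"]:
        verdict = "authenticated sender"
    else:
        verdict = "unverified key: says nothing about spam"
    return verdict, checks


# Constructed scenario: Bill's real key, whose fingerprint the recipient pinned earlier.
bill = Key("bill@example.com", next_prime(1_000_000), next_prime(2_000_000))
trusted = {fingerprint(bill.pub)}
# Someone else generates a fresh key that claims Bill's address as its user ID.
impostor = Key("bill@example.com", next_prime(3_000_000), next_prime(4_000_000))


def demo():
    """Three messages, all carrying From: bill@example.com."""
    legit = b"Lunch on Friday?"
    forged = b"Buy now!"
    legit_sig = sign(legit, bill.priv)
    return {
        "legit": assess("bill@example.com", legit, legit_sig, bill, trusted),
        # Signed with the impostor's own key: the signature verifies and the
        # user ID matches From:, yet the key is unknown, so it proves nothing.
        "forged": assess("bill@example.com", forged, sign(forged, impostor.priv), impostor, trusted),
        # Bill's real signature over altered content: this is what a signature does catch.
        "tampered": assess("bill@example.com", legit + b" Buy now!", legit_sig, bill, trusted),
    }


if __name__ == "__main__":
    for name, (verdict, checks) in demo().items():
        print(f"{name:8s} -> {verdict}  {checks}")
```

Running it shows the forged message passing both the signature check and the user-ID match while the verdict stays "unverified", which is exactly the gap in "the key matches the from address": the only input an attacker does not control is the recipient's own trust store, and populating that store is the out-of-band step the thread argues about.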


