Bug 2139 - Fake PGP signatures
Summary: Fake PGP signatures
Status: RESOLVED WONTFIX
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (Eval Tests)
Version: SVN Trunk (Latest Devel Version)
Hardware: All All
: P3 enhancement
Target Milestone: 2.70
Assignee: SpamAssassin Developer Mailing List
Reported: 2003-06-26 05:40 UTC by Jack Gostl
Modified: 2003-12-02 07:10 UTC

Description Jack Gostl 2003-06-26 05:40:50 UTC
I'm getting a growing number of spams that slip through by embedding a 
syntactically correct but fake PGP signature inside HTML. The fake signature 
generates a large negative value, allowing almost anything to slip through. 

Note: This seems to be combined with a random word attack aimed at disabling 
the Bayes algorithm.
Comment 1 Matt Kettler 2003-06-26 07:42:55 UTC
Subject: Re: [SAdev]  New: Fake PGP signatures

The PGP half seems to be fixed in 2.60 by the total elimination of the PGP 
signature rules. Check the daily snapshot tarballs.

Really, no matter how picky SA gets, spammers can always forge a PGP sig 
into their mail. Heck, worst case spammers can generate a real PGP 
signature if they want.

Eliminating the negative scoring rule for PGP signed messages is really the 
right thing to do, as spammers can always forge it, so I think the SA dev 
crew did the right thing there.

I do think it would be beneficial to SA to have a positive scoring "abused 
PGP signature" rule set. These deformed PGP signatures are a good 
indication of ratware that's trying to evade SA by faking signatures. Sure, 
spammers will eventually stop, but in the interim they'll get a double-hit 
(no more comp points, and added spam points for their efforts).

Something like this grouping:

body __PGP_BEGIN_SIG  /-----BEGIN PGP SIGNATURE-----/
body __PGP_END_SIG     /-----END PGP SIGNATURE-----/
body __PGP_SIGNED_MESSAGE  /-----BEGIN PGP SIGNED MESSAGE-----/

meta PGP_ABUSED_SIGNATURE   __PGP_BEGIN_SIG && !__PGP_SIGNED_MESSAGE
meta PGP_INCOMPLETE_SIGNATURE   __PGP_BEGIN_SIG && !__PGP_END_SIG
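
The rule grouping proposed in Comment 1, evaluated over three constructed messages; this is an added example, not part of the bug thread and not SpamAssassin code. The function names, the sample messages and the rough HTML-to-text step (standing in for body rendering) are assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# The three sub-rule patterns from the comment above.
BEGIN_SIG = re.compile(r"-----BEGIN PGP SIGNATURE-----")
END_SIG = re.compile(r"-----END PGP SIGNATURE-----")
SIGNED_MSG = re.compile(r"-----BEGIN PGP SIGNED MESSAGE-----")

class TextNodes(HTMLParser):
    """Collects text nodes: a rough stand-in for HTML rendering (assumption)."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def rendered_body(raw):
    """Join the text/* parts of a message; HTML parts are reduced to text."""
    out = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # containers and non-text attachments are not body text
        text = part.get_payload()
        if part.get_content_subtype() == "html":
            parser = TextNodes()
            parser.feed(text)
            parser.close()
            text = "".join(parser.chunks)
        out.append(text)
    return "\n".join(out)

def evaluate(raw):
    """Return the two meta-rule results for one raw message."""
    body = rendered_body(raw)
    begin, end, signed = (bool(p.search(body)) for p in (BEGIN_SIG, END_SIG, SIGNED_MSG))
    return {"PGP_ABUSED_SIGNATURE": begin and not signed,
            "PGP_INCOMPLETE_SIGNATURE": begin and not end}

# Constructed sample messages (not taken from real mail).
ARMOR = "-----BEGIN PGP SIGNATURE-----\n\nQ09OU1RSVUNURUQ=\n-----END PGP SIGNATURE-----\n"
FAKE_IN_HTML = ("Content-Type: text/html\n\n<html><body><p>random words here</p>"
                "<pre>" + ARMOR + "</pre></body></html>\n")
CLEARSIGNED = ("Content-Type: text/plain\n\n-----BEGIN PGP SIGNED MESSAGE-----\n"
               "Hash: SHA1\n\nhello\n" + ARMOR)
TRUNCATED = "Content-Type: text/plain\n\nhello\n-----BEGIN PGP SIGNATURE-----\n\nQ09O\n"

if __name__ == "__main__":
    for name in ("FAKE_IN_HTML", "CLEARSIGNED", "TRUNCATED"):
        print(name, evaluate(globals()[name]))
```

The metas only check that the armor markers are present together; they do not verify any signature, so a well-formed clearsigned block passes regardless of who produced it.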

Comment 2 Justin Mason 2003-12-02 16:10:37 UTC
closing as WONTFIX; since the removal of the PGP sig bonus rules in
2.5x, spammers haven't been forging these recently in any numbers,
so it'd be too much pain for too little gain.