Re-hi,

> I brought this up on the Cairo mailing list recently
> <http://lists.freedesktop.org/archives/cairo/2006-November/008345.html>
> and Carl Worth brought up the idea of a simple option to accept any post
> that's cryptographically signed, regardless of subscriber status. I
> liked this idea for several reasons.
>
> 1. I've never seen signed spam
> 2. Most mail programs have some way to sign mails
> 2. When spammers do start signing spam it allows a straightforward
> transition to a real web-of-trust style model.

I already received some spam messages including GPG markings. They were fake, of course; they were used to fool simple scoring systems (e.g. if message contains "BEGIN PGP SIGNED MESSAGE", it is most likely no spam).

As you mentioned, signing of a message is easy; so it is easy to sign a spam message, too. The problem is: Which key is used to sign the message, and how do you determine whether a key belongs to a spammer or to an ordinary user? The signature alone does not solve your problem.

The (only?) way to tell the mailing list that your key is to be trusted is the same procedure as usual: Register before post. The advantage you'll gain by verifying signatures is independence of the sender's address:

- Sender spoofing becomes impossible (the signature cannot be forged)
- No more hassle with different mail accounts (as long as the signature verifies, the ml will deliver the mail regardless of the sender's address)

Follow-up problem (or implementation detail, call it as you like it): Message freshness and partially signed messages. A spammer could capture a signed mail and repost it to a list; the spam message could be inserted at an unsigned part. If the list checks if some part is signed, the spam will be delivered; if the list verifies that the whole message is signed, you might have a lot of trouble with users using a buggy mail client.

Another possible problem: Verifying a cryptographic signature is a rather "expensive" operation (in terms of CPU time), on a high traffic server this will have a severe impact.

Please don't get me wrong: I think using signatures (and probably encryption, too) is a good idea - I'm just pointing out thoughts we made up when trying to hack gpg and/or s/mime support into mailman. In the course of that project, we tried to implement a "post if signature verifies", too.
If you want to have a look at it, see: http://non-gnu.uvt.nl/mailman-ssls/

My initial efforts for an encrypted mailing list are at:
http://stefan.ploing.de/linux/gpg-mailman

Stefan.
_______________________________________________
Mailman-Developers mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
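
The partially signed case raised in the message above, as an added example that is not part of the original post and is not Mailman code: a structural check that separates a message whose whole body sits inside one signature from a message where a signed part sits beside unsigned content. The function names and sample messages are constructed here, and the check does not verify the signature or decide whether the key is trusted; that step still has to follow for anything classified as "full".

```python
from email import message_from_string

SIGNED_PROTOCOLS = {"application/pgp-signature", "application/pkcs7-signature",
                    "application/x-pkcs7-signature"}
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
END = "-----END PGP SIGNATURE-----"

def _is_signed_container(part):
    # RFC 1847 multipart/signed: the signature covers the first child part only.
    return (part.get_content_type() == "multipart/signed"
            and part.get_param("protocol") in SIGNED_PROTOCOLS)

def _text(part):
    raw = part.get_payload(decode=True) or b""
    return raw.decode("utf-8", "replace")

def signature_coverage(msg):
    """Classify how much of the body is inside a signature: full, partial or none.
    Structural check only; it does not verify the signature or the key."""
    if _is_signed_container(msg):
        # Exactly two children (content + signature); anything extra is unsigned.
        return "full" if msg.is_multipart() and len(msg.get_payload()) == 2 else "partial"
    if not msg.is_multipart():
        body = _text(msg).strip()
        if BEGIN not in body:
            return "none"
        # Text before the armor header or after the armor footer is unsigned.
        whole = body.startswith(BEGIN) and body.endswith(END) and body.count(BEGIN) == 1
        return "full" if whole else "partial"
    for part in msg.walk():
        if _is_signed_container(part) or (not part.is_multipart() and BEGIN in _text(part)):
            return "partial"  # a signed part beside content the signature does not cover
    return "none"

# Constructed sample messages; the signature bodies are placeholders, not real signatures.
PGP_MIME = ('Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="s"\n\n'
            '--s\nContent-Type: text/plain\n\noriginal post\n'
            '--s\nContent-Type: application/pgp-signature\n\n(placeholder signature)\n--s--\n')
WRAPPED = ('Content-Type: multipart/mixed; boundary="m"\n\n'
           '--m\nContent-Type: text/plain\n\ntext added outside the signed part\n'
           '--m\n' + PGP_MIME + '--m--\n')
INLINE = ('Content-Type: text/plain\n\n' + BEGIN + '\nHash: SHA256\n\noriginal post\n'
          '-----BEGIN PGP SIGNATURE-----\n(placeholder signature)\n' + END + '\n')
INLINE_EXTRA = INLINE.replace(BEGIN, 'text added above the signed block\n' + BEGIN)
PLAIN = 'Content-Type: text/plain\n\nno signature here\n'

def classify(raw):
    return signature_coverage(message_from_string(raw))
```

Running this cheap structural pass first also means the CPU-heavy signature verification is only attempted on messages that could pass a "whole message signed" policy.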
