On Sat, 26 Jul 2003 11:18:39 +0700, Alexander Litvinov <[EMAIL PROTECTED]> writes:
> > Of course, in theory spammers could start including things that look like
> > PGP signatures. But since most people don't use PGP or GnuPG, we don't
> > have to worry about this.
> >
> > Later on, if spammers start to add fake PGP signatures, we can call an
> > external program to check the signature. Emails whose signatures are
> > recognized would automatically be accepted. Having an un-recognized PGP
> > signature might even count as a spam score.
> >
> > Thoughts?
>
> Spammers WILL start to use real, good signatures. It is not too hard.
>

Harder than it seems. Let's say we have a PGP signature blacklist for keys that sign spam. Secondly, we have a minimum key-length requirement (say, 1024 bits).

Each time they generate a signing-only key, they have to burn about 4 seconds of CPU time to make the key, and .08 seconds each to sign it. If they reuse the exact same signed message, then razor will be able to trivially detect it. If they reuse the same signing key for more than a few hundred messages, then the key may be blacklisted.

Also, signatures aren't the same as encryption. The message still exists in plaintext which is still analyzable via content-filtering.

Scott
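The blacklist policy argued for in the reply above, sketched as an added example that is not part of the original message or of SpamAssassin's code. The class and function names are hypothetical, `REUSE_LIMIT = 300` is an assumed value for "a few hundred messages", and signature verification is assumed to have been done already by an external program.

```python
from dataclasses import dataclass, field

MIN_KEY_BITS = 1024     # minimum key length suggested in the message
KEYGEN_SECONDS = 4.0    # per-key generation cost quoted in the message
SIGN_SECONDS = 0.08     # per-message signing cost quoted in the message
REUSE_LIMIT = 300       # assumption: stands in for "a few hundred messages"


@dataclass
class SignedMailPolicy:
    """Hypothetical filter-side policy for mail whose signature was already checked."""
    blacklist: set = field(default_factory=set)
    spam_reports: dict = field(default_factory=dict)

    def report_spam(self, fingerprint):
        """Count one spam report against a key; blacklist it past REUSE_LIMIT."""
        count = self.spam_reports.get(fingerprint, 0) + 1
        self.spam_reports[fingerprint] = count
        if count > REUSE_LIMIT:
            self.blacklist.add(fingerprint)

    def classify(self, fingerprint, key_bits, sig_valid):
        """Return a verdict for the signature on one message."""
        if fingerprint is None:
            return "unsigned"          # content filtering decides
        if not sig_valid:
            return "bad-signature"
        if key_bits < MIN_KEY_BITS:
            return "weak-key"
        if fingerprint in self.blacklist:
            return "blacklisted-key"
        return "signed-ok"             # plaintext is still content-filtered


def sender_cpu_seconds(messages, reuse_limit=REUSE_LIMIT):
    """CPU time a bulk sender burns if each key is retired after reuse_limit messages."""
    keys_needed = -(-messages // reuse_limit)   # ceiling division
    return keys_needed * KEYGEN_SECONDS + messages * SIGN_SECONDS


if __name__ == "__main__":
    policy = SignedMailPolicy()
    key = "CONSTRUCTED-FINGERPRINT-0001"        # constructed sample value
    for _ in range(REUSE_LIMIT + 1):
        policy.report_spam(key)
    print(policy.classify(key, 1024, True))
    print(sender_cpu_seconds(1_000_000), "CPU seconds for one million messages")
```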