[PLUG] what is the point of PGP-signed emails?

Zot O'Connor zot at whiteknighthackers.com
Tue Dec 9 11:41:02 UTC 2003


On Tue, 2003-12-09 at 11:18, Jason Van Cleve wrote:
> Quoth Paul Johnson, on Mon, 8 Dec 2003 18:51:28 -0800:
> 
> > > violates the trust given to them by sending spam, their signatures
> > > are revoked. It's a thought, anyways.
> > 
> > Well, their signatures wouldn't be revoked, but everybody could just
> > set their trust level with that person to be untrustable.
> 
> So every client has to maintain a separate list of known spammers?  I
> don't know, the web of trust is a fine idea, but I don't think it is
> strong enough to tackle spam.

No, you subscribe to a list of known spammers (a la razor).  Remember
this is "in the future" where everyone normally signs their email.  Thus
spammers, to avoid being easily filtered, will have to sign their emails.

They then have a few choices:
        Fake the signatures
                This will fail an automated system.
        Sign as an unknown user
                This will raise their spam score.
                Once this is a known spammer it will clinch it
                (razor-PGP)
        Sign as a different user each mail
                This always makes them an unknown and makes it harder to
                send bulk mail.
        Not sign the mail
                The most likely tactic, this will raise their score
                
Currently SpamAssassin can whitelist people as they send non-spam
mails to you.  This slowly builds a negative spam score.  With a
signature, this could be 100% on the first time a non-spam mail is
sent.  Thus you will always be sure that the email is from a legit
person.  Once that person starts spamming, then you tag the key, send it
to razor-PGP and the account is bad.

Now the razor-PGP idea is a blacklist and has all the issues that all
blacklists have, but it is far more effective than the current
score/weight scheme.

> 
> --Jason Van Cleve
> 
> --
> God bless America.  Or we'll nuke Him!
> 
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
-- 
Zot O'Connor

http://www.ZotConsulting.com
http://www.WhiteKnightHackers.com
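
The filtering policy described in this message, sketched as an added example that is not part of the original post: it reads GnuPG `--status-fd` verification lines and turns the four spammer choices into spam-score adjustments. The weights, key IDs and both key sets are constructed assumptions, and razor-PGP is the post's hypothetical shared blacklist, modelled here as a plain set.

```python
# Added example. Weights, key IDs and both key sets are constructed; "razor-PGP"
# is the post's hypothetical shared blacklist, modelled here as a plain set.

def classify(status_lines):
    """Reduce `gpg --status-fd` verification output to (state, key_id)."""
    state, key_id = "unsigned", None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        tag, arg = parts[1], parts[2]
        if tag == "BADSIG":                 # signature does not match the message
            return "forged", arg
        if tag == "GOODSIG":                # signature verified against a key we hold
            state, key_id = "good", arg
        elif tag in ("ERRSIG", "NO_PUBKEY") and state != "good":
            state, key_id = "unverifiable", arg   # signed, but could not be checked
    return state, key_id

def score_delta(status_lines, whitelist, blacklist):
    """Return (spam score adjustment, reason) for one message."""
    state, key_id = classify(status_lines)
    if state == "forged":
        return 10.0, "forged signature"
    if key_id in blacklist:
        return 10.0, "key reported to the shared blacklist"
    if state == "good" and key_id in whitelist:
        return -10.0, "verified known correspondent"
    if state == "unsigned":
        return 2.0, "no signature"
    return 1.5, "signed by a key we have no history with"

WHITELIST = {"1111AAAA2222BBBB"}            # constructed key IDs
BLACKLIST = {"DEADBEEF00000001"}
SAMPLES = {                                 # constructed gpg status output
    "friend":   ["[GNUPG:] GOODSIG 1111AAAA2222BBBB Friend <friend@example.org>"],
    "forged":   ["[GNUPG:] BADSIG 1111AAAA2222BBBB Friend <friend@example.org>"],
    "stranger": ["[GNUPG:] ERRSIG 3333CCCC4444DDDD 1 2 00 1070969000 9",
                 "[GNUPG:] NO_PUBKEY 3333CCCC4444DDDD"],
    "reported": ["[GNUPG:] GOODSIG DEADBEEF00000001 Bulk <bulk@example.net>"],
    "unsigned": [],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        print(name, score_delta(lines, WHITELIST, BLACKLIST))
```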
