PGP messages getting flagged as spam

I just received word from one of my regular correspondents that his
email server has begun flagging PGP traffic as spam. I haven't seen
this come up often (ever?) in the lists before, so I'm operating on the
assumption that this may be a new problem people should be aware of.

SpamAssassin is giving results like this:

> X-Spam-Status: Yes, score=5.6 required=5.0
> tests=BAYES_60,UNIQUE_WORDS,
> UPPERCASE_25_50 autolearn=disabled version=3.0.4
> X-Spam-Report:
> * 2.3 UNIQUE_WORDS BODY: Message body has many words used only
> once
> * 3.3 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
> * [score: 0.7031]
> * 0.0 UPPERCASE_25_50 message body is 25-50% uppercase

So, if you're running SpamAssassin, might want to see about tweaking
some rules. :)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@...
http://lists.gnupg.org/mailman/listinfo/gnupg-users
|
|
Re: PGP messages getting flagged as spam

When my university was using SpamAssassin, GPG emails were being
marked as spam because patterns were being matched by the armored text
and no negative bonus was being given to GPG signed or encrypted
messages. They were not willing to tweak their rules.

Adam Schreiber

On 10/9/07, Robert J. Hansen <rjh@...> wrote:
> I just received word from one of my regular correspondents that his
> email server has begun flagging PGP traffic as spam. I haven't seen
> this come up often (ever?) in the lists before, so I'm operating on the
> assumption that this may be a new problem people should be aware of.
>
> SpamAssassin is giving results like this:
>
> > X-Spam-Status: Yes, score=5.6 required=5.0
> > tests=BAYES_60,UNIQUE_WORDS,
> > UPPERCASE_25_50 autolearn=disabled version=3.0.4
> > X-Spam-Report:
> > * 2.3 UNIQUE_WORDS BODY: Message body has many words used only
> > once
> > * 3.3 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
> > * [score: 0.7031]
> > * 0.0 UPPERCASE_25_50 message body is 25-50% uppercase
>
> So, if you're running SpamAssassin, might want to see about tweaking
> some rules. :)
|
|
Re: PGP messages getting flagged as spam

Hi!

Quite some time ago I have seen spams with an (obviously bogus)
"---BEGIN PGP SIGNATURE---" + garbage part at the end of the mails.
This might have had negative influence on some Bayesian databases.

Apart from creating a special SpamAssassin module which actually
verifies incoming emails, I would not know what to do about it.

So long, Sven
|
|
Re: PGP messages getting flagged as spam

On Tue, 9 Oct 2007, Adam Schreiber wrote:

> When my university was using SpamAssassin, GPG emails were being
> marked as spam because patterns were being matched by the armored text
> and no negative bonus was being given to GPG signed or encrypted
> messages. They were not willing to tweak their rules.

Has anyone tried contacting the SA developers about this? It seems like
something fairly straightforward for them to add.

Doug

--
If you're never wrong, you're not trying hard enough
|
|
Re: PGP messages getting flagged as spam

At 2007-10-13 19:52 -0700, Doug Barton <dougb@...> wrote:
> Has anyone tried contacting the SA developers about this? It seems like
> something fairly straightforward for them to add.

"The SA developers" is a misconceived phrase here. You're interested
in the party who wrote widely disseminated rules that happened to
match PGP-enciphered messages (and it's likely to be several parties
each and different parties for PGP/MIME- and clear-signed messages
and for enciphered messages, whether ASCII-encoded or not).

It's up to the site administrator to make use of SA rules that aren't
braindamaged. It's hardly the fault of the authors of SA if some
site decides to add 2.5 points to every message with a MIME
attachment, though you can, perhaps, see how that might be a naive
approach that works pretty well most of the time.

--
gabriel rosenkoetter
gr@...
|
|
Re: PGP messages getting flagged as spam

On 10/15/07, gabriel rosenkoetter <gr@...> wrote:
> It's up to the site administrator to make use of SA rules that aren't
> braindamaged. It's hardly the fault of the authors of SA if some
> site decides to add 2.5 points to every message with a MIME
> attachment, though you can, perhaps, see how that might be a naive
> approach that works pretty well most of the time.

Another problem: automatically adding negative score to PGP data would
make that an attractive tactic for spammers. If such a rule were
popular in SpamAssassin, you'd see a lot of base64 encoded HTML spam
with "fake" PGP headers, I imagine.

The real solution would be for SpamAssassin to check that the PGP
messages are well-formed, and verify signatures on any PGP message
before altering its score. A tad CPU intensive, I think, and it poses
a host of key management and trust management issues if the
SpamAssassin system serves many users (which most do).

--
RPM
|
|
Re: PGP messages getting flagged as spam

On Mon, 15 Oct 2007 13:26, malayter@... said:

> The real solution would be for SpamAssassin to check that the PGP
> messages are well-formed, and verify signatures on any PGP message
> before altering its score. A tad CPU intensive, I think, and it poses

FWIW, a few weeks ago I received the first PGP signed spam. The
signature was good and I believe that it was sent using a trojan
utilizing the local MUA which was configured to sign all outgoing mail.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by federal law.
|
|
Re: PGP messages getting flagged as spam

I have started an OpenPGP plugin for SpamAssassin that could be useful to
assign a negative score to signed emails. See
http://search.cpan.org/perldoc?Mail::SpamAssassin::Plugin::OpenPGP

I am using it myself, but it is not complete and I wouldn't recommend
using it in a production environment without some good testing. And
patches for it, probably :)
|
|
Re: PGP messages getting flagged as spam

Hi!

Werner Koch wrote:
> FWIW, a few weeks ago I received the first PGP signed spam. The
> signature was good and I believe that it was sent using a trojan
> utilizing the local MUA which was configured to sign all outgoing mail.

Just out of curiosity: Does this (or, rather: should this) have
implications for your trust of the signer's key?

If the system is compromised, you cannot be sure of the authenticity of
messages coming from there, can you?

cu, Sven
|
|
Re: PGP messages getting flagged as spam

Sven Radde wrote:
> Just out of curiosity: Does this (or, rather: should this) have
> implications for your trust of the signer's key?

There are two schools of thought on this.

1. "Beats me. You get to define your policy, not me."
2. "If this guy's control of his keys and passphrase is so poor that a
   spammer can use them, then there is no sensible policy which would
   consider that key uncompromised."

Personally, I side with #1, but my own personal policy is #2. YMMV.
|
|
Re: PGP messages getting flagged as spam

On Tue, 16 Oct 2007 07:46, email@... said:

> Just out of curiosity: Does this (or, rather: should this) have
> implications for your trust of the signer's key?

Well I assume that this guy keeps his primary key offline and thus
malware would not be able to let him sign other keys ;-)

> If the system is compromised, you cannot be sure of the authenticity of
> messages coming from there, can you?

Right.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by federal law.
|
|
Re: PGP messages getting flagged as spam

Werner Koch writes:
 |
 | > If the system is compromised, you cannot be sure of the
 | > authenticity of messages coming from there, can you?
 |
 | Right.
 |

And therein is the issue. A year ago, I wrote an editorial where I
made a semi-numeric mostly educated guess that 15-30% of all
home/private systems were already compromised. I got some hate mail
but in the intervening months, Vint Cerf said 40%, Microsoft said
2/3rds, and IDC said 3/4ths. Whatever the true number is, real risk
management must now assume that the counterparty to a conversation
stands a good chance of being 0wned.

That said, the discount brokerages are hurting on this as 0wned
machines mean that stock pump&dump schemes can be pumped by booking
real trades from real people with real money, i.e., steal the password
via a key logger and then time the trade to help with the pump phase.
I've another editorial on that, but suffice it to say that in at least
one instance, the November 06 10-Q filing by e-Trade, the losses in
question reached the level that required SEC disclosure.

Which brings us to a point: Those brokerages want, and are willing to
pay real money for, something like an Active-X component that at the
outset of the trading session is downloaded fresh, steals the keyboard
away from the operating system, and pipes keystrokes through an
entirely distinct network stack direct to the trading environment,
i.e., makes the home user's PC into a dumb terminal for a moment.

On the one hand, that this could work is horrifying and the idea of
teaching the user community to say yes to "steal my keyboard" is
likewise horrifying. But on the other hand there is a coherent
argument that people fall in two camps: Those who always click "YES"
and those who never do. If someone always clicks "YES," then the odds
are that they are already 0wned and, thus, you need to 0wn them for a
moment if you are going to do anything important. If someone never
clicks "YES," then the odds are that they are canny and
self-protecting, so you don't need to 0wn them up just to have a
transaction.

The times, they are a changin'

--dan
|
|
Re: PGP messages getting flagged as spam

dan@... wrote:
> And therein is the issue. A year ago, I wrote an editorial where I
> made a semi-numeric mostly educated guess that 15-30% of all
> home/private systems were already compromised. I got some hate mail
> but in the intervening months, Vint Cerf said 40%, Microsoft said
> 2/3rds, and IDC said 3/4ths.

I seem to recall hearing Cerf say one in four, not two in five.
Regardless, the numbers are still shockingly high.

> Whatever the true number is, real risk management must now assume
> that the counterparty to a conversation stands a good chance of being
> 0wned.

It goes a lot deeper than brokerages, although it doesn't surprise me
that this industry has done a lot of thought about it.

In my day job I'm finishing a Ph.D. in computer security, using
electronic voting systems as a testbed for research. I am appalled at
how often well-meaning people ask "well, overhauling all these DRE
machines would cost a fortune, so why not just let people vote from
home?" Vote-from-home over the internet is probably going to happen
sooner or later in some jurisdiction, if only because it is possible
for a vendor to claim huge cost savings and convenience increases. And
what do we do once we've turned the machinery of democracy over to a
network which is increasingly owned lock, stock and barrel by botnets?

In a similar vein, I have two close relatives who are judges. It
scares me... I mean, it downright _terrifies me_... that they are
unaware of just how many machines are compromised, or the likelihood
that their own machines are compromised. Whenever I visit either of
them--which I do with some frequency--the first thing I do is scour
their PCs for traces of infestation. It's a substantial amount of
work, but I would much rather do this than run the risk of a felon's
conviction being overturned on the grounds that the judge's PC was
part of a botnet and thus we can't trust that the entered opinion was
accurate.

The implications of botnets are both wide-ranging and bone-chilling.
I am quite concerned about the potential impacts of botnets upon the
world at large.
|
|
Re: PGP messages getting flagged as spam

At 2007-10-15 06:26 -0500, Ryan Malayter <malayter@...> wrote:
> The real solution would be for SpamAssassin to check that the PGP
> messages are well-formed, and verify signatures on any PGP message
> before altering its score. A tad CPU intensive, I think, and it poses
> a host of key management and trust management issues if the
> SpamAssassin system serves many users (which most do).

It's still a worthwhile check, assuming an appropriately weighted
system (valid PGP signatures don't necessarily mean I want to read
the email, so it's worth a few points, but definitely a less-than-1
fraction of my "not spam, deliver it" number). Given that the default
install of SA in most package distributions makes use of various
DNS[/RBL] checks, I'm pretty sure that CPU time isn't the compelling
factor. I'm happy to accept a 10 minute lag in my email delivery
(from or two, really) for a 95%+ reduction in email I didn't want to
have to delete manually.

At 2007-10-15 19:51 -0700, Dave Brondsema <dave@...> wrote:
> I have started an OpenPGP plugin for SpamAssassin that could be useful to
> assign a negative score to signed emails. See
> http://search.cpan.org/perldoc?Mail::SpamAssassin::Plugin::OpenPGP

I am interested in your project and excited by the concept, but I'm
pretty sure it will reach the point of Works Good Enough before I
have the free time to help. Good luck, though!

At 2007-10-15 16:32 +0200, Werner Koch <wk@...> wrote:
> FWIW, a few weeks ago I received the first PGP signed spam. The
> signature was good and I believe that it was sent using a trojan
> utilizing the local MUA which was configured to sign all outgoing mail.

It was only a matter of time.

--
gabriel rosenkoetter
gr@...
|
|
Re: PGP messages getting flagged as spam

gabriel rosenkoetter wrote:
> It's still a worthwhile check, assuming an appropriately weighted
> system (valid PGP signatures don't necessarily mean I want to read
> the email, so it's worth a few points, but definitely a less-than-1
> fraction of my "not spam, deliver it" number). Given that the default

Not really.

The instant spammers figure they can sneak past SpamAssassin a
fractional bit more by having a good PGP signature, we're going to see
an explosion of PGP/MIME. The main body will be random text and have a
valid signature; the attachment will be the permuted-per-recipient
image, and will not.

They need to sign one message and send it to ten million people. Ten
million people then need to have their spamfilters parse the PGP
signature to see whether to give it the fractional point deduction.
This is classic asymmetric warfare.

In very short order so many spammers will be using PGP/MIME that just
using PGP/MIME legitimately will raise the point value of your traffic.
Which means that six months after people start marking down PGP-signed
emails, people start marking the scores way, way up.

I don't feel like sacrificing my ability to send encrypted emails to
someone just to get an additional six months delay in the spam war.
|
|
Re: PGP messages getting flagged as spam

At 16:32 2007-10-15, Werner Koch wrote:
>On Mon, 15 Oct 2007 13:26, malayter@... said:
>
>> The real solution would be for SpamAssassin to check that the PGP
>> messages are well-formed, and verify signatures on any PGP message
>> before altering its score. A tad CPU intensive, I think, and it poses
>
>FWIW, a few weeks ago I received the first PGP signed spam. The
>signature was good and I believe that it was sent using a trojan
>utilizing the local MUA which was configured to sign all outgoing mail.
>
>
>Shalom-Salam,
>
> Werner

The good news is that this makes it fairly easy to locate the
compromised computer and alert the user.

Snoken
|
|
Re: PGP messages getting flagged as spam

Hi!

Robert J. Hansen wrote:
> The instant spammers figure they can sneak past SpamAssassin a
> fractional bit more by having a good PGP signature, we're going to see
> an explosion of PGP/MIME.

Probably true, but how will spammers get signatures on their stuff that
are valid *for me*? They would have to compromise one of the keys that
are valid on my keyring or one that would be considered trustworthy by
means of the web-of-trust.

Maintaining a dedicated database of "spam-keys" that had been
trustworthy but were used for spam would help, too (to assign messages
signed by those keys a bad score).

Note that this approach requires a per-user filtering by SpamAssassin
but SA already handles per-user whitelists, blacklists and even
user-defined rules (not sure on the last one, though).

> The main body will be random text and have a
> valid signature; the attachment will be the permuted-per-recipient
> image, and will not.

Looks like a template for a nice SpamAssassin filtering rule ("signed
body + unsigned attachment") to at least offset the bonus received from
the valid sig. ;-)

Just my 2 cents, Sven
|
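Added example (not code from any poster in this thread, and not SpamAssassin's or the OpenPGP plugin's own code): the two structural checks proposed above, "check that the PGP messages are well-formed" and "signed body + unsigned attachment", written with Python's standard email package. The function names, finding labels and the constructed sample message are assumptions made for this illustration, and no signature is cryptographically verified.

```python
import base64
import email
from email import policy

BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"


def armor_is_signature(text: str) -> bool:
    """True if text is an armored block whose first OpenPGP packet is a signature."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return False
    body = lines[1:-1]
    if "" in body:  # armor headers, if any, end at the first blank line
        body = body[body.index("") + 1:]
    data = "".join(ln for ln in body if not ln.startswith("="))  # skip CRC24 line
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if not raw or not raw[0] & 0x80:  # bit 7 is set in every packet header
        return False
    tag = raw[0] & 0x3F if raw[0] & 0x40 else (raw[0] & 0x3C) >> 2
    return tag == 2  # packet tag 2 = Signature (RFC 4880)


def pgp_mime_findings(raw_message: bytes) -> list:
    """Structural findings for a PGP/MIME message. No signature is verified."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    signed = [p for p in msg.walk() if p.get_content_type() == "multipart/signed"]
    if not signed:
        return ["no-multipart-signed"]
    findings = []
    for part in signed:
        kids = part.get_payload()
        if str(part.get_param("protocol", "")).lower() != "application/pgp-signature":
            findings.append("wrong-protocol")
        if not isinstance(kids, list) or len(kids) != 2:
            findings.append("bad-part-count")
            continue
        text = (kids[1].get_payload(decode=True) or b"").decode("ascii", "replace")
        if (kids[1].get_content_type() != "application/pgp-signature"
                or not armor_is_signature(text)):
            findings.append("malformed-signature-part")
    covered = {id(p) for s in signed for p in s.walk()}  # parts under a signature
    for leaf in msg.walk():
        if not leaf.is_multipart() and id(leaf) not in covered:
            findings.append("part-outside-signature:" + leaf.get_content_type())
    return findings


def sample(attach_outside: bool) -> bytes:
    """Constructed message; the 'signature' is placeholder bytes, not a real one."""
    packet = base64.b64encode(bytes([0x88, 0x04]) + b"demo").decode()
    signed = ("Content-Type: multipart/signed; micalg=pgp-sha1;\r\n"
              ' protocol="application/pgp-signature"; boundary="s"\r\n\r\n'
              "--s\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
              "--s\r\nContent-Type: application/pgp-signature\r\n\r\n"
              f"{BEGIN}\r\n\r\n{packet}\r\n{END}\r\n--s--\r\n")
    if not attach_outside:
        return signed.encode()
    return ('Content-Type: multipart/mixed; boundary="m"\r\n\r\n--m\r\n' + signed
            + "--m\r\nContent-Type: image/gif\r\n\r\nGIF89a\r\n--m--\r\n").encode()
```

A filter would map these findings to score adjustments; how much weight they deserve is the policy question argued in this thread.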
|
Re: PGP messages getting flagged as spam

Sven Radde wrote:
> Probably true, but how will spammers get signatures on their stuff that
> are valid *for me*?

So, what, the plan then is to discard any message that's signed by an
unknown or untrusted key? Or consider that to be a spam indicator?
These cures are just as lousy as the disease.

> Looks like a template for a nice Spamassassin filtering rule ("signed
> body + unsigned attachment") to at least offset the bonus received from
> the valid sig. ;-)

So _more_ valid OpenPGP data gets discarded? This plan gets better and
better.
|
|
Re: PGP messages getting flagged as spam

Hi!

Robert J. Hansen wrote:
> So, what, the plan then is to discard any message that's signed by an
> unknown or untrusted key?
> (...)
> So _more_ valid OpenPGP data gets discarded? This plan gets better and
> better.

The plan was not to discard anything, but *deny the bonus* in some cases
where valid OpenPGP data is found. I fail to see why this would be worse
than the current situation where OpenPGP data does not get a bonus at
all.

cu, Sven
|
|
Re: PGP messages getting flagged as spam

On Tue, 16 Oct 2007, Robert J. Hansen wrote:

. . .
> Vote-from-home over the internet is probably going to happen sooner or
> later in some jurisdiction, if only because it is possible for a vendor
. . .

IIRC there was a Technische Universitaet or similar in Austria a while
ago that was going to do some student elections by internet. Like maybe
2-3 years ago or so?? Reading their description of their plan at the
time, I was not (FWIW) specially impressed that they were considering
what might be all possible problems, although IIRC there was discussion
of doing regular political elections the same way. I should have checked
later to see what the outcome was, but did not.