[Mailman-Developers] Crypto-sign to post

Barry Warsaw barry at python.org
Sun Nov 12 05:03:52 CET 2006


On Nov 9, 2006, at 5:54 AM, Stefan Schlott wrote:

> I already received some spam messages including GPG markings. They were fake,
> of course; they were used to fool simple scoring systems (e.g. if message
> contains "BEGIN PGP SIGNED MESSAGE", it is most likely no spam).
>
> As you mentioned, signing of a message is easy; so it is easy to sign a spam
> message, too. The problem is: Which key is used to sign the message, and how
> do you determine whether a key belongs to a spammer or to an ordinary user?
> The signature alone does not solve your problem.

I suppose you could also have each mailing list publish a pubkey and
require that messages be encrypted with that pubkey in order to get
posted.  Of course that increases the cycles involved on both ends,
but it allows you to accept messages without requiring the
registration of each sender's key.  Sure, spammers could use the same
key to sign spam, but I wonder if that wouldn't be more work than is
worthwhile for a botnet.

- -Barry


