(No, this is not Jonathan Blake; see .sig below :) Jonathan Blake <grafolog@netcom.com> writes:
When I get the bugs out of the procmail script I'm writing, to accomplish this, I'll send it to you.
I'd be very interested. I may even use it, if it works. :) I like Adam Shostak's suggestion regarding caching hashes of signed portions of incoming e-mail. If the filter is going to keep track of e-mail history, then another possible useful feature would be to limit the number of e-mails accepted from a given party (even distinict). "You mail is being returned to you because you're only authorized to send 10 e-mails here in a 24-hour period". Heh.
However, won['t most messages have the name of the intended recipient inside the PGP signature lines?
Not necessarily. Most e-mails say something like "Dear Alice," but not all. I wish the important headers were included in the signed portion. Here's another variant of the same attack: Bob sends Alice a PGP-signed e-mail. Alice posts a Usenet forgery, making it look like it came from Bob, and using the same PGP-signed body.
Alice _may_ notice that the _Received:_ headers are weird, but this forgery will certainly pass through a script that checks signatures.
I'll have to give this some thought. Have the script match the from id, with the message id. << Not sure how I can do this one, yet. >>
It's a piece of cake to forge the message-id to match the forged "From:". In fact, I'll do just that in this article, and I bet it'll take me less than a minute. Besides, your message-id doesn't match your host. :) I'm off to teach C++ now. (Yes, on Xmas) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps