[conspire] Mailing list servers and the spam problem

[Rick Moen]

Quoting Scott DuBois (rhcom.linux at gmail.com):

> A good example of why I send _signed_ mail and suggest others do as
> well.

Sending signed e-mail seems at first useful to ensure that other people
won't believe forgeries are from you.  You think 'Ah, other people will
_know_ it's not from me because it doesn't verify as having my GPG
signature.'

This _could_ work if (1) people have a chain of signatures permitting
them to trust that the key is yours, and (2) they are bothering to check
keys at all.

And that's almost nobody, at present.

General-case spam sent out from a compromised webmail account is not
relying on recipients _believing_ that the sender is real.  The spammer
is merely trying to reach more people and take advantage of
whitelisting.

For the second case of 'send money to me because I'm a stranded
traveler' fraud mail, the spammer _is_ hoping some recipients believe
the impersonation, _but_ as with similar 419 advance-fee frauds, they're
consciously aiming at unusually credulous people.  Indeed, they're
tailored to be worded to have a particular, very peculiar narrative with
the explicit intent of reaching a narrow, vulnerable subpopulation:
http://news.yahoo.com/study--obvious-nigerian-scam-emails-appear-that-way-for-a-reason.html
http://www.techrepublic.com/blog/it-security/the-truth-behind-those-nigerian-419-scammers/

All the 'send money to me because I'm a stranded traveler' scammers need
is to find a _single_ person in a compromised Yahoo Mail account owner's
address book who falls for the story, and they can steal vast amounts of
money.  And the odds of their target population even noticing a missing
gpg (let alone wrong) signature is exactly zero.