Computer Security - Digital sig in OL2003
Old 11-14-2003, 10:50 AM   #1
Default Digital sig in OL2003


Hi

Outlook 2003/Exchange 2000

I have tried to set up a digital sig & have bought the facility from Verisign
& installed on my computer. When I activate the sig, the recipient gets a
message that the sig could not be verified because it has been changed.
Although I have set it up in OL, is there something I must do in Exchange
please?

Regards
Nick




Nick Hill
Old 11-17-2003, 11:06 PM   #2
Vanguard
 
Default Re: Digital sig in OL2003


Did anything get appended or inserted into the message after it left
your e-mail client? For example, some folks use MsgTag to determine if
someone opened a message (it's the equivalent of web bugs or beacons
used by spammers). It runs as a proxy. You sign the message using your
certificate in your e-mail client, it goes through the proxy which
modifies the message, and now the recipient gets a warning that the
message is invalid (the hash code for it doesn't match what your e-mail
client inserted when it created the message). Well, that's because the
message *did* get modified so it can no longer be guaranteed to be the
exact content that the sender composed. Maybe you have something
upstream that is modifying your e-mails, like adding signatures or
footers, or converting from HTML to text or vice versa. Could be a
proxy through which you are sending your outbound e-mails, could be the
Exchange admins are modifying your e-mails before sending them, could be
your ISP is modifying their contents, like tacking on a promotional spam
signature. Have you actually asked the recipient to quote to you the
content of their received copy of your signed e-mail to ensure it ONLY
contains *exactly* what you wrote?

I'm not experienced with Exchange. However, I thought the security
certificate was local; i.e., it is saved on the client host. So it is
used at your end by your e-mail client to sign the message. You may
have to enable the "Send clear text signed message when sending signed
messages" option so the recipient can still read a text-only version of
your message even if it gets modified during transit.


Old 11-18-2003, 12:33 AM   #3
Nick Hill
 
Default Re: Digital sig in OL2003

Thanks for your reply.

I have complete control of my server & no-one else is involved in the
management of it. I use Exchange 2000 & have GFI Essentials for spam
filtering & Exclaimer for message tags. I turned off Exclaimer for the test.
My ISP is a paid service (Demon Internet) & they do not add tags. I don't
use MsgTag. I use ISA proxy server for web access, but this is not used for
email. I have checked the mail content & it is exactly as it left me. I have
"send clear text signed message...." enabled.

Regards
Nick




Old 11-18-2003, 06:36 AM   #4
lyal
 
Default Re: Digital sig in OL2003
Have you tried the 'extra line breaks removed' function, in the yellow area
at the top of the message? It changes the message format, leading to similar
errors with other security tools
Lyal
Old 11-18-2003, 12:36 PM   #5
Nick Hill
 
Default Re: Digital sig in OL2003
Thanks Lyal

It's not line breaks, as I've been sending 1 liner test messages. There's
been no message in the header bar about line breaks removed.

Regards
Nick
Old 11-18-2003, 02:28 PM   #6
Vanguard
 
Default Re: Digital sig in OL2003
Maybe it's on the recipient's end. Is the problem being tested by the
same recipient? If so, do they have something inline with their inbound
e-mails that may modify its content?

For example, I use the HTML-Modify plug-in with SpamPal (to detect
spam). It can modify the content of an inbound e-mail to remove
nasties, like linked images (which can be used as beacons back to a
spammer's server). So anyone trying to use MsgTag to track if I opened
their e-mail will never find out - because the linked image isn't in the
modified copy that I receive in my e-mail client. However, that means
the content got altered so the hash code recorded in the digital
signature won't match anymore for the contents that I eventually receive
in my e-mail client.

If the "recipient" is you (for testing the certificate) then see if
disabling any anti-spam software or any other proxies before or after
your mail server fixes the problem. Also check if you have any plug-ins
to Outlook that might modify the contents of inbound e-mails.




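The point made in replies #2 and #6 (any change to the signed content after signing means the recorded hash no longer matches) can be checked by comparing the sender's saved raw copy with the recipient's raw copy. This is an added example, not code from the thread: it assumes a clear-signed (multipart/signed) message, uses SHA-256 for illustration, does not verify the signature itself, and the sample messages, host name and gateway footer are constructed.

```python
import hashlib
import re

def signed_part(raw: bytes) -> bytes:
    """Bytes of the first part of a multipart/signed message (what the digest covers)."""
    raw = re.sub(rb"\r?\n", b"\r\n", raw)          # canonical CRLF, as for S/MIME text
    m = re.search(rb'boundary="?([^";\r\n]+)', raw, re.I)
    if not m:
        raise ValueError("no MIME boundary found")
    chunks = raw.split(b"\r\n--" + m.group(1))
    if len(chunks) < 3:
        raise ValueError("signed part or signature part missing")
    return chunks[1].split(b"\r\n", 1)[1]          # drop rest of the delimiter line

def digest(raw: bytes) -> str:
    # SHA-256 is an assumption for illustration; the real algorithm is named by micalg.
    return hashlib.sha256(signed_part(raw)).hexdigest()

def first_difference(sent: bytes, received: bytes):
    """None if the signed parts match, else (offset, sent bytes, received bytes)."""
    a, b = signed_part(sent), signed_part(received)
    if a == b:
        return None
    i = next((k for k, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))
    return i, a[i:i + 24], b[i:i + 24]

def sample(body: bytes, extra_header: bytes = b"") -> bytes:
    """Constructed clear-signed message; the signature blob is a placeholder."""
    return (extra_header +
            b'Content-Type: multipart/signed; boundary="b1"; micalg=sha-256;'
            b' protocol="application/pkcs7-signature"\r\n\r\n'
            b"--b1\r\nContent-Type: text/plain\r\n\r\n" + body +
            b"\r\n--b1\r\nContent-Type: application/pkcs7-signature\r\n\r\n"
            b"PLACEHOLDER\r\n--b1--\r\n")

# Constructed samples: the sent copy and three received variants.
SENT = sample(b"One line test\r\n")
RELAYED = sample(b"One line test\r\n", b"Received: from mx.example.test\r\n")
UNIX_EOL = SENT.replace(b"\r\n", b"\n")
FOOTER = sample(b"One line test\r\n\r\nScanned by gateway\r\n")

if __name__ == "__main__":
    for name, msg in [("relayed", RELAYED), ("LF line endings", UNIX_EOL), ("footer", FOOTER)]:
        print(name, digest(msg) == digest(SENT), first_difference(SENT, msg))
```

An added transport header or a line-ending change leaves the signed part identical, while text appended inside the signed part by a scanner or footer tool changes the digest and shows up at the reported offset.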
Old 11-24-2003, 10:54 AM   #7
Nick Hill
 
Default Re: Digital sig in OL2003
Thanks for your reply.

I've checked it with 2 recipients, but both have the same server setup. I
think you are right, it could be Groupshield (anti virus) that is doing
something to the mail, however I'm not going to switch that off.

Back to insecure emails.....

Regards
Nick