
spam harvesting
Status: Closed, Resolved (Public)

Description

Release: all
Environment: all

Description:

Google indexes GPG key servers. This means that spammers don't need to take special measures to harvest email addresses from key servers; they just get them with any old web harvester. For example, search for my email address "ian at eiloart.com" on Google. 95% of the hits are from GPG key servers.

How To Repeat

Create a GPG key with a new email address, and upload the key to a GPG key server. Wait a few days, and watch the spam pour in. Search Google for that new email address, and see where the spam came from.

Fix

Not sure. Encrypt the output from the key server? Mask the email addresses lightly? Warn people that public GPG keys are spam magnets?

Event Timeline

That is really interesting. It seems that they got a full keyserver dump and initiate searches for all those keys to get them "indexed". We can't do anything about it because any kind of encryption would be worked around by Google.

Is helping spammers a new part of their business model?

Well, the keyserver software could mangle email addresses, but this breaks automatic access to it. I further doubt that all operators would do so; some are still running buggy old keyservers. Why should they change anything just to try to avoid spam?

What fascinates me about this is that some of the keyservers have a robots.txt file that explicitly disallows indexing, but yet Google is still indexing them. For example, pgp.nic.ad.jp.

We can't do anything about it. Having key servers on port 80 and quite some key statistic pages will allow any harvester to get the keys.
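The "mask the email addresses lightly" proposal from the Fix section, and the objection above that mangling breaks automatic access, can be reconciled by masking only the HTML view while leaving the machine-readable HKP index untouched. The following is an added illustration, not keyserver code from GnuPG or any keyserver project; it assumes the HKP `op=index&options=mr` colon-delimited format with percent-encoded uid strings, and the sample response is constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample of an HKP machine-readable index response
# (op=index&options=mr). Key IDs, dates and addresses are made up.
SAMPLE_MR = """info:1:2
pub:0123456789ABCDEF:1:2048:1356998400::
uid:Example User <user%40example.org>:1356998400::
pub:FEDCBA9876543210:17:1024:1167609600:1325376000:r
uid:Another Person (work) <another.person%40example.net>:1167609600::
"""

EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def mask_email(text):
    """Lightly obscure addresses for the human-readable page only:
    'user@example.org' -> 'user at example dot org'."""
    def repl(match):
        local, domain = match.group(1), match.group(2)
        return f"{local} at {domain.replace('.', ' dot ')}"
    return EMAIL_RE.sub(repl, text)


def parse_mr_index(mr_text):
    """Parse pub/uid records into a list of (keyid, [uid, ...]) tuples.
    uid strings in the mr format are percent-encoded, so decode them."""
    keys = []
    for line in mr_text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append((fields[1], []))
        elif fields[0] == "uid" and keys:
            keys[-1][1].append(unquote(fields[1]))
    return keys


def render_index(mr_text, machine_readable):
    """HKP clients (machine_readable=True) get the exact uids so that
    key lookup keeps working; the HTML view a web crawler sees gets
    masked addresses. Returns a list of (keyid, uid) rows."""
    rows = []
    for keyid, uids in parse_mr_index(mr_text):
        for uid in uids:
            rows.append((keyid, uid if machine_readable else mask_email(uid)))
    return rows
```

As the thread itself points out, this only raises the cost for crawlers that scrape the HTML view; a harvester that speaks HKP directly, or that works from a full keyserver dump, still receives the exact addresses.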