Release: all
Environment
all
Description
Google indexes GPG key servers. This means that spammers don't need to take special measures to harvest email addresses from key servers; they just get them with any old web harvester. For example, search for my email address "ian at eiloart.com" on Google. 95% of the hits are from GPG key servers.
How To Repeat
Create a GPG key with a new email address, and upload the key to a GPG key server. Wait a few days, and watch the spam pour in. Search Google for that new email address, and see where the spam came from.
Fix
Not sure. Encrypt the output from the key server? Mask the email addresses lightly? Warn people that public GPG keys are spam magnets?