Page MenuHome GnuPG
Create Task
Maniphest T557

spam harvesting
Closed, ResolvedPublic
Actions

Description

Release: all

Environment

all

Description

Google indexes gpg key servers. This means that spammers don't need to take special measures to harvest email addresses from key servers, they just get them with any old web harvester. For example, search for my email address "ian at eiloart.com" on google. 95% of the hits are from GPG key servers.

How To Repeat

create a GPG key with a new email address, and upload the key to a gpg key servers. Wait a few days, and watch the spam pour in. Search google for that new email address, and see where the spam came from.

Fix

Not sure. Encrypt the output from the key server? Mask the email addresses lightly? Warn people that public GPG keys are spam magnets?

Event Timeline

anonymous added projects: gnupg, Bug Report.Oct 11 2005, 3:43 PM
werner added a subscriber: werner.Oct 11 2005, 10:26 PM

That is really interesting. It seems that they got a full keyserver dump and intiate searches for all those keys to get then "indexed". We can't do anything about it because all kind of encryption would be worked around by Google.

Is helping spammers a new part of their business mode?

werner added a comment.Oct 11 2005, 10:26 PM

see below

werner added a comment.Oct 11 2005, 10:29 PM

Well, the keyserver software could mangle eamil addresses but this breaks automatic access to it. I further doubt that all operators would do so - some are still running buggy old keyservers. Why should they change anything just to try avoiding spam.

dshaw added a subscriber: dshaw.Oct 11 2005, 10:44 PM

What fascinates me about this is that some of the keyservers
have a robots.txt file that explicitly disallows indexing,
but yet Google is still indexing them. For example, pgp.nic.ad.jp

werner added a comment.Oct 19 2006, 5:16 PM

Me can't do anything about it. Having key servers on port 80 and quite some key
statistic pages will allow any harvester to get the keys.

werner closed this task as Resolved.Oct 19 2006, 5:16 PM
werner added projects: Not A Bug, Keyserver.