Ender3rd (join: 2001-07-15, East Granby, CT; Cox HSI)
PGP key server and SPAM
Several of my students and I have been experimenting with encryption and decryption by using the last free version of PGP. After sending our public keys to the PGP key server (associated with each of our email addresses) we all began receiving the same identical SPAM messages within 24 hours. A search of this forum indicates at least one other member of this forum had a suspicion that his email address had been grabbed off the PGP key server back in 2003. Has anyone here who uses PGP noticed a change in SPAM levels after generating a key and sending it to the server? I just find it more than a coincidence that all of us are getting the same identical SPAM messages within 24 hours of submitting our keys, even on brand new throw-away web-based mail accounts.
Thanks for any observations you might have.
Regards,
Ender -- My Jeep is not an SUV. Your SUV is not a Jeep.
Daniel (join: 2000-06-26, Pleasanton, CA)
Your conclusion is logical -- I've heard this for some time as well. I use my real address and just see it as an opportunity to tune Spamassassin. Lemons and Lemonade. -- dmiessler.com - grep understanding knowledge
Ender3rd (join: 2001-07-15, East Granby, CT; Cox HSI)
Thank you for your response. I received a private message with this link enclosed and a reference to FAQ #6:
keyserver.borgnet.us/faq.html
----------------------------------------------------------
"FAQ #6 I think spammers got my email address from the PGP keyserver. What can I do?
Yes, there have been reports of spammers harvesting addresses from PGP keyservers. Unfortunately, there is not much that either we or you can do about this. Our best suggestion is you take advantage of any spam filtering technology offered by your ISP."
----------------------------------------------------------
It seems like kind of a casual attitude from a service that is completely security-based. Ummm... if you use our security key servers, which we cannot keep spammers from raiding, you will probably be spammed, so live with it. Unfortunately, this warning is not in any part of the setup/help files of the program. Oh well, not the end of the world, but very annoying. If you use PGP, think twice before uploading your public keys to any of the key servers. Just exchange your public keys directly with your own contacts. Lesson learned.
Regards,
Ender -- My Jeep is not an SUV. Your SUV is not a Jeep.
Daniel (join: 2000-06-26, Pleasanton, CA)
Well, the thing is that the email address is part of the identification of a key. That's the trick. I mean, the simple solution is for them to not display email addresses, but that's not really possible. I don't think the people hosting the keys deserve any blame; it's just the nature of the application. Blame the spammers. -- dmiessler.com - grep understanding knowledge
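Daniel's point above, that the address is part of the key itself, can be seen in the packet layout: an OpenPGP transferable public key (RFC 4880) is a public-key packet followed by one User ID packet per identity, and the User ID is an uncompressed UTF-8 string such as "Name <user@host>". The following is an added example, not code from the thread or from any keyserver: it builds a constructed key (dummy modulus, no self-signatures, invented addresses at example.org/example.net), then walks the packets exactly as a harvesting script would and pulls the addresses out. The function names, the sample identities and the key material are all assumptions made for the example.

```python
"""Walk an OpenPGP (RFC 4880) public key block and list the e-mail addresses
carried in its User ID packets.  The key built here is constructed, not a
real one; a real key also has self-signature packets (tag 2), omitted here."""
import base64, re

CRC24_INIT = 0xB704CE    # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB
USER_ID_TAG = 13         # RFC 4880 section 5.11; public-key packet is tag 6
EMAIL_RE = re.compile(r"<([^<>\s@]+@[^<>\s@]+)>")

def crc24(data: bytes) -> int:
    """CRC-24 used for the armor checksum trailer."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def _mpi(value: int) -> bytes:
    """Multi-precision integer: 2-octet bit count, then big-endian octets."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def _packet(tag: int, body: bytes) -> bytes:
    """One packet with a new-format header (RFC 4880 section 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body

def build_sample_key(user_ids) -> str:
    """Constructed sample: v4 RSA public-key packet with a dummy modulus, then
    one User ID packet per string, wrapped in ASCII armor."""
    dummy_n = (1 << 1023) | 0x1234567        # NOT a real modulus
    key_body = (b"\x04" + (0).to_bytes(4, "big") + b"\x01"   # v4, time 0, RSA
                + _mpi(dummy_n) + _mpi(65537))
    raw = _packet(6, key_body)
    for uid in user_ids:
        raw += _packet(USER_ID_TAG, uid.encode("utf-8"))
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(armored: str) -> bytes:
    """Strip the armor, base64-decode the body and verify the CRC-24 trailer."""
    lines = armored.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored block")
    body = lines[lines.index("") + 1:-1]      # skip armor headers and blank line
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    for l in body:
        if l.startswith("=") and crc24(raw) != int.from_bytes(base64.b64decode(l[1:]), "big"):
            raise ValueError("armor CRC-24 mismatch")
    return raw

def iter_packets(raw: bytes):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    i = 0
    while i < len(raw):
        ctb = raw[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        if ctb & 0x40:                            # new format
            tag, first = ctb & 0x3F, raw[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + raw[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(raw[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                     # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(raw[i + 1:i + 1 + nbytes], "big")
            i += 1 + nbytes
        yield tag, raw[i:i + length]
        i += length

def harvest_addresses(armored: str):
    """What a scraper does with every key it pulls from a keyserver."""
    return [addr for tag, body in iter_packets(dearmor(armored)) if tag == USER_ID_TAG
            for addr in EMAIL_RE.findall(body.decode("utf-8", "replace"))]

if __name__ == "__main__":
    key = build_sample_key(["Ender <ender@example.org>", "Ender (work) <ender@example.net>"])
    print(harvest_addresses(key))
```

The only thing a keyserver could strip is the User ID packet, and that is the thing people search on and the thing the self-signature covers, which is why the borgnet FAQ quoted earlier says there is nothing to be done on the server side. The same walker works on a real exported key (`gpg --export --armor`), where it will also see the tag 2 signature packets and any subkeys.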
OZO (join: 2003-01-17)
Reply to Ender3rd: First of all, from my experience of using PGP key servers for several years, there is no increase in SPAM on the e-mail address that I use with PGP.
Second. That's correct: your e-mail provided to key servers is published, with all corresponding consequences.
Third. I think that we'll all benefit if everyone implements a policy (it's easy via filters) to treat messages that are not signed by their sender as SPAM-like. Of course it may come from a friend who does not use the signing technique yet, but it's easy to filter it back (as part of a "white" list).
I'd just like to see a real SPAM signed by its sender coming to my e-mail box. -- Keep it simple, it'll become complex by itself...
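The filter OZO sketches above (unsigned mail is spam-like, with a white list for contacts who do not sign yet) is easy to express against the two ways a PGP signature shows up in a message: a PGP/MIME `multipart/signed` wrapper with `protocol="application/pgp-signature"` (RFC 3156), or an inline clearsigned body. The code below is an added example, not from the thread or from any filter product; the sample messages, the addresses and the allow list are constructed, and the `spam_score` weight is an arbitrary assumption in the style of a SpamAssassin rule.

```python
"""Added example of OZO's policy: mail that is not PGP-signed is scored as
spam-like unless the sender is on an allow list.  This detects the presence
of a signature structure only; validity needs gpg and the sender's key."""
from email import message_from_string
from email.utils import parseaddr

# Constructed allow list: known contacts who do not sign their mail yet.
ALLOW_LIST = {"friend@example.net"}
CLEARSIGN_MARK = b"-----BEGIN PGP SIGNED MESSAGE-----"

def is_pgp_signed(msg) -> bool:
    """True for PGP/MIME multipart/signed (RFC 3156) or an inline clearsigned
    body anywhere in the MIME tree."""
    if msg.get_content_type() == "multipart/signed":
        if str(msg.get_param("protocol", "")).lower() == "application/pgp-signature":
            return True
    if msg.is_multipart():
        return any(is_pgp_signed(part) for part in msg.get_payload())
    return CLEARSIGN_MARK in (msg.get_payload(decode=True) or b"")

def classify(raw: str) -> str:
    """'signed', 'allowlisted' or 'unsigned-suspect' for one RFC 822 message."""
    msg = message_from_string(raw)
    if is_pgp_signed(msg):
        return "signed"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return "allowlisted" if sender in ALLOW_LIST else "unsigned-suspect"

def spam_score(raw: str, penalty: float = 3.0) -> float:
    """Points to add in a SpamAssassin-style rule: unsigned mail from an
    unknown sender costs `penalty` (assumed weight), everything else 0."""
    return penalty if classify(raw) == "unsigned-suspect" else 0.0

# --- constructed sample messages (not real mail; placeholder signatures) ---
PGP_MIME = """\
From: Alice <alice@example.org>
To: ender@example.org
Subject: signed with PGP/MIME
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Hello from Alice.
--b1
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
--b1--
"""

CLEARSIGNED = """\
From: Bob <bob@example.org>
To: ender@example.org
Subject: inline clearsigned

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello from Bob.
-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

FROM_FRIEND = """\
From: Friend <friend@example.net>
To: ender@example.org
Subject: no signature, but on the allow list

Lunch?
"""

HARVESTED = """\
From: Offers <promo@example.com>
To: ender@example.org
Subject: no signature, unknown sender

Buy now.
"""

if __name__ == "__main__":
    for name, raw in [("PGP_MIME", PGP_MIME), ("CLEARSIGNED", CLEARSIGNED),
                      ("FROM_FRIEND", FROM_FRIEND), ("HARVESTED", HARVESTED)]:
        print(name, classify(raw), spam_score(raw))
```

The caveat a deployment needs: `is_pgp_signed` only recognises the shape of a signature, so a spammer who pastes a `-----BEGIN PGP SIGNED MESSAGE-----` block into the body also scores as "signed". The rule is therefore only worth its weight when the positive branch is backed by an actual `gpg --verify` against keys you already trust, which is also why OZO's last line is the right test of the policy: a signature that verifies ties the spam to a key.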
Tom Mc (join: 2004-06-17)
Reply to Ender3rd: I don't really have a reason to think my spam is keyserver-related.
But it may be helpful to know that PGP Corp's Global Directory has specifically been designed to minimize this chance. That is why you can never get more than one key returned on any key search.