Robots in the WoT (clean version)

David Shaw dshaw@jabberwocky.com
Mon Jun 30 05:42:41 2003



On Thu, Jun 26, 2003 at 01:19:06AM -0500, John B wrote:

> Does it make any sense that it's possible for someone to bot a
> keyserver to get a darn good sized amount of *real* e-mail
> addresses, and then use them for a spamming session? I don't
> understand anywhere near enough about keyservers or cryptography or
> that kind of thing (I just know how to use my key and make up a
> keyring, heh), so maybe this isn't feasible, right?

This is pretty much a FAQ nowadays.  The answer is yes, but it doesn't
make a difference.

Yes, it is possible to hit a keyserver over and over to get addresses
from it.  No, it doesn't really make a difference for a few reasons:

1) It's hard to do, as keyservers only give a few hundred responses at
   a time.  This means the spammer has to do "aaaaaa", "aaaaab",
   "aaaaac", etc. searches, and that takes forever.  Remember that if it
   is hard to do, the spammer is going to go where it is easier to
   reduce costs.

2) There are MUCH richer sources of addresses out there.  A spammer
   can pull a never-ending stream of addresses from the web and/or
   Usenet.  Comparatively, the keyservers are worthless.

3) Just because an address is on a keyserver, it doesn't make it
   valid.  There are a lot of old dead addresses in there.

David