explain nrsign & lsign?

David Shaw dshaw at jabberwocky.com
Mon Jan 29 16:22:18 CET 2007

On Mon, Jan 29, 2007 at 12:18:18AM -0600, Robert J. Hansen wrote:
> > The thing is degree. Yes, keys are likely harvested. But I will  
> > suggest you'll
> > get /much more/ SPAM from sending a message to this list than you  
> > will from
> > publishing an email address on a key and sending it to a keyserver.
> While I agree that in general keyserver harvesting is not a huge  
> problem for the community, we should be wary about thinking it will  
> not become a huge problem for the community.  Prudence suggests we  
> consider both alternatives.
> > Those volumes represent about one or two days worth on a couple  
> > other accounts.
> This may only mean that there's only one spam syndicate who's  
> harvesting keyservers, whereas the countless numbers of other  
> spammers haven't caught on yet.  This could just as easily mean that  
> other spammers have considered the option and decided it's a bad idea  
> for whatever reason, and only one syndicate isn't getting the memo.   
> Hard to say.

This is very true.  The economics of spam have changed radically over
the past few years.

At one point, the keyservers could be considered "uninteresting" to
the average spammer: lots of invalid addresses mixed in with the good
addresses, the annoyance factor of pulling addresses from a keyserver
that only returns a small fraction of the entire keyring per search,
etc.  Nowadays, many spammers aren't using their own bandwidth or CPU.
So why *not* hit the keyservers?  It costs them essentially nothing.

> Ultimately, I decided that since I was already drowning in spam on  
> all of my accounts anyway, the added trouble was insignificant, even  
> if the added benefit was insignificant.  I put an email address on my  
> key and decided I wasn't going to worry about it any more, since I  
> didn't see it mattered too much either way.

This was my conclusion as well.


More information about the Gnupg-users mailing list