hashed user IDs [was: Re: Security of the gpg private keyring?]

Ben McGinnes ben at adversary.org
Wed Mar 16 00:15:41 CET 2011

On 16/03/11 9:54 AM, MFPA wrote:
> On Monday 14 March 2011 at 1:06:26 AM, in
> <mid:4D7D6A12.308 at adversary.org>, Ben McGinnes wrote:
>> Anyway, out of curiosity, did you ever receive spam by that address
>> and prove it had been harvested from the keyservers?  I still think
>> harvesting addresses from the keyservers is too much effort for
>> spammers, who mostly generate the target addresses, but it would be
>> nice to finally answer that question.
> No mail received at all on that address so far. That key has only
> been up just over a year.

I think that if spammers were harvesting addresses from the keyservers
then you would have received some by now.

I don't think they bother because:

a) The effort required to harvest the addresses would be better spent
elsewhere and most, if not all, spammers are lazy.

b) It would be easier to just generate usernames at a target domain
name than to work from a large list (these days).

c) It is more likely that OpenPGP users are going to include people
who will hunt down spammers and get their upstream providers to
disconnect them.

> Up until now, if I received any mail on that address, the address
> could only have been harvested from a keyserver (or randomly
> matched). Going forward, if I receive any mail on that address it
> was probably harvested from the mailing list archive.

That would be likely.



More information about the Gnupg-users mailing list