sks-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sks-devel] serving a robots.txt

From: Jan Dreyer
Subject: Re: [Sks-devel] serving a robots.txt
Date: Fri, 22 Aug 2008 13:56:53 +0200
User-agent: Thunderbird 2.0.0.16 (Windows/20080708) 
Hi,

address@hidden schrieb:

E-Mail harvesting on PGP key servers can be done with such commands:
http://www.google.com/search?q=site%3Akeyserver.fabbione.net+pks+uid

I already receive spam because i decided to upload my public key years ago. I 
know its the source, because the same spam message arrived on all accounts 
belonging to one key withing seconds.

Those results could be prevented if server administrators would place such a 
robots.txt file in their webroot:
User-agent: *
Disallow: /pks/

WOW, i found a PGP Server that already has the file: 
http://keyserver.hadiko.de/robots.txt

It would be great if every PGP Server would do this, but how many of them are 
out there? Is it possible to contact every administrator?

The homepage of a common PGP Server software is: http://minskyprimus.net/sks/. They have 
a pool status page at: http://sks-keyservers.net/status/ . About 30-60 Servers here. 
Asking google, there might be 99 servers out there: 
http://www.google.com/search?q="%2Fpks%2Flookup%3Fop%3Dstats"; .
Hmm, there are hundreds. But not thousands.
Perhaps it is still worth a try, since keys can never ever be deleted. Once 
your key leaked out to a public key server its spreaded all over the world. 
Thanks google, its ready to get spammed then.

Could sks suggest setting up such a robots.txt file? What do you think?
I think it makes sense for "easy" spidering; google (and other websearches like yahoo) will respect the robots.txt so the mail adresses won't show up in websearches. Nevertheless as mentioned before many spam-bots are using own spiders which don't respect anything.
But: bad maintained keyservers have been a problem since pks was out first ...
If you would like to remove your mail address from websearches, you may consider uploading an updated "broken" version of your key without any (valid) mailaddress - though this makes the keyserver useless (for your key). I think I will have no more friends here after posting this proposal ;-) 

Greetings
Jan Dreyer
reply via email to
[Prev in Thread] Current Thread [Next in Thread]