Keyservers play an essential role in the world of (Open)PGP. Simson Garfinkel put it as follows in his classic book “PGP: Pretty Good Privacy” from 1995:

The PGP Internet key servers are an attempt to solve the fundamental problem of public key cryptography: how to get the public key of a person with whom you wish to communicate.

Before I uploaded my personal key to a keyserver, I was a bit concerned about the potential of receiving a large amount of encrypted spam. Once I add my key, and thus my email address, to a keyserver, it is there for everyone, spammers included, to see.

According to the FAQ of the keyserver at MIT, the key database has indeed been harvested by spammers.

Yes, there have been reports of spammers harvesting addresses from PGP keyservers. Unfortunately, there is not much that either we or you can do about this. Our best suggestion is you take advantage of any spam filtering technology offered by your ISP.

However, in practice, the issue seems to be small. Personally, I did not see an increase after pushing my email addresses to the keyserver.

Most keyservers run the Synchronizing Key Server (SKS) software. If you try to siphon a large number of email addresses from such a keyserver with a broad search query, the server rejects the query rather than returning the matches. This reassured me that keyservers are not easily exploitable by spammers, at least not through the search interface.

However, anyone can run their own keyserver and synchronize it with the other keyservers. To bootstrap a new keyserver, one needs a recent dump of the key database from an existing SKS server. These dumps are readily available and contain millions of user IDs, most of them with an email address. It is just a matter of minutes to download a dump and extract the email addresses with GPG and a small amount of scripting: GPG can list the keys in a dump in its machine-readable colon-separated format, and the user ID field of each uid record carries the address.
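As an added example, not part of the original post, the following script shows the extraction step. It assumes the dump has been listed with something like `gpg --no-default-keyring --keyring ./sks-dump-0001.pgp --list-keys --with-colons` (the dump filename is hypothetical) and parses that `--with-colons` output: user IDs live in field 10 of `uid` records, colons inside them are escaped as `\x3a`, and field 2 carries the validity flag, so revoked (`r`) and expired (`e`) user IDs can be dropped. The sample output embedded below is constructed for the example, not taken from a real dump.

```python
import re
import sys

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys):
# two keys, one with a revoked user ID, one with a bare address and an expired ID.
SAMPLE_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000::::::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1500000000::1111111111111111111111111111111111111111::Alice Example <alice@example.org>::::::::::0:
uid:r::::1500000000::2222222222222222222222222222222222222222::Alice Old <alice@old.example.org>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e::::::23:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1400000000::::::scESC::::::23::0:
uid:-::::1400000000::3333333333333333333333333333333333333333::bob@example.net::::::::::0:
uid:e::::1400000000::4444444444444444444444444444444444444444::Bob Expired <bob@expired.example.net>::::::::::0:
"""

# Address in angle brackets ("Name <user@host>") or a user ID that is only an address.
EMAIL_IN_BRACKETS = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
BARE_EMAIL = re.compile(r"^[^\s<>]+@[^\s<>]+$")


def parse_uids(colons_text):
    """Yield (validity, user_id) for every uid record in --with-colons output.

    Field 1 is the record type, field 2 the validity flag, field 10 the user ID;
    gpg escapes colons inside the user ID as '\\x3a', which is undone here.
    """
    for line in colons_text.splitlines():
        fields = line.split(":")
        if len(fields) < 10 or fields[0] != "uid":
            continue
        yield fields[1], fields[9].replace("\\x3a", ":")


def extract_addresses(colons_text, skip_invalid=True):
    """Return the de-duplicated, lower-cased addresses found in uid records.

    With skip_invalid=True, revoked ('r') and expired ('e') user IDs are dropped,
    since those addresses are the least likely to still be live.
    """
    found = []
    for validity, uid in parse_uids(colons_text):
        if skip_invalid and validity in ("r", "e"):
            continue
        match = EMAIL_IN_BRACKETS.search(uid)
        if match:
            addr = match.group(1)
        elif BARE_EMAIL.match(uid):
            addr = uid
        else:
            continue  # user ID without an address (e.g. a photo ID or bare name)
        addr = addr.lower()
        if addr not in found:
            found.append(addr)
    return found


if __name__ == "__main__":
    # Pipe real gpg --with-colons output in; without a pipe, process the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_COLONS
    for address in extract_addresses(text):
        print(address)
```

For a multi-gigabyte dump the same logic should run as a streaming filter over the gpg pipe rather than reading the whole listing into memory; the record format is documented in GnuPG's `doc/DETAILS`, and field positions should be checked against the installed version before relying on them.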

I’m glad that the dumps are not extensively used as the basis for email spam, or even encrypted email spam, but in principle this sounds like a simple and easy way to get a huge list of email addresses.