Anonymous Email Review – Webwizny

On the home page of Webwizny you will find a collection of free online tools that range from things like “Send your Xmas List to Santa”, Free Image Hosting and Downloading videos from YouTube, to finding out how old you are in days or analyzing the strength of a password and a few more.

One of those tools is “Send Anonymous Emails”.  It’s a simple form in which you fill in a fake “from” address, the address you’re sending the message to, an optional blind carbon copy that can be sent to another address and then the subject and body of the message.

While it does work, I think there are a few things to consider before using this as anything more than having a bit of fun.  For example, it would be fine if you wanted to send an email to convince somebody you were in the Outer Banks when actually you were in Atlantic City losing your shirt.  Of course, you could only get away with it if somebody didn’t decide to look closely at the email headers and do a bit of easy online detective work.

I checked it out by sending a test message to myself.  The test message arrived within seconds of being sent.  Fast delivery is good, but from a security standpoint some latency (delay) would help disguise when it was sent.

The message headers contain enough standard information to make tracing the email back to the server it came from easy.  From there it would be a simple matter of getting a court order for server logs to find out the time it was sent and the IP address of the sender.

While it’s labeled as anonymous email, that anonymity is only very casual at best.  A determined lawyer could very likely break that anonymity in a matter of hours.

Anonymous Email Review – Deadfake.com

Over the years I’ve seen a lot of sites that offer the visitor the ability to send emails that they promote as being anonymous.  Unfortunately, most of them offer very little if any actual anonymity at all.

Most of these sites tell the user that the recipient will not be able to find out who sent the email.  In fact, the email can be traced back to the server it came from, and from there it’s a simple matter of a subpoena to get the website server logs.  Those logs show when the website form sent the message to the mail server, the IP address of the user who filled out the form and the date & time the form was sent.

Given the IP address and the timestamp, it’s almost trivial for somebody’s lawyer to take the steps needed to get their ISP to give up what user account was assigned that IP address at that time.  From there the person responsible for that user account gets contacted by the attorney and things may or may not get legal depending on the situation.

The so-called anonymous email services that many sites offer are good for very little more than to be used as toys, joking back and forth with friends, family and acquaintances that aren’t going to decide to haul your carcass into court and get legal on you.

Therefore I’m going to start doing reviews of these sites and explaining why I believe their services to not be nearly as anonymous as they look at first glance.  The first of these is deadfake.com.

Deadfake has a simple introduction that tells the visitor that they can use the site to send anonymous emails and make it look like it came from somebody else.  It appears to be intended for the sole purpose of playing pranks on people and having some fun with them.  As a point in their favor they do have a warning:

Don’t send any spam or other illegal things from this site. Email is never really fully anonymous (check the FAQ for more info). It’s also bad karma, and I will track you down and bite you.

Their FAQ also explains that this isn’t *really* anonymous and that it adds both X-Mailer and X-Originating-Ip headers, which contain all the information needed to identify the sender’s ISP and find the sender.
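What a recipient can read out of such headers, as an added example that is not part of the original post or of either site: it parses the Received chain and the X-Originating-Ip and X-Mailer headers mentioned above. The message, hosts and addresses are constructed documentation values, and `trace` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; every host and address is a documentation value.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby inbox.recipient.example with ESMTP id A1; Tue, 02 Jan 2024 10:15:09 +0000
Received: from web01.formmailer.example (web01.formmailer.example [203.0.113.25])
\tby mx.recipient.example with ESMTP id B2; Tue, 02 Jan 2024 10:15:07 +0000
X-Mailer: ExampleFormMailer 1.0
X-Originating-Ip: 192.0.2.44
From: elvis@graceland.example
To: me@recipient.example
Subject: test
Date: Tue, 02 Jan 2024 10:15:06 +0000

hello
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace(raw):
    """Return what the headers reveal, with hops ordered earliest first."""
    msg = message_from_string(raw)
    hops = []
    for rcvd in msg.get_all("Received", []):
        text = " ".join(rcvd.split())            # unfold continuation lines
        route, _, stamp = text.rpartition(";")   # timestamp follows the last ';'
        host = re.match(r"from (\S+)", route)
        ip = IP_RE.search(route)
        hops.append({
            "from_host": host.group(1) if host else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp.strip()),
        })
    hops.reverse()  # each server prepends its header, so the file order is newest first
    sent = parsedate_to_datetime(msg["Date"])
    return {
        "claimed_from": msg["From"],                    # whatever was typed into the form
        "hops": hops,                                   # hops[0] is the sending server
        "originating_ip": msg.get("X-Originating-Ip"),  # the form user's own address
        "mailer": msg.get("X-Mailer"),
        "delay_seconds": (hops[-1]["time"] - sent).total_seconds() if hops else None,
    }

if __name__ == "__main__":
    for key, value in trace(RAW).items():
        print(key, "=", value)
```

The From line is the only field the form user controls; the first hop and the originating IP are written by servers, and the short delay pins down when the form was submitted.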

As a test, I went on to the “send fake mail” page and filled in the form to send myself a test message.  Once the message was done I filled in the captcha and hit “send now”.  Instead of being told that the message was sent, I was greeted with an error message:

Oops!

Sorry, there was some sort of problem while sending your message – please try again in a few minutes!

I tried again a few minutes later and then again a few hours later, each time getting the same error message.  That’s when I noticed a block of stats in the sidebar:

Stats

Total emails sent: 223291

…in last 24 hours: 0

I never did get deadfake to work and perhaps it’s just as well.  While a site like this can be fun to play around with, sending your kid sister emails from Elvis and such, it can also be all too easily used by somebody who needs to be really anonymous, only to find out that their anonymity was very thin indeed.

Another thing that the site offers is a two page walk through that explains how to use a very simple nslookup command to identify a mail server to use and how to use telnet to connect to that server and send email from it.

I strongly recommend AGAINST doing that.

For one thing, if you have a real need to be anonymous, you’ve blown it the second you open the telnet session.  The server logs will have your IP address and a timestamp of when you connected.  In short, you’re pwned before the message is even sent.

For another, while this technique CAN be used to send mail (I’ve done it myself with my own mail server just to prove I could), it requires that the mail server does not require authentication in order to send mail.  That kind of mail server is becoming a rare beast indeed these days as server admins take steps to keep from being an “open relay” that can be taken advantage of by spammers.

Another good reason not to use the telnet method is that there are plenty of sites whose legal departments will be all too glad to jump down your throat for unauthorized use of their servers and frankly, if such a case goes to court they’re going to win.  Save yourself the trouble and DON’T do it in the first place.

Yes, there ARE ways to have secure anonymity and send anonymous email that’s all but impossible to trace.  Deadfake.com isn’t one of them.


Anonymous Email – Step Four: Sending Your First Msg

A quick tutorial for sending messages with Jack B. Nymble.

I’m assuming here that you’ve installed PGP 6.5.8, along with Jack B. Nymble and Mixmaster and that when you installed JBN you gave it fresh stats urls as I described.

If you have auto functions disabled (Tools menu | disable auto functions), JBN won’t do anything when you start it up.  Once auto functions are turned on, it will check to see how old the stats pages are and if necessary it will download fresh ones.  Then it will check any email accounts you’ve set up in Window | Retreival profiles and look for messages in any accounts defined in Window | News profiles.

To send a demo message, click the “Books” folder in the folder view, then in the files view click “Anon Mail.TBK” and click “open window”.  This opens the message book for editing.

In the “To:” field, put your own email address and enter a subject that you’ll recognize (or you might put something that your spam filter will automatically whitelist).

Then in the green area where it says “Add Remailer” you’ll see three lines with “AUTO” already entered.  Here you can customize the remailer chain you’re going to use or you can select a line and then use the drop down box to specify particular remailers.  If you specify your own chain, JBN will check the capabilities of each remailer chosen to help make sure you’ve chosen a valid chain.

Finally, in the body area type your message and click “Queue”.  This puts it in the outbound message queue, where it will be sent automatically (though not necessarily right away: part of how anonymity is maintained is by adding delays to message processing.  It’s more involved than this, but that’s the basic idea).

Once the message is sent you can expect it to take anywhere from 15 minutes to as long as 12 hours or more to arrive.  When it does arrive you’ll know it was the one you sent because you’ll recognize the subject line and the message body you wrote.  However if you have your mail client view the source of the message there will be nothing in the headers that gives even the remotest clue as to where it came from.

There is a lot more that can be done with this program; for example, you can send a message through a chain of anonymous remailers to a mail2news gateway and your message will appear in a Usenet newsgroup.  There is also quite a bit more in the way of settings and options.  Finally, there is the “Nym”, which is a way to have a fully anonymous email address that people can use to send you email without knowing your real email address.

Anonymous Email – Step Three: Adding Mixmaster

In a previous entry I gave a brief introduction and installation guide to Jack B. Nymble, a client program for sending anonymous email.  Once the program is installed and its stats are refreshed, it’s possible to send anonymous email.

However, as it is so far, it’s limited to using Type I (Cypherpunk) remailers.  By adding Mixmaster, you get the ability to use Type II remailers as well.  Type II remailers are designed with higher security in mind and to be resistant to things like replay attacks (where messages are captured by an attacker and resent lots of times to create a large trail of traffic in an attempt to follow the message).

To add Mixmaster capability to JBN, first of course you need the Mixmaster executable.  The most recent version that works with JBN is Mixmaster 2.04b6; get it along with its detached signature file, which you can use to verify that it hasn’t been messed with since it was signed.

Once you have verified the Mixmaster archive, extract the files into a directory of its own.  You MUST use a short directory name (8 characters or less).  I use “MIX” and put it in the root directory of the drive it’s installed on, for example: C:\MIX

At this point people running win95 or win98 need to add the line:

set MIXPATH=C:\MIX

to their autoexec.bat file

Win XP users need to log into their admin account and right click on the “my computer” icon and choose “properties”, then click the “Advanced” Tab and click the “Environment Variables” button.  Then you click “new” and give the variable name MIXPATH and the value C:\MIX (or the directory you used to install mixmaster).  Then click “OK” on everything and log off of the Admin account.

Then start JBN.  On the Window menu, choose Remailer config and select the mixmaster tab.  Enter the mixmaster directory and set the version to 2.0.4.  You can set MINREL to 95, MAXLAT to 6:00 and DISTANCE to 5, then click ‘OK’.

Now when you’re composing a message you can use the Remailers menu item Mixmaster to use mixmaster remailers and JBN will handle setting things up for mixmaster and emailing the resulting file.

There’s a lot more to this of course and I just realized that I haven’t covered sending messages with JBN at all and while just spending some time reading the docs that come with the program and looking over menu choices really does tell you all you need, I’ll cover that in an upcoming entry.


Anonymous Email – Step Two: Jack B. Nymble

At this point I’m assuming that you have PGP 6.5.8 installed and have taken some time to become familiar with how to create keys and sign and/or encrypt text messages.

One way to send anonymous mail is to use the Cypherpunk remailer system.  The way it works is actually simple, it’s just cumbersome to do by hand.  Say for example you need to send a message to “user1@example.com” by way of a chain of 3 Cpunk remailers.  You would write out the message, then at the top of it put instructions telling remailer #3 to send it to “user1@example.com”.  Then you encrypt the whole thing to remailer #3’s key and put another instruction at the top telling remailer #2 to send it to #3, repeating this until you have built a chain of nested encrypted messages.

Each remailer decrypts the part that is for it, reads the instructions and sends it to the next step.  This process guarantees that no message headers from your original email to remailer #1 will remain.  As long as your message content doesn’t give you away, you are anonymous.
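The nesting described above, as an added example that is not part of the original post or of JBN. A toy SHA-256 keystream cipher stands in for PGP encryption to each remailer's key, the `Next-Hop:` line is a simplified, hypothetical stand-in for the real remailer instruction syntax, and the remailer addresses and keys are constructed.

```python
import base64
import hashlib

def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, data):
    """Toy stand-in for 'encrypt to this remailer's PGP key'. Not for real use."""
    ks = _keystream(key, len(data))
    return base64.b64encode(bytes(a ^ b for a, b in zip(data, ks)))

def unseal(key, blob):
    ct = base64.b64decode(blob)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def build(message, recipient, chain):
    """chain: [(address, key), ...] in travel order. Wrap from the innermost layer out."""
    payload, next_hop = message.encode(), recipient
    for addr, key in reversed(chain):
        payload = seal(key, f"Next-Hop: {next_hop}\n\n".encode() + payload)
        next_hop = addr
    return next_hop, payload            # hand the outermost layer to remailer #1

def peel(key, blob):
    """What one remailer does: remove its own layer, read where to forward."""
    header, _, inner = unseal(key, blob).partition(b"\n\n")
    return header.decode().split(": ", 1)[1], inner

def deliver(first, blob, keys):
    """Walk the chain, recording the only routing fact each remailer learns."""
    seen, hop = [], first
    while hop in keys:
        nxt, blob = peel(keys[hop], blob)
        seen.append((hop, nxt))
        hop = nxt
    return seen, hop, blob.decode()

# Constructed remailers and keys.
CHAIN = [("r1@remailer.example", b"k1"), ("r2@remailer.example", b"k2"),
         ("r3@remailer.example", b"k3")]

if __name__ == "__main__":
    first, blob = build("Hello from nobody", "user1@example.com", CHAIN)
    print(deliver(first, blob, dict(CHAIN)))
```

Only remailer #3 ever sees the final address, and only remailer #1 sees where the message entered the chain.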

Obviously, while “hand rolling” like this is possible (I’ve done it myself with more complicated chains than this), it’s cumbersome and it’s easy to make a single mistake that will cause your efforts to be wasted and your message not to arrive.

This is where software like Jack B. Nymble comes in.  JBN automates a lot of this work so that all you have to do is give it the address, type your message, choose the remailers in the chain and JBN handles all of the formatting and multiple layers of encryption and sends the result to the first remailer in the chain.  Once it’s set up right, JBN makes using remailers easy.

First you need the software.  If you just search for “Jack B. Nymble download” you can find it in several places, or you can download JBN and a detached signature from the Panta-Rhei website.

You can (and should) use PGP to verify the signature; this assures that setup_jbn214.exe hasn’t been altered.  (Of course, to verify the signature you’ll need to have PGP search keyservers for the author’s PGP key: User-id: RProcess, key-id: 0x9310EE89.)

Once you’re satisfied that you’ve got a good file you’re ready to install it.  When you install JBN and start it up, DO NOT have it update stats just yet.  This is because the stats urls that the program ships with are old and out of date.  Before you can allow it to update stats, you need to give it current urls to work with.

On its Window menu, choose ‘stats config’ and on the cypherpunk tab, replace the urls there with the ones on this page.  Once this is done, JBN can be allowed to get remailer keys and stats.

Once it has current stats it’s a simple matter of opening ‘Window | Send Profiles’ and putting in the information for the mail server it’s to use for sending mail.  (Note: this original version of JBN cannot perform SMTP Auth; for that, you will need a MOD that was created to add features to JBN.)

It does take some time, both in reading the documentation that comes with the program and in plain old fashioned trial and error to learn how to use it, but it’s worth the time.

More information and help can be found on the Pantawiki.  You can also ask questions (and sometimes find answers) in the Usenet group alt.privacy.anon-server (Beware of the trolls)

I’ve only just touched on the subject here, but I think it’s enough to get you started learning how to use JBN.  In an upcoming post I’ll cover adding Mixmaster capability for stronger anonymity and a larger choice of remailers.

This post was sponsored by www.buy.com, among other things they’re a source of all sorts of equipment from a Linksys router to computers, CD’s, downloads and more.

