I recently saw a message thread where somebody asked how they could set up an anonymous email address that they could use when signing up for sites that they didn’t want to give up any real personal or contact information.

The answer they were given was to sign up for a web email account at a place like Yahoo or Hotmail and that if things ever got dicey they could just stop checking that mailbox.

This kind of tactic will get you only very casual anonymity at best for several reasons.

1) Unless you always connect using TOR, they will have your IP address, which, along with the time, makes finding you trivial.

2) Most services like this require a primary email address in order to sign up for theirs.  It’s used for recovering lost passwords, and in the event of any legal action involving email you’ve sent with their service, they can and will cooperate with courts, lawyers and law enforcement and hand over anything they have on you.

3) The headers in emails sent from these services will include your IP address at the time the message was sent unless you only connect via TOR AND have JavaScript disabled. And that’s IF you can get signed up without giving an email address that leads back to you, something that’s very hard to find these days.

This low level of anonymity is useful as a “throwaway” email address that you can use when signing up for sites that you suspect might spam you or sell your email address.  When the spam gets too bad, simply delete the account.

It is, however, NOT sufficiently anonymous if you’re involved in anything (good or evil) that’s liable to attract attention from somebody’s lawyer(s) or some flavor of law enforcement.


Anonymous Email Review – Deadfake.com

Over the years I’ve seen a lot of sites that offer the visitor the ability to send emails that they promote as being anonymous.  Unfortunately, most of them offer very little if any actual anonymity at all.

Most of these sites tell the user that the recipient will not be able to find out who sent the email.  In fact, the email can be traced back to the server it came from, and from there it’s a simple matter of a subpoena to get the website server logs and discover when the website form sent the message to the mail server, the IP address of the user that filled out the form, and the date & time the form was sent.

Given the IP address and the timestamp, it’s almost trivial for somebody’s lawyer to take the steps needed to get their ISP to give up what user account was assigned that IP address at that time.  From there the person responsible for that user account gets contacted by the attorney and things may or may not get legal depending on the situation.

The so-called anonymous email services that many sites offer are good for very little more than to be used as toys, joking back and forth with friends, family and acquaintances that aren’t going to decide to haul your carcass into court and get legal on you.

Therefore I’m going to start doing reviews of these sites and explaining why I believe their services to not be nearly as anonymous as they look at first glance.  The first of these is deadfake.com.

Deadfake has a simple introduction that tells the visitor that they can use the site to send anonymous emails and make it look like it came from somebody else.  It appears to be intended for the sole purpose of playing pranks on people and having some fun with them.  As a point in their favor they do have a warning:

Don’t send any spam or other illegal things from this site. Email is never really fully anonymous (check the FAQ for more info). It’s also bad karma, and I will track you down and bite you.

Their FAQ also explains that this isn’t *really* anonymous and that it does add both an X-Mailer and X-Originating-Ip headers that contain all the information needed to identify the sender’s ISP and find the sender.
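
To see what headers like these give away, here is an added example (not code from Deadfake or from the original post) that lists the identifying headers in a message. The sample message, its host names and its header values are constructed for illustration, and the IP addresses come from the documentation ranges.

```python
import email
import ipaddress
import re

# Constructed sample message; all names and addresses are made up.
RAW = """\
Received: from web-form.example.net (web-form.example.net [198.51.100.7])
\tby mx.example.org with ESMTP; Tue, 01 Jan 2008 12:00:05 +0000
Received: from localhost (localhost [127.0.0.1])
\tby web-form.example.net with SMTP; Tue, 01 Jan 2008 12:00:03 +0000
X-Mailer: ExampleWebForm 1.0
X-Originating-Ip: 203.0.113.45
From: elvis@example.com
To: user1@example.com
Subject: test

hello
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def identifying_headers(raw):
    """Return (header, value) pairs that point back at the sender or the relay."""
    msg = email.message_from_string(raw)
    findings = []
    # Header lookups are case-insensitive, so "X-Originating-Ip" matches too.
    for name in ("X-Originating-IP", "Received"):
        for value in msg.get_all(name, []):
            for text in IP_RE.findall(value):
                try:
                    ip = ipaddress.ip_address(text)
                except ValueError:
                    continue          # looked like an IP but is not one
                if not ip.is_loopback:
                    findings.append((name, str(ip)))
    if msg["X-Mailer"]:
        findings.append(("X-Mailer", msg["X-Mailer"]))
    return findings

if __name__ == "__main__":
    for header, value in identifying_headers(RAW):
        print(f"{header}: {value}")
```

The forged From: line plays no part in the result: the web form user's address and the sending server's address are both in the headers for anyone who views the source.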

As a test, I went on to the “send fake mail” page and filled in the form to send myself a test message.  Once the message was done I filled in the captcha and hit “send now”.  Instead of being told that the message was sent, I was greeted with an error message:

Oops!

Sorry, there was some sort of problem while sending your message – please try again in a few minutes!

I tried again a few minutes later and then again a few hours later, each time getting the same error message.  That’s when I noticed a block of stats in the sidebar:

Stats

Total emails sent: 223291

…in last 24 hours: 0

I never did get deadfake to work and perhaps it’s just as well.  While a site like this can be fun to play around with sending your kid sister emails from Elvis and such, it can also be all too easily used by somebody who needs to be really anonymous, only to find out that their anonymity was very thin indeed.

Another thing that the site offers is a two page walk through that explains how to use a very simple nslookup command to identify a mail server to use and how to use telnet to connect to that server and send email from it.

I strongly recommend AGAINST doing that.

For one thing, if you have a real need to be anonymous, you’ve blown it the second you open the telnet session.  The server logs will have your IP address and a timestamp of when you connected.  In short, you’re pwned before the message is even sent.

For another, while this technique CAN be used to send mail (I’ve done it myself with my own mail server just to prove I could), it requires that the mail server does not require authentication in order to send mail.  That kind of mail server is becoming a rare beast indeed these days as server admins take steps to keep from being an “open relay” that can be taken advantage of by spammers.

Another good reason not to use the telnet method is that there are plenty of sites whose legal departments will be all too glad to jump down your throat for unauthorized use of their servers and frankly, if such a case goes to court they’re going to win.  Save yourself the trouble and DON’T do it in the first place.

Yes, there ARE ways to have secure anonymity and send anonymous email that’s all but impossible to trace.  Deadfake.com isn’t one of them.


Anonymous Email – Step Two: Jack B. Nymble

At this point I’m assuming that you have PGP 6.5.8 installed and have taken some time to become familiar with how to create keys and sign and/or encrypt text messages.

One way to send anonymous mail is to use the Cypherpunk remailer system.  The way it works is actually simple, it’s just cumbersome to do by hand.  Say for example you need to send a message to “user1@example.com” by way of a chain of 3 Cpunk remailers.  You would write out the message, then at the top of it put instructions telling remailer #3 to send it to “user1@example.com”.  Then you encrypt the whole thing to remailer #3’s key and put another instruction at the top telling remailer #2 to send it to #3, repeating this until you have built a chain of nested encrypted messages.

Each remailer decrypts the part that is for it, reads the instructions and sends it to the next step.  This process guarantees that no message headers from your original email to remailer #1 will remain.  As long as your message content doesn’t give you away, you are anonymous.
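
The nesting described above, as an added example that is not part of the original post and is not how JBN or any real remailer is implemented. The remailer addresses, keys and sender address are constructed, a toy keyed stream stands in for PGP encryption to each remailer's key, and the "Anon-To:" line is a simplified form of the forwarding instruction.

```python
import base64
import hashlib

# Constructed remailers. A shared secret per remailer stands in for that
# remailer's PGP key pair; this models the layering, it is not real encryption.
KEYS = {"remailer1@example.net": b"k1", "remailer2@example.net": b"k2",
        "remailer3@example.net": b"k3"}
CHAIN = list(KEYS)

def stream_xor(key, data):
    """Toy keyed stream (SHA-256 in counter mode), a stand-in for PGP."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(hop, text):
    return base64.b64encode(stream_xor(KEYS[hop], text.encode())).decode()

def unseal(hop, blob):
    return stream_xor(KEYS[hop], base64.b64decode(blob)).decode()

def build_chain(message, recipient, chain):
    """Wrap innermost first: only the last remailer's layer names the recipient."""
    next_addr, payload = recipient, message
    for hop in reversed(chain):
        payload = seal(hop, f"Anon-To: {next_addr}\n\n{payload}")
        next_addr = hop
    return next_addr, payload      # first remailer's address, outermost blob

def relay(first_hop, blob, sender):
    """Simulate each remailer peeling its layer; record what each one learns."""
    seen, prev, hop = [], sender, first_hop
    while hop in KEYS:
        header, _, blob = unseal(hop, blob).partition("\n\n")
        nxt = header.split(": ", 1)[1]
        seen.append({"hop": hop, "received_from": prev, "forwards_to": nxt})
        prev, hop = hop, nxt
    return seen, hop, blob         # final recipient and the plaintext message

if __name__ == "__main__":
    first, blob = build_chain("hello", "user1@example.com", CHAIN)
    for entry in relay(first, blob, "sender@example.org")[0]:
        print(entry)
```

Each entry shows the limit of one remailer's view: only the first hop sees where the message came from, and only the last hop sees where it is going.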

Obviously, “hand rolling” like this, while possible (I’ve done it myself with more complicated chains than this), is cumbersome, and it’s easy to make a single mistake that will cause your efforts to be wasted and your message not to arrive.

This is where software like Jack B. Nymble comes in.  JBN automates a lot of this work so that all you have to do is give it the address, type your message, choose the remailers in the chain and JBN handles all of the formatting and multiple layers of encryption and sends the result to the first remailer in the chain.  Once it’s set up right, JBN makes using remailers easy.

First you need the software.  If you just search “Jack B. Nymble” download you can find it in several places or you can download JBN and a detached signature from the Panta-Rhei website.

You can (and should) use PGP to verify the signature; this assures that setup_jbn214.exe hasn’t been altered.  (Of course, to verify the signature you’ll need to have PGP search keyservers for the author’s PGP key: User-id: RProcess, key-id: 0x9310EE89.)

Once you’re satisfied that you’ve got a good file you’re ready to install it.  When you install JBN and start it up, DO NOT have it update stats just yet.  This is because the stats urls that the program ships with are old and out of date.  Before you can allow it to update stats, you need to give it current urls to work with.

On its Window menu, choose ‘stats config’ and on the cypherpunk tab, replace the urls there with the ones on this page.  Once this is done, JBN can be allowed to get remailer keys and stats.

Once it has current stats it’s a simple matter of opening ‘Window | Send Profiles’ and putting in the information for the mail server it’s to use for sending mail.  (Note: this original version of JBN cannot perform SMTP Auth; for that, you will need a MOD that was created to add features to JBN.)

It does take some time, both in reading the documentation that comes with the program and in plain old fashioned trial and error to learn how to use it, but it’s worth the time.

More information and help can be found on the Pantawiki.  You can also ask questions (and sometimes find answers) in the Usenet group alt.privacy.anon-server (Beware of the trolls)

I’ve only just touched on the subject here.  But I think it’s enough to get you started learning how to use JBN.  In an upcoming post I’ll cover adding Mixmaster capability for stronger anonymity and a larger choice of remailers.



Basic Email Safety

Because of the recent book about email etiquette and an Oprah show about
email scammers, I thought it’d be a good idea to briefly touch on basics
of not getting burned in email.

If you think about it, "phishing" is actually pretty easy to avoid.
Companies such as eBay, PayPal and nearly any reputable outfit are NOT
EVER going to ask you for sensitive information by email. Instead
they’ll notify you when you log on to their site.

It’s also a good idea to NEVER click on a link in an email unless you
are CERTAIN that it’s really pointing to the site it looks like. To be
sure of what you’re looking at you can use your email program’s ability
to ‘view source’, or at least turn off html email. There are ways to
disguise urls in html email that could have you think you’re clicking on
a link to a legitimate site when it’s really a site made to look like
the real one so that you’ll give your information to them. DON’T
use the link in the email, instead take the few seconds to type it into
your browser’s location bar yourself. It’s well worth the time to know
what site you’re going to.

Another thing to look out for is the "419" or "Nigerian" scams.  These
are scams that sound legit on the surface but are just efforts to get
you to pay this or that fee to get something for nothing.  If you get an
email telling you about a contest, sweepstakes or lottery that you’ve
won, double check.  There is no such thing as winning a contest without
knowing about the possibility.  If you didn’t enter, then you didn’t
win.  If you check them out, don’t use the contact info or links in the
emails.  Instead go to a search engine and look up the company’s website
and get contact info from there.

Emails that tell you to forward the message to everyone in your address
book need to be deleted as soon as you see the part saying to forward it
to everybody. Petition emails are also a waste of time.  They’re nothing
but lists of names (and sometimes email addresses) that get duplicated
and sent all over.  If you want to email a representative or senator,
search out their official web site or use tools at sites like eff.org to
do so.  Email petitions are absolutely meaningless, the ONLY thing they
do is waste time and bandwidth.


Review of Gebhart Properties website

Gebhart Properties is in Baltimore, Maryland, and they deal in apartment
homes and commercial space in Baltimore, and luxury vacation rental
properties in Colorado and Hawaii.  The site has a clean, easy to use
design that makes it easy to find what you want from a Maui Condo
to commercial properties in and around Baltimore.

They even include virtual tours that allow you to rotate the point of
view and zoom in or out to get as good a look at a property as you can
without either being there or sending a camera crew. There is a ‘book it
now’ button on the pages featuring the Hawaii vacation rentals that
opens a contact form in the bottom half of the page that includes
buttons to show availability in a calendar on another window.

There is also a powerpoint slide show you can download and look at off
line, but they also warn you that it’s 96 megabytes and could take a
long time to download if you’re using a dialup connection.

The contact page is thorough, providing physical addresses, phone & fax
numbers as well as email addresses.
