Anonymous email

From

Revision as of 17:41, 17 February 2013 by Perspectoff (Talk | contribs)

(diff) ← Older revision | Current revision (diff) | Newer revision → (diff)

Long-term anonymous email accounts

Sometimes you just want a truly anonymous email account. Spammers already know how to do this -- why shouldn't you? The information below is largely from this Global Voices Online article.

Set up Tor and run it. For truly anonymous access, run as a Tor relay.

With Tor running and your Torbutton on (I assume you're running Firefox with Noscript for blocking scripts), access the TorMail hidden service at http://jhiwjjlqpyawmpjx.onion/ . Create a free email account there. This account will be used only as your "verification email" account.

Lavabit.com has a very good free email service that is similar and also works with Tor.

With Tor running and your Torbutton on (I assume you're running Firefox and Noscript is blocking scripts), access the Fastmail web-based email service at https://www.fastmail.fm/. Sign up for a free email account there, using the previously established TorMail account as your verification email address.

Voila! Now you have created an anonymous email account that is linked to another anonymous email account, all accomplished through the Tor network. That's pretty difficult to track, assuming you have the usual tracking mechanisms turned off (i.e. no scripts, routine MAC address changes, using a DNS server other than your own ISP's, encrypted connections (https), and other routine security measures).

Current password crackers (such as John the Ripper) can run through millions of passwords in a few hours (see this H-open article). A random password can be generated using a random password generator and used for your email password. Such passwords can be used for "secret questions" if those are required by the email service, as well. (An anonymous user suggests that even the usernames for the "verification" email accounts can consist of a randomly generated set of characters -- good idea!)

It is relatively insecure to allow one email account to send passwords or password-reset links to a "verification" email account (such as the one set up at TorMail). If the "verification" email account were to become compromised, it would be trivial for the hacker to reset the password at the (main) Fastmail email account. Furthermore, it is difficult to know who is running an email server in the first place, and it is wise to assume that the email on an email server (such as TorMail) can be examined by the owners of the email server. Of course, that's why you're using email through Tor in the first place -- for deniability in case the email server is compromised (and your email is intercepted).

A solution is to daisy-chain the verification email accounts. In such a scenario, the TorMail account is set up first. Then (for example) a Zoho account is set up using the TorMail account for verification. The nice thing about a Zoho account is that the user ID/password for the Zoho account (which is a SSO account for all the Zoho services) is different from the Zoho email username/ID. This adds a level of security. Zoho is Tor-permissive. Once a Zoho account and Zoho email account is set up, the Zoho email account is then used as the verification email for the Fastmail account.
Any or all of the "verification" email accounts (such as the original TorMail account) can then be deleted, leaving only the Fastmail account (and optionally the Zoho account) remaining. It should be noted that TorMail, Zoho, and Fastmail are all in different countries, which lends an added level of security.

Always use email through the Tor network or risk exposing your IP address(es). Always use an encrypted (https) connection as well, or risk exposing your data to a rogue Tor node. (All sensitive email should be encrypted using PGP, of course, and never sent in cleartext.)

Fastmail is a robust, high-bandwidth mail server (unlike TorMail) and is Tor-transparent (unlike Yahoo Mail and other free email services), nor does it have the high level of tracking mechanisms that GMail has. It also allows IMAP and SMTP through Tor (in case you desire to use it in that way).

There are other Tor-permissive email services, however (including RiseUp.net). Want a review of the compatibility of other (free) email services with Tor? Then see this hidden service wiki (with Tor running and your Torbutton turned on): http://kpvz7ki2v5agwt35.onion/wiki/index.php/Email

You could use the TorMail (and/or Zoho) account as your verification email account for a variety of services and if those services were available through Tor as well, you could be anonymous with them, too! However, once you use the TorMail (and/or Zoho) account for anything other than a verification email account, the chances of cross-correlation go up. I therefore recommend reserving a single TorMail (and/or Zoho) account for that purpose (i.e. as a verification account) only.

Here's a moderated list of other Tor hidden services: http://nobody.zerodays.org/hidden-directory/

Temporary non-anonymous email accounts

Sometimes you just need a temporary email account just to sign up for some commenting system or something. Perhaps they send a "click this link to verify account" email, which is all you really need. Such emails need not be secure or private, since passwords and other identifying information is usually not sent in such messages.

Mailinator is the ideal solution for this type of temporary email account. It does not allow sending emails (and therefore is not apporpriate if you are trying to be a spammer), but it does allow you to receive one-time emails. You could use such an email account to receive a one-time message from some website (a coupon or something like that) which you know will generate endless spam in the future. With the temporary email account, you can "Let them eat spam!"

A random string of characters can be generated using a random password generator and used as your email username. Mailinator allows a user ID up to 25 characters. (Mailinator can provide a random userID, as well.)

This is a great service, and the guy who runs it is very well-educated and amusing. Note that there is no privacy whatsoever with this service, except in the obscurity of your chosen email name. All messages to the temporary email box are deleted within a day.

Uh, yeah, of course you should access Mailinator through Tor, unless you particularly want your IP address to be identified with the temporary email account. The guy from Mailinator says he gets subpoena requests all the time. Stay protected. Use Tor when accessing Mailinator.

Spamgourmet is another service that allows temporary, discardable email addresses. It allows forwarding of up to three messages to another email account (perhaps your longterm anonymous email account?) so that you can give a Spamgourmet email address to some website, have their reply forwarded to your regular email account, and then not worry about the subsequent spam (after the first 3 messages) that inevitably follows. Spamgourmet discards anything after the first 3 messages.

Anonymous blogging

Now that you have an anonymous email account, why not set up an anonymous blog? I mean, are you any less reliable than a paid "journalist" that posts their poorly written nonsense on online newspapers? Here are some sites that allow anonymous blogs:

Blog.com allows free blogs.
Wordpress allows free blogs, but has a number of censorship rules and tends to remove sites quite quickly based on any complaint whatsoever. Here is a list of other hosts that allow free blogs using the Wordpress blogging software.
Blogger.com was bought by Google and is available with a Google account. Anything hosted by Google must be assumed to be insecure, but for limited uses it may fit your needs.
Here is a 2007 list of other free blog sites. I'm not sure how many are still functional.

There have been several high-profile lawsuits of anonymous bloggers being sued after being tracked through their IP address using Java-based scripts or by Google Analytics. You are using NoScript to block Google Analytics and Java scripts, aren't you? Of course, I KNOW you are accessing your blog only through Tor... right? See the Global Voices Online article regarding anonymous blogging (with Tor).

Other considerations

Traditonal forensics have always used the evaluation of writing styles to identify authors. See this article. Frequent posts from the same author allow evaluation of writing patterns. One way to get around this is to use a translation service. Translate a message into another language, then translate the result back into the original language. This introduces random errors, making the writing style less consistently recognisable. (Be careful to use Tor when using Google Tranlate or other online services, of course, since Google and others use extensive tracking mechanisms.)

Using an SMTP server

You can easily send anonymous emails with your own SMTP server. This is how spammers and other malevolent Internet users accomplish it. See this article for an example. Spammers suck, though. Heck, beating spam is the purpose of much of this page, isn't it? Why contribute to it?