Untraceable remailers
If users accept the loss of two-way interaction, identity anonymity can be made more secure.
By not keeping any list of users and corresponding anonymizing labels for them, a remailer can ensure that any message which has been forwarded leaves no internal information behind which can later be used to break identity confidentiality. However, while being handled, messages remain vulnerable within the server (eg, to Trojan software in a compromised server, to a compromised server operator, or to mis-administration of the server), and traffic analysis comparing traffic into and out of such a server can suggest quite a lot -- far more than almost anyone would credit.
The mixmaster strategy is designed to defeat such attacks, or at least to raise their cost to attackers beyond feasibility. If every message is passed through several servers (ideally in different legal and political jurisdictions), then attacks based in legal systems become considerably more difficult, if only because of 'Clausewitzian' friction amongst lawyers, courts, different statutes, organizational rivalries, etc. And, since many different servers and server operators are involved, subversion of any one of them (ie, of either system or operator) also becomes less effective, since no one (most likely) will be able to subvert the entire chain of remailers.
Random padding of messages, random delays before forwarding, and encryption of forwarding information between forwarding remailers increase the degree of difficulty for attackers still further: message size and timing can be largely eliminated as traffic analysis clues, and the lack of easily readable forwarding information makes simple automated traffic analysis algorithms ineffective.
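The layering and padding described above can be sketched as follows. This is an added example, not Mixmaster's actual packet format or code: the packet size, the hop names, the keys and the SHA-256 counter-mode cipher are assumptions chosen to keep it self-contained, and message authentication and random delays are left out.

```python
import hashlib, os, struct

PACKET_SIZE = 1024   # every packet on the wire has this size (constructed value)
NONCE_LEN = 16

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One layer: nonce | Enc(len(hop) | hop | len(inner) | inner)."""
    hop = next_hop.encode()
    body = struct.pack(">H", len(hop)) + hop + struct.pack(">H", len(inner)) + inner
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor_stream(key, nonce, body)

def pad(blob: bytes) -> bytes:
    if len(blob) > PACKET_SIZE:
        raise ValueError("message too long for this chain")
    return blob + os.urandom(PACKET_SIZE - len(blob))   # random padding

def wrap(message: bytes, chain: list, recipient: str) -> bytes:
    """chain is [(address, key), ...] in forwarding order; innermost layer first."""
    blob, next_hop = message, recipient
    for address, key in reversed(chain):
        blob, next_hop = seal(key, next_hop, blob), address
    return pad(blob)

def peel(key: bytes, packet: bytes):
    """What one remailer does: strip its own layer and learn only the next hop."""
    plain = xor_stream(key, packet[:NONCE_LEN], packet[NONCE_LEN:])
    (hop_len,) = struct.unpack(">H", plain[:2])
    next_hop = plain[2:2 + hop_len].decode()
    (inner_len,) = struct.unpack(">H", plain[2 + hop_len:4 + hop_len])
    inner = plain[4 + hop_len:4 + hop_len + inner_len]   # old padding is dropped
    return next_hop, inner

def route(packet: bytes, keys: dict, first_hop: str):
    """Simulate the chain; returns (packet sizes seen on the wire, recipient, message)."""
    hop, sizes = first_hop, []
    while hop in keys:                       # keys maps remailer address -> key
        sizes.append(len(packet))
        hop, inner = peel(keys[hop], packet)
        packet = pad(inner) if hop in keys else inner   # re-pad before forwarding
    return sizes, hop, packet
```

Each hop sees a packet of the same size, and only the last hop learns the recipient; no single hop sees both the sender's connection and the destination.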
Reasons for using an anonymous remailer
In an era of spam and junk email and identity theft, email access by just anyone can be actually problematic. If it can be maintained, anonymity can shield users from such problems; remailers can help. Bulletin board and news group postings of controversial opinion can attract (and actually have attracted) unwelcome attention, both official and private. In some cases, that attention has been dangerous -- criminally or politically. Anonymous remailers can assist in preventing, or at least hampering, this as well.
Opponents of anonymity (eg, of anonymous remailers as facilitators of same) suggest that anonymity allows/encourages illegal or dangerous activity (eg, terrorism, drug trafficking, pedophiliac attacks against children, ...). The inference to be made is that, without anonymity, these things would not occur, or would be less likely to do so, and so we would all be safer. This is a questionable inference since, prior to the practical availability of anonymity to many, all of these things occurred anyway. Little actual evidence has been produced to show that their incidence has increased as a result of anonymity. There have been several prominent attempts to claim they have, in the press and otherwise; few have included credible evidence, and some have cited mere allegations as evidence.
In addition, many object to anonymity because it facilitates such things as advocacy of unpopular positions (eg, religious, political, social, sexual, economic, artistic, ...). For societies in which central control of such speech and activity has existed (or does exist), anonymity actually does present a problem today. Anonymity advocates suggest that the real problem is not how to centrally or forcibly control speech and thought, but whether it should be controlled at all.
For societies in which free speech and thought is claimed to be an important value, the problem is rather different. To the extent that anonymity (and so anonymous remailers) are used to exercise free speech, neither should be an issue at all, the question having been settled. For those in such societies who are opposed to free speech and thought (or merely opposed to 'some kinds' of speech and thought), anonymity (and so anonymous remailers) will be a problem, just as they are in more explicitly controlling cultures. Again, anonymity advocates suggest that the actual problem is less which kind of free speech to abridge, but whether any should be controlled at all.
These issues are unresolved, are perhaps inherently unresolvable unanimously, and remain controversial. To date 'technical solutions', in any direction and for any purpose, have been kludges and less than successful, regardless of perspective.
Using a remailer
If the object is identity anonymity, nothing sent to a remailer can ever include identifying information in content available to an outside observer. Thus, "From: anon(At)remailer.net Hey dude, send me that new comic to 123 Maple Street, Wherever, Country, Postal Code. Thanx" is evidently entirely insecure. Encrypting such a message would help, and some remailers are set up to do so. In general, cleartext messages are likely to include such information, even if inadvertently, and user anonymity when sending cleartext messages is accordingly likely to be lost.
Less obviously, some software (eg, recent versions of Microsoft Office components -- Microsoft Word, Microsoft Excel, etc) includes (ordinarily invisible) identifying information in each formatted file it touches. The information might be name / organization / email (collected at 'product registration' and retained internally), or product copy serial number, or computer ID (eg, CPU serial number), or interface hardware address (eg, Ethernet MAC, a globally unique ID), or ... One software program which claims to remove such information notes that there are about 30 different kinds in Word format files. Those interested in anonymity should limit themselves to plain text messages (ASCII text only) produced by plain text editors (eg, vi, emacs, pico, ...; each is available for most operating systems) as they don't include such hidden information. Alternatively, users should take great care to inspect files (images, sound files, ...) to ensure they contain no identifying information. Note, however, that even byte-by-byte inspection will not necessarily uncover such information, since it can easily be concealed by encryption, steganography, or simple unfamiliarity and nonrecognition.
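A pre-send check for the "plain ASCII text only" rule above, as an added example that is not part of the original page. It uses Python's standard email parser; the function name and the two sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy

def presend_findings(raw: bytes) -> list:
    """Return the reasons a message is not plain 7-bit ASCII text only."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no content themselves
        ctype, name = part.get_content_type(), part.get_filename()
        if ctype != "text/plain" or name:
            # Formatted files (Word, images, ...) may carry hidden identifiers.
            findings.append(f"non-plain-text part: {ctype} ({name or 'no filename'})")
            continue
        # Undo base64 / quoted-printable first, so encoded bytes cannot hide.
        body = part.get_payload(decode=True) or b""
        bad = [b for b in body if b > 126 or (b < 32 and b not in (9, 10, 13))]
        if bad:
            findings.append(f"text part has {len(bad)} non-ASCII or control bytes")
    return findings

# Constructed sample: a single plain ASCII body.
CLEAN = b"From: anon@remailer.example\r\nSubject: test\r\n\r\nplain words only\r\n"

# Constructed sample: a base64 text part with two non-ASCII bytes, plus a
# Word attachment (only the 8-byte file signature is included).
MIXED = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=XX\r\n\r\n"
    b"--XX\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"Y2Fmw6k=\r\n"
    b"--XX\r\n"
    b"Content-Type: application/msword\r\n"
    b"Content-Disposition: attachment; filename=\"note.doc\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"0M8R4KGxGuE=\r\n"
    b"--XX--\r\n"
)
```

An empty result only means the message is structurally plain text; identifying details written into the text itself still have to be caught by reading it.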
Anonymity, once lost, can almost never be regained as those interested in breaching it will often keep (have often kept) records of such discoveries. Such records have typically had very long lives, particularly if those keeping them have long planning horizons (eg, governments, or social/political interest groups). This may have serious consequences in some places for some opinions / speech.
Choosing a remailer
Not all anonymous remailers are identical, even when all works as intended. Close attention to operational standards and intent, locations, and reliability records is needed before choosing one. Among the criteria which should be considered are:
- class (eg, two way vs one way, encrypted message content vs cleartext only, mixmaster style or one hop forwarding, ...)
- location (eg, some jurisdictions allow easier seizure of equipment, data, or operating records than do others)
- history (eg, some operators maintain/administer their hardware and software in better condition than others; in particular, attention to security configuration issues)
- security (eg, some operating systems have much worse security histories (and so likely futures?) than others, even when properly configured, maintained, and administered)
- operator (at worst, a remailer run by some infamous Secret Police Department will be less than desirable; less ominously, an operator may simply be consistently inattentive)
- privacy and operating policies (eg, if stated, better than not; if stated, sensible, and observed, better still; however, recourse (legal or otherwise) has been almost never available against operators, software developers, operating system suppliers, ... in case of loss of anonymity and/or consequent damages regardless of operating policies, stated or observed)
- software used (eg, some remailer software is widely used (and live tested), some is not)
- record and reputation (eg, consult remailer statistics sites, and check around (Google search, news group postings, blogs, ...))
There is no way to ensure that any particular remailer server will never cause problems for its users (eg, loss of identity confidentiality). A remailer system not under one's own (expert level) control will always remain, to some extent, unknown.
Remailer statistics
In most cases, remailers are owned and operated by individuals, and are not as stable as they might ideally be. In fact, remailers can go down, and have gone down, without warning. It is therefore important to use up-to-date statistics when choosing remailers. Statistics can be obtained from the following sites (and others):
Since the release of Echolot, an automated remailer pinger application written by Peter Palfrader, the number of accurately maintained statistics sources has increased considerably. A list of all pingers can be obtained from http://www.noreply.org/allpingers/.
A consolidated view of current remailer statistics based on all available stats sources is available at