Anonymous remailer: Difference between revisions

From Wikipedia, the free encyclopedia
imported>EatingCarBatteries
 
Line 1: Line 1:
{{Short description|Computer server forwarding anonymous messages}}
{{Short description|Computer server that forwards messages with varying degrees of privacy}}
{{More citations needed|date=March 2008}}
{{Multiple issues|
{{Cleanup reorganize|date=September 2025}}
{{More citations needed|date=September 2025}}
}}


An '''anonymous remailer''' is a [[Server (computing)|server]] that receives messages with embedded instructions on where to send them next, and that forwards them without revealing where they originally came from. There are [[cypherpunk anonymous remailer]]s, [[mixmaster anonymous remailer]]s, and [[Pseudonymous remailer|nym server]]s, among others, which differ in how they work, in the policies they adopt, and in the type of attack on the anonymity of e-mail they can (or are intended to) resist. ''Remailing'' as discussed in this article applies to e-mails intended for particular recipients, not the general public. Anonymity in the latter case is more easily addressed by using any of several methods of anonymous publication.
A '''privacy-focused remailer''' is a [[Server (computing)|server]] that receives messages with embedded instructions on where to send them next, and that forwards them while attempting to obscure their origin. There are [[cypherpunk anonymous remailer|cypherpunk remailers]], [[mixmaster anonymous remailer|mixmaster remailers]], and [[Pseudonymous remailer|nym server]]s, among others, which differ in their design and the level of privacy they were intended to provide. It is critical to understand that without integration with an anonymity network like Tor, these systems do not provide anonymity against powerful adversaries. ''Remailing'' as discussed in this article applies to e-mails intended for particular recipients, not the general public. Anonymity in the latter case is more easily addressed by using any of several methods of anonymous publication.


==Types of remailer==
==Types of remailers==
There are several strategies that affect the anonymity of the handled e-mail. In general, different classes of anonymous remailers differ with regard to the choices their designers/operators have made. These choices can be influenced by the legal ramifications of operating specific types of remailers.<ref>du Pont, George F. (2001) [http://www.thsh.com/documents/JTLM.pdf The Time Has Come for Limited Liability for Operators of True Anonymity Remailers in Cyberspace: An Examination of the Possibilities and Perils] {{Webarchive|url=https://web.archive.org/web/20160305043023/http://www.thsh.com/documents/JTLM.pdf |date=2016-03-05 }}"Journal of Technology Law & Policy"</ref>
There are several strategies that affect the pseudonymity of the handled e-mail. These classes of remailers differ with regard to the choices their designers/operators have made. These choices can be influenced by the legal ramifications of operating specific types of remailers.<ref>du Pont, George F. (2001) [http://www.thsh.com/documents/JTLM.pdf The Time Has Come for Limited Liability for Operators of True Anonymity Remailers in Cyberspace: An Examination of the Possibilities and Perils] {{Webarchive|url=https://web.archive.org/web/20160305043023/http://www.thsh.com/documents/JTLM.pdf |date=2016-03-05 }}"Journal of Technology Law & Policy"</ref>


It must be understood that every [[data packet]] traveling on the [[Internet]] contains the node addresses (as raw [[Internet Protocol|IP]] bit strings) of both the sending and intended recipient nodes, and so no data packet can ''ever'' actually be anonymous at this level {{citation needed|date=January 2016}}. In addition, all standards-based e-mail messages contain defined fields in their headers in which the source and transmitting entities (and Internet nodes as well) are required to be included.
It must be understood that every [[data packet]] traveling on the [[Internet]] contains the node addresses (as raw [[Internet Protocol|IP]] bit strings) of both the sending and intended recipient nodes, and so no data packet can ''ever'' actually be anonymous at this level {{citation needed|date=January 2016}}. In addition, all standards-based e-mail messages contain defined fields in their headers in which the source and transmitting entities (and Internet nodes as well) are required to be included.
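Review bot: The rewritten lead bolds '''privacy-focused remailer''' while the page title is still "Anonymous remailer", so the term being defined no longer matches the article name; keep the title term in bold and introduce the new wording as a qualifier, or propose a page move first. The added sentence beginning "It is critical to understand that without integration with an anonymity network like Tor" has no reference and addresses the reader directly; it needs a source and neutral wording, particularly since the same hunk adds a {{More citations needed}} tag.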
Line 16: Line 19:
A [[pseudonymous remailer]] simply takes away the e-mail address of the sender, gives a pseudonym to the sender, and sends the message to the intended recipient (that can be answered via that remailer).<ref>{{cite journal |last=Froomkin |first=A. Michael |author-link=Michael Froomkin |title=Anonymity and its Enmities |date=1995 |volume=1 |journal=Journal of Online Law |at=art. 4 |ssrn=2715621 |location=Rochester, NY }}</ref>
A [[pseudonymous remailer]] simply takes away the e-mail address of the sender, gives a pseudonym to the sender, and sends the message to the intended recipient (that can be answered via that remailer).<ref>{{cite journal |last=Froomkin |first=A. Michael |author-link=Michael Froomkin |title=Anonymity and its Enmities |date=1995 |volume=1 |journal=Journal of Online Law |at=art. 4 |ssrn=2715621 |location=Rochester, NY }}</ref>


===Cypherpunk remailers, also called Type I===
===Cypherpunk remailers===
A [[Cypherpunk anonymous remailer|Cypherpunk remailer]] sends the message to the recipient, stripping away the sender address on it. One can not answer a message sent via a Cypherpunk remailer. The message sent to the remailer can usually be encrypted, and the remailer will decrypt it and send it to the recipient address hidden inside the encrypted message. In addition, it is possible to chain two or three remailers, so that each remailer can't know who is sending a message to whom. Cypherpunk remailers do not keep logs of transactions.
A [[Cypherpunk anonymous remailer|Cypherpunk remailer]] sends the message to the recipient, stripping away the sender address on it. One can not answer a message sent via a Cypherpunk remailer. The message sent to the remailer can usually be encrypted, and the remailer will decrypt it and send it to the recipient address hidden inside the encrypted message. In addition, it is possible to chain two or three remailers, so that each remailer can't know who is sending a message to whom. Cypherpunk remailers typically do not keep logs of transactions, but their design is vulnerable to traffic analysis.


===Mixmaster remailers, also called Type II===
===Mixmaster remailers===
In [[Mixmaster anonymous remailer|Mixmaster]], the user composes an email to a remailer, which is relayed through each node in the network using [[SMTP]], until it finally arrives at the final recipient. Mixmaster can only send emails one way. An email is sent anonymously to an individual, but for them to be able to respond, a reply address must be included in the body of the email. Also, Mixmaster remailers require the use of a computer program to write messages. Such programs are not supplied as a standard part of most operating systems or mail management systems.
In [[Mixmaster anonymous remailer|Mixmaster]], the user composes an email to a remailer, which is relayed through each node in the network using [[SMTP]], until it finally arrives at the final recipient. Mixmaster can only send emails one way. An email is sent pseudonymously to an individual, but for them to be able to respond, a reply address must be included in the body of the email. Also, Mixmaster remailers require the use of a computer program to write messages. Such programs are not supplied as a standard part of most operating systems or mail management systems. Mixmaster is vulnerable to long-term traffic analysis and is considered obsolete.


===Mixminion remailers, also called Type III===
===Mixminion remailers===
A [[Mixminion]] remailer attempts to address the following challenges in Mixmaster remailers: replies, forward anonymity, replay prevention and key rotation, exit policies, integrated directory servers and dummy traffic. They are currently available for the Linux and Windows platforms. Some implementations are open source.
A [[Mixminion]] remailer attempts to address the following challenges in Mixmaster remailers: replies, forward anonymity, replay prevention and key rotation, exit policies, integrated directory servers and dummy traffic. They are currently available for the Linux and Windows platforms. Some implementations are open source. Despite improvements, Mixminion shares the fundamental vulnerability to traffic analysis and requires protection by a network like Tor for meaningful anonymity.


==Traceable remailers==
==Traceable remailers==
<!-- appropriate citations for the penet.fi / Scientology case look to be available on the penet remailer Wikipedia article -->
Some remailers establish an internal list of actual senders and invented names such that a recipient can send mail to ''invented name'' AT ''some-remailer.example''. When receiving traffic addressed to this user, the server software consults that list, and forwards the mail to the original sender, thus permitting anonymous—though traceable with access to the list—two-way communication. The famous "[[penet remailer|penet.fi]]" remailer in Finland did just that for several years.<ref>{{cite press release | url = https://w2.eff.org/Privacy/Anonymity/960830_penet_closure.announce | title = Johan Helsingius closes his Internet remailer | date = 1996-08-30 | access-date = 2014-10-09 | archive-url = https://web.archive.org/web/20160303221336/https://w2.eff.org/Privacy/Anonymity/960830_penet_closure.announce | archive-date = 2016-03-03 | url-status = dead }}</ref> Because of the existence of such lists in this type of remailing server, it is possible to break the anonymity by gaining access to the list(s), by breaking into the computer, asking a court (or merely the police in some places) to order that the anonymity be broken, and/or bribing an attendant. This happened to penet.fi as a result of some traffic passed through it about [[Scientology]].{{Citation needed |date=October 2012}} The Church claimed copyright infringement and sued penet.fi's operator. A court ordered the list be made available. Penet's operator shut it down after destroying its records (including the list) to retain [[digital identity|identity]] [[confidentiality]] for its users; though not before being forced to supply the court with the real e-mail addresses of two of its users.{{Citation needed |date=October 2012}}
Some remailers establish an internal list of actual senders and invented names such that a recipient can send mail to ''invented name'' AT ''some-remailer.example''. When receiving traffic addressed to this user, the server software consults that list, and forwards the mail to the original sender, thus permitting anonymous—though traceable with access to the list—two-way communication. The famous "[[penet remailer|penet.fi]]" remailer in Finland did just that for several years.<ref>{{cite press release | url = https://w2.eff.org/Privacy/Anonymity/960830_penet_closure.announce | title = Johan Helsingius closes his Internet remailer | date = 1996-08-30 | access-date = 2014-10-09 | archive-url = https://web.archive.org/web/20160303221336/https://w2.eff.org/Privacy/Anonymity/960830_penet_closure.announce | archive-date = 2016-03-03 | url-status = dead }}</ref> Because of the existence of such lists in this type of remailing server, it is possible to break the anonymity by gaining access to the list(s), by breaking into the computer, asking a court (or merely the police in some places) to order that the anonymity be broken, and/or bribing an attendant. This happened to penet.fi as a result of some traffic passed through it about [[Scientology]].{{Citation needed |date=October 2012}} The Church claimed copyright infringement and sued penet.fi's operator. A court ordered the list be made available. Penet's operator shut it down after destroying its records (including the list) to retain [[digital identity|identity]] [[confidentiality]] for its users; though not before being forced to supply the court with the real e-mail addresses of two of its users.{{Citation needed |date=October 2012}}


More recent remailer designs use [[cryptography]] in an attempt to provide more or less the same service, but without so much risk of loss of user confidentiality. These are generally termed [[nym server]]s or [[pseudonymous remailer]]s. The degree to which they remain vulnerable to forced disclosure (by courts or police) is and will remain unclear since new statutes/regulations and new [[cryptanalytic]] developments proceed apace. Multiple anonymous forwarding among cooperating remailers in different jurisdictions may retain, but cannot guarantee, anonymity against a determined attempt by one or more governments, or civil litigators.
More recent remailer designs use [[cryptography]] in an attempt to provide more or less the same service, but without so much risk of loss of user confidentiality. These are generally termed [[nym server]]s or [[pseudonymous remailer]]s. The degree to which they remain vulnerable to forced disclosure (by courts or police) is and will remain unclear since new statutes/regulations and new [[cryptanalytic]] developments proceed apace. Multiple anonymous forwarding among cooperating remailers in different jurisdictions may retain, but cannot guarantee, anonymity against a determined attempt by one or more governments, or civil litigators.


==Untraceable remailers==
==Modern Tor-based and Mixnet alternatives==
If users accept the loss of two-way interaction, identity anonymity can be made more secure.
Due to the inherent vulnerabilities of classical remailers to [[Traffic analysis|traffic correlation]]<ref name="Danezis2006">{{cite conference |last1=Danezis |first1=George |last2=Syverson |first2=Paul |title=Eclipse Attacks on Tor |conference=Privacy Enhancing Technologies |year=2006 |doi=10.1007/11957454_4 |url=https://doi.org/10.1007/11957454_4|url-access=subscription }}</ref> and metadata surveillance, the modern approach to anonymous email relies on integrating remailer functionality with robust anonymity networks.


By not keeping any list of users and corresponding anonymizing labels for them, a remailer can ensure that any message that has been forwarded leaves no internal information behind that can later be used to break identity confidentiality. However, while being handled, messages remain vulnerable within the server (e.g., to [[Trojan horse (computing)|Trojan]] software in a compromised server, to a compromised server operator, or to mis-administration of the server), and [[traffic analysis]] comparison of traffic into and out of such a server can suggest quite a lot—far more than almost any would credit.
'''Tor-based remailers:''' Systems like the '''Onion Courier Mixnet'''<ref name="OnionCourier">{{cite web |title=Onion Courier: Anonymous email over Tor |url=https://github.com/Ch1ffr3punk/oc |publisher=GitHub |access-date=2025-06-30}}</ref> operate as [[Tor (network)|Tor]] hidden services. This protects the user's IP address and the remailer's location from network observers. While Tor provides strong protection for network metadata, the mix nodes are adding additional layers of anonymity per hop.


The [[Mixmaster anonymous remailer|Mixmaster]] strategy is designed to defeat such attacks, or at least to increase their cost (i.e., to 'attackers') beyond feasibility. If every message is passed through several servers (ideally in different legal and political jurisdictions), then attacks based on legal systems become considerably more difficult, if only because of '[[Carl von Clausewitz#Principal ideas|Clausewitz]]ian' friction among lawyers, courts, different statutes, organizational rivalries, legal systems, etc. And, since many different servers and server operators are involved, subversion of any (i.e., of either system or operator) becomes less effective also since no one (most likely) will be able to subvert the entire chain of remailers.
'''Mixnet-based remailers:''' The [[Mixnet|Nym]] network is designed specifically to resist powerful traffic analysis attacks that threaten older remailers and even Tor in some scenarios. Nym uses a layered mixnet architecture with cover traffic to provide strong anonymity for message timing and metadata. Future anonymous email systems are likely to be built directly on top of mixnets like Nym to provide anonymity against nation-state adversaries.<ref name="TorDesign">{{cite journal |last1=Dingledine |first1=Roger |title=Tor: The Second-Generation Onion Router |journal=USENIX Security Symposium |year=2004 |url=https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf}}</ref>
 
For any meaningful anonymity, the use of such an integrated network is now considered essential; standalone classical remailers do not provide adequate security.
[[Random]] [[padding (cryptography)|padding]] of messages, random delays before forwarding, and encryption of forwarding information between forwarding remailers, increases the degree of difficulty for attackers still further as message size and timing can be largely eliminated as traffic analysis clues, and lack of easily readable forwarding information renders ineffective simple automated traffic analysis algorithms.
 
'''Modern Tor-Based Alternatives'''.
With the decline of classical remailers (e.g., Mixmaster) due to vulnerabilities to [[Traffic analysis|traffic correlation]]<ref name="Danezis2006">{{cite conference |last1=Danezis |first1=George |last2=Syverson |first2=Paul |title=Eclipse Attacks on Tor |conference=Privacy Enhancing Technologies |year=2006 |doi=10.1007/11957454_4 |url=https://doi.org/10.1007/11957454_4}}</ref>, some users have migrated to Tor-integrated remailers like Onion Courier<ref name="OnionCourier">{{cite web |title=Onion Courier: Anonymous email over Tor |url=https://github.com/Ch1ffr3punk/oc |publisher=GitHub |access-date=2025-06-30}}</ref>. These systems leverage [[Tor (network)|Tor hidden services]] to resist metadata surveillance, addressing key weaknesses of older designs<ref name="TorDesign">{{cite journal |last1=Dingledine |first1=Roger |title=Tor: The Second-Generation Onion Router |journal=USENIX Security Symposium |year=2004 |url=https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf}}</ref>.


==Web-based mailer==
==Web-based mailer==
There are also web services that allow users to send anonymous email messages. These services do not provide the anonymity of real remailers, but they are easier to use. When using a web-based anonymous email or anonymous remailer service, its reputation should first be analyzed, since the service stands between senders and recipients. Some of the aforementioned web services log the users [[IP address]]es to ensure they do not break the law; others offer superior anonymity with attachment functionality by choosing to trust that the users will not breach the websites terms of service (ToS).<ref>{{cite web|title=Amnesty Box|url=http://www.amnestybox.com/|access-date=29 March 2012|archive-date=14 April 2012|archive-url=https://web.archive.org/web/20120414030144/http://www.amnestybox.com/|url-status=live}}</ref>
There are also web services that allow users to send anonymous email messages. These services typically do not provide the strong pseudonymity of cryptographic remailers, let alone anonymity, and they are often easier to use. When using a web-based anonymous email service, its reputation and privacy policy should first be analyzed carefully, since the service stands between senders and recipients. Many such services log the users [[IP address]]es; others may offer superior privacy but still require trust in the operator.<ref>{{cite web|title=Amnesty Box|url=http://www.amnestybox.com/|access-date=29 March 2012|archive-date=14 April 2012|archive-url=https://web.archive.org/web/20120414030144/http://www.amnestybox.com/|url-status=live}}</ref>
 
==Remailer statistics==
{{expand section|date=January 2014}}
In most cases, remailers are owned and operated by individuals, and are not as stable as they might ideally be. In fact, remailers can, and have, gone down without warning. It is important to use up-to-date statistics when choosing remailers.
 
==Remailer abuse and blocking by governments ==
{{expand section|date=October 2012}}
Although most re-mailer systems are used responsibly, the anonymity they provide can be exploited by entities or individuals whose reasons for anonymity are not necessarily benign.<ref>{{Cite web|title=Recommendations for Anonymous Remailer Policy at Oberlin College|url=https://www.cs.cmu.edu/~burnsm/remailers.html|access-date=2021-09-04|website=www.cs.cmu.edu|archive-date=2021-09-04|archive-url=https://web.archive.org/web/20210904002515/https://www.cs.cmu.edu/~burnsm/remailers.html|url-status=live}}</ref>


Such reasons could include support for violent extremist actions,{{citation needed|date=October 2012}} sexual exploitation of children {{citation needed|date=October 2012}} or more commonly to frustrate accountability for 'trolling' and harassment of targeted individuals, or companies (The Dizum.com re-mailer chain being abused as recently as May 2013{{citation needed|date=October 2013}} for this purpose.)
== Remailer statistics ==
In most cases, remailers are owned and operated by individuals, and are not as stable as they might ideally be. In fact, remailers can, and have, gone down without warning. It is important to use up-to-date statistics, such as those provided by SEC3<ref>{{cite web |url=https://www.sec3.net/misc/ |title=Current Remailer Statistics and Network Metrics |publisher=SEC3 |access-date= }}</ref> when choosing remailers.


The response of some re-mailers to this abuse potential is often to disclaim responsibility (as dizum.com does<ref name="DZ">{{cite web|url=https://dizum.com/help/usenet.html |title=DIZUM FAQ |access-date=November 1, 2012 |url-status=dead |archive-url=https://web.archive.org/web/20100710023752/http://dizum.com/help/usenet.html |archive-date=July 10, 2010 }}</ref>), as owing to the technical design (and ethical principles) of many systems, it is impossible for the operators to physically unmask those using their systems. Some re-mailer systems go further and claim that it would be illegal for them to monitor for certain types abuse at all.<ref name="DZ"/>
== Remailer abuse and blocking by governments ==
While most remailers are used responsibly, their pseudonymity has been exploited for illegal activities. A prominent example is the [[2012 University of Pittsburgh bomb threats]], where an Anonymous-linked remailer was seized by the [[Federal Bureau of Investigation|FBI]] after being used to send over 100 threatening emails.<ref>{{cite news |title=FBI seizes activist's Anonymous remailer server in bomb threat investigation |url=https://arstechnica.com/tech-policy/2012/04/fbi-seizes-activists-anonymous-remailer-server-in-bomb-threat-investigation/ |work=Ars Technica |date=2012-04-06 |access-date= }}</ref>


Until technical changes were made in the remailers concerned  in the mid-2000s, some re-mailers (notably nym.alias.net based systems) were seemingly willing to use any genuine (and thus valid) but otherwise forged address. This loophole allowed trolls to mis-attribute controversial claims or statements with the aim of causing offence, upset or harassment to the genuine holder(s) of the address(es) forged.
Some remailers disclaim responsibility for abuse, citing technical and ethical limitations that prevent operators from identifying users.<ref name="DZ">{{cite web |url=https://dizum.com/help/usenet.html |title=DIZUM FAQ |archive-url=https://web.archive.org/web/20100710023752/http://dizum.com/help/usenet.html |archive-date=2010-07-10 |access-date=2012-11-01}}</ref> Others argue that monitoring for certain abuses would itself be illegal under privacy laws.<ref name="DZ"/>
 
While re-mailers may disclaim responsibility, the comments posted via them have led to them being blocked in some countries. In 2014, dizum.com (a [[Netherlands]]-based remailer) was seemingly blocked by authorities in Pakistan,{{citation needed|date=January 2014}} because comments an (anonymous) user of that service had made concerning key figures in Islam.


==See also==
==See also==
 
*[[Anonymity]]
* [[Anonymity]]
*[[Anonymous P2P]]
** [[Anonymity application]]
*[[Private browsing|Anonymous web browsing]]
** [[Anonymous blogging]]
** [[Anonymous P2P]]
** Anonymous remailer
*** [[Cypherpunk anonymous remailer]] (Type I)
*** [[Mixmaster anonymous remailer]] (Type II)
*** [[Mixminion]] anonymous remailer (Type III)
** [[Private browsing|Anonymous web browsing]]
* [[Data privacy]]
* [[Identity theft]]
* [[Internet privacy]]
* [[Personally identifiable information]]
* [[Privacy software]] and [[Privacy-enhancing technologies]]
** [[I2P]]
** [[I2P#I2P-Bote|I2P-Bote]]
** [[Java Anon Proxy]]
** [[Onion routing]]
*** [[Tor (network)]]
* [[Pseudonymity]], [[Pseudonymization]]
** [[Pseudonymous remailer]] (a.k.a. nym servers)
*** [[Penet remailer]]
* [[Traffic analysis]]
* [[Winston Smith Project]]
* [[Mix network]]


==References==
==References==
{{reflist}}
{{reflist}}
* [http://freehaven.net/anonbib/cache/rprocess.html Remailer Vulnerabilities]
[http://freehaven.net/anonbib/cache/rprocess.html Remailer Vulnerabilities]
* ''Email Security'', [[Bruce Schneier]] ({{ISBN|0-471-05318-X}})
''Email Security'', [[Bruce Schneier]] ({{ISBN|0-471-05318-X}})
* ''Computer Privacy Handbook'', Andre Bacard ({{ISBN|1-56609-171-3}})
''Computer Privacy Handbook'', Andre Bacard ({{ISBN|1-56609-171-3}})


[[Category:Anonymous file sharing networks]]
[[Category:Anonymous file sharing networks]]
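Review bot: The new "Modern Tor-based and Mixnet alternatives" section supports its claims with references whose titles concern Tor rather than the systems being described: the sentence on classical remailers' weakness to traffic correlation cites "Eclipse Attacks on Tor", and the Nym paragraph, including the prediction about future systems and nation-state adversaries, cites the 2004 paper "Tor: The Second-Generation Onion Router". Please cite sources that address remailers and Nym directly, and source or drop the added verdicts "considered obsolete" (Mixmaster) and "do not provide adequate security". The hunk also deletes the explanation of padding, random delays and multi-jurisdiction chaining from the former "Untraceable remailers" section without replacement, leaves access-date= empty on the SEC3 and Ars Technica references, and strips the "* " bullets from the three general references so they render as one run-on line.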

Latest revision as of 22:50, 26 October 2025


A privacy-focused remailer is a server that receives messages with embedded instructions on where to send them next, and that forwards them while attempting to obscure their origin. There are cypherpunk remailers, mixmaster remailers, and nym servers, among others, which differ in their design and the level of privacy they were intended to provide. It is critical to understand that without integration with an anonymity network like Tor, these systems do not provide anonymity against powerful adversaries. Remailing as discussed in this article applies to e-mails intended for particular recipients, not the general public. Anonymity in the latter case is more easily addressed by using any of several methods of anonymous publication.

Types of remailers

There are several strategies that affect the pseudonymity of the handled e-mail. These classes of remailers differ with regard to the choices their designers/operators have made. These choices can be influenced by the legal ramifications of operating specific types of remailers.[1]

It must be understood that every data packet traveling on the Internet contains the node addresses (as raw IP bit strings) of both the sending and intended recipient nodes, and so no data packet can ever actually be anonymous at this level. In addition, all standards-based e-mail messages contain defined fields in their headers in which the source and transmitting entities (and Internet nodes as well) are required to be included.

Some remailers change both types of address in messages they forward, and the list of forwarding nodes in e-mail messages as well, as the message passes through; in effect, they substitute 'fake source addresses' for the originals. The 'IP source address' for that packet may become that of the remailer server itself, and within an e-mail message (which is usually several packets), a nominal 'user' on that server. Some remailers forward their anonymized e-mail to still other remailers, and only after several such hops is the e-mail actually delivered to the intended address.

There are, more or less, four types of remailers:

Pseudonymous remailers

A pseudonymous remailer simply takes away the e-mail address of the sender, gives a pseudonym to the sender, and sends the message to the intended recipient (that can be answered via that remailer).[2]

Cypherpunk remailers

A Cypherpunk remailer sends the message to the recipient, stripping away the sender address on it. One cannot answer a message sent via a Cypherpunk remailer. The message sent to the remailer can usually be encrypted, and the remailer will decrypt it and send it to the recipient address hidden inside the encrypted message. In addition, it is possible to chain two or three remailers, so that each remailer can't know who is sending a message to whom. Cypherpunk remailers typically do not keep logs of transactions, but their design is vulnerable to traffic analysis.
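The chaining described above can be shown with a small simulation. This is an added example, not part of the article or of any remailer's code: the sender wraps the message in one encrypted layer per remailer, and each remailer strips one layer and learns only the next hop. The `seal`/`open_layer` functions are a toy symmetric stand-in for the public-key encryption a real remailer uses, and all addresses and keys are constructed.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated cipher (SHA-256 keystream + HMAC). It stands in for the
# public-key encryption a real remailer uses and is for illustration only.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + c.to_bytes(8, "big")).digest()
              for c in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_layer(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("layer too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed authentication")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

def wrap(chain, recipient: str, body: bytes):
    """Sender side: build one encrypted layer per remailer, innermost first."""
    next_hop, payload = recipient, body
    for address, key in reversed(chain):
        layer = json.dumps({"next": next_hop, "payload": payload.hex()}).encode()
        payload = seal(key, layer)
        next_hop = address
    return next_hop, payload  # first remailer to contact, and the blob to send it

def remail(key: bytes, blob: bytes):
    """Remailer side: strip one layer; the only routing fact revealed is the next hop."""
    layer = json.loads(open_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["payload"])

def simulate(sender: str, chain, recipient: str, body: bytes):
    """Pass a message along the chain and record what each remailer observes."""
    keys = dict(chain)
    hop, blob = wrap(chain, recipient, body)
    previous, views = sender, []
    while hop in keys:
        next_hop, blob = remail(keys[hop], blob)
        views.append({"remailer": hop, "received_from": previous, "forwards_to": next_hop})
        previous, hop = hop, next_hop
    return views, hop, blob

def linking_hops(views, sender: str, recipient: str):
    """Remailers that saw both the real sender and the final recipient."""
    return [v["remailer"] for v in views
            if v["received_from"] == sender and v["forwards_to"] == recipient]

# Constructed sample data: three hypothetical remailers with demo keys.
SENDER = "alice@sender.example"
RECIPIENT = "bob@recipient.example"
CHAIN = [(f"remailer-{n}@mix-{n}.example",
          hashlib.sha256(f"demo key {n}".encode()).digest()) for n in "abc"]

if __name__ == "__main__":
    for chain in (CHAIN[:1], CHAIN):
        views, delivered_to, body = simulate(SENDER, chain, RECIPIENT, b"hello")
        print(f"--- chain of {len(chain)} ---")
        for view in views:
            print(view)
        print("delivered to:", delivered_to, "body:", body)
        print("hops able to link sender and recipient:",
              linking_hops(views, SENDER, RECIPIENT))
```

With a single remailer, that one server sees both ends; with three, no hop does. In this example the blob also shrinks at every hop, which is one of the size clues that traffic analysis relies on.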

Mixmaster remailers

In Mixmaster, the user composes an email to a remailer, which is relayed through each node in the network using SMTP, until it finally arrives at the final recipient. Mixmaster can only send emails one way. An email is sent pseudonymously to an individual, but for them to be able to respond, a reply address must be included in the body of the email. Also, Mixmaster remailers require the use of a computer program to write messages. Such programs are not supplied as a standard part of most operating systems or mail management systems. Mixmaster is vulnerable to long-term traffic analysis and is considered obsolete.

Mixminion remailers

A Mixminion remailer attempts to address the following challenges in Mixmaster remailers: replies, forward anonymity, replay prevention and key rotation, exit policies, integrated directory servers and dummy traffic. They are currently available for the Linux and Windows platforms. Some implementations are open source. Despite improvements, Mixminion shares the fundamental vulnerability to traffic analysis and requires protection by a network like Tor for meaningful anonymity.

Traceable remailers

Some remailers establish an internal list of actual senders and invented names such that a recipient can send mail to invented name AT some-remailer.example. When receiving traffic addressed to this user, the server software consults that list, and forwards the mail to the original sender, thus permitting anonymous—though traceable with access to the list—two-way communication. The famous "penet.fi" remailer in Finland did just that for several years.[3] Because of the existence of such lists in this type of remailing server, it is possible to break the anonymity by gaining access to the list(s), by breaking into the computer, asking a court (or merely the police in some places) to order that the anonymity be broken, and/or bribing an attendant. This happened to penet.fi as a result of some traffic passed through it about Scientology. The Church claimed copyright infringement and sued penet.fi's operator. A court ordered the list be made available. Penet's operator shut it down after destroying its records (including the list) to retain identity confidentiality for its users; though not before being forced to supply the court with the real e-mail addresses of two of its users.

More recent remailer designs use cryptography in an attempt to provide more or less the same service, but without so much risk of loss of user confidentiality. These are generally termed nym servers or pseudonymous remailers. The degree to which they remain vulnerable to forced disclosure (by courts or police) is and will remain unclear since new statutes/regulations and new cryptanalytic developments proceed apace. Multiple anonymous forwarding among cooperating remailers in different jurisdictions may retain, but cannot guarantee, anonymity against a determined attempt by one or more governments, or civil litigators.

Modern Tor-based and Mixnet alternatives

Due to the inherent vulnerabilities of classical remailers to traffic correlation[4] and metadata surveillance, the modern approach to anonymous email relies on integrating remailer functionality with robust anonymity networks.

Tor-based remailers: Systems like the Onion Courier Mixnet[5] operate as Tor hidden services. This protects the user's IP address and the remailer's location from network observers. While Tor provides strong protection for network metadata, the mix nodes add further layers of anonymity at each hop.

Mixnet-based remailers: The Nym network is designed specifically to resist powerful traffic analysis attacks that threaten older remailers and even Tor in some scenarios. Nym uses a layered mixnet architecture with cover traffic to provide strong anonymity for message timing and metadata. Future anonymous email systems are likely to be built directly on top of mixnets like Nym to provide anonymity against nation-state adversaries.[6] For any meaningful anonymity, the use of such an integrated network is now considered essential; standalone classical remailers do not provide adequate security.

Web-based mailer

There are also web services that allow users to send anonymous email messages. These services typically do not provide the strong pseudonymity of cryptographic remailers, let alone anonymity, but they are often easier to use. When using a web-based anonymous email service, its reputation and privacy policy should first be analyzed carefully, since the service stands between senders and recipients. Many such services log users' IP addresses; others may offer superior privacy but still require trust in the operator.[7]

Remailer statistics

In most cases, remailers are owned and operated by individuals, and are not as stable as they might ideally be. In fact, remailers can go down, and have gone down, without warning. It is important to use up-to-date statistics, such as those provided by SEC3,[8] when choosing remailers.

Remailer abuse and blocking by governments

While most remailers are used responsibly, their pseudonymity has been exploited for illegal activities. A prominent example is the 2012 University of Pittsburgh bomb threats, where an Anonymous-linked remailer was seized by the FBI after being used to send over 100 threatening emails.[9]

Some remailers disclaim responsibility for abuse, citing technical and ethical limitations that prevent operators from identifying users.[10] Others argue that monitoring for certain abuses would itself be illegal under privacy laws.[10]

References

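  1. du Pont, George F. (2001). "The Time Has Come for Limited Liability for Operators of True Anonymity Remailers in Cyberspace: An Examination of the Possibilities and Perils". Journal of Technology Law & Policy. http://www.thsh.com/documents/JTLM.pdf (archived 2016-03-05 at https://web.archive.org/web/20160305043023/http://www.thsh.com/documents/JTLM.pdf)
  2. Froomkin, A. Michael (1995). "Anonymity and its Enmities". Journal of Online Law, vol. 1, art. 4. Rochester, NY. SSRN 2715621.
  3. "Johan Helsingius closes his Internet remailer" (press release). 1996-08-30. https://w2.eff.org/Privacy/Anonymity/960830_penet_closure.announce (archived 2016-03-03 at https://web.archive.org/web/20160303221336/https://w2.eff.org/Privacy/Anonymity/960830_penet_closure.announce). Accessed 2014-10-09.
  4. Danezis, George; Syverson, Paul (2006). "Eclipse Attacks on Tor". Privacy Enhancing Technologies. doi:10.1007/11957454_4.
  5. "Onion Courier: Anonymous email over Tor". GitHub. https://github.com/Ch1ffr3punk/oc. Accessed 2025-06-30.
  6. Dingledine, Roger (2004). "Tor: The Second-Generation Onion Router". USENIX Security Symposium. https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf
  7. "Amnesty Box". http://www.amnestybox.com/ (archived 14 April 2012 at https://web.archive.org/web/20120414030144/http://www.amnestybox.com/). Accessed 29 March 2012.
  8. "Current Remailer Statistics and Network Metrics". SEC3. https://www.sec3.net/misc/
  9. "FBI seizes activist's Anonymous remailer server in bomb threat investigation". Ars Technica. 2012-04-06. https://arstechnica.com/tech-policy/2012/04/fbi-seizes-activists-anonymous-remailer-server-in-bomb-threat-investigation/
  10. "DIZUM FAQ". https://dizum.com/help/usenet.html (archived 2010-07-10 at https://web.archive.org/web/20100710023752/http://dizum.com/help/usenet.html). Accessed 2012-11-01.

General references:

  * Remailer Vulnerabilities. http://freehaven.net/anonbib/cache/rprocess.html
  * Email Security, Bruce Schneier (ISBN 0-471-05318-X)
  * Computer Privacy Handbook, Andre Bacard (ISBN 1-56609-171-3)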