Anonymous remailers can be used to hide information about the sender of email by re-sending the email through a series of nodes that are connected in a chain thus hiding the originating location. The aim of remailers is to protect the anonymity of people who may find themselves in a variety of situations such as [CRP01]:
- Individuals who don’t trust their Internet Service Provider or Network Administrator
- Consumers, who want to send feedback on a product or service
- Activists, protesting against political issues and local concerns
- Journalists, who want to correspond with a source without exposing the source, or being tracked down themselves.
- Whistleblowers, who want to report illegal activity of a co-worker, government or company
- Law Enforcement, who want to communicate with confidential sources or undercover agents without risking their operational security
- Researchers and Survey Participants, who don’t want to expose their opinions on sensitive topics
There are four types of remailers [VAN01].
- Type I (Cypherpunk) – removes identifying information from the header, such as the sender address, and originating IP address of an email that is either encrypted or plain text. Messages can be sent through several different servers in a chain so that each remailer will not know who is sending a message to whom. Type I remailers do not keep logs of transactions. In addition, messages cannot be answered.
- Type II (Mixmaster) – requires the use of a computer program used at the command line or using 3rd party minimalist graphical user interfaces to compose emails that are then sent to a remailer server. Type II remailers can only send emails one way. Type II remailers use a Mix Network, a routing protocol that uses a chain of proxy servers called ‘mixes’. It shuffles messages from multiple sources and sends them out in a random order to another mix node, thus breaking the link between the source of a request and its destination. Message are relayed through each node in the network through the Application layer using – Simple Mail Transfer Protocol (SMTP).
- Type III (Mixminion) – can be used to both send and receive anonymous e-mail and was designed to address some of the limitations of Type II remailers. Like Type II, it uses a Mix Network, however, a key difference between remailers is that Type III use of the Transport layer security (TLS) unlike Type II, which uses the Simple Mail Transfer Protocol (SMTP). This allows for the establishment of an encrypted tunnel that messages travel though. It also addresses a number of other technical vulnerabilities such as [Danezis et al., 2003] provides defence against attacks (by breaking the security of a mix network), routes encryption keys (by resetting encryption keys) and other improvements.
- Pseudonymous remailers – takes away the e-mail address of the sender, gives a pseudonym to the sender, and sends the message to the intended recipient that can be answered via that remailer. It assigns its users a user name, and it keeps a database of instructions on how to return messages to the real user. These are used on popular websites such as Gumtree through email masking [GUM01]. This replaces actual email addresses with pseudonyms allowing users to communicate back and forth through the remailer. Although, this commercial use differs from using a nym server (pseudonym server), which provides untraceable e-mail addresses, where neither the nym server operator nor the operators of the remailers involved can discover which nym corresponds to which real identity.
- Anonymity – mix routing and nym servers strip identifying information replacing it with either a pseudonymous or anonymous name along with a proxy server IP address.
- Usability – There is a learning curve to being able to use anonymous remailers [LBT01] because it uses a command line interface. Although there is a graphical user interface provided by QuickSliver Lite [QSL01] it is still quite basic. There is also a web interface available [PRW01] although these are not as secure because the website operator or anyone spying on the website has the ability to see the originating IP address unless the person is using TOR [PRW02]. It is more secure to install the client directly on to the machine used to send an email. However, this takes a level of technical skill and confidence that ordinary users may not possess. A person who wants to download Mixmaster will need to know how to install and configure the software within the UNIX operating system.
- Threat modelling – Users of anonymous remailers have to determine for themselves the level of technical security they require based upon the number of ‘chains’ or proxy servers an email goes through before reaching its destination. In addition, a person will also need to specific how many copies of the email are sent to ensure that at least one makes it through the Mix Network.
- Data loss – Email can get lost in the Mix Network and as a result may never reach their intended destination.
Layer of interaction:
- Application layer: Simple Mail Transfer Protocol (SMTP) – Type II remailers.
- Transport layer: Transport layer security (TLS) – Type III remailers.
The first anonymous remailer appeared in the early 1990s as the Penet remailer, at anon.penet.fi [LEN01]. It was widely used however the service had a number of vulnerabilities including storing real email address that were mapped to anonymous ones. Also, the remailer had been compromised through multiple technical attacks. Additionally, it was required to reveal information about a user who posted copyrighted documents from the Church of Scientology to a newsgroup in 1995. The operator eventually shut down the service due to legal concerns and privacy issues [IAC01].
Since the Snowden revelations and the emergence of the ‘real-name paradigm’ where online identity mirrors the real world as in Facebook, Twitter and other social media have [INF01] people have become increasingly interested in technical resources that provide anonymity and the remailer provides this capability.
Danezis, G., Dingledine, R., Mathewson, N. (2003) Mixminion: Design of a Type III Anonymous Remailer Protocol. In IEEE Symposium on Security and Privacy, Berkeley, CA, 11-14 May 2003.
The Information (INF)
Leavitt, N. (LEN)
Anonymization Technology Takes a High Profile. 2009. IEEE Computer.
Light Blue Touchpaper (LBT)
Paranoia remailer web interface (PRW)
QuickSliver Lite (QSL)