[e-privacy] Anonymous Emails

mandrivo at hushmail.com mandrivo at hushmail.com
Thu Dec 28 10:21:02 CET 2006


I'm pointing out this guide to you; maybe there's nothing new in it, but 
it's worth reading. Bye.

Anonymous Emails

Low-grade anonymous email can effectively be achieved by creating a 
Yahoo or gmail account and only accessing it through Tor. BEWARE 
however, that many webmail services will append your IP to the mail 
headers. So be absolutely sure to never send any messages (or even 
log in) without using Tor.

Worse still, the mainstream webmail services typically offer other 
services that "conveniently" allow you to share the same 
account/cookie between them. For this reason, if you opt to use a 
major webmail service, you need to be careful with things like 
entering your street address/zip code into their corresponding 
mapping services, or for that matter, ever using a yellow pages. 
Careful and judicious use of various cookie control mechanisms or 
throwaway computing is required. It is also rumored that hotmail 
will pull your browser time info and place it on emails, thus 
narrowing your geographical location.

If you desire more anonymity with less hassle, you have a couple of 
options. HushMail and MailVault provide limited free accounts that 
automatically support GPG. HushMail unfortunately uses some kind of 
hokey Java interface, and I have difficulty getting it to reliably 
work on many OS/browser combos. Also, note that some Java 
implementations may not pass your connections through your proxy 
settings, which may mean that Tor is not sufficient 
protection. Check netstat to be sure. MailVault does not use Java, 
and thus is fully Tor-friendly. It's also lighter and quicker. 
However, I would not rely on mailvault OR hushmail (or any other 
provider) to ensure your email is private. While both of these 
companies are outside of the USA (which at least should provide 
protection against a National Security Letter), they still could 
fall prey to some other coercive tactic. If you need a high level 
of assurance of secrecy, you must manage your own GPG key using a 
front end or plugin to your mail client.

Your last option for anonymous mail is to use a proper mix network. 
However, these networks require a good deal of configuration and 
setup to join, and once you do, they are only one way. There are 
two main anonymous remailer networks in existence, MixMaster and 
MixMinion. MixMinion is designed to succeed MixMaster, but it is 
still in development and thus has debug logs, etc. in place that can 
be confiscated and used to betray anonymity. There are web gateways 
available to use, but again they are only one way.

It is also possible to set up a return path, or Nym through certain 
mix networks. Hushmail provides nym service as part of their paid 
accounts, and Panta Rhei maintains a list of NymServers as well.

If you only need a throwaway email address for signing up 
for a Google Groups or other forum account, you can use 
Mailinator.com or pookmail.com. Note that these temporary mailboxes 
have no passwords. Also don't forget to use Tor or some other IP 
obfuscator.

Note

If you use a webmail account, you should expect that your email is 
NOT PRIVATE. According to the ECPA, after 180 days it becomes 
possible to demand email from a server without a warrant, and for 
non-criminal matters. This means all that has to happen is a civil 
attorney decides they want to see your email because they might 
have a reason to sue you, so they write a subpoena demanding all 
email older than 180 days from your provider, and it is theirs.

A few interesting anonymity/privacy mailing services have also 
arisen lately because of this loophole. StealthMessage, Self 
Destructing Email and MailJedi all provide "self-destruct" 
capabilities for email, so that you don't have to worry about 
messages you send sitting in someone's inbox to be discovered 
later. StealthMessage for some reason does not work for me, 
however. It also requires Javascript and is pretty clunky.

Once again, I would not rely on any of these services to actually 
destroy your mail or otherwise keep it private, especially in the 
case of subpoena, National Security Letter, or coercive tactics. If 
you need this level of assurance, you must manage your own GPG key 
using a front end or plugin to your mail client. 



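The guide's warning that webmail services may append your IP to the mail headers can be checked by sending a test message to an address you control and inspecting the headers of what arrives. The Python below is an added example, not part of the original post or guide; the client-IP header list is an assumption to extend for your provider, and the sample message, host names and addresses are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Non-standard headers some webmail services use to record the submitting
# client's address. This list is an assumption; extend it for your provider.
CLIENT_IP_HEADERS = ("X-Originating-IP", "X-Sender-IP")
TOKEN = re.compile(r"[0-9A-Fa-f:.]+")


def header_ips(raw_message):
    """Return (header name, address) pairs for every IP literal found in
    the Received and client-IP headers of a raw message."""
    msg = message_from_string(raw_message)
    found = []
    for name in ("Received",) + CLIENT_IP_HEADERS:
        for value in msg.get_all(name, []):
            for token in TOKEN.findall(value):
                try:
                    addr = ipaddress.ip_address(token.strip("."))
                except ValueError:
                    continue  # timestamps, version numbers, hex-looking words
                found.append((name, addr))
    return found


def leaked(raw_message, my_addresses):
    """Headers that expose one of the addresses you are trying to hide."""
    mine = {ipaddress.ip_address(a) for a in my_addresses}
    return [(h, str(a)) for h, a in header_ips(raw_message) if a in mine]


# Constructed test message (example domains, documentation-range addresses),
# as it might look when sent from the webmail account without Tor.
DIRECT = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by inbox.example.org; Thu, 28 Dec 2006 10:21:05 +0100
Received: from [203.0.113.7] by web.example.net via HTTP;
    Thu, 28 Dec 2006 10:21:02 +0100
X-Originating-IP: [203.0.113.7]
From: test@example.net
Subject: header test

body
"""
# The same message as it might look when sent through Tor: the service
# records a (constructed) exit address instead of yours.
VIA_TOR = DIRECT.replace("203.0.113.7", "198.51.100.23")
```

Call `leaked()` on the raw source of the received test message with your real address; an empty list means none of the inspected headers carried it.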