Introduction[edit]

An anonymous remailer is: ^[1]:

... a server that receives messages with embedded instructions on where to send them next, and that forwards them without revealing where they originally came from. There are Cypherpunk anonymous remailers ^[archive], Mixmaster anonymous remailers ^[archive], and nym servers ^[archive], among others, which differ in how they work, in the policies they adopt, and in the type of attack on anonymity of e-mail they can (or are intended to) resist.

In Whonix-Workstation ™, remailers can be used over Tor. The goal is access to a cheap tool that can send messages without registration, rather than offering more anonymity for (web) messages than Tor can provide.

In theory, remailers are high latency networks that should provide more security than using low latency networks like Tor in isolation; see Anonymity Network for further details. However, the unfortunate reality is there are no known high latency networks which meet the following criteria at the time of writing (2019):

Development: active development is indicated by regular:
- developer commits addressing bugs, maintenance and design improvements
- press releases and blog posts
- forum/mailing list activity
Infrastructure: users have reliable access to multiple servers.
User Base: a significant population regularly utilizes remailers for (pseudo)-anonymous messages.

In practice, the dearth of users and servers means it is safest to assume that remailers provide little to no additional anonymity. Whonix developers would welcome a rebirth of high latency networks and an active, sizable user/developer community, but this is an unlikely outcome in the near-medium term.

Remailer Tips[edit]

Table: Remailer Recommendations

Domain	Recommendation
Message Encryption	Dependent on your requirements, it is suggested to encrypt the content of the mail/message, otherwise the last (or only) remailer and the recipient's mail provider can read it. It is safer to use a subject line that does not provide any hints about the contents -- therefore an empty or random subject is recommended.
Remailer Chain	Due to the small existing remailer ecosystem, it is recommended to only use one remailer at a time and not a chain of them. This will ensure the message/mail is delivered quickly and more reliably. ^[2]
Remailer Software/Interface	It is safest to install and use remailer software directly inside Whonix-Workstation ™ over Tor. The alternative is to utilize a Third Party Web Interface (see further below). For security reasons this is recommended against, since the website owner can monitor various metadata, conduct keystroke fingerprinting and inspect 'cleartext' (unencrypted content) communications.
Remailer Test	Do not test the remailer by sending a remailed mail/message to yourself.

Remailer Attacks[edit]

If remailers are not careful, various attacks are possible when attempts are made to send mail/messages.

Table: Remailer Threats ^[3]

Threat	Description
Adversary Threat Model	Adversaries can record the contents of all unencrypted messages into and out of remailers, as well as time metadata related to arrival and departure. Adversaries can send an unlimited number of messages through emails, and also try to prevent messages arriving at their destintation.
Man-in-the-Middle Attack	It is possible for adversaries to intercept the very first message to a correspondent, and substitute a genuine public key with a fake one. If undetected, the respondent will write a 'confidential' message using the fake public key for encryption, which when intercepted can be read by the adversary using the private key they created. ^[4]
Reordering	Messages can be traced through chains of remailers with encryption if the incoming messages are processed and forwarded directly. Delaying messages for a period of time does not fully address this problem, since remailers generally have little traffic ^[5] to disguise the messages. 'Reordering' tries to address this threat by keeping some messages in the remailer at all times ('message pool') and then randomly sending out one of the messages in the pool. However, this is susceptible to spam attacks. This threat is mitigated by sending out all messages periodically and at random intervals.
Replay Attack	If remailer settings do not refuse to send a message more than once, ^[6] then adversaries can follow a message to the final destination or trace the original sender. ^[7]
Size and Distinguishability	Messages can be tracked by their size, even though default messages decrease in size by a fraction at each hop due to the removal of padding. Very large messages will stand out to adversaries and can be pinpointed for attacks. Mitigating this threat requires each mail/message to be exactly the same size.
Trivial Attacks	A number of attacks are possible when a message is sent unencrypted, or when the message is encrypted but the remailer is compromised (since the operator knows both originating and final addresses).

Mixmaster: Tor Remailer[edit]

This option is now deprecated. Mixmaster is dead upstream and has been permanently removed from Debian ^[archive].

Mixmaster remailers do several things: ^[3]

They send a message to another e-mail address or post it to a news group.

They accept encrypted messages with instructions for processing hidden inside the encrypted envelope.

They strip all mail headers.

They add new headers such as subject lines.

They remove some information from the end of the message.

They encrypt part of a message using a key specified in the message.

Interested readers are still free to peruse the Mixmaster documentation. Historical tests with this software were successful -- when utilizing one remailer, mail/messages took between 10-120 minutes before arriving in the recipient's inbox.

Third Party Web Interface[edit]

As noted earlier, Tor Browser can be paired with a third party web interface. However, this configuration is less secure and should be used with care because the server administrator is capable of snooping on cleartext as it is typed or pasted.

Mixmaster[edit]

German Privacy Foundation (awxcnx) email
German Privacy Foundation (awxcnx) usenet ^[archive]
Webmixmaster paranoici (clearnet SSL) ^[archive]
W3- Anonymous Remailer (clearnet) ^[archive]

Note: The Cotse.net clearnet SSL ^[archive] mixmaster public usenet interface has been taken offline due to repeated abuse by botnets. It is now only possible to pay for a subscription to the service.

Unknown[edit]

Cypherpunk Remailer[edit]

Note: Readers are welcome to correct any inaccuracies in this section.

The Wikipedia Cypherpunk anonymous remailer ^[archive] article and list of Cypherpunk remailer services ^[archive] suggests these services utilize Mixmaster. Online, associated help files ^[8] also explain that it is safer to use Mixmaster, since Cypherpunk remailers just provide an email based interface.

Since the full list of type I and type II remailer servers ^[9] reveals that most type I (Cypherpunk) are also type II (Mixmaster) servers, it does not appear necessary to learn and document how Cypherpunk remailers work. In fact, it does not appear to be an actual alternative, since Cypherpunk remailers cannot be used if Mixmaster is non-functional for some reason. This option would also defeat the purpose of this wiki entry (sending mail without registration), since it still requires a mail provider.

Footnotes / References[edit]

↑ https://en.wikipedia.org/wiki/Anonymous_remailer ^[archive]
↑ Those who believe remailer chains will improve anonymity are free to disregard this advice and create a path length of their choosing.
↑ ^3.0 ^3.1 https://mason.gmu.edu/~afinn/html/tele/components/anonymous_remailers.htm ^[archive]
↑ This can be averted by exchanging public keys in person and on disk, downloading public keys over a secure website, or using a digital signature certificate from a qualified company.
↑ Or experience network outages.
↑ By including a random ID number for each hop.
↑ Tracing a message forward requires an adversary to capture the message and then send many copies to the first remailer. When multiple, identical messages emerge from the remailer and move to the next hop, the 'bump' in remailer traffic reveals the route it took.
↑ Broken link: http://www.cypherpunks.to/remailers/help.txt ^[archive]
↑ https://remailer.paranoici.org/rlist2.html ^[archive]

Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.

Jobs in USA

Follow:

Donate:

Share: Twitter | Facebook

Check out the Whonix News Blog ^[archive].

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee ^[archive] of the Open Invention Network ^[archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian ^[archive]. Debian is a registered trademark ^[archive] owned by Software in the Public Interest, Inc ^[archive].

Whonix ™ is produced independently from the Tor® ^[archive] anonymity software and carries no guarantee from The Tor Project ^[archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.

[1] ttps://en.wikipedia.org/wiki/Anonymous_remailer ^[archive]

[2] Those who believe remailer chains will improve anonymity are free to disregard this advice and create a path length of their choosing.

[mixmaster_remailers-3] 3.0 ^3.1 https://mason.gmu.edu/~afinn/html/tele/components/anonymous_remailers.htm ^[archive]

[4] This can be averted by exchanging public keys in person and on disk, downloading public keys over a secure website, or using a digital signature certificate from a qualified company.

[5] Or experience network outages.

[6] By including a random ID number for each hop.

[7] Tracing a message forward requires an adversary to capture the message and then send many copies to the first remailer. When multiple, identical messages emerge from the remailer and move to the next hop, the 'bump' in remailer traffic reveals the route it took.

[8] Broken link: http://www.cypherpunks.to/remailers/help.txt ^[archive]

[9] ttps://remailer.paranoici.org/rlist2.html ^[archive]

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

Remailers: Send Emails without Registration

From Whonix

Contents