Hacker 10 – Security Hacker

Tag: anonymous email

  • OnionMail an anonymous mail server running on Tor

    OnionMail an anonymous mail server running on Tor

    OnionMail is an open source mail server developed by hacktivists fighting mass surveillance, it runs on the Tor network and is able to communicate with the Internet as well as Tor hidden nodes.

    Running an OnionMail server and joining the federated network is open to everybody, connections in between servers are always encrypted with SSL, transition servers do not store any data, only in the final destination OnionMail server saves messages and it automatically erases them after reading or if they have not been picked up by the user in a period of days, using the wipe command (Linux) to make forensic recovery impossible.

    An OnionMail email inbox is encrypted with RSA/AES asymmetric encryption keys and user passwords, data is then hashed and scattered around multiple OnionMail servers in the network, if a server is seized no meaningful information or metadata can be obtained. Another security feature is the ability to remotely nuke a server’s digital certificate, this is useful if an administrator loses physical access to the server, OnionMail checks the legitimacy of digital certificates in the network and servers not using a valid one will be disconnected.

    OnionMail anonymous Tor email
    OnionMail anonymous Tor email

    In Tor you don’t have to worry about revealing your computer IP but a local email system clock can give away your approximate geographical location, to stop this, OnionMail spoofs your time zone, it will also spoof the PGP version you are using, helpful in case a vulnerability is discovered in a specific PGP release, an attacker would be unable to find out who is using it without testing everybody.

    For internal email communications inside the Tor network you are assigned a cryptic .onion address, this is automatically transformed into a a clearnet comprehensible address using the Virtual Mail Address Translation protocol to append the .com/.net/.info of your Tor exit node so that people on Yahoo or Gmail can reach you.

    For example, if you are using the onionmail.info exit node, your .onion email address will be transformed into test.serveraddress.onion@onionmail.info when you send an email message to the Internet. Spam is eliminated using custom blacklists that mail server operators can tweak.

    You can find a few Tor email providers but they are not chained and their addresses can’t be used to contact people outside Tor. OnionMail stands out from the crowd uniting all email servers in a single network and allowing users to send and receive email to the Internet from within Tor.

    More than a dozen OnionMail servers are listed in the homepage, to open an account you only need to select one of them with Tor installed in your computer, or download a python script that can be used in Tails to configure your email client. Windows users can download a beta version of OnionMail and the more technical advanced people can install OnionMail in a rooted Android device with Orbot, a free proxy app that runs Tor, the K9 Mail client, and APG, a PGP key manager.

    OnionMail anonymous email
    OnionMail anonymous email

    OnionMail does not hide that it has been specifically developed to stop the NSA and similar espionage agencies from following you. The developers know what they are up against and they make sure that their zero knowledge design will withstand rogue operators and mail server seizure, which leaves only a trojan horse or spear phishing attack as the only way to get into your email account.

    A very well designed, thought out email system with good documentation and help screenshots that has all a security paranoid person can wish for, anonymity, encryption, free and running on Tor.

    Visit OnionMail homepage

  • Email providers connection logs table

    Email providers connection logs table

    Last week I emailed 14 different email providers and identifying myself as a blogger I asked them about their connection logs retention policy, here are the answers:

    Would it be possible for you to let me know for how long does your email service keep customer connection logs? (By connection logs I mean timestamp logs that contain computer IPs used to connect to the account) 

    Email provider Connection logs retention
    Countermail.com We keep a traffic log for 24h, the incoming external server IP-addresses are stored in this log, but the countermail users IP-addresses are never stored in this log
    Protonmail.ch The answer to your questions is fairly simple: we do not have connection logs where ip’s are matched with accounts and tracked
    Inbox.com We are sorry but we can not share this info with you because it is not considered a public information
    Hushmail.com They told me to read their privacy policy, I did and it says that Hushmail keeps connection logs for 18 months
    AnonymousSpeech.com For trial user we keep a connection log for 5 days. After this 5 days we delete them. For paid memberships we do not keep ANY log information
    Mailbox.org The specific logs you asked about are deleted after 7 days
    NeoMailbox.com Updated: It took them ONE MONTH to reply. “We keep email logs for 7 days after which they are securely wiped.”
    Cotse.net Did not reply
    MyKolab.com Unfortunately, I am not in the position to give you a concrete time frame for this. For example, deleted mails are not purged from our storage immediately but at regular intervals, usually every day at night time when there are less users on the systems. In addition to that, we keep backups for disaster recovery, but we only keep them for a limited amount of time and not forever
    Unseen.is We keep email server access logs for seven days. This is only to prevent abuse and spamming using our system
    OpenMailbox.org We keep logs 1 year to comply to local laws
    Posteo.de

    We only save IP addresses when an account is accessed using an external email client and in the process of sending or receiving emails. When an account is accessed via the webmail interface we generally do not save IP addresses.

    This data is automatically deleted after seven days. The data is only used to diagnose problems and can not be requested by authorities. Only in response to a judicial ruling in the case of a serious crime can this data be accessed.
    CryptoHeaven.org The logs are kept for anywhere from 8 to 48 hours, and that is only on the web server and not the mail system
    Fastmail.fm We normally keep logs of email and server activity for up to 6 months. This is for the purposes of diagnosing and fixing problems, which are often reported to us weeks or months after they occur. Backups and logs may be kept longer in special circumstances. For example, if a problem is taking a long time to resolve, logs relevant to that investigation may be retained. Or if a server that contains backups or logs is temporarily offline because of a fault, then those backups or logs may not be deleted until the server is brought back up. These situations are unusual, however, and when they do occur, they are temporary
  • Bitmail, encrypted friend to friend email without central server

    Bitmail, encrypted friend to friend email without central server

    Bitmail is a decentralized open source email gateway that stores email messages encrypted offline and includes a secure IRC gateway for real time online chat. You can connect to the developer’s IRC channel from within the client.

    Email communications are secured with libgcrypt, a GPG cryptographic library, and AES over SSL. There is no need to install the client, it can be run as portable. As soon as you launch it you will be asked to enter a password with a minimum of 16 characters, this will be used to create your private encryption keys. Make sure not to forget it like me, because you will be locked out of Bitmail the next time you launch it, with all tabs greyed out.

    The same email client allows you to operate an IMAP capable BitMail server to relay messages to other people, running a server requires lots of configuration and it is not easy. Bitmail interface is well structured and tabbed but you will have to be familiar with encryption terms, there are lots of things that can be customized, like encryption algorithm, itiretation count, RSA key size and even salt length. This is not an email client for beginners.

    Secure P2P email client Bitmail
    Secure P2P email client Bitmail

    You will need to manually add the encryption keys from the people you would like to communicate with in the address book, encryption keys will have to be exchanged via different channel, like messenger. Once you have the participants encryption keys and your IP has been added to the list of allowed senders in the Bitmail server, anyone in the group is able to securely exchange messages.

    Bitmail darknet approach where there is no central authority that can be compromised and only those who know someone in the group are allowed to join in is the right approach against NSA state surveillance but I did not like that there was no anonymity in the network.

    Your computer IP could be traced if anybody in the darknet is eavesdropped with something as simple as a trojan horse. P2P email services should have built in mechanisms to stop the compromise of a single user from spreading to the other people in the network and Bitmail does not accomplish this.

    I liked that Bitmail is open source but due to the complicated set up and lack of anonymity I don’t think it is something I will be using. If you only need privacy, it might fulfil your needs, specially for intranet communications.

    Visit Bitmail homepage

  • Lelantos, a secure, anonymous email provider through Tor

    Lelantos, a secure, anonymous email provider through Tor

    Lelantos is a privacy email provider only accessible through Tor but able to communicate and receive messages from any Internet wide email services like Gmail or Yahoo. The owners, a small unidentied group of people, claim that all data in the server is encrypted, with data back ups located in different countries.

    When you open a Lelantos email account you will initially get a @lelantos.org address, currently that domain name is registered to someone called Ryan Harris living in Canada and the DNS servers are set to Domains4Bitcoins, the little information one can gather from that is that Lelantos is paying the domain registration with Bitcoins, registration details in Canada might be fake or might not.

    To stop other people from knowing that you are using a Tor email service Lelantos gives you a choice of multiple private clean domain names that are not listed anywhere and not linked to the Tor network. Lelantos obviously doesn’t have access to your computer IP since the only way for you to read and send messages is using Tor.

    Anonymous Tor email provider Lelantos
    Anonymous Tor email provider Lelantos

    Lelantos webmail has two interfaces, a SquirrelMail layout that does not need Javascript enabled to login and a RoundCube interface that needs Javascript. I have used both interfaces and there isn’t too much difference in between them, RoundCube, looks more modern and has drag and drop but the main functions work the same. If you are serious about privacy go for the SquirrelMail interface with no Javascript.

    Another way to protect yourself against browser exploits is by using Lelando’s IMAP and SMTP .onion servers with TLS, for this you have to set up your email program with a socks proxy and run Tor in your computer. Unfortunately few email programs support socks proxies, I suggest the free open source Thunderbird email client from the Mozilla Foundation.

    Lelando’s terms and conditions forbid using their email service to transmit child pornography, spam or sending violent threats, if you breach their Acceptable Use Policy your account could be terminated.

    This is not a free email provider, you have to pay some Bitcoins to fund service maintenance, I think that it is not unreasonable since they also provide support, with a public PGP encryption key available to communicate with Lelantos staff. For extra security is best to anonymize your bitcoins with a laundering service like Bitlaundry, but, as long as bitcoin payments can not be linked to an specific email account it should be fine.

    Lelantos Tor address: http://lelantoss7bcnwbv.onion