Better E-Mail Anonymity


by a295225(at)hotmail, 25 June 1999
Courtesy of Reverser's pages of reverse engineering


Abstract:
==========
This essay adds to the basic knowledge gained from +Reverser's introduction on his Anonymity pages. The basics of SMTP and telnet will be used to explain how to enhance anonymity. My experiences with alias creation will be referred to occasionally.

Introduction
=============
I will assume in this essay that most of what is contained in +Reverser's own pages has been learned and applied (you have several aliases, and several email accounts, not in your name). This essay will add to that knowledge to create a very powerful tool for the sending of ***very*** hard to trace email.

The first difficult task is finding a UNIX shell account. This may be done in two ways. One I know, the other I don't. The way I know involves doing a search on the internet for "+free+UNIX+shell+accounts". The kind you really, really want have telnet access right away, without any verification process. The other way is to steal it somehow, such as hacking the account of someone else (I've tried, and I haven't been able to do this). Your goal should be to get as many accounts as you can, even multiple accounts with the same provider. Once you have your accounts, pick one, and log in with telnet.

telnet
======
Telnet is probably one of the most important tools an internet junkie can have. Nearly every internet service devised can be accessed with telnet and a knowledge of the protocol. I will only talk about its uses in the current context of email and SMTP hosts. The protocol we are interested in is on TCP port 25. It is called SMTP, or Simple Mail Transfer Protocol. This is a text based protocol, and very simple to learn. A sample of the commands and steps required to send mail is presented below and is fully commented:

localhost$ telnet remote.host.net 25      /* open an SMTP connection to remote.host.net

Next, the connection banner will appear. It will describe the host, give some other information, and let the connecting process know what the exact protocol is. SMTP is good and ESMTP is not so good (more later).

Once connected send the following:
helo any.server.com            /* let the SMTP host know who is calling

The host replies with something like:

Hello any.server.com, Pleased to meet you.  /* the SMTP host thinks that is you

Then you send:

mail from: any.name@any.org     /* this is the fake name

The host says:

250 sender ok <any.name@any.org>...   /* this means you're ok to go

Then you send:

rcpt to: intended.recipient@intended.target.org  /* who you want it to go to

The host says:
250 recipient ok <intended.recipient@intended.target.org>...   /* this means it's ok to go

Then you send:
data                            /* let the host know this is the message part of the message
Subject: Gotta have a subject   /* put a subject in
then you type away              /* now type your message
.                               /* when you are done, put a . on a line all by itself

The host responds with:
250 ok, message sent
You did it: you have just sent an anonymous faked email.

TCP Port 25 Protocols
========================
In my not-so-extensive experience, there are two main protocols alive on port 25. These are SMTP and ESMTP. When using email manually for anonymity purposes, as we are, the best protocol to find is SMTP. ESMTP has the ability to actually track where you are coming from, and SMTP does not. ESMTP may even be able to verify the "mail from:" address in some cases. Also, many ESMTP hosts do not relay. SMTP works best for our purposes.

Finding an SMTP host is simple, but time consuming. Search, search and search. Try out domains from other email messages you have seen, try out random sites, try out sites you have done other stuff at.

Putting it All Together
==========================
Now to put this all together, in conjunction with +Reverser's own discussion on email anonymity. Log in to your first telnet account, then telnet into the next from that, and so on, until you have no more accounts left to telnet into. Then telnet into smtp.host.com port 25 (as in +Reverser's web page), and send your anonymous message using the given guidelines to remailer@replay.com, and using the SMTP protocol. Admittedly, this is quite paranoid, so you can tame it down to any extent you desire.

The benefits of this approach are that the IP addresses are nearly impossible to track, and that none of the traceable telnet accounts are in your own name. You also have complete control over the message.

The drawbacks are the time spent connecting, and that you still need to connect to the internet somehow, which may eventually result in an IP address being tracked to your computer.

Script Dump
============
Below is a script dump of a session I just had. My IP address according to Winsock is 207.195.xxx.xxx; note the IP address reported by ESMTP Sendmail. Also note that for security my own IP, user name and sending address have been altered in some way, while the integrity of the rest of the information may be deemed intact. Comments are denoted by /*
Script started on Wed Jun 23 20:51:45 1999
<xxxxx@yyyyyyyy> [~] $ telnet mail.compuserve.com 25
Trying 149.174.217.152...
Connected to mail.compuserve.com.
Escape character is '^]'.
220 hpamraaa.compuserve.com ESMTP Sendmail 8.8.8/8.8.8/HP-REL-1.0; Wed, 23 Jun 1999 21:54:30 -0400 (EDT)
helo check.com
250 hpamraaa.compuserve.com Hello [205.198.xxx.xxx], pleased to meet you   /* note ip address
mail from: tester@test.org                /* just make up a name
250 tester@test.org... Sender ok
rcpt to: remailer@replay.com              /* but specify the anon remailer
250 remailer@replay.com... Recipient ok
data                                      /* start message
354 Enter mail, end with "." on a line by itself
subject: Anonymous Mail                   /* even though this is part of the body
::                                        /* of the message, we are still giving commands
Anon-To: a295225@hotmail.com              /* to the SMTP server

This is the anonymous message
.                                         /* signal end of message to SMTP server
250 VAA17655 Message accepted for delivery
quit                                      /* We're done
221 hpamraaa.compuserve.com closing connection
Connection closed by foreign host.
<xxxxx@yyyyyyyy> [~] $ exit

Script done on Wed Jun 23 21:00:54 1999
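Read from the relay's side, the walkthrough and the script dump above leave a record: the relay's own 250 reply to HELO echoes the address of the TCP peer, while the HELO name and the envelope sender are simply whatever the client typed. The Python below is an added example (not from this essay or +Reverser's pages) that parses such a transcript and separates what the relay recorded from what the client claimed; the session it parses is constructed, with placeholder relay name, peer address and mailboxes.

```python
import re
# Constructed SMTP session, modelled on the script dump on this page; the relay
# name, peer address and mailbox names are placeholders, not real values.
SAMPLE_SESSION = """\
220 relay.example.net ESMTP Sendmail 8.8.8; Wed, 23 Jun 1999 21:54:30 -0400 (EDT)
helo check.com
250 relay.example.net Hello [203.0.113.45], pleased to meet you
mail from: tester@test.org
250 tester@test.org... Sender ok
rcpt to: recipient@example.org
250 recipient@example.org... Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject: Anonymous Mail

This is the anonymous message
.
250 VAA17655 Message accepted for delivery
"""
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_session(text):
    """Separate what the relay recorded itself from what the client merely claimed."""
    facts = {"esmtp": False, "peer_ip": None, "helo": None,
             "mail_from": None, "rcpt_to": [], "queue_id": None}
    in_data = False
    for line in text.splitlines():
        if in_data:                           # message body: headers here are unverified text
            in_data = line.strip() != "."     # a lone "." ends the DATA section
            continue
        if line.startswith("220 "):
            facts["esmtp"] = "ESMTP" in line  # the banner tells you which flavour answered
        elif re.match(r"(?i)(helo|ehlo)\s", line):
            facts["helo"] = line.split(None, 1)[1].strip()   # client-supplied, unverified
        elif line.startswith("250 ") and " Hello " in line:
            m = IP_IN_BRACKETS.search(line)   # peer address as seen by the relay itself
            facts["peer_ip"] = m.group(1) if m else None
        elif re.match(r"(?i)mail from:", line):
            facts["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif re.match(r"(?i)rcpt to:", line):
            facts["rcpt_to"].append(line.split(":", 1)[1].strip().strip("<>"))
        elif line.startswith("354 "):
            in_data = True
        elif line.startswith("250 ") and "accepted for delivery" in line:
            facts["queue_id"] = line.split()[1]   # queue id: the key into the relay's own logs
    # A HELO name that is not the envelope sender's domain is the first thing an abuse desk flags
    sender_domain = (facts["mail_from"] or "").rpartition("@")[2]
    facts["helo_mismatch"] = bool(facts["helo"] and sender_domain) and facts["helo"].lower() != sender_domain.lower()
    return facts
```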
References
===========
noanon.htm and anonema.htm: +Reverser's Anonymity Pages
Phrack issue 41, article 4 (www.phrack.com)

email: a295225(at)hotmail(dot)com

One last note: you may be able to find a telnet proxy which will protect your originating IP address even further; admittedly, I have been unable to locate such a beast.

