This is the fifth in a series of articles on reading internet message headers. If you haven’t already done so, please read the previous articles: Reading Internet Message Headers, Where’d That Email Come From?, So It Came From a Mailing List — Where Did It Come From Before That?, and Tracking the Trolls: Usenet Headers.
Anonymous remailers are systems that permit users to send, and sometimes to receive, email while hiding the user’s identity. Some of the anonymous remailers also offer mail-to-news gateways, so that their users can make truly anonymous posts to usenet. The administrators of such systems either do not keep access logs, or deliberately configure their systems so as to make it difficult to determine the identity of the user sending the email or newsgroup messages. Anonymous remailers do have legitimate uses, such as providing a safe way for victims of abuse to participate in support forums without revealing their identity. Unfortunately, they have far more less-legitimate uses, and from what I’ve seen 99% of the use of these services is for illegal or abusive activity. The headers of almost any message posted through an anonymous remailer will give you instructions on who to contact regarding abuse of the service.
While you can use the same techniques I’ve outlined in previous articles to read the headers of anonymous email and usenet messages, it won’t do you much good — you’ll just learn what service was used to send the message, and who to contact regarding abuse of the service. The messages can be traced in some cases — but it usually takes serious law enforcement involvement to do it. It has been done, but I’m only aware of that happening in cases that are of particular interest to government or big industry parties.
On the plus side, most anonymous gateways are set up so that only one message at a time may be sent through them, which means that they are extremely impractical for use by spammers. On the minus side, people who want to send harassing messages absolutely love these services. I have found that most server administrators will block your address so that you will not receive messages from their server if you request it — but there are a lot of anonymous servers out there, you have to find each of them and make the requests one by one, and new servers pop up every day.
If you’re having a problem with messages sent through anonymous servers, I suggest that you do contact law enforcement if the messages are overtly threatening. Otherwise, contact the server’s administrator and have her block your address from her system. You can also use various filtering tools, like procmail or SpamCop, to keep all unwanted messages from reaching you.
If you want to learn more about anonymous remailers and how they work — from someone far more positive about them than I am — try Andre Bacard’s Anonymous Remailer FAQ.
For the curious, here’s an example of a message posted to usenet through one anonymous service:
Path: typhoon.southeast.rr.com!cyclone.southeast.rr.com!newsfeed2.skycache.com!newsfeed.skycache.com!Cidera!skynet.be!newsfeeds.belnet.be!news.belnet.be!nmaster.kpnqwest.net!newsfeed.Austria.EU.net!anon.lcs.mit.edu!nym.alias.net!mail2news
Date: Tue, 28 Nov 2000 22:45:43 -0600
From: No User <firstname.lastname@example.org>
Comments: This message did not originate from the Sender address above. It was remailed automatically by anonymizing remailer software. Please report problems or inappropriate use to the remailer administrator at <email@example.com>.
Subject: Re: Atlanta police
References: 3a236b2a.91029379@news
Newsgroups: alt.fandom.cons
X-No-Archive: No
Message-ID: <firstname.lastname@example.org>
Mail-To-News-Contact: email@example.com
Organization: firstname.lastname@example.org
Lines: 7
Xref: cyclone.southeast.rr.com alt.fandom.cons:10311
And the following is an example of a message sent to one of my email addresses via another anonymous remailer:
Return-Path: <email@example.com>
Delivered-To: firstname.lastname@example.org
Received: (qmail 11992 invoked from network); 1 Dec 2000 21:31:56 -0000
Received: from unknown (HELO remailer.privacy.at) (184.108.40.206) by zeus.larp.com with SMTP; 1 Dec 2000 21:31:56 -0000
Received: (from mixmaster@localhost) by remailer.privacy.at (8.8.8/8.8.8) id WAA06020; Fri, 1 Dec 2000 22:40:02 +0100
Date: Fri, 1 Dec 2000 22:40:02 +0100
From: Anonymous <email@example.com>
Comments: This message did not originate from the Sender address above. It was remailed automatically by anonymizing remailer software. Please report problems or inappropriate use to the remailer administrator at <firstname.lastname@example.org>.
To: email@example.com
Subject: Re: Spam targeted to people who post here?
Message-ID: <firstname.lastname@example.org>
While I can’t tell from those headers who sent the original message, they do tell me to report problems to email@example.com. When I wrote to that address, I received a message explaining how to have my address blocked from receiving further messages from this remailer (which I did, for my addresses and those of the rest of the family). That is, in fact, what I do every time I find out about any remailer I haven’t seen before, as a preemptive strike due to past problems.
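As an added example (not code from the original article), here is a small Python header inspector that reads a raw header block the way this article does: it spots the remailer disclaimer that marks the From address as untrustworthy, pulls out the abuse contact, lists the relaying hosts from the Received chain (oldest hop first), and for a usenet post reads the mail-to-news gateway off the Path line. The sample headers are constructed, with placeholder hosts and addresses.

```python
import re
from email.parser import HeaderParser

# Constructed samples modelled on the remailer headers quoted in this article;
# hosts and addresses are placeholders, not real contacts.
SAMPLE_EMAIL = """\
Received: from unknown (HELO remailer.example.net) (192.0.2.10)
  by mx.example.org with SMTP; 1 Dec 2000 21:31:56 -0000
Received: (from mixmaster@localhost)
  by remailer.example.net (8.8.8/8.8.8) id WAA06020; Fri, 1 Dec 2000 22:40:02 +0100
From: Anonymous <anon@remailer.example.net>
Comments: This message did not originate from the Sender address above.
  It was remailed automatically by anonymizing remailer software. Please
  report problems or inappropriate use to the remailer administrator at
  <abuse@remailer.example.net>.
"""
SAMPLE_NEWS = """\
Path: news.example.com!feed.example.net!anon.example.edu!nym.example.net!mail2news
From: No User <nobody@nym.example.net>
Comments: This message did not originate from the Sender address above.
Mail-To-News-Contact: abuse@nym.example.net
"""

def unfold(value):
    # Collapse folded continuation lines into one line of header text
    return re.sub(r"\s+", " ", value or "").strip()

def inspect_headers(raw):
    """Read a raw header block the way this article does: was the message
    remailed, whom to report abuse to, which hosts relayed it, and (for a
    usenet post) which mail-to-news gateway injected it."""
    msg = HeaderParser().parsestr(raw)
    comments = unfold(msg.get("Comments"))
    contact = re.search(r"administrator at <?([^\s<>]+@[^\s<>]+?)>?\.?(?:\s|$)", comments)
    relays = [re.search(r"\bby\s+(\S+)", unfold(r)) for r in msg.get_all("Received", [])]
    path = unfold(msg.get("Path"))
    return {
        # A remailer's disclaimer means the From address is not the real sender
        "remailed": "did not originate from the sender address" in comments.lower()
                    or "Mail-To-News-Contact" in msg,
        "contact": contact.group(1) if contact else unfold(msg.get("Mail-To-News-Contact")) or None,
        "relays": [m.group(1) for m in reversed(relays) if m],  # oldest hop first
        "gateway": path.split("!")[-2:] if path else [],
    }

if __name__ == "__main__":
    print(inspect_headers(SAMPLE_EMAIL))
    print(inspect_headers(SAMPLE_NEWS))
```

For the email sample the "relays" list puts the remailer itself first, which is exactly as far back as the headers let you trace; the contact address is the one to write to for blocking.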
That’s it for our series. You should be able to figure out the origin of most messages on your own now. If you can’t figure out a particular message, however, try using SpamCop for spam or asking for help through Working to Halt Online Abuse if it’s a harassing or threatening message.
Originally published February 17, 2001