IMPORTANT: Changes affecting anon.lcs.mit.edu privacy
I'm looking into reconfiguring anon.lcs.mit.edu (a.k.a. nym.alias.net)
in ways that will improve performance and reliability. This could
involve several changes (either temporary during testing, or even
permanent) that might affect the privacy of users. I hope these
changes won't affect people who use anon.lcs.mit.edu and nym.alias.net
according to the instructions, but given the sensitive nature of
anonymous services, I want to alert people of these changes to avoid
any surprises.
* 'Received:' headers may suddenly appear. Currently,
anon.lcs.mit.edu does not add 'Received:' headers to any mail it
relays or delivers to nym.alias.net aliases. Since the anonymous
remailers [email protected] and config/[email protected]
already strip header information upon receiving messages, this
shouldn't really affect people unless they are telnetting to the
SMTP port and forging E-mail. Such forgeries are not condoned by
the administrators, anyway, and have actually not been much of a
problem.
If, however, you were somehow relying on anon.lcs.mit.edu's
sendmail for "light" anonymity, you should start using real
remailers before it's too late. Though I don't really mind
suppressing Received: headers, this looks somewhat difficult to do
with MTA's other than sendmail, so if sendmail gets junked, we may
end up with something that adds Received headers.
* SMTP destination statistics may be kept. Recent versions of
sendmail (and other MTA's) can keep statistics on delivery to
remote machines, to prevent blocking multiple times when sending
mail to unavailable remote hosts. The information kept appears to
be the name of each remote machine to which mail has been sent, and
the last time at which an attempt to send mail to that host was
made. Such information would not be backed up, and could
potentially be purged daily.
I understand this may cause concern. I welcome any feedback or
suggestions on how to deal with this, either in sendmail or also
qmail (which I'm thinking of switching to). The worst case
scenario seems to be the case where anon is seized or stolen and
someone discovers that your machine received a piece of mail from
it. No information will be available about whether or not you ever
sent mail to anon.lcs.mit.edu. This seems acceptable because if
someone really needed to prove you had received a piece of mail
from nym.alias.net, that person could already do so by tapping your
network and sending you a message through nym.alias.net.
Despite these changes, anon.lcs.mit.edu does not currently and will
never keep any message-by-message mail logs. Sendmail currently runs
at log level 1, which the documentation describes as logging only
"Serious system failures and potential security problems."