Anonymous Remailer Operators FAQ : Got Root

The authors of mixmaster, nymserv, multipost, reliable, rlist, PGP, premail, My Private Idaho, ghio, freedom and all other remailer, mail2news, crypto and pinger software.

Revision History

Version 0.00

First public release of this FAQ.

Version 0.31

Another pre-release.

Version 0.37

Another pre-release.

Version 0.41

Another pre-release with some errors fixed and some more content. (Wow... how descriptive)

New versions of this document will be periodically posted to the alt.privacy.anon-server newsgroup. They will also be uploaded to various anonymous ftp sites that archive such information including ftp://ftp.shinn.net/HOWTOs. (external link)

If you make a translation of this document into another language, let me know and I'll include a reference to it here.

Feedback

DOT

Distribution Policy

This FAQ is free documentation; you can redistribute it and/or modify it under the terms of the LDP license. This document is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the LDP license for more details.

Purpose of this document

Background

I've been the remailer operator for the

GILC/GMS/EPIC remailer

shinn remailer

Shinn.net mail2news gateway

We could use your suggestions and ideas on how to improve this document. Please send any questions, comments or whatnot to: admins AT mixmaster DOT shinn DOT net.

Audience for this document

This document was written to help you to setup and run a remailer, mail2news gateway and/or remailer stat "pinger". It is not a document to help you to use a remailer or mail2news gateway, although this document should be of interest to those users. It is not designed to answer questions about remailer or mail2news gateway use. If you need help on how to use anonymous remailers or mail2news gateways, then you want to read the Anonymous Remailer FAQ Part I.

Whats a remailer?

Anonymous Remailer FAQ

"A remailer is a computer service which privatizes your e-mail. A remailer is in sharp contrast to the average Internet Service Providers ISP which is terribly anti-private. In fact, ISP could equally stand for "Internet Surveillance Point". Click here to Learn About Email Privacy.
"Traditionally, a remailer allowed you to send electronic mail to a Usenet news group, or to a person, without revealing your true name or e-mail address to the recipient. Today, new web-based remailers permit you to send mail using your real name (if you wish), while protecting your email records from the snooping eyes of your Internet Service Provider.
"In the first version of this FAQ (published in 1995), all popular remailers were free-of-charge. Today, a number of services either charge user fees, or support themselves via advertisers.

Why run a remailer?

Why, to solve world hunger, of course. Duh.

Requirements for running a remailer

Minimum

an e-mail address, with the ability to "POP" the traffic down
an internet connection to and from the remailer itself that can handle the remailer traffic
a system (hardware) that can handle the traffic
- UNIX users: 486 DX 33Mhz (Yes, believe it or not, a few BIG remailers run on such humble hardware, imagine that.)
- Windows users: Pentium II, 200Mhz, 64MB RAM. (For OSes with significant GUI overhead you need more RAM and more CPU power.) Comments: This is my best guess, I would be delighted to hear from remops running remailers on Windows systems for comment. I imagine you can run a remailer on less hardware, but I wouldn't know from first hand experience. We're looking for minimum hardware requirements here, so think bare minimum without OS thrashing.
an OS that can handle the traffic
- UNIX: Linux, BSD, Solaris, Open BSD, Free BSD are all good choices. AIX, HPUX, IRIX would do well too, except that they are not nearly as well supported with good ports of tools like PGP, ripem, perl, etc. If you don't mind being a "lone ranger" with those OSes, then go for it. Otherwise, expect more problems with those OSes.
- Windows: Windows NT or Windows 2000. Windows 98, 95 or ME are all well and good, but the suffer in the reliability department, whereas NT and 2000 are signicantly more stable than 95, 98 and even ME. They also offer more security services, ACL control and other features needed to secure the system you are running your remailer on.
Examples:
Shell Account
Dial-up user with POP e-mail account

Ideal

Dedicated, static IP address for the remailer
Dedicated, high speed internet connection (DSL, T-1, Cable modem, etc.)
Dedicated box for the remailer that does NOTHING else (no users on this box!)
- UNIX: Pentium Pro 200, 128MB of RAM
  (Yes, this is overkill, Mikes last remailer was a P166 with 64MB of RAM and it did pretty well being a pinger, remailer, mail2news gateway all running on sendmail, Andy's remailer is a 486, and its running just fine - but he's using qmail, which uses less resources than sendmail. Keep in mind, this is an ideal case.)
- Windows: Pentium III, 333Mhx, 256MB of RAM
  (Yes, this too is probably overkill)
  In either case, the most important thing is that your remailer not do anything else unrelated to remailing. This system should not be your workstation, firewall, game box, etc. It should be an isolated server, with NO user accounts, except for yours (and any other admin that helps to run the remailer). It should be running no additional services or programs except the remailer, programs that support the remailer and programs that help to keep the box and OS secure and functioning properly.
UNIX based OS
An ISP/NSP that will support and defend your remailer (ie, they won't buckle and force you to shut down just because someone is complaining) See the section on running a remailer behind a nym if you are really worried about this.

Planning your remailer or mail2news gateway

Specing out the hardware

For instance, an OS with a GUI running on top of it needs more CPU power and more RAM for that GUI than an OS that can run without a GUI. Therefore, Windows OSes will need to run on faster systems with more RAM than OSes such as Linux, BSD, etc - as they do not need GUIs to run as remailers.

Recommended system: (See above, but to reiterate the point)

Pentium Pro 200, with 128MB of RAM running Linux or OpenBSD with two identical hard drives running in a Raid 0 configuration. Use qmail instead of sendmail if you can. It can not be stressed enough that the OS you use be secure, reliable and within your knowledge base. It does you no good to drop a stock Redhat Linux on the net without adequate knowledge about how to run it and lock it down. It will get owned, crash or both. IF you want to go the UNIX route, and you do not know UNIX, then build yourself FreeBSD, OpenBSD or Linux box from scratch, break it a bunch of times, try to secure it ask your evil friends to try to break into it, and learn. It will be a worthwhile experience to challenge yourself like this, and your users will thank you for the added reliability and security that comes with knowledge of the system you are running.

Specing out the OS

if you know what you are doing

For ease of use though, nothing beats Windows NT or 2000 and Reliable. Windows 95, 98 and even ME are not recommened for remailer use as they are significantly less stable than NT or 2000. But, a remailer will run just as well on 95, 98 or ME. The bottom line here is that should use the most reliable, stable and secure OS that you can sucessful manage. It might be tempting to use the latest gee wiz bang feature rich or "secure" OS, but if you don't know how to manage that system, you're headed for trouble.

Filesystem

Space requirements
- Type I
- Type II
- Nym
- mail2news gateways
  - Multipost
- "pinger" services
  - Classic
    - rlist
    - remlist
    - Pingstats
  - Experimental
    - Computer Cryptographys comparison stats pinger
Encrypted filesystems
- UNIX
  - Linux
  - FreeBSD
  - OpenBSD
- Windows

"uptime" considerations (pick your OS, hardware, and if you are dialing up, log on times carefully)

Minimum uptime
Ideal

To be Middle or not Middle

Its also useful, to end users, that there be middle remailers (in case you need any further encouragement to at least setup a middle remailer) In a nym reply block, it is good for the last remailer chain to be a middleman. This makes the message to the user's real address come from any of several remailers (middle remailers are not endpoint remailers. They always send their messages thru other remailers), and it's harder to trace. The remailer should also remix, as that way no one can trace the message from the middleman to where it comes out.

If you can run an "end-point" remailer, that is a remailer that posts and e-mail's to end users will come from, then do not set your remailer up as a "middle" remailer. The remailer network also needs non-middle man remailers. Without those non-middle man remailers, the entire network would not operate. (Its the non-middle remailers that actually send messages on to end-users and to usenet).

Should you run your remailer behind a nym?

Considerations
Types
- "Classic" nym.alias.net nym "hidden" remailers
- ZKS remailers (much be LOW volume unfortunately)
- Hush Mail
- Secure Nym
- Cotse
- Pseudo-hidden remailers
  - Free POP services
  - Bigfoot, yahoo and other redirectors
Instructions for setting up a "Classic" nym.alias.net nym "hidden" remailer
- How to setup a nym account
- How to setup a remailer behind a nym

Bandwidth considerations

"Arick receives ~31 MB each day and sends ~57 MB each day on an average traffic count of 2100 messages each day, according to daily mailstats(1) output from May. Per month, this would mean receiving ~960 MB, and sending ~1.7 GB." Austria was then processing 2 500 to 3 000 messages per day. Frog-Admin? also summarized the peak loads for frog and azerty remailers:

http://yi.org/frogadmin/PeakLoads.html

Frog's current and past loads are available in a variety of forms:

http://yi.org/frogadmin/Sta_.html http://yi.org/frogadmin/Graphs/Browse.html

Some remailers report daily loads in answer to a "remailer-stats" request. This is not necessarily completely accurate; there are bugs in Reliable. All "remailer-stats" are available from two sources: Frog and Weasel (Peter). Frog has the original, but what you see depends on your browser, its settings, and your aesthetic taste. Try these URLs:

http://yi.org/frogadmin/Thesaurus/Thesaurus.html http://www.giga.or.at/cgi-bin/weasel/trex.cgi

To see how features and reliability might affect traffic, compare the remailer volumes:

http://yi.org/frogadmin/Thesaurus/Thesaurus.gif

From Christian Mock:

"Austria is getting some 80MB/day inbound and 60 outbound, averaged over the last two months; there have been months with 120/100 MB. in numbers, this is about 3500 mails/day ATM, with peaks at above 5000. according to frog's "market share" pages, austria is one of the remailers that gets most traffic, so these are kinda maximum numbers."

Type I remailers
Type II remailers
nym remailers
mail2news gateways

Getting the software

remailing software

UNIX
- Type I remailers
  - Freedom
  - ghio
  - mixmaster
- Type II remailers
  - mixmaster
- Nym remailers
  - nymserv
Windows
- Reliable or local copy.
Web Frontends
- Freedom
  This is a modified version of the original cypherpunk web frontend. It is used by the GMS/GILC remailer.
- COTSE
- Cypherpunk

mail2news gatewaying software

UNIX
- multipost (What this server uses)
Windows

"pinger" software

Classic
- UNIX
  - rlist
  - remlist
  - Pingstats
- Windows
  - Reliable
New/Experimental
- UNIX
  - Marketshare
  - Computer Cryptology "Comparative" stats
- Windows
  - Marketshare

Setting up the software

Setting up the remailer software

UNIX
Windows
- Reliable

Setting up a mail2news gateway

UNIX
- multipost
  Setting up multipost is extremely easy.
  Installation:
  su - root mkdir /usr/mail2news mkdir /usr/mail2news/lib mkdir /usr/mail2news/tmp cp multipost /usr/mail2news
  Change the variables inside multipost to reflect your news servers, IP address and so on.
  Then, setup either your .procmailrc or .forward files to call multipost. We recommend using .procmailrc for those systems that use procmail as their local delivery agent. (Otherwise, add this to your .forward to call procmail:)
  - procmail
  - .forward
Windows
Getting access to news servers for posting purposes

Setting up a "pinger"

Configuring the software
- rlist
  - Setting up premail
    - .remailers file
    - pubring.asc
- remlist
- Pingstats

Making the service available to users

finger
- UNIX
- Windows
  - Getting a finger server and client
  - Setting it up
http
- On your own box
  As with any service, if you are going to run this on your own boxes, you need, ideally, a static IP address and DNS name resolution services. Less ideal is a dynamic DNS service that will adjust your FQDN to your current IP address. This less desirable because there will be some latency in the time your IP address changes, the time in which your DNS record changes and the time in which it takes your DNS record to age out of any users DNS.
  - Dynamic DNS services
  - UNIX
  - Windows
- Redirector services
  - List of services
  - Tools to help push your cotent to these services automagically
    - UNIX
    - Windows
regular posts to usenet
- UNIX
  - Setting up the cronjob
  - Scripts
- Windows
  - Setting up the AT job
  - Scripts

e-mail

UNIX

rlist
remlist

pingstats

		:0 h
		# Take just the headers and discard the body.
		* Subject: keh'umri- sidju
		# Match the subject. "h'" matches either "h" or "'".
		* !FROM_DAEMON
		# If it's a MAILER-DAEMON message, bypass this rule.
		# The X-Loop: criterion in the procmail recipe needs to match the address in the
		# X-Loop: header it adds.
		* !X-Loop: YOUR_ADDRESS
		  | (formail -rtb -I "Precedence: junk" \
		# Formail is a program which takes a message and prepares a reply.
    		 -I "From: " \
		     -I "Subject: pilno le cmevi'u ke'umri segau makau" \
		     -A "X-Loop: "; \
		# The message has only one subject, but it can have several X-Loop: headers.
		     cat $HOME/Mix/help-lojban.txt ) | $SENDMAIL -oi -t
		# What -oi is supposed to mean, I don't know. It isn't in the man page.

		:0 h
		* 
Subject: aide- réeexpéediteur
		* !FROM_DAEMON
		* !X-Loop: YOUR_ADDRESS
		  | (formail -rtb -I "Precedence: junk" \
		     -I "From: " \
		     -I "Subject: Comment se servir des réexpéditeurs anonymes" \
		     -A "X-Loop: "; \
		     cat $HOME/Mix/help-french.txt ) | $SENDMAIL -oi -t

		:0 h
		* Subject: get-mlist2
		* !FROM_DAEMON
		* !X-Loop: YOURADDRESS
		  | (formail -rtb -I "Precedence: junk" \
		     -I "From: " \
		     -I "Subject: Mixmaster statistics" \
		     -A "X-Loop: "; \
		     pingstats format 2 mix ) | $SENDMAIL -oi -t

		:0 h
		* Subject: get-dlist2
		# get-dlist2 must precede get-dlist because otherwise get-dlist matches first.
		* !FROM_DAEMON
		* !X-Loop: YOUR_ADDRESS
		  | (formail -rtb -I "Precedence: junk" \
		     -I "From: " \
		     -I "Subject: DH/DSS Cypherpunk statistics" \
		     -A "X-Loop: "; \
		     pingstats format 2 dss ) | $SENDMAIL -oi -t

		:0 h
		* Subject: get-rlist2
		* !FROM_DAEMON
		* !X-Loop: YOUR_ADDRESS
		  | (formail -rtb -I "Precedence: junk" \
		     -I "From: " \
		     -I "Subject: RSA Cypherpunk statistics" \
		     -A "X-Loop: "; \
		     pingstats format 2 rsa ) | $SENDMAIL -oi -t

		:0 h
		* Subject: get-mlist
		* !FROM_DAEMON
		* !X-Loop: YOUR_ADDRESS
		  | (formail -rtb -I "Precedence: junk" \
		     -I "From: " \
		     -I "Subject: Mixmaster statistics" \
		     -A "X-Loop: "; \
		     pingstats format 1 mix ) | $SENDMAIL -oi -t

		:0 h
		* Subject: get-dlist
		* !FROM_DAEMON
		* !X-Loop: YOUR_ADDRESS
		  | (formail -rtb -I "Precedence: junk" \
		     -I "From: " \
		     -I "Subject: DH/DSS Cypherpunk statistics" \
		     -A "X-Loop: "; \
		     pingstats format 1 dss ) | $SENDMAIL -oi -t

		:0 h
		* Subject: get-rlist
		* !FROM_DAEMON
		* !X-Loop: YOUR_ADDRESS
		  | (formail -rtb -I "Precedence: junk" \
		     -I "From: " \
		     -I "Subject: RSA Cypherpunk statistics" \
		     -A "X-Loop: "; \
		     pingstats format 1 rsa ) | $SENDMAIL -oi -t

		:0 h
		* Subject: get-pingstats
		* !FROM_DAEMON
		* !^X-Loop: YOUR_ADDRESS
		  | (formail -rtb -I "Precedence: junk" \
		     -I "From: " \
		     -I "Subject: Pingstats" \
		     -I "Content-Type: multipart/mixed; boundary=\"=_tersepli_cmeclax_kehumri\"" \
		# This is the header for a MIME message which I compose by hand.
		     -I "MIME-Version: 1.0" \
		     -A "X-Loop: "; \
		     cat $HOME/pingstats/pingstats.eml ) | $SENDMAIL -oi -t

Windows

ftp
- UNIX
- Windows

Configuring MTAs

Setting up obtuse smtpd to handle the load
Setting up sendmail to handle the load
Setting up postfix to handle the load
Setting up smap to handle the load
Setting up qmail to handle the load
- If you have trouble installing qmail after reading the documentation and after looking at the big picture, try reading the good book Life with qmail.
- In the .qmal of the mixmaster user (or whatever user you are running your remailer as) put the same line that mixmaster requires in the .forward.
- Adjust the concurrency level (see qmail-send man) to balance the load.
- Increase the timeout connect (see qmail-remote man) to help slow remailers (or under flood).
- If sometimes some remailer DNS don't work you can put a line in smtproutes to make a temporany work around.
Setting up ZMailer to handle the load
Setting up Microsoft Exchange to handle the load
Setting up Solaris Internet Mail to handle the load
Setting up iPlanet Mail Server to handle the load
Advanced MTA configurations and tips
- TLS-SSL
- RBLs (ORBS, RSS, RBL, etc.)
  - Tools to help
    - rblsmtpd It blocks mail from RBL-listed sites. It works with any SMTP server that can run under tcpserver. You must install the RSS patch in order to work with all the lists and not only MAPS RBL. You must also make your service avaiable from remailers blocked by some lists (ex.: ORBS for lefarris, DUL for dial-up remailers) simply with tcpserver.
  - Pros and Cons of various RBLs
    - MAPS RBL (Realtime Blackhole List) for known spammers. Normally only spam is sent through these. The domain is rbl.maps.vix.com.
    - MAPS RSS (Relay Spam Stopper) for known spam-relaying mail servers. Normally open relays begin used from spammers. The domain is relays.mail-abuse.org.
    - ORBS (Open Relay Behaviour-modification System) for known (tested) open relaying mail servers. Some of these are not used by spammers and could be used as a proxy (optionally encrypted by TLS). The domain is relays.orbs.org.
    - MAPS DUL (Dial-Up List) for IPs reserved to dial-up lines. The MAPS TSI encourage its use, but many legitimate users and some remailer will be stopped and the privacy is, in some parts, violated . The domain is dul.mail-abuse.org.

Other tools for your box

UNIX

teergrube
German for tar-pit. This is a SMTP layer replacement for your MTA in daemon mode. It slows down flooders and spammers by keeping the SMTP session open, but grinding progress on the session to a halt, essentially putting the spammer or flooder out of business and denying them their tools (their box is all locked up trying to talk to your box).
There are several teergrubes out there, but this is the only one we could find that is being actively maintained:
teergrube
(If anyone knows of any others, please inform us and we'll add it to this FAQ).
tripwire
ssh
daemontools
ucspi-tcp
chrootuid A great tool for both chrooting a process, and running it as a UID other than root. You can get chrootuid from:
ftp://ftp.shinn.net/pub/security
portsentry A tool for detecting and responding to port scans or probes on your system. Available from:
ftp://ftp.shinn.net/pub/security/psionic
hostsentry A tool for detecting and responding to intruders your system. Available from:
ftp://ftp.shinn.net/pub/security/psionic
autorpm A tool for automatically downloading, checking the PGP sigs on, and install RPMs for redhat Linux boxes.
ftp://ftp.shinn.net/pub/autorpm
cupyvei

Windows

Securing your box

Note: I'm going to pull this out and make it into its own FAQ (and link to it from the RemOp? faq) eventually, since its clearly applicable outside of the world of remailing, and this section to fill several FAQs all by itself.

How to think about security

A Process based approach
This process is based on several years of experience with both public and private sector infosec. It is a best practice document written to reduce all that has been written about this topic to what we believe is a very common sense and easy to practice process. For more information, please see The Shadow Group's website.

The Process steps

Analyze
Reduce to policies
Secure/Implement
Monitor
Test
Improve
Repeat

Analyze

Quanitifying value

Attack Tree Analysis

Reduce to policies

Secure/Implement

OS specific techniques

UNIX
- Locking the box down from remote attacks
  - Firewalling
  - shutting down unnecessary processes/services
- Locking the box down from local attacks
- ID&R
Windows
- Locking the box down from remote attacks
  - Firewalling
  - shutting down unnecessary processes/services
  - Turning off shares
- Locking the box down from local attacks
  - Protecting your box from trojans and viruses
  - Turning off unnecessary processes
- patching
- ID&R

Securing your network

ID&R
Router filters
Firewalling
- Packet based firewalls
- Application based proxies
- Hybrids

The Importance of protecting keys

Monitor

IDS&R
Log auditing
Human factors

Test

Improve

Tools to help automate the patching process

Repeat

Final Words

Did we mention the importance of applying the process above honestly, completely and regularly? Nothing you do will be more important than actually applying this process. It puts you in the right frame of mind to think about security, and it will keep you from having to pay for your mistakes in the long run.

To log or not to log

Contributors to this page: Michael Shinn .
Page last modified on Friday 11 of February, 2005 10:16:04 EST by Michael Shinn .
The content on this page is licensed under the terms of the Got Root License.

Similar

Table of contents

Specing out the hardware

Specing out the OS

Filesystem

"uptime" considerations (pick your OS, hardware, and if you are dialing up, log on times carefully)

To be Middle or not Middle

Should you run your remailer behind a nym?

Bandwidth considerations

remailing software

mail2news gatewaying software

"pinger" software

Setting up the remailer software

Setting up a mail2news gateway

Setting up a "pinger"

UNIX

Windows

How to think about security

Analyze

Reduce to policies

Secure/Implement

Monitor

Test

Improve

Repeat

Sidebar

Our Books