1
0
Fork 0
mayvaneday/blog/2022/october/email.html

125 lines
13 KiB
HTML
Executable file

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Anonymous email is still alive and well</title>
<link href="../../../style.css" rel="stylesheet" type="text/css" media="all">
<meta name="author" content="Vane Vander">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body class="mayvaneday">
<article>
<div class="box">
<h1>Anonymous email is still alive and well</h1>
<p>published: 2022-10-25</p>
</div>
<hr>
<div class="box">
<p>The nice thing about being the admin of Let's Decentralize is that, whenever I wish there was a way to do something on the Internet anonymously, I already have a mental record of which of those things I can do simply by hopping onto Tor Browser. Need to look at a public Twitter feed? <a href="http://xanthexikes7btjqlkakrxjf546rze2n4ftnqzth6qk52jdgrf6jwpqd.onion/rollcall/tor.html#nitter">Peep that shit using a Nitter instance</a>. Need to look up a weird health symptom or something potentially incriminating (like if it's spelled sodium <em>nitrite</em> with an I or <em>nitrate</em> with an A)? <a href="http://xanthexikes7btjqlkakrxjf546rze2n4ftnqzth6qk52jdgrf6jwpqd.onion/rollcall/tor.html#searx">Searx instances</a> have an awfully hard time tracking <code>127.0.0.1</code>. Publishing code for a project that enables the user to do something illegal, like <a href="https://web.archive.org/web/20221022233636/https://deemix.app/">download massive amounts of music off Deezer</a>? Codeberg and Notabug are pretty Tor-friendly, but you can do one better by <a href="https://letsdecentralize.org/rollcall/gits.md">using a hidden service</a>.</p>
<p>Unfortunately I also have a bad habit of <a href="../september/browsers.html">giving moids on the Internet the time of day</a> and falling victim to <a href="https://web.archive.org/web/20221022234415/https://lifehacker.com/what-cunninghams-law-really-tells-us-about-how-we-inter-1848733445">Cunningham's law</a>. So when I booted up <a href="https://codeberg.org/lethe/beres">Beres</a>, the worst RSS feed reader in existence (I should know; I made the damn thing), and saw that our (formerly-)favorite moid was <a href="https://archive.ph/S4Q8R">failing at technology <em>yet</em> again</a>, naturally I felt the urgent need to respond. Thankfully I managed to calm myself before sitting down to write this post. I decided to not make you slog through a misandrist rant. You're welcome!</p>
<p>The argument of the aforementioned article is twofold:</p>
<ol>
<li>Because of the increase in recent years of Internet surveillance and cancel culture, the only way to ensure you are safe online is to minimize the amount of personal information, such as IP addresses, phone numbers, and "real" (legal) names, that websites know about you.</li>
<li>Mainstream social media sites have gotten more restrictive regarding people using throwaway email accounts for signing up, so this somehow means that anonymity on the Internet is dying.</li>
</ol>
<p>I have no issues with argument one. My problem is with argument two.</p>
<p>The question the author of the aforementioned article poses is: "If I were fleeing from one of the top four or five email providers in order to have more privacy, where would I go?" I've had to set up anonymous identities in the past, so my thoughts immediately went to the <a href="https://letsdecentralize.org/rollcall/tor.html#email">list of Tor email providers</a> on Let's Decentralize. On that list are both temporary receive-only services and full-blown providers that let you both send <em>and</em> receive. Despite being hidden services on the Tor network, with one or two exceptions they're designed for email going over the clearnet. These services have worked quite well for me in the past; it's very rare that I find a website on the clearnet that won't accept one of these anonymous email addresses for signing up. Given how much the author of the aforementioned article liked to shill Let's Decentralize in the past, I was surprised to see that he came up with a quite different "solution": going to seemingly every semi-mainstream email provider that's ever slapped the word "privacy" in its marketing and trying to use them instead.</p>
<p>The author who I am refusing to name came to the conclusion that only Tutanota passed his "criteria" for "anonymity". Of course, he only ran said tests on half of the email providers he listed. (Seriously, look at that table: I thought FreeBSD was freaking out about missing fonts again from all the question marks I saw.) So, true to Cunningham's law, I have no choice but to run my own tests on the anonymous email providers <em>I've</em> been using and emit <em>much</em> better data.</p>
<p>For the table below, please note the following:</p>
<ol>
<li>The table states where an email from an "anonymous" email provider sent to a mainstream one ended up if it was delivered. Ideally every column (the vertical ones) should be green with minimal yellow and no red.</li>
<li>For the anonymous email providers tested, <strong>I only used ones that had Tor hidden services</strong> as known by <a href="https://letsdecentralize.org/rollcall/tor.html">the Let's Decentralize list of Tor hidden services</a> and were capable of both receiving emails from and sending emails to clearnet addresses. A Tor email service that can only send to other Tor hidden services is useless for the purposes of keeping one anonymous on the clearnet. <strong>Because I only ever used the hidden services for said email providers, at no point did they ever receive my IP address</strong>, meaning without analyzing the content of my emails they have no idea who I am or where I am located.</li>
<li>For Gmail and Outlook, I did not have to sign up for new accounts purely for testing because Hell College and the college I actually graduated from have their email hosted by Google (Gmail) and Microsoft (Outlook) respectively. If anything, this should mean even <em>harsher</em> spam filtering because of the added risk of organizational data leakage should a malicious email gain access to one of these school accounts. So if one of these anonymous email providers still managed to get through, you <em>know</em> it's good.</li>
<li>For Tutanota, I used the personal account I've been using since 2018. (So moids in my email inbox, <em>please</em> stop mansplaining the existence of Tutanota to me.) Same goes for cock.li and Zoho. My cock.li account is old enough that I remember when registration was open instead of invite-only.</li>
<li>ProtonMail made me give them an alternate email address for the purposes of verifying I was a human. I did this as opposed to giving them a phone number. The domains for Onion Mail and DNMX gave me a "this domain has been temporarily blocked" error. SecTor.City worked instead.</li>
<li>I could not test receiving with Yahoo because they demanded I give them a working phone number. I have done a lot of dumb shit in the past in the name of content for this website, but buying a burner phone is not going to be one of them.</li>
<li>X axis is "anonymous email provider", Y axis is "mainstream email provider".</li>
</ol>
<table>
<thead>
<th></th>
<th>Onion Mail</th>
<th>SecTor.City</th>
<th>DNMX</th>
<th>ProtonMail</th>
<th>morke.org</th>
</thead>
<tbody>
<tr>
<td>Outlook</td>
<td><font color="orange">spam</font></td>
<td><font color="orange">spam</font></td>
<td><font color="orange">spam</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="chartreuse">inbox</font></td>
</tr>
<tr>
<td>Gmail</td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="orange">spam</font></td>
</tr>
<tr>
<td>Mail.com</td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="red">no</font></td>
<td><font color="orange">spam</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="orange">spam</font></td>
</tr>
<tr>
<td>Tutanota</td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="red">no</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="chartreuse">inbox</font></td>
</tr>
<tr>
<td>cock.li</td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="red">no</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="chartreuse">inbox</font></td>
</tr>
<tr>
<td>Disroot</td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="red">no</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="chartreuse">inbox</font></td>
</tr>
<tr>
<td>Zoho</td>
<td><font color="orange">spam</font></td>
<td><font color="red">no</font></td>
<td><font color="orange">spam</font></td>
<td><font color="chartreuse">inbox</font></td>
<td><font color="orange">spam</font></td>
</tr>
</tbody>
</table>
<p>Conclusion: <strong>as far as Tor-available email providers go, ProtonMail has the highest deliverability</strong>. SecTor.City has piss-poor deliverability, but they work for the purposes of getting a ProtonMail account. <strong>If you don't want to daisychain email providers together like this, Onion Mail comes in second</strong> but also has a relatively low quota of emails you can send per day on the free plan, a fact which considerably slowed my research for this post down.</p>
<p>But anonymous email addresses are kind of useless if you don't already have someone you want to talk to. So I took my new plethora of addresses and attempted to sign up for some mainstream social media sites.</p>
<p>Reddit isn't nearly as hostile to Tor users as I had expected. They accepted my Onion Mail address without issue. However, reCAPTCHA, better known as "please click seven thousand traffic lights", kept accusing my IP of being part of a botnet. I had to restart Tor Browser no less than <em>seven</em> tims (I counted) before I got a clean IP that reCAPTCHA would let through. My problems with Reddit after that were less "ew, Tor user" and more "AutoMod is set to remove posts/downvotes from extremely new accounts"... until suddenly the "join" button on subreddits stopped working. Although maybe that was just Jett trying to keep me from purposely wading into cringe.</p>
<p>Something with Tor Browser's implementation of uBlock Origin prevented me from completing the Twitter signup, even via the <a href="https://twitter3e4tixl4xyajtrzo62zg5vztmjuricljdp2c5kshju4avyoid.onion">hidden service</a>. Smashing the F12 button on my keyboard revealed that uBlock Origin was blocking a third-party domain used to load "Arkose challenges", which Twitter uses instead of captchas. For example, one of the "Arkose challenges" shows six images of monochrome dice with symbols on them, and you have to pick the image where two of the dice have the same symbol on top. Temporarily disabling uBlock Origin allowed me to complete these, but then Twitter threw a "we can't complete your signup right now" error. So I booted up Falkon and configured it to use a random proxy from <a href="https://openproxylist.com">this free proxy list</a>. It worked for a few hours until my account was locked for "suspicious activity". I did another "Arkose challenge" to prove I was a human, but I ended up locked out of the account anyway because Twitter demanded I give them a phone number.</p>
<p>I didn't test Facebook or Instagram despite a Tor hidden service for Facebook existing because I already knew I'd get locked out of any account I made in five minutes with a demand to see my driver's license. Tumblr works fine if you can get past the billion captchas every time you want to log in. Ovarit works fine if you have an invite code, although I don't know why you'd want to join <a href="./ovarit.html"><em>that</em> cesspit given recent events</a>. I'm sure ThePinkPill will work fine once (if) registrations open up again.</p>
<p>In conclusion, the "age" of anonymous email is <em>far</em> from over. Providers who don't need to know any information about you are still alive and well. As with anything that research-allergic boomers or technological doomers think is dying, anonymous email is still out there... you just have to know where to look.</p>
</div>
<hr>
<div class="box">
<p align=right>CC BY-NC-SA 4.0 &copy; Vane Vander</p>
</div>
</article>
<script data-goatcounter="https://stats.letsdecentralize.org/count"
async src="//stats.letsdecentralize.org/count.js"></script>
<noscript>
<img src="https://stats.letsdecentralize.org/count?p=/blog/2022/october/email.html">
</noscript>
</body>
</html>