Possible attack method?? Question..

Anon Mus a_green_lantern at yahoo.com
Sat Jan 12 00:56:19 UTC 2008

  Thanks, I have some comments that may help...

Max Berger wrote:  
Am Freitag, den 11.01.2008, 09:44 -0800 schrieb Anon Mus:  
This question is for those with the knowhow.A while back I got a number of emails from the same source where the emails were sent in "pairs" a minute or less apart.The first of each of the "email pair" were large (over 700characters), the second were small (under 50 characters). On the face of it the "email pairs"  appeared to be a genuine error ("oh yes I forgot to mention" kind of thing) by the sender, so I took no notice at the time.    
Perhaps someone isn't looking for an unknown IP-address, but just wantto prove that the owner if a given IP-address is the owner of theMailbox "green lantern at yahoo".
It is not a given IP addressed account - its only accessed via tor andnot  a Yahoo account. 
 If this one is able to do a traffic analysis on this IP-address andknows the login time at the pop/imap-Server of yahoo, a well definedpattern of mail sizes could help.   

I agree - I am using POP3 + SMTP  (over SSL) to connect. And if I amon-line and thunderbird is up then it could create just enough delay tobe seen. But the mail account is in the USA, so they could see thedownload precisely and the EXIT server if they had US help. 

Of course they could watch the streams from the exit server looking forthe precise "size" pattern (and could probably calculate the sizesanyway). Then they only need to look for the traffic connected tor thetor network in the suspected country of connection origin. 


in the suspected country of origin filter traffic

 - by time band
 - by tor network node source
 - by packet size pattern

and you get a list of possible IP's who could be the suspect.

Do this a couple of times for confirmation of suspects real IP.
Lookup IP in ISP's records.
Give suspect a medal for identifying criminals (-yea sure-).
But in this case I think it's not useful for him, to send these mails insuch short intervals, because you would fetch both mails at one loginand in one stream of data...Max  

I had no idea my contact may be an intel-op posing as an activist. Sotherefore I was not concerned that I should be up against intelcommunity.

It would be interesting to hear if any other tor users have gottensimilar email patterns.

Maybe its a new intel technique against tor. More reliable than astraight forward timing attack.

Never miss a thing.   Make Yahoo your homepage.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20080111/c55b4aca/attachment.htm>

More information about the tor-talk mailing list