Thunderbird & Gmail

[Jonathan Addington]

On Tue, Oct 7, 2008 at 4:03 PM, anonym <anonym at lavabit.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/10/08 22:18, Gerardo Rodríguez wrote:
> > I´ve found the version you told me and installed it (in a th v1.5.x),
> > and as far as the headers info sent to the receiver it´s ok, it
> > doesn´t leak any thing - only the client version - so it´s impossible
> > to trace the email.
>
> All information leaks are bad, but this is probably not critical, yes.
> There could be other problems that we are not aware of, though.
>
> > Now I just need to verify that there is no registration of mi ip &
> > other info @ the smpt & pop servers;

With Wireshark you can filter by port. So if you know that the remote
port is 25 for SMTP, 110 for unencrypted POP3 (standard port anyway,
this is all in your Thunderbird settings anyway), or 465 for encrypted
POP3 (standard port) that will pretty easily bring down the amount of
packets shown. Then you can browser through the packets for whatever
you are looking for.

> I'd be surprised if you could verify this with any certainty. I highly
> recommend you to register a new account anonymously (e.g. through Tor)
> and never access it directly without Tor. Any account that you have
> accessed directly should immediately be considered as compromised (in
> terms of lost anonymity), and that's also the case with all previous
> correspondence that account has participated with. That's dangerous
> stuff. _Any_ eavesdropper could have connected your IP address to that
> account and logged that. [/paranoia mode]
>
> > you told me to sniff the packets; I´m not to involved into sniffers
> > and only used one or two times the wireshark, is there a special
> > technique to do so?
>
> It's easy with Wireshark. Turn off all network using applications except
> Tor, then:
>
> 1. start a new Wireshark capture
> 2. start Thunderbird
> 3. refresh inbox
> 4. send an email
> 5. stop the Wireshark capture
>
> Then make sure that the destinations of all packets are either
> 127.0.0.1/localhost (where you run Tor and privoxy/polipo) or Tor entry
> nodes and possibly Tor directory servers (there are services like
> http://torstatus.kgprog.com/ to look that up). In particular, make sure
> that your email account's POP/IMAP and SMTP server addresses do not appear.

With Wireshark: filter by remote IP/domain. So if you filter for
"mail.Whatever.com" and see something come in Wireshark something went
wrong (Thunderbird didn't use Tor at some step).

> I'd also recommend to look for the EHLO/HELO message in the beginning of
> the SMTP transaction (when it's sent to Tor on localhost, i.e. before
> Tor encrypts it) and make sure that the message content/payload does not
> contain your IP address/hostname. Torbutton should scrub that and put
> 0.0.0.0 there instead. Note that you'll have to use plaintext SMTP (that
> is without TLS/SSL) in order to do this easily.

To address the above, filter by ports, and then by your IP inside the
packet (either through a filter or a search, there shouldn't be too
many captured packets with such a filter.)

>So I recommend you do
> this with a disposable account that you later terminate as the login
> credentials may (that is: should be assumed to) have been compromised
> when sent in plaintext.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.9 (GNU/Linux)
>
> iEYEARECAAYFAkjrzpUACgkQp8EswdDmSVh/xgCgmSFrHZ5G64M+fMq+08MFB07q
> gJ4An17qv9UmghNjwdLuDsAltKVoc38F
> =eTcs
> -----END PGP SIGNATURE-----
>

--
madjon at gmail.com