Email

From The Hidden Wiki

This page lists a variety of real-world Email services. The tables primarily denote areas of interest and usability for the anonymous community. We aim to make it the canonical one-stop reference for choosing Email providers. (This framework and data are imported and synced with another project. Feel free to edit it.)

  • These are real-world services. Using them to harass people or break the law WILL cause them to ban anonymous networks, which hurts everyone. All it takes is one bad case. So PLEASE, use them responsibly!
  • Volunteer what you know
    - Take a moment to find a new provider, then fully test and list them.
    - Pick a listed provider, then verify that their listing details are still accurate.
  • Some selection/usage tips
    - Source IP addresses - It is usually not desirable to let the recipient learn that the mail came from Tor (or anywhere else), since some recipients or use cases may then discount the authenticity of what was sent. Recipients can look at the headers to see whether mail claiming to be from a person in fact came from that person's location. If it did not, it may be suspect. Without an IP, it can't be called either way.
    - Doomsday Provisions - Consider creating a stockpile of pristine unused email accounts at the major free providers so that, if they begin barring signups from exits, access to new accounts will still be possible, at least until logins from exits are also blocked. If an account hasn't been used in a while, many providers will mark the account dormant (no mail delivery/storage), or they will simply delete the account. So checking it once in a while might be in order.


Free Mail Services - Traditional Full Service

Minimum criteria for listing in this section:

- Login to at least one method of sending (web, smtp, submission) must be via SSL/TLS/OTP.
- Login to at least one method of receiving (web, imap, pop) must be via SSL/TLS/OTP.
- Must offer both one method of sending, and one method of receiving, for free.


Protocol List

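| Service | HTTP (80) | HTTPS (443) | IMAP (143) | IMAPS (993) | SMTP (25) | SMTPS (465) | submission (587) | POP3 (110) | POP3S (995) |
|---|---|---|---|---|---|---|---|---|---|
| AOL | ? | ? | ? | ? | ? | ? | ? | ? | ? |
| Fastmail | Y | Y | Y | Y | N a | N a | N a | Y | Y |
| Gmail | Y | Y d | Y | Y | Y | Y | Y | Y | Y |
| Hotmail | Y | Y | N | N | Y f | N | Y f | N | Y f |
| Rambler | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Yahoo | Y | N | N | N | N | N | N | ? | N |
| Zoho | Y | Y | N | Y g | N | Y | N | N | Y g |
| Lavabit | Y | Y | Y | Y | Y | Y | Y | Y | Y |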

Column headings:

HTTPS - Indicates that everything (creation, login, management and use) is available over SSL/TLS, fulltime, natively, no tricks or certificate acceptance required.
xxxxx - The other columns are similarly self explanatory and are hereby omitted.

Notes from the above table:

a - Present but not free, has no known APAY scheme, thus marked N.
b - Possible with HttpsEveryWhere.
c - Works, but uses a self signed, expired, or otherwise deviant, certificate.
d - Gmail has a cleartext session leak with the splash page after signup (welcoming the new user to their mailbox one click away). A password change and log out/in will nullify this.
e - (This table note is available for future use.)
f - More info here: techblissonline
g - Zoho's IMAP returns an odd EXPUNGE response, and pop appears to be nonstandard.

Feature List

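| Service | SIPW | SIPS | SINW | REQE/UPDE | REQP | REQN | FNMC | NACT | TRAV | DELE | APAY | MULD/ADVM | CTYO | LENG | ZONE | DNLD |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AOL | ? | ? | ? | ?/? | ? | ? | ? | ? | ? | ? | ? | ?/N | US | ? | ? | ? |
| Fastmail | N | N | N | Y/Y | N | N | Y | Y | N | Y | ? | Y/Y | NO | Y | ? | ? |
| Gmail | N | Y | Y | N/? | Y | Y | Y | Y | N | Y | ? | N/N | US | Y | Y | ? |
| Hotmail | ? | ? | ? | ?/? | ? | ? | ? | ? | ? | ? | ? | ?/N | US | ? | ? | ? |
| Rambler | Y | Y | N | N/? | N | Y | Y | Y | N | Y | ? | Y/N | RU | Y | ? | ? |
| Yahoo | Y | ? | ? | N/? | N | Y | Y | Y | N | Y | ? | Y/N | US | Y | Y | N b |
| Zoho | N | Y | Y | Y/Y | N | N | Y | Y a | N | Y | ? | N/N | US | Y | Y | ? |
| Lavabit | ? | Y | Y | N | N | N | ? | ? | Y | ? | Y | N/N | US | Y | ? | Y |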

Column headings:

SIPW - Source IP appears in mail sent via webmail.
SIPS - Source IP appears in mail sent via SMTP/SMTPS/submission.
SINW - Mail sent via SMTP/SMTPS/submission appears in webmail.
REQE - Requires alternate email to sign up, often used to send activation/recovery links.
UPDE - The address from REQE may be updated later to be the account itself, thus removing the third party.
REQP - Requires phone (SMS/voice) to sign up.
REQN - Requires filling out some name fields (first/last/full), or other PII, to sign up.
FNMC - The '^From: ' "name (GECOS)" field is a single configurable string, independent of the REQN string(s).
NACT - Defaults, or configurable, to not automatically add contacts when sending and receiving mail.
TRAV - Has issues when the exit changes mid session (traveling), or with certain countries/networks in general. This does not include the normal blocking of random exits due to abuse.
    1 - Requires the user to log back in to clear things up. Not preventable with the usual 'remember me' cookie/session login options.
    2 - Fails to create the account, or fails to login.
    3 - Locks the account (requiring helpdesk (human) intervention), or deletes the account.
    Note: (1) is usually due to benign software issues. (2) and (3) are usually due to the provider automating their country/network restrictions. (3) is especially bad/unreliable/unpredictable and use of the service is not recommended without MAPADDRESS.
DELE - The account may be deleted by the user.
APAY - Accepts anonymous/alternative payment methods for usage, extended features, or donations. A slash (/) separated list.
    1 - Money order
    2 - Non-personalized credit (gift) cards.
    3 - Bitcoin
MULD - Offers multiple domains to choose from. These are listed on the discussion page.
ADVM - Tags mail body with adverts that give away the MULD parent (ex: when mailing a single recipient from accounts using said domains). Or puts its name in the domain names.
CTYO - Country of organization.
LENG - Language is English by default or configurable as such.
ZONE - Timezone is settable.
DNLD - Messages in the web interface are downloadable to disk via some mechanism.

Notes from the above table:

a - True. Yet when sending via webmail, destination addresses appear in (settings.mail.anti-spam.whitelisted_email). They are deletable.
b - And the headers appear raw, separate from the interpreted body. No way to easily cut/paste the whole thing.

Test Accounts

These accounts are to permit verification of the data in the above tables. Feel free to take a test drive and then create your own accounts later. Please make the username and password eight(8) characters long and from the set [a-z0-9]. Lead both with a letter. Don't be an asshole.

Service Username Password Created
AOL anotst01 qwerty73 12-20-11 EDITED: June 13th, 2013, hardly a 'hack' - more like; "I was here"
Fastmail anotst01 p90xmous 06-20-2011
Gmail anotst01 I changed it :-) Account Hacked By Me (Mr.Anonymous) on May 19, 2013 :P
Hotmail john.anotst p90xmous 02-20-2012
Rambler anotst01 p90xmous 02-20-2012
Yahoo anotst01 p90xmous 07-06-2011
Zoho anotst01 p90xmous Not yet

Record all the parameters you supplied when creating the account. Name, DOB, address, country, email, recovery Q&A, activation link, exit (fingerprint, IP, country) if you locked it to one, etc.

AOL - Richard Jensen, April 18 1987, Security Question "Tom and Jerry". Requires javascript to sign up and use.
Fastmail - Alternative email: anotst01@hmamail.com; Full Name: optional, not provided; no location or DOB requested; no security question; Javascript not required for signup or use.
Gmail - Naver Sinead (male), DOB 8 July 1965, Location Ireland, Email anotst01@mailinator.com, Cell phone +353854790102
Hotmail - John Stevenson, Recovery Q&A: "best friend"\fapfap, DOB 1 Jan 1970, Cell phone: +1(123)456-7890, Country: USA, postal code (not req'd for non-US): 12345
Rambler - John Stevenson, Recovery Q&A: hui/hui, DOB 1 Jan 1970,
Yahoo - anotst01@yahoo.com; Full Name = Anonymouse Usser; DOB=July 4, 1976; Home=Germany; Postal Code= 35-364; Security Question #1: Where did you meet your spouse? Answer=Berlin; Security Question #2: Where did you spend your childhood summers? Answer=Munchen
Zoho -

Old style listings (test and port these to the above tables)

  • mail.yandex.com - Russian e-mail provider. English interface. Click 'I don't have a telephone number' on registration to switch to security question.
  • mail.ru - Russian e-mail provider. Append 'lang=en' to the URL query string for English interface. Registration field 'Alternate Email' is not needed. If you don't understand the Russian language, you can use Google Translator.
  • Box.az - Use this link to bypass Javascript register button. Service requires Javascript to get past login screen if the URL ends with /yeni (i.e. https://box.az/yeni). If you change the /yeni to /sade no Javascript is needed to access inbox email. Sending email still requires Javascript (cannot be bypassed by simply hitting enter). Blocks at least a few Tor IPs from signup.
  • GMX.net (asks for phone number.) (note: I had an account blocked without warning, apparently due to Tor usage during setup and thereafter; I didn't use my account for anything 'bad'. GMX has not responded to my _many_ requests for explanation and unblocking of account.)
  • MailVault.com (27.10.11 - down)
  • riseup.net (2 invites needed or create a help ticket to register an account. They also provide a Tor hidden service).
  • safe-mail.net (down) 3MB free accounts (drops large portion of incoming mail - unreliable). Requires JS to log in for the first time (unless you close the tab/browser after signup, reload https://safe-mail.net and log in again being sure to select "Fast (no scripts or icons)" as your "Interface" just above the SignIn button!). Terms of Service PROHIBIT use of proxies, but Tor/proxies are not blocked and no violation of this term has ever been known to get an account flagged. All login attempts (successful or not) create a record of the user's IP address & user agent string! Warning: Safemail is an Israeli company and as such is subject to foreign treaties with the US. They have already been contacted by law enforcement agencies. They have likely handed over information.
  • Hushmail.com (asks for phone number.) (accounts expire after 3 weeks of inactivity. Requires javascript to sign up, but can send/receive using mobile site. Blocks some Tor IPs for "abuse", deletes accounts at random for "suspicious activity")
  • Bigstring.com (has various bugs, not reliable and not safe!)
  • Gawab.com (requires JS, address, and phone number)
  • Zapak.com (broken signin - requires you to click a button that doesn't exist, even with JS enabled)
  • Myspace.com (blocks signups from Tor)
  • Hotpop.com (down or firewalls Tor IPs)
  • Myway.com (forwards to error page if JS is disabled)
  • Care2.com (no longer a mail provider)
  • Mail.com (captcha requires JS, requires major ISP-provided email for verification, not at all anon unless you can hack someone else's)
  • Tuffmail.com - 30day free hardlimit, may not support ssl for any protos?
  • Mail.md - requires Javascript, no alternate email required
  • PrivatDEMail.net (no webmail, requires other address but you can use e.g. mailcatch.com)
  • inMail24.com Claims web, POP3, and IMAP4 access. I was unable to register an account: throws "access denied" page.
  • Luxmail.com - Redirects to another domain when checking mail. Requires Javascript. No ssl.
  • mail.lycos.com - cell phone number is needed
  • mail.opera.com (FastMail Engine) - captcha is not displayed
  • netaddress.com
  • Runbox.com Free trial only
  • AnonymousSpeech.com - Free trial only, JS required.
  • protonmail.ch - An email service. Apparently very secure. Requires JS.
  • anonmail.biz - Anonymous premium email service like lavabit. (Not free).

Sending email (aka: simple webgates up to strong mixnets)

Receiving email (aka: disposable address maildrops/forwarders)

Service HTTP HTTPS DROP OPEN AUTH HEAD BODY MUDE MADE DNLD AFWD CTYO
Spamavert Y N N Y N Y Y a N Y ? ? N b NO
Yopmail Y N ? Y N Y N Y Y c N N b ?
10 Minute Mail Y N ? Y N N N N Y d N N b ?

Column headings:

HTTP - Everything works via HTTP.
HTTPS - Everything works via HTTPS.
DROP - This is a maildrop service.
OPEN - Maildrops are not protected other than by the randomness of the address.
AUTH - Maildrops are protected by authentication.
HEAD - Full, original as received, headers are available.
BODY - Full, original as received, body is available.
MUDE - Messages are user deletable.
MADE - Messages are automatically deleted after this many hours.
DNLD - Messages (too long for cut and paste) are downloadable to disk via some mechanism.
AFWD - This is an automatic forwarding service.
CTYO - Country of organization.

Notes from the above table:

a - Only up to a certain length.
b - Per message manual forwarding available.
c - The emails are deleted after 8 days.
d - The mailbox (along with its emails) disappears in 10 minutes unless you click on the corresponding link.

old style listings (test and port these to the above table)

TRADITIONAL WEBMAIL SERVICES

EMAIL FORWARDING SERVICES

  • SpamBox - free forwarding up to 1 year!
  • NotSharingMy.info - free forwarding for life!
  • MailExpire
  • Jetable - Requires email confirmation before temporary address becomes active. 24 hours to 1 month lifetime.

TEMP/DISPOSABLE E-MAIL ADDRESSES & UNSORTED?

  • HerpMail - Temporary read and reply email addresses from Ugleh (This is PiraX, yo.)
  • GuerrillaMail
  • Mailinator
  • WH4F - Will Hack For Food
  • OneOffEmail (Service offline)
  • MyTrashMail
  • WhySpam.Me (Site is down due to repeated abuse of the mail server.) operating normally at November 9, 2011 (for now)
  • Dispostable
  • Make Me The King - Can notify you when you receive mail.
  • MintEmail - bookmarkable, forwardable three-hour email addresses
  • Melt Mail - email forwarding with a lifespan you control
  • GishPuppy - Manage multiple forwardable temporary addresses.
  • tempalias - forwards to your real email address and expires after a set time or number of messages - DISCONTINUED BY ITS AUTHOR
  • spamgourmet - disposable spam filter, SSL available, specify max # of emails forwarded, field to identify sender
  • Shady Email - Don't just hide your email, Make it Questionable & Suspicious.
  • FilzMail - temporary read and reply email addresses
  • Nabuma - read and reply email addresses at a variety of domains, an announcement on the site reads "The service will be down for remodelling from Dec. 22nd, 2011 till summer 2012"
  • MaskedMail - Get your email address masked with a 24-hour working temporary anonymous email forwarder.
  • 1dl.us - Requires javascript. Temp Email, file dump and a bunch of other networking tools.
  • yass.com/anonymous-email/ Hide My Ass mail - Allows passwords for anonymous mail accounts and self-destruction after time limit or on demand.
  • mailop - YAMD, yet another mail drop
  • funky mail
  • IncognitoMail
  • YopMail.com catch all, disposable e-mail. no reply. deletable or deleted after 90 days. javascript required. multiple domains available.
  • anonbox
  • trash-mail.com stores mails for 6 months if registered, else 24 hours.

Pay Mail Services - Traditional Full Service

These are known for their strong public stance on, and in, the privacy field. Instead of the usual boilerplate/loopholed TOS/AUP/Privacy policies, expect to see ones that make that clear. This section exists because some users, particularly businesses, may benefit from having a paid/contractual relationship with their mail provider.

Minimum criteria for listing in this section:

- Login to at least one method of sending (web, smtp, submission) must be via SSL/TLS/OTP.
- Login to at least one method of receiving (web, imap, pop) must be via SSL/TLS/OTP.
- Must offer both one method of sending, and one method of receiving, all for pay, none for free.
- Must have a strong/atypical position regarding privacy.


Protocol List

| Service | HTTP (80) | HTTPS (443) | IMAP (143) | IMAPS (993) | SMTP (25) | SMTPS (465) | submission (587) | POP3 (110) | POP3S (995) |
|---|---|---|---|---|---|---|---|---|---|
| None at the moment | ? | ? | ? | ? | ? | ? | ? | ? | ? |

Column headings:

xxxxx - Refer to the Free section, the columns are an identical mirror.

Notes from the above table:

x - None at the moment.


Feature List

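| Service | SIPW | SIPS | SINW | REQE/UPDE | REQP | REQN | FNMC | NACT | TRAV | DELE | APAY | MULD/ADVM | CTYO | LENG | ZONE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| None at the moment | ? | ? | ? | ?/? | ? | ? | ? | ? | ? | ? | ? | ?/? | ?? | ? | ? |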

Column headings:

xxxxx - Refer to the Free section, the columns are an identical mirror.

Notes from the above table:

x - None at the moment.


Useful tools

  • Fake Name Generator - Random identity to go with your fake persona
  • GenerateData.com - Similar to above but with a more limited range of data to generate
  • Privnote - Self-destructing message, get notified when read, doesn't send the email, but tells you the IP address of who opened it.
