The Phantom Remailer is a pseudonymous single-blind remailer that runs as a delivery agent on a mail server. It was designed for use with Sendmail and other mail transfer agents that support the Sendmail standard. This remailer implements fully SPF and DKIM compatible mail forwarding with a low Spamassassin score.
The remailer works as a transparent forwarder for incoming emails and an anonymizing remailer for outgoing emails. This means you get the full benefit of Multipart/MIME email messages as an incoming address and a stripped down text/plain experience for outgoing messages, even when your reply contains a Multipart message.
I modeled the Phantom Remailer after the Craigslist remailer in that it is designed to only support text replies and it copies a specific minimal list of headers from the source email message. Where it differs from the Craigslist remailer is that I take advantage of the detail portion of the email address to encode the necessary meta information for the remailer.
A little known feature of the email address format is that you can have multiple unique email addresses that all deliver to the same box by adding what is referred to as a detail to your box. The format of the email address is like this:
box+detail@domain
The box is the foo in foo@example.com, the detail is the +detail before the at sign. You can have foo+anything@example.com and it will be delivered to foo@example.com with the To header containing foo+anything@example.com.
The Phantom Remailer encodes the original To and From addresses into base64 then generates a Reply-To address like foo+anonymize.ABCXYZ==.LMNOQRTS==@example.com that tells the mail user agent to reply to that address, and since foo@example.com is your original address it transparently delivers that big encoded address to the remailer script. The reason the remailer does this is that when a mail user agent replies to an email, all of the header information in the original message is lost, so the only way to retain the metadata is to encode it in the Reply-To header. Craigslist works around this limitation by setting up an anonymous double blind remailer that has 2 different hostnames, sale.craigslist.org is for the seller’s email and reply.craigslist.org is the person responding to the ad. The email addresses are randomly generated SHA hashes that are unique for every page visit. In theory Craigslist could be using the random SHA hash and linking it with a cookie in your browser to associate an email address with a given browser session and IP address. Their privacy policy hints they may be doing this to combat SPAM/abuse.
Why
Why write a remailer, why not just get a throwaway account at <insert random big tech company here>?
I want to hide my IP address in the mail headers. If you believe all of the agitprop pushed by YouTubers hawking the latest RandoVPN service, I just need to sign up for a VPN service and that will fix everything — for a nominal fee. Aside from the cost, you are placing an immense amount of trust in the VPN service not to divulge who you are. I just don’t feel it is necessary to spend extra money on a VPN and I don’t have any trust in those services.
Aside from a VPN, there are only 2 solutions which would obscure my IP address and protect my privacy: Using a Unix text based mail user agent like mutt, or using a remailer. I gave up mutt a long time ago and have no desire to return to the dark ages, so after failing to find a turnkey remailer that would do exactly what I want, I wrote my own. I wanted incoming email to work just like a mail forward but I wanted outgoing email to be anonymized, I didn’t find anything that did that easily. Perhaps mixminion does, but I didn’t look into it.
Privacy
The purpose of the Phantom Remailer is to maintain privacy, while I have made attempts to sanitize input as much as possible, there may still be corner cases where it fails to do so. Fortunately you are in control of the input fed to the anonymizer, if you are paranoid then you can force your mail user agent to send only text/plain with no signature and no attachments.
Here are the steps I’ve taken to ensure privacy:
- Anonymized messages (replies from the protected party to the public sender) are created anew and only the following headers are copied from the source message: MIME-Version, Subject, Content-Language
- Multipart messages are stripped and the “best guess” text/plain body of the message is used in the body of the reply
- All obfuscating encoding is stripped and text is re-encoded as quoted-printable. This means Unicode characters appear as
=AA=55interspersed in the body of the message. Insidious characters like the ZERO WIDTH SPACE are made plain as day 😉 - The signature is stripped from the bottom of replies. If you have a plain text signature block automatically appended to replies by your mail user agent, the remailer attempts to identify and strip the signature block. If you have an HTML signature block this may not work.
- If your mail user agent is configured to automatically sign all messages with OpenPGP, then the signature and all identifying information is stripped. For those in the know this sounds anathema, but if you want a Cypherpunk remailer, run a Cypherpunk remailer 😁
Getting the Phantom Remailer
If you want to run your own copy of the Phantom Remailer, you can obtain it from The Phantom Coder Github page: https://github.com/DerPhantomCoder/remailer Instructions for installing the Phantom Remailer are in the README of the repo, they contain all of the nuanced details necessary for running the remailer on an RHEL derivative with SELinux enabled. I did not include information on setting up your own email server, this is assumed.
The way I installed the Phantom Remailer is to make it a catchall alias so that ALL email for my domain is passed through the remailer.
In the /etc/mail/virtusertable create an entry like this:
@example.com remailer
Then in /etc/aliases create an entry like this:
remailer: "|python3 /usr/local/bin/remailer.py --config /path/to/remailer.yml"
Then you can configure the remailer with a catchall address so that all email gets forwarded to a single address. This also allows you to add additional parties to the @example.com domain by simply editing and rebuilding the remailer address aliases database.
The Phantom Remailer was a fun piece of code to write and the outcome is better than I expected. There is no compromise in usage and it Just Works™. The Phantom Remailer is licensed under the MIT license, so feel free to use it, create a derivative, or contribute.
