In Case of Inquiries ...
Advices for Exit Mix Administrators Regarding Abuses
If the anonymization service got abused the IP address of the exit mix is usually identified. Often it is the case that the server is assumed to cause the abuse.
Already before getting the first abuses there is something one can do to minimize the trouble later on:
- Talk to your ISP and explain what you are doing with your server and what kind of problems may occur. The best thing is to ask before signing the contract whether and under which conditions it is tolerable to deploy an anonymization service at all and if there are requirements concerning the handling of abuses. Some ISPs say: "We are just relaying traffic and you are supposed to deal with abuses." Other ISPs want to get feedback regarding the processing of abuses.
- Do not run the exit mix on a server in your home country. This is not only recommended by JonDos in order to provide high anonymity but serves avoiding abuses as well. Insignificant abuses are often not prosecuted if an international coordination is necessary to identify the offender.
- A "talking" Reverse-DNS entry may clarify the function of the server: IT-savvy victims or prosecutors may use tools like host or nslookup.
- The Whois record should contain respective information about the server. The AnonBox of the Chaos Computer Club is a good example.
- Ideally, the RIPE entry of the server's IP should point to its operator directly. Then all abuses go directly to the mix operator without detour via the ISP. Not all ISPs are offering to set the RIPE entry but if it is possible you should use this option.
- Victims or prosecutors are often checking the IP address of the exit mix server using a web browser in order to inform themselves about its operator. It is helpful if a small web server like lighttpd provides a information page on port 80. The JonDos GmbH offers an example of an Exit Mix Information. If the anonymity service was abused in a criminally liable way this information page can influence whether one is treated as a suspect or a witness.
- Installing the web server. (Debian:
# aptitude install lighttpd)
- The example prepared by the JonDos GmbH do you find in the mix sources in the subdirectory misc/exit-mix-notice. If you are using the mix server debian packages please install the package mix-exit-notice. The prepared web page is available in the directory /usr/share/mix-exit-notice. Do not forget to adjust the configuration for the installed web server.
- Installing the web server. (Debian:
SRC: DocumentRoot /home/mix/stable/misc/exit-mix-notice DEB: DocumentRoot /usr/share/mix-exit-notice
Spamming via Web Interface
It is quite often the case that a bunch of spam mails is sent using the web interface of a mail provider. The spammer wants to stay anonymous and is usually using free anonymous services to log himself in to the web interface of a mail provider.
The recipients of those spam mails are able to trace their origin to the exit mix looking at the sent headers. They send an abuse mail to the ISP of the exit mix and the ISP in turn forwards this mail to the one renting the server and expects feedback after it is processed. Do not ignore these abuse mails even if they are not relevant in a criminally liable way as this can lead to a violation of the ISP's terms and conditions and finally to a termination of the server.
Generally, one is receiving the complete spam mail including its headers together with the abuse notice. A fictious example:
Dear customer, . We received a complaint regarding an IP assigned to you. Please see the complaint at the bottom of this e-mail. We urge you to take appropriate ation to prevent future complaints. . Security Response Team . Return-path: <firstname.lastname@example.org> Delivery-date: Fri, 14 Mar 2015 06:39:21 +0200 Received: from pra7.smp.wab.co.za ([220.127.116.11]) .... Received: from 18.104.22.168 (SquirrelMail authenticated user medium) by mail.domain.tld with HTTP; Date: Fri, 14 May 2010 07:37:04 +0300 (EAT) Subject: HELLO!! From: ........
In the last section Received: may the necessary information be found to forward the abuse notice on your part. The headers are always different and every abuse notice has to be addressed individually.
- 22.214.171.124 is an example. It should be the IP address of the exit mix. But possibly it is an other one in which case the abuse notice was sent to you by mistake. (That happens but is quite seldom)
- medium is the user account on the mail server which got used for spamming.
- mail.domain.tld is the mail server on which SquirrelMail (a web frontend) is running.
Forward the abuse notice to the abuse account of the mail provider and ask for deleting the spam account. Furthermore, send the forwarding as a copy to the security response team of your ISP in order to give them feedback showing that and how you reacted to the abuse notice. Most providers are satisfied with that. They forward your response on their turn to the sender of the abuse notice.
Spam DNS Blacklists
By spamming via mail or in forums it happens on and off that an exit mix is listed as spam IP by a DNSBL.
For free exit mixes this is usually no problem as long as the server is not used for spamming as well. Mostly, the ISPs hold the position that the user of the server is responsible herself whether the IP address is on a DNS blacklist or not. As the most DNSBL are analyzing comments in forums as well it were a Sysiphos job for an admin to remove the server from all DNSBL over and over again. As this is not affecting the normal mix operation, free exit mixes can ignore this problem. Own e-mails should be sent over an other IP address.
For premium services is the situation a bit different. As these services are allowing to send e-mails via SMTP anonymously as well the exit mix operators should make sure that their servers are no listed on a DNSBL. The webpage Spam Database Lookup offers the opportunity to check a multitude of DNSBL.
Stalking and Offending
If victims of stalking and offenses are addressing themselves to exit mix operators one can point to the opportunity to block anonymous usage. Webservices (Blogs, Forums, Wikis or other webpages) can be banned on all exit mixes if the operator of a webpage does that want.
Copyright infringements are very rare. The automatically generated copyright infringements are unknown to most exit mix operators. The free cascades can only be used for surfing anonymously and BitTorrent via premium services is not very profitable. Instead of paying for the traffic one can buy the desired video.
Obtaining Credit by False Pretences
An order on an online shop was made using wrong personal data and anonymization services. The goods are delivered but the bill is not being paid. The owner of the online shop Der Online-Händler makes a report and provides the saved IP address as evidence. A routine investigation is started and the operator of the exit mix in question is summoned sometime be it as a suspect or be it as a witness.
This is no reason for concern. Accept the appointment of the summoning or arrange one that fits better. Explain to the prosecutors what you are doing and that an identification of the offender is not possible by means of the IP address. A protocol is written and the investigation against the exit mix operator is discontinued. A prepared fact sheet about JonDonym is helpful here. (Possibly, the prosecutor him/herself is going to use this service in the future to avoid data traces while surfing the Web.)
With some routine you may answer the summoning written and ask whether your personal appearance to clarify further questions is necessary.
Severe Criminal Offenses
Mix operator do not act independent of laws. Due to severe criminal offenses there is the possibility that a mix operator is forced by a legally binding enactment to log data with the aim to deanonymize users.
Do not play a cat-and-mouse game with officials. Do not say you are agreeing to this telecommunication surveillance to deliver later on meaningless data that are not analyzable without the cooperation of the other mixes within your cascade. Explain how JonDonym is working and that the cascade your mix is belonging to is (hopefully) an international one meaning the mixes are located in different countries and get advice from a lawyer.
If you have to log data remind the following points:
- Save only the absolute necessary data.
- Make sure that nobody has access to this data.
- Only forward the amount of data you are forced to.
- Do not allow an arbitrary data collection. If you cannot resist that shut your server down.
Similarly to the case of obtaining credit by false pretences and other minor offenses it is possible as well that the operator of a mix is treated as a suspect regarding severe offenses. But you probably won't get a summoning at once, though. Rather, the investigation against you is going to start unnoticed and is presumably including the surveillance of telecommunication connections and the observation of your money transfers among others.