Thanks, I have some comments that may help...
Max Berger wrote:
It is not a given IP addressed account - it's only accessed via tor and not a Yahoo account.

On Friday, 11.01.2008, 09:44 -0800, Anon Mus wrote:

This question is for those with the knowhow. A while back I got a number of emails from the same source where the emails were sent in "pairs" a minute or less apart. The first of each of the "email pair" were large (over 700 characters), the second were small (under 50 characters). On the face of it the "email pairs" appeared to be a genuine error ("oh yes I forgot to mention" kind of thing) by the sender, so I took no notice at the time.

Perhaps someone isn't looking for an unknown IP-address, but just wants to prove that the owner of a given IP-address is the owner of the mailbox "green lantern at yahoo".
If this one is able to do a traffic analysis on this IP-address and knows the login time at the pop/imap-Server of yahoo, a well defined pattern of mail sizes could help.
I agree - I am using POP3 + SMTP (over SSL) to connect. And if I am on-line and thunderbird is up then it could create just enough delay to be seen. But the mail account is in the USA, so they could see the download precisely and the EXIT server if they had US help.
Of course they could watch the streams from the exit server looking for the precise "size" pattern (and could probably calculate the sizes anyway). Then they only need to look for the traffic connected to the tor network in the suspected country of connection origin.
In the suspected country of origin, filter traffic
- by time band
- by tor network node source
- by packet size pattern
and you get a list of possible IPs who could be the suspect.
Do this a couple of times for confirmation of the suspect's real IP.
Lookup IP in ISP's records.
Give suspect a medal for identifying criminals (-yea sure-).
But in this case I think it's not useful for him, to send these mails in such short intervals, because you would fetch both mails at one login and in one stream of data...
Max
I had no idea my contact may be an intel-op posing as an activist. So therefore I was not concerned that I should be up against intel community.
It would be interesting to hear if any other tor users have gotten similar email patterns.
Maybe it's a new intel technique against tor. More reliable than a straightforward timing attack.