[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Possible attack method?? Question..

Thanks, I have some comments that may help...

Max Berger wrote:
Am Freitag, den 11.01.2008, 09:44 -0800 schrieb Anon Mus:
This question is for those with the knowhow.

A while back I got a number of emails from the same source where the 
emails were sent in "pairs" a minute or less apart.

The first of each of the "email pair" were large (over 700characters), 
the second were small (under 50 characters). On the face of it the 
"email pairs"  appeared to be a genuine error ("oh yes I forgot to 
mention" kind of thing) by the sender, so I took no notice at the time.

Perhaps someone isn't looking for an unknown IP-address, but just want
to prove that the owner if a given IP-address is the owner of the
Mailbox "green lantern at yahoo".
It is not a given IP addressed account - its only accessed via tor and not  a Yahoo account.

If this one is able to do a traffic analysis on this IP-address and
knows the login time at the pop/imap-Server of yahoo, a well defined
pattern of mail sizes could help. 


I agree - I am using POP3 + SMTP  (over SSL) to connect. And if I am on-line and thunderbird is up then it could create just enough delay to be seen. But the mail account is in the USA, so they could see the download precisely and the EXIT server if they had US help.

Of course they could watch the streams from the exit server looking for the precise "size" pattern (and could probably calculate the sizes anyway). Then they only need to look for the traffic connected tor the tor network in the suspected country of connection origin.


in the suspected country of origin filter traffic

 - by time band
 - by tor network node source
 - by packet size pattern

and you get a list of possible IP's who could be the suspect.

Do this a couple of times for confirmation of suspects real IP.
Lookup IP in ISP's records.
Give suspect a medal for identifying criminals (-yea sure-).
But in this case I think it's not useful for him, to send these mails in
such short intervals, because you would fetch both mails at one login
and in one stream of data...



I had no idea my contact may be an intel-op posing as an activist. So therefore I was not concerned that I should be up against intel community.

It would be interesting to hear if any other tor users have gotten similar email patterns.

Maybe its a new intel technique against tor. More reliable than a straight forward timing attack.


Never miss a thing. Make Yahoo your homepage.