Note: Links on this page use the anonym.to service.
The cake isn’t real. Even if you can get it. Cyber warfare isn’t real either, and security is just hype. Merely security software vendors and secretly security consultants trying to shock and scare everyone so they can sell their products and services.
Well yes, on occasion that is true. But what about banks, big corporations and their hand puppets, governments? Governments and military have long developed intelligence activities with an eye on foreign threats (states) and terrorists (people). And yes, with recent developments that may mean you. Have you worn a tent lately? Or assembled peacefully at an occupy or portshutdown to express your disgust with the war-work-machine?
Okay, and it’s not just the US. If you DO NOT want to make it easy for the darn arrogating and appropriating snoopers, an ancient strategy is encryption of data, like email content. They will be able to see who sends to whom but not what (unless they are also using keyloggers).
In case you are a terrorist (yes, even babies can be foreign agents in disguise, or worse, terrorists wearing pink tents), governments and military of course want to be able to read your email (and all your other data for that matter). For they saw that one coming a long time ago too. Many countries have passed laws to maintain law-enforcement and national-security capabilities through regulation of cryptography.
This survey gives an overview of the current (July 2010, next update December 2011) state of affairs, with entries per country on import/export controls, domestic laws, developments to restrict cryptography, and developments favoring crypto use. For more background on the crypto policy dilemma, see my Ph.D. thesis The Crypto Controversy or my JENC8 conference presentation.
Not all mail clients work the same when it comes to composing and sending a mail message, so they expose more or less information to the SMTP server. It is preferred to not create sensitive data in the first place. And this is where mail clients differ.
Sylpheed Claw exposes version number and platform of the operating system (i686-linux-gnu/win32) and creates a message ID containing a local timestamp and the sender’s mail address. You can and should configure Sylpheed to not send a Message-ID header at all. Also, by default Sylpheed uses the locally configured hostname as the HELO string. This setting can be changed too. As a bonus, Sylpheed can be configured to not create a Date header line, which is helpful for not exposing your local timezone. Claws Mail includes PGP functionality.
Thunderbird exposes software release and OS in the X-Mailer: header and creates a message ID with a random stamp and the sender domain – this is not critical. The HELO hostname is your sender domain. For now, this is acceptable. Consider using Thunderbird along with Gpg4win (Windows) or Enigmail (Linux) to add PGP functionality.
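To check what your own client puts into a message before it leaves, save a draft as raw text and look at the headers discussed above. The script below is an added example, not part of the original post: the sample message and the `audit_headers` helper are constructed for illustration, and it only covers message headers (the HELO string is sent during the SMTP session, not in the message).

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not captured from any real client).
SAMPLE = (
    "From: Alice <alice@example.org>\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "Date: Mon, 12 Dec 2011 09:15:02 +0100\n"
    "Message-ID: <20111212091502.4f2a.alice@example.org>\n"
    "X-Mailer: ExampleMail 1.0 (i686-linux-gnu)\n"
    "\n"
    "body\n"
)


def audit_headers(raw):
    """Return {header: finding} for the metadata leaks discussed above."""
    msg = message_from_string(raw)
    findings = {}
    for name in ("X-Mailer", "User-Agent"):  # client and platform banner
        if msg[name]:
            findings[name] = "client/platform banner: " + msg[name]
    # Message-ID: look for an embedded timestamp and the sender address.
    mid = (msg["Message-ID"] or "").strip().strip("<>")
    if mid:
        sender = parseaddr(msg["From"] or "")[1].lower()
        leaks = []
        if re.search(r"\d{12,14}", mid):
            leaks.append("timestamp-like digits")
        if sender and sender in mid.lower():
            leaks.append("sender address")
        leaks.append("host part " + mid.rpartition("@")[2])
        findings["Message-ID"] = ", ".join(leaks)
    # Date: a non-zero UTC offset reveals the local timezone.
    if msg["Date"]:
        try:
            offset = parsedate_to_datetime(msg["Date"]).utcoffset()
        except (TypeError, ValueError):
            offset = None  # unparseable Date header: nothing to report
        if offset:
            findings["Date"] = "UTC offset %+d minutes" % (offset.total_seconds() // 60)
    return findings


if __name__ == "__main__":
    for header, finding in audit_headers(SAMPLE).items():
        print(header + ": " + finding)
```

A message with no client banner, no Message-ID and a Date in UTC produces an empty result.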