Saturday, December 1, 2007

Demystifying Craigslist Anonymization

Craigslist is one of those services that many people could not live without. Where else can you go to get free palm trees, 40 cubic yards of broken concrete sidewalk, AND get rid of that ugly couch and pick up a date all in one visit?

When Craigslist started, if I had to guess, there was little expectation of privacy. When you posted, you entered your "real" email address and your dirty laundry was now in the public eye. At one point they added functionality whereby you could anonymize your posting if you so desired. The functionality was quite simple. At the time of your posting, if you opted to remain anonymous, an email address within craigslist was created -- it took the format of -@craigslist.org. Emails to this address would get relayed to your email address of choice. At some point within the last year or so, the options changed. Previously, you could choose to be anonymous or not, or even not post any email related contact information whatsoever. You now only have two options -- anonymous or none.

As an example of how this anonymization works, I've posted to the Los Angeles Craigslist "items wanted" section seeking the much desired left handed smoke shifter. The email address sale-495545652@craigslist.org will accept and relay messages to my Gmail account which I keep for these purposes. If you email and I reply, by default you would see my Gmail address, thereby ruining my anonymity. Many Craigslisters, however, are savvy enough to properly set their From: when replying to continue to mask their true identity. For example, in my .muttrc, I have the following:

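alternates '.*@spoofed\.org|.*@craigslist\.org'   # addresses mutt should treat as mine
set reverse_name                                   # reply From: the address the message was sent To: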

This tells mutt that if I get email to either of those domains, it should set the From: to that of the original To:. You can accomplish something similar in Gmail with the "send mail as" setting.

Unfortunately, Craigslist anonymization only provides a minimal amount of anonymity, but I suspect it serves its original purpose -- to protect the addresses of posters from being harvested by spammers. This should not come as a surprise to anyone who is familiar with how SMTP works, but aside from front-line anonymity, this service is rather trivial to abuse.

For example, if you respond to my posting about the left-handed smoke shifter, I see the following in Gmail:

Date: Sat, 1 Dec 2007 12:46:24 -0800
From: Jon Hart 
To: sale-495545652@craigslist.org
Subject: shifter?

That craigslist.org address forwards all correspondence to my Gmail address. When I reply, the untrained eye will see:

Date: Sat, 1 Dec 2007 12:51:33 -0800
From: Test 
To: Jon Hart 
Subject: Re: shifter?

However, with pretty much every email service, except one that is configured exactly for this purpose, the headers will give away my true identity:

Return-Path: 
Date: Sat, 1 Dec 2007 12:51:33 -0800
From: Test 
Sender: 
To: Jon Hart 
Subject: Re: shifter?

As you can see, if you view the full, unmolested headers of my supposedly anonymous response, the From: is my craigslist relayer, but Return-Path: and Sender: give me away. There are other headers that can give me away, most notably X-Original-From:.
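As an added example (not part of the original post), here is a small Python check you can run over a saved copy of your own reply before trusting it: it reports every header named above whose address differs from the visible From:. The function name, the sample messages and all addresses in them are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# The headers the post names as giving the sender away.
IDENTITY_HEADERS = ("Return-Path", "Sender", "X-Original-From")


def leaking_headers(raw_message):
    """Return {header: [addresses]} for headers exposing an address not in From:."""
    msg = message_from_string(raw_message)
    visible = {addr.lower()
               for _, addr in getaddresses(msg.get_all("From", [])) if addr}
    leaks = {}
    for name in IDENTITY_HEADERS:
        found = [addr.lower()
                 for _, addr in getaddresses(msg.get_all(name, [])) if addr]
        exposed = [addr for addr in found if addr not in visible]
        if exposed:
            leaks[name] = exposed
    return leaks


# Constructed sample: From: is the relay address, but two headers carry the real one.
SAMPLE_REPLY = """\
Return-Path: <poster.real@example.com>
Date: Sat, 1 Dec 2007 12:51:33 -0800
From: Test <sale-0000000@relay.example.org>
Sender: poster.real@example.com
To: Buyer <buyer@example.net>
Subject: Re: shifter?

Still looking for one.
"""

# Constructed sample: sent from a dedicated account, so every header agrees with From:.
SAMPLE_CLEAN = """\
Return-Path: <throwaway@example.org>
From: Test <throwaway@example.org>
To: Buyer <buyer@example.net>
Subject: Re: shifter?

Still looking for one.
"""

if __name__ == "__main__":
    for label, raw in (("reply via relay", SAMPLE_REPLY), ("dedicated", SAMPLE_CLEAN)):
        print(label, "->", leaking_headers(raw) or "no mismatched headers")
```

Run it against the message as the recipient receives it (for example, a copy sent to a second account you control), since Return-Path: is added on delivery.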

I have to stress that this is not really anyone's fault. Craigslist did what you asked -- it masked your email address. Gmail and other services did what you asked -- they set your From: to your craigslist address. When you combine these two services, however, your anonymity is broken.

The lesson here is that if you are a disgruntled employee ranting about your boss, a SWF BBW ISO NSA BDSM from a generous SBM, or other forms of depravity, either create a dedicated email address that cannot be trivially traced to your true identity, or simply don't respond to any emails sent to your supposedly anonymous craigslist email.

1 comment:

Anonymous said...

Thanks for the clear explanation. I've noticed that every time I post to CL I get an email reply from a random address asking if the item is available. I reply yes and never hear another word. Seems like someone found a way to harvest my email address anyway.