| OmniMix • Tutorial • Nyms • Receiving Nym Messages |
  
|
Incoming nym messages are only forwarded to users authorized to retrieve them, which is why you must not forget to assign
newly created nyms to specific OmniMix users, at best immediately after sending the creation message. Otherwise nym replies
sent to your mail account aren't decoded, and those posted to a newsgroup like alt.anonymous.messages will even show no
sign of life at all.
So go to the 'User' tab, select the respective user from the list, which with a fresh installation usually is 'OmniMix',
and click '=' to edit that account.
A dialog window opens, where you find a list of the 'Nyms' you defined within the Nym Configurator. Add a checkmark to
the nym for which you just sent a creation message, click 'Accept'. Always repeat that procedure with the 'Nym' account,
which is used by the OmniMix GUI itself for example to send nym test messages from the 'ModNym' tab. Otherwise such a
task will be aborted with a 'Nym account not assigned to given user account' error message. Finally restart the servers
to propagate the changes you made.
Since reply blocks may point to an email address or a newsgroup, there are also two ways to collect reply messages,
either from a POP3 (mail) server or an NNTP (news) server.
So 'Polling' has to be activated ('Enabled' or 'Optional') for 'Mail P' and / or 'NwsNym', where the first-mentioned is
also required if you only intend to fetch normal, non-nym mails. The option 'Disabled' means, that the concerning source
isn't polled, with 'Optional' OmniMix tries to obtain messages from the source, but doesn't care about a failure, whereas
'Enabled' insists in establishing a connection and aborts with an error message sent to the mail client if the source
isn't available.
With reply blocks pointing to a newsgroup it's necessary to enter the parameters of a news server at the 'NwsNym' tab.
When selecting a suitable server you have to consider, that some of them don't keep the complete set of all messages
posted to 'alt.anonymous.messages'. The most reliable freely accessible server I found was the one at 'news.mixmin.net',
run by Zax, which therefore is used by OmniMix.
Different from mail coming from a POP3 server, which is deleted after retrieval, nym messages routed through a newsgroup are
available there for a longer period of time. So OmniMix has to take notes of the messages it already processed to prevent multiple
deliveries. The fact that each nym server chronologically assigns a strictly ascending order of numbers to all messages within a
newsgroup allows OmniMix to keep track of its progress within the group by simply storing the number of the next message that has to
be interpreted. The only problem is that those numbers are news server specific. Therefore especially if you're experimenting with
different news servers for nym message retrieval, that 'Newsgroup Pointer' of the involved accounts may have been set to values
unsuitable for the server you're currently using. If it's too high OmniMix ignores all messages offered by the server supposing
they've already been downloaded. So after every redefinition of the nym related news server the newsgroup pointer of all nym accounts
with newsgroup delivery has to be adjusted! The 'Nym' log presents data, which allow to estimate the correct number. Nevertheless a
secure alternative would be to reset it to 1, which however results in another processing of all nym replies still available at the
server no matter whether they've already been presented to the client.
Now there are several possible ways to retrieve your nym's reply messages from the newsgroup they are posted to. To
download them directly from there enter access parameters of the news server of your choice at the 'NwsNym' > 'Server'
tab.
As OmniMix doesn't buffer messages, and therefore nym message retrieval from its source is only done on a mail client's
request, processing time has to be kept short to avoid a connection timeout initiated by the client. That becomes even
more evident with a slow Tor routing. To solve the problem increase your client's connection timeout interval and within
OmniMix limit the number of newsgroups articles processed with each mail request. That's what the 'Analysis Block Size'
parameter is designated for. It defines the maximum number of articles analyzed at once in order to extract your incoming
nym messages with '0' meaning no restriction at all. To avoid fingerprinting that amount can randomly be varied to the
downside limited by the percentage defined in 'Variation'. With a restriction in place you have to check repeatedly for
new mail till the 'Newsgroup Pointer' fields of your OmniMix account's nym accounts show up-to-date numbers. In order to
reread messages set that pointer manually to a lower value, for example to '1' to reload all available messages, which
can simply be done by clicking at the 'R' button adjacent to the value. But don't forget to save the changes with
'Modify'.
Especially while fetching only specific messages, which offers an adversary valuable information, another layer of
anonymization provided by a conncetion through Tor is highly recommended to increase security.
But there are further options to confuse snoops. Beyond the group's message catalog entries required to locate your own
messages within the range defined by the 'Analysis Block Size' OmniMix can also download a random amount of already
processed articles' so-called 'Xover' data. And additional irrelevant dummy messages ('Messages') can be put between the
downloads of real nym replies. Furthermore OmniMix may vary the message processing time ('Delay') randomly to prevent
timing analyses. All that has to be adjusted at the 'NwsNym' > 'Access' tab.
Nevertheless, if you aim at maximum security you have to follow a different retrieval strategy, namely to download the
complete set of the newsgroup's postings to your computer and then to process them locally, shielded from any external
observer.
That's where the integrated Hamster server comes into play. It offers a local news server, preconfigured to work as a
buffer of the group where your nym replies get posted. In freely definable time intervals it contacts the external NNTP
server looking for new articles and downloading them.
It's very easy to get your Hamster make a move on. Go to the 'Hamster' > 'Run' tab and click 'Start'. And if you want
Hamster to start along with OmniMix check the 'Autostart' box.
After a few seconds Hamster gets active, which you can see at the 'Hamster' log list. First it creates resp. updates
internal reports, then, after a while, as per specification at the next quarter of an hour, it starts to download
'alt.anonymous.messages' articles from the 'news.mixmin.messages' server already mentioned above.
This is also done using the OmniMix NNTP proxy server, so that Hamster isn't exposed to the Internet. The download
process may take some time depending on the 'Pull Limit First' value, which describes the number of latest articles to
retrieve when doing so for the first time. From then on all articles are downloaded, as defined in 'Pull Limit Later'
('0').
To activate Hamster parameter changes shut down Hamster, press the 'Update Hamster Configuration' button at the
'Hamster' > 'Config' tab, then restart Hamster. That's also the place where you define the connection parameters of
Hamster's NNTP server. If you change the port number take care that it doesn't collide with other services, esp. OmniMix.
At Hamster's 'Groups' tab you can even specify the set of newsgroups Hamster has to stock. The integration of further
groups beyond alt.anonymous.messages may once become relevant with an increasing number of nym reply postings exceeding
the client's download capacity. Be aware that with an increasing amount of data stored in Hamster a restart may take
longer than OmniMix tries to connect, as auxiliary files have to be rebuilt. If that happens try to connect manually by
clicking 'Connect' at the 'Hamster' > 'Run' tab.
As you see on the 'NwsNym' > 'Server' tab OmniMix is already configured to get nym replies from Hamster, so apart from
starting that server nothing has to be done to provide mail clients with their messages.
Of course with a local newsgroup depository countermeasures against adversaries as described above aren't required. So
keep them deactivated at the 'NwsNym' > 'Access' tab.
With the decoding of nym replies OmniMix preserves the headers of the 'envelope' message by preceding the header names
with the character sequence 'O-Nym-'. The introducing 'O-Nym-Crypto:' line is a matter of particular interest, as it
offers you some information about the decryption process, which were the reply block slot ('slot='), the number of
symmetric ('sym=') and asymmetric decryption stages ('asym='), the subject encoding method ('esub=') used with that
message ('p' for plain unencrypted subject, 'i' for esub/IDEA, 'b' for bsub/Blowfish, 's' for hsub/SHA256) and the
respective nym account ('account='). The 'O-Nym-Sig:' header indicates whether the message's nym server signature is
valid.
So as an answer for a configuration request you have to expect something like
--------------------------------------------------------------------------------
O-Nym-Crypto: slot=3; sym=4; asym=1; esub=i; account=whopper@nym.mixmin.net
O-Nym-Sig: Good signature (RIPEMD160:[562619C278247C3B] Bananasplit Pseudonym Server (Bananasplit Pseudonymous Email Server) <config@nym.mixmin.net>; Mon, 25 May 2015 02:52:31 +0000)
O-Nym-X-Hamster-Info: Score=0 Received=20150525104535 UID=7
O-Nym-Xref: anonymous.invalid alt.anonymous.messages:1073
O-Nym-From: Nomen Nescio <nobody@dizum.com>
O-Nym-Subject: 5e53ff1d2d343096a8fed57e2de7f3c0b2c4901e55eeb8d3
O-Nym-Message-ID: <ec4c32d7868ddc2d8871e022705153a5@dizum.com>
O-Nym-Date: Mon, 25 May 2015 08:45:43 +0200 (CEST)
O-Nym-Newsgroups: alt.anonymous.messages
O-Nym-Path: news.mixmin.net!news2.arglkargh.de!sewer!news.dizum.net!not-for-mail
O-Nym-Organization: dizum.com - The Internet Problem Provider
O-Nym-X-Abuse: abuse@dizum.com
O-Nym-Injection-Info: sewer.dizum.com - 194.109.206.211
O-Nym-X-Old-Xref: news.mixmin.net alt.anonymous.messages:564896
Received: by nym.mixmin.net with unique id --jtcNK4vK2FD7 for <whopper@nym.mixmin.net>; Mon May 25 02:52:31 2015 +0000 (GMT)
Message-ID: <--jtcNK4vK2FD7@nym.mixmin.net>
Reply-To: confirm+30dcb911435d759d@nym.mixmin.net
From: config@nym.mixmin.net
Date: Mon, 25 May 2015 02:52:31 +0000 (GMT)
To: whopper@nym.mixmin.net
Your configuration request completed successfully.
A new reply block has been received for your mail alias, but has not
yet been activated. In order to start receiving mail with your new
reply block, you must confirm it by sending an (anonymous) E-mail
message to the following address:
confirm+30dcb911435d759d@nym.mixmin.net
The contents of the message can be anything. Any message delivered to
this address will activate your reply block.
--------------------------------------------------------------------------------
The quoted date of signature means local time, which is why OmniMix adds the UTC offset.
When OmniMix succeeds to decrypt and forward a reply message it preserves the originally encrypted version in its 'msg'
subfolder. That behaviour can be changed at the 'SetNym' > 'Server' tab.
In case there are problems in decoding a nym reply and OmniMix forwards the still encrypted message to the client you can
try to decrypt it manually.
To do so go to the Nym Configurator's 'Decoding' tab and paste the encrypted text into the 'Encoded' field or load a
message previously stored from within your mail client from disk by pressing the 'Load Message' button. Then click on
'Decode Nym'. The 'Decoded' field finally shows either the decoded message or a log of the failing decoding process. You
may store the resulting data from the 'Decoded' field to a file by clicking 'Save Message'. Mail clients usually support
the import of message files in mbox format, so keep that option activated. Of course this way you can also review the
encrypted original messages stored in the 'msg' subfolder.