How can you send an anonymous email? And how do cybercriminals go about sending them, in large quantities even?
Sometimes readers ask us how to send an anonymous email or how criminals and scammers manage to send anonymous emails. This is not an easy question to answer, for starters because there are several ways to interpret it, so I’ll try to give you some information here.
Interpret the question
Sending an anonymous letter via snail mail was easy. You left off the sender address or filled in a false one, and if there was a chance the receiver could recognize you by your handwriting, you used newspaper clippings to construct the sentences. Snail mail also had the advantage that you could drop your message in a mailbox that gathered mail from various senders before the delivery process started, so not even the carrier had any way to identify the sender. The place of origin was hidden, except maybe roughly, by looking at the postmark to see which postal district the letter came from, unless the sender went through the trouble of driving halfway across the country to post the letter.
As you can see, there are a few sides even to this low-tech version of an anonymous mail:
- No sender address
- False sender address
- Masking the content (encryption)
- Origin masking
What is a spoofed email?
Since sending an email without a sender address can result in errors and will certainly raise suspicion, it is easier to spoof a sender address. Spoofing is sending an email with a false sender address. Spoofing an address is relatively simple since the Simple Mail Transfer Protocol (SMTP) does not check the information in the “From”, “Reply-To”, or “Sender” fields. The only reason it is possible to trace back an email with a spoofed address is that the email headers will include the sending IP address.
So, to pull off a completely untraceable spoofed email the sender will have to use a VPN to mask their IP address or use a compromised system to send the emails from. Compromised servers are popular with people running malicious email campaigns.
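Seen from the receiving side, the header trail described above can be checked with a short script. This is an added example, not part of the original article: the sample message is constructed, `analyze` and `domain_of` are hypothetical names, and it assumes the topmost Received header and the Authentication-Results header were written by the recipient's own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (documentation domains and IP ranges only).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.25])
\tby mx.recipient.example with ESMTP id abc123;
\tMon, 01 Jan 2024 10:00:00 +0000
Received: from localhost (unknown [192.0.2.77])
\tby mailer.example.net with ESMTP; Mon, 01 Jan 2024 09:59:58 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=bank.example.com
From: "Your Bank" <support@bank.example.com>
Reply-To: helpdesk@other.example.org
To: user@recipient.example
Subject: Account notice

Body text.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def analyze(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    # Each relay prepends a Received header, so the list is newest first.
    hops = [ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)]
    auth = dict(AUTH_RE.findall(" ".join(msg.get_all("Authentication-Results", []))))
    findings = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    if auth.get("dmarc") != "pass":
        findings.append(f"dmarc={auth.get('dmarc', 'missing')}")
    # Only the hop recorded by your own server is trustworthy; older ones can be forged.
    return {"from_domain": from_dom, "connecting_ip": hops[0] if hops else None,
            "hops": hops, "auth": auth, "findings": findings}
```

A Return-Path or Reply-To mismatch is a signal rather than proof, since legitimate bulk mailers also send on behalf of other domains, and the exact-match domain comparison here is a simplification of DMARC alignment.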
How can I send and receive an encrypted email?
A very different concern is to hide the content of an email from anyone except the intended receiver. This requires some type of encryption that only the receiver can decrypt. Encrypting emails like this—known as end-to-end encryption—has historically been difficult, although the tools for achieving this kind of encryption are getting better and easier to use.
Most emails are encrypted during transmission, but they are stored in clear text when they are at rest, making them readable by third parties such as email providers. There are, however, some providers that offer end-to-end encryption and zero-access encryption to secure emails. This means even the service provider cannot decrypt and read your emails.
If you want to have full control and not depend on a provider, you will need to exchange public keys with the parties that you want to start encrypted communications with. Once you have exchanged keys, most email clients will offer you the option to encrypt emails on a per-message basis.
How can I send an email anonymously?
I wrote a blog post on how to send encrypted mails a long time ago. Some things have become considerably easier since then. Some carriers offer you the option to send end-to-end encrypted email for free. Personally, I have only tried ProtonMail, which allows you to come up with your own email address, and even the free version is free of advertisements. You only need to provide an existing email address if you want to use that as a recovery method in case you forget your credentials. If you do not need that option, the sign-up procedure is completely anonymous.
Is ProtonMail really anonymous?
ProtonMail is a secure email provider that does not solicit any information from you to use the free version, as long as you don’t choose to use the recovery option. For any legitimate use case, ProtonMail can be considered secure and private. That is because, for any legitimate use case, it should be enough to send an encrypted email, so that the intended receiver is the only one who can read the content of the message.
ProtonMail can even be used in combination with a VPN so that even your IP address remains hidden. Unfortunately, this also makes the service very popular amongst ransomware peddlers, who sometimes create individual ProtonMail accounts for every single victim.
Can email be traced?
Even hardened criminals make mistakes, so you should always be wary of the fact that an email you sent can be traced back to you. On the other hand, it is virtually impossible for anyone to trace back an email that was sent using all the techniques we have described above. As so often, it is wise to assume the worst possible scenario. We have seen script kiddies who thought they could use a Gmail account as a means to send anonymous emails. Maybe the receiver will not be able to trace it back, but the police certainly will, with some help from Google. If you need plausible deniability, don’t put it in writing. For legitimate use, we hope to have handed you some useful tips.
I have received an anonymous or spoofed email. What should I do?
How you deal with any mails you receive normally depends on the content. As with any email, it is advisable to scrutinize whether the email and the sender are who and what they claim to be. If you recognize the sender but don’t trust the content, contact the sender through other means to verify they sent it. Do not send read receipts or other confirmations that you have read the mail before you are sure you can trust the sender.
You can find some tips on how to recognize and deal with unsolicited mail in this blog post about recognizing and disposing of malicious emails and this article about phishing. If the mail has the character of an extortion email, you may find our post describing what to do when you receive an extortion email helpful. Depending on where you live, it may be prudent, or even mandatory, to inform the proper authorities about any extortion attempts.