G-mail, Hotmail Yahoo traceability.


Hobo
1st Apr 2012, 07:23
I've often wondered, if I am sending emails from one of these free providers, can the recipient find out where I am and which computer I'm using, or is it completely untraceable?

TWT
1st Apr 2012, 07:29
You are not invisible. Your IP address is recorded within the email header. If you are using your ISP connection for illegal purposes and the cops get interested, your IP address will lead them to your front door after they identify the ISP and obtain your private details from such. Other than law enforcement, the closest anyone will get is the name of your ISP and your general location.

Caveat: I'm not an IT expert, those here who are will no doubt fill in any missing pieces.

mixture
1st Apr 2012, 08:53
Hobo,

TWT was almost there in his description.

Some of the services will withhold your IP address from the header, and as such, the recipient may not necessarily be able to see your IP address in the email headers.

However, should you send something that subsequently causes lawyers (civil) or law enforcement (criminal) to be involved, then all they need to do is to serve the email provider with notice to release relevant information, which they can then follow up with your ISP, which they can then use to come knocking at your door.

Some may seek to argue that intermediary services such as "TOR" are untraceable. However, the fact of the matter is that you have to have the service set up in a particular manner, and be particularly disciplined in your usage of it to give yourself a reasonable chance of being more difficult to find. For example, the well publicised case of "Sabu" from hacking group "Anonymous" was eventually tracked down by the authorities despite being a heavy user of "TOR".

hellsbrink
1st Apr 2012, 11:19
Yeah, but didn't "Sabu" let his guard down and use a computer in an internet cafe that wasn't on Tor?

Saab Dastard
1st Apr 2012, 12:36
The site owners (Internet Brands) have stated that they must comply with subpoenas requesting such information as is held in the system about specific members, including posts, PMs, email address(es) and post IP addresses. If that information is sufficient to provide a member's true identity, then that identity is revealed.

Moderators are not involved in this process. I am not aware of any moderator ever abusing their position to reveal a member's identity to a 3rd party.

SD

mixture
1st Apr 2012, 14:03
Yeah, but didn't "Sabu" let his guard down and use a computer in an internet cafe that wasn't on Tor?

See:
be particularly disciplined in your usage of it

:E


(Even if you meet both criteria previously outlined, you are still assuming the authorities don't run Tor nodes, have not backdoored Tor etc. etc.)

Milo Minderbinder
1st Apr 2012, 14:45
I forget the details, but TOR can leave a trail. And it doesn't necessarily obfuscate your MAC address.
Besides which, you have to be consistent in your use of TOR.

Let's think about this a bit - the authorities won't just check the contents of one e-mail or forum post. They'll cross-check for any posts through that e-mail account or forum account. Can you be sure that ALL of them were through a correctly configured TOR system? Even when you set the account up? Say you log into an anonymous e-mail account while using TOR, then while still logged in you access Facebook. Then later, you log out and again access Facebook. Bang, you're caught.
Or consider an e-mail sent to that anonymous account which contains a trojan. Good bet it will get past your security software, and be able to obtain your real IP address and start sending details home. Not much you can do about that - some variants of (for instance) TDSS are virtually undetectable and we know the security services have better tools.

So what realistically can you try to do?
First always access the internet via someone else's link e.g. pub/hotel/starbucks/mcdonalds and only ever use that access point once - and hope there is no camera logging you. And pray that someone hasn't intercepted the wireless signal (which is dead easy)
Or you could use a new 3G dongle each time - but you would have to make sure that each is purchased from a different dealer, and each is used once only, and in a different location
Next obfuscate your MAC address (this can be done, but here's not the place)
Use TOR, but it may be better to run through a series of so-called anonymous proxies in a country which is unlikely to be subject to western request for info e.g. Russia or any of the ex-Soviet Asian states
Use a series of unrelated e-mail addresses based in Russia or similar. Use each one only once, and make sure the data given at setup does not ID yourself.
Use a computer with an embedded operating system (e.g. Android, or Windows CE) and give it a hard reset before every internet session so there's no chance of infection.
Even then there's not a lot you can do to stop the data being read at the far end.
Of course rather than e-mail you could run your correspondence through the PM systems of a large number of web forums such as this, the more the better - but there are obvious risks with that.

The above is just a simplistic view - in reality you can do much more, but this isn't the place to say what. However to remain truly anonymous is hard once someone has identified you as a risk.

Bushfiva
1st Apr 2012, 14:59
And it doesn't necessarily obfuscate your MAC address

So you're saying ARP survives NAT & Co. What part of TCP carries MAC addresses?

Milo Minderbinder
1st Apr 2012, 16:07
I need to clarify that
The MAC address only carries as far as the next router node - and could be picked up there only
However there's nothing to stop a piece of software picking up a MAC address and transmitting it to a third party. Or for a bug or trojan to transmit that info.
That's really the point I was trying to make, I just worded it badly

Of course what the network sees is the MAC address of the router - not of the user's PC. BUT, if the authorities can gain local access to the network and find the MAC address of the specific machine, then all bets are off
A very simplified example of how this can be used
How the FBI used computer MAC addresses against Lulzsec hackers | Hacker 10 - Security Tips (http://www.hacker10.com/other-computing/how-the-fbi-used-computer-mac-addresses-against-lulzsec-hackers/)


The next comment is a bit of a double post as I've added it to Probe's thread on a similar issue, but for someone not bothered about the authorities, who just wants to encrypt mail, take a look at these offerings
Hacker 10 - Security Tips | Email encryption (http://www.hacker10.com/email-encryption/)

Hobo
1st Apr 2012, 17:12
Thanks for the very helpful replies chaps.

I wasn't thinking of doing anything illegal, I just wondered if using one of the free providers would sufficiently muddy the waters for yer average internet savvy punter.

So, hypothetically of course, from your replies, am I right in thinking that you could tell a certain party that you were emailing while on a layover in New York, when, in fact, you were in a discreet hotel in Chipping Norton, and all else being equal, the party would be none the wiser.

Milo Minderbinder
1st Apr 2012, 17:28
As long as your wife doesn't know how to read the e-mail headers, and doesn't know how to look up IP addresses using "whois" type services then you should be OK
However don't forget that women have inbuilt ESP and clairvoyance, and just know when these things happen. Especially those red haired green eyed Medea-like witches

elmetal
1st Apr 2012, 18:02
The answer is obviously to use a proxy on your laptop even when at home, that way you always look like you're sending them from the same place!

Lots of free proxies out there, and with ProxySwitch + Chrome, you can automatically have it activate proxy when you access www.gmail.com so you don't have to mess around with it.


Plus free proxies are usually slow so you would only want to use it when you are sending email

elmetal

Milo Minderbinder
1st Apr 2012, 18:08
If I've guessed the gist of his post correctly I get the impression that he's already fooling around with a proxy wife ...probably not free though

ThreadBaron
1st Apr 2012, 18:41
Send a letter/postcard with no return address ... jobs a goodun!

KBPsen
1st Apr 2012, 21:03
Gmail does not include the originating IP address in the header, only the IP of the Google server located somewhere in California.

Load Toad
3rd Apr 2012, 23:54
This may be useful: HTG Explains: What Can You Find in an Email Header? - How-To Geek (http://www.howtogeek.com/108205/htg-explains-what-can-you-find-in-an-email-header/)
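
Added illustration, not part of the original thread: what a recipient can read from the headers differs between a message submitted by a mail client and one sent through a webmail front end, as the posts above describe. Both sample messages are constructed, with documentation-range addresses and hypothetical host names; `hop_ips` and `exposed_client_ip` are names chosen for this example.

```python
import email
import re

# Constructed samples: a client submitting over SMTP, and a webmail send.
DIRECT = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Sun, 1 Apr 2012 07:30:02 +0000
Received: from [192.168.1.20] (host.isp.example [203.0.113.45])
\tby mx.example.net with ESMTPA; Sun, 1 Apr 2012 07:30:00 +0000
X-Originating-IP: [203.0.113.45]
From: sender@example.net
To: rcpt@example.org
Subject: test

body
"""
WEBMAIL = """\
Received: from out.webmail.example (out.webmail.example [198.51.100.99])
\tby mail.example.org with ESMTPS; Sun, 1 Apr 2012 07:31:00 +0000
Received: by out.webmail.example with HTTP; Sun, 1 Apr 2012 07:30:59 +0000
From: sender@webmail.example
To: rcpt@example.org
Subject: test

body
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(raw):
    """Return (hops, x_originating_ip); hops are ordered oldest first."""
    msg = email.message_from_string(raw)
    # Each relay prepends its Received line, so reverse to read sender-first.
    hops = [IP_RE.findall(h) for h in reversed(msg.get_all("Received", []))]
    m = IP_RE.search(msg.get("X-Originating-IP", ""))
    return hops, (m.group(1) if m else None)

def exposed_client_ip(raw):
    """Heuristic: the sender-side address a recipient could read, if any.
    Only hops added by servers the recipient trusts are reliable; older
    Received lines can be forged by the sender."""
    hops, xoip = hop_ips(raw)
    if xoip:
        return xoip
    # In the oldest hop the last bracketed IP is the connecting address.
    return hops[0][-1] if hops and hops[0] else None
```

For the webmail sample the only addresses present belong to the provider's own servers, so the function returns `None`; the provider's logs, not the message, hold the client address.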

Pontius Navigator
8th Apr 2012, 15:20
I have used WHOIS a few times. Sometimes the last bounce has been from a named account - a legal firm once, a church group another time. I guess they just have poor server security and have been hacked.

Saab Dastard
8th Apr 2012, 18:16
Having an open email relay doesn't mean that they have been hacked.

SD