Fog

Mix Networks

Sphinx mixnet anonymous SMTP relay over Tor hidden services. Send email or Usenet posts through a multi-hop onion-encrypted network that provides sender unlinkability even against global passive adversaries.

▸ Fog is an open relay. The FROM address can be anything — including forged. Never trust sender identity without independent cryptographic verification (PGP/GPG). This is a feature, not a bug: it enables true sender anonymity.

▸ We are looking for node operators to expand the Fog network. If you run a VPS and care about privacy infrastructure, read the self-hosting section and reach out via the contact page.


What Fog is

Fog is a free-software anonymous SMTP relay written in Go, built on the Sphinx packet format — the same provably-secure mix format used by Nym and Katzenpost. Messages are routed through a variable number of independent nodes, each applying layered Curve25519 ECDH encryption and randomised delays. No single node — and no external observer — can link sender to recipient.

Unlike traditional anonymous remailers, every Fog node is simultaneously an entry point. There is no designated gateway to attack or monitor. All five current nodes accept SMTP submissions via Tor on port 2525.

Source: github.com/Virebent-do-ART/fog


Entry points

Connect to any node via Tor on port 2525. All five are equivalent — pick any one, or rotate between them.

Node    Onion address                                                   Port
kvara   ej5dj774rkmfxvo3jexcmyotkq6bwgmr45dmwrbmk366lcvalnrgolad.onion  2525
dries   iycr4wfrdzieogdfeo7uxrj77w2vjlrhlrv3jg2ve62oe5aceqsqu7ad.onion  2525
mct8    66ehoz4ir6beuovmgt4gbpdfpmy43iuouj36dylqvkwgyp2dwpcbvjqd.onion  2525
news    y3lozzcvvxgorgfofupvfmn4j2fuu3sz2sw7ha3ifpcsxjkuafllzvyd.onion  2525
pietro  ejdrw3ka2mjhvsuz7uxjnzjircsdpoiu3a33g2xoywlafqetptjpqryd.onion  2525

To submit a message, configure your mail client or tool to use one of the above addresses as an SMTP relay (via Tor SOCKS5 proxy) on port 2525. No authentication is required — Fog is an open relay by design.

Every node in the network can act as an introduction point — there is no architectural distinction between entry, relay, and exit roles. Any node that receives a Sphinx packet can be the first hop for a new message and can also relay packets originated by other nodes. This means the network has no fixed topology to map and no privileged nodes to target.


How it works

When you submit a message, Fog wraps it in a Sphinx packet with a randomly selected route of 3 to 6 hops through the node pool. Each node decrypts only its own layer using per-hop ECDH (Curve25519), learns only the next hop address, and forwards a fixed-size packet. The number of hops and the node selection are randomised independently for every message.

You (SMTP → any node via Tor :2525)
  ↓
  Sphinx packet: N layers, N = random(3..6)
  ↓
Node A — strips outer layer → knows: next = Node C
  ↓  [Poisson delay, batch window 30s]
Node C — strips next layer → knows: next = Node B
  ↓  [Poisson delay, batch window 30s]
...
Exit node — strips final layer → delivers to recipient MTA
  ↓
Recipient

Because the hop count is variable and randomly chosen per message, an attacker who compromises one node cannot determine whether they are seeing the first hop, an intermediate hop, or the last.


Protocol properties

Packet format   Sphinx — provably secure, per-hop ECDH with Curve25519
Hop count       3 to 6 hops, randomly selected per message
Entry points    All 5 nodes — no single gateway to surveil or block
Batch window    Messages collected in 30-second windows, shuffled, released together
Timing          Poisson inter-message delays (exponential distribution)
Size padding    9-bucket adaptive normalization, recomputed hourly
Key rotation    Dynamic PKI — automatic key rotation every 3 hours
Logs            None — zero metadata retention
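
The batch window and Poisson timing rows above, as an added simulation of a single hop (example code written for this page, not taken from the Fog source). The 20-second mean delay, the seeded math/rand generator and the msg and mixHop names are assumptions, and the order of operations (delay first, then hold until the window closes) is one possible reading of how the two mechanisms combine.

```go
package main

import (
	"fmt"
	"math/rand"
	"sort"
	"time"
)

const batchWindow = 30 * time.Second // batch window stated on the page

type msg struct {
	ID              int
	Arrive, Release time.Duration // offsets from the start of the simulation
}

// mixHop models one hop: each message waits an exponentially distributed
// delay (assumed mean), is held until the end of the 30-second window it
// lands in, and leaves in shuffled order with the rest of that batch.
func mixHop(in []msg, meanDelay time.Duration, seed int64) []msg {
	rng := rand.New(rand.NewSource(seed)) // repeatable demo; a node needs a CSPRNG
	batches := map[time.Duration][]msg{}
	for _, m := range in {
		ready := m.Arrive + time.Duration(rng.ExpFloat64()*float64(meanDelay))
		m.Release = ready.Truncate(batchWindow) + batchWindow // end of its window
		batches[m.Release] = append(batches[m.Release], m)
	}
	flushes := make([]time.Duration, 0, len(batches))
	for f := range batches {
		flushes = append(flushes, f)
	}
	sort.Slice(flushes, func(i, j int) bool { return flushes[i] < flushes[j] })
	var out []msg
	for _, f := range flushes {
		b := batches[f]
		rng.Shuffle(len(b), func(i, j int) { b[i], b[j] = b[j], b[i] })
		out = append(out, b...)
	}
	return out
}

func main() {
	var in []msg
	for i := 0; i < 12; i++ { // constructed input: one arrival every 4 s
		in = append(in, msg{ID: i, Arrive: time.Duration(i) * 4 * time.Second})
	}
	for _, m := range mixHop(in, 20*time.Second, 1) {
		fmt.Printf("msg %2d in %3.0fs out %3.0fs\n", m.ID, m.Arrive.Seconds(), m.Release.Seconds())
	}
}
```

An observer of the hop's output sees only the flush times and the shuffled batch order, so arrival order inside a batch is not recoverable from the release order.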

Security guarantees

Threat                         Countermeasure
Traffic analysis by size       9-bucket adaptive padding — all forwarded packets fall into normalized size classes
Timing correlation             Poisson delays + 30-second batch mixing before each forward
Node compromise                Sphinx onion encryption — a compromised node learns only its two adjacent hops
Variable-hop uncertainty       3–6 hop range means an attacker cannot determine position within the route
Tagging / packet modification  Sphinx MAC on each layer — modified packets are silently dropped
Replay attacks                 Per-message nonce + replay cache with TTL at every node
Key compromise over time       Dynamic PKI with 3-hour rotation — past sessions protected by forward secrecy
Persistent metadata            Zero logs — no sender address, no routing history, no plaintext retained at any node
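
One way a hop can enforce the tagging and replay rows above, as an added example that is not Fog's own code: the MAC is checked first, and only authenticated packets reach the replay cache. HMAC-SHA-256 stands in for the Sphinx per-layer MAC, and replayCache, computeMAC, admit and the sample key and header are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
	"time"
)

var errBadMAC, errReplay = errors.New("bad MAC"), errors.New("replayed packet")

// replayCache holds tags of accepted packets. Keep ttl >= the node key lifetime
// (3 hours per the page), or an expired tag replays while the key still works.
type replayCache struct {
	mu   sync.Mutex
	ttl  time.Duration
	seen map[[32]byte]time.Time // tag -> expiry
}

// computeMAC uses HMAC-SHA-256 as a stand-in for the Sphinx per-layer MAC.
func computeMAC(key, header []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(header)
	return h.Sum(nil)
}

// admit authenticates before touching the cache, so a modified packet can
// neither dodge the replay check nor fill the cache with junk tags.
func admit(c *replayCache, key, header, mac []byte, now time.Time) error {
	if !hmac.Equal(computeMAC(key, header), mac) { // constant-time compare
		return errBadMAC // caller drops the packet silently
	}
	tag := sha256.Sum256(header) // header carries the per-message nonce
	c.mu.Lock()
	defer c.mu.Unlock()
	if exp, dup := c.seen[tag]; dup && now.Before(exp) {
		return errReplay
	}
	c.seen[tag] = now.Add(c.ttl) // a long-running node would also sweep expired tags
	return nil
}

func main() {
	c := &replayCache{ttl: 3 * time.Hour, seen: map[[32]byte]time.Time{}}
	key, hdr := []byte("constructed hop key"), []byte("nonce=0001;next=hopB")
	mac, now := computeMAC(key, hdr), time.Now()
	fmt.Println(admit(c, key, hdr, mac, now), admit(c, key, hdr, mac, now))
}
```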

What Fog does not protect against

  • Unencrypted message content. Fog anonymises the transport path, not the payload. Encrypt the message body with PGP before submitting. The exit node delivers whatever you send — plaintext or ciphertext.
  • Recipient-side visibility. The exit node must know the destination address to deliver. The recipient's mail server sees a Fog exit node address, not your IP — but the delivery event itself is visible.
  • Content-based deanonymisation. Writing style, vocabulary, specific details, or unique knowledge can identify you regardless of transport. Use a consistent pseudonym and avoid fingerprinting markers in what you write.
  • Global passive adversary at scale. Sphinx delays and batch mixing raise the cost of intersection attacks significantly, but a sufficiently resourced adversary observing all network segments simultaneously remains a theoretical threat.

Self-hosting a node

Build requirements: Go 1.21+. No CGO required.

git clone https://github.com/Virebent-do-ART/fog
cd fog
go mod tidy
CGO_ENABLED=0 go build -ldflags="-s -w" -o fog ./cmd/fog

Run as a dedicated non-privileged user:

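# System account with no login shell
useradd -r -s /sbin/nologin -d /var/lib/fog fog
# Create the config directory first; install does not create missing parent directories
install -d -o fog -g fog -m 750 /etc/fog
install -o fog -g fog -m 750 fog /usr/local/bin/fog
install -o fog -g fog -m 640 config.toml /etc/fog/config.toml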

Each node needs a Tor hidden service configured to forward port 2525 to the local SMTP submission listener. Node-to-node Sphinx traffic is also routed over Tor — no clearnet exposure is required or recommended.

To join the network, exchange your onion address and public key with existing operators so nodes can include you in route selection. A systemd unit file is included in the repository.


Join the network

The Fog network needs more independent nodes to provide meaningful anonymity sets. If you run a VPS, want to operate a node on a best-effort basis, and are comfortable with Go and Tor configuration, get in touch.
