M2Usenet

Every submission follows this route, all over Tor:

Browser → M2Usenet web interface (Tor hidden service)
  ↓
Onion mail2news gateway (primary)
  ↓  clearnet fallback if primary unavailable
NNTP server: peannyjkqwqfynd24p6dszvtchkq7hfkwymi5by5y332wmosy5dwfaqd.onion
  ↓
Usenet propagation

The NNTP server operates exclusively as a Tor hidden service. Originating IP addresses are structurally unloggable — the server only ever sees Tor exit traffic.

Creating an identity

In the web interface, choose a pseudonym and an optional address, then click Generate New Keypair. The interface creates a fresh Ed25519 keypair in your browser. Your public key becomes your verifiable identity — anyone can check that posts signed with it came from the same keypair, without knowing who holds it.

Saving and reusing your keypair

Download your identity file after generation. It contains your keypair bound to your chosen pseudonym. On future sessions, load the file to restore your identity — your posts will carry the same public key and signature, making them attributable to the same pseudonym over time.

The private key never leaves your browser and is never sent to the server. If you lose the file, the keypair is gone — there is no recovery mechanism, by design.

Single-use mode

If you do not load or save a keypair, the interface generates a fresh ephemeral keypair for each session. Posts are signed and authenticated but carry no persistent identity. Each session is cryptographically unlinked from the previous one.

Open, registration-free posting is only viable with a spam barrier. M2Usenet uses Hashcash — a computational proof-of-work scheme — to make bulk posting economically expensive without requiring any account.

How it works:

1. Your browser assembles a challenge from a timestamp, the destination newsgroup, and a 64-bit nonce, combined with your message content.
2. It increments the nonce and computes SHA-1 hashes until finding one with 24 leading zero bits. This takes roughly 16 million hash operations — around 5 to 15 seconds on a modern CPU.
3. The resulting stamp is attached to the post.
4. The server verifies the stamp in microseconds, checks that the timestamp is within a ±2 hour window, and rejects any stamp already seen (replay prevention via a spent-token database).

For a single post the cost is negligible. For an automated spam campaign sending 1,000 messages, the cost is approximately 5 CPU-hours — enough to make it uneconomical. You can adjust the difficulty level in the interface: higher bits means stronger protection but longer wait.

Every post is signed with an Ed25519 key before submission. The signature proves that the message body has not been tampered with in transit and that it originated from whoever holds the corresponding private key.

The private key is generated in your browser via a cryptographically secure random number generator. The complete message body is signed, producing a 64-byte signature that travels with the post alongside the public key. The server validates the signature before accepting the post.

Ephemeral keypairs ensure that different sessions are cryptographically unlinkable — unless you intentionally load a saved identity to maintain continuity.

The posting form at m2usenet.virebent.art walks you through three steps:

Step 1 — Identity

Load an existing identity file, or create a new one by entering a pseudonym and generating a keypair. The status indicator confirms which identity is active. Skip this step to post ephemerally.

Step 2 — Proof-of-work

Select a difficulty level and generate the Hashcash stamp. The browser runs the computation locally. Copy the resulting token — you will paste it into the post form.

Step 3 — Post

Fill in the post form:

• From — your pseudonym or any string (not verified)
• Newsgroups — up to 3 groups, comma-separated
• Subject
• References — Message-ID of the post you are replying to (optional)
• X-Hashcash — paste the stamp from Step 2
• Message body

Submit. The gateway signs the post with your active keypair and routes it through the Tor hidden service chain. No confirmation email, no account, no record of your submission.