New IDM captures Tor downloads? False or True?

8 months ago


I always visit some email accounts using Tor.
And Tor always was able to download attached files by itself.

Recently, I updated IDM (Internet Download Manager) to 6.23.
Unexpectedly, I saw IDM handling that attached file when I clicked to download it. :o

So, my question is how compromised was that operation?
Tor and its Firefox was the browser to access that server where I have my email account.
I think the server marked that tunneled IP, not my real one.
And IDM could captured the file AFTER Tor had put its hands on it.

Thus, I guess the logged IP on the server is Tor IP, not my real one.
Am I right?
Or IDM revealed the real IP when it captured the attached file?

Please, some advice.

8 months ago

I think TRUE.

As long as your IDM wasn't configured to use Proxy localhost:9050, it sends direct request from your real IP with sessid of your account.

To avoid this situation in future, you should block all outgoing traffic except Tor.
Or use Tails/Whonix/corridor.

8 months ago

Thank you, TOR Hacker.

So, you are saying that IDM sent my real IP to that server and it was saved there on its log file?
I thought the transaction was established between Tor Browser and the mail server. IDM had received the data of the download [u]after[/u] the connection from the browser and had used its Tor IP.

May you explain better this transaction, handshakes, ports and protocols among IPs?

8 months ago

Well, this is only my GUESS, because I don't know your email server, your configuration, etc.

But let's discuss the most probable case:

1) Tor (the application) chooses random Tor Exit Node from public list, makes virtual circuit to it and creates localhost:9050 that acts like socks5 proxy. Pretty much the same as "SSH Tunneling" (plink.exe or 'ssh -D'), if you are familiar with this technique.

2) Tor Browser uses Socks5 proxy to access Internet (Firefox: Options -> Advanced -> Connection). Tor application receives that traffic, routes it to Tor Exit Node, and Tor Exit Node makes request to target website ("Email server").

3) Email server responds to Tor Exit Node with login page. You see that page in your browser.

4) You type in Login and Password, press Enter, Tor Exit Node submits your form to Email server.

5) Email server responds with HTML view of your mailbox.

As long as you are inside Tor Browser, all traffic continues to travel through Socks5 proxy on localhost -> Tor Exit Node -> Email server. Your real IP is hidden.

Now let's discuss your Email server. For example, imagine there are only 3 users on it: alice, lis, martin. Let's send them 3 different letters:
Hello, Alice, please click here:
Hello Lis please click here:
Hello Martin,

Now let's wait some time and then see ourserver's logs. If we found in logs somebody was visiting "", we would definitely know this is Martin. Because of user=3.

I don't know what server do you actually use. In Gmail link to download original attachment looks like this: /h/tx0derq50qxd/?view=att&th=28f31aa19ba3f28e&attid=0.2&disp=inline&realattid=file2&safe=1&zw

If you are Gmail admin, you can find the account & letter I took this link from. Just search values 'tx0derq50qxd' and '28f31aa19ba3f28e' . If I have downloaded this attachment before, you can also find my IP.
Do you understand how?

So now, what we have:

6) You used IDM to download some link. And that link was tied to your mailbox. (I am pretty sure your Email server doesn't let strangers to download random attaches, so every link contains Session ID or something similar). And I assume your IDM was not configured to use proxy, so it went directly from your IP.

So now what we have in Email server logs?

IP Address of Tor Exit Node, that logs in to mailbox.
Credentials (username, password).
Session ID that was assigned to Tor Exit Node after successful login.
And then some another IP Address that downloaded attach during the session with this Session ID.

Session ID was valid, session was active, just IP was different. And that was YOUR REAL IP.

PS: There are many chances they do not log every download, only sign ins. Or, they could log both, but in different places and without cross reference. Probably, session ID's are not logged, and all session data is discarded after session expires... Who knows? But in theory you gave them enough information to de-anon you.

8 months ago

Thank you very much, TOR Hacker!
Excellent explanation, almost a lecture. :D

My email server is not Gmail.
I'm not so technical expert, but I could understood your examples.
I thought that Tor Exit Node would handle every access to email server and would give the file to IDM. In this case, IDM was talking to Tor, not to server.
But you showed more details on this conversation.

I think, the question is answered and the thread is solved.

Once again, thanks.

But feel free to add any cent you want to our learning level.



You are not logged in. Login or register to reply on this thread.