Remailing with USPS

by Samuel A. Bancroft (SamuelBancroft@gmx.com)

Using the United States Postal Service (USPS) almost daily was common for those of us growing up before the Internet was in every household.  Postal hacking has a rich history that dates back to the 1700s in the United States.  Many amazing examples of social engineering were conducted over the postal service and serve as textbook examples for today's hacker.

For those reading this publication who grew up in the age of email, it's my hope that this article will whet your appetite to learn more about the post office and how it works.  This article will touch upon the topic of remailing a letter in order to obfuscate the origins of the mailing source.  Using a remailing service is perfectly legal.  In fact, it's used by philatelists to collect postmarks.

That said, don't try to cheat the post office out of 49 cents.  Although it's extremely easy to do since the face canceling machines have a serious handicap when it comes to recognizing stamps, don't do it.  Saving a few cents in postage is not worth going to federal prison over.  Also, while remailing a letter is perfectly legal, using the postal service to mail/remail anything illegal will get you in a world of hurt, so don't do anything stupid.

Postmark

When you mail a letter, the recipient can determine where it was mailed from by looking at the stamp's cancellation, also called the postmark, in the same way the header of an email can be examined to determine the source of a message.

This is because all of the United States' post offices are required to cancel all stamps with a die engraved with the following information:

A.)  The mailing date (day, month, and year) if used on First-Class Mail; the month and year of mailing may be shown on Standard Mail.

B.)  The words "Mailer's Postmark" followed by the permit number and enough lines to deface (cancel) the postage.

C.)  Either the city, state, and five-digit ZIP Code of the post office where the pre-cancel permit is held and the mailing is to be deposited, or the words "Mailed From ZIP Code" followed by the five-digit ZIP Code of the mailing office.  (If that post office is assigned more than one five-digit ZIP Code, the pre-cancel postmark must show the five-digit ZIP Code assigned to the postmaster.)


Format A is the most common cancellation, while Format B is only used by authorized post offices that have the die.

That said, there may come a day when you want to avoid giving away your general location to the recipient of your letter.  If one were in need of sending an anonymous email, a remailer such as Mixmaster or Cypherpunk could be used.  The principle behind a remailer is to forward an email to multiple locations in order to obfuscate the source's identifying information and make it hard to trace the message to the original sender.  A physical letter can be "spoofed" in a similar manner by using a remailer.

Remailers

So how does remailing work?

A stamped and sealed envelope containing a message and the final destination is put inside another envelope which is addressed to the remailer.  The letters are then received by the remailer and the outer shell of the letter is opened and discarded.  The inner envelope is mailed from the remailer's location.  The outcome is that the recipient of the envelope containing the message is unable to determine the source's location by looking at the postmark.  The recipient would only see the cancellation stamp of the remailing post office with no evidence that a remailer was used.

A quick Startpage.com search will reveal that there are plenty of private remailing services available.  For example, Texasremail.com will happily remail your letters for $2 per envelope.  Using a private remailing service is the most expensive method to remail letters, but they may provide more security by receiving your letter in one post office, then driving to another post office to mail the letter.

The cheaper route would be to have USPS remail your letters for free.  This method may be familiar to you already if you have ever sent letters with a novelty postmark.  If you are not familiar with novelty postmarks and were born in the 2000s, ask your parents about it.  I'm sure they will be familiar with it.

Using USPS as a Remailer

The process to have USPS remail your letter is simple and straightforward.  Prepare your letter as explained previously.

Follow the format below to enter the remailing post office on the outer envelope:

[Name of City] Post Office
POSTMASTER
"Remailing"
[City], [State]  [ZIP Code]

For example, if you are in a HOPE spirit, you may use the following USPS post office to remail a letter:

Hope Post Office
POSTMASTER
"Remailing"
Hope, AK 99605

You don't need to add a return address if you are using First Class, but will have to include a return address if you use Priority Mail or send a package.

Of course, the return address can be anything you like.  Keep in mind that if USPS has an issue with your mailing (change of address, return to sender request, damage to the envelope causing the addressee's address to be unreadable, etc.), USPS will return the mailing to the return address.

That said, using a return address like:

9800 Savage Road
Fort Meade, MD 20755

might not be in your best interest...

Also, if you send First Class without a return address and USPS has problems similar to those mentioned before, the envelope will be opened and examined.  USPS does this to try to identify either the sender or addressee of the letter.  The mailing is destroyed if neither address can be determined after the mailing has been opened.

Shortcomings of Remailing

So you place your post into a USPS collection box and feel confident that you will remain anonymous.  Should you?

Perhaps if you are sending 2600 hate mail, you will remain anonymous.  But that's because 2600 doesn't have the resources to find you; at least I'm assuming they don't.  Either way, I would be careful if I were you!

What if you are being persecuted by a group which has the resources to stage massive surveillance?

The first thing we have to consider is that all mail that USPS handles is tracked and photographed [1] from beginning to end.

Barcodes

USPS uses various barcodes to track its mailings, one being a 31-digit, 65-bar, height-modulated, four-state barcode called Intelligent Mail barcode.

It's also known as the USPS OneCode Solution or USPS Four-State Customer Barcode.  It's often abbreviated as 4CB, 4-CB or USPS4CB. [2]

Intelligent Mail

Intelligent Mail was created to consolidate the data of the Postal Numeric Encoding Technique (POSTNET), and the Postal Alpha Numeric Encoding Technique (PLANET) barcodes, along with additional data, into a single barcode.

Intelligent Mail includes tracking and routing information for each mail item.  The different barcode systems can be told apart as follows: Intelligent Mail uses a 65-bar four-state barcode, POSTNET uses a 62-bar two-state barcode, and PLANET uses a 72-bar two-state barcode.
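As an added illustration (not part of the original article), the Python sketch below splits the digit payload carried by an Intelligent Mail barcode into the tracking and routing fields of the published USPS layout, showing how much sender and destination metadata rides on every envelope.  It goes slightly beyond the 31-digit case by also accepting the shorter routing codes; the function and class names are my own, and the sample digits are constructed, not taken from a real mail piece.

```python
from dataclasses import dataclass

# Routing code length (digits after the 20-digit tracking code) -> meaning.
ROUTING_KINDS = {0: "none", 5: "ZIP", 9: "ZIP+4", 11: "ZIP+4 + delivery point"}


@dataclass
class IMbPayload:
    barcode_id: str     # 2 digits, second digit limited to 0-4
    service_type: str   # 3 digits, class of mail and requested services
    mailer_id: str      # 6 or 9 digits, identifies the mailer
    serial: str         # 9 or 6 digits, identifies the individual piece
    routing: str        # 0, 5, 9 or 11 digits, destination ZIP data
    routing_kind: str


def parse_imb_digits(digits: str) -> IMbPayload:
    """Split an IMb digit payload (20, 25, 29 or 31 digits) into fields."""
    digits = digits.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("payload must contain only decimal digits")
    if len(digits) - 20 not in ROUTING_KINDS:
        raise ValueError("payload must be 20, 25, 29 or 31 digits long")
    tracking, routing = digits[:20], digits[20:]
    if tracking[1] > "4":
        raise ValueError("second Barcode Identifier digit must be 0-4")
    # Nine-digit Mailer IDs begin with 9; six-digit ones begin with 0-8.
    mid_len = 9 if tracking[5] == "9" else 6
    return IMbPayload(
        barcode_id=tracking[:2],
        service_type=tracking[2:5],
        mailer_id=tracking[5:5 + mid_len],
        serial=tracking[5 + mid_len:],
        routing=routing,
        routing_kind=ROUTING_KINDS[len(routing)],
    )


# Constructed sample: 20 tracking digits plus an 11-digit routing code
# built on the Hope, AK ZIP Code used earlier in the article.
SAMPLE = "00 270 103502 017955971 99605 0000 01"

if __name__ == "__main__":
    print(parse_imb_digits(SAMPLE))
```
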

The post office uses large canceling machines called Advanced Facer-Canceler System (AFCS), manufactured by Siemens Energy and Automation, Inc.  In 2008, USPS replaced its 20-year-old fleet of AFCS with 550 of the new Siemens AFCS 200.  The upgrade cost USPS $245 million.

The AFCS systems are responsible for orienting mail, photographing the front and back of the envelope, determining if the envelope has a stamp or postage meter, applying a postmark if the mail piece has a stamp, determining and applying the correct Intelligent Mail barcode, and sorting the mail.

Special Orange Fluorescent Barcode

If the address is handwritten, the AFCS will use handwriting recognition to determine the destination address and automatically spray the Intelligent Mail barcode if it has enough confidence in its recognition.

If the system is unable to read the handwriting, a photograph of both sides of the envelope is sent to one of the two Remote Video Encoding (RVE) facilities still in use.  A special orange fluorescent single-state 40-bar barcode is sprayed onto the envelope to identify it later. [3]

At the RVE facility, staffers examine the images of the envelopes sent by the mail processing center and punch in addressing information in a special shorthand.  Later, the envelopes are run through the machines once more and the RVE information is read.  The machine links the information entered at the RVE facility with the envelope and sprays the appropriate Intelligent Mail barcode on the envelope. [4, 5]


The data fields used in the USPS Intelligent Mail barcodes.

Mail Covers

Apart from each parcel being tracked by barcodes, for the past decade, USPS has been photographing the front and back of letters in a program called Mail Isolation Control and Tracking.  Photographs of the envelopes are known as mail covers.

These mail covers are collected by the NSA.  It's the NSA's analog version of the metadata collection they have been doing to our phone calls and emails. [6, 7]

Also, other agencies can acquire mail covers from USPS.  To learn more about how authorities go about requesting mail covers from USPS, see "USPS Procedures Mail Cover Requests," which can be read online [7] with annotations or downloaded [8] in PDF form.

One can start to see how the origins of a letter can be worked out by using a combination of barcode and mail covers.

A Theoretical Situation

Say Suzy sends a sensitive letter via a USPS collection box in Texas to a newspaper in New York and she uses a post office in Virginia to remail the letter.

The letter is then intercepted or reported to the authorities in New York.  The authorities will quickly know the specific post office in Virginia which handled the letter due to the postmark.  Agents will consider two possibilities: the letter was originally mailed from Virginia, or it was remailed from Virginia.  Say agents determine it was remailed from Virginia.

Two things will likely happen at this point:

1.)  Agents will visit the post office in Virginia to investigate further, perhaps going through the post office's trash to find the original envelope - the outer shell of the letter used for the remailing.

2.)  The USPS and/or NSA will provide the authorities with mail covers of the front and back of all mail arriving at the Virginia post office on the date in question.  A letter sent from Texas to Virginia addressed to the Postmaster for remailing will be found.

With the mail cover or original outer shell envelope, the possible city of origin can be known, along with the date and time the letter was postmarked - in Suzy's case, Texas.  If mail is processed as it arrives from mail carriers, then specific mail carrier(s) that brought the letter in question can be derived.

For instance, if the letter was processed at 6 pm and Mr. McFeely, a friendly mail carrier, arrived at the small post office with the day's mail at 5:30 pm, then it's probable that McFeely and perhaps a handful of other carriers were the ones who brought Suzy's letter.  Their routes would be examined.  Agents can then pull video feeds from cameras around the routes for the specific date on which Suzy's letter was received in the Texas post office.

Everyone dropping a letter into the mail collection boxes would be viewed as a suspect.  At this point, Suzy may have been identified or placed on a suspect list.  If Suzy used a collection box in a part of the city with plenty of cameras, investigators could theoretically follow her back to her car and lift her vehicle's license plate.  If she used mass transit, they would be able to follow her via video and/or payment method back to her home.

While the above is taking place, the actual physical envelopes found in Virginia and New York will be sent to the labs where fingerprints will be lifted, DNA will be searched for - licks of the envelope or hair that may have made its way into the envelope - and handwriting analysis will be performed.  The handwriting can be compared to past mail covers from suspects.  Remember, the NSA has been collecting mail covers since 2001.  If the NSA has an automated system to compare handwriting samples to the database of mail covers it has collected, then Suzy may be identified fairly easily.  If the letter and envelope address were printed on a color inkjet printer rather than handwritten, the printer's ID and time stamp will be lifted instead.  At this point, things will not be looking too good for Suzy.

Bibliography

  1. Systems at Work  [2:36, 5:18]  (YouTube)
  2. ribbs.usps.gov/intelligentmail_mailpieces/documents/tech_guides/SPUSPSG.pdf
  3. Ever Wonder How Mail is Sorted?  [1:00]  (YouTube)
  4. How It's Made: Mail  (YouTube)
  5. Poor Penmanship Not a Problem for U.S. Postal Service
  6. U.S. Postal Service Logs All Mail for Law Enforcement
  7. U.S. Postal Service Logging All Mail for Law Enforcement
  8. USPS Procedures - Mail Cover Requests  This publication provides instructions to law enforcement agencies requesting a mail cover as part of a criminal investigation.  All conditions and procedures contained in these instructions must be met before a mail cover can be authorized.