Servers of email host used in US school bomb threats seized by German police

Cock.li was allegedly used by an unknown person to send bomb threats to Los Angeles and New York schools earlier in the month.

canfield-use-jpg.jpg
(Screenshot via Vincent Canfield; video)

An email provider, thought to have been used to send threatening emails to a number of US school districts earlier this month, had a hard drive that contained "all data" on the company seized by German authorities.

In a brief video statement posted late in the day on Monday, Cock.li owner Vincent Canfield confirmed that the site's SSL keys (for encrypted site access), Secure Shell host keys, and full mail content of the site's 64,500 users, as well as hashed passwords, registration time, and the last week's worth of logs were all confiscated by the police from its Bavarian datacenter.

'Dark mail' debut will open door for Lavabit's return, says Ladar Levison

The new encrypted email protocol may land as soon as this month.

Read More

The site suffered minimal downtime, he said, noting that the email provider is still operational, because the mirrored server configuration kept a backup on another hard disk. One of the two disks was taken by German police.

Canfield, who recently moved to Romania, said on Tuesday that he had regenerated the site's SSL keys, and registration to the site was open again.

Cock.li was said to have been used earlier in December to send emailed bomb threats to a number of US schools, which led to the complete shutdown of Los Angeles' school district. New York City's schools remained open after dismissing the email as a "cut-and-paste" hoax.

Although he did not speculate as to why his servers were raided, he said that people can "draw your own conclusions based on stuff that's been happening," likely referring to the email hoax.

He added that while he has complied with US subpoenas before, he noted that he has "had no dealings in the past with the German authorities at all."

The email provider was served its most recent subpoena by New York City Police on November 15, the day the email was reportedly sent, and a day prior to the school shutdown, which Canfield published on his site.

Police demanded IP addresses, MAC addresses, phone numbers, and "other user information" pertaining to the email address, which police said sent the threatening email.

The email provider was also served unrelated subpoenas on November 4 and November 10.

The seizure of the email service is reminiscent of Lavabit, founded and operated by Ladar Levison who shut down his service shortly after whistleblower Edward Snowden revealed in a press release that he used the service, in order to prevent US federal agents from acquiring his private encryption keys.

Levison, a native of Dallas, Texas, said earlier this year that the service could one day return to the web with the roll out of his new encrypted email protocol, dubbed "dark mail."

Corrected: with an update regarding Secure Shell keys, not private user keys.