It seems that an anonymous remailer can operate in one of three ways - it can reveal your psuedonym, it can reveal your identity, or it can reveal nothing and simply give you a generaic "anonymous" identity. Unfortunately each mode of operation is inapproprate as a default behavior: - If it reveals your psuedonym, you could inadvertently expose map your name to your psuedonym if you reply to a remailed message and include your real identity. - If it reveals your real identity, this could lead all sorts of obvious problems with people who don't expect this behavior. - If it simply strips out all identifying information and calls you some generic anonymous name, this could lead to problems for people who expect a reply to their messages. I think the best solution is to require any message sent through a remailer to include explicit instructions as to how it should be handled. For example, require something like an "X-Identify:" field that would be used to select the return address behavior, with options like "real-id", "psuedonym", or "anonymous". Messages that don't include the field should bounce, probably with some instructions as to how to fix the message to make it go through properly. -matt