It seems clear now that the default behavior of the anon.penet.fi remailer (generating only one anonymous ID per user, and anonymizing all messages to other anon users with that ID) is inadequate. At the same time, Julf argues persuasively that users have come to expect that their replies to anonymous Usenet articles will be anonymized. The current na/an address workaround is okay, but I think we could do better. Here's my scheme: When a user first mails to or through a penet-style remailer, the remailer software will automatically allocate an ID for the sender's return address, as usual. _But_, it will keep this number secret, in an internal database. Let's consider this ID to be a binary number. The remailer appends to this ID number some "salt" bits (random bits, perhaps with some time-stamp info to guarantee that the same salt bits are never applied twice, if the RNG is weak). This collection of bits is then encrypted with a secret key only the remailer knows (note: this should _not_ be the secret half of a public/private key pair, for reasons that should become clear). The encrypted bit string is converted by a uuencode/armourtext process that produces characters that will be legal for an e-mail address. This is then used for a return address. When someone wants to reply to an anonymous message or post, the remailer decrypts the address, ignores the "salt" bits, looks up the anonymous ID in its database, and sends it on to the desired recipient. The advantage of this scheme is that no two messages will have the same return address, and no information about the sender can be gleaned from the return address; yet the remailer can allow replies to every message without keeping any more records than it does under the current version. A couple disadvantages could be running out of bits for the return address, and adding more encryption work for the remailer. You'd definitely have to own the machine, and implement some, er, different mailing software, since you'd have to accept mail for users with any random name whatsoever. And, of course, this method is only useful for penet-style remailers, not cypherpunk/mixnet remailers which should not remember anything about messages that pass through. What do you all think about this for a "Mark II" anon.penet.fi? Joe