To my mind, remailer vulnerability starts with the Net addresses used to send to them and send from them. It seems to me that a fortress remailer must solve two problems:

1) Getting a message to the remailer without knowing the remailer's Net address.

2) Sending a message from the remailer without revealing a Net address.

Problem 1 can be easily solved by having users send messages to various news groups the remailer scans. The messages would be encrypted with the remailer's public key. The remailer continuously scans for new messages encrypted with its public key. When it finds one, it decrypts it and processes it.

Problem 2 is the tricky part. How can the remailer inject a message back into the public Net without revealing its Net-location? If the remailer could solve this problem, then why couldn't everybody use the same solution, eliminating the need for remailers? The one possibility is that the solution requires something that most average users can't do or can't acquire economically (i.e. most everybody can grow their own food, but why bother).

I haven't come up with any really good ideas here. Here are a couple thoughts:

a) Using various hacker tricks to forge "From:" e-mail addresses.

b) Use short-lived addresses. Set the remailer up somehow so it can frequently acquire new e-mail addresses. Each address would only be used to forward a limited number of messages, and then it would be abandoned.

Jim_Miller@suite.com
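The scan-and-decrypt loop proposed for Problem 1, sketched as an added example that is not part of the original post: senders drop sealed blobs with no recipient field into a shared pool, and the remailer trial-decrypts every post, keeping those whose authentication tag verifies. The post names no cryptosystem, so the construction (X25519 key agreement, SHAKE-256 key derivation, HMAC tag) and the names `seal` and `scan` are assumptions chosen for illustration, not a vetted scheme.

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665           # Curve25519 field prime and ladder constant
BASE = (9).to_bytes(32, "little")      # standard base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (not constant-time; for illustration only)."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _derive(shared: bytes, epk: bytes, n: int):
    """Split a SHAKE-256 output into a 32-byte MAC key and an n-byte keystream."""
    okm = hashlib.shake_256(shared + epk).digest(32 + n)
    return okm[:32], okm[32:]

def seal(remailer_pub: bytes, msg: bytes) -> bytes:
    """Sender side: the post carries no recipient field, only epk | ct | tag."""
    esk = os.urandom(32)               # fresh ephemeral key per message
    epk = x25519(esk, BASE)
    mac_key, stream = _derive(x25519(esk, remailer_pub), epk, len(msg))
    ct = bytes(m ^ s for m, s in zip(msg, stream))
    return epk + ct + hmac.new(mac_key, epk + ct, "sha256").digest()

def scan(remailer_sk: bytes, posts):
    """Remailer side: trial-decrypt every post, keep those whose tag verifies."""
    found = []
    for post in posts:
        if len(post) < 64:             # too short to hold epk and tag
            continue
        epk, ct, tag = post[:32], post[32:-32], post[-32:]
        mac_key, stream = _derive(x25519(remailer_sk, epk), epk, len(ct))
        if hmac.compare_digest(tag, hmac.new(mac_key, epk + ct, "sha256").digest()):
            found.append(bytes(c ^ s for c, s in zip(ct, stream)))
    return found
```

Because every reader of the group fetches every post and a sealed post names no recipient, an observer of the pool cannot tell which posts the remailer acted on; the cost is one key agreement per post scanned.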