Matt Blaze says:
I think the best solution is to require any message sent through a remailer to include explicit instructions as to how it should be handled. [...] Messages that don't include the field should bounce, probably with some instructions as to how to fix the message to make it go through properly.
For messages that are deliberately sent through remailers, I agree that the sender should provide explicit instructions to direct the operation of the remailer. However, I would note that the mere act of deliberately using a particular remailer can constitute an explicit instruction for the remailer to perform its "standard" processing.

Messages that are inadvertently sent through remailers by innocent folk who simply reply to a (pseudonymous) message that they have received, or simply write to an address that they have seen advertised, are different. I think that such messages should function as much like ordinary (non-anonymous) mail as possible, consistent with the goal of protecting the recipient's identity, to avoid surprising the innocent sender. Servers like the present implementation of anon.penet.fi do not satisfy this requirement.

--apb (Alan Barrett)