Perhaps this has been discussed before (I am often guilty of Not Paying Attention(tm)), but would security not be improved for the remailers if people used some simple software to connect to the remailer via socket 25 and send the message that way, rather than leaving log files on their host? For remailers run from student account security could be increased by doing the same; preventing log files by using direct SMTP connections? Ex: (1) User composes message. (2) User encrypts to recipient. (3) User encrypts to remailer. (4) User then mails to remailer using a small program to handle the SMTP connection directly. (5) Remailer (perhaps running on a student account) decrypts message with its secret key. (6) Remailer manually (whenever it gets around to it (to guard against traffic analysis)) SMTP's the message to the recipients host. (7) Recipient decrypts message. Of course these security gains could be circumvented by root (on the remailer) in several different ways, but it would take much more work I would think. Hell, it could be that the remailers already do this (I don't have the code) but I doubt if many people send mail to the remailers by connecting to port 25 of the host. -Sam