I'm looking into reconfiguring anon.lcs.mit.edu (a.k.a. nym.alias.net) in ways that will improve performance and reliability. This could involve several changes (either temporary during testing, or even permanent) that might affect the privacy of users. I hope these changes won't affect people who use anon.lcs.mit.edu and nym.alias.net according to the instructions, but given the sensitive nature of anonymous services, I want to alert people of these changes to avoid any surprises. * 'Received:' headers may suddenly appear. Currently, anon.lcs.mit.edu does not add 'Received:' headers to any mail it relays or delivers to nym.alias.net aliases. Since the anonymous remailers mix@anon.lcs.mit.edu and config/send@nym.alias.net already strip header information upon receiving messages, this shouldn't really affect people unless they are telnetting to the SMPT port and forging E-mail. Such forgeries are not condoned by the administrators, anyway, and have actually not been much of a problem. If, however, you were somehow relying on anon.lcs.mit.edu's sendmail for "light" anonymity, you should start using real remailers before it's too late. Though I don't really mind suppressing Received: headers, this looks somewhat difficult to do with MTA's other than sendmail, so if sendmail gets junked, we may end up with something that adds Received headers. * SMTP destination statistics may be kept. Recent versions of sendmail (and other MTA's) can keep statistics on delivery to remote machines, to prevent blocking multiple times when sending mail to unavailable remote hosts. The information kept appears to be the name of each remote machine to which mail has been sent, and the last time at which an attempt to send mail to that host was made. Such information would not be backed up, and could potentially be purged daily. I understand this may cause concern. I welcome any feedback or suggestions on how to deal with this, either in sendmail or also qmail (which I'm thinking of switching to). The worst case scenario seems to be the case where anon is seized or stolen and someone discovers that your machine received a piece of mail from it. No information will be available about whether or not you ever sent mail to anon.lcs.mit.edu. This seems acceptable because if someone really needed to prove you had received a piece of mail from nym.alias.net, that person could already do so by tapping your network and sending you a message through nym.alias.net. Despite these changes, anon.lcs.mit.edu does not currently and will never keep any message-by-message mail logs. Sendmail currently runs at log level 1, which the documentation describes as logging only "Serious system failures and potential security problems."