Re: Remailers-in-a-box
: I guess it'd be possible to treat remailers as disposable - when one
: had pissed off enough people, it could be abandoned - but this lack
: of long-term reliability seems poor.

The entry point of a remailer could be "fixed", the exit point is where the heat is on.

- The entry point of a remailer is entry@remail.org,
- entry@remail.org has a forward file to: batch@remail.org
- batch@remail.org does the actual remailing, since remail.org has installed some sort of MX'ing all messages that leave batch@remail.org will advertise themselves as nobody@expendable.org .
- If you "lose" expendable.org, you simply set up a new account with MX'ing, the remailer-users will only notice the change in exit-header, the entry-point of that remailer is still entry@remail.org

Of course you can make this as complicated as you like. :)

Regards,
--
Alex de Joode usura@replay.com
Hate mail appreciated, http://www.xs4all.nl/~usura weekly contest for best death threat.
- The entry point of a remailer is entry@remail.org,
- entry@remail.org has a forward file to: batch@remail.org
I would state this is a security breach. entry@remail.org should not know anything about the second level re-mailers other than a method to identify them as legitimate.
- batch@remail.org does the actual remailing, since remail.org has installed some sort of MX'ing all messages that leave batch@remail.org will advertise themselves as nobody@expendable.org .
The 'client' re-mailers should be the ones to initiate the call-up, not the entry re-mailer. This way if the portal is compromised no information can be gained such as the list of clients. The entry re-mailer should sit there waiting for a call. When it gets one it goes through some kind of verification process (akin to some comments I made back in the summer relating to making all the packets encrypted at all times).
- If you "lose" expendable.org, you simply set up a new account with MX'ing, the remailer-users will only notice the change in exit-header, the entry-point of that remailer is still entry@remail.org
If you make the entry point anonymous and have at least two of the entry points slaved (sorta like collision avoidance on ethernet) then the entry point never has to change. Also if one goes down the other takes up the slack. It might also be possible to have it route over-flow packets from the main router to the slave router when traffic maxes out. The reality is that the main point of attack is going to be the incoming since if you take that one (if it is a small and simple re-mailer network) it will bring the whole system to its knees.

Take care.
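
The pull model proposed in the reply above, as an added example that is not part of the original thread: the second-level remailer calls the entry point, answers a challenge, and takes a batch, so the entry point stores no client addresses. The HMAC challenge-response, the shared group key and every class and function name here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import deque

class EntryRemailer:
    """Entry point that waits to be called; it stores no client addresses."""
    def __init__(self, group_key: bytes):
        self._key = group_key         # the only thing it knows about clients
        self._queue = deque()         # incoming mail awaiting pickup
        self._open_nonces = set()     # challenges issued but not yet answered

    def accept(self, message: bytes) -> None:
        self._queue.append(message)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open_nonces.add(nonce)
        return nonce

    def collect(self, nonce: bytes, proof: bytes, limit: int = 10) -> list:
        # Each nonce is single-use, so a captured proof cannot be replayed.
        if nonce not in self._open_nonces:
            return []
        self._open_nonces.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return []
        batch = []
        while self._queue and len(batch) < limit:
            batch.append(self._queue.popleft())
        return batch

def client_pickup(entry: EntryRemailer, key: bytes, limit: int = 10) -> list:
    """Second-level remailer initiates the call-up and proves legitimacy."""
    nonce = entry.challenge()
    proof = hmac.new(key, nonce, hashlib.sha256).digest()
    return entry.collect(nonce, proof, limit)

def demo():
    key = secrets.token_bytes(32)     # constructed shared key
    entry = EntryRemailer(key)
    for i in range(3):
        entry.accept(b"constructed message %d" % i)
    rogue = client_pickup(entry, b"wrong key")     # fails verification
    legit = client_pickup(entry, key, limit=2)     # receives a batch
    return rogue, legit, len(entry._queue)
```

With a shared key, a compromised entry point still leaks the key itself; verifying public-key signatures instead would leave it holding only verification material.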
participants (2)
- Alex de Joode
- root