From: lcs Remailer Administrator <mix-admin@nym.alias.net>
Date: Mon, 16 Dec 1996 22:12:51 -0800 (PST)
Subject: IMPORTANT: Changes affecting anon.lcs.mit.edu privacy
Message-ID: <199612170612.BAA09244@anon.lcs.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain


I'm looking into reconfiguring anon.lcs.mit.edu (a.k.a. nym.alias.net)
in ways that will improve performance and reliability.  This could
involve several changes (either temporary during testing, or even
permanent) that might affect the privacy of users.  I hope these
changes won't affect people who use anon.lcs.mit.edu and nym.alias.net
according to the instructions, but given the sensitive nature of
anonymous services, I want to alert people of these changes to avoid
any surprises.

 * 'Received:' headers may suddenly appear.  Currently,
   anon.lcs.mit.edu does not add 'Received:' headers to any mail it
   relays or delivers to nym.alias.net aliases.  Since the anonymous
   remailers mix@anon.lcs.mit.edu and config/send@nym.alias.net
   already strip header information upon receiving messages, this
   shouldn't really affect people unless they are telnetting to the
   SMPT port and forging E-mail.  Such forgeries are not condoned by
   the administrators, anyway, and have actually not been much of a
   problem.

   If, however, you were somehow relying on anon.lcs.mit.edu's
   sendmail for "light" anonymity, you should start using real
   remailers before it's too late.  Though I don't really mind
   suppressing Received: headers, this looks somewhat difficult to do
   with MTA's other than sendmail, so if sendmail gets junked, we may
   end up with something that adds Received headers.


 * SMTP destination statistics may be kept.  Recent versions of
   sendmail (and other MTA's) can keep statistics on delivery to
   remote machines, to prevent blocking multiple times when sending
   mail to unavailable remote hosts.  The information kept appears to
   be the name of each remote machine to which mail has been sent, and
   the last time at which an attempt to send mail to that host was
   made.  Such information would not be backed up, and could
   potentially be purged daily.

   I understand this may cause concern.  I welcome any feedback or
   suggestions on how to deal with this, either in sendmail or also
   qmail (which I'm thinking of switching to).  The worst case
   scenario seems to be the case where anon is seized or stolen and
   someone discovers that your machine received a piece of mail from
   it.  No information will be available about whether or not you ever
   sent mail to anon.lcs.mit.edu.  This seems acceptable because if
   someone really needed to prove you had received a piece of mail
   from nym.alias.net, that person could already do so by tapping your
   network and sending you a message through nym.alias.net.

Despite these changes, anon.lcs.mit.edu does not currently and will
never keep any message-by-message mail logs.  Sendmail currently runs
at log level 1, which the documentation describes as logging only
"Serious system failures and potential security problems."