Secure relay capability has been added to the Phantom Remailer. This feature allows a masquerading user to send messages through the remailer without needing to use a login and password. This is achieved through the use of a secret token that is known to the users of the remailer (if you choose to share it). This feature is described in the associated Github issue: https://github.com/DerPhantomCoder/remailer/issues/2
Adding anti-SPAM and abuse protection to the Phantom Remailer is the focus of my most recent commits. I created the Phantom Remailer for personal use, but when you release a piece of software to a wider audience it becomes your responsibility to ensure it is secure and robust.
The Phantom Remailer uses the Reply-To header to encode necessary meta information about the sender — while this information was encoded it was not authenticated. The design of the Phantom Remailer does not rely on storing any information about the sender or recipient on the server running the remailer so it was vulnerable to attack by crafting compatible To headers in messages addressed to the remailer.