Assuming malicious intent on the part of the provider, the envelope sent to SDF will have a post office stamp from the city from which he sent it. Intersect the IP subnets for the area with the IPs used to connect to SDF to find a connection he made to a non-anonymous account.
Second, the command `ssh -o ProxyCommand="nc -X 4 -x localhost:9050 %h %p" sdf.org` seems to be unique (to Google), and may be in a script he has written previously.
This type of pattern recognition is a very interesting approach to fingering people, even anonymous ones. I've often thought that perfect anonymity is essentially impossible, mostly because nobody wants to enable it, and nobody is smart enough to pull it off for long enough (essentially have a split personality, from even before the time of beginning the anonymous side). As benmanns points out, that ssh command is unique so far. If voidnull has been talking IRL with people about this, they would be able to associate him with it.
Related to the issue of the postmark, there is also the issue of (potential) fingerprints on the envelope and money. The point is, even if the public cannot find identities, the authorities (almost) always can.
Anyways, anonymity is an odd thing: in the US, anonymous speech is allowed (by court decision), but not guaranteed. The government isn't obligated to facilitate it and businesses aren't forced to allow it. voidnull's access to anonymity rests solely on SDF's goodwill and solvency. And the government could easily harrass them, even if they are overseas.
Which brings up an interesting thought experiment: what would it look like if anonymity were guaranteed by law, how could it be implemented reliably and verifiably, and what would the counter-balance be against illegal activity?
My mother took advantage of that when my brother was in the hospital for several months.
When the morning mail came around on Valentine's day, he had a ton of mail from women he'd never heard from from half the towns in the USA with any kind of romantic name.
When the afternoon mail came around, he got the same from the half that didn't arrive in the morning.
For the rest of his stay, he had an unassailable reputation as a super stud. Not a particularly bad thing for a marine in a military hospital!
Mail something to a friend in New York, ask them to remail via a super-busy mail box and destroy the original envelope. Sure it'll technically be possible to review CCTV around the mail box, but then the investigators have to find out who asked the remailer to do this. More difficult than just cross-checking IP addresses to find potential matches for one person.
Daisy-chain the remails a couple of times and it gets ridiculously complicated for all but highest security purposes. Get the accomplices to each wait some semi-random amount of days before remailing to help improve chances that one of the CCTVs will roll-over and write over footage of a remailer...
Or mail it yourself while travelling without connecting to the server while in the area. Sure, you can technically cross-check CCTV from mailbox with transport centres footage with transport records, but...
Do U.S. stamps have identifying features like printers these days? Shown a stamp or three stamps, can you tell e.g. which store chain sold them?
Make sure your friend isn't FBI, or FBI, Police, or other informant.
Make sure your friend isn't going to rat you out.
Make sure your friend isn't going to just take the money and tell you he mailed it.
Make sure your friend doesn't get caught.
Make sure your friend can resist NYPD torture (cough, I mean Enhanced Interrogation) because how do they know it's not ricin in the envelope, so they can't take any chances.
Make sure your friend understands that if you're doing something shady, something that could be considered Postal Fraud, that he could then be prosecuted as an accomplice. Make sure he understands that he could spend years in jail for blindly remailing something of yours.
For someone willing to take those risks based on your friendship, that would be some really close friend! (or an FBI informant).
I think it's safer to just not mail the letter if you really want to be anonymous.
Second, the command `ssh -o ProxyCommand="nc -X 4 -x localhost:9050 %h %p" sdf.org` seems to be unique (to Google), and may be in a script he has written previously.