On Wed, Dec 12, 2001 at 09:55:18AM +0000, Ronan Waide wrote: > Hi Bugtraqers, > > I recently received a marketing mail from a supplier who uses an email > content filter called Mail Essentials from GFI Software (see > http://www.gfisoftware.com/me/mesfeatures.htm for more > information). The message had no destination address, having been sent > to a BCC list. On inspecting the Received: headers, I found one > inserted by Mail Essentials: > > Received: From mail.server by other.server > Mail essentials (server 2.422) with SMTP id: <513@mail.server> > for <bcc_person@address>; Wed, 29 Aug 2001 16:19:12 +0100 > smtpmailfrom <originator@address> > > The 'bcc_person@address' was, presumably, the first person on the BCC > list - it certainly wasn't /my/ address. I brought this to the > attention of GFI software over a month ago, and the eventual response > was to the effect that 'BCC headers get stripped out' - evidently the > problem was misunderstood. Since I've not heard anything more from > them after clarifying the situation, I'm posting the problem here in > case anyone happens to use this software in-house. > > Cheers, > Waider. True, the described behaviour is usually not desirable. ''GFI Software'' ought to consider to change it. On the other hand, RFC 2821 and RFC 2822 clearly indicates that the Bcc: field is not to be trusted in general unless you know for certain how it will be handled. RFC 2821, section: 4.4 Trace Information 7.2 ''Blind'' Copies 7.5 Information Disclosure in Trace Fields RFC 2822, section: 3.6.3. Destination address fields 5 Security Considerations Sincerely, Jörgen
