Re: Disclosure of BCC field
Grant Taylor wrote:
Sumanth Naropanth wrote:
My email client throws up a warning when I have email addresses only in
the "BCC" field, that the recipients may be able to view the others in
the list using the "Apparently-To:" field in the headers.

Is this a feature in sendmail only?

I do not believe that it is Sendmail doing this.

Sendmail seems to have a feature of adding "Apparently-to" header, as
mentioned in the man pages:
http://unixhelp.ed.ac.uk/CGI/man-cgi?sendmail . Excerpt below

===========================================

NoRecipientAction=action
Set the behaviour when there are no recipient headers (To:, Cc:
or Bcc:) in the message to action: none leaves the message
unchanged, add-to adds a To: header with the envelope recipients,
add-apparently-to adds an Apparently-To: header with the
envelope recipients, add-bcc adds an empty Bcc: header, and
add-to-undisclosed adds a header reading `To: undisclosed-recipients:;'.

===========================================

Searching on google for more info led me to another
place: http://cr.yp.to/immhf/recip.html
where it says:

============================================

[RFC?] 822 requires that every message contain at least one
To, Cc, or Bcc field. This poses problems in practice for
messages without any visible recipients. Users occasionally
leave out all recipient fields; unfortunately, if a message
without To/Cc/Bcc passes through sendmail, sendmail will put
the recipient list into a new Apparently-To field.

============================================

The above blurbs do not say that the BCC entries are placed into
"Apparently-To" field, but they make me wonder if Sendmail has
something to do with it.

When does this happen? I see that in my usual email means of GMail,
Yahoo! and my corporate emails, there is no "Apparently To:" field in
the headers for emails with BCC lists.

Is this header information introduced at the sender's side sendmail
daemon? It only seems logical, but just want to make sure.

No, I believe that this is introduced on the receiving side.

So, that means the BCC list is communicated to each of the destination
email servers even though none of them really have the need for it. If
BCC field isn't part of the message header at the destination side, why
should it be propagated to the receiving side? There may also be a
higher risk of exposure of the email addresses.

Is there any way for this to see it actually happen? Any settings that
I can tweak with at least on a local Unix machine?

I believe that Postfix and / or QMail will add "X-Apparently-To:" (or the likes) headers if a message comes in and is destined to a recipient not listed in any of the standard "To:" or "CC:" headers. The receiving MTA is adding the "X-Apparently-To:" header with the contents of the SMTP "RCPT TO:" command. I don't think you need to worry too much about the "X-Apparently-To:" header unless your recipients are forwarding / replying with headers intact and as such exposing their address. However I do not know what will happen when one of these servers receives an email for multiple people on the same server. You may have to play with this and see what happens.

Interesting... So, X-Apparently-To field is pretty much like saying
"This message was BCC'ed to me" (if at all it appears). And if all
recipients are on the same server, still they should not be able to see
each others email address functionally speaking. But I'm not sure what
happens in reality.

It sounds more like you need to take a look into mailing list software that will send out individual messages, one per recipient.

As far as testing goes, find someone that has a Postfix / QMail box that will allow you to have a test account.



Grant. . . .

-Sumanth
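As an added illustration of the mechanics discussed in this thread (not code from either poster), the following Python models the three steps: the sending side building the SMTP envelope from To/Cc/Bcc and stripping the Bcc header, a receiving MTA applying sendmail's NoRecipientAction to a message that arrives with no recipient header, and the per-recipient delivery Grant suggests. The addresses and the `receive` function are constructed for the simulation; a real MTA's exact header name and behaviour depend on its configuration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: a Bcc-only message to two people on the same receiving server.
SENDER = "sumanth@example.org"
BCC_LIST = ["alice@example.net", "bob@example.net"]


def build_message(sender, bcc, subject="test"):
    """Compose a message whose only recipients are in Bcc, like the client in the thread."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content("hello")
    return msg


def submit(msg):
    """Sending side: envelope (RCPT TO list) = every To/Cc/Bcc address; Bcc is stripped from the wire copy."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    envelope = [addr for _, addr in getaddresses(headers)]
    wire = email.message_from_string(msg.as_string(), policy=policy.default)
    del wire["Bcc"]
    return envelope, wire


def receive(wire, rcpt_to, action="none"):
    """Receiving MTA (simulated): apply a sendmail-style NoRecipientAction when no To/Cc/Bcc survives."""
    delivered = email.message_from_string(wire.as_string(), policy=policy.default)
    if any(h in delivered for h in ("To", "Cc", "Bcc")):
        return delivered  # a recipient header is present, so nothing is added
    if action == "add-apparently-to":
        delivered["Apparently-To"] = ", ".join(rcpt_to)  # writes the whole RCPT TO list into a header
    elif action == "add-to":
        delivered["To"] = ", ".join(rcpt_to)
    elif action == "add-bcc":
        delivered["Bcc"] = ""
    elif action == "add-to-undisclosed":
        delivered["To"] = "undisclosed-recipients:;"
    return delivered


def deliver(msg, action, per_recipient):
    """One shared envelope (bulk) or one envelope per recipient (mailing-list style); returns what each recipient sees."""
    envelope, wire = submit(msg)
    batches = [[r] for r in envelope] if per_recipient else [envelope]
    seen = {}
    for rcpt_to in batches:
        delivered = receive(wire, rcpt_to, action)
        header = delivered.get("Apparently-To")
        for r in rcpt_to:
            seen[r] = None if header is None else str(header)
    return seen
```

With the shared envelope and `add-apparently-to`, both Bcc recipients end up seeing each other's address; with one envelope per recipient, each Apparently-To holds only that recipient's own address.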



