Re: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses

From: Rich Lafferty (rich@lafferty.ca)
Date: 04/25/02


Date: Thu, 25 Apr 2002 17:44:09 -0400
From: Rich Lafferty <rich@lafferty.ca>
To: bugtraq@securityfocus.com

On Wed, Apr 24, 2002 at 10:49:08AM +0200, Ishay Sommer (ishaybas@netvision.net.il) wrote:
> Hello.
>
> The problem is that each one of the recipients receives in his mailbox
> the spam warning message,
> including all addresses to which the original message was sent, even
> if they were sent as Bcc:

Bcc: is *never* reliable unless you already know the behavior of all
of the mail transports along the way. RFC 2821 states:

  Especially when more than one RCPT command is present, and in order to
  avoid defeating some of the purpose of these mechanisms, SMTP clients
  and servers SHOULD NOT copy the full set of RCPT command arguments
  into the headers, either as part of trace headers or as informational
  or private-extension headers. Since this rule is often violated in
  practice, and cannot be enforced, sending SMTP systems that are aware
  of "bcc" use MAY find it helpful to send each blind copy as a separate
  message transaction containing only a single RCPT command.

It's important to note that it says SHOULD NOT, and not MUST NOT.

> This is a serious security disclosure vulnerability, as all of the
> message's recipients now have all the email addresses which were
> supposed to be kept secret.

While I agree it should be fixed, there's really no reason to think
that Bcc: is going to be kept secret. If it's not implemented as a
separate message transaction, you're handing the data to a system you
don't trust and saying "Here, do with this what you will".

Of course, the reliable fix for this is for your local MTA or MUA to
implement Bcc: as a separate message transaction, because they are the
only trustworthy links in the message path.

   -Rich

-- 
Rich Lafferty --------------+-----------------------------------------------
 Ottawa, Ontario, Canada    |  Save the Pacific Northwest Tree Octopus!
 http://www.lafferty.ca/    |    http://zapatopi.net/treeoctopus.html
rich@lafferty.ca -----------+-----------------------------------------------
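The point Rich makes (Bcc: survives only when the sending system issues one SMTP transaction per blind copy, and any hop that copies the RCPT list into a notification undoes it otherwise) can be modelled directly. The following Python is an added example, not code from the original thread or from Trend Micro: it builds the envelope(s) a sender would use for a message with To/Cc/Bcc both the shortcut way (one transaction naming everyone) and the RFC 2821 way, then runs a hypothetical `leaky_hop` that, like the filter in the report, mails the whole RCPT list to every recipient. The addresses are constructed.

```python
"""Why Bcc: only stays secret when each blind copy is its own SMTP
transaction.  Added example, not code from the original post; it models
the envelope a sending system builds and a downstream hop that copies the
RCPT list into a notice (the filter behaviour discussed in the thread)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses


def addresses(msg, field):
    """Bare addresses in a header field, [] if the field is absent."""
    values = [str(v) for v in msg.get_all(field, [])]
    return [addr for _, addr in getaddresses(values)]


def plan_transactions(msg, split_bcc=True):
    """Turn one composed message into the SMTP transactions a sender performs.

    Each transaction is (rcpt_list, data): rcpt_list holds the RCPT TO
    arguments, data is the message sent after DATA with Bcc: removed.
    split_bcc=False is the common shortcut: a single transaction naming
    everyone.  split_bcc=True follows the RFC 2821 advice: To/Cc recipients
    share one transaction and every Bcc recipient gets its own.
    """
    public = addresses(msg, "To") + addresses(msg, "Cc")
    hidden = addresses(msg, "Bcc")
    # Strip Bcc: from the transmitted copy; that header must never go out.
    data = email.message_from_bytes(msg.as_bytes(), policy=policy.default)
    del data["Bcc"]
    if not split_bcc:
        return [(public + hidden, data)]
    txns = [(public, data)] if public else []
    txns.extend(([rcpt], data) for rcpt in hidden)
    return txns


def leaky_hop(rcpts):
    """Hypothetical relay or content filter that copies the whole RCPT list
    into a notification mailed to every recipient.  RFC 2821 says hops
    SHOULD NOT do this, but nothing enforces it.  Returns what each
    recipient gets to see."""
    return {viewer: sorted(rcpts) for viewer in rcpts}


def leaked_bcc(msg, split_bcc):
    """Bcc addresses that some *other* recipient learns if every hop leaks."""
    hidden = set(addresses(msg, "Bcc"))
    leaked = set()
    for rcpts, _ in plan_transactions(msg, split_bcc):
        for viewer, seen in leaky_hop(rcpts).items():
            leaked |= (set(seen) & hidden) - {viewer}
    return leaked


def sample_message():
    """Constructed test message; the addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Cc"] = "carol@example.com"
    msg["Bcc"] = "dave@example.net, erin@example.org"
    msg["Subject"] = "quarterly numbers"
    msg.set_content("See attachment.")
    return msg


if __name__ == "__main__":
    msg = sample_message()
    for mode in (False, True):
        print(f"split_bcc={mode}:")
        for rcpts, data in plan_transactions(msg, mode):
            print("  RCPT TO:", rcpts, "| Bcc header present:", "Bcc" in data)
        print("  leaked to other recipients:", sorted(leaked_bcc(msg, mode)))
```

With `split_bcc=False` the single transaction carries all four RCPT arguments, so a hop that echoes the envelope exposes both blind copies to Bob and Carol; with `split_bcc=True` Dave and Erin each sit alone in their own transaction and the same leaky hop can reveal nothing beyond what each recipient already knows. Removing the Bcc: header from DATA is necessary in both modes but, as the thread says, it is not sufficient.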


