Re: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses

From: Rich Lafferty (rich@lafferty.ca)
Date: 04/25/02


Date: Thu, 25 Apr 2002 17:44:09 -0400
From: Rich Lafferty <rich@lafferty.ca>
To: bugtraq@securityfocus.com

On Wed, Apr 24, 2002 at 10:49:08AM +0200, Ishay Sommer (ishaybas@netvision.net.il) wrote:
> Hello.
>
> The problem is that, each one of the recipients receives to his mailbox
> the spam warning message,
> including all addresses of which the original message was sent to, even
> if they were sent as Bcc:

Bcc: is *never* reliable unless you already know the behavior of all
of the mail transports along the way. RFC 2821 states:

  Especially when more than one RCPT command is present, and in order to
  avoid defeating some of the purpose of these mechanisms, SMTP clients
  and servers SHOULD NOT copy the full set of RCPT command arguments
  into the headers, either as part of trace headers or as informational
  or private-extension headers. Since this rule is often violated in
  practice, and cannot be enforced, sending SMTP systems that are aware
  of "bcc" use MAY find it helpful to send each blind copy as a separate
  message transaction containing only a single RCPT command.

It's important to note that it says SHOULD NOT, and not MUST NOT.

> This is a serious security disclosure vulnerability, as all of the
> message's recipients, now have all the email addresses who were
> suppose to be kept secret.
 
While I agree it should be fixed, there's really no reason to think
that Bcc: is going to be kept secret. If it's not implemented as a
separate message transaction, you're handing the data to a system you
don't trust and saying "Here, do with this what you will".

Of course, the reliable fix for this is for your local MTA or MUA to
implement Bcc: as a separate message transaction, because they are the
only trustworthy links in the message path.

   -Rich

-- 
Rich Lafferty --------------+-----------------------------------------------
 Ottawa, Ontario, Canada    |  Save the Pacific Northwest Tree Octopus!
 http://www.lafferty.ca/    |    http://zapatopi.net/treeoctopus.html
rich@lafferty.ca -----------+-----------------------------------------------