Bugtraq mailing list archives
Re: Trendmicro - Interscan - List of BCC: is revealed when stripping attachments and notifying destination addresses
From: Rich Lafferty <rich () lafferty ca>
Date: Thu, 25 Apr 2002 17:44:09 -0400
On Wed, Apr 24, 2002 at 10:49:08AM +0200, Ishay Sommer (ishaybas () netvision net il) wrote:
> Hello. The problem is that each one of the recipients receives in his mailbox the spam warning message, including all addresses to which the original message was sent, even if they were sent as Bcc:
Bcc: is *never* reliable unless you already know the behavior of all of the mail transports along the way. RFC 2821 states:

    Especially when more than one RCPT command is present, and in order to
    avoid defeating some of the purpose of these mechanisms, SMTP clients and
    servers SHOULD NOT copy the full set of RCPT command arguments into the
    headers, either as part of trace headers or as informational or
    private-extension headers. Since this rule is often violated in practice,
    and cannot be enforced, sending SMTP systems that are aware of "bcc" use
    MAY find it helpful to send each blind copy as a separate message
    transaction containing only a single RCPT command.

It's important to note that it says SHOULD NOT, and not MUST NOT.
> This is a serious security disclosure vulnerability, as all of the message's recipients now have all the email addresses which were supposed to be kept secret.
While I agree it should be fixed, there's really no reason to think that Bcc: is going to be kept secret. If it's not implemented as a separate message transaction, you're handing the data to a system you don't trust and saying "Here, do with this what you will". Of course, the reliable fix for this is for your local MTA or MUA to implement Bcc: as a separate message transaction, because they are the only trustworthy links in the message path.

-Rich

-- 
Rich Lafferty --------------+-----------------------------------------------
Ottawa, Ontario, Canada     | Save the Pacific Northwest Tree Octopus!
http://www.lafferty.ca/     | http://zapatopi.net/treeoctopus.html
rich () lafferty ca -----------+-----------------------------------------------
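The reliable fix described in this thread, Bcc: delivered as a separate SMTP transaction by the sender's own MUA/MTA so that no downstream gateway ever sees the full recipient list, as an added example in Python (not code from the thread or from any product named in it); the use of the standard library's smtplib and the sample addresses are assumptions:

```python
"""Bcc: handled as separate SMTP transactions (added example)."""
from email import message_from_bytes, policy
from email.message import EmailMessage
import smtplib


def _addrs(msg, header):
    """All addr-specs found in every instance of `header`."""
    return [a.addr_spec for h in msg.get_all(header, []) for a in h.addresses]


def plan_transactions(msg):
    """Return [(envelope_recipients, message_bytes), ...].

    One transaction carries the To:/Cc: recipients; each Bcc: recipient
    gets a transaction of its own with a single RCPT, as RFC 2821 suggests.
    """
    visible = _addrs(msg, "To") + _addrs(msg, "Cc")
    hidden = _addrs(msg, "Bcc")
    # Strip Bcc: from every copy: no hop beyond this host should ever see it.
    clean = message_from_bytes(msg.as_bytes(), policy=policy.default)
    del clean["Bcc"]
    body = clean.as_bytes()
    plan = [(visible, body)] if visible else []
    plan += [([addr], body) for addr in hidden]
    return plan


def send(msg, host="localhost", port=25):
    """Deliver each planned transaction separately over one SMTP session."""
    sender = _addrs(msg, "From")[0]
    with smtplib.SMTP(host, port) as smtp:
        for rcpts, body in plan_transactions(msg):
            # Each sendmail() call is its own MAIL FROM / RCPT TO / DATA exchange.
            smtp.sendmail(sender, rcpts, body)


def sample_message():
    """Constructed sample input; the addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.com"
    msg["Cc"] = "carol@example.com"
    msg["Bcc"] = "dave@example.net, erin@example.net"
    msg["Subject"] = "Quarterly numbers"
    msg.set_content("See attached.")
    return msg


if __name__ == "__main__":
    for rcpts, body in plan_transactions(sample_message()):
        print(rcpts, b"Bcc" in body)
```

Note that `smtplib.SMTP.send_message` removes the Bcc: header but still hands every recipient to a single transaction, so a Bcc-aware sender has to split the envelope itself as above.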