lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <28915501A44DBA4587FE1019D675F9831AE381@grfint>
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: a question about e-mails

> Do a "REPLY ALL" (MS Outlook/express)
> All the email ids in TO, CC, BCC will be displayed.

BCC will not. The reason is that BCC recipients are only in the
envelope, which should not be seen by the MUA (mail user agent, e.g.
outlook). All non-broken implementations do this right (and I don't know
a broken implementation that does *this* wrong).

The only way you can see BCC recipients is if you

a) have access to the first server used to transmit the message
   (the sender's server)
b) this server has detailled-enough logging active
c) you can access & review the logs

Subsequent servers (recipient's servers) do NOT have full BCC
information, not even in their logs. This is because the sending server
does not mention envelope recipients that are not on the target server.

For the same reasons, envelope recipients and body recipients ("TO:",
"CC:") can be totally differnet (yet another way to fake things).

All of this, of course, is nicely documented in the SMTP RFCs (which I
don't all know by number - RFC 822 may be a good starting point, google
may be another ;)).

HTH
Rainer


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ