Open Source and information security mailing list archives
 
From: esper at sherohman.org (Dave Sherohman)
Subject: a question about e-mails

On Fri, Feb 27, 2004 at 10:16:43AM -0500, Pamela Patterson wrote:
> OK, you tell me who this was bcc'ed to, and I'll believe you.  I can't
> get the bcc to show in the headers even if I sit at the command line of
> the mail server and type "mail foo -b bar" when both foo and bar are
> local addresses.  I can see the bcc info in the message when it's in the
> Postfix queue, but not once it is delivered.
> 
> Maybe what you did only works when you are using sendmail and reading
> the mail on the same machine it was composed on.

No, actually I suspect that it works (or, rather, doesn't work)
because he _isn't_ using sendmail.  Note in Nico's headers that he is
using mutt on a Debian system.  Debian's default MTA is exim.
According to my (Debian-supplied) /etc/Muttrc,

# Exim does not remove Bcc headers
unset write_bcc

Therefore, if he is using exim and has customized his /etc/Muttrc and
~/.muttrc such that write_bcc is being left at its apparent default
of being on, then, yes, he probably is leaking Bcc information.  This
is, however, a flaw in his particular combination of MUA and MTA, not
standard behaviour.

-- 
The freedoms that we enjoy presently are the most important victories of the
White Hats over the past several millennia, and it is vitally important that
we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)
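
The check described in the message above, as an added example that is not part of the original post: it replays muttrc files in load order (/etc/Muttrc, then ~/.muttrc) to find the effective write_bcc setting, and looks for a Bcc header that survived delivery. The function names and sample inputs are constructed for illustration, and the default of "on" is the post's stated assumption, not a checked fact about any mutt version.

```python
import re
from email import message_from_string

_CMD = re.compile(r"^\s*(set|unset|toggle|reset)\s+(.*)$")

# Constructed sample inputs; addresses and the user override are invented.
SYSTEM_MUTTRC = "# Exim does not remove Bcc headers\nunset write_bcc\n"
USER_MUTTRC = "set write_bcc  # per-user override turns the header back on\n"
DELIVERED = ("From: a@example.org\nTo: foo@example.org\n"
             "Bcc: bar@example.org\nSubject: test\n\nbody\n")

def effective_write_bcc(config_texts, default=True):
    """Replay muttrc texts in load order and return the final write_bcc.

    default=True follows the post's "apparent default of being on"; treat
    it as an assumption and confirm it against your mutt version.
    """
    value = default
    for text in config_texts:
        for line in text.splitlines():
            m = _CMD.match(line.split("#", 1)[0])  # drop trailing comments
            if not m:
                continue
            cmd, args = m.group(1), re.sub(r"\s*=\s*", "=", m.group(2))
            for tok in args.split():
                name, _, rhs = tok.partition("=")
                prefix = next((p for p in ("no", "inv", "&")
                               if name == p + "write_bcc"), "")
                if name[len(prefix):] != "write_bcc":
                    continue
                if cmd == "reset" or prefix == "&":
                    value = default
                elif cmd == "toggle" or prefix == "inv":
                    value = not value
                elif cmd == "unset" or prefix == "no":
                    value = False
                else:  # "set write_bcc" or "set write_bcc=yes|no"
                    value = rhs.strip("\"'").lower() != "no" if rhs else True
    return value

def leaked_bcc(raw_message):
    """Return Bcc header values still present in a delivered message."""
    return message_from_string(raw_message).get_all("Bcc", [])

if __name__ == "__main__":
    print(effective_write_bcc([SYSTEM_MUTTRC, USER_MUTTRC]), leaked_bcc(DELIVERED))
```

A true result from effective_write_bcc only matters when the MTA in use does not strip Bcc headers itself, which is the combination the message describes.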

