lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <200402271743.i1RHhSkW009936@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: a question about e-mails 

OK.  Enough is enough.  RFC2822, section 3.6.3 "Destination Addresses" says:

   The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
   addresses of recipients of the message whose addresses are not to be
   revealed to other recipients of the message.  There are three ways in
   which the "Bcc:" field is used.  In the first case, when a message
   containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
   removed even though all of the recipients (including those specified
   in the "Bcc:" field) are sent a copy of the message.  In the second
   case, recipients specified in the "To:" and "Cc:" lines each are sent
   a copy of the message with the "Bcc:" line removed as above, but the
   recipients on the "Bcc:" line get a separate copy of the message
   containing a "Bcc:" line.  (When there are multiple recipient
   addresses in the "Bcc:" field, some implementations actually send a
   separate copy of the message to each recipient with a "Bcc:"
   containing only the address of that particular recipient.) Finally,
   since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
   sent without any addresses indicating to the recipients that blind
   copies were sent to someone.  Which method to use with "Bcc:" fields
   is implementation dependent, but refer to the "Security
   Considerations" section of this document for a discussion of each.
   When a message is a reply to another message, the mailboxes of the
   authors of the original message (the mailboxes in the "From:" field)
   or mailboxes specified in the "Reply-To:" field (if it exists) MAY
   appear in the "To:" field of the reply since these would normally be
   the primary recipients of the reply.  If a reply is sent to a message
   that has destination fields, it is often desirable to send a copy of
   the reply to all of the recipients of the message, in addition to the
   author.  When such a reply is formed, addresses in the "To:" and
   "Cc:" fields of the original message MAY appear in the "Cc:" field of
   the reply, since these are normally secondary recipients of the
   reply.  If a "Bcc:" field is present in the original message,
   addresses in that field MAY appear in the "Bcc:" field of the reply,
   but SHOULD NOT appear in the "To:" or "Cc:" fields.

and Section 5 Security Considerations:

   Many implementations use the "Bcc:" (blind carbon copy) field
   described in section 3.6.3 to facilitate sending messages to
   recipients without revealing the addresses of one or more of the
   addressees to the other recipients.  Mishandling this use of "Bcc:"
   has implications for confidential information that might be revealed,
   which could eventually lead to security problems through knowledge of
   even the existence of a particular mail address.  For example, if
   using the first method described in section 3.6.3, where the "Bcc:"
   line is removed from the message, blind recipients have no explicit
   indication that they have been sent a blind copy, except insofar as
   their address does not appear in the message header.  Because of
   this, one of the blind addressees could potentially send a reply to
   all of the shown recipients and accidentally reveal that the message
   went to the blind recipient.  When the second method from section
   3.6.3 is used, the blind recipient's address appears in the "Bcc:"
   field of a separate copy of the message. If the "Bcc:" field sent
   contains all of the blind addressees, all of the "Bcc:" recipients
   will be seen by each "Bcc:" recipient.  Even if a separate message is
   sent to each "Bcc:" recipient with only the individual's address,
   implementations still need to be careful to process replies to the
   message as per section 3.6.3 so as not to accidentally reveal the
   blind recipient to other recipients.

As a practical matter, the decision of which method to use is up to the
sender's MUA, but there's 2 general guidelines:

1) Each set of different RFC822/2822 headers requires a separate SMTP
transaction, with a MAIL FROM, RCTP TO's for each recipient of that
version of the headers, and a DATA step that includes that version of headers.
This would include the second method.

2) MUAs that use the first or third method will generate one SMTP
transaction, list all recipients in RCPT TO's, and either omit (method 1)
or use a blank bcc (3rd method).

The first-hop MTA will probably log all the RCPT TO's, but after that all
bets are off as far as logging goes (basically, each MTA will log those RCPT TOs
that it receives).  In general this info is only accessible by the sysadmin.

A careful reading of RFC822/2822 will show that there's absolutely no reason
for the bcc: field to have anything sane in it - there's absolutely no reason you
couldn't get an e-mail that has a "bcc: god@...sing-in-action.example.com".

Now can we put this to rest? :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040227/e9b25581/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ