Potential exposure of "Bcc:" list
Thu, 17 Apr 2008 01:01:51 -050 |
SMTP servers reportedly exist which,
in the absence of a "To:" header in a message,
will create a "To:" header for you,
inserting all recipients given by "RCPT TO" commands (of the SMTP
protocol),
which could thus expose one's entire "Bcc:" list,
via that list being converted to an explicit "To:" header.
Although this potential for "private" address exposure,
whenever a "To:" list is optional in an email client (MUA),
may be said to be a fault of SMTP servers,
and is recommended against by RFC2821 section 7.2 "Blind" Copies
(only via "should not," rather than "must not"),
a number of email clients counter this possibility
by generating a "To:" header of their own,
whenever none is supplied by the sender,
often of a perfectly legal form such as:
To: "Recipient list suppressed":;
Opera (9.27/8841/Win32), however, not only doesn't generate such a header,
but even if I manually type such a header myself,
refuses to include it in my outgoing message!
It thus appears impossible for anyone to take this "standard
precaution,"
even if they are fully aware of the issue and attempt to rectify it
by trying to create their own "To:" header like that above.
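The precaution described in the post above, as an added example that is not part of the original post: a client-side step that keeps "Bcc:" recipients in the SMTP envelope only and supplies the empty-group "To:" header when the sender gave none, run against a simplified model of a server that fills in a missing "To:" from "RCPT TO". The function names, the server model and the example.com addresses are assumptions constructed for illustration.

```python
from email.message import Message
from email.utils import getaddresses

SUPPRESSED_TO = '"Recipient list suppressed":;'  # empty-group form from the post

def prepare_outgoing(msg, add_placeholder=True):
    """Client (MUA) side: return (RCPT TO list, message to transmit)."""
    rcpts = []
    for name in ("To", "Cc", "Bcc"):
        for _, addr in getaddresses(msg.get_all(name, [])):
            if addr and addr not in rcpts:   # an empty group parses to ''
                rcpts.append(addr)
    del msg["Bcc"]                 # blind copies exist only in the envelope
    if add_placeholder and msg["To"] is None:
        msg["To"] = SUPPRESSED_TO  # leaves the server no missing "To:" to fill
    return rcpts, msg

def server_filling_in_to(msg, rcpt_to):
    """Simplified model (assumption) of the reported server behaviour."""
    if msg["To"] is None:
        msg["To"] = ", ".join(rcpt_to)
    return msg

def bcc_only_message():
    """Constructed sample: a message addressed only via "Bcc:"."""
    msg = Message()
    msg["From"] = "sender@example.com"
    msg["Bcc"] = "alice@example.com, bob@example.com"
    msg["Subject"] = "notice"
    msg.set_payload("hello\n")
    return msg

def delivered_to_header(add_placeholder):
    """Return (envelope recipients, "To:" header as the recipient sees it)."""
    rcpts, outgoing = prepare_outgoing(bcc_only_message(), add_placeholder)
    return rcpts, server_filling_in_to(outgoing, rcpts)["To"]

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, delivered_to_header(flag))
```

Without the placeholder the modelled server writes both blind-copy addresses into "To:"; with it, the envelope is unchanged and the delivered header stays the empty group.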