On 2023-04-12, Olaf Hopp (SCC) via Exim-users <exim-users@exim.org> wrote:

> Sorry for being a bit off topic:
> recently we had incoming phishing mails which all had a BCC header line.
> So I thought, that's easy to defend and I introduced a data ACL
>
>       deny condition   = ${if def:h_BCC: {yes}{no}}
>
> My logs revealed a lot of them and I was afraid of doing some overblocking.
> So I changed the "deny" into a "warn", shifted the ACL further down below spam
> and virus scan and added some logging.
>
> The outcome is that there are really a bunch of incoming mails
> with a BCC header, which seem to be no spam.
>
> And furthermore about 90% are coming from Google hosts like e.g.
> mail-qk1-x742.google.com
>
> So my question for discussion here:
> is there any legitimate use to have a BCC header present
> or is this all crap and can be rejected?

https://www.rfc-editor.org/rfc/rfc5322#section-3.6.3

   The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
   addresses of recipients of the message whose addresses are not to be
   revealed to other recipients of the message.  There are three ways in
   which the "Bcc:" field is used.  In the first case, when a message
   containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
   removed even though all of the recipients (including those specified
   in the "Bcc:" field) are sent a copy of the message.  In the second
   case, recipients specified in the "To:" and "Cc:" lines each are sent
   a copy of the message with the "Bcc:" line removed as above, but the
   recipients on the "Bcc:" line get a separate copy of the message
   containing a "Bcc:" line.  (When there are multiple recipient
   addresses in the "Bcc:" field, some implementations actually send a
   separate copy of the message to each recipient with a "Bcc:"
   containing only the address of that particular recipient.)  Finally,
   since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
   sent without any addresses indicating to the recipients that blind
   copies were sent to someone.  Which method to use with "Bcc:" fields
   is implementation dependent, but refer to the "Security
   Considerations" section of this document for a discussion of each.


So, sometimes BCC recipients do see the Bcc header.

-- 
 Jasen.
 🇺🇦 Слава Україні

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
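
The three "Bcc:" cases in the RFC 5322 text quoted above can be told apart by comparing the header with the envelope recipients. The following is an added example, not code from this thread or from Exim; the function name, the category labels and the sample messages are constructed, and it assumes the envelope recipients are available from the MTA.

```python
from email import message_from_string
from email.utils import getaddresses


def classify_bcc(raw_message, envelope_rcpts):
    """Classify a message's Bcc header against its envelope recipients.

    Returns 'absent', 'empty', 'recipient-only' or 'other-addresses'.
    """
    msg = message_from_string(raw_message)
    values = msg.get_all("Bcc")  # header lookup is case-insensitive (BCC, Bcc, bcc)
    if values is None:
        return "absent"  # RFC 5322 first case: Bcc line removed before sending
    addrs = {addr.lower() for _, addr in getaddresses(values) if addr}
    if not addrs:
        return "empty"  # third case: Bcc sent without any addresses
    rcpts = {r.lower() for r in envelope_rcpts}
    if addrs <= rcpts:
        return "recipient-only"  # second case: the Bcc recipient's own copy
    return "other-addresses"  # names someone this delivery is not for: worth logging


# Constructed sample messages (not taken from the thread), each paired with
# the envelope recipients assumed for that delivery.
SAMPLES = [
    ("From: a@example.org\nTo: b@example.org\nSubject: t\n\nhi\n",
     ["b@example.org"]),
    ("From: a@example.org\nTo: b@example.org\nBcc:\nSubject: t\n\nhi\n",
     ["b@example.org"]),
    ("From: a@example.org\nTo: b@example.org\nBCC: Carol <Carol@Example.net>\n\nhi\n",
     ["carol@example.net"]),
    ("From: a@example.org\nTo: b@example.org\nBcc: c@example.net, d@example.com\n\nhi\n",
     ["c@example.net"]),
]


def classify_samples():
    """Run the classifier over the constructed samples, in order."""
    return [classify_bcc(raw, rcpts) for raw, rcpts in SAMPLES]


if __name__ == "__main__":
    for result in classify_samples():
        print(result)
```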
