On 2023-04-12, Olaf Hopp (SCC) via Exim-users <exim-users@exim.org> wrote:
> Sorry for being a bit off topic: > recently we had incoming phishing mails which all had a BCC header line. > So I thought, that's easy to defend and I introduced a data ACL > > deny condition = ${if def:h_BCC: {yes}{no}} > > My logs revealed a lot of them and I was afraid of doing some overblocking. > So I changed the "deny" into a "warn", shifted the ACL further down below spam > and virus scan and added some logging. > > The outcome is that there are really a bunch of incoming mails > with a BCC header, which seems to be no spam. > > And forthermore about 90% are coming from Google hosts like e.g. > mail-qk1-x742.google.com > > So my question for discussion here: > is there any legitimate use to have a BCC header present > or is this all crap and can be rejected ? https://www.rfc-editor.org/rfc/rfc5322#section-3.6.3 The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message. There are three ways in which the "Bcc:" field is used. In the first case, when a message containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is removed even though all of the recipients (including those specified in the "Bcc:" field) are sent a copy of the message. In the second case, recipients specified in the "To:" and "Cc:" lines each are sent a copy of the message with the "Bcc:" line removed as above, but the recipients on the "Bcc:" line get a separate copy of the message containing a "Bcc:" line. (When there are multiple recipient addresses in the "Bcc:" field, some implementations actually send a separate copy of the message to each recipient with a "Bcc:" containing only the address of that particular recipient.) Finally, since a "Bcc:" field may contain no addresses, a "Bcc:" field can be sent without any addresses indicating to the recipients that blind copies were sent to someone. Which method to use with "Bcc:" fields is implementation dependent, but refer to the "Security Considerations" section of this document for a discussion of each. So, sometimes BCC recipients do see the Bcc header. -- Jasen. 🇺🇦 Слава Україні -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/