Mark Dominus on Fri, 18 Apr 2003 15:09:09 -0400



Re: [PLUG] BCCs potentially exposed


> I just learned on the Evolution list that some servers add the header
> Apparently-to: identifying BCC recipients.

I don't think that is true.  Some servers (including Sendmail, I
think) add 'Apparently-To' to identify the *envelope recipient* when
there is no 'To' field in the message.  

> In Windows, I have always used Pegasus as my MUA.  Pegasus sends out
> separate mails whenever there is a BCC, to insure security.  I thought
> all MUAs did this.

Even if they did do that, it would not 'insure security'.  The
'Apparently-To' field could be (and sometimes is) added by the remote
MTA.  There is nothing to stop this MTA from adding a field that says

        Thought-you-might-like-to-know: Arthur Alexion also sent mail
                today to Miss Audra Scarlett with subject
                "CONFIDENTIAL: you left your underpants at my house"

or whatever else it likes, regardless of whether the message was sent
separately from others or not.  Here the remote MTA has helpfully
linked your message concerning the FY 2003 budget with an unrelated
one concerning Miss Scarlett's underwear.

> Are the other Linux MUAs broken like Evolution?  

There is no officially recognized set of "Linux MUAs".  There are
probably dozens of different MUAs that can be used with a GNU/Linux
system.  So there is no way to answer this question without
enumerating the behavior of every one of the dozens of programs that
you might be interested in.

In any case I think you may be mistaken in assigning the blame to the
MUA here.

For example, consider the 'qmail-inject' MUA.  qmail-inject properly
removes the Bcc: line from the message before inserting it into the
qmail local queue.  If there are three local recipients and three
remote recipients, there will be two copies of the message in the
queue, one for the local recipients and one for the remote
recipients.  However, both copies will be identical.

From there, the qmail MTA will transmit the message separately to
every one of the six recipients.  

The remote MTA still might add naughty or scurrilous headers to the
incoming messages.  This has nothing to do with qmail-inject.

> Is it a flaw in the standard that permits this?

That is a judgement call.  I would say that it is not, that it is a
quality-of-implementation issue in the remote MTA.

> In my work BCCs and their privacy are critical.  It's a "don't use this
> software for serious work" issue.

I hope this message contains specific information that makes it easier
for you to evaluate MUAs.
_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
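
An added example, not part of the original message and not qmail's code: it separates the envelope recipients from the header text the way the reply describes qmail-inject doing, then audits a delivered copy for header fields that name a Bcc recipient other than the one the copy was delivered to. The function names (`addresses`, `prepare`, `leaks`), the addresses and both sample messages are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed draft; every address here is made up for the example.
DRAFT = """\
From: sender@example.org
To: alice@example.com
Cc: bob@example.com
Bcc: carol@example.net, dave@example.net
Subject: FY 2003 budget

Numbers attached.
"""

def addresses(msg, *fields):
    """Bare addresses found in the named header fields."""
    values = [v for f in fields for v in msg.get_all(f, [])]
    return [addr for _, addr in getaddresses(values)]

def prepare(raw):
    """Return (envelope recipients, Bcc addresses, text to transmit)."""
    msg = message_from_string(raw)
    envelope = addresses(msg, "To", "Cc", "Bcc")
    hidden = addresses(msg, "Bcc")
    del msg["Bcc"]  # drops every Bcc field; those recipients remain only in the envelope
    return envelope, hidden, msg.as_string()

def leaks(delivered_raw, hidden, delivered_to):
    """Header fields of one delivered copy that name a Bcc address
    other than the recipient this copy was delivered to."""
    msg = message_from_string(delivered_raw)
    others = [h.lower() for h in hidden if h.lower() != delivered_to.lower()]
    return [(name, h) for name, value in msg.items()
            for h in others if h in value.lower()]

ENVELOPE, HIDDEN, WIRE = prepare(DRAFT)
# Constructed copy as a receiving MTA might store it after adding a field of its own.
TAMPERED = "Apparently-To: carol@example.net\n" + WIRE

if __name__ == "__main__":
    print(ENVELOPE)
    print(leaks(WIRE, HIDDEN, "alice@example.com"))
    print(leaks(TAMPERED, HIDDEN, "alice@example.com"))
    print(leaks(TAMPERED, HIDDEN, "carol@example.net"))
```

Run `leaks` over copies fetched from test mailboxes at each remote domain: a clean result for the text the sender transmitted says nothing about what the receiving MTA adds afterwards.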