[23468] in bugtraq


Mail Essentials reveals identity of first BCC recipient

daemon@ATHENA.MIT.EDU (Ronan Waide)
Wed Dec 12 11:54:39 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15383.10630.436261.175544@eris.euroconex.prv>
Date: Wed, 12 Dec 2001 09:55:18 +0000
From: Ronan Waide <ronan.waide@euroconex.com>
To: bugtraq@securityfocus.com

Hi Bugtraqers,

I recently received a marketing mail from a supplier who uses an email
content filter called Mail Essentials from GFI Software (see
http://www.gfisoftware.com/me/mesfeatures.htm for more
information). The message had no destination address, having been sent
to a BCC list. On inspecting the Received: headers, I found one
inserted by Mail Essentials:

Received: From mail.server by other.server
	Mail essentials (server 2.422) with SMTP id: <513@mail.server>
	 for <bcc_person@address>; Wed, 29 Aug 2001 16:19:12 +0100
	smtpmailfrom <originator@address> 

The 'bcc_person@address' was, presumably, the first person on the BCC
list - it certainly wasn't /my/ address. I brought this to the
attention of GFI Software over a month ago, and the eventual response
was to the effect that 'BCC headers get stripped out' - evidently the
problem was misunderstood. Since I've not heard anything more from
them after clarifying the situation, I'm posting the problem here in
case anyone happens to use this software in-house.

Cheers,
Waider.
-- 
Ronan Waide / Unix Guy / euroConex Technologies Ltd.
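
A check a mail administrator could run over a delivered copy of a BCC'd message to spot the leak described in the post. This is an added example, not part of the original message: the function name, `me@example.org`, and every sample header other than the quoted Received line are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the Received header is the one quoted in the post;
# the From/Subject lines and the body are made up for this example.
SAMPLE = """\
Received: From mail.server by other.server
\tMail essentials (server 2.422) with SMTP id: <513@mail.server>
\t for <bcc_person@address>; Wed, 29 Aug 2001 16:19:12 +0100
\tsmtpmailfrom <originator@address>
From: originator@address
Subject: constructed marketing mail

body
"""

# The "for <addr>" clause of a Received header names an envelope recipient.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def leaked_recipients(raw_message, my_address):
    """Return 'for' addresses found in Received headers that are neither
    the mailbox the copy was delivered to nor a visible To/Cc recipient."""
    msg = message_from_string(raw_message)
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    visible.add(my_address.lower())
    leaked = []
    for received in msg.get_all("Received", []):
        # Folded header lines are kept as-is; \s+ in the regex spans them.
        for match in FOR_CLAUSE.finditer(received):
            addr = match.group(1).lower()
            if addr not in visible and addr not in leaked:
                leaked.append(addr)
    return leaked


if __name__ == "__main__":
    # me@example.org stands in for the mailbox that received this copy.
    for addr in leaked_recipients(SAMPLE, "me@example.org"):
        print("Received header names another recipient:", addr)
```

A `for` clause naming the mailbox that received the copy is normal; the finding is an address that appears there but belongs to a different, undisclosed recipient.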
