[23606] in bugtraq
Re: Mail Essentials reveals identity of first BCC recipient
daemon@ATHENA.MIT.EDU (J Leon)
Mon Dec 24 19:10:07 2001
Date: 24 Dec 2001 22:03:06 -0000
Message-ID: <20011224220306.7272.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: J Leon <jimatwork@local-connect.com>
To: bugtraq@securityfocus.com
In-Reply-To: <15383.10630.436261.175544@eris.euroconex.prv>
I've been using GFI Mail Essentials since May 2000,
and have never seen such a thing. I've looked at
thousands of email messages passing through my
MES server. I've also performed some tests to see if
MES could do what you've seen, and could not
duplicate the symptom.
Is it possible that the address you saw is a
distribution list and that part of the header was sent
from an upstream server, not actually from MES? If I
could see the complete header, I could try duplicate
the problem more accurately.
I'm not intimately familiar with the RFC's, but it
seems that an email could not be correctly delivered
with an incorrect "for" in the header. In fact, if the
originating server didn't send BCC information, MES
should never get any BCC information. All MES sees
is the "mail from" and "rcpt to" commands and then
the "data" from the upstream server.
I use MES on a machine separated from the
Exchange server, like a proxy. Exchange sends all
mail out to MES, and MES forwards it on. However,
MES can be installed directly on the Exchange server
to give it some added capabilities. I doubt the
forwarding part works significantly different when
installed on the same server compared to being
installed alone, but it's possible. When together,
MES listens on 25 and Exchange listens on a
different port.
There certainly are problems with MES, but I don't
think this one can be blamed on MES.
J. Leon
