In 23 Jan 2005 at 7:28, Marc Perkel wrote about
"[exim] BCC Leakage":
| I just had an interesting spam get through. It had exactly 10,000 bcc:
| lines and the bcc was exposed. I don't know what the limit is - but this
| spammer found it. Apparently at some point the bcc lists make it through.
I don't understand this post. You think there is some connection
between the length of a BCC header and whether or not it "makes it
through"? More to the point, you think it should not "make it
through" in general?
BCC headers are no different than any other header. They are just
part of the message data, and an RFC-compliant MTA is not allowed to
mess with them.
BCC has got to be one of the most misunderstood aspects of email.
The only requirement imposed by RFC is that the *non*BCC recpients of
a message do not see the BCC header. The BCC recpients are supposed
to see it, and whether it lists only the individual BCC recpient's
address, or none, or *all* BCC recpient's addresses is left up to the
MUA to decide.
- Fred