Re: [exim] OT: are BCC header lines legitimate ?

Top Page
Delete this message
Reply to this message
Author: Jasen Betts
Date:  
To: exim-users
Subject: Re: [exim] OT: are BCC header lines legitimate ?
On 2023-04-12, Olaf Hopp (SCC) via Exim-users <exim-users@???> wrote:

> Sorry for being a bit off topic:
> recently we had incoming phishing mails which all had a BCC header line.
> So I thought, that's easy to defend and I introduced a data ACL
>
>     deny condition   = ${if def:h_BCC: {yes}{no}}

>
> My logs revealed a lot of them and I was afraid of doing some overblocking.
> So I changed the "deny" into a "warn", shifted the ACL further down below spam
> and virus scan and added some logging.
>
> The outcome is that there are really a bunch of incoming mails
> with a BCC header, which seems to be no spam.
>
> And forthermore about 90% are coming from Google hosts like e.g. mail-qk1-x742.google.com
>
> So my question for discussion here:
> is there any legitimate use to have a BCC header present
> or is this all crap and can be rejected ?


https://www.rfc-editor.org/rfc/rfc5322#section-3.6.3

The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
addresses of recipients of the message whose addresses are not to be
revealed to other recipients of the message. There are three ways in
which the "Bcc:" field is used. In the first case, when a message
containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
removed even though all of the recipients (including those specified
in the "Bcc:" field) are sent a copy of the message. In the second
case, recipients specified in the "To:" and "Cc:" lines each are sent
a copy of the message with the "Bcc:" line removed as above, but the
recipients on the "Bcc:" line get a separate copy of the message
containing a "Bcc:" line. (When there are multiple recipient
addresses in the "Bcc:" field, some implementations actually send a
separate copy of the message to each recipient with a "Bcc:"
containing only the address of that particular recipient.) Finally,
since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
sent without any addresses indicating to the recipients that blind
copies were sent to someone. Which method to use with "Bcc:" fields
is implementation dependent, but refer to the "Security
Considerations" section of this document for a discussion of each.


So, sometimes BCC recipients do see the Bcc header.

--
Jasen.
🇺🇦 Слава Україні