Can I Retrieve Email Addresses from BCC?












22















How can I unmask the e-mail addresses in a Bcc field when I am just a recipient?



Need very simple, step-by-step instructions for someone who doesn't code. I have received a group e-mail and would really like to see the others who got it.










share|improve this question









New contributor




Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 129





    Not being able to do this is the exact point of Bcc.

    – chrylis
    yesterday






  • 52





    I have a feeling there's a followup question coming on workplace.SE

    – Sombrero Chicken
    20 hours ago






  • 2





    You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...

    – MonkeyZeus
    16 hours ago






  • 10





    @chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.

    – David Z
    14 hours ago






  • 4





    Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.

    – Harper
    10 hours ago
















22















How can I unmask the e-mail addresses in a Bcc field when I am just a recipient?



Need very simple, step-by-step instructions for someone who doesn't code. I have received a group e-mail and would really like to see the others who got it.










share|improve this question









New contributor




Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 129





    Not being able to do this is the exact point of Bcc.

    – chrylis
    yesterday






  • 52





    I have a feeling there's a followup question coming on workplace.SE

    – Sombrero Chicken
    20 hours ago






  • 2





    You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...

    – MonkeyZeus
    16 hours ago






  • 10





    @chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.

    – David Z
    14 hours ago






  • 4





    Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.

    – Harper
    10 hours ago














22












22








22


1






How can I unmask the e-mail addresses in a Bcc field when I am just a recipient?



Need very simple, step-by-step instructions for someone who doesn't code. I have received a group e-mail and would really like to see the others who got it.










share|improve this question









New contributor




Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












How can I unmask the e-mail addresses in a Bcc field when I am just a recipient?



Need very simple, step-by-step instructions for someone who doesn't code. I have received a group e-mail and would really like to see the others who got it.







email






share|improve this question









New contributor




Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 15 hours ago









Fermi paradox

1257




1257






New contributor




Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









Jenny BJenny B

12913




12913




New contributor




Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 129





    Not being able to do this is the exact point of Bcc.

    – chrylis
    yesterday






  • 52





    I have a feeling there's a followup question coming on workplace.SE

    – Sombrero Chicken
    20 hours ago






  • 2





    You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...

    – MonkeyZeus
    16 hours ago






  • 10





    @chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.

    – David Z
    14 hours ago






  • 4





    Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.

    – Harper
    10 hours ago














  • 129





    Not being able to do this is the exact point of Bcc.

    – chrylis
    yesterday






  • 52





    I have a feeling there's a followup question coming on workplace.SE

    – Sombrero Chicken
    20 hours ago






  • 2





    You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...

    – MonkeyZeus
    16 hours ago






  • 10





    @chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.

    – David Z
    14 hours ago






  • 4





    Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.

    – Harper
    10 hours ago








129




129





Not being able to do this is the exact point of Bcc.

– chrylis
yesterday





Not being able to do this is the exact point of Bcc.

– chrylis
yesterday




52




52





I have a feeling there's a followup question coming on workplace.SE

– Sombrero Chicken
20 hours ago





I have a feeling there's a followup question coming on workplace.SE

– Sombrero Chicken
20 hours ago




2




2





You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...

– MonkeyZeus
16 hours ago





You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...

– MonkeyZeus
16 hours ago




10




10





@chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.

– David Z
14 hours ago





@chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.

– David Z
14 hours ago




4




4





Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.

– Harper
10 hours ago





Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.

– Harper
10 hours ago










3 Answers
3






active

oldest

votes


















79














You can't. You simply won't have any information about the Bcc header when you receive the mail, so you there's nothing to "unmask".



The way Bcc is designed is specified in RFC 2822, under section 3.6.3. To quote the specification:




The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
addresses of recipients of the message whose addresses are not to be
revealed to other recipients of the message. There are three ways in
which the "Bcc:" field is used. In the first case, when a message
containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
removed even though all of the recipients (including those specified
in the "Bcc:" field) are sent a copy of the message. In the second
case, recipients specified in the "To:" and "Cc:" lines each are sent
a copy of the message with the "Bcc:" line removed as above, but the
recipients on the "Bcc:" line get a separate copy of the message
containing a "Bcc:" line. (When there are multiple recipient
addresses in the "Bcc:" field, some implementations actually send a
separate copy of the message to each recipient with a "Bcc:"
containing only the address of that particular recipient.) Finally,
since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
sent without any addresses indicating to the recipients that blind
copies were sent to someone. Which method to use with "Bcc:" fields
is implementation dependent, but refer to the "Security
Considerations" section of this document for a discussion of each.



When a message is a reply to another message, the mailboxes of the
authors of the original message (the mailboxes in the "From:" field)
or mailboxes specified in the "Reply-To:" field (if it exists) MAY
appear in the "To:" field of the reply since these would normally be
the primary recipients of the reply. If a reply is sent to a message
that has destination fields, it is often desirable to send a copy of
the reply to all of the recipients of the message, in addition to the
author. When such a reply is formed, addresses in the "To:" and "Cc:"
fields of the original message MAY appear in the "Cc:" field of the
reply, since these are normally secondary recipients of the reply. If
a "Bcc:" field is present in the original message, addresses in that
field MAY appear in the "Bcc:" field of the reply, but SHOULD NOT
appear in the "To:" or "Cc:" fields.



Note: Some mail applications have automatic reply commands that
include the destination addresses of the original message in the
destination addresses of the reply. How those reply commands behave
is implementation dependent and is beyond the scope of this document.
In particular, whether or not to include the original destination
addresses when the original message had a "Reply-To:" field is not
addressed here.




In practice the case where To and Cc recipients receive no Bcc line, but each Bcc'ed address receives a Bcc line containing only their email address, is most common. This provides no indication of a Bcc to the To and Cc recipients, and indicates to the Bcc'ed recipients that they were sent the email via the use of Bcc without revealing other Bcc recipients.






share|improve this answer



















  • 8





    each Bcc'ed address receives a Bcc line containing only their email address, is most common. Is it? That would require sending the message multiple times instead of a single message with multiple RCPT TO: commands. What MUA would do that?

    – Esa Jokinen
    yesterday













  • @EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.

    – Selcuk
    yesterday






  • 3





    The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to add RCPT TO as Bcc:. It's more likely in a Received: header as for <user@example.com>.

    – Esa Jokinen
    yesterday













  • @EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.

    – Polynomial
    20 hours ago






  • 2





    That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on the To & Cc headers. MUA just saves the Bcc when saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.

    – Esa Jokinen
    20 hours ago





















21














Typically not possible if you don't have control over the sender SMTP server since this field is not transmitted to the recipient SMTP server.



When sending a mail, the sender SMTP server checks the BCC field and creates a copy for each recipient listed, removing the list of other recipients.
That is the whole point of BCC functionality.






share|improve this answer































    2














    Request For Comments (RFC) standard (published by The Internet Engineering Task Force (IETF)) specifies that recipients of an email, sent to recipients specified in "BCC" header may receive the email but not be aware of any other recipients mentioned in the header. Specifically, "addresses are not to be revealed to other recipients of the message".



    It's a request to SMTP servers to reflect current practice (protocol) for the Internet community by The Internet Society.



    Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction.



    So if you're a recipient of an email from a compliant (mail) server, you won't receive other recipients emails mentioned in the "BCC" field, unless you're in control of the sending (SMTP) server, the incoming (POP,IMAP, etc) server, and all the relay servers that routed the IP packets.






    share|improve this answer








    New contributor




    Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















    • "Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.

      – abligh
      2 hours ago













    • Are there laws requiring IETF RFC compliance for email systems now?

      – grawity
      1 hour ago











    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "162"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    Jenny B is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206003%2fcan-i-retrieve-email-addresses-from-bcc%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    79














    You can't. You simply won't have any information about the Bcc header when you receive the mail, so you there's nothing to "unmask".



    The way Bcc is designed is specified in RFC 2822, under section 3.6.3. To quote the specification:




    The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
    addresses of recipients of the message whose addresses are not to be
    revealed to other recipients of the message. There are three ways in
    which the "Bcc:" field is used. In the first case, when a message
    containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
    removed even though all of the recipients (including those specified
    in the "Bcc:" field) are sent a copy of the message. In the second
    case, recipients specified in the "To:" and "Cc:" lines each are sent
    a copy of the message with the "Bcc:" line removed as above, but the
    recipients on the "Bcc:" line get a separate copy of the message
    containing a "Bcc:" line. (When there are multiple recipient
    addresses in the "Bcc:" field, some implementations actually send a
    separate copy of the message to each recipient with a "Bcc:"
    containing only the address of that particular recipient.) Finally,
    since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
    sent without any addresses indicating to the recipients that blind
    copies were sent to someone. Which method to use with "Bcc:" fields
    is implementation dependent, but refer to the "Security
    Considerations" section of this document for a discussion of each.



    When a message is a reply to another message, the mailboxes of the
    authors of the original message (the mailboxes in the "From:" field)
    or mailboxes specified in the "Reply-To:" field (if it exists) MAY
    appear in the "To:" field of the reply since these would normally be
    the primary recipients of the reply. If a reply is sent to a message
    that has destination fields, it is often desirable to send a copy of
    the reply to all of the recipients of the message, in addition to the
    author. When such a reply is formed, addresses in the "To:" and "Cc:"
    fields of the original message MAY appear in the "Cc:" field of the
    reply, since these are normally secondary recipients of the reply. If
    a "Bcc:" field is present in the original message, addresses in that
    field MAY appear in the "Bcc:" field of the reply, but SHOULD NOT
    appear in the "To:" or "Cc:" fields.



    Note: Some mail applications have automatic reply commands that
    include the destination addresses of the original message in the
    destination addresses of the reply. How those reply commands behave
    is implementation dependent and is beyond the scope of this document.
    In particular, whether or not to include the original destination
    addresses when the original message had a "Reply-To:" field is not
    addressed here.




    In practice the case where To and Cc recipients receive no Bcc line, but each Bcc'ed address receives a Bcc line containing only their email address, is most common. This provides no indication of a Bcc to the To and Cc recipients, and indicates to the Bcc'ed recipients that they were sent the email via the use of Bcc without revealing other Bcc recipients.






    share|improve this answer



















    • 8





      each Bcc'ed address receives a Bcc line containing only their email address, is most common. Is it? That would require sending the message multiple times instead of a single message with multiple RCPT TO: commands. What MUA would do that?

      – Esa Jokinen
      yesterday













    • @EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.

      – Selcuk
      yesterday






    • 3





      The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to add RCPT TO as Bcc:. It's more likely in a Received: header as for <user@example.com>.

      – Esa Jokinen
      yesterday













    • @EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.

      – Polynomial
      20 hours ago






    • 2





      That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on the To & Cc headers. MUA just saves the Bcc when saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.

      – Esa Jokinen
      20 hours ago


















    79














    You can't. You simply won't have any information about the Bcc header when you receive the mail, so you there's nothing to "unmask".



    The way Bcc is designed is specified in RFC 2822, under section 3.6.3. To quote the specification:




    The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
    addresses of recipients of the message whose addresses are not to be
    revealed to other recipients of the message. There are three ways in
    which the "Bcc:" field is used. In the first case, when a message
    containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
    removed even though all of the recipients (including those specified
    in the "Bcc:" field) are sent a copy of the message. In the second
    case, recipients specified in the "To:" and "Cc:" lines each are sent
    a copy of the message with the "Bcc:" line removed as above, but the
    recipients on the "Bcc:" line get a separate copy of the message
    containing a "Bcc:" line. (When there are multiple recipient
    addresses in the "Bcc:" field, some implementations actually send a
    separate copy of the message to each recipient with a "Bcc:"
    containing only the address of that particular recipient.) Finally,
    since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
    sent without any addresses indicating to the recipients that blind
    copies were sent to someone. Which method to use with "Bcc:" fields
    is implementation dependent, but refer to the "Security
    Considerations" section of this document for a discussion of each.



    When a message is a reply to another message, the mailboxes of the
    authors of the original message (the mailboxes in the "From:" field)
    or mailboxes specified in the "Reply-To:" field (if it exists) MAY
    appear in the "To:" field of the reply since these would normally be
    the primary recipients of the reply. If a reply is sent to a message
    that has destination fields, it is often desirable to send a copy of
    the reply to all of the recipients of the message, in addition to the
    author. When such a reply is formed, addresses in the "To:" and "Cc:"
    fields of the original message MAY appear in the "Cc:" field of the
    reply, since these are normally secondary recipients of the reply. If
    a "Bcc:" field is present in the original message, addresses in that
    field MAY appear in the "Bcc:" field of the reply, but SHOULD NOT
    appear in the "To:" or "Cc:" fields.



    Note: Some mail applications have automatic reply commands that
    include the destination addresses of the original message in the
    destination addresses of the reply. How those reply commands behave
    is implementation dependent and is beyond the scope of this document.
    In particular, whether or not to include the original destination
    addresses when the original message had a "Reply-To:" field is not
    addressed here.




    In practice the case where To and Cc recipients receive no Bcc line, but each Bcc'ed address receives a Bcc line containing only their email address, is most common. This provides no indication of a Bcc to the To and Cc recipients, and indicates to the Bcc'ed recipients that they were sent the email via the use of Bcc without revealing other Bcc recipients.






    share|improve this answer



















    • 8





      each Bcc'ed address receives a Bcc line containing only their email address, is most common. Is it? That would require sending the message multiple times instead of a single message with multiple RCPT TO: commands. What MUA would do that?

      – Esa Jokinen
      yesterday













    • @EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.

      – Selcuk
      yesterday






    • 3





      The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to add RCPT TO as Bcc:. It's more likely in a Received: header as for <user@example.com>.

      – Esa Jokinen
      yesterday













    • @EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.

      – Polynomial
      20 hours ago






    • 2





      That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on the To & Cc headers. MUA just saves the Bcc when saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.

      – Esa Jokinen
      20 hours ago
















    79












    79








    79







    You can't. You simply won't have any information about the Bcc header when you receive the mail, so you there's nothing to "unmask".



    The way Bcc is designed is specified in RFC 2822, under section 3.6.3. To quote the specification:




    The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
    addresses of recipients of the message whose addresses are not to be
    revealed to other recipients of the message. There are three ways in
    which the "Bcc:" field is used. In the first case, when a message
    containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
    removed even though all of the recipients (including those specified
    in the "Bcc:" field) are sent a copy of the message. In the second
    case, recipients specified in the "To:" and "Cc:" lines each are sent
    a copy of the message with the "Bcc:" line removed as above, but the
    recipients on the "Bcc:" line get a separate copy of the message
    containing a "Bcc:" line. (When there are multiple recipient
    addresses in the "Bcc:" field, some implementations actually send a
    separate copy of the message to each recipient with a "Bcc:"
    containing only the address of that particular recipient.) Finally,
    since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
    sent without any addresses indicating to the recipients that blind
    copies were sent to someone. Which method to use with "Bcc:" fields
    is implementation dependent, but refer to the "Security
    Considerations" section of this document for a discussion of each.



    When a message is a reply to another message, the mailboxes of the
    authors of the original message (the mailboxes in the "From:" field)
    or mailboxes specified in the "Reply-To:" field (if it exists) MAY
    appear in the "To:" field of the reply since these would normally be
    the primary recipients of the reply. If a reply is sent to a message
    that has destination fields, it is often desirable to send a copy of
    the reply to all of the recipients of the message, in addition to the
    author. When such a reply is formed, addresses in the "To:" and "Cc:"
    fields of the original message MAY appear in the "Cc:" field of the
    reply, since these are normally secondary recipients of the reply. If
    a "Bcc:" field is present in the original message, addresses in that
    field MAY appear in the "Bcc:" field of the reply, but SHOULD NOT
    appear in the "To:" or "Cc:" fields.



    Note: Some mail applications have automatic reply commands that
    include the destination addresses of the original message in the
    destination addresses of the reply. How those reply commands behave
    is implementation dependent and is beyond the scope of this document.
    In particular, whether or not to include the original destination
    addresses when the original message had a "Reply-To:" field is not
    addressed here.




    In practice the case where To and Cc recipients receive no Bcc line, but each Bcc'ed address receives a Bcc line containing only their email address, is most common. This provides no indication of a Bcc to the To and Cc recipients, and indicates to the Bcc'ed recipients that they were sent the email via the use of Bcc without revealing other Bcc recipients.






    share|improve this answer













    You can't. You simply won't have any information about the Bcc header when you receive the mail, so you there's nothing to "unmask".



    The way Bcc is designed is specified in RFC 2822, under section 3.6.3. To quote the specification:




    The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
    addresses of recipients of the message whose addresses are not to be
    revealed to other recipients of the message. There are three ways in
    which the "Bcc:" field is used. In the first case, when a message
    containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
    removed even though all of the recipients (including those specified
    in the "Bcc:" field) are sent a copy of the message. In the second
    case, recipients specified in the "To:" and "Cc:" lines each are sent
    a copy of the message with the "Bcc:" line removed as above, but the
    recipients on the "Bcc:" line get a separate copy of the message
    containing a "Bcc:" line. (When there are multiple recipient
    addresses in the "Bcc:" field, some implementations actually send a
    separate copy of the message to each recipient with a "Bcc:"
    containing only the address of that particular recipient.) Finally,
    since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
    sent without any addresses indicating to the recipients that blind
    copies were sent to someone. Which method to use with "Bcc:" fields
    is implementation dependent, but refer to the "Security
    Considerations" section of this document for a discussion of each.



    When a message is a reply to another message, the mailboxes of the
    authors of the original message (the mailboxes in the "From:" field)
    or mailboxes specified in the "Reply-To:" field (if it exists) MAY
    appear in the "To:" field of the reply since these would normally be
    the primary recipients of the reply. If a reply is sent to a message
    that has destination fields, it is often desirable to send a copy of
    the reply to all of the recipients of the message, in addition to the
    author. When such a reply is formed, addresses in the "To:" and "Cc:"
    fields of the original message MAY appear in the "Cc:" field of the
    reply, since these are normally secondary recipients of the reply. If
    a "Bcc:" field is present in the original message, addresses in that
    field MAY appear in the "Bcc:" field of the reply, but SHOULD NOT
    appear in the "To:" or "Cc:" fields.



    Note: Some mail applications have automatic reply commands that
    include the destination addresses of the original message in the
    destination addresses of the reply. How those reply commands behave
    is implementation dependent and is beyond the scope of this document.
    In particular, whether or not to include the original destination
    addresses when the original message had a "Reply-To:" field is not
    addressed here.




    In practice the case where To and Cc recipients receive no Bcc line, but each Bcc'ed address receives a Bcc line containing only their email address, is most common. This provides no indication of a Bcc to the To and Cc recipients, and indicates to the Bcc'ed recipients that they were sent the email via the use of Bcc without revealing other Bcc recipients.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered yesterday









    PolynomialPolynomial

    101k32249342




    101k32249342








    • 8





      each Bcc'ed address receives a Bcc line containing only their email address, is most common. Is it? That would require sending the message multiple times instead of a single message with multiple RCPT TO: commands. What MUA would do that?

      – Esa Jokinen
      yesterday













    • @EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.

      – Selcuk
      yesterday






    • 3





      The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to add RCPT TO as Bcc:. It's more likely in a Received: header as for <user@example.com>.

      – Esa Jokinen
      yesterday













    • @EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.

      – Polynomial
      20 hours ago






    • 2





      That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on the To & Cc headers. MUA just saves the Bcc when saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.

      – Esa Jokinen
      20 hours ago
















    • 8





      each Bcc'ed address receives a Bcc line containing only their email address, is most common. Is it? That would require sending the message multiple times instead of a single message with multiple RCPT TO: commands. What MUA would do that?

      – Esa Jokinen
      yesterday













    • @EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.

      – Selcuk
      yesterday






    • 3





      The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to add RCPT TO as Bcc:. It's more likely in a Received: header as for <user@example.com>.

      – Esa Jokinen
      yesterday













    • @EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.

      – Polynomial
      20 hours ago






    • 2





      That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on the To & Cc headers. MUA just saves the Bcc when saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.

      – Esa Jokinen
      20 hours ago










    8




    8





    each Bcc'ed address receives a Bcc line containing only their email address, is most common. Is it? That would require sending the message multiple times instead of a single message with multiple RCPT TO: commands. What MUA would do that?

    – Esa Jokinen
    yesterday







    each Bcc'ed address receives a Bcc line containing only their email address, is most common. Is it? That would require sending the message multiple times instead of a single message with multiple RCPT TO: commands. What MUA would do that?

    – Esa Jokinen
    yesterday















    @EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.

    – Selcuk
    yesterday





    @EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.

    – Selcuk
    yesterday




    3




    3





    The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to add RCPT TO as Bcc:. It's more likely in a Received: header as for <user@example.com>.

    – Esa Jokinen
    yesterday







    The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to add RCPT TO as Bcc:. It's more likely in a Received: header as for <user@example.com>.

    – Esa Jokinen
    yesterday















    @EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.

    – Polynomial
    20 hours ago





    @EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.

    – Polynomial
    20 hours ago




    2




    2





    That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on the To & Cc headers. MUA just saves the Bcc when saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.

    – Esa Jokinen
    20 hours ago







    That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on the To & Cc headers. MUA just saves the Bcc when saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.

    – Esa Jokinen
    20 hours ago















    21














    Typically not possible if you don't have control over the sender SMTP server since this field is not transmitted to the recipient SMTP server.



    When sending a mail, the sender SMTP server checks the BCC field and creates a copy for each recipient listed, removing the list of other recipients.
    That is the whole point of BCC functionality.






    share|improve this answer




























      21














      Typically not possible if you don't have control over the sender SMTP server since this field is not transmitted to the recipient SMTP server.



      When sending a mail, the sender SMTP server checks the BCC field and creates a copy for each recipient listed, removing the list of other recipients.
      That is the whole point of BCC functionality.






      share|improve this answer


























        21












        21








        21







        Typically not possible if you don't have control over the sender SMTP server since this field is not transmitted to the recipient SMTP server.



        When sending a mail, the sender SMTP server checks the BCC field and creates a copy for each recipient listed, removing the list of other recipients.
        That is the whole point of BCC functionality.






        share|improve this answer













        Typically not possible if you don't have control over the sender SMTP server since this field is not transmitted to the recipient SMTP server.



        When sending a mail, the sender SMTP server checks the BCC field and creates a copy for each recipient listed, removing the list of other recipients.
        That is the whole point of BCC functionality.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered yesterday









        NaoyNaoy

        32113




        32113























            2














            Request For Comments (RFC) standard (published by The Internet Engineering Task Force (IETF)) specifies that recipients of an email, sent to recipients specified in "BCC" header may receive the email but not be aware of any other recipients mentioned in the header. Specifically, "addresses are not to be revealed to other recipients of the message".



            It's a request to SMTP servers to reflect current practice (protocol) for the Internet community by The Internet Society.



            Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction.



            So if you're a recipient of an email from a compliant (mail) server, you won't receive other recipients emails mentioned in the "BCC" field, unless you're in control of the sending (SMTP) server, the incoming (POP,IMAP, etc) server, and all the relay servers that routed the IP packets.






            share|improve this answer








            New contributor




            Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





















            • "Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.

              – abligh
              2 hours ago













            • Are there laws requiring IETF RFC compliance for email systems now?

              – grawity
              1 hour ago
















            2














            Request For Comments (RFC) standard (published by The Internet Engineering Task Force (IETF)) specifies that recipients of an email, sent to recipients specified in "BCC" header may receive the email but not be aware of any other recipients mentioned in the header. Specifically, "addresses are not to be revealed to other recipients of the message".



            It's a request to SMTP servers to reflect current practice (protocol) for the Internet community by The Internet Society.



            Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction.



            So if you're a recipient of an email from a compliant (mail) server, you won't receive other recipients emails mentioned in the "BCC" field, unless you're in control of the sending (SMTP) server, the incoming (POP,IMAP, etc) server, and all the relay servers that routed the IP packets.






            share|improve this answer








            New contributor




            Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





















            • "Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.

              – abligh
              2 hours ago













            • Are there laws requiring IETF RFC compliance for email systems now?

              – grawity
              1 hour ago














            2












            2








            2







            Request For Comments (RFC) standard (published by The Internet Engineering Task Force (IETF)) specifies that recipients of an email, sent to recipients specified in "BCC" header may receive the email but not be aware of any other recipients mentioned in the header. Specifically, "addresses are not to be revealed to other recipients of the message".



            It's a request to SMTP servers to reflect current practice (protocol) for the Internet community by The Internet Society.



            Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction.



            So if you're a recipient of an email from a compliant (mail) server, you won't receive other recipients emails mentioned in the "BCC" field, unless you're in control of the sending (SMTP) server, the incoming (POP,IMAP, etc) server, and all the relay servers that routed the IP packets.






            share|improve this answer








            New contributor




            Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.










            Request For Comments (RFC) standard (published by The Internet Engineering Task Force (IETF)) specifies that recipients of an email, sent to recipients specified in "BCC" header may receive the email but not be aware of any other recipients mentioned in the header. Specifically, "addresses are not to be revealed to other recipients of the message".



            It's a request to SMTP servers to reflect current practice (protocol) for the Internet community by The Internet Society.



            Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction.



            So if you're a recipient of an email from a compliant (mail) server, you won't receive other recipients emails mentioned in the "BCC" field, unless you're in control of the sending (SMTP) server, the incoming (POP,IMAP, etc) server, and all the relay servers that routed the IP packets.







            share|improve this answer








            New contributor




            Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            share|improve this answer



            share|improve this answer






            New contributor




            Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            answered 20 hours ago









            ZimbaZimba

            471




            471




            New contributor




            Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





            New contributor





            Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.






            Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.













            • "Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.

              – abligh
              2 hours ago













            • Are there laws requiring IETF RFC compliance for email systems now?

              – grawity
              1 hour ago



















            • "Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.

              – abligh
              2 hours ago













            • Are there laws requiring IETF RFC compliance for email systems now?

              – grawity
              1 hour ago

















            "Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.

            – abligh
            2 hours ago







            "Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.

            – abligh
            2 hours ago















            Are there laws requiring IETF RFC compliance for email systems now?

            – grawity
            1 hour ago





            Are there laws requiring IETF RFC compliance for email systems now?

            – grawity
            1 hour ago










            Jenny B is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            Jenny B is a new contributor. Be nice, and check out our Code of Conduct.













            Jenny B is a new contributor. Be nice, and check out our Code of Conduct.












            Jenny B is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206003%2fcan-i-retrieve-email-addresses-from-bcc%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Færeyskur hestur Heimild | Tengill | Tilvísanir | LeiðsagnarvalRossið - síða um færeyska hrossið á færeyskuGott ár hjá færeyska hestinum

            He _____ here since 1970 . Answer needed [closed]What does “since he was so high” mean?Meaning of “catch birds for”?How do I ensure “since” takes the meaning I want?“Who cares here” meaningWhat does “right round toward” mean?the time tense (had now been detected)What does the phrase “ring around the roses” mean here?Correct usage of “visited upon”Meaning of “foiled rail sabotage bid”It was the third time I had gone to Rome or It is the third time I had been to Rome

            Bunad