Can I Retrieve Email Addresses from BCC?
How can I unmask the e-mail addresses in a Bcc field when I am just a recipient?
Need very simple, step-by-step instructions for someone who doesn't code. I have received a group e-mail and would really like to see the others who got it.
edited 15 hours ago
Fermi paradox
1257
asked yesterday
Jenny BJenny B
12913
New contributor
Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 3 more comments
How can I unmask the e-mail addresses in a Bcc field when I am just a recipient?
Need very simple, step-by-step instructions for someone who doesn't code. I have received a group e-mail and would really like to see the others who got it.
edited 15 hours ago
Fermi paradox
1257
asked yesterday
Jenny BJenny B
12913
New contributor
Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
129
Not being able to do this is the exact point of Bcc.
– chrylis
yesterday
52
I have a feeling there's a followup question coming on workplace.SE
– Sombrero Chicken
20 hours ago
2
You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...
– MonkeyZeus
16 hours ago
10
@chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.
– David Z
14 hours ago
4
Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.
– Harper
10 hours ago
|
show 3 more comments
How can I unmask the e-mail addresses in a Bcc field when I am just a recipient?
Need very simple, step-by-step instructions for someone who doesn't code. I have received a group e-mail and would really like to see the others who got it.
edited 15 hours ago
Fermi paradox
1257
asked yesterday
Jenny BJenny B
12913
New contributor
Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
How can I unmask the e-mail addresses in a Bcc field when I am just a recipient?
Need very simple, step-by-step instructions for someone who doesn't code. I have received a group e-mail and would really like to see the others who got it.
edited 15 hours ago
Fermi paradox
1257
asked yesterday
Jenny BJenny B
12913
New contributor
Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 15 hours ago
Fermi paradox
1257
asked yesterday
Jenny BJenny B
12913
New contributor
Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 15 hours ago
Fermi paradox
1257
edited 15 hours ago
Fermi paradox
1257
edited 15 hours ago
Fermi paradox
1257
1257
asked yesterday
Jenny BJenny B
12913
New contributor
Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked yesterday
Jenny BJenny B
12913
asked yesterday
Jenny BJenny B
12913
12913
New contributor
Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Jenny B is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
129
Not being able to do this is the exact point of Bcc.
– chrylis
yesterday
52
I have a feeling there's a followup question coming on workplace.SE
– Sombrero Chicken
20 hours ago
2
You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...
– MonkeyZeus
16 hours ago
10
@chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.
– David Z
14 hours ago
4
Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.
– Harper
10 hours ago
|
show 3 more comments
129
Not being able to do this is the exact point of Bcc.
– chrylis
yesterday
52
I have a feeling there's a followup question coming on workplace.SE
– Sombrero Chicken
20 hours ago
2
You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...
– MonkeyZeus
16 hours ago
10
@chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.
– David Z
14 hours ago
4
Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.
– Harper
10 hours ago
129
129
Not being able to do this is the exact point of Bcc.
– chrylis
yesterday
Not being able to do this is the exact point of Bcc.
– chrylis
yesterday
52
52
I have a feeling there's a followup question coming on workplace.SE
– Sombrero Chicken
20 hours ago
I have a feeling there's a followup question coming on workplace.SE
– Sombrero Chicken
20 hours ago
2
2
You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...
– MonkeyZeus
16 hours ago
You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...
– MonkeyZeus
16 hours ago
10
10
@chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.
– David Z
14 hours ago
@chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.
– David Z
14 hours ago
4
4
Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.
– Harper
10 hours ago
Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.
– Harper
10 hours ago
|
show 3 more comments
3 Answers
3
active
oldest
votes
You can't. You simply won't have any information about the Bcc header when you receive the mail, so you there's nothing to "unmask".
The way Bcc is designed is specified in RFC 2822, under section 3.6.3. To quote the specification:
The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
addresses of recipients of the message whose addresses are not to be
revealed to other recipients of the message. There are three ways in
which the "Bcc:" field is used. In the first case, when a message
containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
removed even though all of the recipients (including those specified
in the "Bcc:" field) are sent a copy of the message. In the second
case, recipients specified in the "To:" and "Cc:" lines each are sent
a copy of the message with the "Bcc:" line removed as above, but the
recipients on the "Bcc:" line get a separate copy of the message
containing a "Bcc:" line. (When there are multiple recipient
addresses in the "Bcc:" field, some implementations actually send a
separate copy of the message to each recipient with a "Bcc:"
containing only the address of that particular recipient.) Finally,
since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
sent without any addresses indicating to the recipients that blind
copies were sent to someone. Which method to use with "Bcc:" fields
is implementation dependent, but refer to the "Security
Considerations" section of this document for a discussion of each.
When a message is a reply to another message, the mailboxes of the
authors of the original message (the mailboxes in the "From:" field)
or mailboxes specified in the "Reply-To:" field (if it exists) MAY
appear in the "To:" field of the reply since these would normally be
the primary recipients of the reply. If a reply is sent to a message
that has destination fields, it is often desirable to send a copy of
the reply to all of the recipients of the message, in addition to the
author. When such a reply is formed, addresses in the "To:" and "Cc:"
fields of the original message MAY appear in the "Cc:" field of the
reply, since these are normally secondary recipients of the reply. If
a "Bcc:" field is present in the original message, addresses in that
field MAY appear in the "Bcc:" field of the reply, but SHOULD NOT
appear in the "To:" or "Cc:" fields.
Note: Some mail applications have automatic reply commands that
include the destination addresses of the original message in the
destination addresses of the reply. How those reply commands behave
is implementation dependent and is beyond the scope of this document.
In particular, whether or not to include the original destination
addresses when the original message had a "Reply-To:" field is not
addressed here.
In practice the case where To and Cc recipients receive no Bcc line, but each Bcc'ed address receives a Bcc line containing only their email address, is most common. This provides no indication of a Bcc to the To and Cc recipients, and indicates to the Bcc'ed recipients that they were sent the email via the use of Bcc without revealing other Bcc recipients.
answered yesterday
PolynomialPolynomial
101k32249342
8
each Bcc'ed address receives a Bcc line containing only their email address, is most common.Is it? That would require sending the message multiple times instead of a single message with multipleRCPT TO:commands. What MUA would do that?
– Esa Jokinen
yesterday
@EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.
– Selcuk
yesterday
3
The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to addRCPT TOasBcc:. It's more likely in aReceived:header asfor <user@example.com>.
– Esa Jokinen
yesterday
@EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.
– Polynomial
20 hours ago
2
That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on theTo&Ccheaders. MUA just saves theBccwhen saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.
– Esa Jokinen
20 hours ago
|
show 4 more comments
Typically not possible if you don't have control over the sender SMTP server since this field is not transmitted to the recipient SMTP server.
When sending a mail, the sender SMTP server checks the BCC field and creates a copy for each recipient listed, removing the list of other recipients.
That is the whole point of BCC functionality.
answered yesterday
NaoyNaoy
32113
add a comment |
Request For Comments (RFC) standard (published by The Internet Engineering Task Force (IETF)) specifies that recipients of an email, sent to recipients specified in "BCC" header may receive the email but not be aware of any other recipients mentioned in the header. Specifically, "addresses are not to be revealed to other recipients of the message".
It's a request to SMTP servers to reflect current practice (protocol) for the Internet community by The Internet Society.
Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction.
So if you're a recipient of an email from a compliant (mail) server, you won't receive other recipients emails mentioned in the "BCC" field, unless you're in control of the sending (SMTP) server, the incoming (POP,IMAP, etc) server, and all the relay servers that routed the IP packets.
answered 20 hours ago
ZimbaZimba
471
New contributor
Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
"Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.
– abligh
2 hours ago
Are there laws requiring IETF RFC compliance for email systems now?
– grawity
1 hour ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Jenny B is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206003%2fcan-i-retrieve-email-addresses-from-bcc%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
You can't. You simply won't have any information about the Bcc header when you receive the mail, so you there's nothing to "unmask".
The way Bcc is designed is specified in RFC 2822, under section 3.6.3. To quote the specification:
The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
addresses of recipients of the message whose addresses are not to be
revealed to other recipients of the message. There are three ways in
which the "Bcc:" field is used. In the first case, when a message
containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
removed even though all of the recipients (including those specified
in the "Bcc:" field) are sent a copy of the message. In the second
case, recipients specified in the "To:" and "Cc:" lines each are sent
a copy of the message with the "Bcc:" line removed as above, but the
recipients on the "Bcc:" line get a separate copy of the message
containing a "Bcc:" line. (When there are multiple recipient
addresses in the "Bcc:" field, some implementations actually send a
separate copy of the message to each recipient with a "Bcc:"
containing only the address of that particular recipient.) Finally,
since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
sent without any addresses indicating to the recipients that blind
copies were sent to someone. Which method to use with "Bcc:" fields
is implementation dependent, but refer to the "Security
Considerations" section of this document for a discussion of each.
When a message is a reply to another message, the mailboxes of the
authors of the original message (the mailboxes in the "From:" field)
or mailboxes specified in the "Reply-To:" field (if it exists) MAY
appear in the "To:" field of the reply since these would normally be
the primary recipients of the reply. If a reply is sent to a message
that has destination fields, it is often desirable to send a copy of
the reply to all of the recipients of the message, in addition to the
author. When such a reply is formed, addresses in the "To:" and "Cc:"
fields of the original message MAY appear in the "Cc:" field of the
reply, since these are normally secondary recipients of the reply. If
a "Bcc:" field is present in the original message, addresses in that
field MAY appear in the "Bcc:" field of the reply, but SHOULD NOT
appear in the "To:" or "Cc:" fields.
Note: Some mail applications have automatic reply commands that
include the destination addresses of the original message in the
destination addresses of the reply. How those reply commands behave
is implementation dependent and is beyond the scope of this document.
In particular, whether or not to include the original destination
addresses when the original message had a "Reply-To:" field is not
addressed here.
In practice the case where To and Cc recipients receive no Bcc line, but each Bcc'ed address receives a Bcc line containing only their email address, is most common. This provides no indication of a Bcc to the To and Cc recipients, and indicates to the Bcc'ed recipients that they were sent the email via the use of Bcc without revealing other Bcc recipients.
answered yesterday
PolynomialPolynomial
101k32249342
8
each Bcc'ed address receives a Bcc line containing only their email address, is most common.Is it? That would require sending the message multiple times instead of a single message with multipleRCPT TO:commands. What MUA would do that?
– Esa Jokinen
yesterday
@EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.
– Selcuk
yesterday
3
The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to addRCPT TOasBcc:. It's more likely in aReceived:header asfor <user@example.com>.
– Esa Jokinen
yesterday
@EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.
– Polynomial
20 hours ago
2
That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on theTo&Ccheaders. MUA just saves theBccwhen saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.
– Esa Jokinen
20 hours ago
|
show 4 more comments
You can't. You simply won't have any information about the Bcc header when you receive the mail, so you there's nothing to "unmask".
The way Bcc is designed is specified in RFC 2822, under section 3.6.3. To quote the specification:
The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
addresses of recipients of the message whose addresses are not to be
revealed to other recipients of the message. There are three ways in
which the "Bcc:" field is used. In the first case, when a message
containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
removed even though all of the recipients (including those specified
in the "Bcc:" field) are sent a copy of the message. In the second
case, recipients specified in the "To:" and "Cc:" lines each are sent
a copy of the message with the "Bcc:" line removed as above, but the
recipients on the "Bcc:" line get a separate copy of the message
containing a "Bcc:" line. (When there are multiple recipient
addresses in the "Bcc:" field, some implementations actually send a
separate copy of the message to each recipient with a "Bcc:"
containing only the address of that particular recipient.) Finally,
since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
sent without any addresses indicating to the recipients that blind
copies were sent to someone. Which method to use with "Bcc:" fields
is implementation dependent, but refer to the "Security
Considerations" section of this document for a discussion of each.
When a message is a reply to another message, the mailboxes of the
authors of the original message (the mailboxes in the "From:" field)
or mailboxes specified in the "Reply-To:" field (if it exists) MAY
appear in the "To:" field of the reply since these would normally be
the primary recipients of the reply. If a reply is sent to a message
that has destination fields, it is often desirable to send a copy of
the reply to all of the recipients of the message, in addition to the
author. When such a reply is formed, addresses in the "To:" and "Cc:"
fields of the original message MAY appear in the "Cc:" field of the
reply, since these are normally secondary recipients of the reply. If
a "Bcc:" field is present in the original message, addresses in that
field MAY appear in the "Bcc:" field of the reply, but SHOULD NOT
appear in the "To:" or "Cc:" fields.
Note: Some mail applications have automatic reply commands that
include the destination addresses of the original message in the
destination addresses of the reply. How those reply commands behave
is implementation dependent and is beyond the scope of this document.
In particular, whether or not to include the original destination
addresses when the original message had a "Reply-To:" field is not
addressed here.
In practice the case where To and Cc recipients receive no Bcc line, but each Bcc'ed address receives a Bcc line containing only their email address, is most common. This provides no indication of a Bcc to the To and Cc recipients, and indicates to the Bcc'ed recipients that they were sent the email via the use of Bcc without revealing other Bcc recipients.
answered yesterday
PolynomialPolynomial
101k32249342
8
each Bcc'ed address receives a Bcc line containing only their email address, is most common.Is it? That would require sending the message multiple times instead of a single message with multipleRCPT TO:commands. What MUA would do that?
– Esa Jokinen
yesterday
@EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.
– Selcuk
yesterday
3
The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to addRCPT TOasBcc:. It's more likely in aReceived:header asfor <user@example.com>.
– Esa Jokinen
yesterday
@EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.
– Polynomial
20 hours ago
2
That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on theTo&Ccheaders. MUA just saves theBccwhen saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.
– Esa Jokinen
20 hours ago
|
show 4 more comments
You can't. You simply won't have any information about the Bcc header when you receive the mail, so you there's nothing to "unmask".
The way Bcc is designed is specified in RFC 2822, under section 3.6.3. To quote the specification:
The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
addresses of recipients of the message whose addresses are not to be
revealed to other recipients of the message. There are three ways in
which the "Bcc:" field is used. In the first case, when a message
containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
removed even though all of the recipients (including those specified
in the "Bcc:" field) are sent a copy of the message. In the second
case, recipients specified in the "To:" and "Cc:" lines each are sent
a copy of the message with the "Bcc:" line removed as above, but the
recipients on the "Bcc:" line get a separate copy of the message
containing a "Bcc:" line. (When there are multiple recipient
addresses in the "Bcc:" field, some implementations actually send a
separate copy of the message to each recipient with a "Bcc:"
containing only the address of that particular recipient.) Finally,
since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
sent without any addresses indicating to the recipients that blind
copies were sent to someone. Which method to use with "Bcc:" fields
is implementation dependent, but refer to the "Security
Considerations" section of this document for a discussion of each.
When a message is a reply to another message, the mailboxes of the
authors of the original message (the mailboxes in the "From:" field)
or mailboxes specified in the "Reply-To:" field (if it exists) MAY
appear in the "To:" field of the reply since these would normally be
the primary recipients of the reply. If a reply is sent to a message
that has destination fields, it is often desirable to send a copy of
the reply to all of the recipients of the message, in addition to the
author. When such a reply is formed, addresses in the "To:" and "Cc:"
fields of the original message MAY appear in the "Cc:" field of the
reply, since these are normally secondary recipients of the reply. If
a "Bcc:" field is present in the original message, addresses in that
field MAY appear in the "Bcc:" field of the reply, but SHOULD NOT
appear in the "To:" or "Cc:" fields.
Note: Some mail applications have automatic reply commands that
include the destination addresses of the original message in the
destination addresses of the reply. How those reply commands behave
is implementation dependent and is beyond the scope of this document.
In particular, whether or not to include the original destination
addresses when the original message had a "Reply-To:" field is not
addressed here.
In practice the case where To and Cc recipients receive no Bcc line, but each Bcc'ed address receives a Bcc line containing only their email address, is most common. This provides no indication of a Bcc to the To and Cc recipients, and indicates to the Bcc'ed recipients that they were sent the email via the use of Bcc without revealing other Bcc recipients.
answered yesterday
PolynomialPolynomial
101k32249342
You can't. You simply won't have any information about the Bcc header when you receive the mail, so you there's nothing to "unmask".
The way Bcc is designed is specified in RFC 2822, under section 3.6.3. To quote the specification:
The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
addresses of recipients of the message whose addresses are not to be
revealed to other recipients of the message. There are three ways in
which the "Bcc:" field is used. In the first case, when a message
containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
removed even though all of the recipients (including those specified
in the "Bcc:" field) are sent a copy of the message. In the second
case, recipients specified in the "To:" and "Cc:" lines each are sent
a copy of the message with the "Bcc:" line removed as above, but the
recipients on the "Bcc:" line get a separate copy of the message
containing a "Bcc:" line. (When there are multiple recipient
addresses in the "Bcc:" field, some implementations actually send a
separate copy of the message to each recipient with a "Bcc:"
containing only the address of that particular recipient.) Finally,
since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
sent without any addresses indicating to the recipients that blind
copies were sent to someone. Which method to use with "Bcc:" fields
is implementation dependent, but refer to the "Security
Considerations" section of this document for a discussion of each.
When a message is a reply to another message, the mailboxes of the
authors of the original message (the mailboxes in the "From:" field)
or mailboxes specified in the "Reply-To:" field (if it exists) MAY
appear in the "To:" field of the reply since these would normally be
the primary recipients of the reply. If a reply is sent to a message
that has destination fields, it is often desirable to send a copy of
the reply to all of the recipients of the message, in addition to the
author. When such a reply is formed, addresses in the "To:" and "Cc:"
fields of the original message MAY appear in the "Cc:" field of the
reply, since these are normally secondary recipients of the reply. If
a "Bcc:" field is present in the original message, addresses in that
field MAY appear in the "Bcc:" field of the reply, but SHOULD NOT
appear in the "To:" or "Cc:" fields.
Note: Some mail applications have automatic reply commands that
include the destination addresses of the original message in the
destination addresses of the reply. How those reply commands behave
is implementation dependent and is beyond the scope of this document.
In particular, whether or not to include the original destination
addresses when the original message had a "Reply-To:" field is not
addressed here.
In practice the case where To and Cc recipients receive no Bcc line, but each Bcc'ed address receives a Bcc line containing only their email address, is most common. This provides no indication of a Bcc to the To and Cc recipients, and indicates to the Bcc'ed recipients that they were sent the email via the use of Bcc without revealing other Bcc recipients.
answered yesterday
PolynomialPolynomial
101k32249342
answered yesterday
PolynomialPolynomial
101k32249342
answered yesterday
PolynomialPolynomial
101k32249342
answered yesterday
PolynomialPolynomial
101k32249342
101k32249342
8
each Bcc'ed address receives a Bcc line containing only their email address, is most common.Is it? That would require sending the message multiple times instead of a single message with multipleRCPT TO:commands. What MUA would do that?
– Esa Jokinen
yesterday
@EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.
– Selcuk
yesterday
3
The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to addRCPT TOasBcc:. It's more likely in aReceived:header asfor <user@example.com>.
– Esa Jokinen
yesterday
@EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.
– Polynomial
20 hours ago
2
That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on theTo&Ccheaders. MUA just saves theBccwhen saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.
– Esa Jokinen
20 hours ago
|
show 4 more comments
8
each Bcc'ed address receives a Bcc line containing only their email address, is most common.Is it? That would require sending the message multiple times instead of a single message with multipleRCPT TO:commands. What MUA would do that?
– Esa Jokinen
yesterday
@EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.
– Selcuk
yesterday
3
The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to addRCPT TOasBcc:. It's more likely in aReceived:header asfor <user@example.com>.
– Esa Jokinen
yesterday
@EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.
– Polynomial
20 hours ago
2
That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on theTo&Ccheaders. MUA just saves theBccwhen saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.
– Esa Jokinen
20 hours ago
8
8
each Bcc'ed address receives a Bcc line containing only their email address, is most common. Is it? That would require sending the message multiple times instead of a single message with multiple RCPT TO: commands. What MUA would do that?– Esa Jokinen
yesterday
each Bcc'ed address receives a Bcc line containing only their email address, is most common. Is it? That would require sending the message multiple times instead of a single message with multiple RCPT TO: commands. What MUA would do that?– Esa Jokinen
yesterday
@EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.
– Selcuk
yesterday
@EsaJokinen What other choice does the MUA have when the recipients are on different domains? BCC simply forces that behaviour.
– Selcuk
yesterday
3
3
The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to add
RCPT TO as Bcc:. It's more likely in a Received: header as for <user@example.com>.– Esa Jokinen
yesterday
The MUA sends it only once to the MTA, and the MTA starts delivering it separately to all the different domains. The thing is that MTAs won't usually bother to add
RCPT TO as Bcc:. It's more likely in a Received: header as for <user@example.com>.– Esa Jokinen
yesterday
@EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.
– Polynomial
20 hours ago
@EsaJokinen I am somewhat unfamiliar with the underlying process between MUAs and MTAs, but ultimately the effect is the same - you receive an email with some indication that you were Bcc'ed (not in the To or Cc lines) and no information about other Bcc recipients.
– Polynomial
20 hours ago
2
2
That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on the
To & Cc headers. MUA just saves the Bcc when saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.– Esa Jokinen
20 hours ago
That's true: you know that you were Bcc'd (or otherwise undisclosed) from not being on the
To & Cc headers. MUA just saves the Bcc when saving the mail to the senders Sent-folder, but it's not part of the message sent via SMTP.– Esa Jokinen
20 hours ago
|
show 4 more comments
Typically not possible if you don't have control over the sender SMTP server since this field is not transmitted to the recipient SMTP server.
When sending a mail, the sender SMTP server checks the BCC field and creates a copy for each recipient listed, removing the list of other recipients.
That is the whole point of BCC functionality.
answered yesterday
NaoyNaoy
32113
add a comment |
Typically not possible if you don't have control over the sender SMTP server since this field is not transmitted to the recipient SMTP server.
When sending a mail, the sender SMTP server checks the BCC field and creates a copy for each recipient listed, removing the list of other recipients.
That is the whole point of BCC functionality.
answered yesterday
NaoyNaoy
32113
add a comment |
Typically not possible if you don't have control over the sender SMTP server since this field is not transmitted to the recipient SMTP server.
When sending a mail, the sender SMTP server checks the BCC field and creates a copy for each recipient listed, removing the list of other recipients.
That is the whole point of BCC functionality.
answered yesterday
NaoyNaoy
32113
Typically not possible if you don't have control over the sender SMTP server since this field is not transmitted to the recipient SMTP server.
When sending a mail, the sender SMTP server checks the BCC field and creates a copy for each recipient listed, removing the list of other recipients.
That is the whole point of BCC functionality.
answered yesterday
NaoyNaoy
32113
answered yesterday
NaoyNaoy
32113
answered yesterday
NaoyNaoy
32113
answered yesterday
NaoyNaoy
32113
32113
add a comment |
add a comment |
Request For Comments (RFC) standard (published by The Internet Engineering Task Force (IETF)) specifies that recipients of an email, sent to recipients specified in "BCC" header may receive the email but not be aware of any other recipients mentioned in the header. Specifically, "addresses are not to be revealed to other recipients of the message".
It's a request to SMTP servers to reflect current practice (protocol) for the Internet community by The Internet Society.
Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction.
So if you're a recipient of an email from a compliant (mail) server, you won't receive other recipients emails mentioned in the "BCC" field, unless you're in control of the sending (SMTP) server, the incoming (POP,IMAP, etc) server, and all the relay servers that routed the IP packets.
answered 20 hours ago
ZimbaZimba
471
New contributor
Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
"Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.
– abligh
2 hours ago
Are there laws requiring IETF RFC compliance for email systems now?
– grawity
1 hour ago
add a comment |
Request For Comments (RFC) standard (published by The Internet Engineering Task Force (IETF)) specifies that recipients of an email, sent to recipients specified in "BCC" header may receive the email but not be aware of any other recipients mentioned in the header. Specifically, "addresses are not to be revealed to other recipients of the message".
It's a request to SMTP servers to reflect current practice (protocol) for the Internet community by The Internet Society.
Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction.
So if you're a recipient of an email from a compliant (mail) server, you won't receive other recipients emails mentioned in the "BCC" field, unless you're in control of the sending (SMTP) server, the incoming (POP,IMAP, etc) server, and all the relay servers that routed the IP packets.
answered 20 hours ago
ZimbaZimba
471
New contributor
Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
"Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.
– abligh
2 hours ago
Are there laws requiring IETF RFC compliance for email systems now?
– grawity
1 hour ago
add a comment |
Request For Comments (RFC) standard (published by The Internet Engineering Task Force (IETF)) specifies that recipients of an email, sent to recipients specified in "BCC" header may receive the email but not be aware of any other recipients mentioned in the header. Specifically, "addresses are not to be revealed to other recipients of the message".
It's a request to SMTP servers to reflect current practice (protocol) for the Internet community by The Internet Society.
Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction.
So if you're a recipient of an email from a compliant (mail) server, you won't receive other recipients emails mentioned in the "BCC" field, unless you're in control of the sending (SMTP) server, the incoming (POP,IMAP, etc) server, and all the relay servers that routed the IP packets.
answered 20 hours ago
ZimbaZimba
471
New contributor
Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Request For Comments (RFC) standard (published by The Internet Engineering Task Force (IETF)) specifies that recipients of an email, sent to recipients specified in "BCC" header may receive the email but not be aware of any other recipients mentioned in the header. Specifically, "addresses are not to be revealed to other recipients of the message".
It's a request to SMTP servers to reflect current practice (protocol) for the Internet community by The Internet Society.
Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction.
So if you're a recipient of an email from a compliant (mail) server, you won't receive other recipients emails mentioned in the "BCC" field, unless you're in control of the sending (SMTP) server, the incoming (POP,IMAP, etc) server, and all the relay servers that routed the IP packets.
answered 20 hours ago
ZimbaZimba
471
New contributor
Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 20 hours ago
ZimbaZimba
471
New contributor
Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 20 hours ago
ZimbaZimba
471
answered 20 hours ago
ZimbaZimba
471
471
New contributor
Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Zimba is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
"Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.
– abligh
2 hours ago
Are there laws requiring IETF RFC compliance for email systems now?
– grawity
1 hour ago
add a comment |
"Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.
– abligh
2 hours ago
Are there laws requiring IETF RFC compliance for email systems now?
– grawity
1 hour ago
"Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.
– abligh
2 hours ago
"Those found to be not compliant may be segregated and if found to be rogue, will be banned/blacklisted, and even prosecuted when found to conduct activities in contravention of laws in the jurisdiction." - I would suggest this is an extremely unlikely outcome for a server that leaked BCC addresses. Moreover, if a message is BCC'd to x@foo.com and y@bar.com, and foo.com and y.com have different SMTP servers, bar.com will not even receive the x@foo.com's address to leak, so there would be no point in "segregating" it as its leaks only affect its own users.
– abligh
2 hours ago
Are there laws requiring IETF RFC compliance for email systems now?
– grawity
1 hour ago
Are there laws requiring IETF RFC compliance for email systems now?
– grawity
1 hour ago
add a comment |
Jenny B is a new contributor. Be nice, and check out our Code of Conduct.
Jenny B is a new contributor. Be nice, and check out our Code of Conduct.
Jenny B is a new contributor. Be nice, and check out our Code of Conduct.
Jenny B is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206003%2fcan-i-retrieve-email-addresses-from-bcc%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
129
Not being able to do this is the exact point of Bcc.
– chrylis
yesterday
52
I have a feeling there's a followup question coming on workplace.SE
– Sombrero Chicken
20 hours ago
2
You would have to hack into the SMTP server that sent you the email and decipher the incoming logs to see the BCC. You, as an average person will most likely have a tough time achieving this...
– MonkeyZeus
16 hours ago
10
@chrylis To be fair, there are so many cases where information that shouldn't be accessible is merely hidden, that I can understand how a person would think it might be possible.
– David Z
14 hours ago
4
Nothing easier. Sue the sender then use a subpoena to compel disclosure of the original message.
– Harper
10 hours ago