
OT: are BCC header lines legitimate ?
Sorry for being a bit off topic:
recently we had incoming phishing mails which all had a BCC header line.
So I thought, that's easy to defend and I introduced a data ACL

deny condition = ${if def:h_BCC: {yes}{no}}

My logs revealed a lot of them and I was afraid of doing some overblocking.
So I changed the "deny" into a "warn", shifted the ACL further down below spam
and virus scan and added some logging.

The outcome is that there are really a bunch of incoming mails
with a BCC header, which seems to be no spam.

And furthermore about 90% are coming from Google hosts like e.g. mail-qk1-x742.google.com

So my question for discussion here:
is there any legitimate use to have a BCC header present
or is this all crap and can be rejected ?

My understanding is that when I use BCC in my MUA there is one mail
with two (or more) envelope recipients but no BCC header.
The BCC header is only present in the copy in my sent folder.

Regards, Olaf

--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Dipl.-Geophys. Olaf Hopp

Zirkel 2
Gebäude 20.21, Raum 316
76131 Karlsruhe

Telefon: +49 721 608-48009
E-Mail: Olaf.Hopp@kit.edu
Web: www.scc.kit.edu

Sitz der Körperschaft:
Kaiserstraße 12, 76131 Karlsruhe

KIT - Die Forschungsuniversität in der Helmholtz-Gemeinschaft
Re: OT: are BCC header lines legitimate ?
> is there any legitimate use to have a BCC header present

Have you checked the fine documentation?
RFC 5322 Internet Message Format
3.6.3. Destination Address Fields
look for "Bcc".
(it's fairly long and there are probably more places in the RFCs
about this, e.g., RFC 5323).

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: OT: are BCC header lines legitimate ?
On 12 April 2023 11:18:28 UTC, Claus Assmann via Exim-users <exim-users@exim.org> wrote:
>> is there any legitimate use to have a BCC header present
>
>Have you checked the fine documentation?
>RFC 5322 Internet Message Forma

While legitimate, it is not common and can be used as a spam
indicator. Of course not standalone; I use it as part of rspamd
scoring, it adds small points, not enough to mark as SPAM,
but counts with others, especially useful for gmail, where one
cannot expect many bad points from RBLs or so...

regards


--
Slavko
https://www.slavino.sk/

Re: OT: are BCC header lines legitimate ?
On 2023-04-12, Olaf Hopp (SCC) via Exim-users <exim-users@exim.org> wrote:

> Sorry for being a bit off topic:
> recently we had incoming phishing mails which all had a BCC header line.
> So I thought, that's easy to defend and I introduced a data ACL
>
> deny condition = ${if def:h_BCC: {yes}{no}}
>
> My logs revealed a lot of them and I was afraid of doing some overblocking.
> So I changed the "deny" into a "warn", shifted the ACL further down below spam
> and virus scan and added some logging.
>
> The outcome is that there are really a bunch of incoming mails
> with a BCC header, which seems to be no spam.
>
> And forthermore about 90% are coming from Google hosts like e.g. mail-qk1-x742.google.com
>
> So my question for discussion here:
> is there any legitimate use to have a BCC header present
> or is this all crap and can be rejected ?

https://www.rfc-editor.org/rfc/rfc5322#section-3.6.3

The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
addresses of recipients of the message whose addresses are not to be
revealed to other recipients of the message. There are three ways in
which the "Bcc:" field is used. In the first case, when a message
containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
removed even though all of the recipients (including those specified
in the "Bcc:" field) are sent a copy of the message. In the second
case, recipients specified in the "To:" and "Cc:" lines each are sent
a copy of the message with the "Bcc:" line removed as above, but the
recipients on the "Bcc:" line get a separate copy of the message
containing a "Bcc:" line. (When there are multiple recipient
addresses in the "Bcc:" field, some implementations actually send a
separate copy of the message to each recipient with a "Bcc:"
containing only the address of that particular recipient.) Finally,
since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
sent without any addresses indicating to the recipients that blind
copies were sent to someone. Which method to use with "Bcc:" fields
is implementation dependent, but refer to the "Security
Considerations" section of this document for a discussion of each.


So, sometimes BCC recipients do see the Bcc header.

--
Jasen.

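The three Bcc handling methods quoted above from RFC 5322 section 3.6.3, as an added Python example that is not part of this thread; the draft message, addresses and per-recipient behaviour for method 2 are constructed assumptions, and `has_bcc_header` is the receiver-side equivalent of Olaf's `${if def:h_BCC:...}` test:

```python
"""Added example (not from the thread): how a sending MUA/MSA may handle a
Bcc: field per RFC 5322 section 3.6.3, using the standard email package.
The draft message and all addresses are constructed samples."""
import copy
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed draft as a MUA would compose it before submission.
DRAFT = """\
From: alice@example.org
To: bob@example.org
Cc: carol@example.org
Bcc: dave@example.net, erin@example.net
Subject: test
Message-ID: <constructed-1@example.org>

hello
"""

def bcc_copies(draft: str, method: int) -> list[tuple[str, Message]]:
    """Return (envelope recipient, message copy) pairs for one delivery.

    method 1: Bcc: removed from every copy (what Olaf expected).
    method 2: To/Cc copies lose Bcc:; each Bcc recipient gets a copy whose
              Bcc: names only that recipient (the per-recipient variant the
              RFC mentions; some senders keep the full Bcc list instead).
    method 3: every copy carries an empty Bcc: field, signalling that blind
              copies went to someone.
    """
    msg = message_from_string(draft)
    visible = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    hidden = [a for _, a in getaddresses(msg.get_all("Bcc", []))]
    out = []
    for rcpt in visible + hidden:
        m = copy.deepcopy(msg)
        del m["Bcc"]                      # all three methods start by stripping it
        if method == 2 and rcpt in hidden:
            m["Bcc"] = rcpt               # blind recipient sees only itself
        elif method == 3:
            m["Bcc"] = ""                 # empty field, present for everyone
        out.append((rcpt, m))
    return out

def has_bcc_header(raw: str) -> bool:
    """Receiver-side check: true when a Bcc: field exists at all, even if empty,
    matching what Exim's ${if def:h_BCC:...} condition tests."""
    return "Bcc" in message_from_string(raw)
```

Methods 2 and 3 both produce legitimate inbound mail that trips the `def:h_BCC` test, which is why a bare `deny` overblocks and a `warn` feeding a weighted score is the safer choice.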