At 8:21 AM -0800 2/28/12, Ned Freed wrote:
> > (Not to mention that bcc "fields" should not exist anyway - that's the
> > whole point)
> Strongy disagree. The problem with implementations that cheat and implement
> Bcc: by generating a single message copy with the Bcc: addresses only
> appearing in the envelope is that those recipients do not get any sort
> of indication that that were Bcc:'ed. If they don't realize that and
> do a reply-all, the cat's out of the bad and the sender may be in big
> trouble.
Another source of potential BCC leakage are MTAs, which might record
all local recipients. Most MTAs only record the recipient in a
"Received:" header field if there is only one, but there have been
some which record all. If the MUA generates multiple message objects
and transactions, it no longer relies on the MTAs also not letting
the feline escape its confinement/concealment.
Good point. I haven't seen that particular leakage, but I have seen one case
where a for clause for only one recipient, selected who knows how, got inserted
into a multi-recipient message and the message wasn't split.
Of course the only way to be absolutely certain your bcc never leaks out is not
to send it. But a certain amount of prudence on the part of implementors in the
face of potential infrastructure issues is still a good thing.
Ned