Is BCCing e-mails guaranteed to be reliable?

29

3

In other words is it a safe assumption that no-one of recipients will ever see e-mails in BCC? What if the recipient is an administrator of his (but not sender's) mail server and can do any modifications to his server?

qwerty

Posted 2011-10-11T11:56:24.837

Reputation: 291

For what it is worth I am having an issue with just this ATM. http://stackoverflow.com/questions/31527974/bcc-recipients-visible-to-eachother/31528084

– johnsnails – 2015-07-21T00:34:16.487

15Generally email is not secure and not reliable. If the recipient is an admin of his server then he can do pretty much anything to it. – Lord Peter – 2011-10-11T12:09:39.693

Answers

21

No. SMTP is a plaintext protocol, using store-and-forward methods.

What this means:

  • Plaintext: Every server that relays this message sees it in its entirety, including all header information. Although each recipient in the BCC field typically gets their own e-mail (so the server sends out a customized e-mail where all the other BCC recipients should be stripped out (emphasis on should!), as opposed to CC, where the data is retained), that one single e-mail is still stored in the headers, in plaintext (no encryption, no obfuscation, nothing).
  • Store-and-forward: The e-mail doesn't necessarily go to the recipient's mail server directly, but could be (and usually is) forwarded over a series of intermediate e-mail servers; it is stored on each one (for an indefinite amount of time) and then forwarded to the next hop (again, not necessarily the final destination).
  • consider that the e-mail is sent to a non-existent, full, blocked, or otherwise non-functional address - the copy of the mail, along with diagnostic data, can end up in multiple places, not all of them necessarily mailboxes (e.g. error logs or the postmaster mailbox)
  • (this before your e-mail ends up at the destination's mailservers, who could store it forever and readily hand it to whomever comes along with a subpoena, but that's a slightly different story)

In other words, your assumption is unsafe. If you want privacy and security, use digital signatures and encryption, e.g. GPG; vanilla e-mail is the wrong tool for such a job.

Piskvor left the building

Posted 2011-10-11T11:56:24.837

Reputation: 2 277

1How does encryption solve the problem of hiding recipients? – detly – 2011-10-12T02:45:18.390

It doesn't, but Piskvor wasn't necessarily talking about the recipient mailboxes of the message when referencing privacy, merely the contents. AFAIK, it's generally not possible to hide the recipients of an email unless it can be forwarded through non-logging proxies. If your message is so secret that you need to mask the recipients as well as the contents, you need to find another communication mechanism. – afrazier – 2011-10-12T03:39:15.453

2I was with Piskvor until the last sentence. If all you want to do is hide recipients from each other, then you just need a mail client that can send all the BCCs individually. – Steve Bennett – 2011-10-12T06:52:33.047

@afrazier: Had I not already added a competing answer, I'd have downvoted this one for not answering the OP's question. – Blrfl – 2011-10-13T13:04:59.140

1BCC recipients are not recorded in the email header (except for very old and broken MTAs). A standard mail server doesn't even look at the header, it only uses the envelope to decide where emails should go. – Adrian Pronk – 2011-10-14T08:35:18.493

13

Any mail transfer agent (MTA) that fully complies with RFC 2822 (specifically, section 3.6.3, Destination address fields) will remove the Bcc: field from the header before attempting delivery, making it impossible for the non-blind recipients to determine the blind recipients' identities.

There are a couple of catches:

  • Unless you have control over the very first MTA that your outbound emails reach, you cannot guarantee that the software on that MTA will do as RFC 2822 instructs.

  • The fact that an email from you to a recipient who may have been blind-copied traversed one or more MTAs may survive in the logs of those MTAs.

Blrfl

Posted 2011-10-11T11:56:24.837

Reputation: 519

1Great answer specifically addressing "no-one of recipients will ever see e-mails [addresses] in BCC". You can test what your first MTA does with BCC headers by sending an email to an email reply-bot that returns the headers of your email. – sabre23t – 2011-10-15T23:48:56.933

The MTA is not supposed to even see the Bcc: header; instead, the MUA (mail client program) should specify all addresses in the SMTP envelope (MAIL FROM). – user1686 – 2011-11-07T08:49:08.137

That trick won't work in all cases because the standards don't require that delivery traverses something that can be given a recipient address outside of the headers. MTP didn't exist until six years after the BCC behavior was first defined (RFC 680, in 1975); SMTP came a year later. – Blrfl – 2011-11-07T11:54:19.200
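The header/envelope split discussed in the answer and comments above, as an added example that is not part of any post on this page: a submission step turns every To/Cc/Bcc address into an envelope recipient and drops the Bcc: header from the copy that goes on the wire, and a second function does the "view the source" check on a raw message. The addresses are constructed and the function names are hypothetical.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses


def constructed_draft():
    """A constructed sample message with two blind-copied recipients."""
    draft = EmailMessage()
    draft["From"] = "alice@example.org"
    draft["To"] = "bob@example.net"
    draft["Cc"] = "carol@example.net"
    draft["Bcc"] = "dave@example.com, Erin <erin@example.com>"
    draft["Subject"] = "Quarterly numbers"
    draft.set_content("See attached.")
    return draft


def split_envelope(draft):
    """Return (envelope_recipients, wire_bytes) for a draft message.

    Every To/Cc/Bcc address becomes an envelope recipient (SMTP RCPT TO).
    The Bcc: header is removed from the copy that is transmitted, so it
    exists only in the envelope from this point on.
    """
    rcpts = []
    for field in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(draft.get_all(field, [])):
            if addr and addr not in rcpts:
                rcpts.append(addr)
    # Re-parse to get an independent copy; the caller's draft is untouched.
    wire = message_from_bytes(draft.as_bytes(), policy=policy.SMTP)
    del wire["Bcc"]  # removes every Bcc: header; no error if there is none
    return rcpts, wire.as_bytes()


def leaked_bcc(draft, raw):
    """Blind-copied addresses from the draft that appear anywhere in raw."""
    bcc = [a for _n, a in getaddresses(draft.get_all("Bcc", [])) if a]
    text = raw.decode("utf-8", "replace").lower()
    return [a for a in bcc if a.lower() in text]


if __name__ == "__main__":
    d = constructed_draft()
    rcpts, wire = split_envelope(d)
    print("envelope:", rcpts)
    print("leak after stripping:", leaked_bcc(d, wire))
    print("leak if sent unmodified:", leaked_bcc(d, d.as_bytes()))
```

Running `leaked_bcc` against the raw source of a message you blind-copied to yourself is the same test the commenters suggest doing by hand.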

5

You should never assume that the recipients won't become aware of the BCC recipient. I've had BCCed recipients hit "Reply All" in their mail program, and announce to everyone their receipt of a mail before, in a stunning lack of understanding of what being BCCed actually meant. If you really need it to be private, forward the message from your Sent folder after you send it to the original recipients, so the only other address in the message headers is yours.

That said, even if you used BCC, as long as the BCCed recipient's server is separate from the original recipient, the recipient's server would not have access to the BCC information, as it would have been stripped out (or more likely never included in the message body) by your provider's mail server.

On a side note: SMTP is neither reliable, nor particularly private. Some posters claim that SMTP "chains" of servers exist, but in general, SMTP sends from your computer, to your ISP, to the recipient's ISP (and however many servers they have internally). In general, your mail will NOT be routed to a third party's mail server, and in fact such attempts are generally disallowed for anti-spam reasons. (There are exceptions, as small providers and home networks will forward to their provider, but this is the exception, not the rule.)

That said, email in transit is not guaranteed to be encrypted, and anything potentially sensitive really shouldn't be trusted unencrypted to the internet via ANY method, including email, as it's trivial for any large provider, or telco to tap the fibers running through their facilities, or log packets traveling across their routers.

The FBI regularly does so through the Carnivore and other programs, and rogue elements have been documented doing so in the past as well.

SplinterReality

Posted 2011-10-11T11:56:24.837

Reputation: 370

1"I've had BCCed recipients hit 'Reply All' in their mail program." This has never happened to me, but I've seen it happen numerous times. Your advice (don't Bcc, but forward after sending) is exactly what I do too. I hate to sound like an arrogant jerk, but sometimes you have to protect people from themselves. – Dan7119 – 2011-10-13T17:42:39.027

@Dan7119 Let me guess.. are you/were you a sysadmin too? – SplinterReality – 2011-10-14T05:50:06.070

Great answer. Even if stripping of BCC information is 100% reliable, the human factor ("BCCed recipients hit 'Reply All'") is not guaranteed reliable. I concur with "forward the message from your Sent folder", especially for non-tech-savvy BCCed recipients such as CEOs. – sabre23t – 2011-10-16T00:37:37.073

1

Your email client or server (don't know which) should strip out BCC information before sending a message. If you BCC yourself on a message and then view the source, you shouldn't find your email address anywhere except in the From line (verified this with my own mail).

zpletan

Posted 2011-10-11T11:56:24.837

Reputation: 894

Thank you. But my question is actually deeper and about reliability and security. Not how it is supposed to be in theory. – qwerty – 2011-10-11T12:24:43.130

Well, as far as I know, the way to see if theory matches practice is to BCC yourself on an email, view the source, and see if the BCC address is in there. – zpletan – 2011-10-11T12:25:29.570

Your email client doesn't strip out BCC information. That doesn't make any sense. – Steve Bennett – 2011-10-12T06:53:21.250

1

It all depends on the server. Most servers will take the BCC line and basically send the message once per address. basically putting the bcc address into cc line send, next address into cc line and send type thing. But it all depends on the MAIL server setup. BCC should never go further than your outgoing mail server.

Peter

Posted 2011-10-11T11:56:24.837

Reputation: 67

7False on three points. First, it is MUAs, not SMTP servers, that deal with Bcc: headers. By the time that things reach an SMTP server, the recipient addresses are in the message envelope, not the headers. Second, only SMTP Submission servers ever rewrite such headers in the first place. Third, messages are always sent once per envelope recipient. This isn't special or different. – JdeBP – 2011-10-11T14:29:04.707

1

Everything travelling on the net without digital signature or encryption can be easily modified. If you need end-to-end integrity for email, use PGP/GPG signing.

Also, you will need to transfer your public PGP/GPG key to recipients somehow (so they can verify your email messages are really yours). It's kind of a chicken-and-egg problem: this is to establish a safe comm channel, but it already requires a safe comm channel. Sending it via email is OK, but you need to verify the PGP/GPG key fingerprint by phone or by other means. Publishing it on an https-enabled website is also a good idea, as SSL provides the necessary transport integrity guarantees.

Mikhail Kupchik

Posted 2011-10-11T11:56:24.837

Reputation: 2 381