A possible privacy vulnerability has been found in Mail Essentials from GFI Software. The first BCC address recipient is inserted inside the e-mail's standard header, thus revealing its identity.
Credit:
The information has been provided by Ronan Waide.
Vulnerable systems:
Mail essentials 5
Immune systems:
Mail essentials 2000
Headers that are handled by Mail Essentials have been found to contain the following:
Received: From mail.server by other.server
Mail essentials (server 2.422) with SMTP id: <513@mail.server> for <bcc_person@address>; Wed, 29 Aug 2001 16:19:12 +0100 smtp mail from <originator@address>
The 'bcc_person@address' is, presumably, the first person on the BCC list.
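One way to check stored mail for this kind of leak, as an added example that is not part of the original advisory: it compares the `for <...>` clause of each Received header against the recipients visible in To and Cc. The sample message, the function name `leaked_recipients` and the `own_address` parameter are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the header quoted above; addresses are placeholders.
SAMPLE = (
    "Received: From mail.server by other.server\n"
    " Mail essentials (server 2.422) with SMTP id: <513@mail.server>"
    " for <bcc_person@address>; Wed, 29 Aug 2001 16:19:12 +0100"
    " smtp mail from <originator@address>\n"
    "From: originator@address\n"
    "To: visible_person@address\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Matches the "for <addr>" clause a relay may write into a Received header.
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def leaked_recipients(raw_message, own_address=None):
    """Return addresses named in Received 'for' clauses that are not in To/Cc.

    own_address is the mailbox the copy was delivered to; a 'for' clause that
    names the reader's own address discloses nothing new, so it is ignored.
    """
    msg = message_from_string(raw_message)
    visible_fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(visible_fields) if addr}
    if own_address:
        visible.add(own_address.lower())

    leaked = []
    for received in msg.get_all("Received", []):
        for addr in FOR_CLAUSE.findall(received):
            addr = addr.lower()
            if addr not in visible and addr not in leaked:
                leaked.append(addr)
    return leaked


if __name__ == "__main__":
    for addr in leaked_recipients(SAMPLE):
        print("Received header discloses a non-visible recipient:", addr)
```
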
Vendor response:
The following response has been received from GFI:
"GFI has received a report that Mail essentials 5, an email content checking and anti-virus gateway, has an issue where in some cases an email in the Bcc field is stored in the Internet headers.
GFI would like to clarify that this problem exists only in Mail essentials 5, which is an old version of the product. GFI already has an upgrade to Mail essentials 5 and customers can upgrade to the latest version for free; this has been the case for the past year.
It is important to note that, although the Bcc is saved in the email, it is saved in a section of the SMTP Internet headers - which the email client does not show by default; for users to see this information, they must open the email in a detailed view. Also, this problem arises only in 2 cases, the first case being when an email is sent with approximately 100 emails in the To field and 2 or more emails in the Bcc field, and the second when an email is sent with no recipients in the To field and with 2 or more recipients in the Bcc field."