2
Gmail reveals addresses in BCC field
Question asked by Robert Mathias - 11/22/2021 at 10:50 AM
Unanswered
If you send an email and list recipients in the BCC field then only the sender should be able to see the BCC recipients.

If the BCC recipients are a mixture of Gmail accounts and non-Gmail then the non-Gmail accounts do not see the BCC lists, which is correct. However any recipient that is a Gmail account can see the full BCC list. 

This is not only wrong, but a breach of GDPR as private email addresses are shared with people who are not entitled to see them. This little known “feature” of Gmail appears to go back to at least 2014.

Is there any way SmarterMail could handle this other than using a mailing list?

5 Replies

Reply to Thread
1
Matt Petty Replied
Employee Post
We do this stripping of BCC while its in the spool before its sent, are you sure these messages came from us?

It's the responsibility of the sender to strip the BCC header right before it is transmitted to the recipient SMTP server. Our spool does this however seeing messages in a GMAIL account with this problem could mean they came from a source that wasn't us or used a mechanism of ours that would bypass the BCC removal-logic. If SmarterMail transmitted the emails your seeing in the GMAIL account then it might be need to be looked into as a bug, is this your case?
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Robert Mathias Replied
Hi Matt - I see what you mean. However I have tested this on two separate SM servers by sending emails to myself and including both my GMail and Outlook accounts in the BCC. When I view the email in my GMail account the addresses are shown in the BCC. Not so in Outlook or SM. 

One of our clients brought this too our attention as a (GMAil) recipient of one of their emails could see all the recipients in the BCC field. 
1
Matt Petty Replied
Employee Post
I just did a test from SM webmail where I composed an email TO "example@gmail.com" with BCC  "example@hotmail.com" and "example@example.com". When viewing the message in Gmail I do not see the BCC. I'd try to figure out how these messages are getting to your user. It's not the software's responsibility to hide BCC its the senders servers responsibility to not even include it. The fact your able to see it in Google means whoever sent to TO google is NOT stripping BCC.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Robert Mathias Replied
Hi Matt - I'll open a support ticket so I can send you details. I also need to run some more tests here.
Thanks for your input!
0
Kyle Kerst Replied
Employee Post
I tested this as well following a scenario similar to Robert's, but was not able to replicate. As part of the ticket handling I'm seeking access to logs/configuration so we can take another look. Will report back once we narrow it down. Thanks Robert!
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com

Reply to Thread