Pegasus Mail & Mercury


BREACH OF PRIVACY - Pegasus should not be doing this!

Last post 05-08-2020, 15:02 by Euler GERMAN. 10 replies.
  •  03-05-2018, 5:49

    BREACH OF PRIVACY - Pegasus should not be doing this!

    I'm experimenting with Pegasus 4.7. I sent an email to address "X" with a BCC to "A" and "B". (All three addresses are mine with different email providers.) To my surprise, I noticed, when reading it as recipient A and then as recipient B, that in the detailed headers there is a BCC field with addressees A and B, both listed in the clear in a comma-separated list. This should not be happening. Addressee A should never see addressee B and vice versa. BCC means (or should mean) that it is not only blind to X, the recipient in the "To" field, but also to each of the BCC recipients. Mailers other than Pegasus respect this principle.

    When I am not using Pegasus, my mail client of choice is Yahoo mail. Yahoo does this correctly. It strips out the BCC field before sending, then it sends a copy to A and B, so that neither sees the address of the other, and of course, X sees none of the others. X's address is visible to A and B, but that is the norm and is expected behaviour, unlike Pegasus's behaviour described above, which is not expected and contrary to all accepted email etiquette.

    Below is an extract of the relevant section in the detailed headers of the copy received by B, with the personal information redacted. I also have a transcript of the TCP session. If that is of interest to anyone, let me know and I'll post it here.

    Moongazer.

    Subject: test 1 with multiple BCCs
    Reply-to: xxxxxxxxxxxxx.xxx.xx
    BCC: aaaaaaaaaaaaaaa@aaaaa.aaa.aa, bbbbbbb@bbbbb.bbb
    Message-ID: <5A9CA2DB.1587.11111111@xxxxxxx.xxxxx.xxx.xx>
    X-Confirm-Reading-To: xxxxxxx@xxxxx.xxx.xx
    X-pmrqc: 1
    Return-receipt-to: xxxxxxx@xxxxx.xxx.xx
    Priority: normal
    X-mailer: Pegasus Mail for Windows (4.72.572)

     

  •  03-05-2018, 7:30

    Re: BREACH OF PRIVACY - Pegasus should not be doing this!

    This is weird. The behaviour I described in the first post of this thread is not occurring uniformly. It seems to depend on which SMTP host Pegasus is connecting to to send the mail.

     This makes me wonder: Whose responsibility is it to strip out the BCC field? Should it be done by the email client residing on my PC before sending (in this case Pegasus Mail), or should it be done by the SMTP server that Pegasus connects to?

    I have two identities set up in Pegasus, each using a different SMTP definition: (1) uses my ISP's SMTP server (smtp.ozemail.com.au), (2) uses Yahoo's SMTP server (smtp.mail.yahoo.com). The behaviour described in my first post occurred using (1). When I did the same thing using (2), it did not occur - there was no BCC field in the received emails.

    I thought maybe my ISP has not configured its SMTP server correctly. So I went to my ISP's website and sent a similar email from its online webmail client. I presume that that client is using IMAP, not SMTP, so that experiment may not be conclusive, but, wherever it was occurring (within the webmail client or the mail transport system it uses) it did the right thing and stripped out the BCC field.

    This still leaves me wondering where I should be laying the blame for the behaviour described in my first post - the authors of Pegasus or my ISP?

     

  •  03-05-2018, 9:18

    Shades

    Re: BREACH OF PRIVACY - Pegasus should not be doing this!

    I suspect more likely that as you have multiple ISPs you also have many IDs to go with them (?)

    If so, have you checked that you set "Suppress BCC field listings in outgoing mail" for each?


  •  03-05-2018, 11:01

    Re: BREACH OF PRIVACY - Pegasus should not be doing this!

    See:

    http://community.pmail.com/forums/thread/9227.aspx

    and

    http://community.pmail.com/forums/thread/29832.aspx

  •  03-05-2018, 11:19

    PaulW

    Re: BREACH OF PRIVACY - Pegasus should not be doing this!

    To summarise from 10 years ago:

    The primary purpose of BCC is to hide addresses from the TO and CC recipients, not from each BCC address.

    Pegasus also provides a mechanism to suppress the BCC line altogether if that's what you want.

  •  03-05-2018, 11:25

    Re: BREACH OF PRIVACY - Pegasus should not be doing this!

    Thank you, Shades, for that information.

    I only have one ISP (iiNet, which owns the Ozemail domain), and only two Pegasus identities - one for use with my ISP's mail servers and the other for when I'm using my Yahoo mail account. (AFAIK, Yahoo is not an ISP.)

     So I checked both id's and in both of them that setting was unchecked (probably the default value, because I didn't get around to setting all the options yet. After about half way down, I just skimmed through the rest and thought they don't look too crucial, I'll come back and do them later). So thank you for pointing me to the right setting. I ticked it, and then repeated the test with id (1), and now that header appears as "BCC: (Suppressed)"

     However, I'm not marking this as the definitive answer just yet, because it still leaves open the question: Whose responsibility is it to ensure that the BCC recipients' privacy is not breached? Should it be up to the mail client or the SMTP host? Is there a standard or at least a convention for this? In the previous tests described in my second post, when using id (2) (Yahoo) the complete absence of the BCC field indicates that Yahoo's SMTP server must have stripped it out of the headers. (Remember that option was unchecked in both id's at that time.) So that might suggest that by convention, it is done by the SMTP host. In which case, I ask, Why didn't my ISP's SMTP host do it? So it's unclear to me whose responsibility it is. And I question why Pegasus doesn't at least make the suppression of the BCC field's contents the default setting.

    Moongazer

  •  03-05-2018, 11:47

    Re: BREACH OF PRIVACY - Pegasus should not be doing this!

    Sorry Dilberts and Paul, your replies came through as I was writing my response to Shades. I see now, from following those links that the rules are quite flexible on this, so I guess it's not such a surprise after all to discover that different internet companies handle this differently from one another. I believe RFC stands for Request For Comment. Did they subsequently harden into rules that all software publishers and network operators are expected to follow? This too is a bit of a mystery to me, but having seen on one of those linked threads that the RFC officially provides for three ways of handling the BCC field, covering all possibilities, I guess there is no fixed rule.

    Moongazer

  •  03-05-2018, 19:51

    idw

    Re: BREACH OF PRIVACY - Pegasus should not be doing this!

    Moongazer:
    I believe RFC stands for Request For Comment. Did they subsequently harden into rules that all software publishers and network operators are expected to follow?

    See the Wikipedia article's elaborations on this, e.g.


    Michael

    --
    PGP Key ID (RSA 2048): 0xC45D831B
    PGP Plugin for Pegasus Mail: <http://www.pmpgp.de/pmpgp/>
    S/MIME Certificate Fingerprint: 94 c6 b4 71 0c 62 30 88 a5 b2 77 01 74 2b 86 66 3b 7e 65 7c
  •  05-07-2020, 11:02

    Sheepdog

    Re: BREACH OF PRIVACY - Pegasus should not be doing this!

    Correct me if I am wrong, and I may well be, but I suspect the question reveals two misunderstandings....

    "Should I blame the authors of Pegasus or my ISP for not stripping out the names in the BCC list?"

    I believe that should be "Should I blame the authors of Pegasus or the people who manage the server where my outgoing email is processed?"

    Now... that server may well be a server managed by your ISP. But those roles are not joined at the hip. If you use Gmail, for instance, then the email server your mail passes through is certainly not run by your ISP.

    And then there's the fundamental question of How Bcc Works. I believe that the underlying mechanism is that you ALWAYS send the email to your mail server with the whole list of intended recipients attached. This saves you sending the message 5 times if you have 5 people Bcc'd. It is a concession to efficiency. If some mail-servers are not set up to do what I think everyone would expect, then I would call that a badly managed mail-server.

    If we sent a piece of ordinary mail... you know, ink on paper, a stamp... we are used to using just one "channel"- the (old fashioned) Post Office.

    The answers to many email questions become easier to understand if you understand that the path an email FROM you takes is quite different from the path an email TO you takes.

     

  •  05-08-2020, 10:57

    PaulW

    Re: BREACH OF PRIVACY - Pegasus should not be doing this!

    Sheepdog:

    And then there's the fundamental question of How Bcc Works. I believe that the underlying mechanism is that you ALWAYS send the email to your mail server with the whole list of intended recipients attached. This saves you sending the message 5 times if you have 5 people Bcc'd. It is a concession to efficiency. If some mail-servers are not set up to do what I think everyone would expect, then I would call that a badly managed mail-server.

    I believe Pegasus Mail sends two mails if you have BCC recipient(s) - one with just the TO & CC addresses, and the other with BCC addresses.

    The mail server then just does what it's told as the envelope addressing knows nothing about the difference between any of the addresses. 

  •  05-08-2020, 15:02

    Re: BREACH OF PRIVACY - Pegasus should not be doing this!

    PaulW:
    Sheepdog:

    And then there's the fundamental question of How Bcc Works. I believe that the underlying mechanism is that you ALWAYS send the email to your mail server with the whole list of intended recipients attached. This saves you sending the message 5 times if you have 5 people Bcc'd. It is a concession to efficiency. If some mail-servers are not set up to do what I think everyone would expect, then I would call that a badly managed mail-server.

    I believe Pegasus Mail sends two mails if you have BCC recipient(s) - one with just the TO & CC addresses, and the other with BCC addresses.

    Correct, unless you have Suppress BCC field listings in outgoing mail checked. If so, all you have in the headers is BCC: (Suppressed).




    Best,

    euler f german
    sete lagoas, mg, brazil
    Pegasus Mail 4.73.639 Standalone - Windows 7 Ultimate
    BearHTML 4.9.9.6 IERenderer 2.6.3.5
    Binaries: C:\PMAIL\Programs
    Mailboxes: C:\PMAIL\MAIL

    InsPMDic — Dictionary Handler Add-on (link on profile)
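
The envelope-versus-header distinction PaulW and Sheepdog describe, as an added Python sketch that is not part of the thread and not Pegasus Mail's code: it plans the copies a client would submit under the first two Bcc handling methods of RFC 5322 section 3.6.3 (plus the per-recipient variant of the second) and reports which Bcc recipients can see one another. The function names, mode names and example.* addresses are constructed for illustration.

```python
from copy import deepcopy
from email.message import EmailMessage
from email.utils import getaddresses

def addrs(msg, *fields):
    values = [str(v) for f in fields for v in msg.get_all(f, [])]
    return [a for _, a in getaddresses(values) if a]

def plan_submission(msg, mode):
    """Return (envelope_recipients, message_copy) pairs to hand to SMTP.
    strip:      one copy for everyone, Bcc header removed
    split:      To/Cc copy without Bcc, one Bcc copy listing every Bcc address
    individual: To/Cc copy without Bcc, one copy per Bcc address naming only it
    """
    visible, blind = addrs(msg, "To", "Cc"), addrs(msg, "Bcc")
    clean = deepcopy(msg)
    del clean["Bcc"]                      # no error if the header is absent
    if mode == "strip":
        return [(visible + blind, clean)]
    plan = [(visible, clean)] if visible else []
    if mode == "split" and blind:
        plan.append((blind, deepcopy(msg)))
    elif mode == "individual":
        for rcpt in blind:
            own = deepcopy(clean)
            own["Bcc"] = rcpt
            plan.append(([rcpt], own))
    return plan

def leaked(plan):
    """Map each envelope recipient to the other Bcc addresses its copy shows."""
    found = {}
    for rcpts, copy_ in plan:
        shown = set(addrs(copy_, "Bcc"))
        found.update({r: sorted(shown - {r}) for r in rcpts if shown - {r}})
    return found

def sample():
    """Constructed test message; all addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "x@example.org"
    m["Bcc"] = "a@example.com, b@example.net"
    m.set_content("test 1 with multiple BCCs")
    return m

if __name__ == "__main__":
    for mode in ("strip", "split", "individual"):
        print(mode, leaked(plan_submission(sample(), mode)))
```

Only the `split` plan reports exposure: each Bcc recipient's copy carries the other's address, which matches the header extract in the first post.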
Copyright © 2007-2011 David Harris / Peter Strömblad. | Pegasus Mail Home Page