Once upon a time I was a company’s technical contact with Diebold. One day I received an important message from Diebold’s corporate headquarters: “Please remember to return your tray to the cafeteria!”
Someone had accidentally sent this internal reprimand to every staffer, customer contact, vendor, friend, enemy, and distribution list in their and the company’s global address book. World-wide. In the “To:” header. There were days of Reply-All responses full of confusion, anger, ridicule, apology, please-don’t-use-reply-all, please-don’t-use-reply-all-to-complain-about-reply-all, and comedian-in-their-own-eyes commentary. Throw in some out-of-office-responses from mal-configured mail systems as well.
I’d not thought about that incident in a long time, but I was reminded of it today by a discussion at the office about Microsoft Outlook. Coincidentally I then ran across John Scalzi’s ‘The “Bcc:” Field is Your Friend‘ in which he points out several issues with exposing addresses in the “To:” or “Cc:” headers of email.
A related issue involves posting style. Not only are potentially “private” addresses exposed in the headers, but many email clients now include the previous sender’s From/To/Cc headers in the quoted part of a message. Think of how many times you’ve received those iteratively forwarded-from-a-friend messages — where the actual content is swamped by the accumulated quoted headers from a few to literally dozens of forwards, each one containing several, dozens, or even hundreds of addresses — all available for spam harvesting.
Although I don’t do this so much now, I used to provide a unique address whenever a vendor rep asked for contact information — that way I could both filter easily and tell when they’d given my address to some third party. In addition I could tell by the sudden burst of spam when some poor staffer had had their email compromised. IBM, bless their hearts, went so far as to make up an address for me (rather than ask me; I found out from seeing it in a Cc header forwarded (ha) to me from another staffer). I corrected the error with IBM, set up an alias for the bogus address to catch any leftovers, and never ever used it. And then one day, spam started pouring in. Thanks, IBM. This was back when it wasn’t quite so common for spammers to generate thousands of random addresses in a domain.