Glassdoor spaffs users' email addresses in bcc fail

Jobs site Glassdoor accidentally outed hundreds of users seeking employment in pastures new when it despatched an email and failed to use the bcc button. The missive was sent to users at the weekend and intended to update them on the company's terms and conditions. One user said: "They later sent a follow up email saying …

  1. Alister

    Questions

    Why aren't they using proper mailshot software if they do regular newsletters?

    Why don't writers of email clients, and / or webmail clients put in place a sanity check, so that if you have more than (say) ten users in the to or cc fields, it asks you what the fuck you are doing.

    1. TonyJ

      Re: Questions

      "...Why don't writers of email clients, and / or webmail clients put in place a sanity check, so that if you have more than (say) ten users in the to or cc fields, it asks you what the fuck you are doing..."

      I must confess to not remembering the defaults (and being too lazy right now to Google) but Exchange mailtips has this sort of scenario in mind. It doesn't stop users from sending out but will pop up yellow or red message bars to tell you that you're possibly about to do something dumb.

      Alas not many Exchange admins seem to be aware of them or use them to their full extent.

      Oh and I just remembered they don't work at all when running offline/cached as they're generated by the server.

      1. Vince

        Re: Questions

        I believe one (of many) reasons is that you need to be running Exchange 2013 as I don't think that feature arrived before then, so I guess most places that run in-house Exchange can't.

        EDIT: Nope - actually turns out they rocked up in Exchange 2010 so for Exchange organisations I imagine more are on 2010 than 2013, so probably could use it.

      2. Sven Coenye

        Re: Questions

        Yet perversely, MS hosted O365 Exchange instances now have "Reply All" set as the default action of the Reply button...

    2. Crazy Operations Guy

      Re: Questions

      Don't even need complicated software, I wrote a script that ran on our SMTP relay; you feed it a file containing the message you want to send and a csv with the email addresses and the variables in the message you want to replace. Took me less than a week's worth of slack time to write and now there is no possibility of accidentally leaking recipients.
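A per-recipient mail merge of the kind described in the comment above, together with the recipient-count sanity check asked about earlier in the thread, as an added example (not the commenter's script). The sender address, template, CSV columns and function names are assumptions made for illustration.

```python
import csv
import io
from email.message import EmailMessage
from email.utils import getaddresses
from string import Template

SENDER = "notices@example.com"   # assumed sender address
MAX_VISIBLE = 10                 # threshold suggested in the thread ("say ten")

# Constructed sample inputs: a message template and a CSV of recipients.
TEMPLATE = ("Subject: Updated terms for $name\n\n"
            "Hello $name,\nour terms changed on $date.\n")
RECIPIENTS_CSV = ("email,name,date\n"
                  "alice@example.org,Alice,1 July\n"
                  "bob@example.net,Bob,1 July\n")


def visible_recipients(msg):
    """Addresses that every reader of this copy can see in To: and Cc:."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def build_messages(template_text, csv_text, sender=SENDER):
    """Return (envelope_recipient, EmailMessage) pairs, one per CSV row."""
    subject_line, _, body = template_text.partition("\n\n")
    subject_tpl = Template(subject_line.removeprefix("Subject: "))
    body_tpl = Template(body)
    pairs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        addr = row["email"].strip()
        if any(c in addr for c in ",;\r\n"):
            # One cell must never expand into several visible recipients.
            raise ValueError(f"suspicious address field: {addr!r}")
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr                      # the only address in this copy
        msg["Subject"] = subject_tpl.substitute(row)
        msg.set_content(body_tpl.substitute(row))
        pairs.append((addr, msg))
    return pairs


def check_before_send(msg):
    """Refuse a message that would expose more than MAX_VISIBLE addresses."""
    n = len(visible_recipients(msg))
    if n > MAX_VISIBLE:
        raise ValueError(f"{n} addresses visible in To/Cc; send per-recipient copies")
    return n
```

Each pair can then be passed to `smtplib.SMTP.send_message(msg, to_addrs=[addr])`, so the envelope also carries a single recipient per copy.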

    3. Mephistro
      Facepalm

      Re: Questions

      What astonishes me is that CC is the default, instead of BCC. If you use BCC when you should have used CC, you only need to resend the email, perhaps with a small note of apology. If it's the other way round..."It's raining shit, Hallelujah...".

  2. JimmyPage Silver badge
    Facepalm

    Q: Why aren't they using proper mailshot software if they do regular newsletters?

    A: ££££££££ (or rather lack of willingness to spend).

    On the plus side, there's clearly an opening at Glassdoor.com for someone with a clue.

    1. Anonymous Coward

      Re: Q:Why aren't they using proper mailshot software if they do regular newsletters?

      Yeah, Glassdoor is a great place to work! 4.4 / 5 stars!

      ...according to https://www.glassdoor.com/glassdoor

  3. Mark Simon

    Dire Consequences

    I once did some contract work for a company who were somewhat tardy in payments. When the manager sent an email to the contractors about his cash flow problems, he put us all in the To: header.

    This resulted in one of the other contractors emailing the rest of us telling us that we’ll probably never get paid. This in turn led to more emails, and eventually we became an informal action group, each of us sharing tales of woe, as well as snippets of scandal.

    The company folded, the manager went bankrupt, and was given a gaol sentence for crimes committed in trying to cover his financial problems.

    We never did get paid, but it makes a good story — not using the BCC button can get you in deep trouble.

  4. Mike Shepherd
    Meh

    "We are incredibly sorry for our error"

    No, I don't believe it, either.

    1. Flywheel

      Re: "We are incredibly sorry for our error"

      "We are incredibly sorry for our error that we got caught"

      No doubt "lessons will be learnt" - we'll sack a few junior staff pour encourager les autres.

      1. DJV Silver badge

        Re: "We are incredibly sorry for our error"

        They were obviously THIS sorry:

        https://www.youtube.com/watch?v=oYOZ3IzRaf4

    2. Captain DaFt

      Re: "We are incredibly sorry for our error"

      Nowadays, when I see this:

      "We take the privacy of our users very seriously and are taking corrective steps to ensure this doesn’t happen again."

      It gets internally processed as corporate speak for:

      "Aw, here's the world's smallest violin playing Hearts and Flowers, just for you. Ain't it grand being our client?"

  5. SteveK

    BCC not always blind

    I remember receiving grief once when someone *did* use BCC to send email, but the email addresses were still visible to other BCC recipients (but not 'To' recipients). Turns out that mail client had an option about how to handle BCC headers. By default, it was compliant with RFC822, which says:

    4.5.3. BCC / RESENT-BCC

    This field contains the identity of additional recipients of the message. The contents of this field are not included in copies of the message sent to the primary and secondary recipients. Some systems may choose to include the text of the "Bcc" field only in the author(s)'s copy, while others may also include it in the text sent to all those indicated in the "Bcc" list.

    Looks as though later RFCs have tightened that up to say the addresses shouldn't be visible to any other recipient.
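The two Bcc behaviours permitted by the RFC 822 text quoted above, modelled as an added example (not code from any mail client mentioned in the thread). The mode names, function names and sample message are assumptions made for illustration.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses


def _addrs(msg, *names):
    """Bare addresses found in the named header fields of msg."""
    values = [v for n in names for v in msg.get_all(n, [])]
    return [a for _, a in getaddresses(values) if a]


def copies_for_delivery(msg, bcc_mode="author_only"):
    """Return {envelope_recipient: message_copy} for one submitted message.

    "author_only": the Bcc field is stripped from every transmitted copy.
    "bcc_list":    copies sent to Bcc recipients keep the whole Bcc field,
                   the other behaviour the quoted text allows.
    """
    if bcc_mode not in ("author_only", "bcc_list"):
        raise ValueError(f"unknown bcc_mode: {bcc_mode!r}")
    primary = _addrs(msg, "To", "Cc")
    blind = _addrs(msg, "Bcc")
    stripped = copy.deepcopy(msg)
    del stripped["Bcc"]                     # removes every Bcc header
    copies = {rcpt: stripped for rcpt in primary}
    for rcpt in blind:
        copies[rcpt] = msg if bcc_mode == "bcc_list" else stripped
    return copies


def who_can_see(copies, address):
    """Envelope recipients whose copy shows `address` in To, Cc or Bcc."""
    return sorted(r for r, m in copies.items()
                  if address in _addrs(m, "To", "Cc", "Bcc"))


def sample_message():
    """Constructed sample: one To recipient and two blind recipients."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "team@example.com"
    msg["Bcc"] = "carol@example.org, dave@example.net"
    msg["Subject"] = "Terms update"
    msg.set_content("Our terms have changed.")
    return msg
```

In the `bcc_list` mode the blind recipients can read each other's addresses while the To recipient cannot, which matches the behaviour described in the comment.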

    1. David Roberts

      Re: BCC not always blind

      Hmmm.....wondering now if there are different potential options for those on the same mail server and if BCC recipients may only be dropped at the relay servers as the mail message fans out.

      Vague memories of mail addresses for the local domain being stripped off at the relay server and all the rest being left on the forwarded message.

  6. cd

    If a company says they take my privacy seriously, I don't take them seriously.

    1. VulcanV5

      If a company says they take my privacy seriously, then I know that sooner or later, they are seriously going to take my privacy away.

      1. Anonymous Coward

        Yup. I know marketers. They dump your info in cloud databases like Salesforce, dump it out to spreadsheets, email it to dozens of employees and contractors, who upload it to their own cloud databases, and so on and so forth.

  7. John Brown (no body) Silver badge

    "affected less than 3 per cent of Glassdoor users"

    Funny how when it's their cockup 3% is "only", "less than", i.e. by implication it's "just" a small amount.

    If the business grows by 3%, it's shouted from the rooftops like it's a huge number.

    PR people seem to live in a universe with variable physical laws.
