Chris, You have discovered something indeed; sorry I reacted before delving in deeper. Hotmail is not creating separate messages for each Bcc: recipient, which is RFC-compliant: though we might expect otherwise, the sending MTA is under no obligation to create a custom message for each Bcc: user. All that is required is that the Bcc: recipients are transformed into envelope recipients. If they happen to be at the same MX, they may be sent, as they are here, a single message body. As Rod pointed out, Imail uses the first recipient when generating the X-RCPT-TO: header, so you've (i.e. we all've) got a security hole! (Rod, do note that it's not actually "when creating the Qf98b21a.SMD file" that this happens, but rather when the Q file is *processed* by SMTP32.EXE.)
There is a workaround. X-RCPT-TO: is not required by the RFCs and is considered nonstandard, so Imail can do with it as insecurely as it wishes. But luckily, it does follow standard MTA practice of not modifying headers that already exist in the message body. In other words, if you craft a message that already has an X-RCPT-TO: header, Imail's SMTP sender will not modify that header, be it blank or populated with anything you choose. So, via copy, I am advising Scott Perry of Declude that, since Declude acts as a preprocessor, it would be possible for a future Declude version to plug this hole by writing a blank X-RCPT-TO: into relevant messages (you'd lose whatever usefulness the header might have had, but at least you'd preserve privacy). I have also submitted it to Ipswitch tech support with details. Regards, Sandy P.S. Interestingly, there was a thread that came close to discovering this in late November, but no one quite hit it (in addition to the years of QA at Ipswitch during which it's never been caught). Good eye and I apologize again for dismissing you. Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
