“Reply-to-All” Exposes Blind Co-conspirators

I’ve read a number of articles that say we should use Reply-to-All very sparingly, so as to reduce the volume of unnecessary email people are getting. There are also those who try to discourage us from using the BCC feature, on moral grounds.

Although I agree with these noble reasons, I’d like to add another, much more practical reason why we need to be extra careful before using these features.

Download SpeedFiler Now!If you are a BCC recipient of a message, when you Reply-to-All, people will wonder how you got involved, and will realize that the original sender blind-copied you. This can be rather embarrassing for the original sender, who deliberately tried to hide the fact that you were copied. Who knows what can of political worms you are opening by doing this!

What about the other side of the coin? How can we blind-copy someone without risking exposure? Here’s a much safer way:

Address the message in the normal way to the regular recipients, then enter your own address on the BCC line and send the message. When you receive your copy, forward it to your secret correspondent. Because your forwardee is the only recipient, s/he cannot inadvertently expose your “conspiracy” by misusing the Reply-to-All command.

For those of you who are wondering: yes, I did learn this the hard way. I’ve never used the BCC feature since!

For those who prefer the moral approach: BCC = Blind Co-conspirator


52 responses to ““Reply-to-All” Exposes Blind Co-conspirators

  1. Well, yes. Or you could just leave the BCC field completely empty, send the mail, then go into your “Sent” mailbox and forward your own mail.

    I just don’t see the point of BCCing yourself first and forwarding the mail you receive, as opposed to the mail you sent. (But maybe I’m missing something here.)

  2. You are right — if you can be bothered to fish the mail you sent out of Sent Items, fine.

    Isn’t it easier to have it come to you, rather than going to look for it?

  3. Alternately you can just drop every name in the BCC box with none in the TO or CC boxes. This has the disadvantage of usually* revealing to the recipients that they were BCC’d, tipping them off to the possible presence of other BCCers. But it’s quick.

    * Some mail systems/programs do weird things.

  4. Seriously, Itzy? Your Sent folder is that faaaar away?

    1. BCC yourself.
    2. Wait for mail to come. La la la.
    3. Forward mail. Have duplicates of the same message lying around.

    1. Click Sent folder. The one you just sent should be the first listed. No fishing required.
    2. Forward mail. Done.

  5. I tried this just now with Thunderbird and could not get ‘a received’ or ‘a sent’ bcc to forward. The undisclosed recipients does not come with the email.
    Am I doing something wrong? or Right?

  6. I just BCC everyone and send to a fake and verifiably non-existant address OR better yet my own e-mail in the TO field.

    Disadvantages of this method:

    – you usually get an error back from the remote server that the recipient does not exist (in Outlook Express you were even allowed to use allmybuddies@ with nothing after the @.. but this has weird results if some domain actually has an “allmybuddies” e-mail address at their domain, but when using something like thismailhasbeensenttoallthatareconcerned@yourdomain.tld it will be less likely to become an issue if you get my meaning)

    – depending on the mail client used, it is harder to trace back whom you sent the e-mail to after the fact if you don’t remember

    Advantages of this method:

    – anyone who replies “to all” will reply to either the fake address (which returns an error) or to you

    – avoids accidental exposure to other recipients

    – avoids unnecessarily easy exposure of addresses to worms and viruses in other peoples computers and zombie-PC’s, which slows the spreading of such malware and avoids you becoming a passive participant in infecting someone elses’ computer

    – on most mail clients, the mail looks a lot cleaner than the use of a gazillion addresses and names for spammers to harvest and hard to read for the recipients (scrolling all the way down to get to the message)

    To sum up, I actually reverse the policy. In MOST circumstances, I send TO: myself@mydomain.tld and BCC: list-of-recipient-addresses. Any replies, including reply-to-all will be sent to me alone.

    The EXCEPTIONS to this: when I specifically want two ore more specific recipients to mutually know that they got this message, such as when dealing with person A but then dealing with person B whilst officially keeping person A informed out of courtesy or agreement — however I try to limit this to two or three recipients at the most.

  7. I was once embarrassed by this. I sent an email to a colleague about his mishandling of a certain process, and bcc’ed the other involve coleagues. In the process, the bcc’ed colleagues joined the discussion by using the reply to all option…

    Learned my lesson the hard way, never thought that the bcc reply will be sent to all as well. Stupid me =(

  8. I perhaps the lesson that needs to be taught is to look at the header before you reply to see if you were BCC’d.

    There’s nothing wrong with the BCCers. They are using the tool for what it’s designed for. It’s the hasty replies without looking that are the problem.

    For that matter, it’s a safe policy to always look at who the message was sent to before using “Reply to All”.

    Just my .02.

  9. Mau said it right.

  10. Pingback: Leadership » Blog Archive » Email tip: Beware using BCC

  11. I like the suggestions of ways around BCC. I too am quite paranoid when using it. Before I hit send on any message with BCC recipients, I think to myself “What if the BBC person does reply to all? Is there anything in there I’ve said about someone or something that could come back to haunt me?”

    If so, then I try to tone down what I’ve said.

  12. Create a custom form which disables the Reply to All possibility (for Outlook users).
    Use this form when applicable.

    Go to source: Microsoft Office Assistance: Prevent e-mail message recipients from using Reply All or Forward at: http://office.microsoft.com/en-au/assistance/HA011142241033.aspx

  13. Is there any way to know the BCC recipients in a received mail??????

  14. Realistically speaking, only if someone foolishly replies-to-all.

    Otherwise, only if the sender’s email client and/or server software is buggy — this has happened in the past in very specific environments.

  15. I have another problem.
    Suppose “A” sends email to “B” and BCC to me.
    I get the email with “A” in “From:” field and “B” in TO: field. My email address missing as I am the BCC recipient.
    How do I set automatic rule to reply to B.
    The automatic reply rule will always send the email back to “A”.
    Any ideas???

  16. KB, Why would you want to reply to “B”?

    B does not know that “A” blind-copied you and by replying to “B”, you’ll expose what “A” did.

    What are you hoping to achieve by such an automatic rule?

  17. Thanks for your reply.
    Yes, it is hard to comprehend without example.

    I am supplier of a product, A is a 3rd party/independent ORDER TAKER and B is the customer.

    A, B and myself are NOT related or part of the same compeny/group.

    A takes the order from B(over the phone) and generates an automatic email order confirmation which is sent to B and I get a blind copy BCC.

    At the moment, I have to manually send an email to B, to let the buyer(B) know about the receipt of their order and send a thank you message.

    If I REPLY to this BCC sent to me it goes to A.

    If I REPLY TO ALL. Then A and B both will get my email. (I am not sure if I can choose REPLY to ALL in OUTLOOK auto rules anyway.)

    The problem is that I do not want A to get this email reply from me, as it contains pricing/other info. they don’t need to see.

    So My problem is reverse of what has been discussed before on this page. I WANT the reply to go to B and not to the original sender(A).

    I just want the BCC I get processed at my end, which is easy for me to do. Then I want my auto system to send an email to B and NOT to A.

    If I get lots of orders the manual processing is a pain.

    Sorry, you might have to read it twice to understand it.


    • null infinitude

      I’d say if this is an issue still, it sounds like it’s time to create a custom “reply to recipients” or “exclude sender reply to all” rule.

  18. Ah I get it. I was wondering how it is possibly for your ‘To’ recipients to see the ‘BCC’ person when they reply-to-all, but what you mean is if the ‘BCC’ recipient replies to all. Lol that would be dum, and potentially disastrous. And come to think of it, that has happened to me. Thanks for the tips.

  19. I’d like to offer that BCC is not just a conspiracy technique. Often I will BCC a recipient because I want them to know about the email, however I don’t want to drag them into the discussions that may or may not follow. Of course, they can choose to get themselves into the following email trails with a REPLY TO ALL.

    I do agree that if I don’t want someone to know I am sending their email to another person, BCCing has some problems. I’d suggest a phone call . . .

  20. Are you absolutely sure that a email can NOT be checked for a bcc? I don’t need to know who was copied just IF it was copied. I used to be able to use the Organize feature and color code all emails sent Just To Me; but that no longer seems to work with bcc. Any other ideas on how to identify an email with a blind copy would be greatly appreciated.

  21. Burt, I’m absolutely sure that any email software that allows a recipient to determine whether a message has been BCC’ed to others will be considered to have a gaping security or privacy hole. This has happened in the past to Outlook/Exchange and Lotus Notes, but only in very specific configurations.

  22. i was a bcc recepient. when I responded to the email, i used reply to all. Will all the bcc recepient recd my response?

  23. theresag: No, only the visible TO and CC recipients will get your reply. However, if they are observant, they will realize that you were a BCC recipient of the original message.

  24. My boss is a very coniving person who BCCs our Managing Director on all e-mails especially potentially contentous ones. Is there no way I can reply to my to my boss that will enable all the BCC recipients to see my response, therefore providing the whole picture and not just one side of the story?

  25. Vanessa: unfortunately, when you reply-to-all, you are only replying to the people who are publicly associated with the original message. Your email program is totally unaware of who received a BCC copy, or even whether anyone at all was BCC’ed on the message. You’ll have to find another way to get your side of the story across. How about an anonymous blog? ;-) (WARNING – be very careful if you take the blog route – if it becomes too popular, and you make a careless mistake, you could end up getting found out…)

  26. Yes, this can be embarassing and may damage relationships, diminish trust, create more work and reduce your ability to make decisions. It’s time to get human again. Replace the screen-time with face time.

  27. HI….I was bcc’d on an e-mail and was wondering if it is at all possible to determine who else…not an address really…just if there was another recipient besides myself..?

  28. Mark: there’s no way to know even whether BCC was used, unless you yourself are a BCC recipient. Even then, you cannot know if you were the only BCC recipient.

  29. Thanks Itszy….I found this on line….wuold this apply for a work server? …does this ring true?
    “….Note there is a potential security flaw in the BCC feature. According to the conventions of the SMTP protocol, all addresses, including BCC addresses, are included in every email as it is sent over the Internet. The BCC addresses are stripped off blind copy email only at the destination email server. Therefore, if the addressee controls their email server or can access it, they could examine the BCC addresses on every email they receive.

  30. UGH! I was just bit by this one. I read this article quite a while ago and have since changed my habits however; a co-worker uses BCC to the point of annoyance. I frequently get BCC’d on emails contents that leave me scratching my head due to the lack of context. Upon returning from vacation as I was sorting through my week of email I accidentally replied-to-all to ask him what the email was about. Ugh!

    Now to fix the problem… *sigh*

  31. Mark: I do not believe it is true for all cases. I am by no means an expert in the technical aspects of SMTP, but as far as I understand, a mail server that receives a message for delivery, will receive a list of recipients. So within your company, your mail server will know who all the recipients are, including the BCC recipients. However, if you receive a message from outside your network, your mail server will only know about the recipients it was asked to distribute the message to, i.e. those within your company. Other mail servers will have been asked to distribute the message to the recipients not under control of your mail server.

    Whether or not I am correct, most people cannot access the mail server’s logs to see how specific messages were handled — this itself would be considered a breach of security.

  32. Pingback: Four (or Five!) Reasons Why » …The “Reply All” Button Must Die

  33. How can stop my Exchange 2007 STOP delivering messages to persons listed in the BCC field ? This should ONLY apply to messages sent from within my domain. Thanks.

  34. hey everyone i got a Q… ” As a reciver of an e-mail, can i find out if the sender BCC anyone ?

  35. Mix: Not unless one of the BCC recipients Replies-to-All by mistake.

  36. What a great discussion,

    My boss sends emails to be with a different tone sometimes, like he is BCCing someone.

    How can I find out who did he BCC??

  37. what was I thinking? I’m somewhat new to my organization (been here about a year), having been hired in from outside. I recently sent an email to one of my employees asking why he didn’t trust me, stating we’re all in this together, along with the typical motivational, team-building comments.

    As the email came about because of specific issues that needed to be addressed, I wanted my supervisor to be aware of it. So….I BCC’d him.

    think about it…. a BCC on an email telling someone he needed to trust me! What was I thinking? Fortunately my supe didn’t ‘reply-to-all’. That would not have been pretty!

  38. “why me”: it sounds like it would have been better to have a face-to-face discussion with your employee. Email is not a good medium for some things, see Don’t write to me in that tone of voice!

  39. Is there a method to see who all the addressees are when you receive an “undisclosed recipients” e mail, i.e. everyone has been BCC’d?

  40. need advanced mailind tools contact thru my mail

  41. I often receive emails re: urban legends, hate mongering against Islam with pictures labeled falsely etc. In the TO: column is the sender’s name along w/ “undisclosed recipients”. If I (after research on Snopes, etc) hit “reply all”, will the “undisclosed recipients” receive my email exposing the truth, or just the sender whose name I can see in the TO: box?

  42. I just performed a test e-mail to see if my sisters “reply all” to my bcc e-mail gave them any reason to suspect that the e-mail was going out to the other sister and me. Well…it didn’t. It just went to me, the sender. I don’t know what the e-mail looked like to them, as far as “exposing” the bcc sender (aka me!) but as far as all the senders receiving a “reply to all” e-mail via an original blind copy, I don’t think we have to worry. If I’m wrong, I’d love for someone to help me understand this. Thanks!

  43. I tested it out: you CAN know who was Bcc’d in an email, even if you were one of the Bcc members.
    I don’t see why replying to all would invoke the bcc email addresses as well. What’s the point of having the option to bcc people if someone could just simply hit “reply to all” and see who was bcc’d? Ack.

  44. Know your co-workers! I once emailed a co-director discussing the merits of employing someone who wanted to join our business. The potential employee would have had a senior position and I thought they would be a real asset. So I cc’d the potential employee in: my aim was an open and frank debate. My co-director ‘replied to all’ detailing his negative and pretty ill-reasoned reservations regarding the individual! Needless to say, the dialogue stopped with that email. Sometime later, I sold the business to that director. It went bust within two years!

  45. if you get a message in lotus notes that has been bcc to others and you reply, you don’t have an option to reply to all unless there are cc’d in addition to bcc…you cannot reply to all if it is only sent to you and bcc…

  46. ken e. no, there is no method…not one that would be easily found…I believe there is a way to find anything, but only those who really know what they are doing can figure it out…hence the true hackers…

  47. jev…you are correct in your thinking…most likely you cannot do it…if people say they can reply to all and it goes to those bcc’d in original email, they are misleading you….

  48. Hi how can I find out ro whom an email has been BCC’ed wen I receive an email

  49. Pingback: loose lips sink ships in Columbia, too. « Columbia news, views & reviews

  50. Mr. Itzy Sabo

    You are totally wrong as i tried it on outlook an it failed. reply if u r right???

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s