
How Using BCC Reduces Spam

Keeping private things private.

Stop Compromising the Privacy of Others
Using BCC on forwarded email is one way to reduce the amount of spam your recipients might get.
Is it true that if I use BCC to email attachments, it will mean less danger of spam? How’s that?

It has nothing to do with attachments and everything to do with any email you receive and then forward on.

It has little to do with reducing your own spam and more to do with preventing the other people involved from getting more.

It’s all about keeping their email addresses private and un-harvestable.


TL;DR:

Reducing spam with BCC

Take care to hide the email addresses that would otherwise be exposed in the emails you forward and send. Use BCC to hide the recipients’ email addresses, and edit the body of any forwarded email to remove email addresses it may contain.

Privacy violations

The scenario:

  • You get a wonderful piece of humor (or something else) via email.
  • You forward it to a collection of your friends.[1]

The mail that you received looks something like this.

From: yourfriend@reallybigbookstore.com
To: you@reallybigbookstore.com
Cc: anotherfriend@reallybigbookstore.com,
    anotherfriend2@reallybigbookstore.com, 
    someoneelse@reallybigbookstore.com,
    acontact@somerandomservice.com,
    morepeople@somerandomservice.com
Subject: This is funny

I thought this joke was kinda funny:

A pirate walked into a bar and the bartender said, ...

Your friend has emailed you some humor and CC’ed a number of other people.

Think about that for a moment. You can see all the email addresses on the CC line, whether or not those people wanted their email addresses exposed.

In fact, all those recipients can see your email address, too, as well as everyone else’s.

Privacy violation compounded

It gets worse.

You think this joke is really funny and worth forwarding on to more of your friends, so you hit Forward and create a message that looks like this.

From: you@reallybigbookstore.com
To: aclosefriend@reallybigbookstore.com,
    familymember@somerandomservice.com,
    apal@somerandomservice.com,
    collegue@reallybigbookstore.com
Subject: FW: This is funny

Pretty cute...

> From: yourfriend@reallybigbookstore.com
> To: you@reallybigbookstore.com
> Cc: anotherfriend@reallybigbookstore.com, anotherfriend2@reallybigbookstore.com,
>     someoneelse@reallybigbookstore.com, acontact@somerandomservice.com,
>     morepeople@somerandomservice.com
> Subject: This is funny
>
> I thought this joke was kinda funny:
>
> A pirate walked into a bar and the bartender said, ...

Just look at all the email addresses that are visible to anyone who gets this message. It’s a gold mine of known-good email addresses they can then use for any purpose they wish.

Of course, we immediately think of spam, but there are many other privacy issues that result as well.

What if one of your friends was trying to keep their email address private? You just ruined that with a simple forward.

And after the message has been forwarded a few times, the list of juicy email addresses at the top often exceeds the length of the actual message at the bottom!

You’d be surprised at how often the resulting email messages get forwarded to a mailing list archived online, where they a) live on pretty much forever and b) are even more easily harvested by spammers.

Be a good email citizen

There are two things you must do to avoid adding to the problem.

  • Use BCC for the recipients. BCC reduces spam by preventing the email addresses you send the email to from being visible to the people who get it. (How you do this will vary, but almost all email programs and interfaces have it.)
  • Edit any email addresses out of the body of the message before you hit Send. This keeps all the prior recipients from being visible and has the added benefit of making the email smaller and easier to read.

Of course, you should always consider whether the message should be forwarded at all, but I’ll assume you’ve made that decision properly.

So this time, when we click Forward, we do those two things:

  1. Instead of entering all those addresses on the TO or CC lines, we put all the recipients on the BCC line.[2]
  2. Before pressing Send, we click in the body of the message and delete all the lines that are nothing more than forwarded email headers.

Using the example from above, here’s what our forward looks like.

From: you@reallybigbookstore.com
To: you@reallybigbookstore.com
Bcc: aclosefriend@reallybigbookstore.com,
    familymember@somerandomservice.com,
    apal@somerandomservice.com,
    collegue@reallybigbookstore.com
Subject: FW: This is funny

Pretty cute...

> I thought this joke was kinda funny:
>
> A pirate walked into a bar and the bartender said, ...

And here’s what the recipients see.

From: you@reallybigbookstore.com
To: you@reallybigbookstore.com
Subject: FW: This is funny

Pretty cute...

> I thought this joke was kinda funny:
>
> A pirate walked into a bar and the bartender said, ...

Not an email address to be found.

Nothing for spammers to harvest.

Privacy maintained.
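
The two steps above as a script, added here as an illustration (it is not code from Ask Leo!): it strips the quoted header lines from the forwarded body, puts the recipients on Bcc, and then separates the SMTP envelope from the message text using the same rule as Python's smtplib.SMTP.send_message. The function names and the header-name list in HEADER are assumptions of this example; the sample text is the article's own scenario.

```python
import copy
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: the quoted body from the article's forwarding scenario.
QUOTED = """\
> From: yourfriend@reallybigbookstore.com
> To: you@reallybigbookstore.com
> Cc: anotherfriend@reallybigbookstore.com, anotherfriend2@reallybigbookstore.com,
>     someoneelse@reallybigbookstore.com, acontact@somerandomservice.com,
>     morepeople@somerandomservice.com
> Subject: This is funny
>
> I thought this joke was kinda funny:
>
> A pirate walked into a bar and the bartender said, ...
"""
RECIPIENTS = ["aclosefriend@reallybigbookstore.com", "familymember@somerandomservice.com",
              "apal@somerandomservice.com", "collegue@reallybigbookstore.com"]

# Assumed list of header names that mail clients copy into a forward.
HEADER = re.compile(r"^(From|To|Cc|Bcc|Sent|Date|Subject|Reply-To):", re.I)
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_quoted_headers(body):
    """Drop forwarded header lines, their folded continuations, and the
    blank line that ends the header block; keep everything else."""
    kept, in_headers = [], False
    for line in body.splitlines():
        text = re.sub(r"^(?:>\s?)+", "", line)  # same line without quote marks
        if HEADER.match(text):
            in_headers = True
            continue
        if in_headers and text[:1] in (" ", "\t"):
            continue  # continuation of a folded To:/Cc: line
        if in_headers and not text.strip():
            in_headers = False
            continue
        in_headers = False
        kept.append(line)
    return "\n".join(kept)


def build_forward(sender, recipients, subject, note, quoted):
    """Address the forward 'to' the sender; real recipients go on Bcc."""
    leftovers = ADDRESS.findall(quoted)
    if leftovers:  # refuse to send a body that still exposes addresses
        raise ValueError(f"addresses still in body: {leftovers}")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(f"{note}\n\n{quoted}\n")
    return msg


def split_for_delivery(msg):
    """Return (envelope recipients, message text as delivered).

    Same rule smtplib.SMTP.send_message applies: To, Cc and Bcc addresses
    all become SMTP envelope recipients, and the Bcc header is not sent.
    """
    fields = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    envelope = sorted({addr for _, addr in getaddresses(fields)})
    wire = copy.copy(msg)
    del wire["Bcc"]
    return envelope, wire.as_string()


if __name__ == "__main__":
    fwd = build_forward("you@reallybigbookstore.com", RECIPIENTS,
                        "FW: This is funny", "Pretty cute...",
                        scrub_quoted_headers(QUOTED))
    rcpts, wire = split_for_delivery(fwd)
    print("Envelope:", rcpts)
    print(wire)
```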


Footnotes & References

1: Never forward anything that asks you to forward it without checking it out first. It’s likely an urban legend or a scam.

2: Most email programs won’t let you leave both the To and Cc lines blank, so it’s common to send the message “to” yourself, with all the real recipients on Bcc.

41 comments on “How Using BCC Reduces Spam”

  1. And if any e-mail says “forward this to everyone you know,” don’t.

    BTW, sending chain mail is a violation of the terms of service of almost every ISP and web-mail service. If you get caught, you could lose your e-mail account.

    Reply
  2. I have been telling people this for years. I am going to forward this page to all those people today. Your explanation is concise and to the point with easy to understand why and how to. Thanks!

    If you do it in one mailing, be sure to … BCC them. 🙂

    – Leo
    11-Feb-2009
    Reply
  3. You are absolutely right about the collection of addresses that come with many forwarded mails,
    but there is not even any need to fill in the To: line nor the CC line; all addresses on the blind copy line will do, using Outlook Express. So no need even to send it to yourself.
    Joe

    That’s actually not true for all mail programs and all mail providers. Some will reject mail without a visible recipient, so it’s just easier to send it to yourself. Also email without a visible recipient, when it does make it through, is more likely to be flagged as spam.

    – Leo
    11-Feb-2009
    Reply
  4. It’s certainly the conventional wisdom these days that you should use BCC when sending to multiple recipients, but to play devil’s advocate for a moment I’d like to point out that there are drawbacks. For instance, you sent several people an important e-mail, but can’t remember whether you left certain addressees out. It’s easy to reopen it in your sent folder and check, isn’t it?

    Not if you BCCed them! You won’t see the blind copied recipients even in Outlook Express; I’ve tried, even using dodges found on the net which apparently worked in the past, but not now, at least on my system. So you’d better keep a list of those addressees somewhere else. Then I have to admit that there have been times when someone else has lifted my address from a list on a message, or I have found an acquaintance’s in that way, and the resulting communications have been helpful. Everyone is so jealous of their privacy nowadays that finding people can be difficult, e.g. with most telephone numbers being ex-directory. I am not convinced that the gains from this outweigh the losses.

    I am also not convinced that spammers harvest their addresses in this way. It doesn’t sound very practical. I have been sending and receiving e-mails with large numbers of addresses for years with no noticeable effect on my spam: I think the servers are quite good at filtering it now. So I think the question is arguable.

    Reply
  5. Not only should you remove the lines that are nothing more than forwarded email headers, the message would be much more readable were you to remove all of the > symbols.

    In Outlook Express, if you click on Tools, then Options, then the Send tab, uncheck the box ‘Indent message on Reply’ for both HTML settings and Text settings.

    If, however, you use web mail, some web mail programs do not allow you to make any changes to the message being forwarded but send them as attachments after adding the indents and headers. (One more reason to use a POP e-mail instead of web mail.)

    Reply
  6. While the BCC addresses are definitely not included in the copies of the message sent by your email provider to the BCC addressees, they appear to be included in the original message as it travels from you to your email provider; that would seem to be necessary so that your email provider knows where to send the copies. So a spammer could still harvest the BCC addresses if your email is intercepted on the way from you to your email provider, although not on its way from there to the recipients.

    Reply
    • If you’re connected via HTTPS the message will be encrypted and hopefully can’t be intercepted. If you’re using an email client like Outlook or Thunderbird all traffic to the email provider is automatically encrypted.

      Reply
  7. Much easier way to do this. I just copy the message and paste it in a new e-mail with only the addresses I want….to, CC or BCC

    Reply
  8. @ Bernard Winchester,
    Yes, it’s harder to find who you BCC’d, but it’s possible. (In Outlook Express)
    Find the email in ‘Sent Items’
    Right-click->properties
    Then click on the ‘Details’ tab. They are all there, easy to find.

    Always use BCC if you send to multiple people unless you want them to know you have sent it to each other.

    Reply
  9. It doesn’t seem to work this way if you use AOL..
    I have told people how to send to Bcc, but if they have AOL, they can’t do it!

    Reply
  10. In Windows Live Mail you can see who you sent it to by just looking in sent items, and I leave the ‘to’ empty most of the time and they have always gone where I sent them to; none have been refused and all were answered when I requested them to be.

    Reply
  11. Yes, Marion Sutton, it does work on AOL. I am on AOL and use BCC and it works. In the “Copy To:” section, type in all your recipients, putting them all together in parentheses. That is, put the open parentheses before the first e-mail address and the close parentheses after the last one. I use this method all the time.

    Reply
  12. For serious purposes, i.e. business, a proprietary e-mail program like MS Outlook is infinitely preferable to Outlook Express. The former also enables you to see to whom you blind copied so that you can easily keep track.

    Reply
  13. YOU DON’T ADDRESS SBC OR ATT ISSUES, JUST HOT MAIL…HOW COME….ONE QUESTION I HAVE IS WHAT HAPPENED TO THE MAIL ICON IN AT&T…(SBC)THEY CHANGED IT SOMEHOW AND I CAN’T GET THE ICON BACK (??) YES, YOU ARE DEALING WITH A NONSAVVY COMP.USER…

    THANK YOU..

    Reply
  14. It would really help with the bcc. I use it all the time but deleting all the addresses is a pain as they have usually been sent to umpteen people before I get to them. I still delete them before I send them on. I even sent explaining how to use bcc but it is easier just to send it. Thank you for addressing this subject.

    Reply
  15. All the big email services (Gmail, Yahoo) claim to be opposed to spam, why don’t they just make BCC the default setting and require personal attention when you want to send an open (visible) carbon copy?

    Reply
  16. Many thank yous for this article. I seem to have a fair number of tech “challenged” friends & family. This forwarding of cutesy jokes, riddles, etc. always comes with the above mentioned CC problems. I try to get them to visualize crossing out the address on an envelope then remailing it to other recipients.

    Anyhow, your explanation is much better. Oh, also to “Digital Artist” love the suggestion of BCC as the default setting.

    Reply
  17. Please use the full words when sending how-to information, like what is CC and BCC. I don’t have any idea what they mean; please explain them. Thank you.

    Reply
    • CC stands for “carbon copy” (remember carbon paper?). It’s used for sending to multiple recipients, visibly.

      BCC stands for “blind carbon copy.” It’s used for sending to multiple recipients, INvisibly.

      In Leo’s defense, he is NOT the one doing the abbreviating — he is merely quoting the terms used by actual E-Mail programs and websites. THEY are the ones doing the abbreviating, meaning that when you open up GMail, or Yahoo! Mail, or a desktop E-Mail program like Thunderbird, you’ll see the terms “CC” and “BCC” being used. So better get used to these terms, because I’m quite sure that neither GMail nor Thunderbird bother to explain either one of them. :/

      Reply
  18. BCC is a great tool…but for the stuff yakked about in this article…Better yet! Stop sending all this junk around the Internet. Do you really really think this behavior means you’re the friend of someone because you load up their chuckle box? It bogs down email servers, slows the Internet with extra traffic, and sometimes has inadvertently passed links to virus sites. If you or your friends need chuckles that bad, figure out how to be funny on your own. MOST of the seriously needed information sent around the net is garbage, untrue, and ridiculous. And the little that is true and worthwhile…if it’s so worthwhile, bring it to the attention of an agency responsible in that area and see to it they publish it for people to see. CHECK THINGS OUT THOROUGHLY BEFORE YOU SEND ANYTHING AROUND! Just because you poked over to Snopes and see an approval flag does not necessarily mean you read the fine print there, or researched further. Many of the “true” ones are also BS or otherwise unworthy of your attention. (chuckle on that)
    And btw…don’t use Forward. Copy paste the message body into a new email, then call up your mailing list into the BCC field. If there is none, put each email address inside parentheses.

    Reply
  19. There is another problem that your suggestion seems to bring up. BCC can also be used to hide your address in such a manner that you’ll get spam and never see your address in it?

    Your explanation of BCC here is the first instance I’ve actually seen in 15 years that managed to possibly explain this to me.

    Email may be a pain sometimes but I would think IM is 10X the pain. Since any protocol involves giving up control at some point to deliver data you are at the mercy of the network at all times I would suppose. The system was born open and people are used to getting their messages etc without a hassle and somebody will get what they want eventually. Perhaps if BCC were mandatory for all addresses beyond the first?

    Still, when you get a spam email that has no trace of you in it it’s probably worse to you than the other way around, highly bothersome and doesn’t leave you feeling any better, as in, “how the blank…”?

    Reply
  20. I wonder how the spammers have the time to look at the millions of email each day and harvest email addresses. I don’t see how that is possible.

    Reply
  21. But one (slight) disadvantage to using BCC:
    My friend Joe sends me a funny joke, and several other friends on BCC. I read it and laugh.

    But over the next few hours or days, I get a dozen or so emails from friends, all forwarding the funny joke they got from Joe. After the 3rd or 4th one, I’m not laughing at it any more.

    It’s the BCC causing this — if the original joke had been sent CC, all these friends would have seen that Joe already copied all of us on that, and wouldn’t have kept forwarding it.
    But a minor problem compared to sending everybody’s email out in CC.

    Reply
    • A workaround is to email those people you are getting the joke emails from and tell them to stop sending the jokes via email. They can post the jokes to social media and you and all your friends can see them. You can start a Facebook friends’ group to keep up with those people where you can share jokes and other things. That way, you’ll have more control over what you receive. It’s probably best to make the group private or secret so it stays among friends.

      Reply
  22. I once received such an e-mail. It had been forwarded maybe over 100 times, each time to 10 to 30, maybe more, recipients. Many had some nice, often remote, images as signature.
    The message proper was only about two or three lines of unformatted text. It was one of those «Forward to x people to ensure the continuation of your e-mail account» chain letters that plagued the internet some years ago. The message, including all the previous recipients’ addresses, was nearly 2 MEG in size, plus many signature images hosted on some remote servers.

    Reply
  23. “Most email programs won’t let you leave both the To and Cc lines blank, so…”

    Not every E-Mail program is quite so inflexible. While they won’t accept blank TO: or CC:, there’s “secret syntax” for fictitious addresses that some will accept, of the form:

    Undisclosed-Recipient:;

    …Those last two “:;” characters are important; they are what signal to the mailer that “this is a fictitious address.”

    And although “undisclosed-recipients” appears to be traditional, my understanding is that it can be anything you please as long as it’s all one word (hence the need for the hyphen).

    Just bear in mind that if you put any such fictional address on a TO: or a CC: line, that address will be fully visible to all recipients. In other words, use of an address such as SkrooYoo:; is not recommended!

    Reply
  24. This is a very important concept often overlooked by many people.

    When forwarding an email, I also find it wise to remove parts of the email that have anything to do with the original recipient, such as an unsubscribe link or profile. Some unsubscribe links are set up properly (they’ll notify the original recipient that they’ve been unsubscribed). Some unsubscribe links do not do that. I once received a forwarded email from a friend and the email included an unsubscribe link. Just to be mean, I clicked on the unsubscribe link. The unsubscribe page appeared. It had the original recipient’s email address pre-filled (the link included the email address of the original recipient). POOF! The person was now unsubscribed. As far as I know, the person did not receive a confirmation email stating they had been unsubscribed.

    Reply
  25. I use Thunderbird as my email client, and I’ve loaded an extension called “Limit non-BCC recipients”. With the extension you can set a threshold, which can be any number including zero. If the number of addresses for the message you’re sending exceeds the threshold, a popup gives you the option of either sending the message as is or converting the addressees to BCC before sending. I simply set the threshold to 1 and add as many addresses as I like without worrying about BCC. If the recipients exceed the threshold the popup says:

    Non-BCC recipients limit exceeded!
    Non-BCC count – (a)
    Your Limit –
    Send anyway?
    Change all to BCC?

    I just select “Change all to BCC” and Send anyway OK. The extension does the work and I don’t have to worry about using BCC.

    Reply
  26. Brilliant! Thanks for this, Leo. Of all the articles I’ve seen on the subject, this is the best by far.
    I’ve bookmarked the URL to send to my friends and colleagues who just don’t listen when I try to explain why they shouldn’t forward in the wrong way.

    Reply
  27. The abbreviations “cc” and “bcc” have one reeeally outdated thing in common: the “cc” in both stands for “carbon copy” which harkens back to a century ago when typewriters made copies by inserting carbon paper and a second piece of paper so an exact typed copy would appear on the second piece of paper.
    Let’s leave the last century in the past and go with “c” and “bc.” Simple. WAIT, there’s more:
    The “b” in bc stands for blind, which is reeeally outdated, out-of-touch, and perhaps insulting for vision impaired people. Go with “hc” for hidden copy. Please.

    Reply
  28. Thank you, Leo.
    This post is thorough, and it’s useful.
    I’m saying that, even though I was already aware of much more of its precautionary advice than many of the people and institutions I correspond with.
    **In your next revision/release of this post, I hope you will prune-off the pieces which are dreadfully out-of-date. Think about it; a lot of the earlier pieces of this ‘conversation’ are dated 2010, even 2011… back then, we generally didn’t know much about the vast numbers of internet “bad guys” and their innovative but unethical/immoral methods. **
    I was intrigued by TheGrandRascal’s post of 11/23/21, re the use of the “:;” combination. How about sharing with us your thoughts about it, esp. whether it’s only applicable to emails sent from certain sites?
    Cheers…

    Reply
    • “undisclosed-recipients” was something added by Outlook Express, I believe, when you had nothing in the to line. It’s VERY email program specific. I’ve never heard of the “:;” requirement at all. If it works for you, great, but I see no benefit to using it if it does.

      Reply
  29. I suspect this debate will go on and on. I agree with the principle of using BCC wherever possible and on the good practice of deleting email addresses on the incoming mail when forwarding it. However if one is communicating with a group of people who need to know or are likely to be interested in who else has been sent the message it is easy to generate a second tier of propagation where recipients forward the incoming BCC message to other people whom they believe should have seen it but don’t know for sure if they have, or they pester the author with questions about whether or not so and so and so and so have been told.
    It may be possible to mitigate this by prefacing every mail with something like ‘this mail has been sent to all members of etc’ but if you forget the problem remains and in any case not all the members of the group will necessarily be familiar with all the rest.
    Good practice isn’t necessarily the best solution.

    Reply
