Spammers do everything they can to get their garbage in front of you, and that means using and abusing every tool at their disposal.
One of those tools is also available to you and me when we send email.
Become a Patron of Ask Leo! and go ad-free!
You were BCC’ed. The “BCC”, or “blind carbon copy” feature of email, allows email to be sent without displaying the recipient’s email address at all. Spammers often use this to hide some or all the actual recipients of a spam email message. A a result, you may receive spam email where your email address does not appear. Since it is spam, mark it as such and move on.
The BCC field
“BCC” stands for Blind Carbon Copy1, a technique to send an email without the recipient’s email address appearing in the message. You might use the BCC field when emailing a group of people so as not to share their email addresses without permission.
In addition to the To: and Cc: fields, email programs typically include a Bcc: field. Here’s an example in the Windows 10 Mail program.2
You can add email addresses to any of these fields.
- To: is used for one or more direct recipients for the message.
- Cc: is used for one or more recipients who also get the message. While the message is not directed at them, they also receive it. Often, people use this as an FYI to others to see the message. Any Cc: recipients are displayed in the message on the Cc: line.
- Bcc: is used for one or more recipients who also get the message. This is exactly like Cc:, except that the list of people receiving the message via Bcc is not included in the message when it is sent.
Who was BCC’ed?
There is no way for a recipient to tell who was BCC’ed, how many were BCC’ed, or even if any Bcc: addresses were used when a message was sent. (There are sometimes ways you can see the BCC’ed recipients on a message you’ve sent.)
Spammers use this technique to send one message to perhaps hundreds of people at once, because listing all of those addresses as Cc: or To: makes the message more likely to be flagged as spam. Since there’s no way to tell when you get the message that Bcc: was used, you have no idea that hundreds of others might be getting the same message.
As just one example, those hundreds of messages might be what’s called a dictionary attack, meaning they try variations on email names in the hope that one or more will reach a real person. For example, they might3 try “leo@”, “leoa@”, “leob@”, and so on, on any of my domains. Some might work, some might not, but there’s no added cost to the spammer to try ’em all. Most will be hidden in the Bcc: you can’t see.
What you can or cannot do
Ultimately, there’s nothing you can really do about this specific situation.
Mark the message as spam if it’s landed in your inbox. Your spam filter will use other factors and characteristics of the message to update its database of what you (and perhaps others) consider spam. Mark these messages as spam enough times, and they should get routed to your spam folder automatically.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!