> I might have missed something, but wouldn't that be a phisher's wet dream?
Indeed, and because the BIMI record references a URI to load the logo from, the scammers (spammers, phishers, malware/virus distributors, etc.) could simply specify a different logo file with a recognized brand to make their bad eMail appear legitimate.

> Most spammers know very well how to do a mail with valid DMARC. So, now
> they only need to send a valid mail from any throw-away cheap domain and
> in their BIMI add the logo of paypal?

Yes.

> I understand it's not great to have to pay for the
> verification/certification, but leaving the door open to abuse is a
> dangerous path to take.

Some scammers make a lot of money ripping people off. They could easily afford to set up a company, get a Trademark, and then use a different logo image when sending their junk eMails. So, once this happens often enough, end-users will just not trust the BIMI logos to be reliable and it will be another internet feature that security educators will recommend be taken with a grain of salt.

> Being on the antispam side, I would hate to have to start implementing
> BIMI spoof checks.

I agree. Even if someone else makes a SpamAssassin plug-in or a milter, it still adds to the overall complexity and will have a potentially-noticeable impact on busier systems ... and then everyone has to pay indirectly for BIMI with slower performance or system upgrades to counter the slower performance.

> Regards,
> Laurent
>
> On 11.01.24 00:05, Louis Laureys via mailop wrote:
> > We decided to keep this because I read that some webmail clients are
> > planning to support BIMI without checking for certificates, or,
> > perhaps, also displaying a little lock icon in the corner of the
> > sender's BIMI-style logo image where certification is verified.
> >
> > This is exactly what I have in mind for my client, thanks for publishing
> > your logo in an easily accessible and standard way :)
> >
> > Groetjes,
> > Louis
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

--
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
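The gate the thread is arguing about, written out as an added receiver-side example (not code from any poster or from a real mail client): a `default._bimi` TXT record is parsed, and the logo is only displayed when DMARC passed under an enforcing policy and an evidence document (`a=`) is both published and accepted by a VMC validator. That validator (chain, trademark, hash of the SVG) is assumed to exist elsewhere and is passed in as a boolean; everything else is constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse


@dataclass
class BimiRecord:
    version: str
    logo_uri: str       # l= tag: where the SVG logo is fetched from
    evidence_uri: str   # a= tag: VMC location, empty when none is published


def parse_bimi_record(txt: str) -> Optional[BimiRecord]:
    """Parse 'v=BIMI1; l=https://...; a=https://...' into tags; None if not BIMI1."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1":
        return None
    return BimiRecord(tags["v"], tags.get("l", ""), tags.get("a", ""))


def should_display_logo(record: Optional[BimiRecord], dmarc_result: str,
                        dmarc_policy: str, vmc_valid: bool) -> Tuple[bool, str]:
    """Return (display, reason). dmarc_result is 'pass' or 'fail'; dmarc_policy is
    the effective p= for the From: domain; vmc_valid comes from a separate
    (assumed) VMC validator that checked the document at a= against the logo."""
    if record is None:
        return False, "no valid BIMI record"
    if dmarc_result != "pass" or dmarc_policy not in ("quarantine", "reject"):
        return False, "DMARC not passing under an enforcing policy"
    if not record.logo_uri:
        return False, "domain declines BIMI (empty l=)"
    if urlparse(record.logo_uri).scheme != "https":
        return False, "logo URI must be https"
    # Without an evidence document there is nothing tying the logo to a brand:
    # a DMARC-valid record on any domain could reference any image.
    if not record.evidence_uri:
        return False, "no evidence document (a=) published, logo not shown"
    if not vmc_valid:
        return False, "evidence document did not validate"
    return True, "DMARC pass and validated VMC"
```

Clients that display the logo on DMARC pass alone, as the quoted message describes, are equivalent to skipping the last two checks.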