> I might have missed something, but wouldn't that be a phisher's wet dream?

        Indeed, and because the BIMI record references a URI to load the 
logo from, the scammers (spammers, phishers, malware/virus 
distributors, etc.) could simply specify a different logo file with a 
recognized brand to make their bad eMail appear legitimate.

> Most spammers know very well how to do a mail with valid DMARC. So, now 
> they only need to send a valid mail from any throw away cheap domain and 
> in their BIMI add the logo of paypal?

        Yes.

> I understand it's not great to have to pay for the 
> verification/certification, but leaving the door open to abuse is a 
> dangerous path to take.

        Some scammers make a lot of money ripping people off.  They could 
easily afford to set up a company, get a Trademark, and then use a 
different logo image when sending their junk eMails.

        So, once this happens often enough, end-users will just not trust 
the BIMI logos to be reliable and it will be another internet feature 
that security educators will recommend be taken with a grain of salt.

> Being on the antispam side, I would hate to have to start implementing 
> BIMI spoof checks.

        I agree.  Even if someone else makes a SpamAssassin plug-in or a 
milter, it still adds to the overall complexity and will have a 
potentially-noticeable impact on busier systems ... and then everyone 
has to pay indirectly for BIMI with slower performance of system 
upgrades to counter the slower performance.

> Regards,
> Laurent
> 
> On 11.01.24 00:05, Louis Laureys via mailop wrote:
> >      We decided to keep this because I read that some webmail clients are
> >      planning to support BIMI without checking for certificates, or,
> >      perhaps, also displaying a little lock icon in the corner of the
> >      sender's BIMI-style logo image where certification is verified.
> > 
> > This is exactly what I have in mind for my client, thanks for publishing 
> > your logo in an easily accessible and standard way :)
> > 
> > Groetjes,
> > Louis
> > 
> > 
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/
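The spoof scenario discussed in this thread (a DMARC-aligned throwaway domain whose BIMI record points `l=` at a well-known brand's logo while publishing no `a=` certificate evidence) comes down to a policy decision in the mail client or filter: display the logo only when evidence is present. The following is an added example, not code from this thread or from any BIMI implementation; the domain names, record strings and the `assess_bimi` policy are constructed for illustration, and actual VMC fetching and validation is left to the caller.

```python
"""Parse a BIMI assertion record and apply a conservative display policy.

Added example, not from the mailing-list thread. A BIMI record is a TXT
record at <selector>._bimi.<domain> with tags v=BIMI1, l=<logo URL> and
a=<evidence URL>; the sample records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class BimiRecord:
    version: str
    logo_url: str       # l= tag; empty string means the domain declined BIMI
    evidence_url: str   # a= tag (VMC); empty when no certificate is published


def parse_bimi_record(txt: str) -> Optional[BimiRecord]:
    """Parse 'tag=value; tag=value' into a BimiRecord; None if not a BIMI1 record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1":
        return None
    return BimiRecord(tags["v"], tags.get("l", ""), tags.get("a", ""))


def _is_https(url: str) -> bool:
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def logo_hosted_off_domain(sending_domain: str, record: BimiRecord) -> bool:
    """True when the logo is served from a host outside the sending domain.

    Not a rejection criterion by itself (CDN hosting is legitimate), but a
    useful signal for review when no evidence document is published.
    """
    host = urlparse(record.logo_url).netloc.lower()
    return bool(host) and not (host == sending_domain or host.endswith("." + sending_domain))


def assess_bimi(sending_domain: str, txt: str, dmarc_pass: bool,
                dmarc_policy: str) -> Tuple[bool, str]:
    """Return (show_logo, reason).  Policy: no certificate evidence, no logo."""
    record = parse_bimi_record(txt)
    if record is None:
        return False, "no valid BIMI1 record"
    # BIMI is only meaningful on top of an enforcing DMARC policy that passed.
    if not dmarc_pass or dmarc_policy not in ("quarantine", "reject"):
        return False, "DMARC did not pass under an enforcing policy"
    if not record.logo_url:
        return False, "domain declined BIMI (empty l=)"
    if not _is_https(record.logo_url):
        return False, "logo URL must be https"
    if not record.evidence_url:
        note = " (logo hosted off-domain)" if logo_hosted_off_domain(sending_domain, record) else ""
        return False, "no certificate evidence (a=); any DMARC-aligned domain can point l= at a brand logo" + note
    if not _is_https(record.evidence_url):
        return False, "evidence URL must be https"
    return True, "logo and evidence URL present; validate the VMC before rendering"


# Constructed sample records (hypothetical domains).
SAMPLE_RECORDS = {
    "brand.example": "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem",
    "throwaway.example": "v=BIMI1; l=https://brand.example/logo.svg;",  # no a= tag
    "declined.example": "v=BIMI1; l=;",
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        show, reason = assess_bimi(domain, txt, dmarc_pass=True, dmarc_policy="reject")
        print(f"{domain:20} show_logo={show!s:5} {reason}")
```

Only the "brand.example" record passes the gate, and even then the caller still has to fetch and validate the VMC; the "throwaway.example" record, which is what the thread describes, is refused purely because it carries no `a=` evidence, regardless of its valid DMARC.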

