They can already rip people off, w/out BIMI. BIMI limits their ability to
do so in two ways:

1) It raises the cost, because BIMI setup costs more.
2) It makes it harder for scammers to impersonate trusted brands.

-Tim

On Thu, Jan 11, 2024 at 12:58 PM Randolf Richardson, Postmaster via mailop <
mailop@mailop.org> wrote:

> > I might have missed something, but wouldn't that be a phisher's wet
> > dream?
>
>         Indeed, and because the BIMI record references a URI to load the
> logo from, the scammers (spammers, phishers, malware/virus
> distributors, etc.) could simply specify a different logo file with a
> recognized brand to make their bad eMail appear legitimate.
>
> > Most spammers know very well how to do a mail with valid DMARC. So, now
> > they only need to send a valid mail from any throw away cheap domain and
> > in their BIMI add the logo of paypal?
>
>         Yes.
>
> > I understand it's not great to have to pay for the
> > verification/certification, but leaving the door open to abuse is a
> > dangerous path to take.
>
>         Some scammers make a lot of money ripping people off.  They could
> easily afford to set up a company, get a Trademark, and then use a
> different logo image when sending their junk eMails.
>
>         So, once this happens often enough, end-users will just not trust
> the BIMI logos to be reliable and it will be another internet feature
> that security educators will recommend be taken with a grain of salt.
>
> > Being on the antispam side, I would hate to have to start implementing
> > BIMI spoof checks.
>
>         I agree.  Even if someone else makes a SpamAssassin plug-in or a
> milter, it still adds to the overall complexity and will have a
> potentially-noticeable impact on busier systems ... and then everyone
> has to pay indirectly for BIMI with slower performance of system
> upgrades to counter the slower performance.
>
> > Regards,
> > Laurent
> >
> > On 11.01.24 00:05, Louis Laureys via mailop wrote:
> > >      We decided to keep this because I read that some webmail clients
> > >      are
> > >      planning to support BIMI without checking for certificates, or,
> > >      perhaps, also displaying a little lock icon in the corner of the
> > >      sender's BIMI-style logo image where certification is verified.
> > >
> > > This is exactly what I have in mind for my client, thanks for
> > > publishing your
> > > logo in an easily accessible and standard way :)
> > >
> > > Groetjes,
> > > Louis
> > >
> > >
> >
> > _______________________________________________
> > mailop mailing list
> > mailop@mailop.org
> > https://list.mailop.org/listinfo/mailop
>
>
> --
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, British Columbia, Canada
> https://www.inter-corporate.com/
>
>
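An added example, not code from this thread or from any of the posters: a minimal version of the "BIMI spoof check" Laurent and Randolf discuss, written for the receiving side. It parses a `default._bimi` TXT record and decides whether a client should render the logo; the display policy (enforcing DMARC plus a present, verified authority-evidence URI) is an assumed design choice, and `vmc_verified` stands in for certificate validation done elsewhere.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class BimiRecord:
    logo_uri: str       # l= tag: where the SVG logo is fetched from
    authority_uri: str  # a= tag: VMC / evidence document, empty if absent

def parse_bimi(txt: str) -> Optional[BimiRecord]:
    """Parse a default._bimi TXT record such as
    'v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem'.
    Returns None if the record is malformed or v=BIMI1 is not the first tag."""
    if not txt.lstrip().lower().startswith("v="):
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"([a-zA-Z]+)\s*=\s*(.*)", part)
        if not m:
            return None
        tags[m.group(1).lower()] = m.group(2).strip()
    if tags.get("v") != "BIMI1":
        return None
    return BimiRecord(tags.get("l", ""), tags.get("a", ""))

def logo_allowed(record_txt: str, dmarc_policy: str, dmarc_passed: bool,
                 vmc_verified: bool) -> Tuple[bool, str]:
    """Assumed display policy (a design choice, not a standard): show the
    logo only if DMARC is enforcing and passed and an https authority
    evidence URI is present whose certificate the caller verified."""
    rec = parse_bimi(record_txt)
    if rec is None or not rec.logo_uri:
        return False, "no usable BIMI record"
    if not rec.logo_uri.startswith("https://"):
        return False, "logo URI must be https"
    if not dmarc_passed or dmarc_policy not in ("quarantine", "reject"):
        return False, "DMARC not enforcing or did not pass"
    if not rec.authority_uri.startswith("https://"):
        return False, "no authority evidence (a=) URI: logo unverified"
    if not vmc_verified:
        return False, "authority evidence did not verify"
    return True, "ok"

# Constructed sample records: a full record, and a logo-only record of the
# kind a throwaway domain could publish with any brand's image.
GOOD = "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem"
LOGO_ONLY = "v=BIMI1; l=https://cheap.example/lookalike.svg"
```

With this policy the logo-only record is refused regardless of DMARC status, which is the gap Randolf describes when clients render logos without checking certification.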
