On 11.01.2024 at 17:02:01 Tim Starr via mailop writes:
> The image has to be specified in the DNS, and it has to be certified w/ a
> VMC. The VMC certification process includes checking if it's trademarked.
> So, in order for a trusted brand's BIMI logo to get spoofed, the email
> would have to be DMARC-authenticated and the logo specified in the DNS
> would be the one presented to the mailbox provider when they do DNS lookups
> on the authentication domains.

Under the assumption that the MUA will display *only certified BIMI
logos* and not any other "avatars" with the emails, ever.

How are you going to force MUA developers to do that?

Assume the recipient uses a MUA that displays not only BIMI logos, but e.g.
avatars from the Gravatar service as well. The attacker just sets as his
Gravatar picture the logo he wants to spoof. Then sends mail to the
recipient. Recipient sees a familiar logo (without BIMI being used at all!)
and assumes the mail is genuine.

As I wrote previously, the only method to prevent this is a (totally
unrealistic) *legal prohibition* for MUA developers to display any other
images than certified BIMI logos. Not possible.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
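Added example, not from either poster in this thread: a minimal model of the MUA-side decision the two messages above disagree on. It parses a BIMI DNS record (`v=BIMI1; l=...; a=...`), reads the DMARC verdict from Authentication-Results, and contrasts the strict policy (logo only when DMARC passed and a VMC is referenced) with the permissive fallback to a sender-chosen avatar that the reply describes. All domains, records, headers and the avatar table are constructed sample data; a real client would also check the DMARC policy and fetch and validate the VMC, which this model only represents by the presence of the `a=` tag.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample DNS: <selector>._bimi.<domain> TXT records.
# l= is the logo URL, a= the URL of the VMC (authority evidence).
SAMPLE_DNS: Dict[str, str] = {
    "default._bimi.brand.example":
        "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem",
    "default._bimi.nocert.example":
        "v=BIMI1; l=https://nocert.example/logo.svg;",
}

# Constructed table standing in for an avatar service: any sender can
# register any image for their own address.
CONSTRUCTED_AVATARS: Dict[str, str] = {
    "someone@free-mail.example": "https://avatars.example/u/1234.svg",
}


@dataclass
class BimiRecord:
    logo: str
    vmc: Optional[str]


def parse_bimi_record(txt: str) -> Optional[BimiRecord]:
    """Parse a BIMI TXT record; return None if it is not a usable BIMI1 record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1" or not tags.get("l"):
        return None
    return BimiRecord(logo=tags["l"], vmc=tags.get("a") or None)


def dmarc_result(auth_results: str) -> Optional[str]:
    """Extract the dmarc= verdict from an Authentication-Results header."""
    m = re.search(r"\bdmarc=(\w+)", auth_results)
    return m.group(1).lower() if m else None


def header_from_domain(from_header: str) -> str:
    """Domain part of the RFC5322.From address (the domain BIMI is keyed on)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def strict_logo_for(headers: Dict[str, str], dns: Dict[str, str] = SAMPLE_DNS,
                    selector: str = "default") -> Optional[str]:
    """Strict policy: show a logo only if DMARC passed for the From domain
    and that domain's BIMI record references a VMC. No other image source."""
    if dmarc_result(headers.get("Authentication-Results", "")) != "pass":
        return None
    domain = header_from_domain(headers.get("From", ""))
    txt = dns.get(f"{selector}._bimi.{domain}")
    rec = parse_bimi_record(txt) if txt else None
    if rec is None or rec.vmc is None:
        return None
    return rec.logo


def permissive_logo_for(headers: Dict[str, str],
                        avatar_lookup: Callable[[str], Optional[str]],
                        dns: Dict[str, str] = SAMPLE_DNS) -> Optional[str]:
    """The behaviour the reply warns about: BIMI logo if available, otherwise
    whatever image an unauthenticated avatar service returns for the sender.
    The fallback image is chosen by the sender, not certified by anyone."""
    logo = strict_logo_for(headers, dns)
    if logo:
        return logo
    sender = re.sub(r"^.*<|>.*$", "", headers.get("From", "")).strip().lower()
    return avatar_lookup(sender)


if __name__ == "__main__":
    msg = {"From": "someone@free-mail.example",
           "Authentication-Results": "mx.example; dmarc=pass header.from=free-mail.example"}
    print("strict:", strict_logo_for(msg))
    print("permissive:", permissive_logo_for(msg, CONSTRUCTED_AVATARS.get))
```

The strict function is the policy the reply says cannot be enforced on MUA developers; the permissive one shows why an avatar fallback makes the BIMI certification step irrelevant for the recipient's trust decision, since the image shown no longer depends on DNS, DMARC or the VMC at all.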