Hey all,

> I might have missed something, but wouldn't that be a phisher's wet dream?

It depends on the implementation really. A lot of parallels can be drawn to
things email clients and other platforms have been doing for years. Email
clients have already been using Gravatar, and on almost every social media
platform or forum you can set your own name and avatar. It's not much different.

> I don't think that the regular user will check if the little extra lock is
> there on the icon. They'll see a version of the paypal logo on the phish and
> have an extra feeling of safety.

Maybe, maybe not. I feel about 70% of all commercial emails in my client have
logos. It's essentially the same as the sender name being "PayPal". There's really
no implicit extra trust about there being a logo in this context.

> how the user is supposed to distinguish which avatars are verified BIMI logos,
> and which ones come from a totally different source?

An indicator. It's probably not as effective as only ever showing BIMI verified,
but it's been standard on other platforms for a while now. It's not the solution
to all problems, but it does seem like a design pattern that users will
recognize. I have not done any user research into this though, this is just my
thought process at the moment.

> Otherwise, the non-BIMI avatars displayed along the messages, mixed with BIMI
> ones, will just facilitate phishing instead of making it more difficult

I'm honestly not sure whether that was a great promise to begin with. It's an
attractive one, for sure. BIMI being mixed with other avatars was always a thing
that would probably happen. Gravatar is already widely used, and Gmail shows
avatars for other google users (as far as I know).



I've implemented it this way into my client because I liked being able to more
visually differentiate emails, and reduce the mental load of having to scan
text. It initially had absolutely nothing to do with BIMI, in fact I added BIMI
after I added the other sources. But in my case BIMI can still add security
through the verification indicator, which I will be adding. I've hidden avatars
for messages in the junk folder as well, as a precaution.

Anecdotally, none of the mass phishing emails I've received have had the correct
logo associated. It's usually compromised credentials without access to the
domain, and they don't seem to go through the effort of setting up Gravatar. Of
course this really means nothing for targeted attacks by actually competent
phishers, but I thought it was fun to see. It's something I wondered about when
I started adding the avatars.



Greetings,
Louis
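The display policy Louis describes (avatars from several sources, a verification indicator only for BIMI logos whose certificate checked out, no avatars in the junk folder) as an added example; this is illustrative code, not Louis's client, and it assumes the VMC validation itself is done elsewhere and handed in as a boolean, with the function and field names being hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


def parse_bimi_record(txt: str) -> dict:
    """Parse the tag=value pairs of a BIMI TXT record ('v=BIMI1; l=...; a=...')."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "BIMI1":
        raise ValueError("not a BIMI1 record")
    return tags


@dataclass
class AvatarDecision:
    source: str                # "bimi", "gravatar" or "none"
    logo_url: Optional[str]
    verified: bool             # draw the lock indicator only when True


def choose_avatar(bimi_txt: Optional[str], dmarc_pass: bool, vmc_valid: bool,
                  gravatar_url: Optional[str], in_junk: bool) -> AvatarDecision:
    # Precaution from the thread: never render avatars for junk-folder mail.
    if in_junk:
        return AvatarDecision("none", None, False)
    # BIMI only applies to messages that passed DMARC for the sending domain.
    if bimi_txt and dmarc_pass:
        tags = parse_bimi_record(bimi_txt)
        logo = tags.get("l")
        # The BIMI draft requires an HTTPS logo URI; an empty l= means "no logo".
        if logo and logo.startswith("https://"):
            # A logo without Authority Evidence (a= tag, the VMC) or whose VMC
            # failed validation is shown like any other avatar: no indicator.
            # This is where a throwaway domain publishing a big brand's logo
            # ends up without the lock, which is the whole point of the indicator.
            verified = bool(tags.get("a")) and vmc_valid
            return AvatarDecision("bimi", logo, verified)
    # Fall back to the other avatar sources, never with the verified indicator.
    if gravatar_url:
        return AvatarDecision("gravatar", gravatar_url, False)
    return AvatarDecision("none", None, False)
```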


On Thursday 11 January 2024 at 20:43, Tim Starr via mailop
<mailop@mailop.org> wrote:

> They can already rip people off, w/out BIMI. BIMI limits their ability to do
> so in two ways:
> 
> 
> 1) It raises the cost, because BIMI setup costs more.
> 2) It makes it harder for scammers to impersonate trusted brands.
> 
> 
> -Tim
> 
> On Thu, Jan 11, 2024 at 12:58 PM Randolf Richardson, Postmaster via mailop
> <mailop@mailop.org> wrote:
> 
> 
> > > I might have missed something, but wouldn't that be a phisher's wet dream?
> > 
> >         Indeed, and because the BIMI record references a URI to load the
> > logo from, the scammers (spammers, phishers, malware/virus
> > distributors, etc.) could simply specify a different logo file with a
> > recognized brand to make their bad eMail appear legitimate.
> > 
> > > Most spammers know very well how to do a mail with valid DMARC. So, now
> > > they only need to send a valid mail from any throw away cheap domain and
> > > in their BIMI add the logo of paypal?
> > 
> >         Yes.
> > 
> > > I understand it's not great to have to pay for the
> > > verification/certification, but leaving the door open to abuse is a
> > > dangerous path to take.
> > 
> >         Some scammers make a lot of money ripping people off.  They could
> > easily afford to set up a company, get a Trademark, and then use a
> > different logo image when sending their junk eMails.
> > 
> >         So, once this happens often enough, end-users will just not trust
> > the BIMI logos to be reliable and it will be another internet feature
> > that security educators will recommend be taken with a grain of salt.
> > 
> > > Being on the antispam side, I would hate to have to start implementing
> > > BIMI spoof checks.
> > 
> >         I agree.  Even if someone else makes a SpamAssassin plug-in or a
> > milter, it still adds to the overall complexity and will have a
> > potentially-noticeable impact on busier systems ... and then everyone
> > has to pay indirectly for BIMI with slower performance of system
> > upgrades to counter the slower performance.
> > 
> > > Regards,
> > > Laurent
> > >
> > > On 11.01.24 00:05, Louis Laureys via mailop wrote:
> > > >      We decided to keep this because I read that some webmail clients are
> > > >      planning to support BIMI without checking for certificates, or,
> > > >      perhaps, also displaying a little lock icon in the corner of the
> > > >      sender's BIMI-style logo image where certification is verified.
> > > >
> > > > This is exactly what I have in mind for my client, thanks for publishing your
> > > > logo in an easily accessible and standard way :)
> > > >
> > > > Greetings,
> > > > Louis
> > > >
> > > >
> > >
> > > _______________________________________________
> > > mailop mailing list
> > > mailop@mailop.org
> > > https://list.mailop.org/listinfo/mailop
> > 
> > 
> > --
> > Postmaster - postmas...@inter-corporate.com
> > Randolf Richardson, CNA - rand...@inter-corporate.com
> > Inter-Corporate Computer & Network Services, Inc.
> > Vancouver, British Columbia, Canada
> > https://www.inter-corporate.com/
> > 
> > 