By publishing the BIMI spec. No one's required to follow the spec, but if they don't, then they're not doing BIMI, and that's not the fault of the spec.
-Tim

On Thu, Jan 11, 2024 at 5:31 PM Jaroslaw Rafa via mailop <mailop@mailop.org> wrote:
> On 11.01.2024 at 17:02:01 Tim Starr via mailop wrote:
> > The image has to be specified in the DNS, and it has to be certified w/ a
> > VMC. The VMC certification process includes checking if it's trademarked.
> > So, in order for a trusted brand's BIMI logo to get spoofed, the email
> > would have to be DMARC-authenticated and the logo specified in the DNS
> > would be the one presented to the mailbox provider when they do DNS lookups
> > on the authentication domains.
>
> Under the assumption that the MUA will display *only certified BIMI
> logos* and not any other "avatars" with the emails, ever.
>
> How are you going to force MUA developers to do that?
>
> Assume the recipient uses a MUA that displays not only BIMI logos, but e.g.
> avatars from the Gravatar service as well. The attacker just sets as his
> Gravatar picture the logo he wants to spoof. Then sends mail to the
> recipient. The recipient sees a familiar logo (without BIMI being used at all!)
> and assumes the mail is genuine.
>
> As I wrote previously, the only method to prevent this is a (totally
> unrealistic) *legal prohibition* for MUA developers to display any other
> images than certified BIMI logos. Not possible.
> --
> Regards,
> Jaroslaw Rafa
> r...@rafa.eu.org
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
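The exchange above describes two things worth seeing side by side: the receiver-side gating Tim outlines (DMARC pass on the From domain, an enforcing DMARC policy, a BIMI record in DNS carrying a logo and a VMC reference) and the avatar-fallback bypass Jaroslaw objects to (a client that also shows a Gravatar-style picture keyed only on the sender address). The following is an added example written for this page, not code from either poster or from any BIMI implementation. It assumes the published BIMI record shape (`<selector>._bimi.<domain>` with `v=BIMI1; l=<logo URL>; a=<VMC URL>`) and `_dmarc.<domain>` records; all zone data, headers and avatar entries are constructed, and VMC validation is reduced to "an `a=` tag is present" since fetching and verifying the certificate chain is out of scope here.

```python
import hashlib
import re
from email.utils import parseaddr

# Constructed zone data standing in for the DNS answers a mailbox provider
# would receive. None of these domains or records are real.
ZONE = {
    "_dmarc.brand.example": "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
    "default._bimi.brand.example": (
        "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem"),
    # Enforcing policy missing: BIMI must not be honoured.
    "_dmarc.weak.example": "v=DMARC1; p=none",
    "default._bimi.weak.example": (
        "v=BIMI1; l=https://weak.example/logo.svg; a=https://weak.example/vmc.pem"),
    # No VMC reference: treated as uncertified under a "certified logos only" policy.
    "_dmarc.nocert.example": "v=DMARC1; p=quarantine",
    "default._bimi.nocert.example": "v=BIMI1; l=https://nocert.example/logo.svg;",
    # Attacker's own domain: DMARC passes for it, but it publishes no BIMI record.
    "_dmarc.evil.example": "v=DMARC1; p=reject",
}


def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict (DMARC and BIMI share this shape)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def from_domain(headers):
    """Domain of the RFC 5322 From address, lowercased; '' if absent."""
    return parseaddr(headers.get("From", ""))[1].rpartition("@")[2].lower()


def dmarc_passed(headers, domain):
    """True only if the receiver's own Authentication-Results asserts dmarc=pass for this domain."""
    ar = headers.get("Authentication-Results", "")
    return re.search(r"\bdmarc=pass\b.*header\.from=" + re.escape(domain), ar) is not None


def dmarc_enforcing(zone, domain):
    """Policy must be quarantine or reject applied to 100% of mail (pct defaults to 100)."""
    record = zone.get(f"_dmarc.{domain}")
    if not record:
        return False
    tags = parse_tags(record)
    return (tags.get("v") == "DMARC1"
            and tags.get("p") in ("quarantine", "reject")
            and tags.get("pct", "100") == "100")


def bimi_logo(headers, zone, selector="default"):
    """Logo URL a BIMI-following receiver would show for this message, or None."""
    domain = from_domain(headers)
    if not domain or not dmarc_passed(headers, domain):
        return None
    if not dmarc_enforcing(zone, domain):
        return None
    record = zone.get(f"{selector}._bimi.{domain}")
    if not record:
        return None
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1" or not tags.get("l", "").startswith("https://"):
        return None
    # A real receiver fetches a= and validates the VMC (including the trademark
    # binding); presence of the tag stands in for that check in this example.
    if not tags.get("a"):
        return None
    return tags["l"]


def avatar_fallback_logo(headers, avatars):
    """Gravatar-style lookup: hash of the lowercased sender address, no authentication involved."""
    address = parseaddr(headers.get("From", ""))[1].strip().lower()
    return avatars.get(hashlib.md5(address.encode()).hexdigest())


def displayed_logo(headers, zone, avatars):
    """What a client that shows BIMI logos *and* falls back to avatars ends up rendering."""
    return bimi_logo(headers, zone) or avatar_fallback_logo(headers, avatars)


# Constructed messages (header subsets only).
BRAND_MSG = {
    "From": "Brand <noreply@brand.example>",
    "Authentication-Results": "mx.receiver.example; dmarc=pass header.from=brand.example",
}
# Attacker sends from a domain he controls, so DMARC genuinely passes for evil.example,
# and has set his avatar to a copy of the brand's logo.
ATTACKER_MSG = {
    "From": "Brand <noreply@evil.example>",
    "Authentication-Results": "mx.receiver.example; dmarc=pass header.from=evil.example",
}
AVATARS = {
    hashlib.md5(b"noreply@evil.example").hexdigest():
        "https://avatars.example/copy-of-brand-logo.png",
}

if __name__ == "__main__":
    print("BIMI only, brand   :", bimi_logo(BRAND_MSG, ZONE))
    print("BIMI only, attacker:", bimi_logo(ATTACKER_MSG, ZONE))
    print("with avatar fallback, attacker:", displayed_logo(ATTACKER_MSG, ZONE, AVATARS))
```

The point the code makes is the one Jaroslaw makes in prose: every check in `bimi_logo` is sound, and the attacker's message fails it, yet `displayed_logo` still renders a brand-looking image for the attacker because the fallback path consults nothing but the sender's address. The spec can only govern the first function; the second is a client decision it cannot reach.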