
BIMI pilot at Google
There's been some sporadic discussion from BIMI for a few years.  Just
caught this article:
https://venturebeat.com/2020/07/21/google-launches-bimi-pilot-to-bring-verified-brand-logos-to-gmail/

Regards,

KAM

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: BIMI pilot at Google
Well Kevin I think that article is one of the biggest lying sacks of dog
dung I have ever read.

The ONLY reason they are doing this is pure greed. The email scanning
services charge extra for applying "branding" and the amounts are
unreal, and I happen to have a customer going through the RDP process
for a new firewall mail scanner and every last dirty dog sales guy
has been badgering them "do you want Branding, huh, huh, huh," and
every one of them charges an EXTRA fee per message and user for this
"service"

It's disgusting. It's just greed disguised as "we are making things
safe for YOUUU." They are trying to push a "standard" into email that
they are hoping to make so that 99% of the companies that do it, have
to pay someone a fee-per-message-per-month.

Go ahead and support it if you want but please don't pretend its
purpose is to make things safer. Its purpose is to enrich someone's
pockets.

Ted

On 7/22/2020 8:07 AM, Kevin A. McGrail wrote:
> There's been some sporadic discussion from BIMI for a few years. Just
> caught this article:
> https://venturebeat.com/2020/07/21/google-launches-bimi-pilot-to-bring-verified-brand-logos-to-gmail/
>
> Regards,
>
> KAM
>
Re: BIMI pilot at Google
I posted it without any opinion just as a data point. No need for the
personal attack.

If the feature ends up helping me classify spam or ham accurately, maybe
it's a good thing. I pay for plenty of intelligence feeds to do that.

However, I have questions of adoption rate, impersonation concerns,
anticompetitive concerns, and privacy concerns. This just sounds like a
commercial tracking pixel but the devil is in the details.

The pilot will shake things out more I imagine.


On Thu, Jul 23, 2020, 01:29 Ted Mittelstaedt <tedm@ipinc.net> wrote:

>
> Well Kevin I think that article is one of the biggest lying sacks of dog
> dung I have ever read.
>
> The ONLY reason they are doing this is pure greed. The email scanning
> services charge extra for applying "branding" and the amounts are
> unreal, and I happen to have a customer going through the RDP process
> for a new firewall mail scanner and every last dirty dog sales guy
> has been badgering them "do you want Branding, huh, huh, huh," and
> every one of them charges an EXTRA fee per message and user for this
> "service"
>
> It's disgusting. It's just greed disguised as "we are making things
> safe for YOUUU." They are trying to push a "standard" into email that
> they are hoping to make so that 99% of the companies that do it, have
> to pay someone a fee-per-message-per-month.
>
> Go ahead and support it if you want but please don't pretend its
> purpose is to make things safer. Its purpose is to enrich someone's
> pockets.
>
> Ted
>
> On 7/22/2020 8:07 AM, Kevin A. McGrail wrote:
> > There's been some sporadic discussion from BIMI for a few years. Just
> > caught this article:
> > https://venturebeat.com/2020/07/21/google-launches-bimi-pilot-to-bring-verified-brand-logos-to-gmail/
> >
> > Regards,
> >
> > KAM
> >
>
Re: BIMI pilot at Google
On 22 Jul 2020, at 23:14, Kevin A. McGrail wrote:

> However, I have questions of adoption rate, impersonation concerns,
> anticompetitive concerns, and privacy concerns. This just sounds like
> a
> commercial tracking pixel but the devil is in the details.
>
> The pilot will shake things out more I imagine.

Money is of course a motivation here. This breathes some fresh air to
CAs and opens the possibility to a few new interesting revenue streams
for all the parties.

I'm not sure on the potential for user tracking although I haven't read
the material deep enough.

The adoption will depend greatly on the price for the new certificates
that will have to go with this service. I think a wait-and-see approach
is the right thing to do here. This is what I'm advising others to do on
this topic.

Impersonation will of course be a very interesting topic.

Best regards

-lem
Re: BIMI pilot at Google
On 23.7.2020 9.14, Kevin A. McGrail wrote:
> I posted it without any opinion just as a data point. No need for the
> personal attack.
>
> If the feature ends up helping me classify spam or ham accurately,
> maybe it's a good thing. I pay for plenty of intelligence feeds to do
> that.
>
> However, I have questions of adoption rate, impersonation concerns,
> anticompetitive concerns, and privacy concerns.  This just sounds like
> a commercial tracking pixel but the devil is in the details.
>
> The pilot will shake things out more I imagine.
>
Seems that the purpose is to help mail recipients to see if the sender
is who she claims to be. I have long ago implemented a similar purpose in
my Maildir by creating a folder INBOX/DKIM_VALID_AU. I tend to be very
careful on mail in INBOX but that special folder is easier to trust.

Classified by SpamAssassin, of course.

br. jarif
Re: BIMI pilot at Google
On 23.07.20 08:14, Kevin A. McGrail wrote:

> However, I have questions of adoption rate, impersonation concerns,
> anticompetitive concerns, and privacy concerns. This just sounds like
> a commercial tracking pixel but the devil is in the details.

As the logo path is supposed to be published through TXT record, I guess
the tracking would be much more limited compared to what we usually see
in a mail body.

On 23.07.20 09:09, Jari Fredriksson wrote:

> Seems that the purpose is to help mail recipients to see if the sender
> is who she claims to be. I have long ago implemented a similar purpose in
> my Maildir by creating a folder INBOX/DKIM_VALID_AU. I tend to be very
> careful on mail in INBOX but that special folder is easier to trust.

BIMI requires DMARC, which is much easier to implement if you are a
phisher creating a brand new domain .xyz with all the right SPF, DKIM,
DMARC and BIMI. Putting the paypal logo on that .xyz domain and there
you go. Your regular legit company will often struggle to implement all
those correctly.

So either you display any BIMI and it's a phisher's wet dream (also a
nightmare to catch for a spam filter), or you only use an exhaustive list
which will leave out most companies that don't have the (financial)
resources.

I am extremely skeptical of the whole BIMI thing and hate that it's
presented as a security thing.

Laurent S.
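An added example (editor's code, not from anyone in this thread) of the receiver-side check Laurent's point implies: a BIMI record, published as a TXT record at default._bimi.<domain>, is only worth honouring when the domain's DMARC policy is actually at enforcement. The record strings are constructed here rather than fetched from DNS; the DMARC conditions (p=reject, or p=quarantine with pct=100, and no sp=none) and the https requirement on the logo URL are assumptions taken from the BIMI draft, not from the thread.

```python
from urllib.parse import urlparse

# Constructed sample records (not real domains or real DNS data).
SAMPLE_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
SAMPLE_DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k2=v2' style TXT record (DMARC or BIMI) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(dmarc_record: str) -> bool:
    """Assumed BIMI requirement: p=reject, or p=quarantine applied to 100% of
    mail, and a subdomain policy (sp) that does not fall back to none."""
    t = parse_tags(dmarc_record)
    if t.get("v") != "DMARC1":
        return False
    policy = t.get("p", "none")
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        return False
    policy_ok = policy == "reject" or (policy == "quarantine" and pct == 100)
    # sp defaults to p when absent; an explicit sp=none weakens subdomains.
    return policy_ok and t.get("sp", policy) in ("quarantine", "reject")


def bimi_assessment(bimi_record: str, dmarc_record: str) -> tuple:
    """Return (eligible, reason) for a receiver deciding whether to show a logo."""
    t = parse_tags(bimi_record)
    if t.get("v") != "BIMI1":
        return False, "not a BIMI1 record"
    logo = t.get("l", "")
    if not logo:
        return False, "domain declines to publish a logo"
    if urlparse(logo).scheme != "https":
        return False, "logo location must be https"
    if not dmarc_enforcing(dmarc_record):
        return False, "DMARC policy not at enforcement"
    return True, "eligible: logo %s, evidence %s" % (logo, t.get("a") or "none")


if __name__ == "__main__":
    print(bimi_assessment(SAMPLE_BIMI, SAMPLE_DMARC_STRONG))
    print(bimi_assessment(SAMPLE_BIMI, SAMPLE_DMARC_WEAK))
```

Note that passing this check says nothing about who owns the domain; as the thread points out, a freshly registered domain can satisfy every one of these conditions.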
Re: BIMI pilot at Google
Ted Mittelstaedt skrev den 2020-07-23 07:28:

> Go ahead and support it if you want but please don't pretend its
> purpose is to make things safer. Its purpose is to enrich someone's
> pockets.

without dnssec nothing is safe

maybe they want to sell that as well?
Re: BIMI pilot at Google
Thanks Kevin. We need to know about it.

Like DMARC, it is promoted as a standard to the C-level execs, but I can't
find an RFC that supports that claim. And it depends on DMARC!

It's another open rate tracker. I have image loading turned off in Gmail. I
wonder whether that will stop loading this thing.



--
Joseph Brennan
Lead, Email and Systems Applications
Columbia University Information Technology
Re: BIMI pilot at Google
On 7/22/2020 11:14 PM, Kevin A. McGrail wrote:
> I posted it without any opinion just as a data point. No need for the
> personal attack.

What personal attack? It's a standard and google is an org. Neither
are people.

Ted
Re: BIMI pilot at Google
Search for "you" in your response to me.
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Thu, Jul 23, 2020 at 2:09 PM Ted Mittelstaedt <tedm@ipinc.net> wrote:

>
>
> On 7/22/2020 11:14 PM, Kevin A. McGrail wrote:
> > I posted it without any opinion just as a data point. No need for the
> > personal attack.
>
> What personal attack? It's a standard and google is an org. Neither
> are people.
>
> Ted
>
Re: BIMI pilot at Google
On 23 Jul 2020, at 0:56, Laurent S. wrote:

> BIMI requires DMARC, which is much easier to implement if you are a
> phisher creating a brand new domain .xyz with all the right SPF, DKIM,
> DMARC and BIMI. Putting the paypal logo on that .xyz domain and there
> you go. Your regular legit company will often struggle to implement
> all
> those correctly.
>
> So either you display any BIMI and it's a phisher's wet dream (also a
> nightmare to catch for a spam filter), or you only use an exhaustive
> list
> which will leave out most companies that don't have the (financial)
> resources.

At some point, there is an entity that sanctions the relationship
between a domain name and the logo to be displayed. That entity is a CA
which will produce a new kind of certificate ("VMC").

This means that the trust model does include a number of CAs just as in
the browser PKI model.

Best regards

-lem
Re: BIMI pilot at Google
"Go ahead and support it if you want but please don't pretend its
purpose is to make things safer."

Sorry you took that wrong, it was not aimed at you. I will restate that
to make it more clear, here:

"Go ahead and support it if you want but please, nobody pretend its
purpose is to make things safer"

Ted

On 7/23/2020 2:31 PM, Kevin A. McGrail wrote:
> Search for "you" in your response to me.
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>
> On Thu, Jul 23, 2020 at 2:09 PM Ted Mittelstaedt <tedm@ipinc.net> wrote:
>
>
>
> On 7/22/2020 11:14 PM, Kevin A. McGrail wrote:
> > I posted it without any opinion just as a data point. No need for the
> > personal attack.
>
> What personal attack? It's a standard and google is an org. Neither
> are people.
>
> Ted
>
Re: BIMI pilot at Google
On Thu, 23 Jul 2020, Luis E. Muñoz wrote:

> On 23 Jul 2020, at 0:56, Laurent S. wrote:
>
>> BIMI requires DMARC, which is much easier to implement if you are a
>> phisher creating a brand new domain .xyz with all the right SPF, DKIM,
>> DMARC and BIMI. Putting the paypal logo on that .xyz domain and there
>> you go. Your regular legit company will often struggle to implement all
>> those correctly.
>>
>> So either you display any BIMI and it's a phisher's wet dream (also a
>> nightmare to catch for a spam filter), or you only use an exhaustive list
>> which will leave out most companies that don't have the (financial)
>> resources.
>
> At some point, there is an entity that sanctions the relationship between a
> domain name and the logo to be displayed. That entity is a CA which will
> produce a new kind of certificate ("VMC").

Does that certificate include some kind of checksum of the logo image
itself?

If not, what is to prevent a spammer from obtaining all the needed
certificates, and then changing the logo image they are hosting to match
the entity they are spoofing?


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #4: If your shooting stance is good,
you're probably not moving fast enough nor using cover correctly.
-----------------------------------------------------------------------
102 days until the Presidential Election
Re: BIMI pilot at Google
On 24 Jul 2020, at 12:22, John Hardin wrote:

> Does that certificate include some kind of checksum of the logo image
> itself?
>
> If not, what is to prevent a spammer from obtaining all the needed
> certificates, and then changing the logo image they are hosting to
> match the entity they are spoofing?

Don't know yet, but probably the certificate will include a signature
for the SVG file. I'm speculating at this point.

Best regards

-lem
Re: [sa-list] BIMI pilot at Google
> On Jul 22, 2020, at 23:56, Luis E. Muñoz <sa@lem.click> wrote:
>
> On 22 Jul 2020, at 23:14, Kevin A. McGrail wrote:
>
>> However, I have questions of adoption rate, impersonation concerns,
>> anticompetitive concerns, and privacy concerns. This just sounds like a
>> commercial tracking pixel but the devil is in the details.
>>
>> The pilot will shake things out more I imagine.
>
> Money is of course a motivation here. This breathes some fresh air to CAs and opens the possibility to a few new interesting revenue streams for all the parties.
>
> I'm not sure on the potential for user tracking although I haven't read the material deep enough.
>
> The adoption will depend greatly on the price for the new certificates that will have to go with this service. I think a wait-and-see approach is the right thing to do here. This is what I'm advising others to do on this topic.
>
> Impersonation will of course be a very interesting topic.

I looked at it briefly for *dayjob* because of the lunatics that email us trying to claim we have a bug bounty because we don't do it. (Just like the ones that tell us robots.txt is an XSS issue. Yes, really.)

It looks like the price for one of the CAs to do this is $2500 *per year*. And the image you're linking has to be registered as your actual trademark for your actual organization -- so there could not, for example, be my personal logo in there since it's not a registered trademark.

(We need those CAs to do something with the money they were making on EV certs for the "green browser bar" after all!)

From there, the certificate either embeds the svg, or it links to it, but I think the preference is that it be an embed.

-Dan