Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Ted Hatfield via mailop
Further down in one of the FAQs on the bimigroup website is a link to an IETF document. draft-brotman-ietf-bimi-guidance-01 https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-01 It has information on the actual recommended implementation of BIMI including more information about

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Daniel Jakots via mailop
On Wed, 22 Jul 2020 20:59:54 -0400, Matt Corallo via mailop wrote: > but I don't see an answer to this question I assume it's the sentence > We’ll be starting the BIMI pilot in the coming weeks with a limited > number of senders, and with two Certification Authorities to validate > logo ownersh

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Matt Corallo via mailop
The standard appears to provide no protection whatsoever, but the specific implementation announced by Google relies on CAs to "authenticate" the domains' logo. Seems like there should be a standard for that, too. Matt On 7/22/20 9:17 PM, Ted Hatfield via mailop wrote: > > > On Wed, 22 Jul 20

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Matt Corallo via mailop
Right, the BIMI website doesn't mention it anywhere, silly me forgot to read the non-official source :). On 7/22/20 9:20 PM, Daniel Jakots wrote: > On Wed, 22 Jul 2020 20:59:54 -0400, Matt Corallo via mailop > wrote: > >> but I don't see an answer to this question > > I assume it's the sentenc

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Patrick via mailop
On 2020-07-22 20:59, Matt Corallo via mailop wrote: > Maybe I'm missing something, but I don't see an answer to this > question - Ted's point seems well-made and it seems like this will > retrain users to be more vulnerable to phishing attacks by putting the > correct logo on an unrelated domain.

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Ted Hatfield via mailop
On Wed, 22 Jul 2020, Marcel Becker via mailop wrote: On Wed, Jul 22, 2020 at 5:27 PM Ted Hatfield wrote: Maybe this is a stupid question but Excuse me, but: Re-read the Google announcement and https://bimigroup.org ;-)   I read the page at https://bimigroup.org/ The first sta

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Matt Corallo via mailop
Maybe I'm missing something, but I don't see an answer to this question - Ted's point seems well-made and it seems like this will retrain users to be more vulnerable to phishing attacks by putting the correct logo on an unrelated domain. Matt On 7/22/20 8:30 PM, Marcel Becker via mailop wrote:

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 5:27 PM Ted Hatfield wrote: > > Maybe this is a stupid question but > > Excuse me, but: Re-read the Google announcement and https://bimigroup.org ;-)

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 5:22 PM Brandon Long via mailop wrote: > An interesting question might be, how would you implement this for an MUA > using IMAP without inbox style exposure... > > THIS is indeed a very relevant question which I don't think we have a (good enough) answer for. It remains a

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Ted Hatfield via mailop
Maybe this is a stupid question but as BIMI is a txt record in dns An example BIMI TXT record. "v=BIMI1; l=https://images.example.com/somedir/logo.svg;"; What exactly keeps someone from publishing their own BIMI TXT record and simply copying your image. How exactly does this improve fraud

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Brandon Long via mailop
An interesting question might be, how would you implement this for an MUA using IMAP without inbox style exposure... You'd probably have to do it through your contacts server, ie CardDav. Server side, you could collect all of the avatars and populate them per-user into their Contacts data. That m

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Brandon Long via mailop
On Wed, Jul 22, 2020 at 4:46 PM Jim Popovitch via mailop wrote: > On Wed, 2020-07-22 at 11:56 -0700, Marcel Becker via mailop wrote: > > > > On Wed, Jul 22, 2020 at 11:35 AM Jim Popovitch via mailop < > mailop@mailop.org> wrote: > > > On Wed, 2020-07-22 at 14:49 +0200, Sidsel Jensen via mailop wr

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 4:49 PM Jim Popovitch via mailop wrote: > > Good, DMARC is good, but we don't need yet another standard to get DKIM > and SPF into the wider use. > Based on the data I see on the receiving side I disagree. But that's ok. > I hope you understand that most providers don't

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Jim Popovitch via mailop
On Wed, 2020-07-22 at 11:56 -0700, Marcel Becker via mailop wrote: > > On Wed, Jul 22, 2020 at 11:35 AM Jim Popovitch via mailop > wrote: > > On Wed, 2020-07-22 at 14:49 +0200, Sidsel Jensen via mailop wrote: > > > but if the effect is that it will drive up the adoption rate for DMARC > > > the

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 4:06 PM Jim Popovitch via mailop wrote: > > That's inbox tracking, just like tracking pixels that are > blocked by most reasonable and sane filters/firewalls. > No. It's not. And I explained why.

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Jim Popovitch via mailop
On Thu, 2020-07-23 at 00:19 +0200, Jaroslaw Rafa via mailop wrote: > On 22.07.2020 at 14:27:52 Jim Popovitch via mailop wrote: > > "Once verified, the BIMI file tells the email service where to find the > > sender’s logo and the email service pulls that logo into the inbox." > > > > > > I

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 3:30 PM Jaroslaw Rafa via mailop wrote: > > Do I understand correctly that this works on MUA level and not MTA? > > Long answer: http://bimigroup.org Short answer: no, with BIMI you can't track our users. > I'm putting > "feature" in quotes because I see absolutely no b

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Jaroslaw Rafa via mailop
On 22.07.2020 at 14:27:52 Jim Popovitch via mailop wrote: > > "Once verified, the BIMI file tells the email service where to find the > sender’s logo and the email service pulls that logo into the inbox." > > > I don't think this is anything about DMARC, this is about inbox > tracking. D

Re: [mailop] It there an "official" test domain for testing zrd.dql.spamhaus.com?

2020-07-22 Thread John Levine via mailop
In article <20200722205656.gb2...@jumper.schlittermann.de> you write: >> Following your logic, I also tried out "zrdtest.com" and it seems to do >> the same. > >Interesting, even it is not mentioned in RFC5782. The point of TEST and INVALID is that they can never be real domains in the DNS. zrdte

Re: [mailop] It there an "official" test domain for testing zrd.dql.spamhaus.com?

2020-07-22 Thread Heiko Schlittermann via mailop
Chris via mailop (Tue 21 Jul 2020 23:50:55 CEST): > dbltest.com does work for dbl. Does it not work for zrd? As pointed out in the other response: zrdtest.com works, as well as the RFC5782 suggested domain "test". > I think you meant ..zrd.dqs.spamhaus.net, right? Yes, typo. Thanks. .net Be

Re: [mailop] It there an "official" test domain for testing zrd.dql.spamhaus.com?

2020-07-22 Thread Heiko Schlittermann via mailop
Atro Tossavainen via mailop (Tue 21 Jul 2020 23:16:59 CEST): > On Mon, Jul 20, 2020 at 04:57:05PM +0200, Heiko Schlittermann via mailop > wrote: > > zrd..dbl.dqs.spamhaus.com? > > RFC 5782 suggests that all domain name DNSBLs should have an entry > for "test". Thanks. The pointer to the RFC was

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Marcel Becker via mailop
On Wed, Jul 22, 2020 at 11:35 AM Jim Popovitch via mailop wrote: > On Wed, 2020-07-22 at 14:49 +0200, Sidsel Jensen via mailop wrote: > > but if the effect is that it will drive up the adoption rate for DMARC > then I am clapping my hands. > > "Once verified, the BIMI file tells the email service

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Zack Aab via mailop
>I don't think this is anything about DMARC... BIMI requires an enforced DMARC policy, so the idea is that it will increase adoption because marketing teams will be motivated to put pressure on their security/IT teams to implement DMARC in the hopes of improving brand recognition, reducing phishing

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Jim Popovitch via mailop
On Wed, 2020-07-22 at 14:49 +0200, Sidsel Jensen via mailop wrote: > but if the effect is that it will drive up the adoption rate for DMARC then I > am clapping my hands. "Once verified, the BIMI file tells the email service where to find the sender’s logo and the email service pulls that logo in

Re: [mailop] BIMI pilot @ Google

2020-07-22 Thread Kurt Andersen (b) via mailop
October will be too soon to have any meaningful results, but February might be more reasonable. --Kurt On Wed, Jul 22, 2020 at 5:50 AM Sidsel Jensen via mailop wrote: > Hi peeps > > I read today at > https://cloud.google.com/blog/products/g-suite/gsuite-security-updates-for-gmail-meet-chat-and-

Re: [mailop] List of domain mappings for related mail hosts (under shared management)

2020-07-22 Thread Al Iverson via mailop
Yes, I try to track those here: https://www.spamresource.com/search/label/ispdomains You'll find Microsoft, Verizon (Yahoo/AOL), 1&1, and a few others. Cheers, Al On Wed, Jul 22, 2020 at 7:01 AM Sam Tuke via mailop wrote: > > Hi all, is there a place which lists mail domains with shared managem

Re: [mailop] CutWail infections growing again, all China based..

2020-07-22 Thread Michael Peddemors via mailop
On 2020-07-21 9:15 a.m., Bill Cole via mailop wrote: On 19 Jul 2020, at 22:38, Chris via mailop wrote: It is particularly bizarre that it infests one ISP like this.  I'm wondering if someone managed to force the infection to do IP reallocations frequently to IP-hop.  Cutwail normally has thous

[mailop] Contact for Juno.com?

2020-07-22 Thread Tracey Crawford via mailop
Hello, Does anyone have a contact for Juno.com? We are getting abuse reports for mail that is not coming from our servers. Thanks, Tracey Crawford

[mailop] BIMI pilot @ Google

2020-07-22 Thread Sidsel Jensen via mailop
Hi peeps I read today at https://cloud.google.com/blog/products/g-suite/gsuite-security-updates-for-gmail-meet-chat-and-admin - that Google/Gmail is starting a BIMI pilot. I hope Google will

[mailop] List of domain mappings for related mail hosts (under shared management)

2020-07-22 Thread Sam Tuke via mailop
Hi all, is there a place which lists mail domains with shared management / delivery policies? Eg. msn.com and outlook.com? Asking in order to set local sending policies which will not exceed limits of remote hosts (eg Microsoft may keep a single internal threshold counter for incoming mail to it