
adding BIMI record retrieval #22

Merged
merged 3 commits into from
Sep 5, 2023

Conversation

darcosion

Hi @MattKeeley, I'm really happy to use your tool and wanted to add another interesting record if you agree.

The subject: BIMI

The BIMI record enables the possibility to put a logo onto the email header (like people's logos on Outlook/Gmail); that's not something common, but it's interesting for phishing awareness campaigns.

BIMI is interesting because it's really easy to spoof: all you need to do is create a domain, add a logo on an HTTPS server and create a TXT record for it. And the image could be basically whatever you want... That's not the best design for protecting email, imho. In defense of the BIMI model, it's not trivial to detect logo impersonation...

You can read more here: https://datatracker.ietf.org/doc/html/draft-brand-indicators-for-message-identification

The feature: gather BIMI record

So I've added a BIMI record lib (bimi.py) containing only the model proposed in the RFC, and just that, basically. I've also adapted spoofy.py and report.py to use it and export it in the report. ;)

Some thoughts on developing

I've been struggling a long time with debugging because of this:

Spoofy/spoofy.py, lines 39 to 42 in d723ffa:

    except:
        with print_lock:
            report.output_error(
                f"Domain {domain} is offline or format cannot be interpreted.")

You catch basically every error and consider it a malformed domain; I think it could help to catch only DNS errors there.

On test.py, to be honest, I don't understand how I passed it: I just added None everywhere at the beginning, rolled back, and that mysteriously worked.

Finally, I would add a new feature regarding BIMI because the image can be checked with a PEM key (take amazon.fr as an example), and it could be parsed, but imho the simple existence of a BIMI record enables impersonation of a company brand.

darcosion (Author)

Hi,

I've added BIMI parsing, so now it renders like this:

[*] BIMI record : "v=BIMI1;l=https://d3frv9g52qce38.cloudfront.net/amazondefault/order_329474121_logo.svg;a=https://d3frv9g52qce38.cloudfront.net/amazondefault/amazon_web_services_inc.pem"
[*] BIMI version : BIMI1
[*] BIMI location : https://d3frv9g52qce38.cloudfront.net/amazondefault/order_329474121_logo.svg
[*] BIMI authority : https://d3frv9g52qce38.cloudfront.net/amazondefault/amazon_web_services_inc.pem"

Not sure if the BIMI version would help, because there is only one version for the moment, but I've followed the RFC.

I've dug into it also, and it seems many companies hide their BIMI record with the selector because they don't want everyone to see their BIMI and have the ability to copy it. It's security by obscurity, but better than nothing...
I'm also digging into how some companies hide their BIMI record entirely, because sometimes I have emails with icons but no BIMI email header; not sure if it's my email provider or a new brand trick©.

Btw, I was mostly inspired by dmarc.py; I'm really thankful for that because it was easy to copy and reproduce 👍
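The record format shown in the output above, as an added example that is not the project's bimi.py: a parser for the v=/l=/a= tags that also strips the TXT quoting which leaves a stray `"` on the authority URI in that output, plus the `<selector>._bimi.<domain>` owner name that the "hidden selector" remark refers to. Domain and URI values are constructed.

```python
# Added example (not the project's bimi.py): parse a BIMI assertion record
# the way the output above suggests, and strip the TXT quoting that leaves a
# stray '"' on the authority URI in that output. Sample values are constructed.
from urllib.parse import urlparse

def bimi_record_name(domain: str, selector: str = "default") -> str:
    """DNS owner name where a BIMI record lives: <selector>._bimi.<domain>.
    Brands that 'hide' their record simply use a non-default selector."""
    return f"{selector}._bimi.{domain}"

def parse_bimi(txt: str) -> dict:
    """Parse a BIMI TXT record into its v=, l= and a= tags.

    Raises ValueError on malformed records. An empty l= means the domain
    declines to publish a logo; a= (evidence/VMC URI) is optional.
    """
    # Resolver libraries hand back TXT data wrapped in quotes; remove them.
    raw = txt.strip().strip('"').strip()
    tags = {}
    for field in filter(None, (f.strip() for f in raw.split(";"))):
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        key, value = (s.strip().strip('"') for s in field.split("=", 1))
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
    # v= must come first and be exactly BIMI1, the only defined version.
    if not raw.lower().startswith("v=") or tags.get("v") != "BIMI1":
        raise ValueError("record must start with v=BIMI1")
    if "l" not in tags:
        raise ValueError("missing l= tag")
    # Both URIs, when present, must use https; anything else is rejected.
    for key in ("l", "a"):
        uri = tags.get(key, "")
        if uri and urlparse(uri).scheme != "https":
            raise ValueError(f"{key}= must be an https URI, got {uri!r}")
    return {"v": tags["v"], "l": tags["l"], "a": tags.get("a", "")}

def is_valid_bimi(txt: str) -> bool:
    """Convenience wrapper: True if parse_bimi accepts the record."""
    try:
        parse_bimi(txt)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed record in the same shape as the real one shown above.
    rec = '"v=BIMI1;l=https://cdn.example.test/logo.svg;a=https://cdn.example.test/vmc.pem"'
    print(bimi_record_name("example.test"), parse_bimi(rec))
```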

@MattKeeley MattKeeley merged commit b578427 into MattKeeley:main Sep 5, 2023
Khnaz35 added a commit to Khnaz35/Spoofy that referenced this pull request Oct 21, 2023
MattKeeley added a commit that referenced this pull request Feb 28, 2024
Merge pull request #22 from darcosion/main
MattKeeley added a commit that referenced this pull request Feb 28, 2024
Revert "Merge pull request #22 from darcosion/main"