Provided by: spamassassin_4.0.0-8ubuntu5_all bug

NAME
       FromNameSpoof - perform various tests to detect spoof attempts using the From header name
       section


SYNOPSIS
       loadplugin    Mail::SpamAssassin::Plugin::FromNameSpoof

        # From:name and From:addr do not match, matching depends on C<fns_check> setting
        header  __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()

        # From:name and From:addr do not match (same as above rule and C<fns_check 0>)
        header  __PLUGIN_FROMNAME_DIFFERENT  eval:check_fromname_different()

        # From:name and From:addr domains differ
        header  __PLUGIN_FROMNAME_DOMAIN_DIFFER  eval:check_fromname_domain_differ()

        # From:name looks like it contains an email address (not same as From:addr)
        header  __PLUGIN_FROMNAME_EMAIL  eval:check_fromname_contains_email()

        # From:name matches any To:addr
        header  __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()

        # From:name and From:addr owners differ
        header  __PLUGIN_FROMNAME_OWNERS_DIFFER  eval:check_fromname_owners_differ()

        # From:name matches Reply-To:addr
        header  __PLUGIN_FROMNAME_EQUALS_REPLYTO  eval:check_fromname_equals_replyto()


DESCRIPTION
       Perform various tests against From:name header to detect spoofing. Steps in place to
       ensure minimal FPs.


CONFIGURATION
       The plugin allows you to skip emails that have been DKIM signed by specific senders:

         fns_ignore_dkim googlegroups.com

       FromNameSpoof allows for a configurable closeness when matching the From:addr and
       From:name, the closeness can be adjusted with:

         fns_extrachars 50

       Note that FromNameSpoof detects the "owner" of a domain by the following search:

         <owner>.<tld>

       By default FromNameSpoof will ignore the TLD when comparing addresses:

         fns_check 1

       Check levels:

         0 - Strict checking of From:name != From:addr
         1 - Allow for different TLDs
         2 - Allow for different aliases but same domain

       "Owner" info can also be mapped as aliases with "fns_add_addrlist".  For example, to
       consider "googlemail.com" as "gmail":

         fns_add_addrlist (gmail) *@googlemail.com


TAGS
       The following tags are added to the set if a spoof is detected. They are available for use
       in reports, header fields, other plugins, etc.:

         _FNSFNAMEADDR_
           Detected spoof address from From:name header

         _FNSFNAMEDOMAIN_
           Detected spoof domain from From:name header

         _FNSFNAMEOWNER_
           Detected spoof owner from From:name header

         _FNSFADDRADDR_
           Actual From:addr address

         _FNSFADDRDOMAIN_
           Actual From:addr domain

         _FNSFADDROWNER_
           Actual From:addr owner


EXAMPLE
         header  __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()
         header  __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()
         meta     FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
         describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
         score    FROMNAME_SPOOF_EQUALS_TO 1.2

perl v5.38.2                                2024-04Mail::SpamAssassin::Plugin::FromNameSpoof(3pm)