Ubuntu Manpage: FromNameSpoof - perform various tests to detect spoof attempts using the From header name

Provided by: spamassassin_3.4.2-0ubuntu0.18.04.5_all

NAME

       FromNameSpoof - perform various tests to detect spoof attempts using the From header name
       section

SYNOPSIS

       loadplugin    Mail::SpamAssassin::Plugin::FromNameSpoof

        # Does the From:name look like it contains an email address
        header   __PLUGIN_FROMNAME_EMAIL  eval:check_fromname_contains_email()

        # Is the From:name different to the From:addr header
        header   __PLUGIN_FROMNAME_DIFFERENT  eval:check_fromname_different()

        # From:name and From:addr owners differ
        header   __PLUGIN_FROMNAME_OWNERS_DIFFER  eval:check_fromname_owners_differ()

        # From:name domain differs to from header
        header   __PLUGIN_FROMNAME_DOMAIN_DIFFER  eval:check_fromname_domain_differ()

        # From:name and From:address don't match and owners differ
        header   __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()

        # From:name address matches To:address
        header __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()

DESCRIPTION

       Perform various tests against From:name header to detect spoofing. Steps in place to
       ensure minimal FPs.

CONFIGURATION

       The plugin allows you to skip emails that have been DKIM signed by specific senders:

        fns_ignore_dkim googlegroups.com

       FromNameSpoof allows for a configurable closeness when matching the From:addr and
       From:name, the closeness can be adjusted with:

        fns_extrachars 5

       Note that FromNameSpoof detects the "owner" of a domain by the following search:

        <owner>.<tld>

       By default FromNameSpoof will ignore the TLD when testing if From:addr is spoofed.
       Default 1

         dns_check 1

       Check levels:

        0 - Strict checking of From:name != From:addr
        1 - Allow for different tlds
        2 - Allow for different aliases but same domain

TAGS

       The following tags are added to the set if a spoof is detected. They are available for use
       in reports, header fields, other plugins, etc.:

         _FNSFNAMEADDR_
           Detected spoof address from From:name header

         _FNSFNAMEDOMAIN_
           Detected spoof domain from From:name header

         _FNSFNAMEOWNER_
           Detected spoof owner from From:name header

         _FNSFADDRADDR_
           Actual From:addr address

         _FNSFADDRDOMAIN_
           Actual From:addr domain

         _FNSFADDROWNER_
           Actual From:addr detected owner
       =head1 EXAMPLE

       header   __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() header
       __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()

       meta     FROMNAME_SPOOF_EQUALS_TO  (__PLUGIN_FROMNAME_SPOOF &&
       __PLUGIN_FROMNAME_EQUALS_TO) describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look
       like To: address score    FROMNAME_SPOOF_EQUALS_TO 1.2

perl v5.26.1                                2021-03Mail::SpamAssassin::Plugin::FromNameSpoof(3pm)