Provided by: spamassassin_4.0.0-4_all
NAME
FromNameSpoof - perform various tests to detect spoof attempts using the From header name section
SYNOPSIS
loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof # From:name and From:addr do not match, matching depends on C<fns_check> setting header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() # From:name and From:addr do not match (same as above rule and C<fns_check 0>) header __PLUGIN_FROMNAME_DIFFERENT eval:check_fromname_different() # From:name and From:addr domains differ header __PLUGIN_FROMNAME_DOMAIN_DIFFER eval:check_fromname_domain_differ() # From:name looks like it contains an email address (not same as From:addr) header __PLUGIN_FROMNAME_EMAIL eval:check_fromname_contains_email() # From:name matches any To:addr header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to() # From:name and From:addr owners differ header __PLUGIN_FROMNAME_OWNERS_DIFFER eval:check_fromname_owners_differ() # From:name matches Reply-To:addr header __PLUGIN_FROMNAME_EQUALS_REPLYTO eval:check_fromname_equals_replyto()
DESCRIPTION
Perform various tests against From:name header to detect spoofing. Steps in place to ensure minimal FPs.
CONFIGURATION
The plugin allows you to skip emails that have been DKIM signed by specific senders: fns_ignore_dkim googlegroups.com FromNameSpoof allows for a configurable closeness when matching the From:addr and From:name, the closeness can be adjusted with: fns_extrachars 50 Note that FromNameSpoof detects the "owner" of a domain by the following search: <owner>.<tld> By default FromNameSpoof will ignore the TLD when comparing addresses: fns_check 1 Check levels: 0 - Strict checking of From:name != From:addr 1 - Allow for different TLDs 2 - Allow for different aliases but same domain "Owner" info can also be mapped as aliases with "fns_add_addrlist". For example, to consider "googlemail.com" as "gmail": fns_add_addrlist (gmail) *@googlemail.com
TAGS
The following tags are added to the set if a spoof is detected. They are available for use in reports, header fields, other plugins, etc.: _FNSFNAMEADDR_ Detected spoof address from From:name header _FNSFNAMEDOMAIN_ Detected spoof domain from From:name header _FNSFNAMEOWNER_ Detected spoof owner from From:name header _FNSFADDRADDR_ Actual From:addr address _FNSFADDRDOMAIN_ Actual From:addr domain _FNSFADDROWNER_ Actual From:addr owner
EXAMPLE
header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to() meta FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO) describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address score FROMNAME_SPOOF_EQUALS_TO 1.2 perl v5.36.0 2023-01Mail::SpamAssassin::Plugin::FromNameSpoof(3pm)