Mail::SpamAssassin::Plugin::FromNameSpoof(3)  User Contributed Perl Documentation  Mail::SpamAssassin::Plugin::FromNameSpoof(3)

FromNameSpoof - perform various tests to detect spoof attempts using
the From header name section

    loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

    # Does the From:name look like it contains an email address
    header __PLUGIN_FROMNAME_EMAIL eval:check_fromname_contains_email()

    # Is the From:name different to the From:addr header
    header __PLUGIN_FROMNAME_DIFFERENT eval:check_fromname_different()

    # From:name and From:addr owners differ
    header __PLUGIN_FROMNAME_OWNERS_DIFFER eval:check_fromname_owners_differ()

    # From:name domain differs from the From:addr domain
    header __PLUGIN_FROMNAME_DOMAIN_DIFFER eval:check_fromname_domain_differ()

    # From:name and From:addr don't match and owners differ
    header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()

    # From:name address matches To:address
    header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()

Performs various tests against the From:name header to detect spoofing.
Steps are in place to keep false positives (FPs) to a minimum.

The plugin allows you to skip emails that have been DKIM signed by
specific senders:

    fns_ignore_dkim googlegroups.com

FromNameSpoof allows for a configurable closeness when matching the
From:addr and From:name. The closeness can be adjusted with:

    fns_extrachars 5

Note that FromNameSpoof detects the "owner" of a domain by the
following search:

    <owner>.<tld>

By default FromNameSpoof will ignore the TLD when testing if From:addr
is spoofed. Default 1

    dns_check 1

Check levels:

    0 - Strict checking of From:name != From:addr
    1 - Allow for different tlds
    2 - Allow for different aliases but same domain

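The three check levels, modeled in Python as an added example; this is not the plugin's own Perl code. Assumptions: the function names, the naive single-label `<owner>.<tld>` split, and treating the levels as cumulative. `fns_extrachars` and the DKIM skip are not modeled.

```python
import re
from email.utils import parseaddr

# Loose pattern: enough to spot an address embedded in a display name.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parts(addr):
    """Split an address into (local, domain, owner) with a naive <owner>.<tld> rule."""
    local, _, domain = addr.lower().rpartition("@")
    labels = domain.split(".")
    # Assumption: single-label TLD; multi-label suffixes such as co.uk are not handled.
    owner = labels[-2] if len(labels) > 1 else domain
    return local, domain, owner

def compare_key(addr, level):
    """What must match at each check level (levels assumed cumulative)."""
    local, domain, owner = parts(addr)
    if level == 0:
        return (local, domain)   # strict: whole address
    if level == 1:
        return (local, owner)    # TLD may differ
    return (owner,)              # alias (local part) may differ too

def model_fromname_spoof(from_header, level=1):
    """Return tag-style values when From:name holds an address unlike From:addr."""
    name, addr = parseaddr(from_header)
    m = ADDR_RE.search(name)
    if not (m and "@" in addr):
        return None              # no address in From:name: nothing to compare
    name_addr = m.group(0).lower()
    if compare_key(name_addr, level) == compare_key(addr, level):
        return None
    n, a = parts(name_addr), parts(addr)
    return {
        "FNSFNAMEADDR": name_addr, "FNSFNAMEDOMAIN": n[1], "FNSFNAMEOWNER": n[2],
        "FNSFADDRADDR": addr.lower(), "FNSFADDRDOMAIN": a[1], "FNSFADDROWNER": a[2],
    }

def verdicts(from_header):
    """Spoof verdict at check levels 0, 1 and 2."""
    return [model_fromname_spoof(from_header, lvl) is not None for lvl in (0, 1, 2)]

# Constructed sample From: headers (not taken from real mail).
SAMPLES = [
    '"billing@example.com" <x9@mailer.example>',   # unrelated sender
    '"alice@example.com" <alice@example.net>',     # only the TLD differs
    '"bob@example.com" <robert@example.com>',      # only the alias differs
    '"Alice Example" <alice@example.com>',         # no address in From:name
]
```
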
The following tags are added to the set if a spoof is detected. They
are available for use in reports, header fields, other plugins, etc.:

    _FNSFNAMEADDR_
        Detected spoof address from From:name header

    _FNSFNAMEDOMAIN_
        Detected spoof domain from From:name header

    _FNSFNAMEOWNER_
        Detected spoof owner from From:name header

    _FNSFADDRADDR_
        Actual From:addr address

    _FNSFADDRDOMAIN_
        Actual From:addr domain

    _FNSFADDROWNER_
        Actual From:addr detected owner

EXAMPLE

    header   __PLUGIN_FROMNAME_SPOOF     eval:check_fromname_spoof()
    header   __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()

    meta     FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
    describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
    score    FROMNAME_SPOOF_EQUALS_TO 1.2


perl v5.30.0  2019-10-01  Mail::SpamAssassin::Plugin::FromNameSpoof(3)