1Mail::SpamAssassin::PluUgsienr::CFornotmrNiabmuMetaSeipdlo:oP:feS(rp3la)mDAoscsuamsesnitna:t:iPolnugin::FromNameSpoof(3)
2
3
4

NAME

6       FromNameSpoof - perform various tests to detect spoof attempts using
7       the From header name section
8

SYNOPSIS

10       loadplugin    Mail::SpamAssassin::Plugin::FromNameSpoof
11
12        # Does the From:name look like it contains an email address
13        header   __PLUGIN_FROMNAME_EMAIL  eval:check_fromname_contains_email()
14
15        # Is the From:name different to the From:addr header
16        header   __PLUGIN_FROMNAME_DIFFERENT  eval:check_fromname_different()
17
18        # From:name and From:addr owners differ
19        header   __PLUGIN_FROMNAME_OWNERS_DIFFER  eval:check_fromname_owners_differ()
20
21        # From:name domain differs to from header
22        header   __PLUGIN_FROMNAME_DOMAIN_DIFFER  eval:check_fromname_domain_differ()
23
24        # From:name and From:address don't match and owners differ
25        header   __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()
26
27        # From:name address matches To:address
28        header __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()
29

DESCRIPTION

31       Perform various tests against From:name header to detect spoofing.
32       Steps in place to ensure minimal FPs.
33

CONFIGURATION

35       The plugin allows you to skip emails that have been DKIM signed by
36       specific senders:
37
38        fns_ignore_dkim googlegroups.com
39
40       FromNameSpoof allows for a configurable closeness when matching the
41       From:addr and From:name, the closeness can be adjusted with:
42
43        fns_extrachars 50
44
45       Note that FromNameSpoof detects the "owner" of a domain by the
46       following search:
47
48        <owner>.<tld>
49
50       By default FromNameSpoof will ignore the TLD when testing if From:addr
51       is spoofed.  Default 1
52
53         fns_check 1
54
55       Check levels:
56
57        0 - Strict checking of From:name != From:addr
58        1 - Allow for different tlds
59        2 - Allow for different aliases but same domain
60

TAGS

62       The following tags are added to the set if a spoof is detected. They
63       are available for use in reports, header fields, other plugins, etc.:
64
65         _FNSFNAMEADDR_
66           Detected spoof address from From:name header
67
68         _FNSFNAMEDOMAIN_
69           Detected spoof domain from From:name header
70
71         _FNSFNAMEOWNER_
72           Detected spoof owner from From:name header
73
74         _FNSFADDRADDR_
75           Actual From:addr address
76
77         _FNSFADDRDOMAIN_
78           Actual From:addr domain
79
80         _FNSFADDROWNER_
81           Actual From:addr detected owner
82

EXAMPLE

84       header   __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() header
85       __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
86
87       meta     FROMNAME_SPOOF_EQUALS_TO  (__PLUGIN_FROMNAME_SPOOF &&
88       __PLUGIN_FROMNAME_EQUALS_TO) describe FROMNAME_SPOOF_EQUALS_TO
89       From:name is spoof to look like To: address score
90       FROMNAME_SPOOF_EQUALS_TO 1.2
91
92
93
94perl v5.34.0                      2M0a2i1l-:0:7S-p2a3mAssassin::Plugin::FromNameSpoof(3)