Mail::SpamAssassin::Plugin::FromNameSpoof(3)  User Contributed Perl Documentation  Mail::SpamAssassin::Plugin::FromNameSpoof(3)

NAME

       FromNameSpoof - perform various tests to detect spoof attempts using
       the From header name section

SYNOPSIS

       loadplugin    Mail::SpamAssassin::Plugin::FromNameSpoof

        # From:name and From:addr do not match, matching depends on fns_check setting
        header  __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()

        # From:name and From:addr do not match (same as above rule and fns_check 0)
        header  __PLUGIN_FROMNAME_DIFFERENT  eval:check_fromname_different()

        # From:name and From:addr domains differ
        header  __PLUGIN_FROMNAME_DOMAIN_DIFFER  eval:check_fromname_domain_differ()

        # From:name looks like it contains an email address (not same as From:addr)
        header  __PLUGIN_FROMNAME_EMAIL  eval:check_fromname_contains_email()

        # From:name matches any To:addr
        header  __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()

        # From:name and From:addr owners differ
        header  __PLUGIN_FROMNAME_OWNERS_DIFFER  eval:check_fromname_owners_differ()

        # From:name matches Reply-To:addr
        header  __PLUGIN_FROMNAME_EQUALS_REPLYTO  eval:check_fromname_equals_replyto()

DESCRIPTION

       Perform various tests against the From:name header to detect spoofing.
       Steps are in place to keep false positives to a minimum.

CONFIGURATION

       The plugin allows you to skip emails that have been DKIM signed by
       specific senders:

         fns_ignore_dkim googlegroups.com

       FromNameSpoof allows for a configurable closeness when matching the
       From:addr and From:name. The closeness can be adjusted with:

         fns_extrachars 50

       Note that FromNameSpoof detects the "owner" of a domain by the
       following search:

         <owner>.<tld>

       By default FromNameSpoof will ignore the TLD when comparing addresses:

         fns_check 1

       Check levels:

         0 - Strict checking of From:name != From:addr
         1 - Allow for different TLDs
         2 - Allow for different aliases but same domain

       "Owner" info can also be mapped as aliases with "fns_add_addrlist".
       For example, to consider "googlemail.com" as "gmail":

         fns_add_addrlist (gmail) *@googlemail.com
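
       The check levels and the <owner>.<tld> rule above, modelled in Python
       as an added example; it is not the plugin's Perl code. It assumes the
       TLD is the last label only, uses a simplified address pattern, and
       leaves out fns_extrachars, fns_ignore_dkim and fns_add_addrlist; the
       function names and sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Simplified pattern for an address embedded in the display name (assumption).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def parts(addr):
    """Split an address into local part, domain, owner and domain minus TLD.
    Assumption: the TLD is the last label only (no public-suffix handling)."""
    local, _, domain = addr.lower().rpartition("@")
    labels = domain.split(".")
    return {"local": local, "domain": domain,
            "owner": labels[-2] if len(labels) > 1 else domain,
            "no_tld": ".".join(labels[:-1])}

def analyse(from_header, fns_check=1):
    """Return None when From:name carries no address, otherwise a dict with
    'mismatch' (name vs. addr at the given level) and 'owners_differ'."""
    name, addr = parseaddr(from_header)
    found = ADDR_RE.search(name)
    if not found or "@" not in addr:
        return None
    n, a = parts(found.group(0)), parts(addr)
    if fns_check == 0:    # strict: the whole address must be identical
        mismatch = (n["local"], n["domain"]) != (a["local"], a["domain"])
    elif fns_check == 1:  # the TLD may differ
        mismatch = (n["local"], n["no_tld"]) != (a["local"], a["no_tld"])
    elif fns_check == 2:  # the local part (alias) may differ, domain must match
        mismatch = n["domain"] != a["domain"]
    else:
        raise ValueError("fns_check must be 0, 1 or 2")
    return {"mismatch": mismatch, "owners_differ": n["owner"] != a["owner"]}

# Constructed sample From headers (reserved example domains).
SAMPLES = [
    '"billing@example.com" <billing@example.net>',  # only the TLD differs
    '"ceo@example.com" <assistant@example.com>',    # only the alias differs
    '"ceo@example.com" <ceo@example-pay.test>',     # different owner
    '"Alice Smith" <alice@example.com>',            # no address in the name
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, [analyse(header, lvl) for lvl in (0, 1, 2)])
```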

TAGS

       The following tags are added to the set if a spoof is detected. They
       are available for use in reports, header fields, other plugins, etc.:

         _FNSFNAMEADDR_
           Detected spoof address from From:name header

         _FNSFNAMEDOMAIN_
           Detected spoof domain from From:name header

         _FNSFNAMEOWNER_
           Detected spoof owner from From:name header

         _FNSFADDRADDR_
           Actual From:addr address

         _FNSFADDRDOMAIN_
           Actual From:addr domain

         _FNSFADDROWNER_
           Actual From:addr owner

EXAMPLE

         header  __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()
         header  __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()
         meta     FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
         describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
         score    FROMNAME_SPOOF_EQUALS_TO 1.2

perl v5.36.0                      2023-01-21   Mail::SpamAssassin::Plugin::FromNameSpoof(3)