Mail::SpamAssassin::Plugin::FromNameSpoof(3pm) | User Contributed Perl Documentation | Mail::SpamAssassin::Plugin::FromNameSpoof(3pm) |
NAME
FromNameSpoof - perform various tests to detect spoof attempts using the From header name section
SYNOPSIS
loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

# Does the From:name look like it contains an email address
header __PLUGIN_FROMNAME_EMAIL eval:check_fromname_contains_email()

# Is the From:name different to the From:addr header
header __PLUGIN_FROMNAME_DIFFERENT eval:check_fromname_different()

# From:name and From:addr owners differ
header __PLUGIN_FROMNAME_OWNERS_DIFFER eval:check_fromname_owners_differ()

# From:name domain differs to from header
header __PLUGIN_FROMNAME_DOMAIN_DIFFER eval:check_fromname_domain_differ()

# From:name and From:address don't match and owners differ
header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()

# From:name address matches To:address
header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
DESCRIPTION
Performs various tests against the From:name header to detect spoofing. Steps are in place to keep false positives (FPs) to a minimum.
CONFIGURATION
The plugin allows you to skip emails that have been DKIM signed by specific senders:
fns_ignore_dkim googlegroups.com
FromNameSpoof allows for a configurable closeness when matching the From:addr and From:name. The closeness can be adjusted with:
fns_extrachars 50
Note that FromNameSpoof detects the "owner" of a domain by the following search:
<owner>.<tld>
By default FromNameSpoof will ignore the TLD when testing if From:addr is spoofed. Default 1
fns_check 1
Check levels:
0 - Strict checking of From:name != From:addr
1 - Allow for different tlds
2 - Allow for different aliases but same domain
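The check levels above, sketched as an added Python example (not the plugin's own Perl code): it compares an address found in From:name with From:addr at each fns_check level. The regexes, the function names and the treatment of the final domain label as the TLD are assumptions of this sketch, and the sample headers are constructed.

```python
import re

# Assumption: a deliberately simple pattern for "an email address inside the display name".
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Assumption: From headers of the form  "display name" <local@domain>.
FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*)"?\s*<(?P<addr>[^<>\s]+@[^<>\s]+)>\s*$')


def fromname_differs(from_header, fns_check=1):
    """True if an address in From:name differs from From:addr at the given check level."""
    m = FROM_RE.match(from_header)
    if not m:
        return False  # unparsable header: nothing to compare in this sketch
    found = EMAIL_RE.search(m.group("name"))
    if not found:
        return False  # From:name carries no address, so there is no spoof candidate
    name_addr, from_addr = found.group(0).lower(), m.group("addr").lower()
    name_local, name_dom = name_addr.rsplit("@", 1)
    from_local, from_dom = from_addr.rsplit("@", 1)
    if fns_check == 0:  # strict: the two addresses must be identical
        return name_addr != from_addr
    if fns_check == 1:  # different TLDs allowed: drop the final label before comparing
        strip = lambda dom: dom.rsplit(".", 1)[0]
        return (name_local, strip(name_dom)) != (from_local, strip(from_dom))
    if fns_check == 2:  # different aliases allowed: compare the domains only
        return name_dom != from_dom
    raise ValueError("fns_check must be 0, 1 or 2")


def verdicts(from_header):
    """Results for check levels 0, 1 and 2, in that order."""
    return tuple(fromname_differs(from_header, lvl) for lvl in (0, 1, 2))


# Constructed sample headers using reserved example domains, not real mail.
SAMPLES = [
    '"alice@example.com" <alice@example.com>',        # identical addresses
    '"alice@example.com" <alice@example.net>',        # only the TLD differs
    '"alice@example.com" <bob@example.com>',          # only the alias differs
    '"billing@example.com" <x@mailer.example.org>',   # unrelated sender
    '"Alice Example" <alice@example.com>',            # no address in From:name
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(verdicts(header), header)
```

Multi-label suffixes such as co.uk are not handled here, because the sketch takes only the last label as the TLD.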
TAGS
The following tags are added to the set if a spoof is detected. They are available for use in reports, header fields, other plugins, etc.:
_FNSFNAMEADDR_    Detected spoof address from From:name header
_FNSFNAMEDOMAIN_  Detected spoof domain from From:name header
_FNSFNAMEOWNER_   Detected spoof owner from From:name header
_FNSFADDRADDR_    Actual From:addr address
_FNSFADDRDOMAIN_  Actual From:addr domain
_FNSFADDROWNER_   Actual From:addr detected owner
EXAMPLE
header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()

meta FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
score FROMNAME_SPOOF_EQUALS_TO 1.2
2020-01-31 | perl v5.28.1 |