NAME

FromNameSpoof - perform various tests to detect spoof attempts using the From header name section

SYNOPSIS

loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

# From:name and From:addr do not match, matching depends on C<fns_check> setting
header  __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()

# From:name and From:addr do not match (same as above rule and C<fns_check 0>)
header  __PLUGIN_FROMNAME_DIFFERENT  eval:check_fromname_different()

# From:name and From:addr domains differ
header  __PLUGIN_FROMNAME_DOMAIN_DIFFER  eval:check_fromname_domain_differ()

# From:name looks like it contains an email address (not same as From:addr)
header  __PLUGIN_FROMNAME_EMAIL  eval:check_fromname_contains_email()

# From:name matches any To:addr
header  __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()

# From:name and From:addr owners differ
header  __PLUGIN_FROMNAME_OWNERS_DIFFER  eval:check_fromname_owners_differ()

# From:name matches Reply-To:addr
header  __PLUGIN_FROMNAME_EQUALS_REPLYTO  eval:check_fromname_equals_replyto()

DESCRIPTION

Perform various tests against From:name header to detect spoofing. Steps in place to ensure minimal FPs.

CONFIGURATION

The plugin allows you to skip emails that have been DKIM signed by specific senders:

fns_ignore_dkim googlegroups.com

FromNameSpoof allows for a configurable closeness when matching the From:addr and From:name, the closeness can be adjusted with:

fns_extrachars 50

Note that FromNameSpoof detects the "owner" of a domain by the following search:

<owner>.<tld>

By default FromNameSpoof will ignore the TLD when comparing addresses:

fns_check 1

Check levels:

0 - Strict checking of From:name != From:addr
1 - Allow for different TLDs
2 - Allow for different aliases but same domain

"Owner" info can also be mapped as aliases with fns_add_addrlist. For example, to consider "googlemail.com" as "gmail":

fns_add_addrlist (gmail) *@googlemail.com

EXAMPLE

header  __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()
header  __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()
meta     FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
score    FROMNAME_SPOOF_EQUALS_TO 1.2

To install Mail::SpamAssassin, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Mail::SpamAssassin

CPAN shell

perl -MCPAN -e shell
install Mail::SpamAssassin

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

NAME

SYNOPSIS

DESCRIPTION

CONFIGURATION

TAGS

EXAMPLE

Module Install Instructions