Kevin A. McGrail
and 1 contributors

NAME

FromNameSpoof - perform various tests to detect spoof attempts using the From header name section

SYNOPSIS

loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

 # Does the From:name look like it contains an email address
 header   __PLUGIN_FROMNAME_EMAIL  eval:check_fromname_contains_email()

 # Is the From:name different to the From:addr header
 header   __PLUGIN_FROMNAME_DIFFERENT  eval:check_fromname_different()

 # From:name and From:addr owners differ
 header   __PLUGIN_FROMNAME_OWNERS_DIFFER  eval:check_fromname_owners_differ()

 # From:name domain differs from the From:addr domain
 header   __PLUGIN_FROMNAME_DOMAIN_DIFFER  eval:check_fromname_domain_differ()

 # From:name and From:address don't match and owners differ
 header   __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()

 # From:name address matches To:address
 header   __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()

DESCRIPTION

Performs various tests against the From:name header to detect spoofing. Steps are in place to keep false positives (FPs) to a minimum.

CONFIGURATION

The plugin allows you to skip emails that have been DKIM signed by specific senders:

 fns_ignore_dkim googlegroups.com

FromNameSpoof allows for a configurable closeness when matching the From:addr and From:name. The closeness can be adjusted with:

 fns_extrachars 5

Note that FromNameSpoof detects the "owner" of a domain by the following search:

 <owner>.<tld>

By default FromNameSpoof ignores the TLD when testing whether From:addr is spoofed. The check level is set with the following option (default 1):

  fns_check 1

Check levels:

 0 - Strict checking of From:name != From:addr
 1 - Allow for different tlds
 2 - Allow for different aliases but same domain
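The following Python sketch is an added illustration, not the plugin's Perl code: it reads the three check levels and the <owner>.<tld> owner rule literally and applies them to constructed From headers. All function names are hypothetical, fns_extrachars closeness is not modelled, and the real plugin may differ in details.

```python
import re

# Added illustration: models the check levels as documented on this page,
# not the plugin's Perl source. All names here are hypothetical.
FROM_RE = re.compile(r'^\s*"?(?P<name>.*?)"?\s*<(?P<addr>[^<>\s]+@[^<>\s]+)>\s*$')
ADDR_RE = re.compile(r"[\w.%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def parts(addr):
    """Split an address into (local, domain, owner, domain_without_tld)."""
    local, _, domain = addr.lower().rpartition("@")
    labels = domain.split(".")
    owner = labels[-2] if len(labels) > 1 else labels[0]   # <owner>.<tld>
    return local, domain, owner, ".".join(labels[:-1])

def check_from(header, level=1):
    """Return findings for one From header, or None if From:name embeds no address."""
    m = FROM_RE.match(header)
    embedded = ADDR_RE.search(m.group("name")) if m else None
    if not embedded:
        return None
    n_local, n_dom, n_owner, n_notld = parts(embedded.group(0))
    a_local, a_dom, a_owner, a_notld = parts(m.group("addr"))
    if level == 0:        # strict: From:name address must equal From:addr
        different = (n_local, n_dom) != (a_local, a_dom)
    elif level == 1:      # the TLD may differ
        different = (n_local, n_notld) != (a_local, a_notld)
    else:                 # level 2: alias (local part) may differ, domain must match
        different = n_dom != a_dom
    return {"different": different, "owners_differ": n_owner != a_owner}

# Constructed sample headers (reserved example domains only)
SAMPLES = [
    '"billing@example.com" <billing@example.com>',
    '"billing@example.com" <billing@example.net>',
    '"billing@example.com" <noreply@example.com>',
    '"billing@example.com" <billing@mailer.test>',
    'Billing Team <billing@example.com>',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, [check_from(h, lvl) for lvl in (0, 1, 2)])
```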

TAGS

The following tags are added to the set if a spoof is detected. They are available for use in reports, header fields, other plugins, etc.:

  _FNSFNAMEADDR_
    Detected spoof address from From:name header

  _FNSFNAMEDOMAIN_
    Detected spoof domain from From:name header

  _FNSFNAMEOWNER_
    Detected spoof owner from From:name header

  _FNSFADDRADDR_
    Actual From:addr address

  _FNSFADDRDOMAIN_ 
    Actual From:addr domain

  _FNSFADDROWNER_
    Actual From:addr detected owner

EXAMPLE

 header   __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()
 header   __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()

 meta     FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
 describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
 score    FROMNAME_SPOOF_EQUALS_TO 1.2