
Mail::SpamAssassin::Plugin::FromNameSpoof - perform various tests to detect spoof attempts using the From header name section


NAME

FromNameSpoof − perform various tests to detect spoof attempts using the From header name section

SYNOPSIS

loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

# From:name and From:addr do not match; matching depends on the fns_check setting
header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
# From:name and From:addr do not match (same as the rule above with fns_check 0)
header __PLUGIN_FROMNAME_DIFFERENT eval:check_fromname_different()
# From:name and From:addr domains differ
header __PLUGIN_FROMNAME_DOMAIN_DIFFER eval:check_fromname_domain_differ()
# From:name looks like it contains an email address (not same as From:addr)
header __PLUGIN_FROMNAME_EMAIL eval:check_fromname_contains_email()
# From:name matches any To:addr
header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
# From:name and From:addr owners differ
header __PLUGIN_FROMNAME_OWNERS_DIFFER eval:check_fromname_owners_differ()
# From:name matches Reply-To:addr
header __PLUGIN_FROMNAME_EQUALS_REPLYTO eval:check_fromname_equals_replyto()

DESCRIPTION

Performs various tests against the From:name header to detect spoofing. Steps are in place to keep false positives (FPs) to a minimum.

CONFIGURATION

The plugin allows you to skip emails that have been DKIM signed by specific senders:

fns_ignore_dkim googlegroups.com

FromNameSpoof allows for a configurable closeness when matching the From:addr and From:name. The closeness can be adjusted with:

fns_extrachars 50

Note that FromNameSpoof detects the "owner" of a domain by the following search:

<owner>.<tld>

By default FromNameSpoof will ignore the TLD when comparing addresses:

fns_check 1

Check levels:

0 − Strict checking of From:name != From:addr
1 − Allow for different TLDs
2 − Allow for different aliases but same domain

"Owner" info can also be mapped as aliases with "fns_add_addrlist". For example, to consider "googlemail.com" as "gmail":

fns_add_addrlist (gmail) *@googlemail.com

TAGS

The following tags are added to the set if a spoof is detected. They are available for use in reports, header fields, other plugins, etc.:

_FNSFNAMEADDR_
Detected spoof address from From:name header
_FNSFNAMEDOMAIN_
Detected spoof domain from From:name header
_FNSFNAMEOWNER_
Detected spoof owner from From:name header
_FNSFADDRADDR_
Actual From:addr address
_FNSFADDRDOMAIN_
Actual From:addr domain
_FNSFADDROWNER_
Actual From:addr owner
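
The following Python sketch is an added illustration, not the plugin's own code. It models how the three fns_check levels and the "owner" search described above separate a spoofed From:name from a harmless one, and which values the six tags would carry. Assumptions: the last domain label is treated as the TLD, fns_extrachars and fns_ignore_dkim are not modelled, and the function names, alias table and sample headers are constructed for this example.

```python
import re
from email.utils import parseaddr

# Constructed alias table, mirroring: fns_add_addrlist (gmail) *@googlemail.com
OWNER_ALIASES = {"googlemail.com": "gmail"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def owner_of(domain):
    """Owner per the <owner>.<tld> search. Assumption: the last label is the TLD."""
    if domain in OWNER_ALIASES:
        return OWNER_ALIASES[domain]
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain

def analyse(from_header):
    """Return the six tag values, or None if From:name holds no email address."""
    name, addr = parseaddr(from_header)
    match = EMAIL_RE.search(name.lower())
    if not match or "@" not in addr:
        return None
    fname, faddr = match.group(0), addr.lower()
    fname_dom, faddr_dom = fname.rsplit("@", 1)[1], faddr.rsplit("@", 1)[1]
    return {
        "_FNSFNAMEADDR_": fname, "_FNSFNAMEDOMAIN_": fname_dom,
        "_FNSFNAMEOWNER_": owner_of(fname_dom),
        "_FNSFADDRADDR_": faddr, "_FNSFADDRDOMAIN_": faddr_dom,
        "_FNSFADDROWNER_": owner_of(faddr_dom),
    }

def is_spoof(from_header, fns_check=1):
    """Model of the three fns_check levels (0, 1, 2) listed above."""
    tags = analyse(from_header)
    if tags is None or tags["_FNSFNAMEADDR_"] == tags["_FNSFADDRADDR_"]:
        return False
    if fns_check == 0:  # strict: any difference between name and addr counts
        return True
    if fns_check == 1:  # different TLDs allowed: compare owners only
        return tags["_FNSFNAMEOWNER_"] != tags["_FNSFADDROWNER_"]
    if fns_check == 2:  # different aliases allowed: compare full domains
        return tags["_FNSFNAMEDOMAIN_"] != tags["_FNSFADDRDOMAIN_"]
    raise ValueError("fns_check must be 0, 1 or 2")

if __name__ == "__main__":
    # Constructed sample From headers
    for hdr in ('"support@paypal.com" <billing@paypal-secure.example>',
                '"alice@example.com" <alice@example.org>',
                '"user@googlemail.com" <user@gmail.com>'):
        print(hdr, [is_spoof(hdr, lvl) for lvl in (0, 1, 2)])
```
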

EXAMPLE

header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
meta FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
score FROMNAME_SPOOF_EQUALS_TO 1.2


Updated 2026-06-01 - jenkler.se | uex.se