Scroll to navigation

Mail::SpamAssassin::Plugin::FromNameSpoof(3pm) User Contributed Perl Documentation Mail::SpamAssassin::Plugin::FromNameSpoof(3pm)


FromNameSpoof - perform various tests to detect spoof attempts using the From header name section


loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

 # From:name and From:addr do not match, matching depends on C<fns_check> setting
 header  __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()
 # From:name and From:addr do not match (same as above rule and C<fns_check 0>)
 header  __PLUGIN_FROMNAME_DIFFERENT  eval:check_fromname_different()
 # From:name and From:addr domains differ
 header  __PLUGIN_FROMNAME_DOMAIN_DIFFER  eval:check_fromname_domain_differ()
 # From:name looks like it contains an email address (not same as From:addr)
 header  __PLUGIN_FROMNAME_EMAIL  eval:check_fromname_contains_email()
 # From:name matches any To:addr
 header  __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()
 # From:name and From:addr owners differ
 header  __PLUGIN_FROMNAME_OWNERS_DIFFER  eval:check_fromname_owners_differ()
 # From:name matches Reply-To:addr
 header  __PLUGIN_FROMNAME_EQUALS_REPLYTO  eval:check_fromname_equals_replyto()


Perform various tests against From:name header to detect spoofing. Steps in place to ensure minimal FPs.


The plugin allows you to skip emails that have been DKIM signed by specific senders:


FromNameSpoof allows for a configurable closeness when matching the From:addr and From:name, the closeness can be adjusted with:

  fns_extrachars 50

Note that FromNameSpoof detects the "owner" of a domain by the following search:


By default FromNameSpoof will ignore the TLD when comparing addresses:

  fns_check 1

Check levels:

  0 - Strict checking of From:name != From:addr
  1 - Allow for different TLDs
  2 - Allow for different aliases but same domain

"Owner" info can also be mapped as aliases with "fns_add_addrlist". For example, to consider "" as "gmail":

  fns_add_addrlist (gmail) *


The following tags are added to the set if a spoof is detected. They are available for use in reports, header fields, other plugins, etc.:

    Detected spoof address from From:name header
    Detected spoof domain from From:name header
    Detected spoof owner from From:name header
    Actual From:addr address
    Actual From:addr domain
    Actual From:addr owner


  header  __PLUGIN_FROMNAME_SPOOF  eval:check_fromname_spoof()
  header  __PLUGIN_FROMNAME_EQUALS_TO  eval:check_fromname_equals_to()
  describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
2022-09-10 perl v5.34.0