.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "Mail::SpamAssassin::Plugin::FromNameSpoof 3"
.TH Mail::SpamAssassin::Plugin::FromNameSpoof 3 2023-07-26 "perl v5.38.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
FromNameSpoof \- perform various tests to detect spoof attempts using the From header name section
.SH SYNOPSIS
.IX Header "SYNOPSIS"
loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
.PP
.Vb 2
\&  # From:name and From:addr do not match, matching depends on C setting
\&  header _\|_PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
\&
\&  # From:name and From:addr do not match (same as above rule and C)
\&  header _\|_PLUGIN_FROMNAME_DIFFERENT eval:check_fromname_different()
\&
\&  # From:name and From:addr domains differ
\&  header _\|_PLUGIN_FROMNAME_DOMAIN_DIFFER eval:check_fromname_domain_differ()
\&
\&  # From:name looks like it contains an email address (not same as From:addr)
\&  header _\|_PLUGIN_FROMNAME_EMAIL eval:check_fromname_contains_email()
\&
\&  # From:name matches any To:addr
\&  header _\|_PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
\&
\&  # From:name and From:addr owners differ
\&  header _\|_PLUGIN_FROMNAME_OWNERS_DIFFER eval:check_fromname_owners_differ()
\&
\&  # From:name matches Reply\-To:addr
\&  header _\|_PLUGIN_FROMNAME_EQUALS_REPLYTO eval:check_fromname_equals_replyto()
.Ve
.SH DESCRIPTION
.IX Header "DESCRIPTION"
Performs various tests against the From:name header to detect spoofing.
Steps are in place to keep false positives (FPs) to a minimum.
.SH CONFIGURATION
.IX Header "CONFIGURATION"
The plugin allows you to skip emails that have been DKIM signed by specific senders:
.PP
.Vb 1
\&  fns_ignore_dkim googlegroups.com
.Ve
.PP
FromNameSpoof allows for a configurable closeness when matching the From:addr
and From:name; the closeness can be adjusted with:
.PP
.Vb 1
\&  fns_extrachars 50
.Ve
.PP
\&\fBNote\fR that FromNameSpoof detects the "owner" of a domain by the following search:
.PP
.Vb 1
\&  .
.Ve
.PP
By default FromNameSpoof will ignore the TLD when comparing addresses:
.PP
.Vb 1
\&  fns_check 1
.Ve
.PP
Check levels:
.PP
.Vb 3
\&  0 \- Strict checking of From:name != From:addr
\&  1 \- Allow for different TLDs
\&  2 \- Allow for different aliases but same domain
.Ve
.PP
"Owner" info can also be mapped as aliases with \f(CW\*(C`fns_add_addrlist\*(C'\fR.
For example, to consider "googlemail.com" as "gmail":
.PP
.Vb 1
\&  fns_add_addrlist (gmail) *@googlemail.com
.Ve
.SH TAGS
.IX Header "TAGS"
The following tags are added to the set if a spoof is detected. They are
available for use in reports, header fields, other plugins, etc.:
.PP
.Vb 2
\&  _FNSFNAMEADDR_
\&    Detected spoof address from From:name header
\&
\&  _FNSFNAMEDOMAIN_
\&    Detected spoof domain from From:name header
\&
\&  _FNSFNAMEOWNER_
\&    Detected spoof owner from From:name header
\&
\&  _FNSFADDRADDR_
\&    Actual From:addr address
\&
\&  _FNSFADDRDOMAIN_
\&    Actual From:addr domain
\&
\&  _FNSFADDROWNER_
\&    Actual From:addr owner
.Ve
.SH EXAMPLE
.IX Header "EXAMPLE"
.Vb 5
\&  header _\|_PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
\&  header _\|_PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
\&  meta FROMNAME_SPOOF_EQUALS_TO (_\|_PLUGIN_FROMNAME_SPOOF && _\|_PLUGIN_FROMNAME_EQUALS_TO)
\&  describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
\&  score FROMNAME_SPOOF_EQUALS_TO 1.2
.Ve
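.PP
The three check levels listed under CONFIGURATION, worked through as an added Python example; this is not the plugin's own code (the plugin is Perl) and only approximates the comparison as this page describes it. The function names, the regexes, the single-label TLD stripping and the treatment of the levels as independent are assumptions, and the sample headers are constructed.

```python
import re

# Loose address pattern (an assumption for this sketch, not the plugin's own regex).
ADDR = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*)"?\s*<(?P<addr>' + ADDR + r")>\s*$")


def split_from(header_value):
    """Split a From value of the form  "display name" <addr>  into (name, addr)."""
    m = FROM_RE.match(header_value)
    return (m.group("name").strip(), m.group("addr").lower()) if m else ("", "")


def comparable(addr, level):
    """Reduce an address to the part that is compared at a given check level."""
    local, _, domain = addr.lower().rpartition("@")
    if level == 1:   # different TLDs allowed: drop the last label (simplified)
        return f"{local}@{domain.rsplit('.', 1)[0]}"
    if level == 2:   # different aliases allowed: compare the domain only
        return domain
    return f"{local}@{domain}"   # level 0: strict comparison


def fromname_spoof(header_value, level=1):
    """Return (name_addr, from_addr) if From:name carries a non-matching address."""
    name, real = split_from(header_value)
    found = re.search(ADDR, name)
    if not found or not real:
        return None   # no address in the display name: nothing to compare
    claimed = found.group(0).lower()
    if comparable(claimed, level) == comparable(real, level):
        return None
    return claimed, real


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"billing@bank.example" <x1@mailer.example.net>',
    '"alice@example.com" <alice@example.org>',
    '"bob.smith@corp.example" <bsmith@corp.example>',
    "Alice Example <alice@example.com>",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, [fromname_spoof(value, lvl) for lvl in (0, 1, 2)])
```

The returned pair plays the role of the values the plugin reports in the _FNSFNAMEADDR_ and _FNSFADDRADDR_ tags.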