FromName Spoofing: Difference between revisions
(By enabling From Name Spoof plugin of SpamAssassin name spoofed emails can be prevented) |
|||
Line 1: | Line 1: | ||
= | =Implementing SpamAssassin's 'FromNameSpoof' plugin to prevent spammers from spoofing= | ||
<hr> | <hr> | ||
{{WIP}} | {{WIP}} | ||
====Problem==== | ====Problem==== | ||
Spammers spoof the From | Spammers spoof the From Name | ||
====Description==== | ====Description==== |
Latest revision as of 04:11, 29 September 2020
Implementing SpamAssassin's 'FromNameSpoof' plugin to prevent spammers from spoofing
- This article is a Work in Progress, and may be unfinished or missing sections.
Problem
Spammers spoof the From Name
Description
Name spoofing is when an attacker forges the From name so that the email appears to have been sent by someone else.
Prevention
SpamAssassin can prevent emails with a spoofed From name once the "FromNameSpoof" plugin is enabled. The plugin is disabled by default.
Steps to follow
Step-1
Enable the FromNameSpoof plugin by uncommenting the line below.
- # /opt/zimbra/data/spamassassin/localrules/v342.pre
loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
Step-2
Uncomment the lines below and adjust the spam scores as needed.
- # /opt/zimbra/data/spamassassin/rules/72_active.cf
score T_FROMNAME_EQUALS_TO 1.0
score T_FROMNAME_SPOOFED_EMAIL 0.3
- Post edit
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
  meta     T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO
  describe T_FROMNAME_EQUALS_TO From:name matches To:
  score    T_FROMNAME_EQUALS_TO 1.0
  tflags   T_FROMNAME_EQUALS_TO publish
endif
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
  meta     T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
  describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email
  score    T_FROMNAME_SPOOFED_EMAIL 0.3
  tflags   T_FROMNAME_SPOOFED_EMAIL publish
endif
- Note:
  - T_FROMNAME_EQUALS_TO: this rule applies when the From name matches the To address.
    - e.g.:
      - From Name: user@domain.com
      - To: user@domain.com
  - T_FROMNAME_SPOOFED_EMAIL: this rule applies when the From name looks like a spoofed email address.
    - e.g.:
      - From Name: usera@domain.com
      - From address: usersome@example.com
      - To: userb@domain.com
Step-3
Restart amavisd and the MTA.
zmamavisdctl restart
zmmtactl restart
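The two conditions described in the Note under Step-2, sketched as a small header check for testing sample messages before tuning scores. This is an added example, not the plugin's own code: the function names, the address regex, the domain-only comparison, and the `notify@domain.com` sender are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Loose match for an email address embedded in a display name (assumption).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def fromname_conditions(raw_message):
    """Return the rule names from the Note whose described condition holds."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    hits = set()
    match = ADDR_RE.search(name)
    if not match:
        return hits  # no address in the From name, so neither condition applies
    name_addr = match.group(0).lower()
    if name_addr in to_addrs:
        hits.add("T_FROMNAME_EQUALS_TO")
    # Assumption: "looks spoofed" means the domain shown in the From name
    # differs from the domain of the real From address. The mailing-list and
    # resigner exclusions in the meta rule are not modelled here.
    if name_addr.rsplit("@", 1)[1] != from_addr.lower().rsplit("@", 1)[-1]:
        hits.add("T_FROMNAME_SPOOFED_EMAIL")
    return hits


def make_message(from_header, to_header):
    """Build a minimal constructed message with only the headers we inspect."""
    return f"From: {from_header}\nTo: {to_header}\nSubject: test\n\nbody\n"


# Constructed samples based on the two cases in the Note, plus a benign one.
SPOOFED = make_message('"usera@domain.com" <usersome@example.com>', "userb@domain.com")
EQUALS_TO = make_message('"user@domain.com" <notify@domain.com>', "user@domain.com")
BENIGN = make_message('"User A" <usera@domain.com>', "userb@domain.com")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("equals_to", EQUALS_TO), ("benign", BENIGN)):
        print(label, sorted(fromname_conditions(raw)))
```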
Ref:
- https://metacpan.org/pod/Mail::SpamAssassin::Plugin::FromNameSpoof
- https://metacpan.org/release/Mail-SpamAssassin
Submitted by: Raghu Noti