FromName Spoofing
From Name Spoofing
- This article is a Work in Progress, and may be unfinished or missing sections.
Problem
Spammers spoof the From name
Description
Name spoofing is when an attacker forges the From name so that the email appears to have been sent by someone else.
Prevention
SpamAssassin can prevent emails with a spoofed From name when the "FromNameSpoof" plugin is enabled. The plugin is disabled by default.
Steps to follow
Step-1
Enable the FromNameSpoof plugin by uncommenting the line below.
- # /opt/zimbra/data/spamassassin/localrules/v342.pre
loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof
Step-2
Uncomment the lines below and adjust the spam scores as needed.
- # /opt/zimbra/data/spamassassin/rules/72_active.cf
score T_FROMNAME_EQUALS_TO 1.0
score T_FROMNAME_SPOOFED_EMAIL 0.3
- After editing:
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
  meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO
  describe T_FROMNAME_EQUALS_TO From:name matches To:
  score T_FROMNAME_EQUALS_TO 1.0
  tflags T_FROMNAME_EQUALS_TO publish
endif
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
  meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
  describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email
  score T_FROMNAME_SPOOFED_EMAIL 0.3
  tflags T_FROMNAME_SPOOFED_EMAIL publish
endif
- Note:
- T_FROMNAME_EQUALS_TO: this condition applies when the From name matches the To address.
- e.g.:
- From Name: user@domain.com
- To: user@domain.com
- T_FROMNAME_SPOOFED_EMAIL: this condition applies when the From name looks like a spoofed email.
- e.g.:
- From Name: usera@domain.com
- From address: usersome@example.com
- To: userb@domain.com
Step-3
Restart amavisd and the MTA.
zmamavisdctl restart
zmmtactl restart
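To see which messages the two conditions in the Step-2 note target, the following added Python sketch (not part of the original article and not the plugin's own code) applies simplified versions of them to constructed headers. It assumes a From name counts as spoofed when the address it shows is in a different domain than the real From address, and it leaves out the rule's __VIA_ML, __VIA_RESIGNER and __RP_MATCHES_RCVD exclusions; the function names and sample messages are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Loose pattern for text in a display name that looks like an email address.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def fromname_checks(raw_message):
    """Return (equals_to, spoofed) for one message given as header text."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}

    match = ADDR_RE.search(name)
    if not match:
        return (False, False)  # display name carries no address at all
    name_addr = match.group(0).lower()

    # Condition 1: the From name is the recipient's own address.
    equals_to = name_addr in to_addrs
    # Condition 2 (assumed comparison): the address shown in the From name
    # belongs to a different domain than the real From address.
    name_domain = name_addr.rsplit("@", 1)[1]
    real_domain = from_addr.lower().rsplit("@", 1)[-1]
    return (equals_to, name_domain != real_domain)


def build(from_name, from_addr, to_addr):
    """Constructed sample message; the display name is quoted per RFC 5322."""
    return f'From: "{from_name}" <{from_addr}>\nTo: {to_addr}\nSubject: test\n\nbody\n'


# Constructed samples based on the article's two examples plus a benign case.
SAMPLES = {
    "name equals To": build("user@domain.com", "usersome@example.com", "user@domain.com"),
    "name spoofs another user": build("usera@domain.com", "usersome@example.com", "userb@domain.com"),
    "ordinary name": build("User A", "usera@domain.com", "userb@domain.com"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, fromname_checks(raw))
```

A message can satisfy both conditions at once, in which case both scores from Step-2 would apply to it.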
Ref:
- https://metacpan.org/pod/Mail::SpamAssassin::Plugin::FromNameSpoof
- https://metacpan.org/release/Mail-SpamAssassin
Submitted by: Raghu Noti