FromName Spoofing

Implementing SpamAssassin's 'FromNameSpoof' plugin to prevent spammers from spoofing



Problem

Spammers spoof the From Name

Description

Name spoofing is when an attacker forges the From name so that the email appears to have been sent by someone else.

Prevention

SpamAssassin can prevent emails with a spoofed From name when the "FromNameSpoof" plugin is enabled. The plugin is disabled by default.

Steps to follow

Step-1

Enable FromNameSpoof plugin by uncommenting the below line.

# /opt/zimbra/data/spamassassin/localrules/v342.pre
loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

Step-2

Uncomment the lines below and adjust the spam scores as needed.

# /opt/zimbra/data/spamassassin/rules/72_active.cf
score    T_FROMNAME_EQUALS_TO 1.0
score    T_FROMNAME_SPOOFED_EMAIL 0.3

After editing, the two rule blocks should look like this:

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
meta     T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO
describe T_FROMNAME_EQUALS_TO From:name matches To:
score    T_FROMNAME_EQUALS_TO 1.0
tflags   T_FROMNAME_EQUALS_TO publish
endif

ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
meta     T_FROMNAME_SPOOFED_EMAIL  (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email
score    T_FROMNAME_SPOOFED_EMAIL 0.3
tflags   T_FROMNAME_SPOOFED_EMAIL publish
endif

Note:
T_FROMNAME_EQUALS_TO applies when the From name matches the To address.
e.g.:
From Name: user@domain.com
To: user@domain.com

T_FROMNAME_SPOOFED_EMAIL applies when the From name looks like a spoofed email.
e.g.:
From Name: usera@domain.com
From address: usersome@example.com
To: userb@domain.com

Step-3

Restart amavisd and the MTA.

zmamavisdctl restart
zmmtactl restart
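
To triage sample messages against the two conditions in the Note under Step-2, the following added example (not part of the original article and not the plugin's own code) reproduces them in simplified form. It assumes exact address comparison and a loose address pattern; the helper names and the sender@example.net address are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Loose pattern for an address inside a display name (assumption, not the plugin's regex).
ADDR_IN_NAME = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def classify(raw_message):
    """Return the Note's conditions that a raw message meets (simplified, exact match)."""
    msg = message_from_string(raw_message)
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    hits = set()
    for name, addr in getaddresses(msg.get_all("From", [])):
        found = ADDR_IN_NAME.search(name)
        if not found:
            continue  # display name carries no address, nothing to compare
        name_addr = found.group(0).lower()
        if name_addr in to_addrs:
            hits.add("T_FROMNAME_EQUALS_TO")
        if name_addr != addr.lower():
            # Plugin half only; the rule's __VIA_ML / __VIA_RESIGNER /
            # __RP_MATCHES_RCVD exclusions are not modelled here.
            hits.add("T_FROMNAME_SPOOFED_EMAIL")
    return hits

def make(from_hdr, to_hdr):
    """Build a minimal constructed message with the given From and To headers."""
    return f"From: {from_hdr}\nTo: {to_hdr}\nSubject: test\n\nbody\n"

# Constructed sample messages; addresses follow the Note, sender@example.net is made up.
SAMPLES = {
    "spoofed": make('"usera@domain.com" <usersome@example.com>', "userb@domain.com"),
    "equals_to": make('"user@domain.com" <sender@example.net>', "user@domain.com"),
    "clean": make('"User A" <usera@domain.com>', "userb@domain.com"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, sorted(classify(raw)))
```

In this simplified model the "equals_to" sample meets both conditions, because its From name matches the To address and also differs from the actual From address.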

Ref:

https://metacpan.org/pod/Mail::SpamAssassin::Plugin::FromNameSpoof
https://metacpan.org/release/Mail-SpamAssassin
Submitted by: Raghu Noti
Verified Against: ZCS 8.8.15, ZCS 9.0
Date Created: 2020-09-26
Article ID: https://wiki.zimbra.com/index.php?title=FromName_Spoofing
Date Modified: 2020-09-29


