Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2018/08/27 13:19:10 UTC

[Bug 7606] New: Fromnamespoof plugin

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7606

            Bug ID: 7606
           Summary: Fromnamespoof plugin
           Product: Spamassassin
           Version: 3.4 SVN branch
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Plugins
          Assignee: dev@spamassassin.apache.org
          Reporter: paul.stead@gmail.com
  Target Milestone: Undefined

Created attachment 5585
  --> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5585&action=edit
Fromnamespoof Plugin

After some work with regexes on the user forum I made the following plugin to
allow for detection of the From:name field being used to mislead recipients
into thinking the email is from another address.

This plugin performs the following steps:

* Checks for existence of an "emailaddress-looking" string in the From:name
field
* Reduces FP by checking if "owner" and tld both differ
  <user>@<owner>.<tld>
* Do checks to see if both the From:name and From:addr differ
* Do checks if the above is true to see if From:name matches To:addr

I've added man pages and examples.

-- 
You are receiving this mail because:
You are the assignee for the bug.
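
The four checks listed in the report above, sketched in Python as an added example; this is not the attached plugin's Perl code. The function names, the address regex, the "last two labels" split into owner and tld, and the sample headers are all assumptions constructed for illustration.

```python
import re
from email.utils import getaddresses, parseaddr

# Loose "email-looking" pattern user@owner.tld (an assumption, not the plugin's regex).
ADDR_RE = re.compile(r"([\w.+-]+)@([\w-]+(?:\.[\w-]+)+)")

def split_domain(domain):
    """Return (owner, tld) as the last two labels; multi-label suffixes are ignored."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2] if len(labels) > 1 else "", labels[-1])

def check_fromname(from_header, to_header=""):
    """Run the four listed checks on one message's From: and To: header values."""
    name, addr = parseaddr(from_header)
    result = {"name_addr": None, "spoof": False, "equals_to": False}
    m = ADDR_RE.search(name)
    if not m or "@" not in addr:
        return result                  # check 1: no address-like string in From:name
    result["name_addr"] = name_addr = m.group(0).lower()
    if name_addr == addr.lower():
        return result                  # check 3: From:name only repeats From:addr
    name_owner, name_tld = split_domain(m.group(2))
    real_owner, real_tld = split_domain(addr.rsplit("@", 1)[1])
    if name_owner == real_owner or name_tld == real_tld:
        return result                  # check 2: owner and tld must BOTH differ
    result["spoof"] = True
    # check 4: does the address shown in From:name equal a To: address?
    to_addrs = {a.lower() for _, a in getaddresses([to_header]) if a}
    result["equals_to"] = name_addr in to_addrs
    return result

# Constructed sample headers: (From:, To:)
SAMPLES = [
    ('"alice@corp.example" <mallory@bulk-sender.test>', "alice@corp.example"),
    ('"billing@corp.example" <x@mailer.test>', "bob@corp.example"),
    ('"news@shop.example" <bounce@mail.shop.example>', "bob@corp.example"),
    ('"info@corp.example" <info@corp.test>', "bob@corp.example"),  # only tld differs
    ('"Alice Smith" <alice@corp.example>', "bob@corp.example"),
]

if __name__ == "__main__":
    for from_h, to_h in SAMPLES:
        print(from_h, "->", check_fromname(from_h, to_h))
```

The fourth sample shows the cost of the false-positive reduction as the bullet is read here: a From:name on the same owner under a different tld is not flagged.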

[Bug 7606] Fromnamespoof plugin

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7606

--- Comment #4 from Steadramon <pa...@gmail.com> ---
(In reply to Henrik Krohns from comment #3)
> Strange that plugin was dropped into 3.4.2, especially considering it
> probably didn't work from the beginning? Tried to clean it up a bit in Bug
> 7624.

In my instance I have the two hash variables populated by .cf so I'd not come
across this - thanks for the fixes

> 
> There is lots of info missing and little to no debugging to see what's
> going on.

I'll try and add some comments/dbg to help understanding of the process.
> 
> What do the addrlists actually do?

The addrlists combine similar domains under a common searchable name - this is
similar to BZ 7354 - this extra code can likely be dropped in a subsequent
update 

> 
> What does fns_check do?

This was typo'd as dns_check - I'll fix the documents and make the function
clearer.

> 
> Why is there dns_check mentioned that's missing from code?

Typo - should be fns_check
> 
> Unit tests would be nice.

Agreed - I'll come up with test cases


[Bug 7606] Fromnamespoof plugin

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7606

Kevin A. McGrail <km...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kmcgrail@apache.org
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Kevin A. McGrail <km...@apache.org> ---
Thanks Paul.  I'm adding this and renaming it to be more like and kind with
CamelCase naming to existing plugins.

In the future, more focus on patches that work in the root of the branch or
trunk and not drop in files would be good.

And things like the man pages (which yours are quite a good base) with examples
in the man pages not bugzilla.

Plus the full ecosystem such as the MANIFEST, release announcements, v342.pre,
etc. also help.


Hopefully, we can get some rules into rulesrc with conditionals and perhaps
enabling this plugin in trunk by default to see its S/O.

trunk:
Committed revision 1839386.
Committed revision 1839387.
Committed revision 1839389.

3.4:
Committed revision 1839388.


[Bug 7606] Fromnamespoof plugin

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7606

Steadramon <pa...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |paul.stead@gmail.com

--- Comment #1 from Steadramon <pa...@gmail.com> ---
Example rule:

header   __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
header   __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()

meta     FROMNAME_SPOOF_EQUALS_TO  (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
score    FROMNAME_SPOOF_EQUALS_TO 1.2


[Bug 7606] Fromnamespoof plugin

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7606

Henrik Krohns <he...@hege.li> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hege@hege.li

--- Comment #3 from Henrik Krohns <he...@hege.li> ---
Strange that plugin was dropped into 3.4.2, especially considering it probably
didn't work from the beginning? Tried to clean it up a bit in Bug 7624.

There is lots of info missing and little to no debugging to see what's going
on.

What do the addrlists actually do?

What does fns_check do?

Why is there dns_check mentioned that's missing from code?

Unit tests would be nice.
