Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2018/08/27 13:19:10 UTC
[Bug 7606] New: Fromnamespoof plugin
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7606
Bug ID: 7606
Summary: Fromnamespoof plugin
Product: Spamassassin
Version: 3.4 SVN branch
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Plugins
Assignee: dev@spamassassin.apache.org
Reporter: paul.stead@gmail.com
Target Milestone: Undefined
Created attachment 5585
--> https://bz.apache.org/SpamAssassin/attachment.cgi?id=5585&action=edit
Fromnamespoof Plugin
After some work with regexes on the user forum I made the following plugin to
allow for detection of the From:name field being used to mislead recipients
into thinking the email is from another address.
This plugin performs the following steps:
* Checks for existence of an "emailaddress-looking" string in the From:name
field
* Reduces FP by checking if "owner" and tld both differ
<user>@<owner>.<tld>
* Do checks to see if both the From:name and From:addr differ
* Do checks if the above is true to see if From:name matches To:addr
I've added man pages and examples.
--
You are receiving this mail because:
You are the assignee for the bug.
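The four steps listed in the report, sketched as an added example. This is not the plugin's code (the plugin is a Perl SpamAssassin module); the function names, the regex, the reading of the owner/tld step and the sample headers are assumptions made for illustration.

```python
import re
from email.utils import getaddresses, parseaddr

# Loose pattern for an "emailaddress-looking" string (user@owner.tld).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def owner_tld(addr):
    """Split user@[sub.]owner.tld into (owner, tld).
    Simplification: last two labels only, no Public Suffix List."""
    labels = addr.rsplit("@", 1)[1].split(".")
    return labels[-2], labels[-1]

def analyse(from_header, to_header):
    """Apply the four steps to one message; returns two booleans."""
    result = {"spoof": False, "equals_to": False}
    name, from_addr = parseaddr(from_header)
    from_addr = from_addr.lower()
    # Step 1: is there an address-looking string in From:name?
    found = ADDR_RE.search(name)
    if not found or not ADDR_RE.fullmatch(from_addr):
        return result
    name_addr = found.group(0).lower()
    # Step 3: From:name and From:addr must differ.
    if name_addr == from_addr:
        return result
    # Step 2 (assumed reading): require owner AND tld to differ, so a
    # sender showing another address at their own organisation is not flagged.
    n_owner, n_tld = owner_tld(name_addr)
    f_owner, f_tld = owner_tld(from_addr)
    if n_owner == f_owner or n_tld == f_tld:
        return result
    result["spoof"] = True
    # Step 4: only for flagged messages, does From:name match a To:addr?
    to_addrs = {addr.lower() for _, addr in getaddresses([to_header])}
    result["equals_to"] = name_addr in to_addrs
    return result

# Constructed sample headers (reserved .example / .test domains).
SAMPLES = [
    ('"bob@corp.example" <mallory@evil.test>', "bob@corp.example"),
    ('"ceo@bank.example" <mallory@evil.test>', "bob@corp.example"),
    ('"alice@corp.example" <alice@mail.corp.example>', "bob@corp.example"),
    ('"Alice Smith" <alice@corp.example>', "bob@corp.example"),
]

if __name__ == "__main__":
    for from_h, to_h in SAMPLES:
        print(from_h, "->", analyse(from_h, to_h))
```

The third sample is the false-positive case the owner/tld comparison is there to suppress: the displayed address and the real one differ, but belong to the same owner.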
[Bug 7606] Fromnamespoof plugin
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7606
--- Comment #4 from Steadramon <pa...@gmail.com> ---
(In reply to Henrik Krohns from comment #3)
> Strange that plugin was dropped into 3.4.2, especially considering it
> probably didn't work from the beginning? Tried to clean it up a bit in Bug
> 7624.
In my instance I have the two hash variables populated by .cf so I'd not come
across this - thanks for the fixes
>
> There is lots of info missing and little to no debugging to see what's
> going on.
I'll try and add some comments/dbg to help understanding of the process.
>
> What do the addrlists actually do?
The addrlists combine similar domains under a common searchable name - this is
similar to BZ 7354 - this extra code can likely be dropped in a subsequent
update
>
> What does fns_check do?
This was typo'd as dns_check - I'll fix the documents and make the function
clearer.
>
> Why is there dns_check mentioned that's missing from code?
Typo - should be fns_check
>
> Unit tests would be nice.
Agreed - I'll come up with test cases
[Bug 7606] Fromnamespoof plugin
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7606
Kevin A. McGrail <km...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kmcgrail@apache.org
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #2 from Kevin A. McGrail <km...@apache.org> ---
Thanks Paul. I'm adding this and renaming it to be more like and kind with
CamelCase naming to existing plugins.
In the future, more focus on patches that work in the root of the branch or
trunk and not drop in files would be good.
And things like the man pages (which yours are quite a good base) with examples
in the man pages not bugzilla.
Plus the full ecosystem such as the MANIFEST, release announcements, v342.pre,
etc. also help.
Hopefully, we can get some rules into rulesrc with conditionals and perhaps
enabling this plugin in trunk by default to see its S/O.
trunk:
Committed revision 1839386.
Committed revision 1839387.
Committed revision 1839389.
3.4:
Committed revision 1839388.
[Bug 7606] Fromnamespoof plugin
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7606
Steadramon <pa...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |paul.stead@gmail.com
--- Comment #1 from Steadramon <pa...@gmail.com> ---
Example rule:
header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
meta FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
describe FROMNAME_SPOOF_EQUALS_TO From:name is spoof to look like To: address
score FROMNAME_SPOOF_EQUALS_TO 1.2
[Bug 7606] Fromnamespoof plugin
Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7606
Henrik Krohns <he...@hege.li> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hege@hege.li
--- Comment #3 from Henrik Krohns <he...@hege.li> ---
Strange that plugin was dropped into 3.4.2, especially considering it probably
didn't work from the beginning? Tried to clean it up a bit in Bug 7624.
There is lots of info missing and little to no debugging to see what's going
on.
What do the addrlists actually do?
What does fns_check do?
Why is there dns_check mentioned that's missing from code?
Unit tests would be nice.