NAME
    FromNameSpoof - perform various tests to detect spoof attempts using the
    From header name section

SYNOPSIS
    loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

    # From:name and From:addr do not match, matching depends on the fns_check setting
    header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()

    # From:name and From:addr do not match (same as above rule and fns_check)
    header __PLUGIN_FROMNAME_DIFFERENT eval:check_fromname_different()

    # From:name and From:addr domains differ
    header __PLUGIN_FROMNAME_DOMAIN_DIFFER eval:check_fromname_domain_differ()

    # From:name looks like it contains an email address (not the same as From:addr)
    header __PLUGIN_FROMNAME_EMAIL eval:check_fromname_contains_email()

    # From:name matches any To:addr
    header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()

    # From:name and From:addr owners differ
    header __PLUGIN_FROMNAME_OWNERS_DIFFER eval:check_fromname_owners_differ()

    # From:name matches Reply-To:addr
    header __PLUGIN_FROMNAME_EQUALS_REPLYTO eval:check_fromname_equals_replyto()

DESCRIPTION
    Perform various tests against the From:name header to detect spoofing.
    Steps are in place to keep false positives to a minimum.

CONFIGURATION
    The plugin allows you to skip emails that have been DKIM signed by
    specific senders:

        fns_ignore_dkim googlegroups.com

    FromNameSpoof allows for a configurable closeness when matching the
    From:addr and From:name; the closeness can be adjusted with:

        fns_extrachars 50

    Note that FromNameSpoof detects the "owner" of a domain by the following
    search: .

    By default FromNameSpoof will ignore the TLD when comparing addresses:

        fns_check 1

    Check levels:

        0 - Strict checking of From:name != From:addr
        1 - Allow for different TLDs
        2 - Allow for different aliases but same domain

    "Owner" info can also be mapped as aliases with "fns_add_addrlist".
    For example, to consider "googlemail.com" as "gmail":

        fns_add_addrlist (gmail) *@googlemail.com

TAGS
    The following tags are added to the set if a spoof is detected.
    They are available for use in reports, header fields, other plugins, etc.:

        _FNSFNAMEADDR_    Detected spoof address from From:name header
        _FNSFNAMEDOMAIN_  Detected spoof domain from From:name header
        _FNSFNAMEOWNER_   Detected spoof owner from From:name header
        _FNSFADDRADDR_    Actual From:addr address
        _FNSFADDRDOMAIN_  Actual From:addr domain
        _FNSFADDROWNER_   Actual From:addr owner

EXAMPLE
    header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
    header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
    meta FROMNAME_SPOOF_EQUALS_TO (__PLUGIN_FROMNAME_SPOOF && __PLUGIN_FROMNAME_EQUALS_TO)
    describe FROMNAME_SPOOF_EQUALS_TO From:name is spoofed to look like the To: address
    score FROMNAME_SPOOF_EQUALS_TO 1.2
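The following is an added, stand-alone re-implementation of the checks and check levels described above, written to show how the rules, the fns_check levels and the tags interact on concrete headers; it is not the plugin's own code. It assumes that the "owner" of an address is the DNS label to the left of the TLD (the plugin's actual search is not shown on this page), that fns_add_addrlist entries are matched as shell-style globs against the whole address, and it does not model fns_extrachars or fns_ignore_dkim. All headers in the tests are constructed samples.

```python
import re
from email.utils import parseaddr
from fnmatch import fnmatch

# Constructed alias map equivalent to the documented directive
#   fns_add_addrlist (gmail) *@googlemail.com
# (the dict shape is this example's assumption, not the plugin's storage format)
ADDRLIST = {"gmail": ["*@googlemail.com"]}

# Something that looks like an email address inside the From:name display text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(addr):
    return addr.rsplit("@", 1)[1]


def strip_tld(addr):
    """Check level 1: drop the last DNS label so user@example.com == user@example.net."""
    local, dom = addr.rsplit("@", 1)
    labels = dom.split(".")
    return local + "@" + ".".join(labels[:-1]) if len(labels) > 1 else addr


def owner_of(addr):
    """Owner of an address: an fns_add_addrlist alias wins, otherwise the label
    left of the TLD (assumption: the plugin's own owner search is not on the page)."""
    for alias, patterns in ADDRLIST.items():
        if any(fnmatch(addr, p) for p in patterns):
            return alias
    labels = domain_of(addr).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyze(from_header, to_addrs=(), reply_to=None, fns_check=1):
    """Return (set of rule names that would fire, dict of tags) for one From: header.

    Rule names mirror the __PLUGIN_FROMNAME_* rules in the SYNOPSIS without the
    __PLUGIN_ prefix; tags are only set when the spoof check itself fires.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    found = EMAIL_RE.search(name)
    if not found or not addr:
        return set(), {}  # no address-like text in From:name: nothing fires
    name_addr = found.group(0).lower()
    to_addrs = {a.lower() for a in to_addrs}

    hits = set()
    if name_addr != addr:
        hits.add("FROMNAME_EMAIL")      # name carries an address that is not From:addr
        hits.add("FROMNAME_DIFFERENT")  # strict mismatch, independent of fns_check
    if domain_of(name_addr) != domain_of(addr):
        hits.add("FROMNAME_DOMAIN_DIFFER")
    if owner_of(name_addr) != owner_of(addr):
        hits.add("FROMNAME_OWNERS_DIFFER")
    if name_addr in to_addrs:
        hits.add("FROMNAME_EQUALS_TO")
    if reply_to and name_addr == reply_to.lower():
        hits.add("FROMNAME_EQUALS_REPLYTO")

    # The spoof rule is the only one whose outcome depends on the fns_check level.
    if fns_check == 0:
        spoof = name_addr != addr                          # strict
    elif fns_check == 1:
        spoof = strip_tld(name_addr) != strip_tld(addr)    # ignore the TLD
    else:
        spoof = owner_of(name_addr) != owner_of(addr)      # owner/alias level

    tags = {}
    if spoof:
        hits.add("FROMNAME_SPOOF")
        tags = {
            "_FNSFNAMEADDR_": name_addr,
            "_FNSFNAMEDOMAIN_": domain_of(name_addr),
            "_FNSFNAMEOWNER_": owner_of(name_addr),
            "_FNSFADDRADDR_": addr,
            "_FNSFADDRDOMAIN_": domain_of(addr),
            "_FNSFADDROWNER_": owner_of(addr),
        }
    return hits, tags


if __name__ == "__main__":
    # Constructed sample: the display name impersonates the recipient's own address.
    hits, tags = analyze('"alice@bank.example" <mailer@evil.example>',
                         to_addrs=["alice@bank.example"], fns_check=1)
    print(sorted(hits))
    print(tags)
```

Running the sample at the bottom fires FROMNAME_SPOOF together with FROMNAME_EQUALS_TO, which is exactly the pair the EXAMPLE section combines into the FROMNAME_SPOOF_EQUALS_TO meta rule; the same From: header with `fns_check=2` and an alias entry for the sending domain would suppress only the spoof rule, which is why the level matters for the false-positive rate.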