This is the current list of tests SpamAssassin(tm) performs on mail messages to
determine if they're spam or not. If you wish to change the score from the
default, add a line like this to your ~/.spamassassin/user_prefs:

Note that these are the scores for the current stable release of SpamAssassin;
they may be different from the ones you're running on your servers, if SpamAssassin
is installed there.

The 'More Info' links, if present, lead to a section of our Wiki for collaborative
documentation of rules; some of the rules include additional user-contributed
documentation there. If you feel like adding a page describing a rule in
further detail, feel free to create a page at that link, using the RuleDescriptionTemplate format.

| AREA TESTED | LOCALE | DESCRIPTION OF TEST | TEST NAME | DEFAULT SCORES (local, net, with bayes, with bayes+net) | MORE INFO (additional wiki docs) |
|---|---|---|---|---|---|
| body | | Generic Test for Unsolicited Bulk Email | GTUBE | 1000 | |
| full | | Listed in Razor2 (http://razor.sf.net/) | RAZOR2_CHECK | 0 0.899 0 1.047 | |
| body | | Razor2 gives confidence between 11 and 50 | RAZOR2_CF_RANGE_11_50 | 0 0.559 0 0.876 | |
| body | | Razor2 gives confidence between 51 and 100 | RAZOR2_CF_RANGE_51_100 | 0 1.552 0 1.101 | |
| full | | Listed in DCC (http://rhyolite.com/anti-spam/dcc/) | DCC_CHECK | 0 1.806 0 2.907 | |
| full | | Listed in Pyzor (http://pyzor.sf.net/) | PYZOR_CHECK | 0 0.322 0 3.511 | |
| body | | List removal information | REMOVE_IN_QUOTES | 0.001 0.187 0.001 0.001 | |
| body | | Click-to-remove with mailto: found | CLICK_TO_REMOVE_2 | 1 | |
| rawbody | | Contains an ASCII-formatted form | ASCII_FORM_ENTRY | 1 | |
| body | | Incorporates a tracking ID number | TRACKER_ID | 2.528 3.527 3.261 3.784 | |
| body | | RAND found, spammer tried to use a random-ID | MARKUP_RAND | 2.900 2.800 0 0 | |
| body | | SSPL found, spammer tried to use a random-ID | MARKUP_SSPL | 1 | |
| body | | Contains a large block of hexadecimal code | LARGE_HEX | 0.633 1.595 1.193 1.160 | |
| body | | A WHOLE LINE OF YELLING DETECTED | LINES_OF_YELLING | 0 0.011 0 0 | |
| body | | 2 WHOLE LINES OF YELLING DETECTED | LINES_OF_YELLING_2 | 0 0.105 0 0 | |
| body | | 3 WHOLE LINES OF YELLING DETECTED | LINES_OF_YELLING_3 | 1 | |
| body | | Weird repeated double-quotation marks | WEIRD_QUOTING | 1.373 0.471 0.061 0 | |
| rawbody | | Extra blank lines in base64 encoding | MIME_BASE64_BLANKS | 1 | |
| rawbody | | base64 attachment uses illegal characters | MIME_BASE64_ILLEGAL | 0.432 1.715 0 1.581 | |
| rawbody | | Latin alphabet text using base64 encoding | MIME_BASE64_LATIN | 1.101 1.101 0.500 0.500 | |
| rawbody | | base64 attachment does not have a file name | MIME_BASE64_NO_NAME | 0.189 0 0 0 | |
| rawbody | | Message text disguised using base64 encoding | MIME_BASE64_TEXT | 1.101 1.101 1.001 1.008 | |
| rawbody | | Message text in HTML without charset | MIME_HTML_NO_CHARSET | 1.064 0.716 1.030 0.561 | |
| rawbody | | MIME section missing boundary | MIME_MISSING_BOUNDARY | 1.179 0.803 0 1.838 | |
| body | | Multipart message mostly text/html MIME | MIME_HTML_MOSTLY | 1.587 1.162 1.180 1.238 | |
| body | | Message only has text/html MIME parts | MIME_HTML_ONLY | 0.666 0.100 0.248 0.320 | |
| rawbody | | Deficient quoted-printable encoding in body | MIME_QP_DEFICIENT | 1.048 1.797 2.097 1.912 | |
| rawbody | | Excessive quoted-printable encoding in body | MIME_QP_EXCESSIVE | 1 | |
| rawbody | | Quoted-printable line longer than 76 chars | MIME_QP_LONG_LINE | 0.242 0 0 0 | |
| rawbody | | Quoted-printable inline text with no charset | MIME_QP_NO_CHARSET | 0.931 0.714 0.047 0.197 | |
| rawbody | | Message includes Microsoft executable program | MICROSOFT_EXECUTABLE | 0.100 | |
| rawbody | | MIME filename does not match content | MIME_SUSPECT_NAME | 0.100 | |
| body | | Character set indicates a foreign language | CHARSET_FARAWAY | 3.200 | |
| body | | Message written in an undesired language | UNWANTED_LANGUAGE_BODY | 2.800 | |
| body | | Body includes 8 consecutive 8-bit characters | BODY_8BITS | 1.500 | |
| rawbody | | Contains a hashbuster in Send-Safe format | RATWARE_HASH_DASH | 1.101 4.300 1.920 4.100 | |
| body | | Body contains a ROT13-encoded email address | EMAIL_ROT13 | 4.400 4.300 2.590 4.100 | |
| body | | Message body has 70-80% blank lines | BLANK_LINES_70_80 | 1.999 0.867 1.424 2.126 | |
| body | | Message body has 80-90% blank lines | BLANK_LINES_80_90 | 1.643 1.489 2.596 2.599 | |
| body | | Message body has 90-100% blank lines | BLANK_LINES_90_100 | 1 | |
| header | | Has Habeas warrant mark (http://www.habeas.com/) | HABEAS_SWE | -8.0 | |
| header | | NJABL: sender is confirmed open relay | RCVD_IN_NJABL_RELAY | 0 1.133 0 0.824 | |
| header | | NJABL: dialup sender did non-local SMTP | RCVD_IN_NJABL_DUL | 0 1.580 0 1.708 | |
| header | | NJABL: sender is confirmed spam source | RCVD_IN_NJABL_SPAM | 0 0.899 0 0.951 | |
| header | | NJABL: sent through multi-stage open relay | RCVD_IN_NJABL_MULTI | 0 0.101 0 0.101 | |
| header | | NJABL: sender is an open formmail | RCVD_IN_NJABL_CGI | 0 0.1 0 0.100 | |
| header | | NJABL: sender is an open proxy | RCVD_IN_NJABL_PROXY | 0 1.186 0 2.342 | |
| header | | SORBS: sender is open HTTP proxy server | RCVD_IN_SORBS_HTTP | 0 0.000 0 1.203 | |
| header | | SORBS: sender is open proxy server | RCVD_IN_SORBS_MISC | 0 0.118 0 0.004 | |
| header | | SORBS: sender is open SMTP relay | RCVD_IN_SORBS_SMTP | 0 1.630 0 0.382 | |
| header | | SORBS: sender is open SOCKS proxy server | RCVD_IN_SORBS_SOCKS | 0 1.603 0 0.927 | |
| header | | SORBS: sender is a abuseable web server | RCVD_IN_SORBS_WEB | 0 0.000 0 0.353 | |
| header | | SORBS: sender demands to never be tested | RCVD_IN_SORBS_BLOCK | 0 0.001 0 0.001 | |
| header | | SORBS: sender is on a hijacked network | RCVD_IN_SORBS_ZOMBIE | 0 0.948 0 0.918 | |
| header | | SORBS: sent directly from dynamic IP address | RCVD_IN_SORBS_DUL | 0 0.067 0 0.092 | |
| header | | Received via a relay in Spamhaus SBL | RCVD_IN_SBL | 0 0.814 0 0.875 | |
| header | | Received via a relay in Spamhaus XBL | RCVD_IN_XBL | 0 2.333 0 4.923 | |
| header | | Received via a relay in list.dsbl.org | RCVD_IN_DSBL | 0 1.101 0 0.706 | |
| header | | Sent via a relay in ipwhois.rfc-ignorant.org | RCVD_IN_RFCI | 0 0.100 0 0.100 | |
| header | | From: sender listed in dsn.rfc-ignorant.org | DNS_FROM_RFCI_DSN | 0 1.389 0 0.291 | |
| header | | Has Habeas warrant mark and on Infringer List | HABEAS_VIOLATOR | 16.0 | |
| header | | Sender is in Bonded Sender Program (trusted relay) | RCVD_IN_BSP_TRUSTED | 0 -4.3 0 -4.3 | |
| header | | Sender is in Bonded Sender Program (other relay) | RCVD_IN_BSP_OTHER | 0 -0.1 0 -0.1 | |
| header | | Received via a relay in bl.spamcop.net | RCVD_IN_BL_SPAMCOP_NET | 0 2.25 0 1.50 | |
| header | | Relay in RBL, http://www.mail-abuse.org/rbl/ | RCVD_IN_MAPS_RBL | 1 | |
| header | | Relay in DUL, http://www.mail-abuse.org/dul/ | RCVD_IN_MAPS_DUL | 1 | |
| header | | Relay in RSS, http://www.mail-abuse.org/rss/ | RCVD_IN_MAPS_RSS | 1 | |
| header | | Relay in NML, http://www.mail-abuse.org/nml/ | RCVD_IN_MAPS_NML | 1 | |
| header | | Host HELO did not match rDNS: aol.com | FAKE_HELO_AOL | 1.916 1.875 1.788 2.354 | |
| header | | Host HELO did not match rDNS: hotmail.com | FAKE_HELO_HOTMAIL | 1.172 0 2.335 1.499 | |
| header | | Host HELO did not match rDNS: usa.net | FAKE_HELO_USA_NET | 2.800 2.800 2.696 2.488 | |
| header | | Host HELO did not match rDNS: shaw.ca | FAKE_HELO_SHAW_CA | 0.298 0.904 2.800 0.585 | |
| header | | Host HELO did not match rDNS: netscape.com | FAKE_HELO_NETSCAPE_COM | 0.583 1.133 2.078 1.817 | |
| header | | Host HELO did not match rDNS: netzero.net | FAKE_HELO_NETZERO | 1 | |
| header | | Host HELO did not match rDNS: msn.com | FAKE_HELO_MSN | 0.700 1.883 1.576 0.319 | |
| header | | Host HELO did not match rDNS: mail.ru | FAKE_HELO_MAIL_RU | 2.033 1.859 2.462 0.473 | |
| header | | Host HELO did not match rDNS: mail.com | FAKE_HELO_MAIL_COM | 4.113 3.526 3.705 3.769 | |
| header | | Host HELO did not match rDNS: flashmail.com | FAKE_HELO_FLASHMAIL | 1 | |
| header | | Host HELO did not match rDNS: email.com | FAKE_HELO_EMAIL_COM | 2.900 2.800 2.800 2.700 | |
| header | | Host HELO did not match rDNS: caramail.com | FAKE_HELO_CARAMAIL | 2.900 2.800 0 2.700 | |
| header | | Host HELO did not match rDNS: bigfoot.com | FAKE_HELO_BIGFOOT | 2.900 2.800 2.800 2.700 | |
| header | | Host HELO did not match rDNS: eudoramail.com | FAKE_HELO_EUDORAMAIL | 2.900 2.800 2.800 2.700 | |
| header | | Host HELO did not match rDNS: excite.com | FAKE_HELO_EXCITE | 2.804 2.800 2.800 2.700 | |
| header | | Host HELO did not match rDNS: mailcity.com | FAKE_HELO_MAILCITY | 2.287 2.800 1.309 0 | |
| header | | Host HELO did not match rDNS: lycos.com | FAKE_HELO_LYCOS | 2.900 2.800 2.800 1.355 | |
| header | | Host HELO did not match rDNS: juno.com | FAKE_HELO_JUNO | 2.551 2.800 2.800 2.700 | |
| header | | Host HELO did not match rDNS: yahoo.com | FAKE_HELO_YAHOO | 1.871 0 2.696 2.599 | |
| header | | Host HELO did not match rDNS: yahoo.ca | FAKE_HELO_YAHOO_CA | 1.424 1.852 2.800 2.700 | |
| header | | From: does not include a real name | NO_REAL_NAME | 0.339 0.285 0.339 0.160 | |
| header | | From: ends in numbers | FROM_ENDS_IN_NUMS | 0.999 0.869 0.677 0.994 | |
| header | | From: starts with nums | FROM_STARTS_WITH_NUMS | 0.390 1.574 1.044 0.579 | |
| header | | From: contains numbers mixed in with letters | FROM_HAS_MIXED_NUMS | 0.100 0.304 0.100 0.259 | |
| header | | From address matches known spammer format | FROM_HAS_MIXED_NUMS2 | 1.977 2.800 1.960 2.216 | |
| header | | From: contains numbers mixed in with letters | FROM_HAS_MIXED_NUMS3 | 1.811 1.999 4.095 3.248 | |
| header | | Uses an address with lots of numbers, at a big ISP | ADDR_NUMS_AT_BIGSITE | 1.044 0.724 1.087 2.699 | |
| header | | From address is "at something-offers" | FROM_OFFERS | 4.300 3.932 4.095 4.100 | |
| header | | From: has no local-part before @ sign | FROM_NO_USER | 2.226 1.286 2.599 2.386 | |
| header | | To: has no local-part before @ sign | TO_NO_USER | 1.662 1.498 1.597 0 | |
| header | | To: address contains spaces | TO_HAS_SPACES | 0.492 2.397 0 0 | |
| header | | To: is empty | TO_EMPTY | 1.600 0 0 0 | |
| header | | Reply-To: is empty | REPLY_TO_EMPTY | 0.065 0.888 1.663 2.599 | |
| header | | Reply-To: has an underline and numbers/letters | REPLY_TO_ULINE_NUMS | 0.001 0.001 0.001 2.699 | |
| header | | To: repeats address as real name | TO_ADDRESS_EQ_REAL | 0.444 0.011 0.593 0.778 | |
| header | | Valid-looking To "undisclosed-recipients" | UNDISC_RECIPS | 1 | |
| header | | Faked To "Undisclosed-Recipients" | FAKED_UNDISC_RECIPS | 2.899 2.694 2.800 2.700 | |
| header | | Subject has exclamation mark and question mark | PLING_QUERY | 0.014 0.238 0 0 | |
| header | | Subject contains a unique ID | SUBJ_HAS_UNIQ_ID | 1.390 0.212 0.882 2.677 | |
| header | | Subject contains lots of white space | SUBJ_HAS_SPACES | 1.581 0.973 3.324 4.099 | |
| header | | Subject is all capitals | SUBJ_ALL_CAPS | 0.550 0.567 0 0 | |
| header | | Message-Id has no @ sign | MSGID_HAS_NO_AT | 1 | |
| header | | Message-Id generated by a spam tool | MSGID_SPAM_1 | 2.900 2.800 0 2.700 | |
| header | | Spam tool Message-Id: (6-letter variant) | MSGID_SPAM_6LETTER | 2.900 2.800 2.800 2.700 | |
| header | | Spam tool Message-Id: (99x9xx99 variant) | MSGID_SPAM_99X9XX99 | 4.300 4.300 4.100 4.100 | |
| header | | Spam tool Message-Id: (12-zeroes variant) | MSGID_SPAM_ZEROES | 4.400 4.300 4.200 4.100 | |
| header | | Spam tool Message-Id: (3-dollars variant) | MSGID_3_DOLLARS | 2.900 0 2.800 0 | |
| header | | Spam tool Message-Id: (4-num-dollar variant) | MSGID_4NUMS_DOLLAR | 2.900 2.800 2.800 2.700 | |
| header | | Spam tool Received: (6-caps ESMTP ID variant) | RCVD_6_CAPS_ESMTP_ID | 2.900 2.800 2.800 2.700 | |
| header | | Message-Id has no hostname | MSGID_NO_HOST | 0.381 1.278 2.397 1.103 | |
| header | | Message-Id is fake (in Outlook Express format) | MSGID_OUTLOOK_INVALID | 4.400 4.300 4.200 4.100 | |
| header | | Message-Id was added by a relay | MSGID_FROM_MTA_SHORT | 3.665 3.310 3.167 3.030 | |
| header | | Message-Id was added by a relay | MSGID_FROM_MTA_LATER | 1 | |
| header | | Message-Id was added by a relay | MSGID_FROM_MTA_BACKUP | 0 1.774 0 0.817 | |
| header | | Message-Id was added by a hotmail.com relay | MSGID_FROM_MTA_HOTMAIL | 1.747 1.560 2.800 2.700 | |
| header | | Date header uses unusual Y2K formatting | DATE_SPAMWARE_Y2K | 4.500 4.400 4.300 4.200 | |
| header | | Invalid Date: header (not RFC 2822) | INVALID_DATE | 0.042 0 0 0 | |
| header | | Invalid Date: header (timezone does not exist) | INVALID_DATE_TZ_ABSURD | 1.746 1.737 1.749 1.779 | |
| header | | Invalid Date: year begins with zero | DATE_YEAR_ZERO_FIRST | 2.900 0 2.800 0 | |
| header | | Date: is 3 to 6 hours before Received: date | DATE_IN_PAST_03_06 | 0.322 0.680 0.753 0.419 | |
| header | | Date: is 6 to 12 hours before Received: date | DATE_IN_PAST_06_12 | 0.800 0.599 1.363 0.650 | |
| header | | Date: is 12 to 24 hours before Received: date | DATE_IN_PAST_12_24 | 0.756 0.385 1.364 0.746 | |
| header | | Date: is 24 to 48 hours before Received: date | DATE_IN_PAST_24_48 | 1 | |
| header | | Date: is 48 to 96 hours before Received: date | DATE_IN_PAST_48_96 | 1 | |
| header | | Date: is 96 hours or more before Received: date | DATE_IN_PAST_96_XX | 1.781 1.238 2.165 1.534 | |
| header | | Date: is 3 to 6 hours after Received: date | DATE_IN_FUTURE_03_06 | 2.904 2.834 0.753 1.931 | |
| header | | Date: is 6 to 12 hours after Received: date | DATE_IN_FUTURE_06_12 | 1.609 1.946 1.559 1.973 | |
| header | | Date: is 12 to 24 hours after Received: date | DATE_IN_FUTURE_12_24 | 1.754 1.953 2.216 3.332 | |
| header | | Date: is 24 to 48 hours after Received: date | DATE_IN_FUTURE_24_48 | 2.730 2.796 2.567 2.546 | |
| header | | Date: is 48 to 96 hours after Received: date | DATE_IN_FUTURE_48_96 | 1 | |
| header | | Date: is 96 hours or more after Received: date | DATE_IN_FUTURE_96_XX | 2.486 2.370 2.071 2.599 | |
| header | | Subject: starts with advertising tag | ADVERT_CODE | 2.899 1.578 2.633 1.817 | |
| header | | Subject: contains advertising tag | ADVERT_CODE2 | 2.299 2.098 2.097 1. |