This is the current list of tests SpamAssassin(tm) performs on mail messages to
determine if they're spam or not. If you wish to change the score from the
default, add a line like this to your ~/.spamassassin/user_prefs:
Note that these are the scores for the current stable release of SpamAssassin;
they may be different from the ones you're running on your servers, if SpamAssassin
is installed there.
The 'More Info' links, if present, lead to a section of our Wiki for collaborative
documentation of rules; some of the rules include additional user-contributed
documentation there. If you feel like adding a page describing a rule in
further detail, feel free to create a page at that link, using the RuleDescriptionTemplate format.
|
AREA TESTED
|
LOCALE
|
DESCRIPTION OF TEST
|
TEST NAME
|
DEFAULT SCORES
(local, net, with bayes, with bayes+net)
|
MORE INFO
(additional wiki docs)
|
|
body
|
|
Generic Test for Unsolicited Bulk Email
|
GTUBE
|
1000.000
|
|
full
|
|
Listed in Razor2 (http://razor.sf.net/)
|
RAZOR2_CHECK
|
0 0.150 0 1.511
|
|
body
|
|
Razor2 gives confidence level above 50%
|
RAZOR2_CF_RANGE_51_100
|
0 1.485 0 0.056
|
|
full
|
|
Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
|
DCC_CHECK
|
0 1.373 0 2.169
|
|
full
|
|
Listed in Pyzor (http://pyzor.sf.net/)
|
PYZOR_CHECK
|
0 2.041 0 3.451
|
|
body
|
|
Incorporates a tracking ID number
|
TRACKER_ID
|
1.825 1.064 1.818 0.555
|
|
body
|
|
Weird repeated double-quotation marks
|
WEIRD_QUOTING
|
1.353 1.966 1.774 2.000
|
|
rawbody
|
|
Extra blank lines in base64 encoding
|
MIME_BASE64_BLANKS
|
0.693 0.819 1.391 1.469
|
|
rawbody
|
|
base64 attachment does not have a file name
|
MIME_BASE64_NO_NAME
|
0.022 0 0.017 0.000
|
|
rawbody
|
|
Message text disguised using base64 encoding
|
MIME_BASE64_TEXT
|
1.780 0.110 1.403 0.298
|
|
rawbody
|
|
MIME section missing boundary
|
MIME_MISSING_BOUNDARY
|
0 0.247 0.224 0
|
|
body
|
|
Multipart message mostly text/html MIME
|
MIME_HTML_MOSTLY
|
1.540 0.285 0.713 1.023
|
|
body
|
|
Message only has text/html MIME parts
|
MIME_HTML_ONLY
|
1.204 1.158 1.156 0.177
|
|
rawbody
|
|
Quoted-printable line longer than 76 chars
|
MIME_QP_LONG_LINE
|
0 0.000 0.105 0.039
|
|
rawbody
|
|
MIME filename does not match content
|
MIME_SUSPECT_NAME
|
0.100
|
|
body
|
|
HTML and text parts are different
|
MPART_ALT_DIFF
|
1.837 1.505 1.823 0.066
|
|
body
|
|
Character set indicates a foreign language
|
CHARSET_FARAWAY
|
3.200
|
|
body
|
|
Message written in an undesired language
|
UNWANTED_LANGUAGE_BODY
|
2.800
|
|
body
|
|
Body includes 8 consecutive 8-bit characters
|
BODY_8BITS
|
1.500
|
|
body
|
|
Body contains a ROT13-encoded email address
|
EMAIL_ROT13
|
2.720 1.474 2.934 3.105
|
|
body
|
|
Message body has 70-80% blank lines
|
BLANK_LINES_70_80
|
1.668 1.127 0.745 1.515
|
|
body
|
|
Message body has 80-90% blank lines
|
BLANK_LINES_80_90
|
0.046 0 0.216 0
|
|
body
|
|
Message body has 90-100% blank lines
|
BLANK_LINES_90_100
|
1.490 1.750 1.877 1.996
|
|
body
|
|
Message body has many words used only once
|
UNIQUE_WORDS
|
3.109 2.549 1.639 2.273
|
|
body
|
|
Message body mentions many internet domains
|
DOMAIN_RATIO
|
2.552 1.360 2.534 3.176
|
|
header
|
|
Did not pass through any untrusted hosts
|
ALL_TRUSTED
|
-2.400 -2.820 -2.867 -3.300
|
|
header
|
|
NJABL: sender is confirmed open relay
|
RCVD_IN_NJABL_RELAY
|
0 0.934 0 1.397
|
|
header
|
|
NJABL: dialup sender did non-local SMTP
|
RCVD_IN_NJABL_DUL
|
0 1.655 0 0.088
|
|
header
|
|
NJABL: sender is confirmed spam source
|
RCVD_IN_NJABL_SPAM
|
0 1.051 0 1.841
|
|
header
|
|
NJABL: sent through multi-stage open relay
|
RCVD_IN_NJABL_MULTI
|
1
|
|
header
|
|
NJABL: sender is an open formmail
|
RCVD_IN_NJABL_CGI
|
1
|
|
header
|
|
NJABL: sender is an open proxy
|
RCVD_IN_NJABL_PROXY
|
0 1.026 0 0.438
|
|
header
|
|
SORBS: sender is open HTTP proxy server
|
RCVD_IN_SORBS_HTTP
|
0 0 0 0.043
|
|
header
|
|
SORBS: sender is open proxy server
|
RCVD_IN_SORBS_MISC
|
0 0 0 0.338
|
|
header
|
|
SORBS: sender is open SMTP relay
|
RCVD_IN_SORBS_SMTP
|
0 1.597 0 2.493
|
|
header
|
|
SORBS: sender is open SOCKS proxy server
|
RCVD_IN_SORBS_SOCKS
|
0 1.847 0 2.054
|
|
header
|
|
SORBS: sender is a abuseable web server
|
RCVD_IN_SORBS_WEB
|
0 0 0 0.007
|
|
header
|
|
SORBS: sender demands to never be tested
|
RCVD_IN_SORBS_BLOCK
|
1
|
|
header
|
|
SORBS: sender is on a hijacked network
|
RCVD_IN_SORBS_ZOMBIE
|
0 0.819 0 0
|
|
header
|
|
SORBS: sent directly from dynamic IP address
|
RCVD_IN_SORBS_DUL
|
0 0.137 0 1.987
|
|
header
|
|
Received via a relay in Spamhaus SBL
|
RCVD_IN_SBL
|
0 1.050 0 0.107
|
|
header
|
|
Received via a relay in Spamhaus XBL
|
RCVD_IN_XBL
|
0 2.511 0 3.076
|
|
header
|
|
Envelope sender in dsn.rfc-ignorant.org
|
DNS_FROM_RFC_DSN
|
1
|
|
header
|
|
Envelope sender in postmaster.rfc-ignorant.org
|
DNS_FROM_RFC_POST
|
0 1.376 0 1.614
|
|
header
|
|
Envelope sender in abuse.rfc-ignorant.org
|
DNS_FROM_RFC_ABUSE
|
0 0.374 0 0
|
|
header
|
|
Envelope sender in whois.rfc-ignorant.org
|
DNS_FROM_RFC_WHOIS
|
0 0.492 0 0.296
|
|
header
|
|
Envelope sender in bogusmx.rfc-ignorant.org
|
DNS_FROM_RFC_BOGUSMX
|
0 1.463 0 2.630
|
|
header
|
|
Received via a relay in list.dsbl.org
|
RCVD_IN_DSBL
|
0 2.765 0 3.805
|
|
header
|
|
From: sender listed in dnsbl.ahbl.org
|
DNS_FROM_AHBL_RHSBL
|
0 0.070 0 0.295
|
|
header
|
|
Has Habeas warrant mark and on Infringer List
|
HABEAS_INFRINGER
|
0 16.0 0 16.0
|
|
header
|
|
Has Habeas warrant mark and on User List
|
HABEAS_USER
|
0 -8.0 0 -8.0
|
|
header
|
|
Sender is in Bonded Sender Program (trusted relay)
|
RCVD_IN_BSP_TRUSTED
|
0 -4.3 0 -4.3
|
|
header
|
|
Sender is in Bonded Sender Program (other relay)
|
RCVD_IN_BSP_OTHER
|
0 -0.1 0 -0.1
|
|
header
|
|
Sender domain is new and very high volume
|
SB_NEW_BULK
|
1
|
|
header
|
|
Sender IP hosted at NSP has a volume spike
|
SB_NSP_VOLUME_SPIKE
|
1
|
|
header
|
|
Received via a relay in bl.spamcop.net
|
RCVD_IN_BL_SPAMCOP_NET
|
0 1.832 0 1.216
|
|
header
|
|
Received via a relay in RSL
|
RCVD_IN_RSL
|
0 0.677 0 1.720
|
|
header
|
|
Relay in RBL, http://www.mail-abuse.org/rbl/
|
RCVD_IN_MAPS_RBL
|
1
|
|
header
|
|
Relay in DUL, http://www.mail-abuse.org/dul/
|
RCVD_IN_MAPS_DUL
|
1
|
|
header
|
|
Relay in RSS, http://www.mail-abuse.org/rss/
|
RCVD_IN_MAPS_RSS
|
1
|
|
header
|
|
Relay in NML, http://www.mail-abuse.org/nml/
|
RCVD_IN_MAPS_NML
|
1
|
|
header
|
|
Envelope sender has no MX or A DNS records
|
NO_DNS_FOR_FROM
|
0 1.1 0 1.6
|
|
header
|
|
Subject contains a gappy version of 'cialis'
|
SUBJECT_DRUG_GAP_C
|
1.993 1.917 2.501 1.325
|
|
header
|
|
Subject contains a gappy version of 'levitra'
|
SUBJECT_DRUG_GAP_L
|
2.117 2.726 2.181 2.456
|
|
header
|
|
Subject contains a gappy version of 'phentermine'
|
SUBJECT_DRUG_GAP_P
|
0.621 0.765 0.698 1.425
|
|
header
|
|
Subject contains a gappy version of 'soma'
|
SUBJECT_DRUG_GAP_S
|
2.005 0.277 2.920 2.041
|
|
header
|
|
Subject contains a gappy version of 'valium'
|
SUBJECT_DRUG_GAP_VA
|
2.005 1.922 2.934 3.680
|
|
header
|
|
Subject contains a gappy version of 'viagra'
|
SUBJECT_DRUG_GAP_VIA
|
2.659 1.770 3.158 0.253
|
|
header
|
|
Subject contains a gappy version of 'vicodin'
|
SUBJECT_DRUG_GAP_VIC
|
2.560 2.961 2.691 2.868
|
|
header
|
|
Subject contains a gappy version of 'xanax'
|
SUBJECT_DRUG_GAP_X
|
2.538 2.282 2.945 2.512
|
|
body
|
|
Talks about price per dose
|
DRUG_DOSAGE
|
0.342 0.608 0.405 0.862
|
|
body
|
|
Mentions an E.D. drug
|
DRUG_ED_CAPS
|
0.122 1.535 0 0.185
|
|
body
|
|
Viagra and other drugs
|
DRUG_ED_COMBO
|
1.000 0.183 1.415 1.636
|
|
body
|
|
Talks about an E.D. drug using its chemical name
|
DRUG_ED_SILD
|
1.856 0.421 1.597 1.666
|
|
body
|
|
Mentions Generic Viagra
|
DRUG_ED_GENERIC
|
1.933 1.181 0 1.128
|
|
body
|
|
Fast Viagra Delivery
|
DRUG_ED_ONLINE
|
0.553 1.820 1.097 2.300
|
|
body
|
|
Deep discount medications
|
DEEP_DISC_MEDS
|
2.480 1.211 2.573 2.626
|
|
body
|
|
Online Pharmacy
|
ONLINE_PHARMACY
|
2.730 0 2.895 0.000
|
|
body
|
|
Attempts to disguise the word 'viagra'
|
VIA_GAP_GRA
|
2.800 3.171 2.886 3.005
|
|
body
|
|
Two or more drugs crammed together into one word
|
DRUGS_SMEAR1
|
0.515 1.522 0.475 2.351
|
|
header
|
|
Host HELO did not match rDNS: msn.com
|
FAKE_HELO_MSN
|
1.773 1.456 2.069 2.645
|
|
header
|
|
Host HELO did not match rDNS: mail.com
|
FAKE_HELO_MAIL_COM
|
1.303 1.972 0.111 0.000
|
|
header
|
|
Host HELO did not match rDNS: email.com
|
FAKE_HELO_EMAIL_COM
|
0 0 0 1.537
|
|
header
|
|
Host HELO did not match rDNS: eudoramail.com
|
FAKE_HELO_EUDORAMAIL
|
1.520 0.907 0 0
|
|
header
|
|
Host HELO did not match rDNS: excite.com
|
FAKE_HELO_EXCITE
|
1.840 2.127 2.127 2.074
|
|
header
|
|
Host HELO did not match rDNS: lycos.com
|
FAKE_HELO_LYCOS
|
1.410 1.645 0 0.988
|
|
header
|
|
Host HELO did not match rDNS: yahoo.ca
|
FAKE_HELO_YAHOO_CA
|
1.166 0 0.171 1.116
|
|
header
|
|
Relay HELO'd with suspicious hostname (mail.com)
|
FAKE_HELO_MAIL_COM_DOM
|
1.920 2.173 2.312 2.108
|
|
header
|
|
Relay HELO'd using suspicious hostname (IP addr 1)
|
HELO_DYNAMIC_IPADDR
|
3.520 2.754 4.070 4.400
|
|
header
|
|
Relay HELO'd using suspicious hostname (DHCP)
|
HELO_DYNAMIC_DHCP
|
2.791 0.087 0.958 1.248
|
|
header
|
|
Relay HELO'd using suspicious hostname (HCC)
|
HELO_DYNAMIC_HCC
|
3.360 1.540 2.451 3.741
|
|
header
|
|
Relay HELO'd using suspicious hostname (ATTBI.com)
|
HELO_DYNAMIC_ATTBI
|
3.200 3.662 2.760 3.147
|
|
header
|
|
Relay HELO'd using suspicious hostname (Rogers)
|
HELO_DYNAMIC_ROGERS
|
1.677 0.793 1.888 2.094
|
|
header
|
|
Relay HELO'd using suspicious hostname (Adelphia)
|
HELO_DYNAMIC_ADELPHIA
|
2.320 1.829 2.389 2.199
|
|
header
|
|
Relay HELO'd using suspicious hostname (T-Dialin)
|
HELO_DYNAMIC_DIALIN
|
2.320 0.443 2.429 1.755
|
|
header
|
|
Relay HELO'd using suspicious hostname (Hex IP)
|
HELO_DYNAMIC_HEXIP
|
1.826 1.320 1.453 1.522
|
|
header
|
|
Relay HELO'd using suspicious hostname (Split IP)
|
HELO_DYNAMIC_SPLIT_IP
|
2.869 0.887 0.992 0.775
|
|
header
|
|
Relay HELO'd using suspicious hostname (YahooBB)
|
HELO_DYNAMIC_YAHOOBB
|
2.800 2.776 2.572 3.000
|
|
header
|
|
Relay HELO'd using suspicious hostname (OptOnline)
|
HELO_DYNAMIC_OOL
|
3.120 2.508 3.065 3.182
|
|
header
|
|
Relay HELO'd using suspicious hostname (IP addr 2)
|
HELO_DYNAMIC_IPADDR2
|
3.271 0.805 2.554 3.496
|
|
header
|
|
Relay HELO'd using suspicious hostname (RR 2)
|
HELO_DYNAMIC_RR2
|
2.080 1.015 1.678 2.200
|
|
header
|
|
Relay HELO'd using suspicious hostname (Comcast)
|
HELO_DYNAMIC_COMCAST
|
3.040 3.533 3.217 3.700
|
|
header
|
|
Relay HELO'd using suspicious hostname (Telia)
|
HELO_DYNAMIC_TELIA
|
0 0 1.216 1.515
|
|
header
|
|
Relay HELO'd using suspicious hostname (VTR)
|
HELO_DYNAMIC_VTR
|
1.916 0.805 2.013 1.960
|
|
header
|
|
Relay HELO'd using suspicious hostname (Chello.no)
|
HELO_DYNAMIC_CHELLO_NO
|
1.388 0.226 1.409 1.570
|
|
header
|
|
Relay HELO'd using suspicious hostname (Chello.nl)
|
HELO_DYNAMIC_CHELLO_NL
|
1.762 0 0.542 0.244
|
|
header
|
|
Relay HELO'd using suspicious hostname (Veloxzone)
|
HELO_DYNAMIC_VELOX
|
1.680 1.877 1.803 2.003
|
|
header
|
|
Relay HELO'd using suspicious hostname (NTL)
|
HELO_DYNAMIC_NTL
|
1.340 0.187 1.445 1.732
|
|
header
|
|
Relay HELO'd using suspicious hostname (Home.nl)
|
HELO_DYNAMIC_HOME_NL
|
1.737 0.635 1.660 1.878
|
|
header
|
|
Message headers are very long
|
HEAD_LONG
|
2.5
|
|
header
|
|
From: does not include a real name
|
NO_REAL_NAME
|
0.124 0.178 0.336 0.007
|
|
header
|
|
From: ends in numbers
|
FROM_ENDS_IN_NUMS
|
0.177 0.516 0.517 0.000
|
|
header
|
|
From: starts with nums
|
FROM_STARTS_WITH_NUMS
|
1.218 1.492 1.441 0.300
|
|
header
|
|
From: contains numbers mixed in with letters
|
FROM_HAS_MIXED_NUMS
|
0.107 0.298 0.024 0.000
|
|
header
|
|
From: contains numbers mixed in with letters
|
FROM_HAS_MIXED_NUMS3
|
1.132 1.113 1.513 1.614
|
|
header
|
|
Uses an address with lots of numbers, at a big ISP
|
ADDR_NUMS_AT_BIGSITE
|
0.072 0.748 0.112 0.081
|
|
header
|
|
From address is "at something-offers"
|
FROM_OFFERS
|
1.822 0.861 2.243 1.491
|
|
header
|
|
From: has no local-part before @ sign
|
FROM_NO_USER
|
1.358 0.344 1.460 0.983
|
|
header
|
|
To: has no local-part before @ sign
|
TO_NO_USER
|
0.332 0.116 1.615 0.128
|
|
header
|
|
To: is empty
|
TO_EMPTY
|
0 0 0.164 0.097
|
|
header
|
|
Reply-To: is empty
|
REPLY_TO_EMPTY
|
1.274 1.410 1.568 1.643
|
|
header
|
|
To: repeats address as real name
|
TO_ADDRESS_EQ_REAL
|
0 0.470 0.131 0.026
|
|
header
|
|
Valid-looking To "undisclosed-recipients"
|
UNDISC_RECIPS
|
0.966 1.391 1.295 1.302
|
|
header
|
|
Faked To "Undisclosed-Recipients"
|
FAKED_UNDISC_RECIPS
|
1.287 0.565 1.431 1.602
|
|
header
|
|
Subject has exclamation mark and question mark
|
PLING_QUERY
|
0.201 0.857 0.906 0.368
|
|
header
|
|
Subject contains a unique ID
|
SUBJ_HAS_UNIQ_ID
|
0.899 1.122 0.809 1.339
|
|
header
|
|
Subject contains lots of white space
|
SUBJ_HAS_SPACES
|
2.240 0.637 1.899 1.175
|
|
header
|
|
Subject is all capitals
|
SUBJ_ALL_CAPS
|
0.763 0.365 0.257 0.665
|
|
header
|
|
Spam tool Message-Id: (99x9xx99 variant)
|
MSGID_SPAM_99X9XX99
|
0.500 0.864 1.576 1.442
|
|
header
|
|
Spam tool Message-Id: (alpha-numeric variant)
|
MSGID_SPAM_ALPHA_NUM
|
2.640 3.004 3.330 3.228
|
|
header
|
|
Spam tool Message-Id: (caps variant)
|
MSGID_SPAM_CAPS
|
3.500 3.221 3.545 3.791
|
|
header
|
|
Spam tool Message-Id: (letters variant)
|
MSGID_SPAM_LETTERS
|
2.960 3.151 3.052 2.709
|
|
header
|
|
Spam tool Message-Id: (12-zeroes variant)
|
MSGID_SPAM_ZEROES
|
1.584 1.763 1.783 1.859
|
|
header
|
|
Message-Id has no hostname
|
MSGID_NO_HOST
|
0.087 0 0.816 0.140
|
|
header
|
|
Message-Id is fake (in Outlook Express format)
|
MSGID_OUTLOOK_INVALID
|
2.000 2.290 2.498 2.700
|
|
header
|
|
Message-ID has ALLCAPS@yahoo.com
|
MSGID_YAHOO_CAPS
|
2.425 0.702 2.442 3.800
|
|
header
|
|
Message-Id for external message added locally
|
MSGID_FROM_MTA_ID
|
1.440 1.704 1.756 1.723
|
|
header
|
|
Message-Id was added by a hotmail.com relay
|
MSGID_FROM_MTA_HOTMAIL
|
1.600 1.858 1.987 2.144
|
|
header
|
|
Date header uses unusual Y2K formatting
|
DATE_SPAMWARE_Y2K
|
2.958 2.888 3.384 3.911
|
|
header
|
|
Invalid Date: header (not RFC 2822)
|
INVALID_DATE
|
0.011 0.235 0 0.236
|
|
header
|
|
