This is the current list of tests SpamAssassin performs on mail messages to
determine if they're spam or not. If you wish to change the score from the
default, add a line like this to your ~/.spamassassin/user_prefs:

Note that these are the scores for the current stable release of SpamAssassin;
they may be different from the ones you're running on your servers, if SpamAssassin
is installed there.

The 'More Info' links, if present, lead to a section of our Wiki for collaborative
documentation of rules; some of the rules include additional user-contributed
documentation there. If you feel like adding a page describing a rule in
further detail, feel free to create a page at that link, using the RuleDescriptionTemplate format.

AREA TESTED | LOCALE | DESCRIPTION OF TEST | TEST NAME | DEFAULT SCORES (local, net, with bayes, with bayes+net) | MORE INFO (additional wiki docs)
body | | Generic Test for Unsolicited Bulk Email | GTUBE | 1000.000 | Wiki
body | | Incorporates a tracking ID number | TRACKER_ID | 2.699 2.696 2.000 2.003 | Wiki
body | | Weird repeated double-quotation marks | WEIRD_QUOTING | 2.799 2.796 1.428 1.396 | Wiki
body | | Body contains a ROT13-encoded email address | EMAIL_ROT13 | 1.600 1.680 1.850 2.000 | Wiki
body | | HTML and text parts are different | MPART_ALT_DIFF | 2.498 1.143 1.456 0.739 | Wiki
body | | HTML and text parts are different | MPART_ALT_DIFF_COUNT | 2.899 1.882 1.500 1.110 | Wiki
body | | Message body has 80-90% blank lines | BLANK_LINES_80_90 | 1 | Wiki
body | | eval:tvd_vertical_words('0','10') | TVD_SPACE_RATIO | 2.899 2.899 2.307 2.219 | Wiki
body | | eval:check_ma_non_text() | MULTIPART_ALT_NON_TEXT | 2.699 2.696 2.699 2.696 | Wiki
body | | Character set indicates a foreign language | CHARSET_FARAWAY | 3.200 | Wiki
rawbody | | Extra blank lines in base64 encoding | MIME_BASE64_BLANKS | 0.221 0.001 0.016 0.041 | Wiki
rawbody | | Message text disguised using base64 encoding | MIME_BASE64_TEXT | 2.701 2.796 1.709 1.753 | Wiki
body | | Missing blank line between MIME header and body | MISSING_MIME_HB_SEP | 2.599 2.699 2.205 2.119 | Wiki
body | | Multipart message mostly text/html MIME | MIME_HTML_MOSTLY | 0.001 | Wiki
body | | Message only has text/html MIME parts | MIME_HTML_ONLY | 2.299 1.672 1.925 1.457 | Wiki
rawbody | | Quoted-printable line longer than 76 chars | MIME_QP_LONG_LINE | 2.499 1.819 1.500 1.396 | Wiki
body | | MIME character set is an unknown ISO charset | MIME_BAD_ISO_CHARSET | 3.363 2.831 2.768 0.346 | Wiki
body | | IP to HTTPS link found in HTML | HTTPS_IP_MISMATCH | 2.697 2.896 2.899 2.897 | Wiki
body | | Message contained a URI which was truncated | URI_TRUNCATED | 0.001 | Wiki
header | | Passed through trusted hosts only via SMTP | ALL_TRUSTED | -1.360 -1.440 -1.665 -1.800 | Wiki
header | | Informational: message was not relayed via SMTP | NO_RELAYS | -0.001 | Wiki
header | | NJABL: sender is confirmed open relay | RCVD_IN_NJABL_RELAY | 0 1.841 0 2.696 | Wiki
header | | NJABL: sender is confirmed spam source | RCVD_IN_NJABL_SPAM | 0 3.096 0 2.072 | Wiki
header | | NJABL: sent through multi-stage open relay | RCVD_IN_NJABL_MULTI | 1 | Wiki
header | | NJABL: sender is an open formmail | RCVD_IN_NJABL_CGI | 1 | Wiki
header | | NJABL: sender is an open proxy | RCVD_IN_NJABL_PROXY | 0 1.693 0 1.643 | Wiki
header | | SORBS: sender is open HTTP proxy server | RCVD_IN_SORBS_HTTP | 0 0.001 0 0.001 | Wiki
header | | SORBS: sender is open SOCKS proxy server | RCVD_IN_SORBS_SOCKS | 0 0.182 0 0.801 | Wiki
header | | SORBS: sender is open proxy server | RCVD_IN_SORBS_MISC | 0 0.001 0 0.353 | Wiki
header | | SORBS: sender is open SMTP relay | RCVD_IN_SORBS_SMTP | 1 | Wiki
header | | SORBS: sender is a abuseable web server | RCVD_IN_SORBS_WEB | 0 1.117 0 0.619 | Wiki
header | | SORBS: sender demands to never be tested | RCVD_IN_SORBS_BLOCK | 1 | Wiki
header | | SORBS: sender is on a hijacked network | RCVD_IN_SORBS_ZOMBIE | 1 | Wiki
header | | SORBS: sent directly from dynamic IP address | RCVD_IN_SORBS_DUL | 0 1.615 0 0.877 | Wiki
header | | Received via a relay in Spamhaus SBL | RCVD_IN_SBL | 0 2.810 0 1.551 | Wiki
header | | Received via a relay in Spamhaus XBL | RCVD_IN_XBL | 0 2.896 0 3.033 | Wiki
header | | Received via a relay in Spamhaus PBL | RCVD_IN_PBL | 0 0.509 0 0.905 | Wiki
header | | Envelope sender in dsn.rfc-ignorant.org | DNS_FROM_RFC_DSN | 0 2.527 0 1.495 | Wiki
header | | Envelope sender in bogusmx.rfc-ignorant.org | DNS_FROM_RFC_BOGUSMX | 0 2.125 0 1.482 | Wiki
header | | CompleteWhois: sender on bogons IP block | RCVD_IN_WHOIS_BOGONS | 1 | Wiki
header | | CompleteWhois: sender on hijacked IP block | RCVD_IN_WHOIS_HIJACKED | 0 1.000 0 1.000 | Wiki
header | | CompleteWhois: sender on invalid IP block | RCVD_IN_WHOIS_INVALID | 0 1.199 0 0.400 | Wiki
header | | Received via a relay in list.dsbl.org | RCVD_IN_DSBL | 0 0.753 0 0.961 | Wiki
header | | Envelope sender listed in dnsbl.ahbl.org | DNS_FROM_AHBL_RHSBL | 0 2.025 0 0.692 | Wiki
header | | Envelope sender in blackholes.securitysage.com | DNS_FROM_SECURITYSAGE | 0 0.127 0 0.001 | Wiki
header | | Received via a relay in bl.spamcop.net | RCVD_IN_BL_SPAMCOP_NET | 0 2.188 0 1.960 | Wiki
header | | Relay in RBL, http://www.mail-abuse.org/rbl/ | RCVD_IN_MAPS_RBL | 1 | Wiki
header | | Relay in DUL, http://www.mail-abuse.org/dul/ | RCVD_IN_MAPS_DUL | 1 | Wiki
header | | Relay in RSS, http://www.mail-abuse.org/rss/ | RCVD_IN_MAPS_RSS | 1 | Wiki
header | | Relay in NML, http://www.mail-abuse.org/nml/ | RCVD_IN_MAPS_NML | 1 | Wiki
header | | Sender is in Bonded Sender Program (trusted relay) | RCVD_IN_BSP_TRUSTED | 0 -4.3 0 -4.3 | Wiki
header | | Sender is in Bonded Sender Program (other relay) | RCVD_IN_BSP_OTHER | 0 -0.1 0 -0.1 | Wiki
header | | ISIPP IADB lists as vouched-for sender | RCVD_IN_IADB_VOUCHED | 0 -2.2 0 -2.2 | Wiki
header | | Habeas Accredited Confirmed Opt-In or Better | HABEAS_ACCREDITED_COI | 0 -8.0 0 -8.0 | Wiki
header | | Habeas Accredited Opt-In or Better | HABEAS_ACCREDITED_SOI | 0 -4.3 0 -4.3 | Wiki
header | | Habeas Checked | HABEAS_CHECKED | 0 -0.2 0 -0.2 | Wiki
header | | Subject contains a gappy version of 'cialis' | SUBJECT_DRUG_GAP_C | 0.001 0.001 0.508 0.003 | Wiki
header | | Subject contains a gappy version of 'levitra' | SUBJECT_DRUG_GAP_L | 1.047 1.831 2.407 2.515 | Wiki
header | | Subject contains a gappy version of 'soma' | SUBJECT_DRUG_GAP_S | 1 | Wiki
header | | Subject contains a gappy version of 'valium' | SUBJECT_DRUG_GAP_VA | 1.876 2.596 1.035 1.014 | Wiki
header | | Subject contains a gappy version of 'xanax' | SUBJECT_DRUG_GAP_X | 1.478 2.052 2.298 1.766 | Wiki
body | | Talks about price per dose | DRUG_DOSAGE | 2.514 0.128 1.621 1.623 | Wiki
body | | Mentions an E.D. drug | DRUG_ED_CAPS | 0.329 1.540 2.417 0.322 | Wiki
body | | Talks about an E.D. drug using its chemical name | DRUG_ED_SILD | 0.001 0.001 1.026 1.185 | Wiki
body | | Mentions Generic Viagra | DRUG_ED_GENERIC | 3.286 3.314 2.001 1.558 | Wiki
body | | Fast Viagra Delivery | DRUG_ED_ONLINE | 1 | Wiki
body | | Online Pharmacy | ONLINE_PHARMACY | 2.701 1.484 0.057 0.001 | Wiki
body | | No prescription needed | NO_PRESCRIPTION | 2.573 2.757 2.944 2.619 | Wiki
body | | Attempts to disguise the word 'viagra' | VIA_GAP_GRA | 2.203 1.053 2.004 0.133 | Wiki
body | | Two or more drugs crammed together into one word | DRUGS_SMEAR1 | 1 | Wiki
header | | Delivered to trusted network by a host with no rDNS | RDNS_NONE | 0.1 | Wiki
header | | Relay HELO'd with suspicious hostname (mail.com) | FAKE_HELO_MAIL_COM_DOM | 3.199 3.196 2.812 3.199 | Wiki
header | | Relay HELO'd using suspicious hostname (IP addr 1) | HELO_DYNAMIC_IPADDR | 4.399 2.935 2.643 2.426 | Wiki
header | | Relay HELO'd using suspicious hostname (DHCP) | HELO_DYNAMIC_DHCP | 2.298 1.520 1.536 1.398 | Wiki
header | | Relay HELO'd using suspicious hostname (HCC) | HELO_DYNAMIC_HCC | 4.299 4.295 4.299 4.295 | Wiki
header | | Relay HELO'd using suspicious hostname (Rogers) | HELO_DYNAMIC_ROGERS | 1 | Wiki
header | | Relay HELO'd using suspicious hostname (T-Dialin) | HELO_DYNAMIC_DIALIN | 3.999 3.995 3.999 3.384 | Wiki
header | | Relay HELO'd using suspicious hostname (Hex IP) | HELO_DYNAMIC_HEXIP | 3.099 3.099 3.100 2.204 | Wiki
header | | Relay HELO'd using suspicious hostname (Split IP) | HELO_DYNAMIC_SPLIT_IP | 4.199 4.199 4.199 3.493 | Wiki
header | | Relay HELO'd using suspicious hostname (IP addr 2) | HELO_DYNAMIC_IPADDR2 | 4.399 4.395 4.400 4.395 | Wiki
header | | Relay HELO'd using suspicious hostname (Chello.nl) | HELO_DYNAMIC_CHELLO_NL | 3.600 3.599 3.599 3.595 | Wiki
header | | Relay HELO'd using suspicious hostname (Home.nl) | HELO_DYNAMIC_HOME_NL | 3.499 3.496 3.499 3.463 | Wiki
header | | Host HELO did not match rDNS: msn.com | FAKE_HELO_MSN | 1 | Wiki
header | | Host HELO did not match rDNS: mail.com | FAKE_HELO_MAIL_COM | 1.755 0.220 2.600 1.317 | Wiki
header | | Host HELO did not match rDNS: email.com | FAKE_HELO_EMAIL_COM | 1 | Wiki
header | | Host HELO did not match rDNS: excite.com | FAKE_HELO_EXCITE | 2.599 2.552 2.599 2.598 | Wiki
header | | Host HELO did not match rDNS: lycos.com | FAKE_HELO_LYCOS | 2.459 2.432 2.497 2.599 | Wiki
header | | Host HELO did not match rDNS: yahoo.ca | FAKE_HELO_YAHOO_CA | 1 | Wiki
header | | Partial message | FRAGMENTED_MESSAGE | 2.5 | Wiki
header | | From: contains empty name | FROM_BLANK_NAME | 2.215 2.212 2.100 0.760 | Wiki
header | | From: starts with many numbers | FROM_STARTS_WITH_NUMS | 2.302 0.723 1.232 1.499 | Wiki
header | | From address is "at something-offers" | FROM_OFFERS | 2.601 1.145 2.699 0.001 | Wiki
header | | From: has no local-part before @ sign | FROM_NO_USER | 2.199 0.499 2.081 1.483 | Wiki
header | | Subject has exclamation mark and question mark | PLING_QUERY | 2.160 1.333 1.400 1.390 | Wiki
header | | Spam tool Message-Id: (caps variant) | MSGID_SPAM_CAPS | 4.199 4.195 4.199 4.195 | Wiki
header | | Spam tool Message-Id: (letters variant) | MSGID_SPAM_LETTERS | 2.861 1.637 0.866 1.188 | Wiki
header | | Message-ID has ALLCAPS@yahoo.com | MSGID_YAHOO_CAPS | 1.197 0.448 2.921 3.107 | Wiki
header | | Message-ID is unusually short | MSGID_SHORT | 0.200 0.232 0.690 1.078 | Wiki
header | | Message-ID contains multiple '@' characters | MSGID_MULTIPLE_AT | 1.221 1.211 1.571 1.449 | Wiki
header | | Date header uses unusual Y2K formatting | DATE_SPAMWARE_Y2K | 2.057 1.031 2.912 2.883 | Wiki
header | | Invalid Date: header (not RFC 2822) | INVALID_DATE | 2.303 1.651 1.329 1.245 | Wiki
header | | Invalid Date: header (timezone does not exist) | INVALID_DATE_TZ_ABSURD | 0.197 0.243 2.284 2.191 | Wiki
header | | Invalid date in header (wrong CST timezone) | INVALID_TZ_CST | 1.704 0.862 1.583 2.079 | Wiki
header | | Invalid date in header (wrong EST timezone) | INVALID_TZ_EST | 2.601 2.065 2.265 2.696 | Wiki
header | | Subject contains an English UCE tag | ENGLISH_UCE_SUBJECT | 1 | Wiki
header | | Subject contains a Japanese UCE tag | JAPANESE_UCE_SUBJECT | 1 | Wiki
header | | Subject: contains Korean unsolicited email tag | KOREAN_UCE_SUBJECT | 3.099 1.111 2.114 2.962 | Wiki
header | | Contains forged hostname for a DSL IP in Brazil | FORGED_TELESP_RCVD | 1 | Wiki
header | | Character set doesn't exist | NONEXISTENT_CHARSET | 1 | Wiki
header | | Missing Message-Id: header | MISSING_MID | 0.001 | Wiki
header | | Missing Date: header | MISSING_DATE | 0.001 | Wiki
header | | Subject: contains G.a.p.p.y-T.e.x.t | GAPPY_SUBJECT | 2.104 2.001 0.941 1.020 | Wiki
header | | Message has Prevent-NonDelivery-Report header | PREVENT_NONDELIVERY | 1.515 1.640 1.737 1.600 | Wiki
header | | Message has X-IP header | X_IP | 2.840 1.943 2.744 3.177 | Wiki
header | | Subject contains "As Seen" | SUBJ_AS_SEEN | 1 | Wiki
header | | Subject starts with dollar amount | SUBJ_DOLLARS | 2.399 0.842 1.501 1.421 | Wiki
header | | Subject contains "Your Bills" or similar | SUBJ_YOUR_DEBT | 2.899 2.896 2.576 2.622 | Wiki
header | | Subject contains "Your Family" | SUBJ_YOUR_FAMILY | 2.799 2.647 2.000 1.043 | Wiki
header | | Received contains a faked HELO hostname | RCVD_FAKE_HELO_DOTCOM | 2.789 2.775 2.899 2.592 | Wiki
header | | Subject talks about losing pounds | SUBJECT_DIET | 2.527 1.621 2.084 1.466 | Wiki
header | | Header has extraneous Content-type:...type= entry | EXTRA_MPART_TYPE | 1.0 | Wiki
header | | Spam tool pattern in MIME boundary | MIME_BOUND_DD_DIGITS | 3.869 4.199 3.386 1.466 | Wiki
header | | Spam tool pattern in MIME boundary | MIME_BOUND_DIGITS_15 | 2.899 2.896 2.899 2.896 | Wiki
header | | Spam tool pattern in MIME boundary | MIME_BOUND_MANY_HEX | 0.001 0.001 1.472 0.803 | Wiki
header | | To: has a malformed address | TO_MALFORMED | 0.001 0.001 0.001 1.170 | Wiki
header | | Received line contains spam-sign (lowercase smtp) | WITH_LC_SMTP | 1 | Wiki
header | | Subject line starts with Buy or Buying | SUBJ_BUY | 2.702 0.900 0.999 0.001 | Wiki
header | | Received headers forged (AM/PM) | RCVD_AM_PM | 1.529 1.688 2.833 0.545 | Wiki
header | | Received header contains faked 'mr.outblaze.com' | FAKE_OUTBLAZE_RCVD | 3.499 3.496 3.304 2.271 | Wiki
header | | Headers contain an unclosed bracket | UNCLOSED_BRACKET | 2.687 2.083 1.580 2.206 | Wiki
header | | From: domain has series of non-vowel letters | FROM_DOMAIN_NOVOWEL | 3.000 3.099 2.999 2.592 | Wiki
header | | From: localpart has series of non-vowel letters | FROM_LOCAL_NOVOWEL | 3.199 3.196 3.199 3.196 | Wiki
header | | From: localpart has long hexadecimal sequence | FROM_LOCAL_HEX | 2.602 2.733 1.432 1.399 | Wiki
header | | From: localpart has long digit sequence | FROM_LOCAL_DIGITS | 0.001 | Wiki
header | | Cc: after X-Priority: (bulk email fingerprint) | X_PRIORITY_CC | 2.599 1.492 2.599 2.596 | Wiki
header | | Message has bad MIME encoding in the header | BAD_ENC_HEADER | 3.499 2.870 1.947 1.810 | Wiki
header | | A foreign language charset used in headers | CHARSET_FARAWAY_HEADER | 3.200 | Wiki
header | | Subject: has too many raw illegal characters | SUBJ_ILLEGAL_CHARS | 1.173 1.527 1.954 1.586 | Wiki
header | | From: has too many raw illegal characters | FROM_ILLEGAL_CHARS | 2.922 3.999 3.999 3.995 | Wiki
header | | Headers have too many raw illegal characters | HEAD_ILLEGAL_CHARS | 3.799 3.729 3.799 3.622 | Wiki
header | | hotmail.com 'From' address, but no 'Received:' | FORGED_HOTMAIL_RCVD2 | 1.947 1.117 1.498 1.502 | Wiki
header | | 'From' yahoo.com does not match 'Received' headers | FORGED_YAHOO_RCVD | 2.299 1.408 1.889 2.297 | Wiki
header | | Recipient list is sorted by address | SORTED_RECIPS | 2.925 1.800 1.972 1.125 | Wiki
header | | Similar addresses in recipient list | SUSPICIOUS_RECIPS | 3.199 3.196 2.299 2.912 | Wiki
header | | Missing To: header | MISSING_HEADERS | 1.899 1.581 1.500 1.292 | Wiki
header | | Received: says mail sent around the world (HELO) | ROUND_THE_WORLD_LOCAL | 2.699 2.696 2.700 2.696 | Wiki
header | | Date: is 3 to 6 hours before Received: date | DATE_IN_PAST_03_06 | 2.299 1.394 1.306 0.044 | Wiki
header | | Date: is 6 to 12 hours before Received: date | DATE_IN_PAST_06_12 | 2.504 1.854 1.499 1.069 | Wiki
header | | Date: is 12 to 24 hours before Received: date | DATE_IN_PAST_12_24 | 2.499 1.770 1.503 0.992 | Wiki
header | | Date: is 24 to 48 hours before Received: date | DATE_IN_PAST_24_48 | 2.300 1.627 1.498 1.219 | Wiki
header | | Date: is 96 hours or more before Received: date | DATE_IN_PAST_96_XX | 2.952 2.320 1.800 1.690 | Wiki
header | | Date: is 3 to 6 hours after Received: date | DATE_IN_FUTURE_03_06 | 2.303 0.416 1.461 0.274 | Wiki
header | | Date: is 6 to 12 hours after Received: date | DATE_IN_FUTURE_06_12 | 3.099 3.099 2.136 1.897 | Wiki
header | | Date: is 12 to 24 hours after Received: date | DATE_IN_FUTURE_12_24 | 3.300 3.299 3.000 2.189 | Wiki
header | | Date: is 24 to 48 hours after Received: date | DATE_IN_FUTURE_24_48 | 3.599 2.800 3.599 3.196 | Wiki
header | | Date: is 48 to 96 hours after Received: date | DATE_IN_FUTURE_48_96 | 3.199 3.182 3.199 3.199 | Wiki
header | | Date: is 96 hours or more after Received: date | DATE_IN_FUTURE_96_XX | 3.899 3.899 2.598 1.439 | Wiki
header | | Headers contain an unresolved template | UNRESOLVED_TEMPLATE | 2.801 3.325 3.499 3.132 | Wiki
header | | Subject is all capitals | SUBJ_ALL_CAPS | 2.299 1.806 1.926 2.077 | Wiki
header | | Local part of To: address appears in Subject | LOCALPART_IN_SUBJECT | 2.499 2.497 1.641 2.020 | Wiki
header | | Message-Id is fake (in Outlook Express format) | MSGID_OUTLOOK_INVALID | 2.899 2.896 2.899 2.899 | Wiki
header | | Multiple Content-Type headers found | HEADER_COUNT_CTYPE | 2.699 0.671 2.390 3.026 | Wiki
header | | Message headers are very long | HEAD_LONG | 2.5 | Wiki
header | | Missing blank line between message header and body | MISSING_HB_SEP | 2.5 | Wiki
header | | Informational: message has unparseable relay lines | UNPARSEABLE_RELAY | 0.001 | Wiki
header | | Received: HELO and IP do not match, but should | RCVD_HELO_IP_MISMATCH | 2.401 2.320 2.627 2.837 | Wiki
header | | Received: contains an IP address used for HELO | RCVD_NUMERIC_HELO | 2.599 2.599 2.272 2.067 | Wiki
header | | Received: contains illegal IP address | RCVD_ILLEGAL_IP | 3.199 3.196 2.902 1.908 | Wiki
header | | Host HELO'd as a big ISP, but had no rDNS | NO_RDNS_DOTCOM_HELO | 2.411 0.799 0.000 0.001 | Wiki
rawbody | | Javascript to hide URLs in browser | HIDE_WIN_STATUS | 2.499 2.213 2.499 2.499 | Wiki
body | | HTML included in message | HTML_MESSAGE | 0.001 | Wiki
body | | HTML comment is very short | HTML_COMMENT_SHORT | 0.001 0.001 0.032 0.727 | Wiki
body | | HTML message is a saved web page | HTML_COMMENT_SAVED_URL | 1.677 1.820 0.492 0.114 | Wiki
body | | HTML with embedded plugin object | HTML_EMBEDS | 1.083 0.440 0.001 0.056 | Wiki
body | | HTML contains far too many close tags | HTML_EXTRA_CLOSE | 1.041 1.089 2.502 2.809 | Wiki
body | | HTML font size is large | HTML_FONT_SIZE_LARGE | 0.147 0.001 0.001 0.001 | Wiki
body | | HTML font size is huge | HTML_FONT_SIZE_HUGE | 0.804 0.389 0.001 0.057 | Wiki
body | | HTML font color similar to background | HTML_FONT_LOW_CONTRAST | 0.131 0.543 0.663 0.124 | Wiki
body | | HTML font face is not a word | HTML_FONT_FACE_BAD | 0.923 0.606 0.650 0.884 | Wiki
body | | HTML includes a form which sends mail | HTML_FORMACTION_MAILTO | 1 | Wiki
body | | HTML: images with 0-400 bytes of words | HTML_IMAGE_ONLY_04 | 2.502 1.462 1.875 2.041 | Wiki
body | | HTML: images with 400-800 bytes of words | HTML_IMAGE_ONLY_08 | 2.554 2.432 2.045 1.787 | Wiki
body | | HTML: images with 800-1200 bytes of words | HTML_IMAGE_ONLY_12 | 2.552 2.245 2.779 2.460 | Wiki
body | | HTML: images with 1200-1600 bytes of words | HTML_IMAGE_ONLY_16 | 2.646 2.498 2.078 1.526 | Wiki
body | | HTML: images with 1600-2000 bytes of words | HTML_IMAGE_ONLY_20 | 2.401 1.808 1.500 1.546 | Wiki
body | | HTML: images with 2000-2400 bytes of words | HTML_IMAGE_ONLY_24 | 2.400 2.207 1.501 1.552 | Wiki
body | | HTML: images with 2400-2800 bytes of words | HTML_IMAGE_ONLY_28 | 2.500 1.519 2.115 1.561 | Wiki
body | | HTML: images with 2800-3200 bytes of words | HTML_IMAGE_ONLY_32 | 2.353 1.318 2.004 1.778 | Wiki
body | | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_02 | 1.518 0.550 0.573 0.383 | Wiki
body | | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_04 | 1.561 0.170 0.863 0.172 | Wiki
body | | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_06 | 0.401 0.001 0.501 0.001 | Wiki
body | | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_08 | 0.203 0.001 0.179 0.001 | Wiki
body | | Message is 5% to 10% HTML obfuscation | HTML_OBFUSCATE_05_10 | 0.638 0.572 0.000 0.001 | Wiki
body | | Message is 10% to 20% HTML obfuscation | HTML_OBFUSCATE_10_20 | 2.600 3.196 2.487 2.601 | Wiki
body | | Message is 20% to 30% HTML obfuscation | HTML_OBFUSCATE_20_30 | 3.199 2.747 3.199 3.196 | Wiki
body | | Message is 30% to 40% HTML obfuscation | HTML_OBFUSCATE_30_40 | 2.599 2.599 2.214 1.362 | Wiki
body | | Message is 50% to 60% HTML obfuscation | HTML_OBFUSCATE_50_60 | 1 | Wiki
body | | Message is 70% to 80% HTML obfuscation | HTML_OBFUSCATE_70_80 | 1 | Wiki
body | | Message is 90% to 100% HTML obfuscation | HTML_OBFUSCATE_90_100 | 1 | Wiki
body | | HTML has unbalanced "body" tags | HTML_TAG_BALANCE_BODY | 1.253 0.807 1.082 1.263 | Wiki
body | | HTML has unbalanced "head" tags | HTML_TAG_BALANCE_HEAD | 2.498 1.370 0.533 1.334 | Wiki
body | | HTML has "bgsound" tag | HTML_TAG_EXIST_BGSOUND | 1 | Wiki
body | | HTML message is 40% to 50% bad tags | HTML_BADTAG_40_50 | 1 | Wiki
body | | HTML message is 50% to 60% bad tags | HTML_BADTAG_50_60 | 1 | Wiki
body | | HTML message is 60% to 70% bad tags | HTML_BADTAG_60_70 | 1 | Wiki
body | | HTML message is 90% to 100% bad tags | HTML_BADTAG_90_100 | 1 | Wiki
body | | 30% to 40% of HTML elements are non-standard | HTML_NONELEMENT_30_40 | 1.024 1.775 0.074 0.001 | Wiki
body | | 40% to 50% of HTML elements are non-standard | HTML_NONELEMENT_40_50 | 0.322 0.001 1.707 0.944 | Wiki
body | | 60% to 70% of HTML elements are non-standard | HTML_NONELEMENT_60_70 | 1 | Wiki
body | | 80% to 90% of HTML elements are non-standard | HTML_NONELEMENT_80_90 | 1 | Wiki
body | | Message has HTML IFRAME tag with SRC URI | HTML_IFRAME_SRC | 0.001 0.001 0.000 0.043 | Wiki
header | | Envelope sender has no MX or A DNS records | NO_DNS_FOR_FROM | 0 1.407 0 1.496 | Wiki
header | | Received: says mail sent around the world (DNS) | ROUND_THE_WORLD | 1 | Wiki
body | | Removal phrase right before a link | REMOVE_BEFORE_LINK | 0.001 0.001 0.010 0.001 | Wiki
body | | One hundred percent guaranteed | GUARANTEED_100_PERCENT | 0.571 0.965 0.001 0.012 | Wiki
body | | Dear Friend? That's not very dear! | DEAR_FRIEND | 2.649 2.696 2.699 2.699 | Wiki
body | | Contains 'Dear (something)' | DEAR_SOMETHING | 2.799 2.234 1.721 1.605 | Wiki
body | | Talks about lots of money | BILLION_DOLLARS | 2.658 0.001 1.603 1.875 | Wiki
body | | Claims you can be removed from the list | EXCUSE_4 | 1.999 1.934 0.001 1.336 | Wiki
body | | Claims you wanted this ad | EXCUSE_24 | 2.599 2.599 2.600 2.596 | Wiki
body | | Talks about how to be removed from mailings | EXCUSE_REMOVE | 2.999 1.477 2.999 0.001 | Wiki
body | | Tells you about a strong buy | STRONG_BUY | 3.599 2.478 2.623 2.488 | Wiki
body | | Offers a alert about a stock | STOCK_ALERT | 2.899 2.889 2.899 2.897 | Wiki
body | | Not registered investment advisor | NOT_ADVISOR | 1 | Wiki
body | | 'Prestigious Non-Accredited Universities' | PREST_NON_ACCREDITED | 1 | Wiki
body | | Information on growing body parts | BODY_ENHANCEMENT | 1.799 1.608 1.499 0.309 | Wiki
body | | Information on getting larger body parts | BODY_ENHANCEMENT2 | 1.659 0.714 0.122 0.001 | Wiki
body | | Impotence cure | IMPOTENCE | 2.608 1.678 2.862 1.886 | Wiki
body | | Talks about a million North American dollars | NA_DOLLARS | 2.385 1.129 1.506 1.329 | Wiki
body | | Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN) | US_DOLLARS_3 | 2.342 1.165 1.046 0.630 | Wiki
body | | Talks about millions of dollars | MILLION_USD | 2.391 1.777 1.501 1.528 | Wiki
body | | Contains urgent matter | URG_BIZ | 2.384 0.667 1.511 1.585 | Wiki
body | | Money back guarantee | MONEY_BACK | 0.939 0.001 0.001 0.001 | Wiki
body | | Free express or no-obligation quote | FREE_QUOTE_INSTANT | 2.500 2.499 1.499 1.496 | Wiki
body | | Eliminate Bad Credit | BAD_CREDIT | 2.602 0.325 1.500 0.001 | Wiki
body | | Home refinancing | REFINANCE_YOUR_HOME | 2.699 0.001 2.699 2.039 | Wiki
body | | Home refinancing | REFINANCE_NOW | 2.393 0.169 1.933 0.556 | Wiki
body | | No Medical Exams | NO_MEDICAL | 1 | Wiki
body | | Lose Weight Spam | DIET_1 | 2.472 0.336 1.442 0.083 | Wiki
body | | Freedom of a financial nature | FIN_FREE | 2.599 2.599 2.599 2.596 | Wiki
body | | Stock Disclaimer Statement | FORWARD_LOOKING | 1 | Wiki
body | | One Time Rip Off | ONE_TIME | 1 | Wiki
body | | Join Millions of Americans | JOIN_MILLIONS | 1.398 1.807 2.912 1.777 | Wiki
body | | Claims you registered with a partner | MARKETING_PARTNERS | 2.599 2.355 1.614 1.295 | Wiki
body | | Lowest Price | LOW_PRICE | 1.903 1.159 0.743 0.001 | Wiki
body | | People just leave money laying around | UNCLAIMED_MONEY | 3.099 2.985 2.943 3.096 | Wiki
body | | Message seems to contain rot13ed address | OBSCURED_EMAIL | 1.899 0.012 0.000 0.001 | Wiki
body | | Talks about Oprah with an exclamation! | BANG_OPRAH | 1 | Wiki
body | | Talks about 'acting now' with capitals | ACT_NOW_CAPS | 0.948 0.001 1.259 0.792 | Wiki
body | | Talks about a bigger drive for sex | MORE_SEX | 3.699 2.321 1.631 1.183 | Wiki
body | | Something is emphatically guaranteed | BANG_GUAR | 2.002 1.237 1.500 0.939 | Wiki
body | | Message mentions investment advice | INVESTMENT_ADVICE | 0.001 0.001 0.421 0.042 | Wiki
body | | Message talks about enhancing men | MALE_ENHANCE | 2.600 2.596 2.599 2.596 | Wiki
body | | Message says that prices aren't too expensive | PRICES_ARE_AFFORDABLE | 2.195 0.001 2.444 0.001 | Wiki
body | | Message talks about a replica watch | REPLICA_WATCH | 3.399 3.396 3.399 3.396 | Wiki
body | | Message puts emphasis on the watch manufacturer | EM_ROLEX | 1 | Wiki
body | | Possible porn - Free Porn | FREE_PORN | 1 | Wiki
body | | Possible porn - Cum Shot | CUM_SHOT | 2.799 2.796 2.632 2.799 | Wiki
body | | Possible porn - Live Porn | LIVE_PORN | 1 | Wiki
header | | Subject indicates sexually-explicit content | SUBJECT_SEXUAL | 2.900 0.116 1.499 0.001 | Wiki
header | | Bulk email fingerprint (eGroups) found | RATWARE_EGROUPS | 2.673 2.379 3.181 2.001 | Wiki
header | | X-Mailer has malformed Outlook Express version | RATWARE_OE_MALFORMED | 0.581 2.095 2.624 2.927 | Wiki
header | | Bulk email fingerprint (Mozilla malformed) found | RATWARE_MOZ_MALFORMED | 1 | Wiki
header | | Bulk email fingerprint (mPOP Web-Mail) | RATWARE_MPOP_WEBMAIL | 1 | Wiki
rawbody | | Contains a hashbuster in Send-Safe format | RATWARE_HASH_DASH | 1 | Wiki
header | | Bulk email fingerprint (Gecko faked) found | RATWARE_GECKO_BUILD | 1 | Wiki
header | | Bulk email fingerprint (X-Message-Info) found | X_MESSAGE_INFO | 3.499 3.496 3.330 1.597 | Wiki
header | | Bulk email fingerprint (header-based) found | HEADER_SPAM | 3.399 3.396 3.399 3.396 | Wiki
header | | Bulk email fingerprint (Received PF) found | RATWARE_RCVD_PF | 3.899 3.895 3.900 3.847 | Wiki
header | | Bulk email fingerprint (Received @) found | RATWARE_RCVD_AT | 1.918 0.650 1.741 0.213 | Wiki
header | | Bulk email fingerprint (envfrom) found | RATWARE_EFROM | 3.799 3.795 3.799 1.529 | Wiki
uri | | /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i | HIGH_CODEPAGE_URI | 2.5 | Wiki
uri | | Uses a numeric IP address in URL | NUMERIC_HTTP_ADDR | 0.919 0.001 0.312 0.001 | Wiki
uri | | Uses %-escapes inside a URL's hostname | HTTP_ESCAPED_HOST | 0.001 0.001 0.071 0.134 | Wiki
uri | | Completely unnecessary %-escapes inside a URL | HTTP_EXCESSIVE_ESCAPES | 2.701 0.964 1.500 0.001 | Wiki
uri | | Dotted-decimal IP address followed by CGI | IP_LINK_PLUS | 0.000 0.001 0.001 0.001 | Wiki
uri | | Uses non-standard port number for HTTP | WEIRD_PORT | 1.599 1.499 1.089 0.001 | Wiki
uri | | Has Yahoo Redirect URI | YAHOO_RD_REDIR | 0.001 0.000 3.000 0.000 | Wiki
uri | | Has Yahoo Redirect URI | YAHOO_DRS_REDIR | 1.007 0.313 1.189 1.103 | Wiki
uri | | Contains an URL-encoded hostname (HTTP77) | HTTP_77 | 3.199 0.001 3.199 1.414 | Wiki
uri | | URI contains ".com" in middle | SPOOF_COM2OTH | 2.840 0.848 1.996 2.044 | Wiki
uri | | URI contains ".com" in middle and end | SPOOF_COM2COM | 0.001 0.341 2.051 2.272 | Wiki
uri | | URI contains ".net" or ".org", then ".com" | SPOOF_NET2COM | 2.899 2.896 2.037 1.586 | Wiki
uri | | URI hostname has long hexadecimal sequence | URI_HEX | 1.777 1.316 1.395 0.368 | Wiki
uri | | URI hostname has long non-vowel sequence | URI_NOVOWEL | 2.899 2.543 1.764 1.620 | Wiki
uri | | URI contains suspicious unsubscribe link | URI_UNSUBSCRIBE | 2.794 3.092 1.538 2.737 | Wiki
uri | | CGI in .info TLD other than third-level "www" | URI_NO_WWW_INFO_CGI | 2.720 0.601 3.138 1.043 | Wiki
uri | | CGI in .biz TLD other than third-level "www" | URI_NO_WWW_BIZ_CGI | 1 | Wiki
uri | | Uses a dotted-decimal IP address in URL | NORMAL_HTTP_TO_IP | 0.101 0.001 0.001 0.001 | Wiki
body | | Bayesian spam probability is 0 to 1% | BAYES_00 | 0 0 -2.312 -2.599 | Wiki
body | | Bayesian spam probability is 1 to 5% | BAYES_05 | 0 0 -1.110 -1.110 | Wiki
body | | Bayesian spam probability is 5 to 20% | BAYES_20 | 0 0 -0.740 -0.740 | Wiki
body | | Bayesian spam probability is 20 to 40% | BAYES_40 | 0 0 -0.185 -0.185 | Wiki
body | | Bayesian spam probability is 40 to 60% | BAYES_50 | 0 0 0.001 0.001 | Wiki
body | | Bayesian spam probability is 60 to 80% | BAYES_60 | 0 0 1.0 1.0 | Wiki
body | | Bayesian spam probability is 80 to 95% | BAYES_80 | 0 0 2.0 2.0 | Wiki
body | | Bayesian spam probability is 95 to 99% | BAYES_95 | 0 0 3.0 3.0 | Wiki
body | | Bayesian spam probability is 99 to 100% | BAYES_99 | 0 0 3.5 3.5 | Wiki
header | | Message would have been caught by accessdb | ACCESSDB | 1 | Wiki
body | | Message includes Microsoft executable program | MICROSOFT_EXECUTABLE | 0.100 | Wiki
body | | MIME filename does not match content | MIME_SUSPECT_NAME | 0.100 | Wiki
full | | Listed in DCC (http://rhyolite.com/anti-spam/dcc/) | DCC_CHECK | 0 1.37 0 2.17 | Wiki
header | | Domain Keys Identified Mail: message has a signature | DKIM_SIGNED | 0.001 | Wiki
header | | Domain Keys Identified Mail: signature passes verification | DKIM_VERIFIED | -0.001 | Wiki
header | | Domain Keys Identified Mail: policy says domain is testing DK | DKIM_POLICY_TESTING | 0.001 | Wiki
header | | Domain Keys Identified Mail: policy says domain signs some mails | DKIM_POLICY_SIGNSOME | 0.001 | Wiki
header | | Domain Keys Identified Mail: policy says domain signs all mails | DKIM_POLICY_SIGNALL | 0.001 | Wiki
header | | Domain Keys: message has a signature | DK_SIGNED | 0.001 | Wiki
header | | Domain Keys: signature passes verification | DK_VERIFIED | -0.001 | Wiki
header | | Domain Keys: policy says domain is testing DK | DK_POLICY_TESTING | 0.001 | Wiki
header | | Domain Keys: policy says domain signs some mails | DK_POLICY_SIGNSOME | 0.001 | Wiki
header | | Domain Keys: policy says domain signs all mails | DK_POLICY_SIGNALL | 0.001 | Wiki
header | | Contains valid Hashcash token (20 bits) | HASHCASH_20 | -0.500 | Wiki
header | | Contains valid Hashcash token (21 bits) | HASHCASH_21 | -0.700 | Wiki
header | | Contains valid Hashcash token (22 bits) | HASHCASH_22 | -1.000 | Wiki
header | | Contains valid Hashcash token (23 bits) | HASHCASH_23 | -2.000 | Wiki
header | | Contains valid Hashcash token (24 bits) | HASHCASH_24 | -3.000 | Wiki
header | | Contains valid Hashcash token (25 bits) | HASHCASH_25 | -4.000 | Wiki
header | | Contains valid Hashcash token (>25 bits) | HASHCASH_HIGH | -5.000 | Wiki
header | | Hashcash token already spent in another mail | HASHCASH_2SPEND | 0.100 | Wiki
full | | Listed in Pyzor (http://pyzor.sf.net/) | PYZOR_CHECK | 0 2.834 0 3.700 | Wiki
full | | Listed in Razor2 (http://razor.sf.net/) | RAZOR2_CHECK | 0 0.5 0 0.5 | Wiki
full | | Razor2 gives confidence level above 50% | RAZOR2_CF_RANGE_51_100 | 0 0.5 0 0.5 | Wiki
full | | Razor2 gives engine 4 confidence level above 50% | RAZOR2_CF_RANGE_E4_51_100 | 0 1.5 0 1.5 | Wiki
full | | Razor2 gives engine 8 confidence level above 50% | RAZOR2_CF_RANGE_E8_51_100 | 0 1.5 0 1.5 | Wiki
header | | Attempt to obfuscate words in Subject: | SUBJECT_FUZZY_MEDS | 3.800 2.812 3.799 3.799 | Wiki
header | | Attempt to obfuscate words in Subject: | SUBJECT_FUZZY_CHEAP | 1 | Wiki
header | | Attempt to obfuscate words in Subject: | SUBJECT_FUZZY_PENIS | 3.099 1.308 3.100 3.096 | Wiki
header | | Attempt to obfuscate words in Subject: | SUBJECT_FUZZY_TION | 1.100 0.410 0.749 0.156 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_AFFORDABLE | 1 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_AMBIEN | 1.520 0.962 0.195 1.026 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_BILLION | 1 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_CPILL | 0.001 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_CREDIT | 1.696 0.522 0.740 1.238 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_ERECT | 2.529 0.708 1.736 0.804 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_GUARANTEE | 2.496 0.962 2.899 1.252 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_MEDICATION | 0.307 0.001 2.637 2.717 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_MILLION | 2.173 2.325 1.797 2.529 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_MONEY | 2.799 2.796 2.799 2.799 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_MORTGAGE | 3.299 3.296 3.036 1.880 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_OBLIGATION | 2.799 2.796 2.799 2.469 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_OFFERS | 3.299 1.032 2.199 1.246 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_PHARMACY | 2.999 2.999 2.090 1.704 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_PHENT | 1 | Wiki
body | | Attempt to obfuscate words in spam | FUZZY_PRESCRIPT | 2.699 2.644 1.704 1.604 | Wiki
body | | Attempt to obfuscate words in spam
|
FUZZY_PRICES
|
2.801 2.458 1.665 1.304
|
Wiki
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_REFINANCE
|
2.102 0.001 0.505 0.001
|
Wiki
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_REMOVE
|
1
|
Wiki
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_ROLEX
|
1
|
Wiki
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_SOFTWARE
|
2.797 2.860 3.169 3.471
|
Wiki
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_THOUSANDS
|
1
|
Wiki
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VLIUM
|
0.001
|
Wiki
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VIOXX
|
1
|
Wiki
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VPILL
|
1.004 0.001 0.480 0.687
|
Wiki
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_XPILL
|
3.399 3.314 1.549 1.746
|
Wiki
|
header
|
|
SPF: sender matches SPF record
|
SPF_PASS
|
-0.001
|
Wiki
|
header
|
|
SPF: sender does not match SPF record (neutral)
|
SPF_NEUTRAL
|
2.199 1.210 0.756 0.686
|
Wiki
|
header
|
|
SPF: sender does not match SPF record (fail)
|
SPF_FAIL
|
2.600 0.992 1.669 0.693
|
Wiki
|
header
|
|
SPF: sender does not match SPF record (softfail)
|
SPF_SOFTFAIL
|
2.301 0.654 0.698 0.596
|
Wiki
|
header
|
|
SPF: HELO matches SPF record
|
SPF_HELO_PASS
|
-0.001
|
Wiki
|
header
|
|
SPF: HELO does not match SPF record (neutral)
|
SPF_HELO_NEUTRAL
|
2.231 2.000 0.744 0.576
|
Wiki
|
header
|
|
SPF: HELO does not match SPF record (fail)
|
SPF_HELO_FAIL
|
2.298 0.365 0.540 0.001
|
Wiki
|
header
|
|
SPF: HELO does not match SPF record (softfail)
|
SPF_HELO_SOFTFAIL
|
2.599 1.533 1.427 0.841
|
Wiki
|
body
|
|
Message written in an undesired language
|
UNWANTED_LANGUAGE_BODY
|
2.800
|
Wiki
|
body
|
|
Body includes 8 consecutive 8-bit characters
|
BODY_8BITS
|
1.500
|
Wiki
|
body
|
|
Contains an URL listed in the SBL blocklist
|
URIBL_SBL
|
0 2.468 0 1.499
|
Wiki
|
body
|
|
Contains an URL listed in the SC SURBL blocklist
|
URIBL_SC_SURBL
|
0 2.523 0 0.474
|
Wiki
|
body
|
|
Contains an URL listed in the WS SURBL blocklist
|
URIBL_WS_SURBL
|
0 2.100 0 1.500
|
Wiki
|
body
|
|
Contains an URL listed in the PH SURBL blocklist
|
URIBL_PH_SURBL
|
0 2.035 0 1.787
|
Wiki
|
body
|
|
Contains an URL listed in the OB SURBL blocklist
|
URIBL_OB_SURBL
|
0 2.132 0 1.500
|
Wiki
|
body
|
|
Contains an URL listed in the AB SURBL blocklist
|
URIBL_AB_SURBL
|
0 1.613 0 1.860
|
Wiki
|
body
|
|
Contains an URL listed in the JP SURBL blocklist
|
URIBL_JP_SURBL
|
0 2.857 0 1.501
|
Wiki
|
body
|
|
Contains an URL listed in the URIBL blacklist
|
URIBL_BLACK
|
0 1.961 0 1.955
|
Wiki
|
body
|
|
Contains an URL listed in the URIBL greylist
|
URIBL_GREY
|
0.25
|
Wiki
|
body
|
|
Contains an URL listed in the URIBL redlist
|
URIBL_RED
|
0.001
|
Wiki
|
header
|
|
From: address is in the auto white-list
|
AWL
|
1
|
Wiki
|
header
|
|
From: address is in the user's black-list
|
USER_IN_BLACKLIST
|
100.000
|
Wiki
|
header
|
|
From: address is in the user's white-list
|
USER_IN_WHITELIST
|
-100.000
|
Wiki
|
header
|
|
From: address is in the default white-list
|
USER_IN_DEF_WHITELIST
|
-15.000
|
Wiki
|
header
|
|
User is listed in 'blacklist_to'
|
USER_IN_BLACKLIST_TO
|
10.000
|
Wiki
|
header
|
|
User is listed in 'whitelist_to'
|
USER_IN_WHITELIST_TO
|
-6.000
|
Wiki
|
header
|
|
User is listed in 'more_spam_to'
|
USER_IN_MORE_SPAM_TO
|
-20.000
|
Wiki
|
header
|
|
User is listed in 'all_spam_to'
|
USER_IN_ALL_SPAM_TO
|
-100.000
|
Wiki
|
header
|
|
From: address is in the user's DK whitelist
|
USER_IN_DK_WHITELIST
|
-100.000
|
Wiki
|
header
|
|
From: address is in the default DK white-list
|
USER_IN_DEF_DK_WL
|
-7.500
|
Wiki
|
header
|
|
From: address is in the user's DKIM whitelist
|
USER_IN_DKIM_WHITELIST
|
-100.000
|
Wiki
|
header
|
|
From: address is in the default DKIM white-list
|
USER_IN_DEF_DKIM_WL
|
-7.500
|
Wiki
|
header
|
|
From: address is in the user's SPF whitelist
|
USER_IN_SPF_WHITELIST
|
-100.000
|
Wiki
|
header
|
|
From: address is in the default SPF white-list
|
USER_IN_DEF_SPF_WL
|
-7.500
|
Wiki
|
header
|
|
Subject: contains string in the user's white-list
|
SUBJECT_IN_WHITELIST
|
-100
|
Wiki
|
header
|
|
Subject: contains string in the user's black-list
|
SUBJECT_IN_BLACKLIST
|
100
|
Wiki
|
header
|
|
From address contains an apostrophe
|
APOSTROPHE_FROM
|
0.002 0.001 1.597 0.001
|
Wiki
|
header
|
|
Message-Id =~ /^<[0-9]{12}\.[0-9]{12}\@/
|
AXB_XMID_1212
|
3.899 3.899 3.899 3.496
|
Wiki
|
header
|
|
Message-Id =~ /<[0-9A-F]{15}\.[0-9A-F]{10}\@/
|
AXB_XMID_1510
|
4.299 4.295 3.893 3.015
|
Wiki
|
header
|
|
Message-ID =~ /^<[0-9-a-f]{12}\$[0-9-a-f]{8}\$[0]{8}\@/
|
AXB_XMID_OEGOESNULL
|
4.291 4.216 1.083 2.034
|
Wiki
|
header
|
|
Received =~ /\([123456790]{1,2}\.[0-9]{1,2}\.[0-9]{1}\/[0-9]{1,2}\.[0-9]{2}\.[0-9]{1}\)/
|
AXB_XM_SENDMAIL_NOT
|
1
|
Wiki
|
header
|
|
Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/
|
AXB_XR_STULDAP
|
3.199 3.196 3.199 3.004
|
Wiki
|
header
|
|
Thread-Index =~ /(?:\*|\<\>|\)|\()/
|
AXB_XTIDX_CHAIN
|
1
|
Wiki
|
body
|
|
Talks about banking laws
|
BANKING_LAWS
|
3.099 3.096 2.900 2.002
|
Wiki
|
body
|
|
eval:check_base64_length('78','79')
|
BASE64_LENGTH_78_79
|
3.699 3.699 3.133 2.783
|
Wiki
|
body
|
|
eval:check_base64_length('79')
|
BASE64_LENGTH_79_INF
|
3.900 2.763 2.962 1.496
|
Wiki
|
body
|
|
/^\xEF\xBB\xBFMessage-ID:/
|
BROKEN_RATWARE_BOM
|
2.699 2.267 2.440 2.473
|
Wiki
|
header
|
|
Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0001_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
|
CTYPE_001C_A
|
2.299 2.319 1.500 1.498
|
Wiki
|
header
|
|
Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
|
CTYPE_001C_B
|
1
|
Wiki
|
body
|
|
/\bCurrent Price:/
|
CURR_PRICE
|
4.161 2.659 1.412 1.588
|
Wiki
|
body
|
|
/\bdear.{1,20}winner/i
|
DEAR_WINNER
|
3.199 3.196 3.199 3.197
|
Wiki
|
full
|
|
/<DIV align=3Dcenter><A href=3D=\n/
|
DIV_CENTER_A_HREF
|
3.799 3.795 3.799 2.590
|
Wiki
|
header
|
|
Sender from new domain (Day Old Bread)
|
DNS_FROM_DOB
|
0 0.341 0 0.732
|
Wiki
|
header
|
|
Envelope sender listed in bl.open-whois.org.
|
DNS_FROM_OPENWHOIS
|
0 2.431 0 1.130
|
Wiki
|
body
|
|
Provision for income taxes
|
DOS_PROVISION4
|
1.5
|
Wiki
|
body
|
|
Report of financial income
|
DOS_REPORT_FIN_INC
|
0.5
|
Wiki
|
body
|
|
Pump and dump stock spam
|
DOS_STOCK_CDYV_GENERIC
|
2.5
|
Wiki
|
uri
|
|
Found an asterisk in a URI
|
DOS_URI_ASTERISK
|
1
|
Wiki
|
header
|
|
Subject =~ /\bhoodia\b/i
|
DRUGS_HDIA
|
2.529 2.501 2.483 2.697
|
Wiki
|
body
|
|
Add / Gain inches
|
FB_ADD_INCHES
|
2.999 2.999 2.620 2.131
|
Wiki
|
body
|
|
It's almost sex, but not!
|
FB_ALMOST_SEX
|
3.099 3.096 2.841 2.110
|
Wiki
|
body
|
|
Broken AnaTrim phrase.
|
FB_ANA_TRIM
|
3.999 3.995 3.797 3.764
|
Wiki
|
body
|
|
Phrase: A_U_N_I
|
FB_ANUI
|
0.431 1.618 2.634 0.823
|
Wiki
|
body
|
|
Phrase: [BM]Illi0n
|
FB_BILLI0N
|
1
|
Wiki
|
body
|
|
Phrase: C0mpany
|
FB_C0MPANY
|
2.799 2.106 2.799 2.455
|
Wiki
|
body
|
|
Phrase: can last longer
|
FB_CAN_LONGER
|
1.403 1.309 0.474 0.442
|
Wiki
|
body
|
|
Uses a mis-spelled version of cialis.
|
FB_CIALIS_LEO3
|
2.628 2.815 3.001 1.441
|
Wiki
|
body
|
|
Looks like double 0 words
|
FB_DOUBLE_0WORDS
|
3.599 3.595 3.599 3.533
|
Wiki
|
body
|
|
Phrase: email hier
|
FB_EMAIL_HIER
|
0.342 1.203 2.941 2.189
|
Wiki
|
body
|
|
Phrase: extra inches
|
FB_EXTRA_INCHES
|
1.234 3.096 2.081 2.442
|
Wiki
|
body
|
|
Looks like numbers with O's instead of 0's
|
FB_FAKE_NUMBERS
|
1
|
Wiki
|
body
|
|
Looks like fake numbers (4)
|
FB_FAKE_NUMS4
|
1
|
Wiki
|
body
|
|
Phrase: Farmacy
|
FB_FHARMACY
|
3.699 3.695 2.819 3.576
|
Wiki
|
body
|
|
Phrase: forward look with 0's
|
FB_FORWARD_LOOK
|
0.000 0.000 3.000 1.000
|
Wiki
|
body
|
|
Too much spacing in Address
|
FB_GAPPY_ADDRESS
|
3.399 3.399 3.399 2.674
|
Wiki
|
body
|
|
Looks like trying to sell meds
|
FB_GET_MEDS
|
3.599 1.097 1.501 0.803
|
Wiki
|
body
|
|
Looks like generic viagra
|
FB_GVR
|
0.469 0.001 0.001 0.127
|
Wiki
|
body
|
|
Phrase hey bro,
|
FB_HEY_BRO_COMMA
|
3.099 2.783 3.099 2.331
|
Wiki
|
body
|
|
Phrase: HGH
|
FB_HG_H_CAP
|
1.885 0.887 0.007 0.274
|
Wiki
|
body
|
|
Phrase $x home loan
|
FB_HOMELOAN
|
2.487 2.014 2.003 0.710
|
Wiki
|
body
|
|
Phrase: impress ... girl
|
FB_IMPRESS_GIRL
|
2.197 1.757 1.964 2.581
|
Wiki
|
body
|
|
Phrase: Increase your energy
|
FB_INCREASE_YOUR
|
3.399 3.396 3.399 3.396
|
Wiki
|
body
|
|
Phrase: independent reward
|
FB_INDEPEND_RWD
|
3.599 3.599 3.600 3.595
|
Wiki
|
body
|
|
Phrase: L0an
|
FB_L0AN
|
1
|
Wiki
|
body
|
|
Special people leave special signs!
|
FB_LETTERS_21B
|
3.999 3.999 3.999 3.995
|
Wiki
|
body
|
|
Phrase: lower your monthly payments
|
FB_LOWER_PAYM
|
3.000 2.996 2.999 2.996
|
Wiki
|
body
|
|
Phrase: Med1cat
|
FB_MED1CAT
|
1
|
Wiki
|
body
|
|
Talks about meds and %
|
FB_MEDS_PERCENT
|
1
|
Wiki
|
body
|
|
Phrase: more size
|
FB_MORE_SIZE
|
1.166 1.422 2.013 0.397
|
Wiki
|
body
|
|
Looks like a fake phone number (1)
|
FB_NOT_PHONE_NUM1
|
2.600 2.599 2.599 2.596
|
Wiki
|
body
|
|
Looks like a fake phone number (3)
|
FB_NOT_PHONE_NUM3
|
2.599 2.596 2.599 2.599
|
Wiki
|
body
|
|
Looks like school but it's not!
|
FB_NOT_SCHOOL
|
3.099 2.312 1.868 2.961
|
Wiki
|
body
|
|
Phrase: no prescription needed.
|
FB_NO_SCRIP_NEEDED
|
3.088 2.458 2.403 3.228
|
Wiki
|
body
|
|
Speaks of teenager.
|
FB_NUMYO
|
2.400 2.397 2.399 2.397
|
Wiki
|
body
|
|
Speaks of 20+ year old.
|
FB_NUMYO2
|
1
|
Wiki
|
body
|
|
Looks like money but has odd spacing.
|
FB_ODD_SPACED_MONEY
|
2.303 2.723 2.697 1.959
|
Wiki
|
body
|
|
Mis-spelled online
|
FB_ONIINE
|
1
|
Wiki
|
body
|
|
Phrase: p1ll
|
FB_P1LL
|
0.467 1.088 1.552 1.814
|
Wiki
|
body
|
|
Phrase: penis growth
|
FB_PENIS_GROWTH
|
1
|
Wiki
|
body
|
|
Phrase: Dollar, with pipes or 0's.
|
FB_PIPEDOLLAR
|
2.599 2.430 2.599 2.599
|
Wiki
|
body
|
|
Looks like illion, but it's not
|
FB_PIPE_ILLION
|
1
|
Wiki
|
body
|
|
Talks about prolonged hardness
|
FB_PROLONGED_HARD
|
1
|
Wiki
|
body
|
|
Phrase: quality replica
|
FB_QUALITY_REPLICA
|
3.899 3.899 3.899 2.949
|
Wiki
|
body
|
|
Refcode with spacing
|
FB_REF_CODE_SPACE
|
3.599
|
Wiki
|
body
|
|
Phrase: REPLICA
|
FB_REPLIC_CAP
|
4.000 3.995 3.567 3.242
|
Wiki
|
body
|
|
Looks like refi.
|
FB_RE_FI
|
2.699 2.696 2.699 2.696
|
Wiki
|
body
|
|
Phrase: Roller is th
|
FB_ROLLER_IS_T
|
1
|
Wiki
|
body
|
|
Phrase: rolx
|
FB_ROLX
|
0.000 0.000 3.000 1.000
|
Wiki
|
body
|
|
Phrase: Softabs
|
FB_SOFTTABS
|
4.299 4.281 4.064 3.513
|
Wiki
|
body
|
|
Phrase: F R E E
|
FB_SPACED_FREE
|
1
|
Wiki
|
body
|
|
Phone number with -- spacing. (B)
|
FB_SPACED_PHN_3B
|
2.899 2.896 2.899 2.896
|
Wiki
|
body
|
|
Looks like a s p a c e d zipcode.
|
FB_SPACEY_ZIP
|
2.687 1.785 3.099 1.680
|
Wiki
|
body
|
|
Phrase: SPUR-M
|
FB_SPUR_M
|
1
|
Wiki
|
body
|
|
Phrase: ssex
|
FB_SSEX
|
2.019 2.001 2.556 2.489
|
Wiki
|
body
|
|
Looks like stocks exploding.
|
FB_STOCK_EXPLODE
|
2.699 2.696 1.927 1.833
|
Wiki
|
body
|
|
Mis-spelled symbol.
|
FB_SYMBLO
|
1
|
Wiki
|
body
|
|
Phrase: this advertiser
|
FB_THIS_ADVERT
|
1
|
Wiki
|
body
|
|
Phrase: thousand personal
|
FB_THOUS_PERSONAL
|
0.000 0.000 3.000 1.000
|
Wiki
|
body
|
|
Phrase: to stop further distribution
|
FB_TO_STOP_DISTRO
|
3.099 3.096 3.099 3.096
|
Wiki
|
body
|
|
Phrase: Ultra Allure
|
FB_ULTRA_ALLURE
|
2.999 2.841 2.374 2.999
|
Wiki
|
body
|
|
Phrase: lock to your girlfriend
|
FB_UNLOCK_YOUR_G
|
2.699 2.696 2.618 2.002
|
Wiki
|
body
|
|
Pattern Replacement PROV_D
|
FB_UNRESOLV_PROV
|
1.606 1.132 2.429 0.765
|
Wiki
|
body
|
|
Looks like a word ending with a $
|
FB_WORD1_END_DOLLAR
|
1
|
Wiki
|
body
|
|
Phrase: yourself master
|
FB_YOURSELF_MASTER
|
0.421 1.248 1.557 2.011
|
Wiki
|
body
|
|
Phrase: Your refi
|
FB_YOUR_REFI
|
2.701 3.306 3.300 3.518
|
Wiki
|
header
|
|
Bad X-Mailer version
|
FH_BAD_OEV1441
|
0.974 2.393 2.440 2.401
|
Wiki
|
header
|
|
The date is not 19xx.
|
FH_DATE_IS_19XX
|
1.947 1.970 2.512 2.199
|
Wiki
|
header
|
|
The date is grossly in the future.
|
FH_DATE_PAST_20XX
|
2.075 3.384 3.554 3.188
|
Wiki
|
header
|
|
RCVD line looks faked (A)
|
FH_FAKE_RCVD_LINE
|
2.230 2.215 2.670 2.470
|
Wiki
|
header
|
|
E-mail address doesn't have TLD (.com, etc.)
|
FH_FROMEML_NOTLD
|
2.699 2.196 2.699 2.696
|
Wiki
|
header
|
|
From name has "cash"
|
FH_FROM_CASH
|
2.999 2.996 2.999 2.996
|
Wiki
|
header
|
|
From name says Get
|
FH_FROM_GET_NAME
|
1
|
Wiki
|
header
|
|
From name is giveaway.
|
FH_FROM_GIVEAWAY
|
2.799 2.796 2.799 1.597
|
Wiki
|
header
|
|
From has Hoodia!!?
|
FH_FROM_HOODIA
|
2.699 2.696 2.699 2.696
|
Wiki
|
header
|
|
Has X-AIMC-AUTH header
|
FH_HAS_XAIMC
|
2.699 2.699 2.699 2.696
|
Wiki
|
header
|
|
Has X-ID
|
FH_HAS_XID
|
2.400 2.399 2.399 2.397
|
Wiki
|
header
|
|
Helo is almost an IP addr.
|
FH_HELO_ALMOST_IP
|
3.222 3.727 3.463 3.565
|
Wiki
|
header
|
|
Helo ends with a dot.
|
FH_HELO_ENDS_DOT
|
3.599 3.020 1.395 2.308
|
Wiki
|
header
|
|
Helo is 6-10 hex chr's.
|
FH_HELO_EQ_610HEX
|
4.099 4.099 4.099 4.095
|
Wiki
|
header
|
|
Helo is d-d-d-d charter.com
|
FH_HELO_EQ_CHARTER
|
0.359 1.258 1.495 1.044
|
Wiki
|
header
|
|
Helo is d-d-d-d
|
FH_HELO_EQ_D_D_D_D
|
2.399 0.498 0.561 0.001
|
Wiki
|
header
|
|
Faked helo of gmail-smtp-in
|
FH_HELO_GMAILSMTP
|
1
|
Wiki
|
header
|
|
The host almost looks like an IP addr.
|
FH_HOST_ALMOST_IP
|
4.099 3.791 2.170 1.751
|
Wiki
|
header
|
|
Host is dynamicip
|
FH_HOST_EQ_DYNAMICIP
|
0.964 3.097 3.103 4.058
|
Wiki
|
header
|
|
Host starts with d-d-d-d
|
FH_HOST_EQ_D_D_D_D
|
2.599 1.992 1.692 1.212
|
Wiki
|
header
|
|
Host is d-d-d-d
|
FH_HOST_EQ_D_D_D_DB
|
0.102 0.095 0.055 0.223
|
Wiki
|
header
|
|
Host is pacbell.net dsl
|
FH_HOST_EQ_PACBELL_D
|
0.005 0.893 1.479 1.670
|
Wiki
|
header
|
|
Host is pool-.+verizon.net
|
FH_HOST_EQ_VERIZON_P
|
2.101 1.105 0.001 0.001
|
Wiki
|
header
|
|
Special MSGID
|
FH_MSGID_000000
|
4.399 4.299 2.809 3.236
|
Wiki
|
header
|
|
Special MSGID
|
FH_MSGID_01C67
|
3.299 0.495 1.500 0.001
|
Wiki
|
header
|
|
MESSAGE ID seen often!!!
|
FH_MSGID_01C70XXX
|
3.899 3.895 2.757 3.899
|
Wiki
|
header
|
|
Broken Replace Template
|
FH_MSGID_REPLACE
|
1.282 2.079 2.223 2.512
|
Wiki
|
header
|
|
Common sign in msg-id's 12/21/2006
|
FH_MSGID_XXBLAH
|
4.499 4.495 4.319 3.390
|
Wiki
|
header
|
|
Message-Id = @xxx
|
FH_MSGID_XXX
|
3.200 3.196 3.200 2.682
|
Wiki
|
header
|
|
Subject is Re: new \d\d\d
|
FH_RE_NEW_DDD
|
2.251 1.209 1.526 2.687
|
Wiki
|
header
|
|
Broken Replace Template
|
FH_XMAIL_REPLACE
|
1.254 2.142 1.662 1.065
|
Wiki
|
header
|
|
Special X-Mailer Version
|
FH_XMAIL_RND_833
|
1
|
Wiki
|
header
|
|
Looks like Fake Outlook?
|
FM_XMAIL_F_OUT
|
4.199 4.199 2.643 1.815
|
Wiki
|
body
|
|
ReplaceTags: Adobe
|
FRT_ADOBE2
|
1
|
Wiki
|
body
|
|
ReplaceTags: Bigger / Larger, Penis / Member
|
FRT_BIGGERMEM1
|
0.000 0.001 1.205 1.782
|
Wiki
|
body
|
|
ReplaceTags: Diploma
|
FRT_DIPLOMA
|
1
|
Wiki
|
body
|
|
ReplaceTags: Discount
|
FRT_DISCOUNT
|
2.999 2.996 1.498 1.810
|
Wiki
|
body
|
|
ReplaceTags: Dollar
|
FRT_DOLLAR
|
2.529 2.596 2.133 2.366
|
Wiki
|
body
|
|
ReplaceTags: Establish (2)
|
FRT_ESTABLISH2
|
1
|
Wiki
|
body
|
|
ReplaceTags: Fuck (2)
|
FRT_FUCK2
|
1
|
Wiki
|
body
|
|
ReplaceTags: Guarantee (1)
|
FRT_GUARANTEE1
|
2.503 2.819 2.144 1.253
|
Wiki
|
body
|
|
ReplaceTags: Investor
|
FRT_INVESTOR
|
1
|
Wiki
|
body
|
|
ReplaceTags: Levitra
|
FRT_LEVITRA
|
0.001 0.745 1.685 1.814
|
Wiki
|
body
|
|
ReplaceTags: Meeting
|
FRT_MEETING
|
2.700 2.699 2.699 2.699
|
Wiki
|
body
|
|
ReplaceTags: Offer (2)
|
FRT_OFFER2
|
2.700 1.590 1.097 1.287
|
Wiki
|
body
|
|
ReplaceTags: Oppertun (1)
|
FRT_OPPORTUN1
|
1
|
Wiki
|
body
|
|
ReplaceTags: Oppertun (2)
|
FRT_OPPORTUN2
|
2.699 2.699 2.699 2.689
|
Wiki
|
body
|
|
ReplaceTags: Penis
|
FRT_PENIS1
|
3.799 3.074 3.002 2.486
|
Wiki
|
body
|
|
ReplaceTags: Price
|
FRT_PRICE
|
3.699 2.531 3.072 3.491
|
Wiki
|
body
|
|
ReplaceTags: Refinance (1)
|
FRT_REFINANCE1
|
2.799 2.727 0.994 0.921
|
Wiki
|
body
|
|
ReplaceTags: Rolex
|
FRT_ROLEX
|
3.099 3.096 3.099 3.096
|
Wiki
|
body
|
|
ReplaceTags: Sexual
|
FRT_SEXUAL
|
3.199 3.196 3.199 3.142
|
Wiki
|
body
|
|
ReplaceTags: Soma
|
FRT_SOMA
|
1
|
Wiki
|
body
|
|
ReplaceTags: Soma (2)
|
FRT_SOMA2
|
1
|
Wiki
|
body
|
|
ReplaceTags: Strong (1)
|
FRT_STRONG1
|
3.699 2.919 2.712 2.976
|
Wiki
|
body
|
|
ReplaceTags: Strong (2)
|
FRT_STRONG2
|
1.302 0.001 2.745 3.096
|
Wiki
|
body
|
|
ReplaceTags: Symbol
|
FRT_SYMBOL
|
1.902 3.561 2.587 2.943
|
Wiki
|
body
|
|
ReplaceTags: Today (2)
|
FRT_TODAY2
|
2.523 2.460 3.246 2.382
|
Wiki
|
body
|
|
ReplaceTags: Valium
|
FRT_VALIUM1
|
3.096 3.049 0.664 1.590
|
Wiki
|
body
|
|
ReplaceTags: Valium (2)
|
FRT_VALIUM2
|
1.903 1.933 1.328 1.301
|
Wiki
|
body
|
|
ReplaceTags: Weight (2)
|
FRT_WEIGHT2
|
2.529 2.930 3.099 2.121
|
Wiki
|
body
|
|
ReplaceTags: Xanax (1)
|
FRT_XANAX1
|
3.799 3.799 2.265 2.423
|
Wiki
|
body
|
|
ReplaceTags: Xanax (2)
|
FRT_XANAX2
|
0.001
|
Wiki
|
rawbody
|
|
Looks like 3 <e> small tags.
|
FR_3TAG_3TAG
|
2.405 0.998 2.599 1.053
|
Wiki
|
rawbody
|
|
Almost looks like viagra.
|
FR_ALMOST_VIAG2
|
2.402 2.376 2.051 1.990
|
Wiki
|
rawbody
|
|
Phrase class=cantseetext
|
FR_CANTSEETEXT
|
1
|
Wiki
|
rawbody
|
|
Sign often seen in spams
|
FR_MIDER
|
1.233 1.706 0.792 2.068
|
Wiki
|
header
|
|
Subject says "At No Cost"
|
FS_AT_NO_COST
|
2.600 2.596 2.599 1.561
|
Wiki
|
header
|
|
Phrase: Cheap in Caps in Subject.
|
FS_CHEAP_CAP
|
0.001 0.001 0.005 0.001
|
Wiki
|
header
|
|
Subject talks about money bonus!
|
FS_DOLLAR_BONUS
|
2.699 2.696 2.699 2.673
|
Wiki
|
header
|
|
Phrase: ejaculation in subject.
|
FS_EJACULA
|
2.999 2.996 2.999 1.803
|
Wiki
|
header
|
|
Phrase: erection in subject.
|
FS_ERECTION
|
2.699 2.020 2.042 2.643
|
Wiki
|
header
|
|
Phrase: Huge Cock
|
FS_HUGECOCK
|
1
|
Wiki
|
header
|
|
Larger than 100% in subj.
|
FS_LARGE_PERCENT2
|
2.999 1.037 2.363 0.412
|
Wiki
|
header
|
|
Phrase: lower your
|
FS_LOWER_YOUR
|
1
|
Wiki
|
header
|
|
Subject says low rates
|
FS_LOW_RATES
|
2.799 1.763 1.849 2.001
|
Wiki
|
header
|
|
Subj starts with New software uploaded
|
FS_NEW_SOFT_UPLOAD
|
1.177 1.154 3.476 1.790
|
Wiki
|
header
|
|
Subject looks like Fharmacy spams.
|
FS_NEW_XXX
|
0.009 0.616 0.125 1.100
|
Wiki
|
header
|
|
Subject almost says No prescription
|
FS_NO_SCRIP
|
1.432 2.422 1.384 1.577
|
Wiki
|
header
|
|
what could this word be?
|
FS_OBFU_PRMCY
|
1.681 0.722 3.191 1.460
|
Wiki
|
header
|
|
Subject mis-spelled prescription
|
FS_PERSCRIPTION
|
1
|
Wiki
|
header
|
|
Looks like Phramacy subject.
|
FS_PHARMASUB2
|
3.899 3.895 3.899 3.896
|
Wiki
|
header
|
|
Subject says Ramrod
|
FS_RAMROD
|
1.076 2.820 2.317 2.777
|
Wiki
|
header
|
|
Subject says "replica"
|
FS_REPLICA
|
2.800 1.179 1.403 1.041
|
Wiki
|
header
|
|
Subject says Replica watch
|
FS_REPLICAWATCH
|
3.524 3.799 2.094 2.502
|
Wiki
|
header
|
|
Phrase: re approved
|
FS_RE_APPROV
|
1
|
Wiki
|
header
|
|
Subject starts with Do you dream,have,want,love, etc.
|
FS_START_DOYOU2
|
3.099 3.099 3.099 3.097
|
Wiki
|
header
|
|
Subject starts with Lose
|
FS_START_LOSE
|
2.599 2.596 2.034 2.167
|
Wiki
|
header
|
|
Subject says something bad about teens
|
FS_TEEN_BAD
|
2.501 2.596 2.441 2.549
|
Wiki
|
header
|
|
Phrase: subject = tip ddd
|
FS_TIP_DDD
|
0.001 0.021 1.726 0.101
|
Wiki
|
header
|
|
Subject says Weight Loss
|
FS_WEIGHT_LOSS
|
1
|
Wiki
|
header
|
|
Subject says will help
|
FS_WILL_HELP
|
3.299 3.299 3.299 3.296
|
Wiki
|
header
|
|
Subject says With ... small
|
FS_WITH_SMALL
|
1
|
Wiki
|
body
|
|
/<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
|
FUZZY_MERIDIA
|
0.001 0.778 1.936 2.374
|
Wiki
|
uri
|
|
Sub-dir seen often in spam (2).
|
FU_COMMON_SUBS2
|
2.403 2.057 2.136 1.498
|
Wiki
|
uri
|
|
Ends with clk/d+.d+.d+
|
FU_ENDS_NUMS_DOTS_CLK
|
3.200 3.196 3.199 3.196
|
Wiki
|
uri
|
|
ET Phone Home?
|
FU_END_ET
|
3.599 3.599 3.599 3.500
|
Wiki
|
uri
|
|
URL has hoodia in it.
|
FU_HOODIA
|
1.177 1.484 0.751 1.652
|
Wiki
|
uri
|
|
URL has a long file name with .aspx extension.
|
FU_LONG_QUERY3
|
1.662 0.001 1.649 0.001
|
Wiki
|
uri
|
|
URL has /gal/
|
FU_MIDER
|
3.767 2.024 1.458 1.110
|
Wiki
|
uri
|
|
URL with [a-z]{2}.geocities.com
|
FU_UKGEOCITIES
|
3.299 3.296 3.299 3.296
|
Wiki
|
uri
|
|
URI style tracker (T)
|
FU_URI_TRACKER_T
|
3.899 3.895 2.400 3.193
|
Wiki
|
uri
|
|
/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
|
GEO_QUERY_STRING
|
2.699 2.696 2.699 2.696
|
Wiki
|
header
|
|
Multiple Subject headers found
|
HEADER_COUNT_SUBJECT
|
3.099 3.099 3.100 3.096
|
Wiki
|
header
|
|
X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=friend /i
|
HELO_FRIEND
|
0.001
|
Wiki
|
header
|
|
X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
|
HELO_LH_HOME
|
2.602 3.169 2.689 3.714
|
Wiki
|
header
|
|
X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost\.localdomain /i
|
HELO_LH_LD
|
0.800 0.792 1.184 1.215
|
Wiki
|
header
|
|
X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i
|
HELO_LOCALHOST
|
4.499 4.499 3.998 3.941
|
Wiki
|
header
|
|
X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
|
HELO_OEM
|
3.299 3.296 3.043 2.195
|
Wiki
|
body
|
|
Somebody has uploaded some new software for you
|
HS_BODY_UPLOADED_SOFTWARE
|
0.043 1.992 2.046 2.658
|
Wiki
|
body
|
|
Contains a drug and price-like pattern.
|
HS_DRUG_DOLLAR_1
|
1.033 1.350 1.929 0.090
|
Wiki
|
body
|
|
Contains a drug and price-like pattern.
|
HS_DRUG_DOLLAR_2
|
0.304 1.119 2.748 1.617
|
Wiki
|
body
|
|
Contains a drug and price-like pattern.
|
HS_DRUG_DOLLAR_3
|
2.349 1.901 1.317 1.378
|
Wiki
|
uri
|
|
Links to common unsubscribe script: 'getmeoff.php'
|
HS_GETMEOFF
|
0.000 0.000 3.000 1.000
|
Wiki
|
uri
|
|
Link contains a common tracker pattern.
|
HS_INDEX_PARAM
|
0.001
|
Wiki
|
body
|
|
Talks about meeting up for sex.
|
HS_MEETUP_FOR_SEX
|
0.000 0.000 3.000 1.000
|
Wiki
|
header
|
|
Subject starts with 'New software uploaded by'
|
HS_SUBJ_NEW_SOFTWARE
|
1.118 0.253 2.395 3.599
|
Wiki
|
header
|
|
Subject contains the phrase 'Online pharmaceutical'
|
HS_SUBJ_ONLINE_PHARMACEUTICAL
|
0 0 0.001 0.001
|
Wiki
|
body
|
|
eval:check_https_http_mismatch('1','10')
|
HTTPS_HTTP_MISMATCH
|
1
|
Wiki
|
header
|
|
Received =~ /by \S+ \(Qmailv1\) with ESMTP/
|
JM_RCVD_QMAILV1
|
3.999 3.995 3.999 3.996
|
Wiki
|
body
|
|
/(?:OTC|OTCBB|OTC Pink Sheets):/is
|
KAM_STOCKOTC
|
3.999 2.328 3.947 3.964
|
Wiki
|
body
|
|
/(?:Conforce International|CFRI)/is
|
KAM_STOCKTIP14
|
1
|
Wiki
|
body
|
|
/(?:Nano Superlattice Technology|NSLT)/is
|
KAM_STOCKTIP15
|
0.001
|
Wiki
|
body
|
|
/(?:PREMIER INFORMATION|(^|\b)PIFR($|\b))/is
|
KAM_STOCKTIP20
|
1
|
Wiki
|
body
|
|
/(?:Harbin Pingchuan|P G C N|PGCN)/is
|
KAM_STOCKTIP21
|
1
|
Wiki
|
body
|
|
/(?:Remington Ventures|RMVN)/is
|
KAM_STOCKTIP4
|
1
|
Wiki
|
body
|
|
/(?:China World Trade Corporation|CWTD)/is
|
KAM_STOCKTIP6
|
1
|
Wiki
|
body
|
|
/long\W+term\W+(target|projected)(\W+price)?/i
|
LONG_TERM_PRICE
|
0.001 0.212 0.001 0.001
|
Wiki
|
body
|
|
A loop hole in the banking laws?
|
LOOPHOLE_1
|
2.188 2.474 2.623 2.210
|
Wiki
|
header
|
|
Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
|
L_SPAM_TOOL_13
|
4.499 4.499 4.499 4.495
|
Wiki
|
header
|
|
Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
|
MID_DEGREES
|
4.199 4.195 4.057 3.700
|
Wiki
|
header
|
|
Content-Type =~ /boundary="=====================_\d+==\.REL"/s
|
MIME_BOUND_EQ_REL
|
0.123 0.845 2.457 2.832
|
Wiki
|
full
|
|
Message has NUL (ASCII 0) byte in message
|
NULL_IN_BODY
|
2.802 1.489 3.699 2.425
|
Wiki
|
header
|
|
Claims to be sent by an unusual build of Outlook (3416)
|
OUTLOOK_3416
|
1.702 1.695 1.821 1.744
|
Wiki
|
header
|
|
Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*:<=>?\@\[\]^\`{|}~]|;\S)/
|
RCVD_BAD_ID
|
2.100 2.088 3.266 2.837
|
Wiki
|
header
|
|
Forged 'Received' header found ('wrote:' spam)
|
RCVD_FORGED_WROTE
|
4.365 4.479 4.499 2.523
|
Wiki
|
header
|
|
Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
|
RCVD_FORGED_WROTE2
|
2.052 2.736 1.391 4.325
|
Wiki
|
header
|
|
Sender listed at http://www.dnswl.org/, high trust
|
RCVD_IN_DNSWL_HI
|
0 -8 0 -8
|
Wiki
|
header
|
|
Sender listed at http://www.dnswl.org/, low trust
|
RCVD_IN_DNSWL_LOW
|
0 -1 0 -1
|
Wiki
|
header
|
|
Sender listed at http://www.dnswl.org/, medium trust
|
RCVD_IN_DNSWL_MED
|
0 -4 0 -4
|
Wiki
|
header
|
|
Received via relay in new domain (Day Old Bread)
|
RCVD_IN_DOB
|
0 0.835 0 1.103
|
Wiki
|
header
|
|
IADB: Sender publishes Domain Keys record
|
RCVD_IN_IADB_DK
|
1
|
Wiki
|
header
|
|
IADB: All mailing list mail is confirmed opt-in
|
RCVD_IN_IADB_DOPTIN
|
0 -4 0 -4
|
Wiki
|
header
|
|
IADB: Confirmed opt-in used more than 50% of the time
|
RCVD_IN_IADB_DOPTIN_GT50
|
1
|
Wiki
|
header
|
|
IADB: Confirmed opt-in used less than 50% of the time
|
RCVD_IN_IADB_DOPTIN_LT50
|
1
|
Wiki
|
header
|
|
IADB: Participates in Email Deliverability Database
|
RCVD_IN_IADB_EDDB
|
0 -0.001 0 -0.293
|
Wiki
|
header
|
|
IADB: Member of Email Processing Industry Alliance
|
RCVD_IN_IADB_EPIA
|
0 -0.135 0 -0.001
|
Wiki
|
header
|
|
IADB: Sender has been certified by GoodMail
|
RCVD_IN_IADB_GOODMAIL
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
Participates in the IADB system
|
RCVD_IN_IADB_LISTED
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: Adds relationship addrs w/out opt-in
|
RCVD_IN_IADB_LOOSE
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: Complies with Michigan's CPEAR law
|
RCVD_IN_IADB_MI_CPEAR
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: Checked lists against Michigan's CPR within 30 days
|
RCVD_IN_IADB_MI_CPR_30
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: Sends no material under Michigan's CPR
|
RCVD_IN_IADB_MI_CPR_MAT
|
1
|
Wiki
|
header
|
|
IADB: Mailing list email only, confirmed opt-in
|
RCVD_IN_IADB_ML_DOPTIN
|
0 -6 0 -6
|
Wiki
|
header
|
|
IADB: Has absolutely no mailing controls in place
|
RCVD_IN_IADB_NOCONTROL
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: One-to-one/transactional email only
|
RCVD_IN_IADB_OOO
|
1
|
Wiki
|
header
|
|
IADB: All mailing list mail is opt-in
|
RCVD_IN_IADB_OPTIN
|
1
|
Wiki
|
header
|
|
IADB: Opt-in used more than 50% of the time
|
RCVD_IN_IADB_OPTIN_GT50
|
0 -0.499 0 -0.245
|
Wiki
|
header
|
|
IADB: Opt-in used less than 50% of the time
|
RCVD_IN_IADB_OPTIN_LT50
|
1
|
Wiki
|
header
|
|
IADB: Scrapes addresses, pure opt-out only
|
RCVD_IN_IADB_OPTOUTONLY
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: Sender has reverse DNS record
|
RCVD_IN_IADB_RDNS
|
1
|
Wiki
|
header
|
|
IADB: Sender publishes Sender ID record
|
RCVD_IN_IADB_SENDERID
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: Sender publishes SPF record
|
RCVD_IN_IADB_SPF
|
0 -0.001 0 -0.078
|
Wiki
|
header
|
|
IADB: Accepts unverified sign-ups
|
RCVD_IN_IADB_UNVERIFIED_1
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: Accepts unverified sign-ups, gives chance to opt out
|
RCVD_IN_IADB_UNVERIFIED_2
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: Complies with Utah's CPEAR law
|
RCVD_IN_IADB_UT_CPEAR
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: Checked lists against Utah's CPR within 30 days
|
RCVD_IN_IADB_UT_CPR_30
|
0 -0.001 0 -0.001
|
Wiki
|
header
|
|
IADB: Sends no material under Utah's CPR
|
RCVD_IN_IADB_UT_CPR_MAT
|
1
|
Wiki
|
header
|
|
Forged Received header (contains post.com or mail.com)
|
RCVD_MAIL_COM
|
1.082 1.452 2.532 0.930
|
Wiki
|
body
|
|
/short\W+term\W+(target|projected)(\W+price)?/i
|
SHORT_TERM_PRICE
|
0.540 1.950 0.655 0.676
|
Wiki
|
header
|
|
Received =~ / by \d+\.\d+\.\d+\.\d+ \(\d\.\d\d\.\d\/\d\.\d\d\.\d\) with SMTP id [\dA-Za-z]+\;/
|
STOX_RCVD_N_NN_N
|
1
|
Wiki
|
header
|
|
Content-Type =~ /text\/plain; .* reply-type=original/
|
STOX_REPLY_TYPE
|
0.001
|
Wiki
|
header
|
|
Received =~ /from 192.168.0.\d+ \(203-219-/
|
TEMPLATE_203_RCVD
|
1
|
Wiki
|
header
|
|
Scora: Message-Id ends after left-bracket + digits
|
TT_MSGID_TRUNC
|
0.001 1.874 1.924 1.364
|
Wiki
|
body
|
|
/\bact of (?:193|nineteen thirty)/i
|
TVD_ACT_193
|
2.273 3.420 3.499 2.622
|
Wiki
|
body
|
|
/you.{1,2}re .{0,20}approved/i
|
TVD_APPROVED
|
2.999 2.558 1.550 1.731
|
Wiki
|
body
|
|
/approved .{0,20}loan/i
|
TVD_APP_LOAN
|
1
|
Wiki
|
body
|
|
/^dear homeowner/i
|
TVD_DEAR_HOMEOWNER
|
2.599 2.599 2.599 2.596
|
Wiki
|
header
|
|
EnvelopeFrom =~ /\'/
|
TVD_ENVFROM_APOST
|
4.199 3.307 0.465 0.088
|
Wiki
|
header
|
|
Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
|
TVD_FINGER_02
|
2.796 2.720 3.199 2.134
|
Wiki
|
rawbody
|
|
/\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
|
TVD_FLOAT_GENERAL
|
3.599 1.114 0.591 0.001
|
Wiki
|
body
|
|
/<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
|
TVD_FUZZY_DEGREE
|
1
|
Wiki
|
body
|
|
/(?!finance)<F><I><N><A><N><C><E>/i
|
TVD_FUZZY_FINANCE
|
1
|
Wiki
|
body
|
|
/<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
|
TVD_FUZZY_FIXED_RATE
|
1
|
Wiki
|
body
|
|
/<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
|
TVD_FUZZY_MICROCAP
|
1
|
Wiki
|
body
|
|
/<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
|
TVD_FUZZY_PHARMACEUTICAL
|
1
|
Wiki
|
body
|
|
/<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i
|
TVD_FUZZY_SYMBOL
|
3.099 1.435 2.086 1.699
|
Wiki
|
body
|
|
/\bsize of .{1,20}(?:penis|dick|manhood)/i
|
TVD_INCREASE_SIZE
|
1
|
Wiki
|
body
|
|
/\blink to save\b/i
|
TVD_LINK_SAVE
|
1
|
Wiki
|
body
|
|
/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
|
TVD_PH_BODY_ACCOUNTS_PRE
|
1
|
Wiki
|
body
|
|
Message has a phrase standard for phishing mails
|
TVD_PH_REC
|
2.702 2.996 2.996 2.996
|
Wiki
|
body
|
|
Message has a phrase standard for phishing mails
|
TVD_PH_SEC
|
1
|
Wiki
|
header
|
|
Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)|confirm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i
|
TVD_PH_SUBJ_ACCOUNTS_POST
|
2.999 2.996 2.999 2.996
|
Wiki
|
header
|
|
Subject =~ /^urgent(?:[\s\W]*$|.{1,40}(?:alert|response|assistance|proposal|reply|warning|noti(?:ce|fication)|greeting|matter))/i
|
TVD_PH_SUBJ_URGENT
|
2.616 2.102 2.799 2.797
|
Wiki
|
body
|
|
/\bquality med(?:ication)?s\b/i
|
TVD_QUAL_MEDS
|
2.626 4.123 2.647 3.568
|
Wiki
|
header
|
|
Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
|
TVD_RATWARE_CB
|
2.839 2.914 2.465 2.645
|
Wiki
|
header
|
|
Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
|
TVD_RATWARE_CB_2
|
1
|
Wiki
|
header
|
|
Message-ID =~ /^[^<]*<[a-z]+\@/
|
TVD_RATWARE_MSGID_02
|
2.139 1.688 1.557 0.581
|
Wiki
|
header
|
|
Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
|
TVD_RCVD_IP
|
0.502 1.617 2.270 1.931
|
Wiki
|
header
|
|
Received =~ /^from\s+(?:\d+\.){3}\d+\s/
|
TVD_RCVD_IP4
|
4.099 3.344 2.901 3.183
|
Wiki
|
header
|
|
Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/
|
TVD_RCVD_SINGLE
|
2.999 0.303 2.999 1.351
|
Wiki
|
header
|
|
Received =~ /\(\[(?!UNIX:)[^\[\]]*\s/
|
TVD_RCVD_SPACE_BRACKET
|
1
|
Wiki
|
body
|
|
/\bSection (?:27A|21B)/i
|
TVD_SECTION
|
2.956 3.317 1.541 3.499
|
Wiki
|
body
|
|
m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
|
TVD_SILLY_URI_OBFU
|
1
|
Wiki
|
header
|
|
Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
|
TVD_SPACED_SUBJECT_WORD3
|
2.802 3.599 2.276 2.412
|
Wiki
|
body
|
|
eval:check_stock_info('2')
|
TVD_STOCK1
|
4.199 3.792 4.199 3.753
|
Wiki
|
header
|
|
Subject has spammy looking monetary reference
|
TVD_SUBJ_ACC_NUM
|
1
|
Wiki
|
header
|
|
Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
|
TVD_SUBJ_FINGER_03
|
1
|
Wiki
|
header
|
|
Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
|
TVD_SUBJ_OWE
|
3.199 3.196 3.199 3.196
|
Wiki
|
header
|
|
Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
|
TVD_SUBJ_WIPE_DEBT
|
2.899 2.896 2.899 2.663
|
Wiki
|
body
|
|
/Online Ph.rmacy/i
|
TVD_VISIT_PHARMA
|
2.297 0.001 0.001 0.001
|
Wiki
|
rawbody
|
|
/<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
|
TVD_VIS_HIDDEN
|
2.600 1.908 2.368 0.839
|
Wiki
|
body
|
|
URI in combined-HIB.dnsiplists.completewhois.com
|
URIBL_COMPLETEWHOIS
|
1
|
Wiki
|
body
|
|
Contains an URI listed in abuse.rfc-ignorant.org
|
URIBL_RHS_ABUSE
|
1
|
Wiki
|
body
|
|
Contains an URI listed in rhsbl.ahbl.org.
|
URIBL_RHS_AHBL
|
1
|
Wiki
|
body
|
|
Contains an URI listed in bogusmx.rfc-ignorant.org
|
URIBL_RHS_BOGUSMX
|
1
|
Wiki
|
body
|
|
Contains an URI of a new domain (Day Old Bread)
|
URIBL_RHS_DOB
|
0 0.901 0 1.083
|
Wiki
|
body
|
|
Contains an URI listed in dsn.rfc-ignorant.org
|
URIBL_RHS_DSN
|
1
|
Wiki
|
body
|
|
Contains an URI in postmaster.rfc-ignorant.org
|
URIBL_RHS_POST
|
1
|
Wiki
|
body
|
|
Contains an URI TLD in whois.rfc-ignorant.org
|
URIBL_RHS_TLD_WHOIS
|
1
|
Wiki
|
body
|
|
Contains an URI listed in [black] uribl.com
|
URIBL_RHS_URIBL_BLACK
|
1
|
Wiki
|
body
|
|
Contains an URI listed in [grey] uribl.com
|
URIBL_RHS_URIBL_GREY
|
1
|
Wiki
|
body
|
|
Contains an URI listed in whois.rfc-ignorant.org
|
URIBL_RHS_WHOIS
|
1
|
Wiki
|
body
|
|
URL listed in XS SURBL - TEsting
|
URIBL_XS_SURBL
|
1
|
Wiki
|
uri
|
|
/\/l\.php\?\d/
|
URI_L_PHP
|
3.099 3.096 3.099 2.905
|
Wiki
|
body
|
|
URL registered to 1&1 Private Registration
|
WHOIS_1AND1PR
|
1
|
Wiki
|
body
|
|
URL registered as an AIT Private Registration
|
WHOIS_AITPRIV
|
0 3.995 0 3.510
|
Wiki
|
body
|
|
URL registered to contactprivacy.com
|
WHOIS_CONTACTPRIV
|
0 2.696 0 2.696
|
Wiki
|
body
|
|
Contains URL registered to Domains by Proxy
|
WHOIS_DMNBYPROXY
|
0 0.260 0 0.478
|
Wiki
|
body
|
|
URL registered to Domain Escrow Services
|
WHOIS_DOMESCROW
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
URL registered to DomainPrivacyCorp.com
|
WHOIS_DOMPRIVCORP
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
URL registered as a DreamHost Private Registration
|
WHOIS_DREAMPRIV
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
URL registered as an DROA Private Registration
|
WHOIS_DROA
|
1
|
Wiki
|
body
|
|
URL registered to Dynadot Privacy
|
WHOIS_DYNADOT
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
URL registered to Finexe Domain Proxy Service
|
WHOIS_FINEXE
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
URL registered to GKG.NET Domain Proxy Service
|
WHOIS_GKGPROXY
|
1
|
Wiki
|
body
|
|
Contains URL registered to WHOIS ID Shield
|
WHOIS_IDSHIELD
|
1
|
Wiki
|
body
|
|
URL registered to Whois ID Theft Protection
|
WHOIS_IDTHEFTPROT
|
1
|
Wiki
|
body
|
|
URL registered to Katz Global Domain Name Trust
|
WHOIS_KATZ
|
1
|
Wiki
|
body
|
|
URL registered to Domain Listing Agent
|
WHOIS_LISTINGAG
|
1
|
Wiki
|
body
|
|
URL registered to LNOA WHOIS Privacy
|
WHOIS_LNOA
|
1
|
Wiki
|
body
|
|
URL registered to MapName
|
WHOIS_MAPNAME
|
1
|
Wiki
|
body
|
|
URL registered to Moniker Privacy Protection
|
WHOIS_MONIKER_PRIV
|
0 2.596 0 2.596
|
Wiki
|
body
|
|
URL registered to myprivateregistration.com
|
WHOIS_MYPRIVREG
|
0 0.156 0 1.499
|
Wiki
|
body
|
|
URL registered to NameKing
|
WHOIS_NAMEKING
|
0 1.477 0 1.409
|
Wiki
|
body
|
|
Contains URL registered to NameSecure
|
WHOIS_NAMESECURE
|
1
|
Wiki
|
body
|
|
URL registered to NetIdentity
|
WHOIS_NETID
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
URL registered as a NetSol Private Registration
|
WHOIS_NETSOLPR
|
0 0.001 0 0.001
|
Wiki
|
body
|
|
URL registered to NOLDC, Inc.
|
WHOIS_NOLDC
|
1
|
Wiki
|
body
|
|
URL registered to Nominet Private Registrant
|
WHOIS_NOMINET
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
Contains URL registered to PrivacyPost
|
WHOIS_PRIVACYPOST
|
0 0.647 0 0.001
|
Wiki
|
body
|
|
URL registered to privacy-domain.com
|
WHOIS_PRIVDOMAIN
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
URL registered to WHOIS Privacy Protection
|
WHOIS_PRIVPROT
|
0 2.801 0 1.501
|
Wiki
|
body
|
|
URL registered to R4L Privacy
|
WHOIS_REGISTER4LESS
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
Contains URL registered to RegisterFly
|
WHOIS_REGISTERFLY
|
0 3.196 0 1.645
|
Wiki
|
body
|
|
URL registered to RegTek Whois Envoy
|
WHOIS_REGTEK
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
Contains URL registered to SafeNames
|
WHOIS_SAFENAMES
|
0 0.000 0 1.000
|
Wiki
|
body
|
|
URL registered to Secure WHOIS Information Services
|
WHOIS_SECINFOSERV
|
1
|
Wiki
|
body
|
|
Contains URL registered to SecureWhois
|
WHOIS_SECUREWHOIS
|
0 2.696 0 2.696
|
Wiki
|
body
|
|
URL registered to SpamFreeReg.com
|
WHOIS_SPAMFREE
|
1
|
Wiki
|
body
|
|
URL registered as an SRSPlus Private Registration
|
WHOIS_SRSPLUS
|
1
|
Wiki
|
body
|
|
Contains URL registered to Unlisted-Whois.com
|
WHOIS_UNLISTED
|
0 2.170 0 2.839
|
Wiki
|
body
|
|
URL registered to WhoisGuard
|
WHOIS_WHOISGUARD
|
0 3.399 0 2.025
|
Wiki
|
body
|
|
URL registered to WhoisProtector
|
WHOIS_WHOISPROT
|
0 0.000 0 1.000
|
Wiki
|
header
|
|
X-Library =~ /^Indy/
|
X_LIBRARY
|
2.700 2.696 2.899 2.752
|
Wiki
|
body
|
|
/Your cr[d\.]* (?:scor|rat)ing doesn.t matter/
|
YOUR_CRD_RATING
|
3.099 3.096 3.099 2.848
|
Wiki
|