This is the current list of tests SpamAssassin performs on mail messages to
determine if they're spam or not. If you wish to change the score from the
default, add a line like this to your ~/.spamassassin/user_prefs:
Note that these are the scores for the current stable release of SpamAssassin;
they may be different from the ones you're running on your servers, if SpamAssassin
is installed there.
The 'More Info' links, if present, lead to a section of our Wiki for collaborative
documentation of rules; some of the rules include additional user-contributed
documentation there. If you feel like adding a page describing a rule in
further detail, feel free to create a page at that link, using the RuleDescriptionTemplate format.
|
AREA TESTED
|
LOCALE
|
DESCRIPTION OF TEST
|
TEST NAME
|
DEFAULT SCORES
(local, net, with bayes, with bayes+net)
|
MORE INFO
(additional wiki docs)
|
|
body
|
|
Generic Test for Unsolicited Bulk Email
|
GTUBE
|
1000.000
|
Wiki
|
|
body
|
|
Incorporates a tracking ID number
|
TRACKER_ID
|
2.026 1.102 1.750 1.306
|
Wiki
|
|
body
|
|
Weird repeated double-quotation marks
|
WEIRD_QUOTING
|
0.001 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
Body contains a ROT13-encoded email address
|
EMAIL_ROT13
|
1
|
Wiki
|
|
body
|
|
HTML and text parts are different
|
MPART_ALT_DIFF
|
2.246 0.724 0.595 0.790
|
Wiki
|
|
body
|
|
HTML and text parts are different
|
MPART_ALT_DIFF_COUNT
|
2.799 1.483 1.199 1.112
|
Wiki
|
|
body
|
|
Message body has 80-90% blank lines
|
BLANK_LINES_80_90
|
1
|
Wiki
|
|
body
|
|
eval:check_ma_non_text()
|
MULTIPART_ALT_NON_TEXT
|
1
|
Wiki
|
|
body
|
|
Character set indicates a foreign language
|
CHARSET_FARAWAY
|
3.200
|
Wiki
|
|
rawbody
|
|
Extra blank lines in base64 encoding
|
MIME_BASE64_BLANKS
|
0.001 0.001 0.001 0.001
|
Wiki
|
|
rawbody
|
|
Message text disguised using base64 encoding
|
MIME_BASE64_TEXT
|
0.001 0.001 0.001 1.741
|
Wiki
|
|
body
|
|
Missing blank line between MIME header and body
|
MISSING_MIME_HB_SEP
|
0.001 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
Multipart message mostly text/html MIME
|
MIME_HTML_MOSTLY
|
0.354 0.001 0.725 0.428
|
Wiki
|
|
body
|
|
Message only has text/html MIME parts
|
MIME_HTML_ONLY
|
2.199 1.105 1.199 0.723
|
Wiki
|
|
rawbody
|
|
Quoted-printable line longer than 76 chars
|
MIME_QP_LONG_LINE
|
0.001
|
Wiki
|
|
body
|
|
MIME character set is an unknown ISO charset
|
MIME_BAD_ISO_CHARSET
|
1
|
Wiki
|
|
body
|
|
IP to HTTPS link found in HTML
|
HTTPS_IP_MISMATCH
|
1
|
Wiki
|
|
body
|
|
Message contained a URI which was truncated
|
URI_TRUNCATED
|
0.001
|
Wiki
|
|
header
|
|
Passed through trusted hosts only via SMTP
|
ALL_TRUSTED
|
-1.000
|
Wiki
|
|
header
|
|
Informational: message was not relayed via SMTP
|
NO_RELAYS
|
-0.001
|
Wiki
|
|
header
|
|
NJABL: sender is confirmed open relay
|
RCVD_IN_NJABL_RELAY
|
0 1.881 0 2.499
|
Wiki
|
|
header
|
|
NJABL: sender is confirmed spam source
|
RCVD_IN_NJABL_SPAM
|
0 1.466 0 1.249
|
Wiki
|
|
header
|
|
NJABL: sent through multi-stage open relay
|
RCVD_IN_NJABL_MULTI
|
1
|
Wiki
|
|
header
|
|
NJABL: sender is an open formmail
|
RCVD_IN_NJABL_CGI
|
1
|
Wiki
|
|
header
|
|
NJABL: sender is an open proxy
|
RCVD_IN_NJABL_PROXY
|
0 0.208 0 2.224
|
Wiki
|
|
header
|
|
SORBS: sender is open HTTP proxy server
|
RCVD_IN_SORBS_HTTP
|
0 2.499 0 0.001
|
Wiki
|
|
header
|
|
SORBS: sender is open SOCKS proxy server
|
RCVD_IN_SORBS_SOCKS
|
0 2.443 0 1.927
|
Wiki
|
|
header
|
|
SORBS: sender is open proxy server
|
RCVD_IN_SORBS_MISC
|
1
|
Wiki
|
|
header
|
|
SORBS: sender is open SMTP relay
|
RCVD_IN_SORBS_SMTP
|
1
|
Wiki
|
|
header
|
|
SORBS: sender is an abusable web server
|
RCVD_IN_SORBS_WEB
|
0 0.614 0 0.770
|
Wiki
|
|
header
|
|
SORBS: sender demands to never be tested
|
RCVD_IN_SORBS_BLOCK
|
1
|
Wiki
|
|
header
|
|
SORBS: sender is on a hijacked network
|
RCVD_IN_SORBS_ZOMBIE
|
1
|
Wiki
|
|
header
|
|
SORBS: sent directly from dynamic IP address
|
RCVD_IN_SORBS_DUL
|
0 0.001 0 0.001
|
Wiki
|
|
header
|
|
Received via a relay in Spamhaus SBL
|
RCVD_IN_SBL
|
0 2.596 0 0.141
|
Wiki
|
|
header
|
|
Received via a relay in Spamhaus XBL
|
RCVD_IN_XBL
|
0 0.724 0 0.375
|
Wiki
|
|
header
|
|
Received via a relay in Spamhaus PBL
|
RCVD_IN_PBL
|
0 3.558 0 3.335
|
Wiki
|
|
header
|
|
Envelope sender in dsn.rfc-ignorant.org
|
DNS_FROM_RFC_DSN
|
0 0.001 0 0.001
|
Wiki
|
|
header
|
|
Envelope sender in bogusmx.rfc-ignorant.org
|
DNS_FROM_RFC_BOGUSMX
|
0 1.464 0 1.668
|
Wiki
|
|
header
|
|
Envelope sender listed in dnsbl.ahbl.org
|
DNS_FROM_AHBL_RHSBL
|
0 2.438 0 2.699
|
Wiki
|
|
header
|
|
Received via a relay in bl.spamcop.net
|
RCVD_IN_BL_SPAMCOP_NET
|
0 1.246 0 1.347
|
Wiki
|
|
header
|
|
Relay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html
|
RCVD_IN_MAPS_RBL
|
1
|
Wiki
|
|
header
|
|
Relay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html
|
RCVD_IN_MAPS_DUL
|
1
|
Wiki
|
|
header
|
|
Relay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html
|
RCVD_IN_MAPS_RSS
|
1
|
Wiki
|
|
header
|
|
Relay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html
|
RCVD_IN_MAPS_OPS
|
1
|
Wiki
|
|
header
|
|
Relay in NML, http://www.mail-abuse.com/enduserinfo_nml.html
|
RCVD_IN_MAPS_NML
|
1
|
Wiki
|
|
header
|
|
ISIPP IADB lists as vouched-for sender
|
RCVD_IN_IADB_VOUCHED
|
0 -2.2 0 -2.2
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'cialis'
|
SUBJECT_DRUG_GAP_C
|
2.108 0.989 1.348 2.140
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'levitra'
|
SUBJECT_DRUG_GAP_L
|
2.799 2.304 1.402 1.561
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'soma'
|
SUBJECT_DRUG_GAP_S
|
1
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'valium'
|
SUBJECT_DRUG_GAP_VA
|
1
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'xanax'
|
SUBJECT_DRUG_GAP_X
|
1
|
Wiki
|
|
body
|
|
Talks about price per dose
|
DRUG_DOSAGE
|
1
|
Wiki
|
|
body
|
|
Mentions an E.D. drug
|
DRUG_ED_CAPS
|
2.799 1.023 2.516 0.936
|
Wiki
|
|
body
|
|
Talks about an E.D. drug using its chemical name
|
DRUG_ED_SILD
|
0.001 0.170 0.113 1.794
|
Wiki
|
|
body
|
|
Mentions Generic Viagra
|
DRUG_ED_GENERIC
|
1
|
Wiki
|
|
body
|
|
Fast Viagra Delivery
|
DRUG_ED_ONLINE
|
0.696 1.152 1.221 0.608
|
Wiki
|
|
body
|
|
Online Pharmacy
|
ONLINE_PHARMACY
|
0.843 2.371 0.008 0.650
|
Wiki
|
|
body
|
|
No prescription needed
|
NO_PRESCRIPTION
|
1.915 1.102 2.280 2.399
|
Wiki
|
|
body
|
|
Attempts to disguise the word 'viagra'
|
VIA_GAP_GRA
|
1
|
Wiki
|
|
body
|
|
Two or more drugs crammed together into one word
|
DRUGS_SMEAR1
|
3.300 2.051 3.148 0.235
|
Wiki
|
|
header
|
|
Relay HELO'd with suspicious hostname (mail.com)
|
FAKE_HELO_MAIL_COM_DOM
|
1.887 0.152 1.370 2.136
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Rogers)
|
HELO_DYNAMIC_ROGERS
|
1
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (T-Dialin)
|
HELO_DYNAMIC_DIALIN
|
2.629 3.233 2.186 1.366
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Hex IP)
|
HELO_DYNAMIC_HEXIP
|
2.321 0.511 1.773 1.789
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Split IP)
|
HELO_DYNAMIC_SPLIT_IP
|
3.031 2.893 4.225 3.482
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (IP addr 2)
|
HELO_DYNAMIC_IPADDR2
|
2.815 3.888 3.728 3.607
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Chello.nl)
|
HELO_DYNAMIC_CHELLO_NL
|
2.412 1.918 2.019 2.428
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Home.nl)
|
HELO_DYNAMIC_HOME_NL
|
2.385 1.530 1.024 1.459
|
Wiki
|
|
header
|
|
Sender email is freemail
|
FREEMAIL_FROM
|
0.001
|
Wiki
|
|
header
|
|
Envelope-from freemail username ends in digit
|
FREEMAIL_ENVFROM_END_DIGIT
|
2.602 2.223 1.770 1.553
|
Wiki
|
|
header
|
|
Reply-To freemail username ends in digit
|
FREEMAIL_REPLYTO_END_DIGIT
|
1.221 0.980 1.179 1.151
|
Wiki
|
|
header
|
|
Partial message
|
FRAGMENTED_MESSAGE
|
1
|
Wiki
|
|
header
|
|
From: contains empty name
|
FROM_BLANK_NAME
|
2.099 2.099 2.099 0.723
|
Wiki
|
|
header
|
|
From: starts with many numbers
|
FROM_STARTS_WITH_NUMS
|
2.801 0.553 1.201 0.738
|
Wiki
|
|
header
|
|
From address is "at something-offers"
|
FROM_OFFERS
|
2.699 2.699 2.510 2.699
|
Wiki
|
|
header
|
|
From: has no local-part before @ sign
|
FROM_NO_USER
|
0.001 2.599 0.019 0.798
|
Wiki
|
|
header
|
|
Spam tool Message-Id: (caps variant)
|
MSGID_SPAM_CAPS
|
2.366 1.997 3.099 3.099
|
Wiki
|
|
header
|
|
Spam tool Message-Id: (letters variant)
|
MSGID_SPAM_LETTERS
|
1
|
Wiki
|
|
header
|
|
Message-ID has ALLCAPS@yahoo.com
|
MSGID_YAHOO_CAPS
|
0.797 1.413 2.278 1.411
|
Wiki
|
|
header
|
|
Message-ID is unusually short
|
MSGID_SHORT
|
0.001 0.337 0.001 0.001
|
Wiki
|
|
header
|
|
Message-ID contains multiple '@' characters
|
MSGID_MULTIPLE_AT
|
0.001
|
Wiki
|
|
header
|
|
Date header uses unusual Y2K formatting
|
DATE_SPAMWARE_Y2K
|
1
|
Wiki
|
|
header
|
|
Invalid Date: header (not RFC 2822)
|
INVALID_DATE
|
1.701 0.432 1.200 1.096
|
Wiki
|
|
header
|
|
Invalid Date: header (timezone does not exist)
|
INVALID_DATE_TZ_ABSURD
|
0.262 0.632 0.706 0.491
|
Wiki
|
|
header
|
|
Invalid date in header (wrong CST timezone)
|
INVALID_TZ_CST
|
1
|
Wiki
|
|
header
|
|
Invalid date in header (wrong EST timezone)
|
INVALID_TZ_EST
|
1
|
Wiki
|
|
header
|
|
Subject contains an English UCE tag
|
ENGLISH_UCE_SUBJECT
|
0.953 1.542 2.569 2.899
|
Wiki
|
|
header
|
|
Subject contains a Japanese UCE tag
|
JAPANESE_UCE_SUBJECT
|
1
|
Wiki
|
|
header
|
|
Subject: contains Korean unsolicited email tag
|
KOREAN_UCE_SUBJECT
|
1
|
Wiki
|
|
header
|
|
Contains forged hostname for a DSL IP in Brazil
|
FORGED_TELESP_RCVD
|
2.499 2.499 2.499 1.841
|
Wiki
|
|
header
|
|
Character set doesn't exist
|
NONEXISTENT_CHARSET
|
1
|
Wiki
|
|
header
|
|
Message has Prevent-NonDelivery-Report header
|
PREVENT_NONDELIVERY
|
1
|
Wiki
|
|
header
|
|
Message has X-IP header
|
X_IP
|
0.001 0.001 0.001 0.001
|
Wiki
|
|
header
|
|
Subject contains "As Seen"
|
SUBJ_AS_SEEN
|
2.711 3.099 3.099 1.461
|
Wiki
|
|
header
|
|
Subject starts with dollar amount
|
SUBJ_DOLLARS
|
0.600 0.001 0.601 1.800
|
Wiki
|
|
header
|
|
Subject contains "Your Bills" or similar
|
SUBJ_YOUR_DEBT
|
3.299 3.045 1.199 0.987
|
Wiki
|
|
header
|
|
Subject contains "Your Family"
|
SUBJ_YOUR_FAMILY
|
2.910 2.999 2.999 2.999
|
Wiki
|
|
header
|
|
Received contains a faked HELO hostname
|
RCVD_FAKE_HELO_DOTCOM
|
2.799 2.389 2.605 1.189
|
Wiki
|
|
header
|
|
Subject talks about losing pounds
|
SUBJECT_DIET
|
1.927 1.563 0.817 1.466
|
Wiki
|
|
header
|
|
Header has extraneous Content-type:...type= entry
|
EXTRA_MPART_TYPE
|
1.0
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary
|
MIME_BOUND_DD_DIGITS
|
3.016 0.349 2.417 1.373
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary
|
MIME_BOUND_DIGITS_15
|
0.432 1.225 1.241 0.798
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary
|
MIME_BOUND_MANY_HEX
|
1
|
Wiki
|
|
header
|
|
To: has a malformed address
|
TO_MALFORMED
|
0.892 1.247 2.099 2.099
|
Wiki
|
|
header
|
|
Received line contains spam-sign (lowercase smtp)
|
WITH_LC_SMTP
|
1
|
Wiki
|
|
header
|
|
Subject line starts with Buy or Buying
|
SUBJ_BUY
|
0.594 1.498 0.001 0.639
|
Wiki
|
|
header
|
|
Received headers forged (AM/PM)
|
RCVD_AM_PM
|
1
|
Wiki
|
|
header
|
|
Received header contains faked 'mr.outblaze.com'
|
FAKE_OUTBLAZE_RCVD
|
1
|
Wiki
|
|
header
|
|
Headers contain an unclosed bracket
|
UNCLOSED_BRACKET
|
2.699 1.329 1.425 1.496
|
Wiki
|
|
header
|
|
From: domain has series of non-vowel letters
|
FROM_DOMAIN_NOVOWEL
|
0.500
|
Wiki
|
|
header
|
|
From: localpart has series of non-vowel letters
|
FROM_LOCAL_NOVOWEL
|
0.500
|
Wiki
|
|
header
|
|
From: localpart has long hexadecimal sequence
|
FROM_LOCAL_HEX
|
0.000 0.331 0.001 0.006
|
Wiki
|
|
header
|
|
From: localpart has long digit sequence
|
FROM_LOCAL_DIGITS
|
0.001
|
Wiki
|
|
header
|
|
Cc: after X-Priority: (bulk email fingerprint)
|
X_PRIORITY_CC
|
1
|
Wiki
|
|
header
|
|
Message has bad MIME encoding in the header
|
BAD_ENC_HEADER
|
3.099 1.716 1.805 1.988
|
Wiki
|
|
header
|
|
Received: contains illegal IP address
|
RCVD_ILLEGAL_IP
|
3.399
|
Wiki
|
|
header
|
|
A foreign language charset used in headers
|
CHARSET_FARAWAY_HEADER
|
3.200
|
Wiki
|
|
header
|
|
From: has too many raw illegal characters
|
FROM_ILLEGAL_CHARS
|
2.192 2.059 0.240 0.036
|
Wiki
|
|
header
|
|
Headers have too many raw illegal characters
|
HEAD_ILLEGAL_CHARS
|
1
|
Wiki
|
|
header
|
|
hotmail.com 'From' address, but no 'Received:'
|
FORGED_HOTMAIL_RCVD2
|
0.001 1.187 0.698 0.874
|
Wiki
|
|
header
|
|
'From' yahoo.com does not match 'Received' headers
|
FORGED_YAHOO_RCVD
|
2.397 1.022 2.599 1.630
|
Wiki
|
|
header
|
|
Recipient list is sorted by address
|
SORTED_RECIPS
|
1.801 2.474 1.791 2.499
|
Wiki
|
|
header
|
|
Similar addresses in recipient list
|
SUSPICIOUS_RECIPS
|
2.499 2.497 2.139 2.510
|
Wiki
|
|
header
|
|
Missing To: header
|
MISSING_HEADERS
|
0.915 1.207 1.204 1.021
|
Wiki
|
|
header
|
|
Date: is 3 to 6 hours before Received: date
|
DATE_IN_PAST_03_06
|
2.399 1.076 1.200 1.592
|
Wiki
|
|
header
|
|
Date: is 6 to 12 hours before Received: date
|
DATE_IN_PAST_06_12
|
1.699 1.103 1.274 1.543
|
Wiki
|
|
header
|
|
Date: is 12 to 24 hours before Received: date
|
DATE_IN_PAST_12_24
|
0.001 0.804 1.190 1.049
|
Wiki
|
|
header
|
|
Date: is 24 to 48 hours before Received: date
|
DATE_IN_PAST_24_48
|
1.109 0.485 0.624 1.340
|
Wiki
|
|
header
|
|
Date: is 96 hours or more before Received: date
|
DATE_IN_PAST_96_XX
|
2.600 2.070 1.233 3.405
|
Wiki
|
|
header
|
|
Date: is 3 to 6 hours after Received: date
|
DATE_IN_FUTURE_03_06
|
3.399 2.426 2.997 3.027
|
Wiki
|
|
header
|
|
Date: is 6 to 12 hours after Received: date
|
DATE_IN_FUTURE_06_12
|
2.899 0.001 2.222 1.947
|
Wiki
|
|
header
|
|
Date: is 12 to 24 hours after Received: date
|
DATE_IN_FUTURE_12_24
|
2.603 2.489 3.199 3.199
|
Wiki
|
|
header
|
|
Date: is 24 to 48 hours after Received: date
|
DATE_IN_FUTURE_24_48
|
2.598 1.248 0.001 2.048
|
Wiki
|
|
header
|
|
Date: is 48 to 96 hours after Received: date
|
DATE_IN_FUTURE_48_96
|
2.384 0.813 1.078 2.181
|
Wiki
|
|
header
|
|
Date: is 96 hours or more after Received: date
|
DATE_IN_FUTURE_96_XX
|
2.614 3.028 2.851 3.087
|
Wiki
|
|
header
|
|
Headers contain an unresolved template
|
UNRESOLVED_TEMPLATE
|
3.035 0.716 2.424 1.252
|
Wiki
|
|
header
|
|
Subject is all capitals
|
SUBJ_ALL_CAPS
|
0.518 1.625 1.197 1.506
|
Wiki
|
|
header
|
|
Local part of To: address appears in Subject
|
LOCALPART_IN_SUBJECT
|
0.001 0.730 1.199 1.107
|
Wiki
|
|
header
|
|
Message-Id is fake (in Outlook Express format)
|
MSGID_OUTLOOK_INVALID
|
3.899
|
Wiki
|
|
header
|
|
Multiple Content-Type headers found
|
HEADER_COUNT_CTYPE
|
1
|
Wiki
|
|
header
|
|
Message headers are very long
|
HEAD_LONG
|
1
|
Wiki
|
|
header
|
|
Missing blank line between message header and body
|
MISSING_HB_SEP
|
1
|
Wiki
|
|
header
|
|
Informational: message has unparseable relay lines
|
UNPARSEABLE_RELAY
|
0.001
|
Wiki
|
|
header
|
|
Received: HELO and IP do not match, but should
|
RCVD_HELO_IP_MISMATCH
|
1.680 1.186 2.362 2.368
|
Wiki
|
|
header
|
|
Received: contains an IP address used for HELO
|
RCVD_NUMERIC_HELO
|
0.001 0.865 0.001 1.164
|
Wiki
|
|
header
|
|
Host HELO'd as a big ISP, but had no rDNS
|
NO_RDNS_DOTCOM_HELO
|
3.100 0.433 3.099 0.823
|
Wiki
|
|
rawbody
|
|
Javascript to hide URLs in browser
|
HIDE_WIN_STATUS
|
0.001 1.353 0.754 1.380
|
Wiki
|
|
body
|
|
HTML included in message
|
HTML_MESSAGE
|
0.001
|
Wiki
|
|
body
|
|
HTML comment is very short
|
HTML_COMMENT_SHORT
|
1
|
Wiki
|
|
body
|
|
HTML message is a saved web page
|
HTML_COMMENT_SAVED_URL
|
0.198 0.357 0.899 1.391
|
Wiki
|
|
body
|
|
HTML with embedded plugin object
|
HTML_EMBEDS
|
0.001 0.001 1.171 1.799
|
Wiki
|
|
body
|
|
HTML contains far too many close tags
|
HTML_EXTRA_CLOSE
|
0.001
|
Wiki
|
|
body
|
|
HTML font size is large
|
HTML_FONT_SIZE_LARGE
|
0.001
|
Wiki
|
|
body
|
|
HTML font size is huge
|
HTML_FONT_SIZE_HUGE
|
0.001
|
Wiki
|
|
body
|
|
HTML font color similar to background
|
HTML_FONT_LOW_CONTRAST
|
0.713 0.001 0.786 0.001
|
Wiki
|
|
body
|
|
HTML font face is not a word
|
HTML_FONT_FACE_BAD
|
0.001 0.289 0.286 0.981
|
Wiki
|
|
body
|
|
HTML includes a form which sends mail
|
HTML_FORMACTION_MAILTO
|
1
|
Wiki
|
|
body
|
|
HTML: images with 0-400 bytes of words
|
HTML_IMAGE_ONLY_04
|
1.680 0.342 1.799 1.172
|
Wiki
|
|
body
|
|
HTML: images with 400-800 bytes of words
|
HTML_IMAGE_ONLY_08
|
0.585 1.781 1.845 1.651
|
Wiki
|
|
body
|
|
HTML: images with 800-1200 bytes of words
|
HTML_IMAGE_ONLY_12
|
1.381 1.629 1.400 2.059
|
Wiki
|
|
body
|
|
HTML: images with 1200-1600 bytes of words
|
HTML_IMAGE_ONLY_16
|
1.969 1.048 1.199 1.092
|
Wiki
|
|
body
|
|
HTML: images with 1600-2000 bytes of words
|
HTML_IMAGE_ONLY_20
|
2.109 0.700 1.300 1.546
|
Wiki
|
|
body
|
|
HTML: images with 2000-2400 bytes of words
|
HTML_IMAGE_ONLY_24
|
2.799 1.282 1.328 1.618
|
Wiki
|
|
body
|
|
HTML: images with 2400-2800 bytes of words
|
HTML_IMAGE_ONLY_28
|
2.799 0.726 1.512 1.404
|
Wiki
|
|
body
|
|
HTML: images with 2800-3200 bytes of words
|
HTML_IMAGE_ONLY_32
|
2.196 0.001 1.172 0.001
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_02
|
2.199 0.805 1.200 0.437
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_04
|
2.089 0.610 0.607 0.556
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_06
|
0.001 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_08
|
0.001 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
Message is 5% to 10% HTML obfuscation
|
HTML_OBFUSCATE_05_10
|
0.601 0.001 0.718 0.260
|
Wiki
|
|
body
|
|
Message is 10% to 20% HTML obfuscation
|
HTML_OBFUSCATE_10_20
|
0.174 1.162 0.588 0.093
|
Wiki
|
|
body
|
|
Message is 20% to 30% HTML obfuscation
|
HTML_OBFUSCATE_20_30
|
2.499 2.441 1.449 1.999
|
Wiki
|
|
body
|
|
Message is 30% to 40% HTML obfuscation
|
HTML_OBFUSCATE_30_40
|
1
|
Wiki
|
|
body
|
|
Message is 50% to 60% HTML obfuscation
|
HTML_OBFUSCATE_50_60
|
1
|
Wiki
|
|
body
|
|
Message is 70% to 80% HTML obfuscation
|
HTML_OBFUSCATE_70_80
|
1
|
Wiki
|
|
body
|
|
Message is 90% to 100% HTML obfuscation
|
HTML_OBFUSCATE_90_100
|
1
|
Wiki
|
|
body
|
|
HTML has unbalanced "body" tags
|
HTML_TAG_BALANCE_BODY
|
1.247 0.712 0.628 1.157
|
Wiki
|
|
body
|
|
HTML has unbalanced "head" tags
|
HTML_TAG_BALANCE_HEAD
|
0.520 0.000 0.600 0.817
|
Wiki
|
|
body
|
|
HTML has "bgsound" tag
|
HTML_TAG_EXIST_BGSOUND
|
1
|
Wiki
|
|
body
|
|
HTML message is 40% to 50% bad tags
|
HTML_BADTAG_40_50
|
1
|
Wiki
|
|
body
|
|
HTML message is 50% to 60% bad tags
|
HTML_BADTAG_50_60
|
1
|
Wiki
|
|
body
|
|
HTML message is 60% to 70% bad tags
|
HTML_BADTAG_60_70
|
1
|
Wiki
|
|
body
|
|
HTML message is 90% to 100% bad tags
|
HTML_BADTAG_90_100
|
1
|
Wiki
|
|
body
|
|
30% to 40% of HTML elements are non-standard
|
HTML_NONELEMENT_30_40
|
0.000 0.001 0.308 0.001
|
Wiki
|
|
body
|
|
40% to 50% of HTML elements are non-standard
|
HTML_NONELEMENT_40_50
|
1
|
Wiki
|
|
body
|
|
60% to 70% of HTML elements are non-standard
|
HTML_NONELEMENT_60_70
|
1
|
Wiki
|
|
body
|
|
80% to 90% of HTML elements are non-standard
|
HTML_NONELEMENT_80_90
|
1
|
Wiki
|
|
body
|
|
Message has HTML IFRAME tag with SRC URI
|
HTML_IFRAME_SRC
|
1
|
Wiki
|
|
header
|
|
Envelope sender has no MX or A DNS records
|
NO_DNS_FOR_FROM
|
0 0.379 0 0.001
|
Wiki
|
|
body
|
|
Removal phrase right before a link
|
REMOVE_BEFORE_LINK
|
0.406 1.587 1.799 1.800
|
Wiki
|
|
body
|
|
One hundred percent guaranteed
|
GUARANTEED_100_PERCENT
|
2.699 2.699 2.480 2.699
|
Wiki
|
|
body
|
|
Dear Friend? That's not very dear!
|
DEAR_FRIEND
|
2.683 2.604 1.801 2.577
|
Wiki
|
|
body
|
|
Contains 'Dear (something)'
|
DEAR_SOMETHING
|
1.999 1.731 1.787 1.973
|
Wiki
|
|
body
|
|
Talks about lots of money
|
BILLION_DOLLARS
|
0.001 1.451 1.229 1.638
|
Wiki
|
|
body
|
|
Claims you can be removed from the list
|
EXCUSE_4
|
2.399 1.687 2.399 1.325
|
Wiki
|
|
body
|
|
Claims you wanted this ad
|
EXCUSE_24
|
2.799
|
Wiki
|
|
body
|
|
Talks about how to be removed from mailings
|
EXCUSE_REMOVE
|
2.907 2.992 3.299 3.299
|
Wiki
|
|
body
|
|
Tells you about a strong buy
|
STRONG_BUY
|
1
|
Wiki
|
|
body
|
|
Offers a alert about a stock
|
STOCK_ALERT
|
1
|
Wiki
|
|
body
|
|
Not registered investment advisor
|
NOT_ADVISOR
|
1
|
Wiki
|
|
body
|
|
'Prestigious Non-Accredited Universities'
|
PREST_NON_ACCREDITED
|
1
|
Wiki
|
|
body
|
|
Information on growing body parts
|
BODY_ENHANCEMENT
|
0.927 1.611 0.974 0.001
|
Wiki
|
|
body
|
|
Information on getting larger body parts
|
BODY_ENHANCEMENT2
|
1.691 1.507 1.865 1.541
|
Wiki
|
|
body
|
|
Impotence cure
|
IMPOTENCE
|
1.539 2.144 3.028 1.374
|
Wiki
|
|
body
|
|
Talks about a million North American dollars
|
NA_DOLLARS
|
3.599
|
Wiki
|
|
body
|
|
Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN)
|
US_DOLLARS_3
|
2.599 2.523 1.780 1.754
|
Wiki
|
|
body
|
|
Talks about millions of dollars
|
MILLION_USD
|
3.799 2.477 3.221 3.247
|
Wiki
|
|
body
|
|
Contains urgent matter
|
URG_BIZ
|
1.750 0.941 0.568 0.573
|
Wiki
|
|
body
|
|
Money back guarantee
|
MONEY_BACK
|
2.910 2.486 0.601 1.232
|
Wiki
|
|
body
|
|
Free express or no-obligation quote
|
FREE_QUOTE_INSTANT
|
2.700 2.699 2.699 1.297
|
Wiki
|
|
body
|
|
Eliminate Bad Credit
|
BAD_CREDIT
|
2.799 1.658 1.279 2.415
|
Wiki
|
|
body
|
|
Home refinancing
|
REFINANCE_YOUR_HOME
|
1
|
Wiki
|
|
body
|
|
Home refinancing
|
REFINANCE_NOW
|
1
|
Wiki
|
|
body
|
|
No Medical Exams
|
NO_MEDICAL
|
2.199 1.254 2.199 1.773
|
Wiki
|
|
body
|
|
Lose Weight Spam
|
DIET_1
|
0.714 0.000 0.399 0.001
|
Wiki
|
|
body
|
|
Freedom of a financial nature
|
FIN_FREE
|
2.699 2.289 2.699 2.700
|
Wiki
|
|
body
|
|
Stock Disclaimer Statement
|
FORWARD_LOOKING
|
1
|
Wiki
|
|
body
|
|
One Time Rip Off
|
ONE_TIME
|
1.840 1.175 1.830 0.714
|
Wiki
|
|
body
|
|
Join Millions of Americans
|
JOIN_MILLIONS
|
0.700 0.128 1.549 1.026
|
Wiki
|
|
body
|
|
Claims you registered with a partner
|
MARKETING_PARTNERS
|
0.553 0.235 0.689 0.001
|
Wiki
|
|
body
|
|
Lowest Price
|
LOW_PRICE
|
0.161 0.600 0.001 1.464
|
Wiki
|
|
body
|
|
People just leave money laying around
|
UNCLAIMED_MONEY
|
2.699 2.699 2.699 2.427
|
Wiki
|
|
body
|
|
Message seems to contain rot13ed address
|
OBSCURED_EMAIL
|
1
|
Wiki
|
|
body
|
|
Talks about Oprah with an exclamation!
|
BANG_OPRAH
|
1
|
Wiki
|
|
body
|
|
Talks about 'acting now' with capitals
|
ACT_NOW_CAPS
|
1.404 2.399 0.925 2.211
|
Wiki
|
|
body
|
|
Talks about a bigger drive for sex
|
MORE_SEX
|
2.799 2.765 2.568 1.413
|
Wiki
|
|
body
|
|
Something is emphatically guaranteed
|
BANG_GUAR
|
2.202 2.377 1.690 2.704
|
Wiki
|
|
body
|
|
Message mentions investment advice
|
INVESTMENT_ADVICE
|
0.200 2.160 2.199 2.199
|
Wiki
|
|
body
|
|
Message talks about enhancing men
|
MALE_ENHANCE
|
3.100 3.099 3.099 0.851
|
Wiki
|
|
body
|
|
Message says that prices aren't too expensive
|
PRICES_ARE_AFFORDABLE
|
0.794 0.851 1.112 0.551
|
Wiki
|
|
body
|
|
Message talks about a replica watch
|
REPLICA_WATCH
|
3.487 3.164 4.074 3.775
|
Wiki
|
|
body
|
|
Message puts emphasis on the watch manufacturer
|
EM_ROLEX
|
0.595 1.309 2.068 0.618
|
Wiki
|
|
body
|
|
Possible porn - Free Porn
|
FREE_PORN
|
1
|
Wiki
|
|
body
|
|
Possible porn - Cum Shot
|
CUM_SHOT
|
1
|
Wiki
|
|
body
|
|
Possible porn - Live Porn
|
LIVE_PORN
|
1
|
Wiki
|
|
header
|
|
Subject indicates sexually-explicit content
|
SUBJECT_SEXUAL
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (eGroups) found
|
RATWARE_EGROUPS
|
1.898 1.258 1.406 1.621
|
Wiki
|
|
header
|
|
X-Mailer has malformed Outlook Express version
|
RATWARE_OE_MALFORMED
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Mozilla malformed) found
|
RATWARE_MOZ_MALFORMED
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (mPOP Web-Mail)
|
RATWARE_MPOP_WEBMAIL
|
1.153 1.338 1.229 1.999
|
Wiki
|
|
rawbody
|
|
Contains a hashbuster in Send-Safe format
|
RATWARE_HASH_DASH
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Gecko faked) found
|
RATWARE_GECKO_BUILD
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (X-Message-Info) found
|
X_MESSAGE_INFO
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (header-based) found
|
HEADER_SPAM
|
2.499 2.499 1.994 0.585
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Received PF) found
|
RATWARE_RCVD_PF
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Received @) found
|
RATWARE_RCVD_AT
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (envfrom) found
|
RATWARE_EFROM
|
2.999
|
Wiki
|
|
uri
|
|
/^https?:\/\/[^\/]*\&\#(?:\d{4,}| [3456789]\d\d);/i
|
HIGH_CODEPAGE_URI
|
1
|
Wiki
|
|
uri
|
|
Uses a numeric IP address in URL
|
NUMERIC_HTTP_ADDR
|
0.000 0.001 0.001 1.242
|
Wiki
|
|
uri
|
|
Uses %-escapes inside a URL's hostname
|
HTTP_ESCAPED_HOST
|
0.807 1.621 0.483 1.125
|
Wiki
|
|
uri
|
|
Completely unnecessary %-escapes inside a URL
|
HTTP_EXCESSIVE_ESCAPES
|
0.001 1.516 0.000 1.572
|
Wiki
|
|
uri
|
|
Dotted-decimal IP address followed by CGI
|
IP_LINK_PLUS
|
0.001 0.001 0.246 0.012
|
Wiki
|
|
uri
|
|
Uses non-standard port number for HTTP
|
WEIRD_PORT
|
0.001 0.001 0.097 0.001
|
Wiki
|
|
uri
|
|
Has Yahoo Redirect URI
|
YAHOO_RD_REDIR
|
1
|
Wiki
|
|
uri
|
|
Has Yahoo Redirect URI
|
YAHOO_DRS_REDIR
|
1
|
Wiki
|
|
uri
|
|
Contains an URL-encoded hostname (HTTP77)
|
HTTP_77
|
1
|
Wiki
|
|
uri
|
|
URI contains ".com" in middle
|
SPOOF_COM2OTH
|
2.999 2.999 2.877 2.723
|
Wiki
|
|
uri
|
|
URI contains ".com" in middle and end
|
SPOOF_COM2COM
|
0.001 1.632 1.952 2.048
|
Wiki
|
|
uri
|
|
URI contains ".net" or ".org", then ".com"
|
SPOOF_NET2COM
|
1
|
Wiki
|
|
uri
|
|
URI hostname has long hexadecimal sequence
|
URI_HEX
|
2.800 1.313 1.206 1.122
|
Wiki
|
|
uri
|
|
URI hostname has long non-vowel sequence
|
URI_NOVOWEL
|
0.500
|
Wiki
|
|
uri
|
|
URI contains suspicious unsubscribe link
|
URI_UNSUBSCRIBE
|
1
|
Wiki
|
|
uri
|
|
CGI in .info TLD other than third-level "www"
|
URI_NO_WWW_INFO_CGI
|
2.299 2.299 0.292 2.071
|
Wiki
|
|
uri
|
|
CGI in .biz TLD other than third-level "www"
|
URI_NO_WWW_BIZ_CGI
|
2.399 2.399 2.400 2.399
|
Wiki
|
|
uri
|
|
Uses a dotted-decimal IP address in URL
|
NORMAL_HTTP_TO_IP
|
0.159 0.001 0.795 0.001
|
Wiki
|
|
body
|
|
Bayes spam probability is 0 to 1%
|
BAYES_00
|
0 0 -1.5 -1.9
|
Wiki
|
|
body
|
|
Bayes spam probability is 1 to 5%
|
BAYES_05
|
0 0 -0.3 -0.5
|
Wiki
|
|
body
|
|
Bayes spam probability is 5 to 20%
|
BAYES_20
|
0 0 -0.001 -0.001
|
Wiki
|
|
body
|
|
Bayes spam probability is 20 to 40%
|
BAYES_40
|
0 0 -0.001 -0.001
|
Wiki
|
|
body
|
|
Bayes spam probability is 40 to 60%
|
BAYES_50
|
0 0 2.0 0.8
|
Wiki
|
|
body
|
|
Bayes spam probability is 60 to 80%
|
BAYES_60
|
0 0 2.5 1.5
|
Wiki
|
|
body
|
|
Bayes spam probability is 80 to 95%
|
BAYES_80
|
0 0 2.7 2.0
|
Wiki
|
|
body
|
|
Bayes spam probability is 95 to 99%
|
BAYES_95
|
0 0 3.2 3.0
|
Wiki
|
|
body
|
|
Bayes spam probability is 99 to 100%
|
BAYES_99
|
0 0 3.8 3.5
|
Wiki
|
|
header
|
|
Message would have been caught by accessdb
|
ACCESSDB
|
1
|
Wiki
|
|
body
|
|
Message includes Microsoft executable program
|
MICROSOFT_EXECUTABLE
|
0.1
|
Wiki
|
|
body
|
|
MIME filename does not match content
|
MIME_SUSPECT_NAME
|
0.1
|
Wiki
|
|
full
|
|
Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
|
DCC_CHECK
|
0 1.1 0 1.1
|
Wiki
|
|
full
|
|
DCC reputation between 0 and 12 % (mostly ham)
|
DCC_REPUT_00_12
|
0 -0.8 0 -0.4
|
Wiki
|
|
full
|
|
eval:check_dcc_reputation_range(13,19)
|
DCC_REPUT_13_19
|
0 -0.1 0 -0.1
|
Wiki
|
|
full
|
|
DCC reputation between 70 and 89 %
|
DCC_REPUT_70_89
|
0 0.1 0 0.1
|
Wiki
|
|
full
|
|
DCC reputation between 90 and 94 %
|
DCC_REPUT_90_94
|
0 0.4 0 0.6
|
Wiki
|
|
full
|
|
DCC reputation between 95 and 98 % (mostly spam)
|
DCC_REPUT_95_98
|
0 0.7 0 1.0
|
Wiki
|
|
full
|
|
DCC reputation between 99 % or higher (spam)
|
DCC_REPUT_99_100
|
0 1.2 0 1.4
|
Wiki
|
|
full
|
|
Message has a DKIM or DK signature, not necessarily valid
|
DKIM_SIGNED
|
0.1
|
Wiki
|
|
full
|
|
Message has at least one valid DKIM or DK signature
|
DKIM_VALID
|
-0.1
|
Wiki
|
|
full
|
|
Message has a valid DKIM or DK signature from author's domain
|
DKIM_VALID_AU
|
-0.1
|
Wiki
|
|
header
|
|
No valid author signature and domain not in DNS
|
DKIM_ADSP_NXDOMAIN
|
0 0.8 0 0.9
|
Wiki
|
|
header
|
|
No valid author signature, domain signs all mail and suggests discarding the rest
|
DKIM_ADSP_DISCARD
|
0 1.8 0 1.8
|
Wiki
|
|
header
|
|
No valid author signature, domain signs all mail
|
DKIM_ADSP_ALL
|
0 1.1 0 0.8
|
Wiki
|
|
header
|
|
No valid author signature, adsp_override is CUSTOM_LOW
|
DKIM_ADSP_CUSTOM_LOW
|
0.001
|
Wiki
|
|
header
|
|
No valid author signature, adsp_override is CUSTOM_MED
|
DKIM_ADSP_CUSTOM_MED
|
0.001
|
Wiki
|
|
header
|
|
No valid author signature, adsp_override is CUSTOM_HIGH
|
DKIM_ADSP_CUSTOM_HIGH
|
0.001
|
Wiki
|
|
full
|
|
eval:check_dkim_valid()
|
DKIM_VERIFIED
|
1
|
Wiki
|
|
header
|
|
eval:check_dkim_testing()
|
DKIM_POLICY_TESTING
|
1
|
Wiki
|
|
header
|
|
eval:check_dkim_signsome()
|
DKIM_POLICY_SIGNSOME
|
1
|
Wiki
|
|
header
|
|
eval:check_dkim_signall()
|
DKIM_POLICY_SIGNALL
|
1
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (20 bits)
|
HASHCASH_20
|
-0.5
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (21 bits)
|
HASHCASH_21
|
-0.7
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (22 bits)
|
HASHCASH_22
|
-1.0
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (23 bits)
|
HASHCASH_23
|
-2.0
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (24 bits)
|
HASHCASH_24
|
-3.0
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (25 bits)
|
HASHCASH_25
|
-4.0
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (>25 bits)
|
HASHCASH_HIGH
|
-5.0
|
Wiki
|
|
header
|
|
Hashcash token already spent in another mail
|
HASHCASH_2SPEND
|
0.1
|
Wiki
|
|
full
|
|
Listed in Pyzor (http://pyzor.sf.net/)
|
PYZOR_CHECK
|
0 1.985 0 1.392
|
Wiki
|
|
full
|
|
Listed in Razor2 (http://razor.sf.net/)
|
RAZOR2_CHECK
|
0 1.729 0 0.922
|
Wiki
|
|
full
|
|
Razor2 gives confidence level above 50%
|
RAZOR2_CF_RANGE_51_100
|
0 0.365 0 0.500
|
Wiki
|
|
full
|
|
Razor2 gives engine 4 confidence level above 50%
|
RAZOR2_CF_RANGE_E4_51_100
|
0 0.467 0 0.642
|
Wiki
|
|
full
|
|
Razor2 gives engine 8 confidence level above 50%
|
RAZOR2_CF_RANGE_E8_51_100
|
0 2.430 0 1.886
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_MEDS
|
1
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_CHEAP
|
0.641 1.831 0.833 0.001
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_PENIS
|
1
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_TION
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_AFFORDABLE
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_AMBIEN
|
2.199 1.851 0.925 0.552
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_BILLION
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_CPILL
|
0.001 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_CREDIT
|
1.699 1.413 0.601 1.678
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_ERECT
|
2.356 1.306 2.360 1.859
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_GUARANTEE
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MEDICATION
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MILLION
|
2.599 2.599 1.659 2.505
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MONEY
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MORTGAGE
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_OBLIGATION
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_OFFERS
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PHARMACY
|
2.960 3.299 1.967 1.353
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PHENT
|
2.799 1.647 1.540 2.662
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PRESCRIPT
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PRICES
|
1.821 0.720 2.210 2.311
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_REFINANCE
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_REMOVE
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_ROLEX
|
3.399 1.038 3.399 1.964
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_SOFTWARE
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_THOUSANDS
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VLIUM
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VIOXX
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VPILL
|
0.001 0.494 0.796 1.014
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_XPILL
|
2.202 1.752 2.799 2.799
|
Wiki
|
|
header
|
|
SPF: sender matches SPF record
|
SPF_PASS
|
-0.001
|
Wiki
|
|
header
|
|
SPF: sender does not match SPF record (neutral)
|
SPF_NEUTRAL
|
0 0.652 0 0.779
|
Wiki
|
|
header
|
|
SPF: sender does not match SPF record (fail)
|
SPF_FAIL
|
0 0.919 0 0.001
|
Wiki
|
|
header
|
|
SPF: sender does not match SPF record (softfail)
|
SPF_SOFTFAIL
|
0 0.972 0 0.665
|
Wiki
|
|
header
|
|
SPF: HELO matches SPF record
|
SPF_HELO_PASS
|
-0.001
|
Wiki
|
|
header
|
|
SPF: HELO does not match SPF record (neutral)
|
SPF_HELO_NEUTRAL
|
0 0.001 0 0.112
|
Wiki
|
|
header
|
|
SPF: HELO does not match SPF record (fail)
|
SPF_HELO_FAIL
|
0 0.001 0 0.001
|
Wiki
|
|
header
|
|
SPF: HELO does not match SPF record (softfail)
|
SPF_HELO_SOFTFAIL
|
0 0.896 0 0.732
|
Wiki
|
|
body
|
|
Message written in an undesired language
|
UNWANTED_LANGUAGE_BODY
|
2.800
|
Wiki
|
|
body
|
|
Body includes 8 consecutive 8-bit characters
|
BODY_8BITS
|
1.500
|
Wiki
|
|
body
|
|
Contains an URL listed in the SBL blocklist
|
URIBL_SBL
|
0 0.644 0 1.623
|
Wiki
|
|
body
|
|
Contains an URL listed in the SC SURBL blocklist
|
URIBL_SC_SURBL
|
0 0.001 0 0.568
|
Wiki
|
|
body
|
|
Contains an URL listed in the WS SURBL blocklist
|
URIBL_WS_SURBL
|
0 1.659 0 1.608
|
Wiki
|
|
body
|
|
Contains an URL listed in the PH SURBL blocklist
|
URIBL_PH_SURBL
|
0 0.001 0 0.610
|
Wiki
|
|
body
|
|
Contains an URL listed in the OB SURBL blocklist
|
URIBL_OB_SURBL
|
0 0.785 0 0.122
|
Wiki
|
|
body
|
|
Contains an URL listed in the AB SURBL blocklist
|
URIBL_AB_SURBL
|
0 4.499 0 4.499
|
Wiki
|
|
body
|
|
Contains an URL listed in the JP SURBL blocklist
|
URIBL_JP_SURBL
|
0 1.948 0 1.250
|
Wiki
|
|
body
|
|
Contains an URL listed in the URIBL blacklist
|
URIBL_BLACK
|
0 1.775 0 1.725
|
Wiki
|
|
body
|
|
Contains an URL listed in the URIBL greylist
|
URIBL_GREY
|
0 1.084 0 0.424
|
Wiki
|
|
body
|
|
Contains an URL listed in the URIBL redlist
|
URIBL_RED
|
0.001
|
Wiki
|
|
header
|
|
From: address is in the auto white-list
|
AWL
|
1
|
Wiki
|
|
header
|
|
Not all rules were run, due to a shortcircuited rule
|
SHORTCIRCUIT
|
1
|
Wiki
|
|
header
|
|
From: address is in the user's black-list
|
USER_IN_BLACKLIST
|
100.000
|
Wiki
|
|
header
|
|
From: address is in the user's white-list
|
USER_IN_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default white-list
|
USER_IN_DEF_WHITELIST
|
-15.000
|
Wiki
|
|
header
|
|
User is listed in 'blacklist_to'
|
USER_IN_BLACKLIST_TO
|
10.000
|
Wiki
|
|
header
|
|
User is listed in 'whitelist_to'
|
USER_IN_WHITELIST_TO
|
-6.000
|
Wiki
|
|
header
|
|
User is listed in 'more_spam_to'
|
USER_IN_MORE_SPAM_TO
|
-20.000
|
Wiki
|
|
header
|
|
User is listed in 'all_spam_to'
|
USER_IN_ALL_SPAM_TO
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the user's DKIM whitelist
|
USER_IN_DKIM_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default DKIM white-list
|
USER_IN_DEF_DKIM_WL
|
-7.500
|
Wiki
|
|
header
|
|
From: address is in the user's SPF whitelist
|
USER_IN_SPF_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default SPF white-list
|
USER_IN_DEF_SPF_WL
|
-7.500
|
Wiki
|
|
header
|
|
Subject: contains string in the user's white-list
|
SUBJECT_IN_WHITELIST
|
-100
|
Wiki
|
|
header
|
|
Subject: contains string in the user's black-list
|
SUBJECT_IN_BLACKLIST
|
100
|
Wiki
|
|
header
|
|
From address contains an apostrophe
|
APOSTROPHE_FROM
|
0.148 0.786 0.651 0.545
|
Wiki
|
|
header
|
|
HELO from home - untrusted
|
AXB_HELO_HOME_UN
|
1
|
Wiki
|
|
header
|
|
Barbera Fingerprint
|
AXB_XMID_1212
|
1
|
Wiki
|
|
header
|
|
Brunello Fingerprint
|
AXB_XMID_1510
|
1
|
Wiki
|
|
header
|
|
Amarone Fingerprint
|
AXB_XMID_OEGOESNULL
|
1
|
Wiki
|
|
header
|
|
Nebbiolo fingerprint
|
AXB_XM_SENDMAIL_NOT
|
1
|
Wiki
|
|
header
|
|
Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/
|
AXB_XR_STULDAP
|
1
|
Wiki
|
|
body
|
|
Talks about banking laws
|
BANKING_LAWS
|
2.399 2.004 2.157 1.099
|
Wiki
|
|
body
|
|
eval:check_base64_length('78','79')
|
BASE64_LENGTH_78_79
|
2.370 2.636 0.762 2.667
|
Wiki
|
|
body
|
|
eval:check_base64_length('79')
|
BASE64_LENGTH_79_INF
|
1.379 2.019 0.583 1.502
|
Wiki
|
|
header
|
|
Date =~ /[-+](?!(?:0\d| 1[0-4])(?:[03]0| [14]5))\d{4}/
|
BUG6152_INVALID_DATE_TZ_ABSURD
|
1.802 1.448 0.024 0.766
|
Wiki
|
|
header
|
|
Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
|
CTYPE_001C_B
|
0.001 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
/\bCurrent Price:/
|
CURR_PRICE
|
0.001
|
Wiki
|
|
body
|
|
Dear Beneficiary:
|
DEAR_BENEFICIARY
|
1
|
Wiki
|
|
body
|
|
Message contains Dear email address
|
DEAR_EMAIL
|
1
|
Wiki
|
|
body
|
|
/\bdear.{1,20}winner/i
|
DEAR_WINNER
|
3.099 3.099 2.309 3.099
|
Wiki
|
|
header
|
|
X-mailer pattern common to anal porn site spam
|
DOS_ANAL_SPAM_MAILER
|
1
|
Wiki
|
|
header
|
|
Received from the same IP twice in a row (only one external relay; empty or IP helo)
|
DOS_RCVD_IP_TWICE_C
|
2.599 2.060 3.292 0.096
|
Wiki
|
|
uri
|
|
Found an asterisk in a URI
|
DOS_URI_ASTERISK
|
1
|
Wiki
|
|
header
|
|
Subject =~ /\bhoodia\b/i
|
DRUGS_HDIA
|
1
|
Wiki
|
|
body
|
|
Add / Gain inches
|
FB_ADD_INCHES
|
1
|
Wiki
|
|
body
|
|
It's almost sex, but not!
|
FB_ALMOST_SEX
|
1
|
Wiki
|
|
body
|
|
Broken AnaTrim phrase.
|
FB_ANA_TRIM
|
1
|
Wiki
|
|
body
|
|
Phrase: A_U_N_I
|
FB_ANUI
|
1
|
Wiki
|
|
body
|
|
Phrase: [BM]Illi0n
|
FB_BILLI0N
|
1
|
Wiki
|
|
body
|
|
Phrase: C0mpany
|
FB_C0MPANY
|
1
|
Wiki
|
|
body
|
|
Phrase: can last longer
|
FB_CAN_LONGER
|
1
|
Wiki
|
|
body
|
|
Uses a mis-spelled version of cialis.
|
FB_CIALIS_LEO3
|
1.688 3.055 2.465 3.245
|
Wiki
|
|
body
|
|
Looks like double 0 words
|
FB_DOUBLE_0WORDS
|
1
|
Wiki
|
|
body
|
|
Phrase: email hier
|
FB_EMAIL_HIER
|
1
|
Wiki
|
|
body
|
|
Phrase: extra inches
|
FB_EXTRA_INCHES
|
0.289 0.000 2.603 0.001
|
Wiki
|
|
body
|
|
Looks like numbers with O's insted of 0's
|
FB_FAKE_NUMBERS
|
1
|
Wiki
|
|
body
|
|
Looks like fake numbers (4)
|
FB_FAKE_NUMS4
|
1
|
Wiki
|
|
body
|
|
Phrase: Farmacy
|
FB_FHARMACY
|
1
|
Wiki
|
|
body
|
|
Phrase: forward look with 0's
|
FB_FORWARD_LOOK
|
1
|
Wiki
|
|
body
|
|
Too much spacing in Address
|
FB_GAPPY_ADDRESS
|
1
|
Wiki
|
|
body
|
|
Looks like trying to sell meds
|
FB_GET_MEDS
|
2.314 2.027 1.195 0.935
|
Wiki
|
|
body
|
|
Looks like generic viagra
|
FB_GVR
|
2.340 0.691 2.568 2.301
|
Wiki
|
|
body
|
|
Phrase hey bro,
|
FB_HEY_BRO_COMMA
|
1
|
Wiki
|
|
body
|
|
Phrase: HGH
|
FB_HG_H_CAP
|
1
|
Wiki
|
|
body
|
|
Phrase (dollar) x home loan
|
FB_HOMELOAN
|
1
|
Wiki
|
|
body
|
|
Phrase: impress ... girl
|
FB_IMPRESS_GIRL
|
1
|
Wiki
|
|
body
|
|
Phrase: Increase your energy
|
FB_INCREASE_YOUR
|
2.699 2.700 2.335 2.343
|
Wiki
|
|
body
|
|
Phrase: independent reward
|
FB_INDEPEND_RWD
|
2.799
|
Wiki
|
|
body
|
|
Phrase: L0an
|
FB_L0AN
|
1
|
Wiki
|
|
body
|
|
Special people leave special signs!
|
FB_LETTERS_21B
|
1
|
Wiki
|
|
body
|
|
Phrase: LOSE WEIGHT
|
FB_LOSE_WEIGHT_CAP
|
0.001 0.001 2.187 0.001
|
Wiki
|
|
body
|
|
Phrase: lower your monthly payments
|
FB_LOWER_PAYM
|
1
|
Wiki
|
|
body
|
|
Phrase: more size
|
FB_MORE_SIZE
|
1
|
Wiki
|
|
body
|
|
Looks like a fake phone number (1)
|
FB_NOT_PHONE_NUM1
|
1
|
Wiki
|
|
body
|
|
Looks like a fake phone number (3)
|
FB_NOT_PHONE_NUM3
|
1
|
Wiki
|
|
body
|
|
Looks like school but it's not!
|
FB_NOT_SCHOOL
|
1
|
Wiki
|
|
body
|
|
Phrase: no prescription needed.
|
FB_NO_SCRIP_NEEDED
|
1.656 1.469 2.133 0.922
|
Wiki
|
|
body
|
|
Speaks of teenager.
|
FB_NUMYO
|
1
|
Wiki
|
|
body
|
|
Speaks of 20+ year old.
|
FB_NUMYO2
|
1
|
Wiki
|
|
body
|
|
Looks like money but has odd spacing.
|
FB_ODD_SPACED_MONEY
|
1
|
Wiki
|
|
body
|
|
Mis-spelled online
|
FB_ONIINE
|
1
|
Wiki
|
|
body
|
|
Phrase: p1ll
|
FB_P1LL
|
1
|
Wiki
|
|
body
|
|
Phrase: penis growth
|
FB_PENIS_GROWTH
|
1
|
Wiki
|
|
body
|
|
Phrase: Dollar, with pipes or 0's.
|
FB_PIPEDOLLAR
|
1
|
Wiki
|
|
body
|
|
Looks like illion, but it's not
|
FB_PIPE_ILLION
|
1
|
Wiki
|
|
body
|
|
Talks about prolonged hardness
|
FB_PROLONGED_HARD
|
1
|
Wiki
|
|
body
|
|
Phrase: quality replica
|
FB_QUALITY_REPLICA
|
3.313 3.149 2.005 2.308
|
Wiki
|
|
body
|
|
Refcode with spacing
|
FB_REF_CODE_SPACE
|
1
|
Wiki
|
|
body
|
|
Phrase: Replica Rolex
|
FB_REPLICA_ROLEX
|
1.674 0.710 1.115 3.175
|
Wiki
|
|
body
|
|
Phrase: REPLICA
|
FB_REPLIC_CAP
|
1
|
Wiki
|
|
body
|
|
Looks like refi.
|
FB_RE_FI
|
1
|
Wiki
|
|
body
|
|
Phrase: Roller is th
|
FB_ROLLER_IS_T
|
1
|
Wiki
|
|
body
|
|
Phrase: rolx
|
FB_ROLX
|
1
|
Wiki
|
|
body
|
|
Phrase: save ... prescription.
|
FB_SAVE_PERSC
|
2.799 0.367 1.864 1.492
|
Wiki
|
|
body
|
|
Phrase: Softabs
|
FB_SOFTTABS
|
2.887 3.174 3.378 1.584
|
Wiki
|
|
body
|
|
Phrase: F R E E
|
FB_SPACED_FREE
|
2.499 2.499 2.203 0.395
|
Wiki
|
|
body
|
|
Phone number with -- spacing. (B)
|
FB_SPACED_PHN_3B
|
0.001
|
Wiki
|
|
body
|
|
Looks like a s p a c e d zipcode.
|
FB_SPACEY_ZIP
|
1
|
Wiki
|
|
body
|
|
Phrase: SPUR-M
|
FB_SPUR_M
|
1
|
Wiki
|
|
body
|
|
Phrase: ssex
|
FB_SSEX
|
1
|
Wiki
|
|
body
|
|
Looks like stocks exploding.
|
FB_STOCK_EXPLODE
|
1
|
Wiki
|
|
body
|
|
Mis-spelled symbol.
|
FB_SYMBLO
|
1
|
Wiki
|
|
body
|
|
Phrase: this advertiser
|
FB_THIS_ADVERT
|
3.599 3.600 2.999 3.599
|
Wiki
|
|
body
|
|
Phrase: thousand personal
|
FB_THOUS_PERSONAL
|
1
|
Wiki
|
|
body
|
|
Phrase: to stop further distribution
|
FB_TO_STOP_DISTRO
|
3.399
|
Wiki
|
|
body
|
|
Phrase: Ultra Allure
|
FB_ULTRA_ALLURE
|
2.352 1.074 2.334 0.829
|
Wiki
|
|
body
|
|
Phrase: lock to your girlfriend
|
FB_UNLOCK_YOUR_G
|
1
|
Wiki
|
|
body
|
|
Pattern Replacement PROV_D
|
FB_UNRESOLV_PROV
|
1
|
Wiki
|
|
body
|
|
Phrase: yourself master
|
FB_YOURSELF_MASTER
|
1
|
Wiki
|
|
body
|
|
Phrase: Your refi
|
FB_YOUR_REFI
|
1
|
Wiki
|
|
header
|
|
Bad X-Mailer version
|
FH_BAD_OEV1441
|
1
|
Wiki
|
|
header
|
|
The date is not 19xx.
|
FH_DATE_IS_19XX
|
0.000 1.598 2.373 0.277
|
Wiki
|
|
header
|
|
RCVD line looks faked (A)
|
FH_FAKE_RCVD_LINE
|
2.167 1.431 2.525 1.778
|
Wiki
|
|
header
|
|
RCVD line looks faked (B)
|
FH_FAKE_RCVD_LINE_B
|
4.000 3.372 3.999 3.999
|
Wiki
|
|
header
|
|
E-mail address doesn't have TLD (.com, etc.)
|
FH_FROMEML_NOTLD
|
1.708 0.180 0.975 1.082
|
Wiki
|
|
header
|
|
From name has "cash"
|
FH_FROM_CASH
|
2.599 2.436 2.599 1.739
|
Wiki
|
|
header
|
|
From name says Get
|
FH_FROM_GET_NAME
|
2.699
|
Wiki
|
|
header
|
|
From name is giveaway.
|
FH_FROM_GIVEAWAY
|
2.599 1.817 1.810 1.655
|
Wiki
|
|
header
|
|
From has Hoodia!!?
|
FH_FROM_HOODIA
|
1
|
Wiki
|
|
header
|
|
Has X-AIMC-AUTH header
|
FH_HAS_XAIMC
|
1.602 1.899 0.561 1.899
|
Wiki
|
|
header
|
|
Has X-ID
|
FH_HAS_XID
|
3.299 3.215 3.003 1.782
|
Wiki
|
|
header
|
|
Helo is almost an IP addr.
|
FH_HELO_ALMOST_IP
|
3.699 3.268 3.457 0.688
|
Wiki
|
|
header
|
|
Helo ends with a dot.
|
FH_HELO_ENDS_DOT
|
1
|
Wiki
|
|
header
|
|
Helo is 6-10 hex chr's.
|
FH_HELO_EQ_610HEX
|
1
|
Wiki
|
|
header
|
|
Helo is d-d-d-d charter.com
|
FH_HELO_EQ_CHARTER
|
0.607 0.286 0.093 2.683
|
Wiki
|
|
header
|
|
Helo is d-d-d-d
|
FH_HELO_EQ_D_D_D_D
|
2.361 1.117 2.815 3.177
|
Wiki
|
|
header
|
|
Faked helo of gmail-smtp-in
|
FH_HELO_GMAILSMTP
|
1
|
Wiki
|
|
header
|
|
Host is dynamicip
|
FH_HOST_EQ_DYNAMICIP
|
2.632 2.454 3.299 3.298
|
Wiki
|
|
header
|
|
Host is pacbell.net dsl
|
FH_HOST_EQ_PACBELL_D
|
0.001 0.927 0.559 1.703
|
Wiki
|
|
header
|
|
Host is pool-.+verizon.net
|
FH_HOST_EQ_VERIZON_P
|
2.681 1.237 3.671 1.323
|
Wiki
|
|
header
|
|
HOST dns says "in-addr.arpa"
|
FH_HOST_IN_ADDRARPA
|
3.199 2.933 2.452 2.157
|
Wiki
|
|
header
|
|
Special MSGID
|
FH_MSGID_000000
|
1
|
Wiki
|
|
header
|
|
Special MSGID
|
FH_MSGID_01C67
|
1
|
Wiki
|
|
header
|
|
MESSAGE ID seen often!!!
|
FH_MSGID_01C70XXX
|
1
|
Wiki
|
|
header
|
|
Broken Replace Template
|
FH_MSGID_REPLACE
|
1
|
Wiki
|
|
header
|
|
Common sign in msg-id's 12/21/2006
|
FH_MSGID_XXBLAH
|
1
|
Wiki
|
|
header
|
|
Message-Id = @xxx
|
FH_MSGID_XXX
|
2.399 1.632 2.376 1.482
|
Wiki
|
|
header
|
|
Subject is Re: new \d\d\d
|
FH_RE_NEW_DDD
|
1
|
Wiki
|
|
header
|
|
Broken Replace Template
|
FH_XMAIL_REPLACE
|
1
|
Wiki
|
|
body
|
|
Fill in a form with personal information
|
FILL_THIS_FORM_LONG
|
3.800 3.476 2.300 3.404
|
Wiki
|
|
header
|
|
Looks like Fake Outlook?
|
FM_XMAIL_F_OUT
|
1
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10| 127| 169\.254| 172\.(?:1[6-9]| 2[0-9]| 3[01])| 192\.168)\.)| )[^\[]+(dollar) /
|
FORGED_RELAY_MUA_TO_MX
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Adobe
|
FRT_ADOBE2
|
0.001 1.099 0.221 0.877
|
Wiki
|
|
body
|
|
ReplaceTags: Approve
|
FRT_APPROV
|
2.499
|
Wiki
|
|
body
|
|
ReplaceTags: Bigger / Larger, Penis / Member
|
FRT_BIGGERMEM1
|
2.523 0.146 2.372 1.758
|
Wiki
|
|
body
|
|
ReplaceTags: Diploma
|
FRT_DIPLOMA
|
0.000 1.548 0.787 1.599
|
Wiki
|
|
body
|
|
ReplaceTags: Discount
|
FRT_DISCOUNT
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Dollar
|
FRT_DOLLAR
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Establish (2)
|
FRT_ESTABLISH2
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Fuck (2)
|
FRT_FUCK2
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Guarantee (1)
|
FRT_GUARANTEE1
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Investor
|
FRT_INVESTOR
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Levitra
|
FRT_LEVITRA
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Meeting
|
FRT_MEETING
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Offer (2)
|
FRT_OFFER2
|
1.681 1.109 2.048 0.926
|
Wiki
|
|
body
|
|
ReplaceTags: Oppertun (2)
|
FRT_OPPORTUN2
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Penis
|
FRT_PENIS1
|
2.299 2.293 1.029 0.731
|
Wiki
|
|
body
|
|
ReplaceTags: Pharmac
|
FRT_PHARMAC
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Price
|
FRT_PRICE
|
0.001
|
Wiki
|
|
body
|
|
ReplaceTags: Refinance (1)
|
FRT_REFINANCE1
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Rolex
|
FRT_ROLEX
|
2.699 2.183 1.440 2.699
|
Wiki
|
|
body
|
|
ReplaceTags: Sexual
|
FRT_SEXUAL
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Soma
|
FRT_SOMA
|
0.000 3.280 2.099 2.871
|
Wiki
|
|
body
|
|
ReplaceTags: Soma (2)
|
FRT_SOMA2
|
0.001 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
ReplaceTags: Strong (1)
|
FRT_STRONG1
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Strong (2)
|
FRT_STRONG2
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Symbol
|
FRT_SYMBOL
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Today (2)
|
FRT_TODAY2
|
0.480 0.693 1.988 0.905
|
Wiki
|
|
body
|
|
ReplaceTags: Valium
|
FRT_VALIUM1
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Valium (2)
|
FRT_VALIUM2
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Weight (2)
|
FRT_WEIGHT2
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Xanax (1)
|
FRT_XANAX1
|
1
|
Wiki
|
|
body
|
|
ReplaceTags: Xanax (2)
|
FRT_XANAX2
|
1
|
Wiki
|
|
rawbody
|
|
Looks like 3 <e> small tags.
|
FR_3TAG_3TAG
|
1
|
Wiki
|
|
rawbody
|
|
Almost looks like viagra.
|
FR_ALMOST_VIAG2
|
2.299 1.594 2.299 1.531
|
Wiki
|
|
rawbody
|
|
Phrase class=cantseetext
|
FR_CANTSEETEXT
|
1
|
Wiki
|
|
rawbody
|
|
Sign often seen in spams
|
FR_MIDER
|
1
|
Wiki
|
|
rawbody
|
|
HTML Title is only numbers
|
FR_TITLE_NUMS
|
2.899 2.695 2.899 2.899
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /gmail-smtp-in\.l\.google\.com/
|
FSL_FAKE_GMAIL_RCVD
|
3.099 2.974 1.002 2.104
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
|
FSL_FAKE_HOTMAIL_RVCD
|
2.631 1.816 2.011 2.365
|
Wiki
|
|
uri
|
|
/\/geocities\.com\/\S+(dollar) /
|
FSL_GEO_ABUSE
|
2.699 2.699 2.313 2.167
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
|
FSL_HELO_BARE_IP_1
|
2.598 1.426 3.099 2.347
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device| speedtouch)\.lan\b/i
|
FSL_HELO_DEVICE
|
1.682 0.001 0.884 0.806
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
|
FSL_HELO_NON_FQDN_1
|
2.361 0.001 1.783 0.001
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
|
FSL_HELO_SETUP
|
1
|
Wiki
|
|
uri
|
|
/\/\S+\.(?:w| eu| fm)\.interia\.pl/
|
FSL_INTERIA_ABUSE
|
3.899 2.664 3.080 3.106
|
Wiki
|
|
uri
|
|
/cid\-\S+\.spaces\.live\.com/
|
FSL_LSPACES_ABUSE
|
1
|
Wiki
|
|
uri
|
|
/\/groups\.yahoo\.com\/group\/\S+\/message\/1(dollar) /
|
FSL_YG_ABUSE
|
4.199
|
Wiki
|
|
header
|
|
Subject has "a bigger"
|
FS_ABIGGER
|
1.693 1.354 2.477 1.112
|
Wiki
|
|
header
|
|
Subject says approve you
|
FS_APPROVE_YOU
|
2.499 1.272 1.942 1.873
|
Wiki
|
|
header
|
|
Subject says "At No Cost"
|
FS_AT_NO_COST
|
2.499
|
Wiki
|
|
header
|
|
Phrase: Cheap in Caps in Subject.
|
FS_CHEAP_CAP
|
1
|
Wiki
|
|
header
|
|
Subject talks about money bonus!
|
FS_DOLLAR_BONUS
|
1
|
Wiki
|
|
header
|
|
Phrase: ejaculation in subject.
|
FS_EJACULA
|
1
|
Wiki
|
|
header
|
|
Phrase: erection in subject.
|
FS_ERECTION
|
1
|
Wiki
|
|
header
|
|
Phrase: Huge Cock
|
FS_HUGECOCK
|
1
|
Wiki
|
|
header
|
|
Larger than 100% in subj.
|
FS_LARGE_PERCENT2
|
2.645 2.699 0.001 1.960
|
Wiki
|
|
header
|
|
Subject says low rates
|
FS_LOW_RATES
|
1
|
Wiki
|
|
header
|
|
Subj starts with New software uploaded
|
FS_NEW_SOFT_UPLOAD
|
1
|
Wiki
|
|
header
|
|
Subject looks like Fharmacy spams.
|
FS_NEW_XXX
|
1
|
Wiki
|
|
header
|
|
Subject almost says No prescription
|
FS_NO_SCRIP
|
1
|
Wiki
|
|
header
|
|
Subject says Nude
|
FS_NUDE
|
2.399 1.653 1.288 1.101
|
Wiki
|
|
header
|
|
what could this word be?
|
FS_OBFU_PRMCY
|
2.400 0.384 0.204 1.248
|
Wiki
|
|
header
|
|
Subject mis-spelled prescription
|
FS_PERSCRIPTION
|
1
|
Wiki
|
|
header
|
|
Looks like Phramacy subject.
|
FS_PHARMASUB2
|
2.980 1.345 2.956 0.549
|
Wiki
|
|
header
|
|
Subject says Ramrod
|
FS_RAMROD
|
1
|
Wiki
|
|
header
|
|
Subject says "replica"
|
FS_REPLICA
|
1.630 3.599 2.028 3.599
|
Wiki
|
|
header
|
|
Subject says Replica watch
|
FS_REPLICAWATCH
|
3.237 1.715 1.733 3.015
|
Wiki
|
|
header
|
|
Phrase: re approved
|
FS_RE_APPROV
|
1
|
Wiki
|
|
header
|
|
Subject starts with Do you dream,have,want,love, etc.
|
FS_START_DOYOU2
|
2.799 2.799 2.799 2.800
|
Wiki
|
|
header
|
|
Subject starts with Lose
|
FS_START_LOSE
|
0.249 0.176 1.424 1.809
|
Wiki
|
|
header
|
|
Subject says something bad about teens
|
FS_TEEN_BAD
|
1
|
Wiki
|
|
header
|
|
Phrase: subject = tip ddd
|
FS_TIP_DDD
|
1
|
Wiki
|
|
header
|
|
Subject says Weight Loss
|
FS_WEIGHT_LOSS
|
1.894 1.541 2.501 2.036
|
Wiki
|
|
header
|
|
Subject says will help
|
FS_WILL_HELP
|
2.599 0.893 2.484 0.734
|
Wiki
|
|
header
|
|
Subject says With ... small
|
FS_WITH_SMALL
|
1
|
Wiki
|
|
body
|
|
/<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
|
FUZZY_MERIDIA
|
1
|
Wiki
|
|
uri
|
|
Sub-dir seen often in spam (2).
|
FU_COMMON_SUBS2
|
2.801 2.650 2.823 0.292
|
Wiki
|
|
uri
|
|
Ends with clk/d+.d+.d+
|
FU_ENDS_NUMS_DOTS_CLK
|
1
|
Wiki
|
|
uri
|
|
ET Phone Home?
|
FU_END_ET
|
1
|
Wiki
|
|
uri
|
|
URL has hoodia in it.
|
FU_HOODIA
|
1
|
Wiki
|
|
uri
|
|
URL has a long file name with .aspx extension.
|
FU_LONG_QUERY3
|
1
|
Wiki
|
|
uri
|
|
URL has /gal/
|
FU_MIDER
|
1
|
Wiki
|
|
uri
|
|
URL with [a-z]{2}.geocities.com
|
FU_UKGEOCITIES
|
1
|
Wiki
|
|
uri
|
|
URI style tracker (T)
|
FU_URI_TRACKER_T
|
1
|
Wiki
|
|
uri
|
|
/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
|
GEO_QUERY_STRING
|
1
|
Wiki
|
|
header
|
|
Misspaced headers
|
HDRS_MISSP
|
1
|
Wiki
|
|
header
|
|
Multiple Subject headers found
|
HEADER_COUNT_SUBJECT
|
1
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
|
HELO_FRIEND
|
1
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home| lan) /i
|
HELO_LH_HOME
|
0.001 2.023 0.537 1.736
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
|
HELO_LH_LD
|
1
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
|
HELO_LOCALHOST
|
2.639 3.603 2.915 3.828
|
Wiki
|
|
header
|
|
X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc| oem\S*) /i
|
HELO_OEM
|
2.899 2.899 1.234 0.270
|
Wiki
|
|
header
|
|
From name contains drugs
|
HK_NAME_DRUGS
|
4.299 0.001 3.077 0.552
|
Wiki
|
|
header
|
|
From name mentions free stuff
|
HK_NAME_FREE
|
1
|
Wiki
|
|
header
|
|
Envelope sender username looks random
|
HK_RANDOM_ENVFROM
|
2.638 0.626 1.798 0.001
|
Wiki
|
|
body
|
|
/\bnext of kin\b/i
|
HK_SCAM_N2
|
1
|
Wiki
|
|
header
|
|
Bobax? Message-Id: <0IX000EJXVWDA000@example.com>
|
HS_BOBAX_MID_2
|
2.762 2.612 1.243 1.437
|
Wiki
|
|
body
|
|
Somebody has uploaded some new software for you
|
HS_BODY_UPLOADED_SOFTWARE
|
1
|
Wiki
|
|
body
|
|
Contains a drug and price-like pattern.
|
HS_DRUG_DOLLAR_1
|
0.001
|
Wiki
|
|
body
|
|
Contains a drug and price-like pattern.
|
HS_DRUG_DOLLAR_2
|
0.001
|
Wiki
|
|
body
|
|
Contains a drug and price-like pattern.
|
HS_DRUG_DOLLAR_3
|
0.001
|
Wiki
|
|
uri
|
|
Links to common unsubscribe script: 'getmeoff.php'
|
HS_GETMEOFF
|
1
|
Wiki
|
|
uri
|
|
Link contains a common tracker pattern.
|
HS_INDEX_PARAM
|
1.105 0.023 1.203 0.574
|
Wiki
|
|
body
|
|
Talks about meeting up for sex.
|
HS_MEETUP_FOR_SEX
|
1
|
Wiki
|
|
header
|
|
Subject starts with 'New software uploaded by'
|
HS_SUBJ_NEW_SOFTWARE
|
1
|
Wiki
|
|
header
|
|
Subject contains the phrase 'Online pharmaceutical'
|
HS_SUBJ_ONLINE_PHARMACEUTICAL
|
1
|
Wiki
|
|
body
|
|
Contains VPXL, yet the recommended dose is only 2 tablets.
|
HS_VPXL
|
3.211 1.399 2.696 1.948
|
Wiki
|
|
body
|
|
eval:check_https_http_mismatch('1','10')
|
HTTPS_HTTP_MISMATCH
|
0.557 0.000 1.778 1.989
|
Wiki
|
|
uri
|
|
/(?:\&| \?)btnI=ec(?:(dollar) | \&)/
|
JM_I_FEEL_LUCKY
|
1
|
Wiki
|
|
header
|
|
Received =~ /by \S+ \(Qmailv1\) with ESMTP/
|
JM_RCVD_QMAILV1
|
1
|
Wiki
|
|
header
|
|
Date:raw =~ /^\t/
|
KB_DATE_CONTAINS_TAB
|
3.800 3.799 3.799 2.751
|
Wiki
|
|
header
|
|
ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) [0-9a-f]{8}\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\./msi
|
KB_RATWARE_OUTLOOK_08
|
1
|
Wiki
|
|
header
|
|
ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{4})[0-9a-f]{4}\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
|
KB_RATWARE_OUTLOOK_12
|
1
|
Wiki
|
|
header
|
|
ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{8})\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
|
KB_RATWARE_OUTLOOK_16
|
1
|
Wiki
|
|
header
|
|
ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{8})\(dollar) [0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
|
KB_RATWARE_OUTLOOK_MID
|
4.400 4.400 2.503 1.499
|
Wiki
|
|
uri
|
|
m~livefilestore.com/~
|
LIVEFILESTORE
|
3.300 2.570 3.183 0.771
|
Wiki
|
|
body
|
|
/long\W+term\W+(target| projected)(\W+price)?/i
|
LONG_TERM_PRICE
|
0.001
|
Wiki
|
|
body
|
|
A loop hole in the banking laws?
|
LOOPHOLE_1
|
1
|
Wiki
|
|
body
|
|
Claims Agent
|
LOTTO_AGENT
|
1
|
Wiki
|
|
header
|
|
Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d(dollar) /
|
L_SPAM_TOOL_13
|
0.539 0.485 0.494 1.333
|
Wiki
|
|
header
|
|
Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>(dollar) /
|
MID_DEGREES
|
1
|
Wiki
|
|
header
|
|
Content-Type =~ /boundary="=====================_\d+==\.REL"/s
|
MIME_BOUND_EQ_REL
|
1
|
Wiki
|
|
full
|
|
Message has NUL (ASCII 0) byte in message
|
NULL_IN_BODY
|
0.511 0.498 2.056 1.596
|
Wiki
|
|
header
|
|
Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\(dollar) \%&'()*:<=>?\@\[\]^\`{| }~]| ;\S)/
|
RCVD_BAD_ID
|
1
|
Wiki
|
|
header
|
|
Forged 'Received' header found ('wrote:' spam)
|
RCVD_FORGED_WROTE
|
1
|
Wiki
|
|
header
|
|
Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
|
RCVD_FORGED_WROTE2
|
1
|
Wiki
|
|
header
|
|
eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
|
RCVD_IN_BRBL_LASTEXT
|
0 1.644 0 1.449
|
Wiki
|
|
header
|
|
Received via a relay in Spamhaus CSS
|
RCVD_IN_CSS
|
0 1.0 0 1.0
|
Wiki
|
|
header
|
|
Sender listed at http://www.dnswl.org/, high trust
|
RCVD_IN_DNSWL_HI
|
0 -5 0 -5
|
Wiki
|
|
header
|
|
Sender listed at http://www.dnswl.org/, low trust
|
RCVD_IN_DNSWL_LOW
|
0 -0.7 0 -0.7
|
Wiki
|
|
header
|
|
Sender listed at http://www.dnswl.org/, medium trust
|
RCVD_IN_DNSWL_MED
|
0 -2.3 0 -2.3
|
Wiki
|
|
header
|
|
Sender listed at http://www.dnswl.org/, low trust
|
RCVD_IN_DNSWL_NONE
|
0 -0.0001 0 -0.0001
|
Wiki
|
|
header
|
|
IADB: Sender publishes Domain Keys record
|
RCVD_IN_IADB_DK
|
0 -0.223 0 -0.095
|
Wiki
|
|
header
|
|
IADB: All mailing list mail is confirmed opt-in
|
RCVD_IN_IADB_DOPTIN
|
0 -4 0 -4
|
Wiki
|
|
header
|
|
IADB: Confirmed opt-in used more than 50% of the time
|
RCVD_IN_IADB_DOPTIN_GT50
|
1
|
Wiki
|
|
header
|
|
IADB: Confirmed opt-in used less than 50% of the time
|
RCVD_IN_IADB_DOPTIN_LT50
|
0 -0.001 0 -0.001
|
Wiki
|
|
header
|
|
IADB: Participates in Email Deliverability Database
|
RCVD_IN_IADB_EDDB
|
1
|
Wiki
|
|
header
|
|
IADB: Member of Email Processing Industry Alliance
|
RCVD_IN_IADB_EPIA
|
1
|
Wiki
|
|
header
|
|
IADB: Sender has been certified by GoodMail
|
RCVD_IN_IADB_GOODMAIL
|
1
|
Wiki
|
|
header
|
|
Participates in the IADB system
|
RCVD_IN_IADB_LISTED
|
0 -0.380 0 -0.001
|
Wiki
|
|
header
|
|
IADB: Adds relationship addrs w/out opt-in
|
RCVD_IN_IADB_LOOSE
|
1
|
Wiki
|
|
header
|
|
IADB: Complies with Michigan's CPEAR law
|
RCVD_IN_IADB_MI_CPEAR
|
1
|
Wiki
|
|
header
|
|
IADB: Checked lists against Michigan's CPR within 30 days
|
RCVD_IN_IADB_MI_CPR_30
|
1
|
Wiki
|
|
header
|
|
IADB: Sends no material under Michigan's CPR
|
RCVD_IN_IADB_MI_CPR_MAT
|
0 -0.332 0 -0.000
|
Wiki
|
|
header
|
|
IADB: Mailing list email only, confirmed opt-in
|
RCVD_IN_IADB_ML_DOPTIN
|
0 -6 0 -6
|
Wiki
|
|
header
|
|
IADB: Has absolutely no mailing controls in place
|
RCVD_IN_IADB_NOCONTROL
|
1
|
Wiki
|
|
header
|
|
IADB: One-to-one/transactional email only
|
RCVD_IN_IADB_OOO
|
1
|
Wiki
|
|
header
|
|
IADB: All mailing list mail is opt-in
|
RCVD_IN_IADB_OPTIN
|
0 -2.057 0 -1.470
|
Wiki
|
|
header
|
|
IADB: Opt-in used more than 50% of the time
|
RCVD_IN_IADB_OPTIN_GT50
|
0 -1.208 0 -0.007
|
Wiki
|
|
header
|
|
IADB: Opt-in used less than 50% of the time
|
RCVD_IN_IADB_OPTIN_LT50
|
1
|
Wiki
|
|
header
|
|
IADB: Scrapes addresses, pure opt-out only
|
RCVD_IN_IADB_OPTOUTONLY
|
1
|
Wiki
|
|
header
|
|
IADB: Sender has reverse DNS record
|
RCVD_IN_IADB_RDNS
|
0 -0.167 0 -0.235
|
Wiki
|
|
header
|
|
IADB: Sender publishes Sender ID record
|
RCVD_IN_IADB_SENDERID
|
0 -0.001 0 -0.001
|
Wiki
|
|
header
|
|
IADB: Sender publishes SPF record
|
RCVD_IN_IADB_SPF
|
0 -0.001 0 -0.059
|
Wiki
|
|
header
|
|
IADB: Accepts unverified sign-ups
|
RCVD_IN_IADB_UNVERIFIED_1
|
1
|
Wiki
|
|
header
|
|
IADB: Accepts unverified sign-ups, gives chance to opt out
|
RCVD_IN_IADB_UNVERIFIED_2
|
1
|
Wiki
|
|
header
|
|
IADB: Complies with Utah's CPEAR law
|
RCVD_IN_IADB_UT_CPEAR
|
1
|
Wiki
|
|
header
|
|
IADB: Checked lists against Utah's CPR within 30 days
|
RCVD_IN_IADB_UT_CPR_30
|
1
|
Wiki
|
|
header
|
|
IADB: Sends no material under Utah's CPR
|
RCVD_IN_IADB_UT_CPR_MAT
|
0 -0.095 0 -0.001
|
Wiki
|
|
header
|
|
Received via a relay in PSBL
|
RCVD_IN_PSBL
|
0 2.700 0 2.700
|
Wiki
|
|
header
|
|
Sender is in Return Path Certified (trusted relay)
|
RCVD_IN_RP_CERTIFIED
|
0.0 -3.0 0.0 -3.0
|
Wiki
|
|
header
|
|
Relay in RNBL, https://senderscore.org/blacklistlookup/
|
RCVD_IN_RP_RNBL
|
0 1.284 0 1.310
|
Wiki
|
|
header
|
|
Sender is in Return Path Safe (trusted relay)
|
RCVD_IN_RP_SAFE
|
0.0 -2.0 0.0 -2.0
|
Wiki
|
|
header
|
|
Forged Received header (contains post.com or mail.com)
|
RCVD_MAIL_COM
|
1
|
Wiki
|
|
header
|
|
Sender's public rDNS is "localhost"
|
RDNS_LOCALHOST
|
3.700 0.969 2.345 0.001
|
Wiki
|
|
body
|
|
Email.Spam.Gen3177.Sanesecurity.08051611
|
SANE_04e8bf28eb445199a7f11b943c44d209
|
1.712 3.185 2.654 1.337
|
Wiki
|
|
body
|
|
Email.Spam.Gen3234.Sanesecurity.08052309
|
SANE_1c4f3286fa4aed6424ced88bfaf8b09c
|
3.199 2.040 3.199 1.502
|
Wiki
|
|
body
|
|
Email.Spam.Sanesecurity.Url_2496
|
SANE_2b173a7fb7518c75ac8a2d294d773fd8
|
2.976 1.117 1.951 0.942
|
Wiki
|
|
body
|
|
Email.Spam.Gen158.Sanesecurity.07012700
|
SANE_3b92eda751c992f230f215fb7eb36844
|
0.001 0.626 0.585 3.040
|
Wiki
|
|
body
|
|
Email.Spam.Gen1941.Sanesecurity.07112519
|
SANE_4ef8302546bf270a19baf98508afacc4
|
2.231 3.464 2.266 3.543
|
Wiki
|
|
body
|
|
Email.Spam.Gen2507.Sanesecurity.08021303
|
SANE_7429530a7398f43f1f1b795f9420714e
|
3.999 1.655 2.776 1.479
|
Wiki
|
|
body
|
|
Email.Malware.Sanesecurity.07011300
|
SANE_91eb43f705d25c804374a746d7519660
|
3.099 2.803 2.746 1.572
|
Wiki
|
|
body
|
|
Email.Spam.Sanesecurity.Url_2499
|
SANE_d0d2b0f6373bf91253d66dd74c594b87
|
3.799 2.040 2.710 1.494
|
Wiki
|
|
body
|
|
/short\W+term\W+(target| projected)(\W+price)?/i
|
SHORT_TERM_PRICE
|
0.001
|
Wiki
|
|
header
|
|
Content-Type =~ /text\/plain; .* reply-type=original/
|
STOX_REPLY_TYPE
|
1.898 0.212 0.141 0.439
|
Wiki
|
|
header
|
|
From starts with a tab
|
TAB_IN_FROM
|
1
|
Wiki
|
|
header
|
|
X-Mailer =~ /^The Bat! .{0,20} UNREG(dollar) /
|
THEBAT_UNREG
|
2.599 1.843 2.324 1.524
|
Wiki
|
|
header
|
|
Scora: Message-Id ends after left-bracket + digits
|
TT_MSGID_TRUNC
|
0.748 0.023 1.434 1.448
|
Wiki
|
|
body
|
|
/\bact of (?:193| nineteen thirty)/i
|
TVD_ACT_193
|
1
|
Wiki
|
|
body
|
|
/you.{1,2}re .{0,20}approved/i
|
TVD_APPROVED
|
2.356 2.599 2.599 2.090
|
Wiki
|
|
body
|
|
/^dear homeowner/i
|
TVD_DEAR_HOMEOWNER
|
1
|
Wiki
|
|
header
|
|
EnvelopeFrom =~ /\'/
|
TVD_ENVFROM_APOST
|
1
|
Wiki
|
|
header
|
|
Content-Type =~ /^text\/plain(?:; (?:format=flowed| charset="Windows-1252"| reply-type=original)){3}/i
|
TVD_FINGER_02
|
0.001 1.544 1.394 1.215
|
Wiki
|
|
rawbody
|
|
/\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
|
TVD_FLOAT_GENERAL
|
1
|
Wiki
|
|
body
|
|
/<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
|
TVD_FUZZY_DEGREE
|
1
|
Wiki
|
|
body
|
|
/(?!finance)<F><I><N><A><N><C><E>/i
|
TVD_FUZZY_FINANCE
|
1
|
Wiki
|
|
body
|
|
/<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
|
TVD_FUZZY_FIXED_RATE
|
1
|
Wiki
|
|
body
|
|
/<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
|
TVD_FUZZY_MICROCAP
|
1
|
Wiki
|
|
body
|
|
/<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
|
TVD_FUZZY_PHARMACEUTICAL
|
1
|
Wiki
|
|
body
|
|
/<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i
|
TVD_FUZZY_SYMBOL
|
1
|
Wiki
|
|
body
|
|
/\bsize of .{1,20}(?:penis| dick| manhood)/i
|
TVD_INCREASE_SIZE
|
1.529 0.601 1.055 0.001
|
Wiki
|
|
body
|
|
/\blink to save\b/i
|
TVD_LINK_SAVE
|
1
|
Wiki
|
|
header
|
|
Subject =~ /(?:Jan| Feb| Mar| Apr| May| Jun| Jul| Aug| Sep| Oct| Nov| Dec)\S* \d+% OFF/
|
TVD_PCT_OFF
|
1
|
Wiki
|
|
body
|
|
/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*| suspen[a-z]+| notif(?:y| ication)| updated| verifications?| credited)\b/i
|
TVD_PH_BODY_ACCOUNTS_PRE
|
1.201 1.527 1.327 2.393
|
Wiki
|
|
body
|
|
Message has a phrase standard for phishing mails
|
TVD_PH_REC
|
3.127 2.026 3.266 1.784
|
Wiki
|
|
body
|
|
Message has a phrase standard for phishing mails
|
TVD_PH_SEC
|
0.291 1.498 0.869 1.764
|
Wiki
|
|
header
|
|
Subject =~ /\b(?:(?:re-?)?activat[a-z]*| secure| verify| restore| flagged| limited| unusual| update| report| notif(?:y| ication)| suspen(?:d| ded| sion)| co(?:n| m)firm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i
|
TVD_PH_SUBJ_ACCOUNTS_POST
|
2.602 2.607 2.497 3.099
|
Wiki
|
|
header
|
|
Subject =~ /\bsecurity (?:[a-z_,-]+ )*?measures?\b/i
|
TVD_PH_SUBJ_SEC_MEASURES
|
2.284 1.522 1.675 1.145
|
Wiki
|
|
header
|
|
Subject =~ /^urgent(?:[\s\W]*(dollar) | .{1,40}(?:alert| response| assistance| proposal| reply| warning| noti(?:ce| fication)| greeting| matter))/i
|
TVD_PH_SUBJ_URGENT
|
1.251 2.326 2.255 2.800
|
Wiki
|
|
body
|
|
/\bquality med(?:ication)?s\b/i
|
TVD_QUAL_MEDS
|
2.697 2.397 2.799 2.483
|
Wiki
|
|
header
|
|
Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
|
TVD_RATWARE_CB
|
1
|
Wiki
|
|
header
|
|
Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
|
TVD_RATWARE_CB_2
|
1
|
Wiki
|
|
header
|
|
Message-ID =~ /^[^<]*<[a-z]+\@/
|
TVD_RATWARE_MSGID_02
|
1
|
Wiki
|
|
header
|
|
Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
|
TVD_RCVD_IP
|
0.001 0.054 0.001 0.695
|
Wiki
|
|
header
|
|
Received =~ /^from\s+(?:\d+\.){3}\d+\s/
|
TVD_RCVD_IP4
|
0.159 1.495 0.674 1.596
|
Wiki
|
|
header
|
|
Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/
|
TVD_RCVD_SINGLE
|
0.242 1.213 0.001 2.172
|
Wiki
|
|
header
|
|
Received =~ /\(\[(?!UNIX:)[^\[\]]*\s/
|
TVD_RCVD_SPACE_BRACKET
|
0.001 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
/\bSection (?:27A| 21B)/i
|
TVD_SECTION
|
1
|
Wiki
|
|
body
|
|
m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s| (dollar) )!i
|
TVD_SILLY_URI_OBFU
|
1
|
Wiki
|
|
header
|
|
Subject =~ /^(?:(?:Re| Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+(dollar) /
|
TVD_SPACED_SUBJECT_WORD3
|
1
|
Wiki
|
|
body
|
|
eval:check_stock_info('2')
|
TVD_STOCK1
|
1
|
Wiki
|
|
header
|
|
Subject has spammy looking monetary reference
|
TVD_SUBJ_ACC_NUM
|
0.001 2.199 2.199 2.198
|
Wiki
|
|
header
|
|
Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*(dollar) /
|
TVD_SUBJ_FINGER_03
|
1
|
Wiki
|
|
header
|
|
Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe| indebted)\s+(?:\w+\s+)+an\s*other/i
|
TVD_SUBJ_OWE
|
1
|
Wiki
|
|
header
|
|
Subject =~ /(?:wipe out| remove| get (?:rid| out) of| eradicate) .{0,20}(?:owe| debt| obligation)/i
|
TVD_SUBJ_WIPE_DEBT
|
2.599 2.291 2.599 1.004
|
Wiki
|
|
body
|
|
/Online Ph.rmacy/i
|
TVD_VISIT_PHARMA
|
1.957 1.196 0.417 1.406
|
Wiki
|
|
rawbody
|
|
/<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
|
TVD_VIS_HIDDEN
|
1
|
Wiki
|
|
body
|
|
Contains an URI of a new domain (Day Old Bread)
|
URIBL_RHS_DOB
|
0 0.276 0 1.514
|
Wiki
|
|
body
|
|
Obfuscated URI
|
URI_OBFU_WWW
|
3.099 3.099 2.306 2.475
|
Wiki
|
|
header
|
|
X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*(dollar) /
|
X_MAILER_CME_6543_MSN
|
2.886 2.004 3.002 3.348
|
Wiki
|
