SpamAssassin

The Apache SpamAssassin Project

The Powerful #1 Open-Source Spam Filter

Tests Performed: v3.3.x

This is the current list of tests SpamAssassin performs on mail messages to determine if they're spam or not. If you wish to change the score from the default, add a line like this to your ~/.spamassassin/user_prefs:

score NAME_OF_TEST 3.0

Where 3.0 is the hits you wish that test to incur, and NAME_OF_TEST is the test name from the TEST NAME column below.

If you wish to disable a test, set the score to 0 by adding a line like this to your ~/.spamassassin/user_prefs:

score NAME_OF_TEST 0

Note that these are the scores for the current stable release of SpamAssassin; they may be different from the ones you're running on your servers, if SpamAssassin is installed there.

The 'More Info' links, if present, lead to a section of our Wiki for collaborative documentation of rules; some of the rules include additional user-contributed documentation there. If you feel like adding a page describing a rule in further detail, feel free to create a page at that link, using the RuleDescriptionTemplate format.


AREA TESTED LOCALE DESCRIPTION OF TEST TEST NAME DEFAULT SCORES
(local, net, with bayes, with bayes+net)
MORE INFO
(additional wiki docs)
body Generic Test for Unsolicited Bulk Email GTUBE 1000.000 Wiki
body Incorporates a tracking ID number TRACKER_ID 2.026 1.102 1.750 1.306 Wiki
body Weird repeated double-quotation marks WEIRD_QUOTING 0.001 0.001 0.001 0.001 Wiki
body Body contains a ROT13-encoded email address EMAIL_ROT13 1 Wiki
body HTML and text parts are different MPART_ALT_DIFF 2.246 0.724 0.595 0.790 Wiki
body HTML and text parts are different MPART_ALT_DIFF_COUNT 2.799 1.483 1.199 1.112 Wiki
body Message body has 80-90% blank lines BLANK_LINES_80_90 1 Wiki
body eval:check_ma_non_text() MULTIPART_ALT_NON_TEXT 1 Wiki
body Character set indicates a foreign language CHARSET_FARAWAY 3.200 Wiki
rawbody Extra blank lines in base64 encoding MIME_BASE64_BLANKS 0.001 0.001 0.001 0.001 Wiki
rawbody Message text disguised using base64 encoding MIME_BASE64_TEXT 0.001 0.001 0.001 1.741 Wiki
body Missing blank line between MIME header and body MISSING_MIME_HB_SEP 0.001 0.001 0.001 0.001 Wiki
body Multipart message mostly text/html MIME MIME_HTML_MOSTLY 0.354 0.001 0.725 0.428 Wiki
body Message only has text/html MIME parts MIME_HTML_ONLY 2.199 1.105 1.199 0.723 Wiki
rawbody Quoted-printable line longer than 76 chars MIME_QP_LONG_LINE 0.001 Wiki
body MIME character set is an unknown ISO charset MIME_BAD_ISO_CHARSET 1 Wiki
body IP to HTTPS link found in HTML HTTPS_IP_MISMATCH 1 Wiki
body Message contained a URI which was truncated URI_TRUNCATED 0.001 Wiki
header Passed through trusted hosts only via SMTP ALL_TRUSTED -1.000 Wiki
header Informational: message was not relayed via SMTP NO_RELAYS -0.001 Wiki
header NJABL: sender is confirmed open relay RCVD_IN_NJABL_RELAY 0 1.881 0 2.499 Wiki
header NJABL: sender is confirmed spam source RCVD_IN_NJABL_SPAM 0 1.466 0 1.249 Wiki
header NJABL: sent through multi-stage open relay RCVD_IN_NJABL_MULTI 1 Wiki
header NJABL: sender is an open formmail RCVD_IN_NJABL_CGI 1 Wiki
header NJABL: sender is an open proxy RCVD_IN_NJABL_PROXY 0 0.208 0 2.224 Wiki
header SORBS: sender is open HTTP proxy server RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 Wiki
header SORBS: sender is open SOCKS proxy server RCVD_IN_SORBS_SOCKS 0 2.443 0 1.927 Wiki
header SORBS: sender is open proxy server RCVD_IN_SORBS_MISC 1 Wiki
header SORBS: sender is open SMTP relay RCVD_IN_SORBS_SMTP 1 Wiki
header SORBS: sender is an abusable web server RCVD_IN_SORBS_WEB 0 0.614 0 0.770 Wiki
header SORBS: sender demands to never be tested RCVD_IN_SORBS_BLOCK 1 Wiki
header SORBS: sender is on a hijacked network RCVD_IN_SORBS_ZOMBIE 1 Wiki
header SORBS: sent directly from dynamic IP address RCVD_IN_SORBS_DUL 0 0.001 0 0.001 Wiki
header Received via a relay in Spamhaus SBL RCVD_IN_SBL 0 2.596 0 0.141 Wiki
header Received via a relay in Spamhaus XBL RCVD_IN_XBL 0 0.724 0 0.375 Wiki
header Received via a relay in Spamhaus PBL RCVD_IN_PBL 0 3.558 0 3.335 Wiki
header Envelope sender in dsn.rfc-ignorant.org DNS_FROM_RFC_DSN 0 0.001 0 0.001 Wiki
header Envelope sender in bogusmx.rfc-ignorant.org DNS_FROM_RFC_BOGUSMX 0 1.464 0 1.668 Wiki
header Envelope sender listed in dnsbl.ahbl.org DNS_FROM_AHBL_RHSBL 0 2.438 0 2.699 Wiki
header Received via a relay in bl.spamcop.net RCVD_IN_BL_SPAMCOP_NET 0 1.246 0 1.347 Wiki
header Relay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html RCVD_IN_MAPS_RBL 1 Wiki
header Relay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html RCVD_IN_MAPS_DUL 1 Wiki
header Relay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html RCVD_IN_MAPS_RSS 1 Wiki
header Relay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html RCVD_IN_MAPS_OPS 1 Wiki
header Relay in NML, http://www.mail-abuse.com/enduserinfo_nml.html RCVD_IN_MAPS_NML 1 Wiki
header ISIPP IADB lists as vouched-for sender RCVD_IN_IADB_VOUCHED 0 -2.2 0 -2.2 Wiki
header Subject contains a gappy version of 'cialis' SUBJECT_DRUG_GAP_C 2.108 0.989 1.348 2.140 Wiki
header Subject contains a gappy version of 'levitra' SUBJECT_DRUG_GAP_L 2.799 2.304 1.402 1.561 Wiki
header Subject contains a gappy version of 'soma' SUBJECT_DRUG_GAP_S 1 Wiki
header Subject contains a gappy version of 'valium' SUBJECT_DRUG_GAP_VA 1 Wiki
header Subject contains a gappy version of 'xanax' SUBJECT_DRUG_GAP_X 1 Wiki
body Talks about price per dose DRUG_DOSAGE 1 Wiki
body Mentions an E.D. drug DRUG_ED_CAPS 2.799 1.023 2.516 0.936 Wiki
body Talks about an E.D. drug using its chemical name DRUG_ED_SILD 0.001 0.170 0.113 1.794 Wiki
body Mentions Generic Viagra DRUG_ED_GENERIC 1 Wiki
body Fast Viagra Delivery DRUG_ED_ONLINE 0.696 1.152 1.221 0.608 Wiki
body Online Pharmacy ONLINE_PHARMACY 0.843 2.371 0.008 0.650 Wiki
body No prescription needed NO_PRESCRIPTION 1.915 1.102 2.280 2.399 Wiki
body Attempts to disguise the word 'viagra' VIA_GAP_GRA 1 Wiki
body Two or more drugs crammed together into one word DRUGS_SMEAR1 3.300 2.051 3.148 0.235 Wiki
header Relay HELO'd with suspicious hostname (mail.com) FAKE_HELO_MAIL_COM_DOM 1.887 0.152 1.370 2.136 Wiki
header Relay HELO'd using suspicious hostname (Rogers) HELO_DYNAMIC_ROGERS 1 Wiki
header Relay HELO'd using suspicious hostname (T-Dialin) HELO_DYNAMIC_DIALIN 2.629 3.233 2.186 1.366 Wiki
header Relay HELO'd using suspicious hostname (Hex IP) HELO_DYNAMIC_HEXIP 2.321 0.511 1.773 1.789 Wiki
header Relay HELO'd using suspicious hostname (Split IP) HELO_DYNAMIC_SPLIT_IP 3.031 2.893 4.225 3.482 Wiki
header Relay HELO'd using suspicious hostname (IP addr 2) HELO_DYNAMIC_IPADDR2 2.815 3.888 3.728 3.607 Wiki
header Relay HELO'd using suspicious hostname (Chello.nl) HELO_DYNAMIC_CHELLO_NL 2.412 1.918 2.019 2.428 Wiki
header Relay HELO'd using suspicious hostname (Home.nl) HELO_DYNAMIC_HOME_NL 2.385 1.530 1.024 1.459 Wiki
header Sender email is freemail FREEMAIL_FROM 0.001 Wiki
header Envelope-from freemail username ends in digit FREEMAIL_ENVFROM_END_DIGIT 2.602 2.223 1.770 1.553 Wiki
header Reply-To freemail username ends in digit FREEMAIL_REPLYTO_END_DIGIT 1.221 0.980 1.179 1.151 Wiki
header Partial message FRAGMENTED_MESSAGE 1 Wiki
header From: contains empty name FROM_BLANK_NAME 2.099 2.099 2.099 0.723 Wiki
header From: starts with many numbers FROM_STARTS_WITH_NUMS 2.801 0.553 1.201 0.738 Wiki
header From address is "at something-offers" FROM_OFFERS 2.699 2.699 2.510 2.699 Wiki
header From: has no local-part before @ sign FROM_NO_USER 0.001 2.599 0.019 0.798 Wiki
header Spam tool Message-Id: (caps variant) MSGID_SPAM_CAPS 2.366 1.997 3.099 3.099 Wiki
header Spam tool Message-Id: (letters variant) MSGID_SPAM_LETTERS 1 Wiki
header Message-ID has ALLCAPS@yahoo.com MSGID_YAHOO_CAPS 0.797 1.413 2.278 1.411 Wiki
header Message-ID is unusually short MSGID_SHORT 0.001 0.337 0.001 0.001 Wiki
header Message-ID contains multiple '@' characters MSGID_MULTIPLE_AT 0.001 Wiki
header Date header uses unusual Y2K formatting DATE_SPAMWARE_Y2K 1 Wiki
header Invalid Date: header (not RFC 2822) INVALID_DATE 1.701 0.432 1.200 1.096 Wiki
header Invalid Date: header (timezone does not exist) INVALID_DATE_TZ_ABSURD 0.262 0.632 0.706 0.491 Wiki
header Invalid date in header (wrong CST timezone) INVALID_TZ_CST 1 Wiki
header Invalid date in header (wrong EST timezone) INVALID_TZ_EST 1 Wiki
header Subject contains an English UCE tag ENGLISH_UCE_SUBJECT 0.953 1.542 2.569 2.899 Wiki
header Subject contains a Japanese UCE tag JAPANESE_UCE_SUBJECT 1 Wiki
header Subject: contains Korean unsolicited email tag KOREAN_UCE_SUBJECT 1 Wiki
header Contains forged hostname for a DSL IP in Brazil FORGED_TELESP_RCVD 2.499 2.499 2.499 1.841 Wiki
header Character set doesn't exist NONEXISTENT_CHARSET 1 Wiki
header Message has Prevent-NonDelivery-Report header PREVENT_NONDELIVERY 1 Wiki
header Message has X-IP header X_IP 0.001 0.001 0.001 0.001 Wiki
header Subject contains "As Seen" SUBJ_AS_SEEN 2.711 3.099 3.099 1.461 Wiki
header Subject starts with dollar amount SUBJ_DOLLARS 0.600 0.001 0.601 1.800 Wiki
header Subject contains "Your Bills" or similar SUBJ_YOUR_DEBT 3.299 3.045 1.199 0.987 Wiki
header Subject contains "Your Family" SUBJ_YOUR_FAMILY 2.910 2.999 2.999 2.999 Wiki
header Received contains a faked HELO hostname RCVD_FAKE_HELO_DOTCOM 2.799 2.389 2.605 1.189 Wiki
header Subject talks about losing pounds SUBJECT_DIET 1.927 1.563 0.817 1.466 Wiki
header Header has extraneous Content-type:...type= entry EXTRA_MPART_TYPE 1.0 Wiki
header Spam tool pattern in MIME boundary MIME_BOUND_DD_DIGITS 3.016 0.349 2.417 1.373 Wiki
header Spam tool pattern in MIME boundary MIME_BOUND_DIGITS_15 0.432 1.225 1.241 0.798 Wiki
header Spam tool pattern in MIME boundary MIME_BOUND_MANY_HEX 1 Wiki
header To: has a malformed address TO_MALFORMED 0.892 1.247 2.099 2.099 Wiki
header Received line contains spam-sign (lowercase smtp) WITH_LC_SMTP 1 Wiki
header Subject line starts with Buy or Buying SUBJ_BUY 0.594 1.498 0.001 0.639 Wiki
header Received headers forged (AM/PM) RCVD_AM_PM 1 Wiki
header Received header contains faked 'mr.outblaze.com' FAKE_OUTBLAZE_RCVD 1 Wiki
header Headers contain an unclosed bracket UNCLOSED_BRACKET 2.699 1.329 1.425 1.496 Wiki
header From: domain has series of non-vowel letters FROM_DOMAIN_NOVOWEL 0.500 Wiki
header From: localpart has series of non-vowel letters FROM_LOCAL_NOVOWEL 0.500 Wiki
header From: localpart has long hexadecimal sequence FROM_LOCAL_HEX 0.000 0.331 0.001 0.006 Wiki
header From: localpart has long digit sequence FROM_LOCAL_DIGITS 0.001 Wiki
header Cc: after X-Priority: (bulk email fingerprint) X_PRIORITY_CC 1 Wiki
header Message has bad MIME encoding in the header BAD_ENC_HEADER 3.099 1.716 1.805 1.988 Wiki
header Received: contains illegal IP address RCVD_ILLEGAL_IP 3.399 Wiki
header A foreign language charset used in headers CHARSET_FARAWAY_HEADER 3.200 Wiki
header From: has too many raw illegal characters FROM_ILLEGAL_CHARS 2.192 2.059 0.240 0.036 Wiki
header Headers have too many raw illegal characters HEAD_ILLEGAL_CHARS 1 Wiki
header hotmail.com 'From' address, but no 'Received:' FORGED_HOTMAIL_RCVD2 0.001 1.187 0.698 0.874 Wiki
header 'From' yahoo.com does not match 'Received' headers FORGED_YAHOO_RCVD 2.397 1.022 2.599 1.630 Wiki
header Recipient list is sorted by address SORTED_RECIPS 1.801 2.474 1.791 2.499 Wiki
header Similar addresses in recipient list SUSPICIOUS_RECIPS 2.499 2.497 2.139 2.510 Wiki
header Missing To: header MISSING_HEADERS 0.915 1.207 1.204 1.021 Wiki
header Date: is 3 to 6 hours before Received: date DATE_IN_PAST_03_06 2.399 1.076 1.200 1.592 Wiki
header Date: is 6 to 12 hours before Received: date DATE_IN_PAST_06_12 1.699 1.103 1.274 1.543 Wiki
header Date: is 12 to 24 hours before Received: date DATE_IN_PAST_12_24 0.001 0.804 1.190 1.049 Wiki
header Date: is 24 to 48 hours before Received: date DATE_IN_PAST_24_48 1.109 0.485 0.624 1.340 Wiki
header Date: is 96 hours or more before Received: date DATE_IN_PAST_96_XX 2.600 2.070 1.233 3.405 Wiki
header Date: is 3 to 6 hours after Received: date DATE_IN_FUTURE_03_06 3.399 2.426 2.997 3.027 Wiki
header Date: is 6 to 12 hours after Received: date DATE_IN_FUTURE_06_12 2.899 0.001 2.222 1.947 Wiki
header Date: is 12 to 24 hours after Received: date DATE_IN_FUTURE_12_24 2.603 2.489 3.199 3.199 Wiki
header Date: is 24 to 48 hours after Received: date DATE_IN_FUTURE_24_48 2.598 1.248 0.001 2.048 Wiki
header Date: is 48 to 96 hours after Received: date DATE_IN_FUTURE_48_96 2.384 0.813 1.078 2.181 Wiki
header Date: is 96 hours or more after Received: date DATE_IN_FUTURE_96_XX 2.614 3.028 2.851 3.087 Wiki
header Headers contain an unresolved template UNRESOLVED_TEMPLATE 3.035 0.716 2.424 1.252 Wiki
header Subject is all capitals SUBJ_ALL_CAPS 0.518 1.625 1.197 1.506 Wiki
header Local part of To: address appears in Subject LOCALPART_IN_SUBJECT 0.001 0.730 1.199 1.107 Wiki
header Message-Id is fake (in Outlook Express format) MSGID_OUTLOOK_INVALID 3.899 Wiki
header Multiple Content-Type headers found HEADER_COUNT_CTYPE 1 Wiki
header Message headers are very long HEAD_LONG 1 Wiki
header Missing blank line between message header and body MISSING_HB_SEP 1 Wiki
header Informational: message has unparseable relay lines UNPARSEABLE_RELAY 0.001 Wiki
header Received: HELO and IP do not match, but should RCVD_HELO_IP_MISMATCH 1.680 1.186 2.362 2.368 Wiki
header Received: contains an IP address used for HELO RCVD_NUMERIC_HELO 0.001 0.865 0.001 1.164 Wiki
header Host HELO'd as a big ISP, but had no rDNS NO_RDNS_DOTCOM_HELO 3.100 0.433 3.099 0.823 Wiki
rawbody Javascript to hide URLs in browser HIDE_WIN_STATUS 0.001 1.353 0.754 1.380 Wiki
body HTML included in message HTML_MESSAGE 0.001 Wiki
body HTML comment is very short HTML_COMMENT_SHORT 1 Wiki
body HTML message is a saved web page HTML_COMMENT_SAVED_URL 0.198 0.357 0.899 1.391 Wiki
body HTML with embedded plugin object HTML_EMBEDS 0.001 0.001 1.171 1.799 Wiki
body HTML contains far too many close tags HTML_EXTRA_CLOSE 0.001 Wiki
body HTML font size is large HTML_FONT_SIZE_LARGE 0.001 Wiki
body HTML font size is huge HTML_FONT_SIZE_HUGE 0.001 Wiki
body HTML font color similar to background HTML_FONT_LOW_CONTRAST 0.713 0.001 0.786 0.001 Wiki
body HTML font face is not a word HTML_FONT_FACE_BAD 0.001 0.289 0.286 0.981 Wiki
body HTML includes a form which sends mail HTML_FORMACTION_MAILTO 1 Wiki
body HTML: images with 0-400 bytes of words HTML_IMAGE_ONLY_04 1.680 0.342 1.799 1.172 Wiki
body HTML: images with 400-800 bytes of words HTML_IMAGE_ONLY_08 0.585 1.781 1.845 1.651 Wiki
body HTML: images with 800-1200 bytes of words HTML_IMAGE_ONLY_12 1.381 1.629 1.400 2.059 Wiki
body HTML: images with 1200-1600 bytes of words HTML_IMAGE_ONLY_16 1.969 1.048 1.199 1.092 Wiki
body HTML: images with 1600-2000 bytes of words HTML_IMAGE_ONLY_20 2.109 0.700 1.300 1.546 Wiki
body HTML: images with 2000-2400 bytes of words HTML_IMAGE_ONLY_24 2.799 1.282 1.328 1.618 Wiki
body HTML: images with 2400-2800 bytes of words HTML_IMAGE_ONLY_28 2.799 0.726 1.512 1.404 Wiki
body HTML: images with 2800-3200 bytes of words HTML_IMAGE_ONLY_32 2.196 0.001 1.172 0.001 Wiki
body HTML has a low ratio of text to image area HTML_IMAGE_RATIO_02 2.199 0.805 1.200 0.437 Wiki
body HTML has a low ratio of text to image area HTML_IMAGE_RATIO_04 2.089 0.610 0.607 0.556 Wiki
body HTML has a low ratio of text to image area HTML_IMAGE_RATIO_06 0.001 0.001 0.001 0.001 Wiki
body HTML has a low ratio of text to image area HTML_IMAGE_RATIO_08 0.001 0.001 0.001 0.001 Wiki
body Message is 5% to 10% HTML obfuscation HTML_OBFUSCATE_05_10 0.601 0.001 0.718 0.260 Wiki
body Message is 10% to 20% HTML obfuscation HTML_OBFUSCATE_10_20 0.174 1.162 0.588 0.093 Wiki
body Message is 20% to 30% HTML obfuscation HTML_OBFUSCATE_20_30 2.499 2.441 1.449 1.999 Wiki
body Message is 30% to 40% HTML obfuscation HTML_OBFUSCATE_30_40 1 Wiki
body Message is 50% to 60% HTML obfuscation HTML_OBFUSCATE_50_60 1 Wiki
body Message is 70% to 80% HTML obfuscation HTML_OBFUSCATE_70_80 1 Wiki
body Message is 90% to 100% HTML obfuscation HTML_OBFUSCATE_90_100 1 Wiki
body HTML has unbalanced "body" tags HTML_TAG_BALANCE_BODY 1.247 0.712 0.628 1.157 Wiki
body HTML has unbalanced "head" tags HTML_TAG_BALANCE_HEAD 0.520 0.000 0.600 0.817 Wiki
body HTML has "bgsound" tag HTML_TAG_EXIST_BGSOUND 1 Wiki
body HTML message is 40% to 50% bad tags HTML_BADTAG_40_50 1 Wiki
body HTML message is 50% to 60% bad tags HTML_BADTAG_50_60 1 Wiki
body HTML message is 60% to 70% bad tags HTML_BADTAG_60_70 1 Wiki
body HTML message is 90% to 100% bad tags HTML_BADTAG_90_100 1 Wiki
body 30% to 40% of HTML elements are non-standard HTML_NONELEMENT_30_40 0.000 0.001 0.308 0.001 Wiki
body 40% to 50% of HTML elements are non-standard HTML_NONELEMENT_40_50 1 Wiki
body 60% to 70% of HTML elements are non-standard HTML_NONELEMENT_60_70 1 Wiki
body 80% to 90% of HTML elements are non-standard HTML_NONELEMENT_80_90 1 Wiki
body Message has HTML IFRAME tag with SRC URI HTML_IFRAME_SRC 1 Wiki
header Envelope sender has no MX or A DNS records NO_DNS_FOR_FROM 0 0.379 0 0.001 Wiki
body Removal phrase right before a link REMOVE_BEFORE_LINK 0.406 1.587 1.799 1.800 Wiki
body One hundred percent guaranteed GUARANTEED_100_PERCENT 2.699 2.699 2.480 2.699 Wiki
body Dear Friend? That's not very dear! DEAR_FRIEND 2.683 2.604 1.801 2.577 Wiki
body Contains 'Dear (something)' DEAR_SOMETHING 1.999 1.731 1.787 1.973 Wiki
body Talks about lots of money BILLION_DOLLARS 0.001 1.451 1.229 1.638 Wiki
body Claims you can be removed from the list EXCUSE_4 2.399 1.687 2.399 1.325 Wiki
body Claims you wanted this ad EXCUSE_24 2.799 Wiki
body Talks about how to be removed from mailings EXCUSE_REMOVE 2.907 2.992 3.299 3.299 Wiki
body Tells you about a strong buy STRONG_BUY 1 Wiki
body Offers a alert about a stock STOCK_ALERT 1 Wiki
body Not registered investment advisor NOT_ADVISOR 1 Wiki
body 'Prestigious Non-Accredited Universities' PREST_NON_ACCREDITED 1 Wiki
body Information on growing body parts BODY_ENHANCEMENT 0.927 1.611 0.974 0.001 Wiki
body Information on getting larger body parts BODY_ENHANCEMENT2 1.691 1.507 1.865 1.541 Wiki
body Impotence cure IMPOTENCE 1.539 2.144 3.028 1.374 Wiki
body Talks about a million North American dollars NA_DOLLARS 3.599 Wiki
body Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN) US_DOLLARS_3 2.599 2.523 1.780 1.754 Wiki
body Talks about millions of dollars MILLION_USD 3.799 2.477 3.221 3.247 Wiki
body Contains urgent matter URG_BIZ 1.750 0.941 0.568 0.573 Wiki
body Money back guarantee MONEY_BACK 2.910 2.486 0.601 1.232 Wiki
body Free express or no-obligation quote FREE_QUOTE_INSTANT 2.700 2.699 2.699 1.297 Wiki
body Eliminate Bad Credit BAD_CREDIT 2.799 1.658 1.279 2.415 Wiki
body Home refinancing REFINANCE_YOUR_HOME 1 Wiki
body Home refinancing REFINANCE_NOW 1 Wiki
body No Medical Exams NO_MEDICAL 2.199 1.254 2.199 1.773 Wiki
body Lose Weight Spam DIET_1 0.714 0.000 0.399 0.001 Wiki
body Freedom of a financial nature FIN_FREE 2.699 2.289 2.699 2.700 Wiki
body Stock Disclaimer Statement FORWARD_LOOKING 1 Wiki
body One Time Rip Off ONE_TIME 1.840 1.175 1.830 0.714 Wiki
body Join Millions of Americans JOIN_MILLIONS 0.700 0.128 1.549 1.026 Wiki
body Claims you registered with a partner MARKETING_PARTNERS 0.553 0.235 0.689 0.001 Wiki
body Lowest Price LOW_PRICE 0.161 0.600 0.001 1.464 Wiki
body People just leave money laying around UNCLAIMED_MONEY 2.699 2.699 2.699 2.427 Wiki
body Message seems to contain rot13ed address OBSCURED_EMAIL 1 Wiki
body Talks about Oprah with an exclamation! BANG_OPRAH 1 Wiki
body Talks about 'acting now' with capitals ACT_NOW_CAPS 1.404 2.399 0.925 2.211 Wiki
body Talks about a bigger drive for sex MORE_SEX 2.799 2.765 2.568 1.413 Wiki
body Something is emphatically guaranteed BANG_GUAR 2.202 2.377 1.690 2.704 Wiki
body Message mentions investment advice INVESTMENT_ADVICE 0.200 2.160 2.199 2.199 Wiki
body Message talks about enhancing men MALE_ENHANCE 3.100 3.099 3.099 0.851 Wiki
body Message says that prices aren't too expensive PRICES_ARE_AFFORDABLE 0.794 0.851 1.112 0.551 Wiki
body Message talks about a replica watch REPLICA_WATCH 3.487 3.164 4.074 3.775 Wiki
body Message puts emphasis on the watch manufacturer EM_ROLEX 0.595 1.309 2.068 0.618 Wiki
body Possible porn - Free Porn FREE_PORN 1 Wiki
body Possible porn - Cum Shot CUM_SHOT 1 Wiki
body Possible porn - Live Porn LIVE_PORN 1 Wiki
header Subject indicates sexually-explicit content SUBJECT_SEXUAL 1 Wiki
header Bulk email fingerprint (eGroups) found RATWARE_EGROUPS 1.898 1.258 1.406 1.621 Wiki
header X-Mailer has malformed Outlook Express version RATWARE_OE_MALFORMED 1 Wiki
header Bulk email fingerprint (Mozilla malformed) found RATWARE_MOZ_MALFORMED 1 Wiki
header Bulk email fingerprint (mPOP Web-Mail) RATWARE_MPOP_WEBMAIL 1.153 1.338 1.229 1.999 Wiki
rawbody Contains a hashbuster in Send-Safe format RATWARE_HASH_DASH 1 Wiki
header Bulk email fingerprint (Gecko faked) found RATWARE_GECKO_BUILD 1 Wiki
header Bulk email fingerprint (X-Message-Info) found X_MESSAGE_INFO 1 Wiki
header Bulk email fingerprint (header-based) found HEADER_SPAM 2.499 2.499 1.994 0.585 Wiki
header Bulk email fingerprint (Received PF) found RATWARE_RCVD_PF 1 Wiki
header Bulk email fingerprint (Received @) found RATWARE_RCVD_AT 1 Wiki
header Bulk email fingerprint (envfrom) found RATWARE_EFROM 2.999 Wiki
uri /^https?:\/\/[^\/]*\&\#(?:\d{4,}| [3456789]\d\d);/i HIGH_CODEPAGE_URI 1 Wiki
uri Uses a numeric IP address in URL NUMERIC_HTTP_ADDR 0.000 0.001 0.001 1.242 Wiki
uri Uses %-escapes inside a URL's hostname HTTP_ESCAPED_HOST 0.807 1.621 0.483 1.125 Wiki
uri Completely unnecessary %-escapes inside a URL HTTP_EXCESSIVE_ESCAPES 0.001 1.516 0.000 1.572 Wiki
uri Dotted-decimal IP address followed by CGI IP_LINK_PLUS 0.001 0.001 0.246 0.012 Wiki
uri Uses non-standard port number for HTTP WEIRD_PORT 0.001 0.001 0.097 0.001 Wiki
uri Has Yahoo Redirect URI YAHOO_RD_REDIR 1 Wiki
uri Has Yahoo Redirect URI YAHOO_DRS_REDIR 1 Wiki
uri Contains an URL-encoded hostname (HTTP77) HTTP_77 1 Wiki
uri URI contains ".com" in middle SPOOF_COM2OTH 2.999 2.999 2.877 2.723 Wiki
uri URI contains ".com" in middle and end SPOOF_COM2COM 0.001 1.632 1.952 2.048 Wiki
uri URI contains ".net" or ".org", then ".com" SPOOF_NET2COM 1 Wiki
uri URI hostname has long hexadecimal sequence URI_HEX 2.800 1.313 1.206 1.122 Wiki
uri URI hostname has long non-vowel sequence URI_NOVOWEL 0.500 Wiki
uri URI contains suspicious unsubscribe link URI_UNSUBSCRIBE 1 Wiki
uri CGI in .info TLD other than third-level "www" URI_NO_WWW_INFO_CGI 2.299 2.299 0.292 2.071 Wiki
uri CGI in .biz TLD other than third-level "www" URI_NO_WWW_BIZ_CGI 2.399 2.399 2.400 2.399 Wiki
uri Uses a dotted-decimal IP address in URL NORMAL_HTTP_TO_IP 0.159 0.001 0.795 0.001 Wiki
body Bayes spam probability is 0 to 1% BAYES_00 0 0 -1.5 -1.9 Wiki
body Bayes spam probability is 1 to 5% BAYES_05 0 0 -0.3 -0.5 Wiki
body Bayes spam probability is 5 to 20% BAYES_20 0 0 -0.001 -0.001 Wiki
body Bayes spam probability is 20 to 40% BAYES_40 0 0 -0.001 -0.001 Wiki
body Bayes spam probability is 40 to 60% BAYES_50 0 0 2.0 0.8 Wiki
body Bayes spam probability is 60 to 80% BAYES_60 0 0 2.5 1.5 Wiki
body Bayes spam probability is 80 to 95% BAYES_80 0 0 2.7 2.0 Wiki
body Bayes spam probability is 95 to 99% BAYES_95 0 0 3.2 3.0 Wiki
body Bayes spam probability is 99 to 100% BAYES_99 0 0 3.8 3.5 Wiki
header Message would have been caught by accessdb ACCESSDB 1 Wiki
body Message includes Microsoft executable program MICROSOFT_EXECUTABLE 0.1 Wiki
body MIME filename does not match content MIME_SUSPECT_NAME 0.1 Wiki
full Listed in DCC (http://rhyolite.com/anti-spam/dcc/) DCC_CHECK 0 1.1 0 1.1 Wiki
full DCC reputation between 0 and 12 % (mostly ham) DCC_REPUT_00_12 0 -0.8 0 -0.4 Wiki
full eval:check_dcc_reputation_range(13,19) DCC_REPUT_13_19 0 -0.1 0 -0.1 Wiki
full DCC reputation between 70 and 89 % DCC_REPUT_70_89 0 0.1 0 0.1 Wiki
full DCC reputation between 90 and 94 % DCC_REPUT_90_94 0 0.4 0 0.6 Wiki
full DCC reputation between 95 and 98 % (mostly spam) DCC_REPUT_95_98 0 0.7 0 1.0 Wiki
full DCC reputation between 99 % or higher (spam) DCC_REPUT_99_100 0 1.2 0 1.4 Wiki
full Message has a DKIM or DK signature, not necessarily valid DKIM_SIGNED 0.1 Wiki
full Message has at least one valid DKIM or DK signature DKIM_VALID -0.1 Wiki
full Message has a valid DKIM or DK signature from author's domain DKIM_VALID_AU -0.1 Wiki
header No valid author signature and domain not in DNS DKIM_ADSP_NXDOMAIN 0 0.8 0 0.9 Wiki
header No valid author signature, domain signs all mail and suggests discarding the rest DKIM_ADSP_DISCARD 0 1.8 0 1.8 Wiki
header No valid author signature, domain signs all mail DKIM_ADSP_ALL 0 1.1 0 0.8 Wiki
header No valid author signature, adsp_override is CUSTOM_LOW DKIM_ADSP_CUSTOM_LOW 0.001 Wiki
header No valid author signature, adsp_override is CUSTOM_MED DKIM_ADSP_CUSTOM_MED 0.001 Wiki
header No valid author signature, adsp_override is CUSTOM_HIGH DKIM_ADSP_CUSTOM_HIGH 0.001 Wiki
full eval:check_dkim_valid() DKIM_VERIFIED 1 Wiki
header eval:check_dkim_testing() DKIM_POLICY_TESTING 1 Wiki
header eval:check_dkim_signsome() DKIM_POLICY_SIGNSOME 1 Wiki
header eval:check_dkim_signall() DKIM_POLICY_SIGNALL 1 Wiki
header Contains valid Hashcash token (20 bits) HASHCASH_20 -0.5 Wiki
header Contains valid Hashcash token (21 bits) HASHCASH_21 -0.7 Wiki
header Contains valid Hashcash token (22 bits) HASHCASH_22 -1.0 Wiki
header Contains valid Hashcash token (23 bits) HASHCASH_23 -2.0 Wiki
header Contains valid Hashcash token (24 bits) HASHCASH_24 -3.0 Wiki
header Contains valid Hashcash token (25 bits) HASHCASH_25 -4.0 Wiki
header Contains valid Hashcash token (>25 bits) HASHCASH_HIGH -5.0 Wiki
header Hashcash token already spent in another mail HASHCASH_2SPEND 0.1 Wiki
full Listed in Pyzor (http://pyzor.sf.net/) PYZOR_CHECK 0 1.985 0 1.392 Wiki
full Listed in Razor2 (http://razor.sf.net/) RAZOR2_CHECK 0 1.729 0 0.922 Wiki
full Razor2 gives confidence level above 50% RAZOR2_CF_RANGE_51_100 0 0.365 0 0.500 Wiki
full Razor2 gives engine 4 confidence level above 50% RAZOR2_CF_RANGE_E4_51_100 0 0.467 0 0.642 Wiki
full Razor2 gives engine 8 confidence level above 50% RAZOR2_CF_RANGE_E8_51_100 0 2.430 0 1.886 Wiki
header Attempt to obfuscate words in Subject: SUBJECT_FUZZY_MEDS 1 Wiki
header Attempt to obfuscate words in Subject: SUBJECT_FUZZY_CHEAP 0.641 1.831 0.833 0.001 Wiki
header Attempt to obfuscate words in Subject: SUBJECT_FUZZY_PENIS 1 Wiki
header Attempt to obfuscate words in Subject: SUBJECT_FUZZY_TION 1 Wiki
body Attempt to obfuscate words in spam FUZZY_AFFORDABLE 1 Wiki
body Attempt to obfuscate words in spam FUZZY_AMBIEN 2.199 1.851 0.925 0.552 Wiki
body Attempt to obfuscate words in spam FUZZY_BILLION 1 Wiki
body Attempt to obfuscate words in spam FUZZY_CPILL 0.001 0.001 0.001 0.001 Wiki
body Attempt to obfuscate words in spam FUZZY_CREDIT 1.699 1.413 0.601 1.678 Wiki
body Attempt to obfuscate words in spam FUZZY_ERECT 2.356 1.306 2.360 1.859 Wiki
body Attempt to obfuscate words in spam FUZZY_GUARANTEE 1 Wiki
body Attempt to obfuscate words in spam FUZZY_MEDICATION 1 Wiki
body Attempt to obfuscate words in spam FUZZY_MILLION 2.599 2.599 1.659 2.505 Wiki
body Attempt to obfuscate words in spam FUZZY_MONEY 1 Wiki
body Attempt to obfuscate words in spam FUZZY_MORTGAGE 1 Wiki
body Attempt to obfuscate words in spam FUZZY_OBLIGATION 1 Wiki
body Attempt to obfuscate words in spam FUZZY_OFFERS 1 Wiki
body Attempt to obfuscate words in spam FUZZY_PHARMACY 2.960 3.299 1.967 1.353 Wiki
body Attempt to obfuscate words in spam FUZZY_PHENT 2.799 1.647 1.540 2.662 Wiki
body Attempt to obfuscate words in spam FUZZY_PRESCRIPT 1 Wiki
body Attempt to obfuscate words in spam FUZZY_PRICES 1.821 0.720 2.210 2.311 Wiki
body Attempt to obfuscate words in spam FUZZY_REFINANCE 1 Wiki
body Attempt to obfuscate words in spam FUZZY_REMOVE 1 Wiki
body Attempt to obfuscate words in spam FUZZY_ROLEX 3.399 1.038 3.399 1.964 Wiki
body Attempt to obfuscate words in spam FUZZY_SOFTWARE 1 Wiki
body Attempt to obfuscate words in spam FUZZY_THOUSANDS 1 Wiki
body Attempt to obfuscate words in spam FUZZY_VLIUM 1 Wiki
body Attempt to obfuscate words in spam FUZZY_VIOXX 1 Wiki
body Attempt to obfuscate words in spam FUZZY_VPILL 0.001 0.494 0.796 1.014 Wiki
body Attempt to obfuscate words in spam FUZZY_XPILL 2.202 1.752 2.799 2.799 Wiki
header SPF: sender matches SPF record SPF_PASS -0.001 Wiki
header SPF: sender does not match SPF record (neutral) SPF_NEUTRAL 0 0.652 0 0.779 Wiki
header SPF: sender does not match SPF record (fail) SPF_FAIL 0 0.919 0 0.001 Wiki
header SPF: sender does not match SPF record (softfail) SPF_SOFTFAIL 0 0.972 0 0.665 Wiki
header SPF: HELO matches SPF record SPF_HELO_PASS -0.001 Wiki
header SPF: HELO does not match SPF record (neutral) SPF_HELO_NEUTRAL 0 0.001 0 0.112 Wiki
header SPF: HELO does not match SPF record (fail) SPF_HELO_FAIL 0 0.001 0 0.001 Wiki
header SPF: HELO does not match SPF record (softfail) SPF_HELO_SOFTFAIL 0 0.896 0 0.732 Wiki
body Message written in an undesired language UNWANTED_LANGUAGE_BODY 2.800 Wiki
body Body includes 8 consecutive 8-bit characters BODY_8BITS 1.500 Wiki
body Contains an URL listed in the SBL blocklist URIBL_SBL 0 0.644 0 1.623 Wiki
body Contains an URL listed in the SC SURBL blocklist URIBL_SC_SURBL 0 0.001 0 0.568 Wiki
body Contains an URL listed in the WS SURBL blocklist URIBL_WS_SURBL 0 1.659 0 1.608 Wiki
body Contains an URL listed in the PH SURBL blocklist URIBL_PH_SURBL 0 0.001 0 0.610 Wiki
body Contains an URL listed in the OB SURBL blocklist URIBL_OB_SURBL 0 0.785 0 0.122 Wiki
body Contains an URL listed in the AB SURBL blocklist URIBL_AB_SURBL 0 4.499 0 4.499 Wiki
body Contains an URL listed in the JP SURBL blocklist URIBL_JP_SURBL 0 1.948 0 1.250 Wiki
body Contains an URL listed in the URIBL blacklist URIBL_BLACK 0 1.775 0 1.725 Wiki
body Contains an URL listed in the URIBL greylist URIBL_GREY 0 1.084 0 0.424 Wiki
body Contains an URL listed in the URIBL redlist URIBL_RED 0.001 Wiki
header From: address is in the auto white-list AWL 1 Wiki
header Not all rules were run, due to a shortcircuited rule SHORTCIRCUIT 1 Wiki
header From: address is in the user's black-list USER_IN_BLACKLIST 100.000 Wiki
header From: address is in the user's white-list USER_IN_WHITELIST -100.000 Wiki
header From: address is in the default white-list USER_IN_DEF_WHITELIST -15.000 Wiki
header User is listed in 'blacklist_to' USER_IN_BLACKLIST_TO 10.000 Wiki
header User is listed in 'whitelist_to' USER_IN_WHITELIST_TO -6.000 Wiki
header User is listed in 'more_spam_to' USER_IN_MORE_SPAM_TO -20.000 Wiki
header User is listed in 'all_spam_to' USER_IN_ALL_SPAM_TO -100.000 Wiki
header From: address is in the user's DKIM whitelist USER_IN_DKIM_WHITELIST -100.000 Wiki
header From: address is in the default DKIM white-list USER_IN_DEF_DKIM_WL -7.500 Wiki
header From: address is in the user's SPF whitelist USER_IN_SPF_WHITELIST -100.000 Wiki
header From: address is in the default SPF white-list USER_IN_DEF_SPF_WL -7.500 Wiki
header Subject: contains string in the user's white-list SUBJECT_IN_WHITELIST -100 Wiki
header Subject: contains string in the user's black-list SUBJECT_IN_BLACKLIST 100 Wiki
header From address contains an apostrophe APOSTROPHE_FROM 0.148 0.786 0.651 0.545 Wiki
header HELO from home - untrusted AXB_HELO_HOME_UN 1 Wiki
header Barbera Fingerprint AXB_XMID_1212 1 Wiki
header Brunello Fingerprint AXB_XMID_1510 1 Wiki
header Amarone Fingerprint AXB_XMID_OEGOESNULL 1 Wiki
header Nebbiolo fingerprint AXB_XM_SENDMAIL_NOT 1 Wiki
header Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/ AXB_XR_STULDAP 1 Wiki
body Talks about banking laws BANKING_LAWS 2.399 2.004 2.157 1.099 Wiki
body eval:check_base64_length('78','79') BASE64_LENGTH_78_79 2.370 2.636 0.762 2.667 Wiki
body eval:check_base64_length('79') BASE64_LENGTH_79_INF 1.379 2.019 0.583 1.502 Wiki
header Date =~ /[-+](?!(?:0\d| 1[0-4])(?:[03]0| [14]5))\d{4}/ BUG6152_INVALID_DATE_TZ_ABSURD 1.802 1.448 0.024 0.766 Wiki
header Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/ CTYPE_001C_B 0.001 0.001 0.001 0.001 Wiki
body /\bCurrent Price:/ CURR_PRICE 0.001 Wiki
body Dear Beneficiary: DEAR_BENEFICIARY 1 Wiki
body Message contains Dear email address DEAR_EMAIL 1 Wiki
body /\bdear.{1,20}winner/i DEAR_WINNER 3.099 3.099 2.309 3.099 Wiki
header X-mailer pattern common to anal porn site spam DOS_ANAL_SPAM_MAILER 1 Wiki
header Received from the same IP twice in a row (only one external relay; empty or IP helo) DOS_RCVD_IP_TWICE_C 2.599 2.060 3.292 0.096 Wiki
uri Found an asterisk in a URI DOS_URI_ASTERISK 1 Wiki
header Subject =~ /\bhoodia\b/i DRUGS_HDIA 1 Wiki
body Add / Gain inches FB_ADD_INCHES 1 Wiki
body It's almost sex, but not! FB_ALMOST_SEX 1 Wiki
body Broken AnaTrim phrase. FB_ANA_TRIM 1 Wiki
body Phrase: A_U_N_I FB_ANUI 1 Wiki
body Phrase: [BM]Illi0n FB_BILLI0N 1 Wiki
body Phrase: C0mpany FB_C0MPANY 1 Wiki
body Phrase: can last longer FB_CAN_LONGER 1 Wiki
body Uses a mis-spelled version of cialis. FB_CIALIS_LEO3 1.688 3.055 2.465 3.245 Wiki
body Looks like double 0 words FB_DOUBLE_0WORDS 1 Wiki
body Phrase: email hier FB_EMAIL_HIER 1 Wiki
body Phrase: extra inches FB_EXTRA_INCHES 0.289 0.000 2.603 0.001 Wiki
body Looks like numbers with O's insted of 0's FB_FAKE_NUMBERS 1 Wiki
body Looks like fake numbers (4) FB_FAKE_NUMS4 1 Wiki
body Phrase: Farmacy FB_FHARMACY 1 Wiki
body Phrase: forward look with 0's FB_FORWARD_LOOK 1 Wiki
body Too much spacing in Address FB_GAPPY_ADDRESS 1 Wiki
body Looks like trying to sell meds FB_GET_MEDS 2.314 2.027 1.195 0.935 Wiki
body Looks like generic viagra FB_GVR 2.340 0.691 2.568 2.301 Wiki
body Phrase hey bro, FB_HEY_BRO_COMMA 1 Wiki
body Phrase: HGH FB_HG_H_CAP 1 Wiki
body Phrase (dollar) x home loan FB_HOMELOAN 1 Wiki
body Phrase: impress ... girl FB_IMPRESS_GIRL 1 Wiki
body Phrase: Increase your energy FB_INCREASE_YOUR 2.699 2.700 2.335 2.343 Wiki
body Phrase: independent reward FB_INDEPEND_RWD 2.799 Wiki
body Phrase: L0an FB_L0AN 1 Wiki
body Special people leave special signs! FB_LETTERS_21B 1 Wiki
body Phrase: LOSE WEIGHT FB_LOSE_WEIGHT_CAP 0.001 0.001 2.187 0.001 Wiki
body Phrase: lower your monthly payments FB_LOWER_PAYM 1 Wiki
body Phrase: more size FB_MORE_SIZE 1 Wiki
body Looks like a fake phone number (1) FB_NOT_PHONE_NUM1 1 Wiki
body Looks like a fake phone number (3) FB_NOT_PHONE_NUM3 1 Wiki
body Looks like school but it's not! FB_NOT_SCHOOL 1 Wiki
body Phrase: no prescription needed. FB_NO_SCRIP_NEEDED 1.656 1.469 2.133 0.922 Wiki
body Speaks of teenager. FB_NUMYO 1 Wiki
body Speaks of 20+ year old. FB_NUMYO2 1 Wiki
body Looks like money but has odd spacing. FB_ODD_SPACED_MONEY 1 Wiki
body Mis-spelled online FB_ONIINE 1 Wiki
body Phrase: p1ll FB_P1LL 1 Wiki
body Phrase: penis growth FB_PENIS_GROWTH 1 Wiki
body Phrase: Dollar, with pipes or 0's. FB_PIPEDOLLAR 1 Wiki
body Looks like illion, but it's not FB_PIPE_ILLION 1 Wiki
body Talks about prolonged hardness FB_PROLONGED_HARD 1 Wiki
body Phrase: quality replica FB_QUALITY_REPLICA 3.313 3.149 2.005 2.308 Wiki
body Refcode with spacing FB_REF_CODE_SPACE 1 Wiki
body Phrase: Replica Rolex FB_REPLICA_ROLEX 1.674 0.710 1.115 3.175 Wiki
body Phrase: REPLICA FB_REPLIC_CAP 1 Wiki
body Looks like refi. FB_RE_FI 1 Wiki
body Phrase: Roller is th FB_ROLLER_IS_T 1 Wiki
body Phrase: rolx FB_ROLX 1 Wiki
body Phrase: save ... prescription. FB_SAVE_PERSC 2.799 0.367 1.864 1.492 Wiki
body Phrase: Softabs FB_SOFTTABS 2.887 3.174 3.378 1.584 Wiki
body Phrase: F R E E FB_SPACED_FREE 2.499 2.499 2.203 0.395 Wiki
body Phone number with -- spacing. (B) FB_SPACED_PHN_3B 0.001 Wiki
body Looks like a s p a c e d zipcode. FB_SPACEY_ZIP 1 Wiki
body Phrase: SPUR-M FB_SPUR_M 1 Wiki
body Phrase: ssex FB_SSEX 1 Wiki
body Looks like stocks exploding. FB_STOCK_EXPLODE 1 Wiki
body Mis-spelled symbol. FB_SYMBLO 1 Wiki
body Phrase: this advertiser FB_THIS_ADVERT 3.599 3.600 2.999 3.599 Wiki
body Phrase: thousand personal FB_THOUS_PERSONAL 1 Wiki
body Phrase: to stop further distribution FB_TO_STOP_DISTRO 3.399 Wiki
body Phrase: Ultra Allure FB_ULTRA_ALLURE 2.352 1.074 2.334 0.829 Wiki
body Phrase: lock to your girlfriend FB_UNLOCK_YOUR_G 1 Wiki
body Pattern Replacement PROV_D FB_UNRESOLV_PROV 1 Wiki
body Phrase: yourself master FB_YOURSELF_MASTER 1 Wiki
body Phrase: Your refi FB_YOUR_REFI 1 Wiki
header Bad X-Mailer version FH_BAD_OEV1441 1 Wiki
header The date is not 19xx. FH_DATE_IS_19XX 0.000 1.598 2.373 0.277 Wiki
header RCVD line looks faked (A) FH_FAKE_RCVD_LINE 2.167 1.431 2.525 1.778 Wiki
header RCVD line looks faked (B) FH_FAKE_RCVD_LINE_B 4.000 3.372 3.999 3.999 Wiki
header E-mail address doesn't have TLD (.com, etc.) FH_FROMEML_NOTLD 1.708 0.180 0.975 1.082 Wiki
header From name has "cash" FH_FROM_CASH 2.599 2.436 2.599 1.739 Wiki
header From name says Get FH_FROM_GET_NAME 2.699 Wiki
header From name is giveaway. FH_FROM_GIVEAWAY 2.599 1.817 1.810 1.655 Wiki
header From has Hoodia!!? FH_FROM_HOODIA 1 Wiki
header Has X-AIMC-AUTH header FH_HAS_XAIMC 1.602 1.899 0.561 1.899 Wiki
header Has X-ID FH_HAS_XID 3.299 3.215 3.003 1.782 Wiki
header Helo is almost an IP addr. FH_HELO_ALMOST_IP 3.699 3.268 3.457 0.688 Wiki
header Helo ends with a dot. FH_HELO_ENDS_DOT 1 Wiki
header Helo is 6-10 hex chr's. FH_HELO_EQ_610HEX 1 Wiki
header Helo is d-d-d-d charter.com FH_HELO_EQ_CHARTER 0.607 0.286 0.093 2.683 Wiki
header Helo is d-d-d-d FH_HELO_EQ_D_D_D_D 2.361 1.117 2.815 3.177 Wiki
header Faked helo of gmail-smtp-in FH_HELO_GMAILSMTP 1 Wiki
header Host is dynamicip FH_HOST_EQ_DYNAMICIP 2.632 2.454 3.299 3.298 Wiki
header Host is pacbell.net dsl FH_HOST_EQ_PACBELL_D 0.001 0.927 0.559 1.703 Wiki
header Host is pool-.+verizon.net FH_HOST_EQ_VERIZON_P 2.681 1.237 3.671 1.323 Wiki
header HOST dns says "in-addr.arpa" FH_HOST_IN_ADDRARPA 3.199 2.933 2.452 2.157 Wiki
header Special MSGID FH_MSGID_000000 1 Wiki
header Special MSGID FH_MSGID_01C67 1 Wiki
header MESSAGE ID seen often!!! FH_MSGID_01C70XXX 1 Wiki
header Broken Replace Template FH_MSGID_REPLACE 1 Wiki
header Common sign in msg-id's 12/21/2006 FH_MSGID_XXBLAH 1 Wiki
header Message-Id = @xxx FH_MSGID_XXX 2.399 1.632 2.376 1.482 Wiki
header Subject is Re: new \d\d\d FH_RE_NEW_DDD 1 Wiki
header Broken Replace Template FH_XMAIL_REPLACE 1 Wiki
body Fill in a form with personal information FILL_THIS_FORM_LONG 3.800 3.476 2.300 3.404 Wiki
header Looks like Fake Outlook? FM_XMAIL_F_OUT 1 Wiki
header X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10| 127| 169\.254| 172\.(?:1[6-9]| 2[0-9]| 3[01])| 192\.168)\.)| )[^\[]+(dollar) / FORGED_RELAY_MUA_TO_MX 1 Wiki
body ReplaceTags: Adobe FRT_ADOBE2 0.001 1.099 0.221 0.877 Wiki
body ReplaceTags: Approve FRT_APPROV 2.499 Wiki
body ReplaceTags: Bigger / Larger, Penis / Member FRT_BIGGERMEM1 2.523 0.146 2.372 1.758 Wiki
body ReplaceTags: Diploma FRT_DIPLOMA 0.000 1.548 0.787 1.599 Wiki
body ReplaceTags: Discount FRT_DISCOUNT 1 Wiki
body ReplaceTags: Dollar FRT_DOLLAR 1 Wiki
body ReplaceTags: Establish (2) FRT_ESTABLISH2 1 Wiki
body ReplaceTags: Fuck (2) FRT_FUCK2 1 Wiki
body ReplaceTags: Guarantee (1) FRT_GUARANTEE1 1 Wiki
body ReplaceTags: Investor FRT_INVESTOR 1 Wiki
body ReplaceTags: Levitra FRT_LEVITRA 1 Wiki
body ReplaceTags: Meeting FRT_MEETING 1 Wiki
body ReplaceTags: Offer (2) FRT_OFFER2 1.681 1.109 2.048 0.926 Wiki
body ReplaceTags: Oppertun (2) FRT_OPPORTUN2 1 Wiki
body ReplaceTags: Penis FRT_PENIS1 2.299 2.293 1.029 0.731 Wiki
body ReplaceTags: Pharmac FRT_PHARMAC 1 Wiki
body ReplaceTags: Price FRT_PRICE 0.001 Wiki
body ReplaceTags: Refinance (1) FRT_REFINANCE1 1 Wiki
body ReplaceTags: Rolex FRT_ROLEX 2.699 2.183 1.440 2.699 Wiki
body ReplaceTags: Sexual FRT_SEXUAL 1 Wiki
body ReplaceTags: Soma FRT_SOMA 0.000 3.280 2.099 2.871 Wiki
body ReplaceTags: Soma (2) FRT_SOMA2 0.001 0.001 0.001 0.001 Wiki
body ReplaceTags: Strong (1) FRT_STRONG1 1 Wiki
body ReplaceTags: Strong (2) FRT_STRONG2 1 Wiki
body ReplaceTags: Symbol FRT_SYMBOL 1 Wiki
body ReplaceTags: Today (2) FRT_TODAY2 0.480 0.693 1.988 0.905 Wiki
body ReplaceTags: Valium FRT_VALIUM1 1 Wiki
body ReplaceTags: Valium (2) FRT_VALIUM2 1 Wiki
body ReplaceTags: Weight (2) FRT_WEIGHT2 1 Wiki
body ReplaceTags: Xanax (1) FRT_XANAX1 1 Wiki
body ReplaceTags: Xanax (2) FRT_XANAX2 1 Wiki
rawbody Looks like 3 <e> small tags. FR_3TAG_3TAG 1 Wiki
rawbody Almost looks like viagra. FR_ALMOST_VIAG2 2.299 1.594 2.299 1.531 Wiki
rawbody Phrase class=cantseetext FR_CANTSEETEXT 1 Wiki
rawbody Sign often seen in spams FR_MIDER 1 Wiki
rawbody HTML Title is only numbers FR_TITLE_NUMS 2.899 2.695 2.899 2.899 Wiki
header X-Spam-Relays-External =~ /gmail-smtp-in\.l\.google\.com/ FSL_FAKE_GMAIL_RCVD 3.099 2.974 1.002 2.104 Wiki
header X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ FSL_FAKE_HOTMAIL_RVCD 2.631 1.816 2.011 2.365 Wiki
uri /\/geocities\.com\/\S+(dollar) / FSL_GEO_ABUSE 2.699 2.699 2.313 2.167 Wiki
header X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i FSL_HELO_BARE_IP_1 2.598 1.426 3.099 2.347 Wiki
header X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device| speedtouch)\.lan\b/i FSL_HELO_DEVICE 1.682 0.001 0.884 0.806 Wiki
header X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i FSL_HELO_NON_FQDN_1 2.361 0.001 1.783 0.001 Wiki
header X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i FSL_HELO_SETUP 1 Wiki
uri /\/\S+\.(?:w| eu| fm)\.interia\.pl/ FSL_INTERIA_ABUSE 3.899 2.664 3.080 3.106 Wiki
uri /cid\-\S+\.spaces\.live\.com/ FSL_LSPACES_ABUSE 1 Wiki
uri /\/groups\.yahoo\.com\/group\/\S+\/message\/1(dollar) / FSL_YG_ABUSE 4.199 Wiki
header Subject has "a bigger" FS_ABIGGER 1.693 1.354 2.477 1.112 Wiki
header Subject says approve you FS_APPROVE_YOU 2.499 1.272 1.942 1.873 Wiki
header Subject says "At No Cost" FS_AT_NO_COST 2.499 Wiki
header Phrase: Cheap in Caps in Subject. FS_CHEAP_CAP 1 Wiki
header Subject talks about money bonus! FS_DOLLAR_BONUS 1 Wiki
header Phrase: ejaculation in subject. FS_EJACULA 1 Wiki
header Phrase: erection in subject. FS_ERECTION 1 Wiki
header Phrase: Huge Cock FS_HUGECOCK 1 Wiki
header Larger than 100% in subj. FS_LARGE_PERCENT2 2.645 2.699 0.001 1.960 Wiki
header Subject says low rates FS_LOW_RATES 1 Wiki
header Subj starts with New software uploaded FS_NEW_SOFT_UPLOAD 1 Wiki
header Subject looks like Fharmacy spams. FS_NEW_XXX 1 Wiki
header Subject almost says No prescription FS_NO_SCRIP 1 Wiki
header Subject says Nude FS_NUDE 2.399 1.653 1.288 1.101 Wiki
header what could this word be? FS_OBFU_PRMCY 2.400 0.384 0.204 1.248 Wiki
header Subject mis-spelled prescription FS_PERSCRIPTION 1 Wiki
header Looks like Phramacy subject. FS_PHARMASUB2 2.980 1.345 2.956 0.549 Wiki
header Subject says Ramrod FS_RAMROD 1 Wiki
header Subject says "replica" FS_REPLICA 1.630 3.599 2.028 3.599 Wiki
header Subject says Replica watch FS_REPLICAWATCH 3.237 1.715 1.733 3.015 Wiki
header Phrase: re approved FS_RE_APPROV 1 Wiki
header Subject starts with Do you dream,have,want,love, etc. FS_START_DOYOU2 2.799 2.799 2.799 2.800 Wiki
header Subject starts with Lose FS_START_LOSE 0.249 0.176 1.424 1.809 Wiki
header Subject says something bad about teens FS_TEEN_BAD 1 Wiki
header Phrase: subject = tip ddd FS_TIP_DDD 1 Wiki
header Subject says Weight Loss FS_WEIGHT_LOSS 1.894 1.541 2.501 2.036 Wiki
header Subject says will help FS_WILL_HELP 2.599 0.893 2.484 0.734 Wiki
header Subject says With ... small FS_WITH_SMALL 1 Wiki
body /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i FUZZY_MERIDIA 1 Wiki
uri Sub-dir seen often in spam (2). FU_COMMON_SUBS2 2.801 2.650 2.823 0.292 Wiki
uri Ends with clk/d+.d+.d+ FU_ENDS_NUMS_DOTS_CLK 1 Wiki
uri ET Phone Home? FU_END_ET 1 Wiki
uri URL has hoodia in it. FU_HOODIA 1 Wiki
uri URL has a long file name with .aspx extension. FU_LONG_QUERY3 1 Wiki
uri URL has /gal/ FU_MIDER 1 Wiki
uri URL with [a-z]{2}.geocities.com FU_UKGEOCITIES 1 Wiki
uri URI style tracker (T) FU_URI_TRACKER_T 1 Wiki
uri /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i GEO_QUERY_STRING 1 Wiki
header Misspaced headers HDRS_MISSP 1 Wiki
header Multiple Subject headers found HEADER_COUNT_SUBJECT 1 Wiki
header X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i HELO_FRIEND 1 Wiki
header X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home| lan) /i HELO_LH_HOME 0.001 2.023 0.537 1.736 Wiki
header X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i HELO_LH_LD 1 Wiki
header X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i HELO_LOCALHOST 2.639 3.603 2.915 3.828 Wiki
header X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc| oem\S*) /i HELO_OEM 2.899 2.899 1.234 0.270 Wiki
header From name contains drugs HK_NAME_DRUGS 4.299 0.001 3.077 0.552 Wiki
header From name mentions free stuff HK_NAME_FREE 1 Wiki
header Envelope sender username looks random HK_RANDOM_ENVFROM 2.638 0.626 1.798 0.001 Wiki
body /\bnext of kin\b/i HK_SCAM_N2 1 Wiki
header Bobax? Message-Id: <0IX000EJXVWDA000@example.com> HS_BOBAX_MID_2 2.762 2.612 1.243 1.437 Wiki
body Somebody has uploaded some new software for you HS_BODY_UPLOADED_SOFTWARE 1 Wiki
body Contains a drug and price-like pattern. HS_DRUG_DOLLAR_1 0.001 Wiki
body Contains a drug and price-like pattern. HS_DRUG_DOLLAR_2 0.001 Wiki
body Contains a drug and price-like pattern. HS_DRUG_DOLLAR_3 0.001 Wiki
uri Links to common unsubscribe script: 'getmeoff.php' HS_GETMEOFF 1 Wiki
uri Link contains a common tracker pattern. HS_INDEX_PARAM 1.105 0.023 1.203 0.574 Wiki
body Talks about meeting up for sex. HS_MEETUP_FOR_SEX 1 Wiki
header Subject starts with 'New software uploaded by' HS_SUBJ_NEW_SOFTWARE 1 Wiki
header Subject contains the phrase 'Online pharmaceutical' HS_SUBJ_ONLINE_PHARMACEUTICAL 1 Wiki
body Contains VPXL, yet the recommended dose is only 2 tablets. HS_VPXL 3.211 1.399 2.696 1.948 Wiki
body eval:check_https_http_mismatch('1','10') HTTPS_HTTP_MISMATCH 0.557 0.000 1.778 1.989 Wiki
uri /(?:\&| \?)btnI=ec(?:(dollar) | \&)/ JM_I_FEEL_LUCKY 1 Wiki
header Received =~ /by \S+ \(Qmailv1\) with ESMTP/ JM_RCVD_QMAILV1 1 Wiki
header Date:raw =~ /^\t/ KB_DATE_CONTAINS_TAB 3.800 3.799 3.799 2.751 Wiki
header ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) [0-9a-f]{8}\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\./msi KB_RATWARE_OUTLOOK_08 1 Wiki
header ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{4})[0-9a-f]{4}\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi KB_RATWARE_OUTLOOK_12 1 Wiki
header ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{8})\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi KB_RATWARE_OUTLOOK_16 1 Wiki
header ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{8})\(dollar) [0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi KB_RATWARE_OUTLOOK_MID 4.400 4.400 2.503 1.499 Wiki
uri m~livefilestore.com/~ LIVEFILESTORE 3.300 2.570 3.183 0.771 Wiki
body /long\W+term\W+(target| projected)(\W+price)?/i LONG_TERM_PRICE 0.001 Wiki
body A loop hole in the banking laws? LOOPHOLE_1 1 Wiki
body Claims Agent LOTTO_AGENT 1 Wiki
header Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d(dollar) / L_SPAM_TOOL_13 0.539 0.485 0.494 1.333 Wiki
header Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>(dollar) / MID_DEGREES 1 Wiki
header Content-Type =~ /boundary="=====================_\d+==\.REL"/s MIME_BOUND_EQ_REL 1 Wiki
full Message has NUL (ASCII 0) byte in message NULL_IN_BODY 0.511 0.498 2.056 1.596 Wiki
header Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\(dollar) \%&'()*:<=>?\@\[\]^\`{| }~]| ;\S)/ RCVD_BAD_ID 1 Wiki
header Forged 'Received' header found ('wrote:' spam) RCVD_FORGED_WROTE 1 Wiki
header Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s RCVD_FORGED_WROTE2 1 Wiki
header eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org') RCVD_IN_BRBL_LASTEXT 0 1.644 0 1.449 Wiki
header Received via a relay in Spamhaus CSS RCVD_IN_CSS 0 1.0 0 1.0 Wiki
header Sender listed at http://www.dnswl.org/, high trust RCVD_IN_DNSWL_HI 0 -5 0 -5 Wiki
header Sender listed at http://www.dnswl.org/, low trust RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7 Wiki
header Sender listed at http://www.dnswl.org/, medium trust RCVD_IN_DNSWL_MED 0 -2.3 0 -2.3 Wiki
header Sender listed at http://www.dnswl.org/, low trust RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001 Wiki
header IADB: Sender publishes Domain Keys record RCVD_IN_IADB_DK 0 -0.223 0 -0.095 Wiki
header IADB: All mailing list mail is confirmed opt-in RCVD_IN_IADB_DOPTIN 0 -4 0 -4 Wiki
header IADB: Confirmed opt-in used more than 50% of the time RCVD_IN_IADB_DOPTIN_GT50 1 Wiki
header IADB: Confirmed opt-in used less than 50% of the time RCVD_IN_IADB_DOPTIN_LT50 0 -0.001 0 -0.001 Wiki
header IADB: Participates in Email Deliverability Database RCVD_IN_IADB_EDDB 1 Wiki
header IADB: Member of Email Processing Industry Alliance RCVD_IN_IADB_EPIA 1 Wiki
header IADB: Sender has been certified by GoodMail RCVD_IN_IADB_GOODMAIL 1 Wiki
header Participates in the IADB system RCVD_IN_IADB_LISTED 0 -0.380 0 -0.001 Wiki
header IADB: Adds relationship addrs w/out opt-in RCVD_IN_IADB_LOOSE 1 Wiki
header IADB: Complies with Michigan's CPEAR law RCVD_IN_IADB_MI_CPEAR 1 Wiki
header IADB: Checked lists against Michigan's CPR within 30 days RCVD_IN_IADB_MI_CPR_30 1 Wiki
header IADB: Sends no material under Michigan's CPR RCVD_IN_IADB_MI_CPR_MAT 0 -0.332 0 -0.000 Wiki
header IADB: Mailing list email only, confirmed opt-in RCVD_IN_IADB_ML_DOPTIN 0 -6 0 -6 Wiki
header IADB: Has absolutely no mailing controls in place RCVD_IN_IADB_NOCONTROL 1 Wiki
header IADB: One-to-one/transactional email only RCVD_IN_IADB_OOO 1 Wiki
header IADB: All mailing list mail is opt-in RCVD_IN_IADB_OPTIN 0 -2.057 0 -1.470 Wiki
header IADB: Opt-in used more than 50% of the time RCVD_IN_IADB_OPTIN_GT50 0 -1.208 0 -0.007 Wiki
header IADB: Opt-in used less than 50% of the time RCVD_IN_IADB_OPTIN_LT50 1 Wiki
header IADB: Scrapes addresses, pure opt-out only RCVD_IN_IADB_OPTOUTONLY 1 Wiki
header IADB: Sender has reverse DNS record RCVD_IN_IADB_RDNS 0 -0.167 0 -0.235 Wiki
header IADB: Sender publishes Sender ID record RCVD_IN_IADB_SENDERID 0 -0.001 0 -0.001 Wiki
header IADB: Sender publishes SPF record RCVD_IN_IADB_SPF 0 -0.001 0 -0.059 Wiki
header IADB: Accepts unverified sign-ups RCVD_IN_IADB_UNVERIFIED_1 1 Wiki
header IADB: Accepts unverified sign-ups, gives chance to opt out RCVD_IN_IADB_UNVERIFIED_2 1 Wiki
header IADB: Complies with Utah's CPEAR law RCVD_IN_IADB_UT_CPEAR 1 Wiki
header IADB: Checked lists against Utah's CPR within 30 days RCVD_IN_IADB_UT_CPR_30 1 Wiki
header IADB: Sends no material under Utah's CPR RCVD_IN_IADB_UT_CPR_MAT 0 -0.095 0 -0.001 Wiki
header Received via a relay in PSBL RCVD_IN_PSBL 0 2.700 0 2.700 Wiki
header Sender is in Return Path Certified (trusted relay) RCVD_IN_RP_CERTIFIED 0.0 -3.0 0.0 -3.0 Wiki
header Relay in RNBL, https://senderscore.org/blacklistlookup/ RCVD_IN_RP_RNBL 0 1.284 0 1.310 Wiki
header Sender is in Return Path Safe (trusted relay) RCVD_IN_RP_SAFE 0.0 -2.0 0.0 -2.0 Wiki
header Forged Received header (contains post.com or mail.com) RCVD_MAIL_COM 1 Wiki
header Sender's public rDNS is "localhost" RDNS_LOCALHOST 3.700 0.969 2.345 0.001 Wiki
body Email.Spam.Gen3177.Sanesecurity.08051611 SANE_04e8bf28eb445199a7f11b943c44d209 1.712 3.185 2.654 1.337 Wiki
body Email.Spam.Gen3234.Sanesecurity.08052309 SANE_1c4f3286fa4aed6424ced88bfaf8b09c 3.199 2.040 3.199 1.502 Wiki
body Email.Spam.Sanesecurity.Url_2496 SANE_2b173a7fb7518c75ac8a2d294d773fd8 2.976 1.117 1.951 0.942 Wiki
body Email.Spam.Gen158.Sanesecurity.07012700 SANE_3b92eda751c992f230f215fb7eb36844 0.001 0.626 0.585 3.040 Wiki
body Email.Spam.Gen1941.Sanesecurity.07112519 SANE_4ef8302546bf270a19baf98508afacc4 2.231 3.464 2.266 3.543 Wiki
body Email.Spam.Gen2507.Sanesecurity.08021303 SANE_7429530a7398f43f1f1b795f9420714e 3.999 1.655 2.776 1.479 Wiki
body Email.Malware.Sanesecurity.07011300 SANE_91eb43f705d25c804374a746d7519660 3.099 2.803 2.746 1.572 Wiki
body Email.Spam.Sanesecurity.Url_2499 SANE_d0d2b0f6373bf91253d66dd74c594b87 3.799 2.040 2.710 1.494 Wiki
body /short\W+term\W+(target| projected)(\W+price)?/i SHORT_TERM_PRICE 0.001 Wiki
header Content-Type =~ /text\/plain; .* reply-type=original/ STOX_REPLY_TYPE 1.898 0.212 0.141 0.439 Wiki
header From starts with a tab TAB_IN_FROM 1 Wiki
header X-Mailer =~ /^The Bat! .{0,20} UNREG(dollar) / THEBAT_UNREG 2.599 1.843 2.324 1.524 Wiki
header Scora: Message-Id ends after left-bracket + digits TT_MSGID_TRUNC 0.748 0.023 1.434 1.448 Wiki
body /\bact of (?:193| nineteen thirty)/i TVD_ACT_193 1 Wiki
body /you.{1,2}re .{0,20}approved/i TVD_APPROVED 2.356 2.599 2.599 2.090 Wiki
body /^dear homeowner/i TVD_DEAR_HOMEOWNER 1 Wiki
header EnvelopeFrom =~ /\'/ TVD_ENVFROM_APOST 1 Wiki
header Content-Type =~ /^text\/plain(?:; (?:format=flowed| charset="Windows-1252"| reply-type=original)){3}/i TVD_FINGER_02 0.001 1.544 1.394 1.215 Wiki
rawbody /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i TVD_FLOAT_GENERAL 1 Wiki
body /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i TVD_FUZZY_DEGREE 1 Wiki
body /(?!finance)<F><I><N><A><N><C><E>/i TVD_FUZZY_FINANCE 1 Wiki
body /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i TVD_FUZZY_FIXED_RATE 1 Wiki
body /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i TVD_FUZZY_MICROCAP 1 Wiki
body /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i TVD_FUZZY_PHARMACEUTICAL 1 Wiki
body /<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i TVD_FUZZY_SYMBOL 1 Wiki
body /\bsize of .{1,20}(?:penis| dick| manhood)/i TVD_INCREASE_SIZE 1.529 0.601 1.055 0.001 Wiki
body /\blink to save\b/i TVD_LINK_SAVE 1 Wiki
header Subject =~ /(?:Jan| Feb| Mar| Apr| May| Jun| Jul| Aug| Sep| Oct| Nov| Dec)\S* \d+% OFF/ TVD_PCT_OFF 1 Wiki
body /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*| suspen[a-z]+| notif(?:y| ication)| updated| verifications?| credited)\b/i TVD_PH_BODY_ACCOUNTS_PRE 1.201 1.527 1.327 2.393 Wiki
body Message has a phrase standard for phishing mails TVD_PH_REC 3.127 2.026 3.266 1.784 Wiki
body Message has a phrase standard for phishing mails TVD_PH_SEC 0.291 1.498 0.869 1.764 Wiki
header Subject =~ /\b(?:(?:re-?)?activat[a-z]*| secure| verify| restore| flagged| limited| unusual| update| report| notif(?:y| ication)| suspen(?:d| ded| sion)| co(?:n| m)firm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i TVD_PH_SUBJ_ACCOUNTS_POST 2.602 2.607 2.497 3.099 Wiki
header Subject =~ /\bsecurity (?:[a-z_,-]+ )*?measures?\b/i TVD_PH_SUBJ_SEC_MEASURES 2.284 1.522 1.675 1.145 Wiki
header Subject =~ /^urgent(?:[\s\W]*(dollar) | .{1,40}(?:alert| response| assistance| proposal| reply| warning| noti(?:ce| fication)| greeting| matter))/i TVD_PH_SUBJ_URGENT 1.251 2.326 2.255 2.800 Wiki
body /\bquality med(?:ication)?s\b/i TVD_QUAL_MEDS 2.697 2.397 2.799 2.483 Wiki
header Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i TVD_RATWARE_CB 1 Wiki
header Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/ TVD_RATWARE_CB_2 1 Wiki
header Message-ID =~ /^[^<]*<[a-z]+\@/ TVD_RATWARE_MSGID_02 1 Wiki
header Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/ TVD_RCVD_IP 0.001 0.054 0.001 0.695 Wiki
header Received =~ /^from\s+(?:\d+\.){3}\d+\s/ TVD_RCVD_IP4 0.159 1.495 0.674 1.596 Wiki
header Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/ TVD_RCVD_SINGLE 0.242 1.213 0.001 2.172 Wiki
header Received =~ /\(\[(?!UNIX:)[^\[\]]*\s/ TVD_RCVD_SPACE_BRACKET 0.001 0.001 0.001 0.001 Wiki
body /\bSection (?:27A| 21B)/i TVD_SECTION 1 Wiki
body m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s| (dollar) )!i TVD_SILLY_URI_OBFU 1 Wiki
header Subject =~ /^(?:(?:Re| Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+(dollar) / TVD_SPACED_SUBJECT_WORD3 1 Wiki
body eval:check_stock_info('2') TVD_STOCK1 1 Wiki
header Subject has spammy looking monetary reference TVD_SUBJ_ACC_NUM 0.001 2.199 2.199 2.198 Wiki
header Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*(dollar) / TVD_SUBJ_FINGER_03 1 Wiki
header Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe| indebted)\s+(?:\w+\s+)+an\s*other/i TVD_SUBJ_OWE 1 Wiki
header Subject =~ /(?:wipe out| remove| get (?:rid| out) of| eradicate) .{0,20}(?:owe| debt| obligation)/i TVD_SUBJ_WIPE_DEBT 2.599 2.291 2.599 1.004 Wiki
body /Online Ph.rmacy/i TVD_VISIT_PHARMA 1.957 1.196 0.417 1.406 Wiki
rawbody /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i TVD_VIS_HIDDEN 1 Wiki
body Contains an URI of a new domain (Day Old Bread) URIBL_RHS_DOB 0 0.276 0 1.514 Wiki
body Obfuscated URI URI_OBFU_WWW 3.099 3.099 2.306 2.475 Wiki
header X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*(dollar) / X_MAILER_CME_6543_MSN 2.886 2.004 3.002 3.348 Wiki

An Apache Project

Site Built With WebMake

Copyright © 2003-2014 The Apache Software Foundation. All rights reserved.
Apache SpamAssassin, SpamAssassin, and the SpamAssassin logo are trademarks of The Apache Software Foundation.