This is the current list of tests SpamAssassin performs on mail messages to
determine whether they are spam. To change a test's score from the
default, add a line like this to your ~/.spamassassin/user_prefs:
    score NAME_OF_TEST 3.0
where 3.0 is the hits you wish that test to incur, and NAME_OF_TEST is
the test name from the TEST NAME column below.
To disable a test, set its score to 0 by adding a line like
this to your ~/.spamassassin/user_prefs:
    score NAME_OF_TEST 0
Note that these are the scores for the current stable release of SpamAssassin;
they may be different from the ones you're running on your servers, if SpamAssassin
is installed there.
The 'More Info' links, if present, lead to a section of our Wiki for collaborative
do some of the rules include additional user-contributed
documentation there. If you feel like adding a page describing a rule in
further detail, feel free to create a page at that link, using the
AREA TESTED
DESCRIPTION OF TEST
DEFAULT SCORES
(local, net, with bayes, with bayes+net)
(additional wiki docs)
Generic Test for Unsolicited Bulk Email
Incorporates a tracking ID number
TRACKER_ID
2.026 1.102 1.750 1.306
Weird repeated double-quotation marks
WEIRD_QUOTING
0.001 0.001 0.001 0.001
Body contains a ROT13-encoded email address
EMAIL_ROT13
HTML and text parts are different
MPART_ALT_DIFF
2.246 0.724 0.595 0.790
HTML and text parts are different
MPART_ALT_DIFF_COUNT
2.799 1.483 1.199 1.112
Message body has 80-90% blank lines
BLANK_LINES_80_90
eval:check_ma_non_text()
MULTIPART_ALT_NON_TEXT
Character set indicates a foreign language
CHARSET_FARAWAY
Extra blank lines in base64 encoding
MIME_BASE64_BLANKS
0.001 0.001 0.001 0.001
Message text disguised using base64 encoding
MIME_BASE64_TEXT
0.001 0.001 0.001 1.741
Missing blank line between MIME header and body
MISSING_MIME_HB_SEP
0.001 0.001 0.001 0.001
Multipart message mostly text/html MIME
MIME_HTML_MOSTLY
0.354 0.001 0.725 0.428
Message only has text/html MIME parts
MIME_HTML_ONLY
2.199 1.105 1.199 0.723
Quoted-printable line longer than 76 chars
MIME_QP_LONG_LINE
MIME character set is an unknown ISO charset
MIME_BAD_ISO_CHARSET
IP to HTTPS link found in HTML
HTTPS_IP_MISMATCH
Message contained a URI which was truncated
URI_TRUNCATED
Passed through trusted hosts only via SMTP
ALL_TRUSTED
Informational: message was not relayed via SMTP
NJABL: sender is confirmed open relay
RCVD_IN_NJABL_RELAY
0 1.881 0 2.499
NJABL: sender is confirmed spam source
RCVD_IN_NJABL_SPAM
0 1.466 0 1.249
NJABL: sent through multi-stage open relay
RCVD_IN_NJABL_MULTI
NJABL: sender is an open formmail
RCVD_IN_NJABL_CGI
NJABL: sender is an open proxy
RCVD_IN_NJABL_PROXY
0 0.208 0 2.224
SORBS: sender is open HTTP proxy server
RCVD_IN_SORBS_HTTP
0 2.499 0 0.001
SORBS: sender is open SOCKS proxy server
RCVD_IN_SORBS_SOCKS
0 2.443 0 1.927
SORBS: sender is open proxy server
RCVD_IN_SORBS_MISC
SORBS: sender is open SMTP relay
RCVD_IN_SORBS_SMTP
SORBS: sender is an abusable web server
RCVD_IN_SORBS_WEB
0 0.614 0 0.770
SORBS: sender demands to never be tested
RCVD_IN_SORBS_BLOCK
SORBS: sender is on a hijacked network
RCVD_IN_SORBS_ZOMBIE
SORBS: sent directly from dynamic IP address
RCVD_IN_SORBS_DUL
0 0.001 0 0.001
Received via a relay in Spamhaus SBL
RCVD_IN_SBL
0 2.596 0 0.141
Received via a relay in Spamhaus XBL
RCVD_IN_XBL
0 0.724 0 0.375
Received via a relay in Spamhaus PBL
RCVD_IN_PBL
0 3.558 0 3.335
Envelope sender in dsn.rfc-ignorant.org
DNS_FROM_RFC_DSN
0 0.001 0 0.001
Envelope sender in bogusmx.rfc-ignorant.org
DNS_FROM_RFC_BOGUSMX
0 1.464 0 1.668
Envelope sender listed in dnsbl.ahbl.org
DNS_FROM_AHBL_RHSBL
0 2.438 0 2.699
Received via a relay in bl.spamcop.net
RCVD_IN_BL_SPAMCOP_NET
0 1.246 0 1.347
Relay in RBL, http://www./enduserinfo_rbl.html
RCVD_IN_MAPS_RBL
Relay in DUL, http://www./enduserinfo_dul.html
RCVD_IN_MAPS_DUL
Relay in RSS, http://www./enduserinfo_rss.html
RCVD_IN_MAPS_RSS
Relay in OPS, http://www./enduserinfo_ops.html
RCVD_IN_MAPS_OPS
Relay in NML, http://www./enduserinfo_nml.html
RCVD_IN_MAPS_NML
ISIPP IADB lists as vouched-for sender
RCVD_IN_IADB_VOUCHED
0 -2.2 0 -2.2
Subject contains a gappy version of 'cialis'
SUBJECT_DRUG_GAP_C
2.108 0.989 1.348 2.140
Subject contains a gappy version of 'levitra'
SUBJECT_DRUG_GAP_L
2.799 2.304 1.402 1.561
Subject contains a gappy version of 'soma'
SUBJECT_DRUG_GAP_S
Subject contains a gappy version of 'valium'
SUBJECT_DRUG_GAP_VA
Subject contains a gappy version of 'xanax'
SUBJECT_DRUG_GAP_X
Talks about price per dose
DRUG_DOSAGE
Mentions an E.D. drug
DRUG_ED_CAPS
2.799 1.023 2.516 0.936
Talks about an E.D. drug using its chemical name
DRUG_ED_SILD
0.001 0.170 0.113 1.794
Mentions Generic Viagra
DRUG_ED_GENERIC
Fast Viagra Delivery
DRUG_ED_ONLINE
0.696 1.152 1.221 0.608
Online Pharmacy
ONLINE_PHARMACY
0.843 2.371 0.008 0.650
No prescription needed
NO_PRESCRIPTION
1.915 1.102 2.280 2.399
Attempts to disguise the word 'viagra'
VIA_GAP_GRA
Two or more drugs crammed together into one word
DRUGS_SMEAR1
3.300 2.051 3.148 0.235
Relay HELO'd with suspicious hostname ()
FAKE_HELO_MAIL_COM_DOM
1.887 0.152 1.370 2.136
Relay HELO'd using suspicious hostname (Rogers)
HELO_DYNAMIC_ROGERS
Relay HELO'd using suspicious hostname (T-Dialin)
HELO_DYNAMIC_DIALIN
2.629 3.233 2.186 1.366
Relay HELO'd using suspicious hostname (Hex IP)
HELO_DYNAMIC_HEXIP
2.321 0.511 1.773 1.789
Relay HELO'd using suspicious hostname (Split IP)
HELO_DYNAMIC_SPLIT_IP
3.031 2.893 4.225 3.482
Relay HELO'd using suspicious hostname (IP addr 2)
HELO_DYNAMIC_IPADDR2
2.815 3.888 3.728 3.607
Relay HELO'd using suspicious hostname (Chello.nl)
HELO_DYNAMIC_CHELLO_NL
2.412 1.918 2.019 2.428
Relay HELO'd using suspicious hostname (Home.nl)
HELO_DYNAMIC_HOME_NL
2.385 1.530 1.024 1.459
Sender email is freemail
FREEMAIL_FROM
Envelope-from freemail username ends in digit
FREEMAIL_ENVFROM_END_DIGIT
2.602 2.223 1.770 1.553
Reply-To freemail username ends in digit
FREEMAIL_REPLYTO_END_DIGIT
1.221 0.980 1.179 1.151
Partial message
FRAGMENTED_MESSAGE
From: contains empty name
FROM_BLANK_NAME
2.099 2.099 2.099 0.723
From: starts with many numbers
FROM_STARTS_WITH_NUMS
2.801 0.553 1.201 0.738
From address is "at something-offers"
FROM_OFFERS
2.699 2.699 2.510 2.699
From: has no local-part before @ sign
FROM_NO_USER
0.001 2.599 0.019 0.798
Spam tool Message-Id: (caps variant)
MSGID_SPAM_CAPS
2.366 1.997 3.099 3.099
Spam tool Message-Id: (letters variant)
MSGID_SPAM_LETTERS
Message-ID has
MSGID_YAHOO_CAPS
0.797 1.413 2.278 1.411
Message-ID is unusually short
MSGID_SHORT
0.001 0.337 0.001 0.001
Message-ID contains multiple '@' characters
MSGID_MULTIPLE_AT
Date header uses unusual Y2K formatting
DATE_SPAMWARE_Y2K
Invalid Date: header (not RFC 2822)
INVALID_DATE
1.701 0.432 1.200 1.096
Invalid Date: header (timezone does not exist)
INVALID_DATE_TZ_ABSURD
0.262 0.632 0.706 0.491
Invalid date in header (wrong CST timezone)
INVALID_TZ_CST
Invalid date in header (wrong EST timezone)
INVALID_TZ_EST
Subject contains an English UCE tag
ENGLISH_UCE_SUBJECT
0.953 1.542 2.569 2.899
Subject contains a Japanese UCE tag
JAPANESE_UCE_SUBJECT
Subject: contains Korean unsolicited email tag
KOREAN_UCE_SUBJECT
Contains forged hostname for a DSL IP in Brazil
FORGED_TELESP_RCVD
2.499 2.499 2.499 1.841
Character set doesn't exist
NONEXISTENT_CHARSET
Message has Prevent-NonDelivery-Report header
PREVENT_NONDELIVERY
Message has X-IP header
0.001 0.001 0.001 0.001
Subject contains "As Seen"
SUBJ_AS_SEEN
2.711 3.099 3.099 1.461
Subject starts with dollar amount
SUBJ_DOLLARS
0.600 0.001 0.601 1.800
Subject contains "Your Bills" or similar
SUBJ_YOUR_DEBT
3.299 3.045 1.199 0.987
Subject contains "Your Family"
SUBJ_YOUR_FAMILY
2.910 2.999 2.999 2.999
Received contains a faked HELO hostname
RCVD_FAKE_HELO_DOTCOM
2.799 2.389 2.605 1.189
Subject talks about losing pounds
SUBJECT_DIET
1.927 1.563 0.817 1.466
Header has extraneous Content-type:...type= entry
EXTRA_MPART_TYPE
Spam tool pattern in MIME boundary
MIME_BOUND_DD_DIGITS
3.016 0.349 2.417 1.373
Spam tool pattern in MIME boundary
MIME_BOUND_DIGITS_15
0.432 1.225 1.241 0.798
Spam tool pattern in MIME boundary
MIME_BOUND_MANY_HEX
To: has a malformed address
TO_MALFORMED
0.892 1.247 2.099 2.099
Received line contains spam-sign (lowercase smtp)
WITH_LC_SMTP
Subject line starts with Buy or Buying
0.594 1.498 0.001 0.639
Received headers forged (AM/PM)
RCVD_AM_PM
Received header contains faked ''
FAKE_OUTBLAZE_RCVD
Headers contain an unclosed bracket
UNCLOSED_BRACKET
2.699 1.329 1.425 1.496
From: domain has series of non-vowel letters
FROM_DOMAIN_NOVOWEL
From: localpart has series of non-vowel letters
FROM_LOCAL_NOVOWEL
From: localpart has long hexadecimal sequence
FROM_LOCAL_HEX
0.000 0.331 0.001 0.006
From: localpart has long digit sequence
FROM_LOCAL_DIGITS
Cc: after X-Priority: (bulk email fingerprint)
X_PRIORITY_CC
Message has bad MIME encoding in the header
BAD_ENC_HEADER
3.099 1.716 1.805 1.988
Received: contains illegal IP address
RCVD_ILLEGAL_IP
A foreign language charset used in headers
CHARSET_FARAWAY_HEADER
From: has too many raw illegal characters
FROM_ILLEGAL_CHARS
2.192 2.059 0.240 0.036
Headers have too many raw illegal characters
HEAD_ILLEGAL_CHARS
'From' address, but no 'Received:'
FORGED_HOTMAIL_RCVD2
0.001 1.187 0.698 0.874
'From' does not match 'Received' headers
FORGED_YAHOO_RCVD
2.397 1.022 2.599 1.630
Recipient list is sorted by address
SORTED_RECIPS
1.801 2.474 1.791 2.499
Similar addresses in recipient list
SUSPICIOUS_RECIPS
2.499 2.497 2.139 2.510
Missing To: header
MISSING_HEADERS
0.915 1.207 1.204 1.021
Date: is 3 to 6 hours before Received: date
DATE_IN_PAST_03_06
2.399 1.076 1.200 1.592
Date: is 6 to 12 hours before Received: date
DATE_IN_PAST_06_12
1.699 1.103 1.274 1.543
Date: is 12 to 24 hours before Received: date
DATE_IN_PAST_12_24
0.001 0.804 1.190 1.049
Date: is 24 to 48 hours before Received: date
DATE_IN_PAST_24_48
1.109 0.485 0.624 1.340
Date: is 96 hours or more before Received: date
DATE_IN_PAST_96_XX
2.600 2.070 1.233 3.405
Date: is 3 to 6 hours after Received: date
DATE_IN_FUTURE_03_06
3.399 2.426 2.997 3.027
Date: is 6 to 12 hours after Received: date
DATE_IN_FUTURE_06_12
2.899 0.001 2.222 1.947
Date: is 12 to 24 hours after Received: date
DATE_IN_FUTURE_12_24
2.603 2.489 3.199 3.199
Date: is 24 to 48 hours after Received: date
DATE_IN_FUTURE_24_48
2.598 1.248 0.001 2.048
Date: is 48 to 96 hours after Received: date
DATE_IN_FUTURE_48_96
2.384 0.813 1.078 2.181
Date: is 96 hours or more after Received: date
DATE_IN_FUTURE_96_XX
2.614 3.028 2.851 3.087
Headers contain an unresolved template
UNRESOLVED_TEMPLATE
3.035 0.716 2.424 1.252
Subject is all capitals
SUBJ_ALL_CAPS
0.518 1.625 1.197 1.506
Local part of To: address appears in Subject
LOCALPART_IN_SUBJECT
0.001 0.730 1.199 1.107
Message-Id is fake (in Outlook Express format)
MSGID_OUTLOOK_INVALID
Multiple Content-Type headers found
HEADER_COUNT_CTYPE
Message headers are very long
Missing blank line between message header and body
MISSING_HB_SEP
Informational: message has unparseable relay lines
UNPARSEABLE_RELAY
Received: HELO and IP do not match, but should
RCVD_HELO_IP_MISMATCH
1.680 1.186 2.362 2.368
Received: contains an IP address used for HELO
RCVD_NUMERIC_HELO
0.001 0.865 0.001 1.164
Host HELO'd as a big ISP, but had no rDNS
NO_RDNS_DOTCOM_HELO
3.100 0.433 3.099 0.823
Javascript to hide URLs in browser
HIDE_WIN_STATUS
0.001 1.353 0.754 1.380
HTML included in message
HTML_MESSAGE
HTML comment is very short
HTML_COMMENT_SHORT
HTML message is a saved web page
HTML_COMMENT_SAVED_URL
0.198 0.357 0.899 1.391
HTML with embedded plugin object
HTML_EMBEDS
0.001 0.001 1.171 1.799
HTML contains far too many close tags
HTML_EXTRA_CLOSE
HTML font size is large
HTML_FONT_SIZE_LARGE
HTML font size is huge
HTML_FONT_SIZE_HUGE
HTML font color similar to background
HTML_FONT_LOW_CONTRAST
0.713 0.001 0.786 0.001
HTML font face is not a word
HTML_FONT_FACE_BAD
0.001 0.289 0.286 0.981
HTML includes a form which sends mail
HTML_FORMACTION_MAILTO
HTML: images with 0-400 bytes of words
HTML_IMAGE_ONLY_04
1.680 0.342 1.799 1.172
HTML: images with 400-800 bytes of words
HTML_IMAGE_ONLY_08
0.585 1.781 1.845 1.651
HTML: images with 800-1200 bytes of words
HTML_IMAGE_ONLY_12
1.381 1.629 1.400 2.059
HTML: images with
bytes of words
HTML_IMAGE_ONLY_16
1.969 1.048 1.199 1.092
HTML: images with
bytes of words
HTML_IMAGE_ONLY_20
2.109 0.700 1.300 1.546
HTML: images with
bytes of words
HTML_IMAGE_ONLY_24
2.799 1.282 1.328 1.618
HTML: images with
bytes of words
HTML_IMAGE_ONLY_28
2.799 0.726 1.512 1.404
HTML: images with
bytes of words
HTML_IMAGE_ONLY_32
2.196 0.001 1.172 0.001
HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_02
2.199 0.805 1.200 0.437
HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_04
2.089 0.610 0.607 0.556
HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_06
0.001 0.001 0.001 0.001
HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_08
0.001 0.001 0.001 0.001
Message is 5% to 10% HTML obfuscation
HTML_OBFUSCATE_05_10
0.601 0.001 0.718 0.260
Message is 10% to 20% HTML obfuscation
HTML_OBFUSCATE_10_20
0.174 1.162 0.588 0.093
Message is 20% to 30% HTML obfuscation
HTML_OBFUSCATE_20_30
2.499 2.441 1.449 1.999
Message is 30% to 40% HTML obfuscation
HTML_OBFUSCATE_30_40
Message is 50% to 60% HTML obfuscation
HTML_OBFUSCATE_50_60
Message is 70% to 80% HTML obfuscation
HTML_OBFUSCATE_70_80
Message is 90% to 100% HTML obfuscation
HTML_OBFUSCATE_90_100
HTML has unbalanced "body" tags
HTML_TAG_BALANCE_BODY
1.247 0.712 0.628 1.157
HTML has unbalanced "head" tags
HTML_TAG_BALANCE_HEAD
0.520 0.000 0.600 0.817
HTML has "bgsound" tag
HTML_TAG_EXIST_BGSOUND
HTML message is 40% to 50% bad tags
HTML_BADTAG_40_50
HTML message is 50% to 60% bad tags
HTML_BADTAG_50_60
HTML message is 60% to 70% bad tags
HTML_BADTAG_60_70
HTML message is 90% to 100% bad tags
HTML_BADTAG_90_100
30% to 40% of HTML elements are non-standard
HTML_NONELEMENT_30_40
0.000 0.001 0.308 0.001
40% to 50% of HTML elements are non-standard
HTML_NONELEMENT_40_50
60% to 70% of HTML elements are non-standard
HTML_NONELEMENT_60_70
80% to 90% of HTML elements are non-standard
HTML_NONELEMENT_80_90
Message has HTML IFRAME tag with SRC URI
HTML_IFRAME_SRC
Envelope sender has no MX or A DNS records
NO_DNS_FOR_FROM
0 0.379 0 0.001
Removal phrase right before a link
REMOVE_BEFORE_LINK
0.406 1.587 1.799 1.800
One hundred percent guaranteed
GUARANTEED_100_PERCENT
2.699 2.699 2.480 2.699
Dear Friend? That's not very dear!
DEAR_FRIEND
2.683 2.604 1.801 2.577
Contains 'Dear (something)'
DEAR_SOMETHING
1.999 1.731 1.787 1.973
Talks about lots of money
BILLION_DOLLARS
0.001 1.451 1.229 1.638
Claims you can be removed from the list
2.399 1.687 2.399 1.325
Claims you wanted this ad
Talks about how to be removed from mailings
EXCUSE_REMOVE
2.907 2.992 3.299 3.299
Tells you about a strong buy
STRONG_BUY
Offers an alert about a stock
STOCK_ALERT
Not registered investment advisor
NOT_ADVISOR
'Prestigious Non-Accredited Universities'
PREST_NON_ACCREDITED
Information on growing body parts
BODY_ENHANCEMENT
0.927 1.611 0.974 0.001
Information on getting larger body parts
BODY_ENHANCEMENT2
1.691 1.507 1.865 1.541
Impotence cure
1.539 2.144 3.028 1.374
Talks about a million North American dollars
NA_DOLLARS
Mentions millions of $ ($NN,NNN,NNN.NN)
US_DOLLARS_3
2.599 2.523 1.780 1.754
Talks about millions of dollars
MILLION_USD
3.799 2.477 3.221 3.247
Contains urgent matter
1.750 0.941 0.568 0.573
Money back guarantee
MONEY_BACK
2.910 2.486 0.601 1.232
Free express or no-obligation quote
FREE_QUOTE_INSTANT
2.700 2.699 2.699 1.297
Eliminate Bad Credit
BAD_CREDIT
2.799 1.658 1.279 2.415
Home refinancing
REFINANCE_YOUR_HOME
Home refinancing
REFINANCE_NOW
No Medical Exams
NO_MEDICAL
2.199 1.254 2.199 1.773
Lose Weight Spam
0.714 0.000 0.399 0.001
Freedom of a financial nature
2.699 2.289 2.699 2.700
Stock Disclaimer Statement
FORWARD_LOOKING
One Time Rip Off
1.840 1.175 1.830 0.714
Join Millions of Americans
JOIN_MILLIONS
0.700 0.128 1.549 1.026
Claims you registered with a partner
MARKETING_PARTNERS
0.553 0.235 0.689 0.001
Lowest Price
0.161 0.600 0.001 1.464
People just leave money laying around
UNCLAIMED_MONEY
2.699 2.699 2.699 2.427
Message seems to contain rot13ed address
OBSCURED_EMAIL
Talks about Oprah with an exclamation!
BANG_OPRAH
Talks about 'acting now' with capitals
ACT_NOW_CAPS
1.404 2.399 0.925 2.211
Talks about a bigger drive for sex
2.799 2.765 2.568 1.413
Something is emphatically guaranteed
2.202 2.377 1.690 2.704
Message mentions investment advice
INVESTMENT_ADVICE
0.200 2.160 2.199 2.199
Message talks about enhancing men
MALE_ENHANCE
3.100 3.099 3.099 0.851
Message says that prices aren't too expensive
PRICES_ARE_AFFORDABLE
0.794 0.851 1.112 0.551
Message talks about a replica watch
REPLICA_WATCH
3.487 3.164 4.074 3.775
Message puts emphasis on the watch manufacturer
0.595 1.309 2.068 0.618
Possible porn - Free Porn
Possible porn - Cum Shot
Possible porn - Live Porn
Subject indicates sexually-explicit content
SUBJECT_SEXUAL
Bulk email fingerprint (eGroups) found
RATWARE_EGROUPS
1.898 1.258 1.406 1.621
X-Mailer has malformed Outlook Express version
RATWARE_OE_MALFORMED
Bulk email fingerprint (Mozilla malformed) found
RATWARE_MOZ_MALFORMED
Bulk email fingerprint (mPOP Web-Mail)
RATWARE_MPOP_WEBMAIL
1.153 1.338 1.229 1.999
Contains a hashbuster in Send-Safe format
RATWARE_HASH_DASH
Bulk email fingerprint (Gecko faked) found
RATWARE_GECKO_BUILD
Bulk email fingerprint (X-Message-Info) found
X_MESSAGE_INFO
Bulk email fingerprint (header-based) found
HEADER_SPAM
2.499 2.499 1.994 0.585
Bulk email fingerprint (Received PF) found
RATWARE_RCVD_PF
Bulk email fingerprint (Received @) found
RATWARE_RCVD_AT
Bulk email fingerprint (envfrom) found
RATWARE_EFROM
/^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
HIGH_CODEPAGE_URI
Uses a numeric IP address in URL
NUMERIC_HTTP_ADDR
0.000 0.001 0.001 1.242
Uses %-escapes inside a URL's hostname
HTTP_ESCAPED_HOST
0.807 1.621 0.483 1.125
Completely unnecessary %-escapes inside a URL
HTTP_EXCESSIVE_ESCAPES
0.001 1.516 0.000 1.572
Dotted-decimal IP address followed by CGI
IP_LINK_PLUS
0.001 0.001 0.246 0.012
Uses non-standard port number for HTTP
WEIRD_PORT
0.001 0.001 0.097 0.001
Has Yahoo Redirect URI
YAHOO_RD_REDIR
Has Yahoo Redirect URI
YAHOO_DRS_REDIR
Contains an URL-encoded hostname (HTTP77)
URI contains ".com" in middle
SPOOF_COM2OTH
2.999 2.999 2.877 2.723
URI contains ".com" in middle and end
SPOOF_COM2COM
0.001 1.632 1.952 2.048
URI contains ".net" or ".org", then ".com"
SPOOF_NET2COM
URI hostname has long hexadecimal sequence
2.800 1.313 1.206 1.122
URI hostname has long non-vowel sequence
URI_NOVOWEL
URI contains suspicious unsubscribe link
URI_UNSUBSCRIBE
CGI in .info TLD other than third-level "www"
URI_NO_WWW_INFO_CGI
2.299 2.299 0.292 2.071
CGI in .biz TLD other than third-level "www"
URI_NO_WWW_BIZ_CGI
2.399 2.399 2.400 2.399
Uses a dotted-decimal IP address in URL
NORMAL_HTTP_TO_IP
0.159 0.001 0.795 0.001
Bayes spam probability is 0 to 1%
0 0 -1.5 -1.9
Bayes spam probability is 1 to 5%
0 0 -0.3 -0.5
Bayes spam probability is 5 to 20%
0 0 -0.001 -0.001
Bayes spam probability is 20 to 40%
0 0 -0.001 -0.001
Bayes spam probability is 40 to 60%
0 0 2.0 0.8
Bayes spam probability is 60 to 80%
0 0 2.5 1.5
Bayes spam probability is 80 to 95%
0 0 2.7 2.0
Bayes spam probability is 95 to 99%
0 0 3.2 3.0
Bayes spam probability is 99 to 100%
0 0 3.8 3.5
Message would have been caught by accessdb
Message includes Microsoft executable program
MICROSOFT_EXECUTABLE
MIME filename does not match content
MIME_SUSPECT_NAME
Listed in DCC (/anti-spam/dcc/)
0 1.1 0 1.1
DCC reputation between 0 and 12 % (mostly ham)
DCC_REPUT_00_12
0 -0.8 0 -0.4
eval:check_dcc_reputation_range(13,19)
DCC_REPUT_13_19
0 -0.1 0 -0.1
DCC reputation between 70 and 89 %
DCC_REPUT_70_89
0 0.1 0 0.1
DCC reputation between 90 and 94 %
DCC_REPUT_90_94
0 0.4 0 0.6
DCC reputation between 95 and 98 % (mostly spam)
DCC_REPUT_95_98
0 0.7 0 1.0
DCC reputation between 99 % or higher (spam)
DCC_REPUT_99_100
0 1.2 0 1.4
Message has a DKIM or DK signature, not necessarily valid
DKIM_SIGNED
Message has at least one valid DKIM or DK signature
DKIM_VALID
Message has a valid DKIM or DK signature from author's domain
DKIM_VALID_AU
No valid author signature and domain not in DNS
DKIM_ADSP_NXDOMAIN
0 0.8 0 0.9
No valid author signature, domain signs all mail and suggests discarding the rest
DKIM_ADSP_DISCARD
0 1.8 0 1.8
No valid author signature, domain signs all mail
DKIM_ADSP_ALL
0 1.1 0 0.8
No valid author signature, adsp_override is CUSTOM_LOW
DKIM_ADSP_CUSTOM_LOW
No valid author signature, adsp_override is CUSTOM_MED
DKIM_ADSP_CUSTOM_MED
No valid author signature, adsp_override is CUSTOM_HIGH
DKIM_ADSP_CUSTOM_HIGH
eval:check_dkim_valid()
DKIM_VERIFIED
eval:check_dkim_testing()
DKIM_POLICY_TESTING
eval:check_dkim_signsome()
DKIM_POLICY_SIGNSOME
eval:check_dkim_signall()
DKIM_POLICY_SIGNALL
Contains valid Hashcash token (20 bits)
HASHCASH_20
Contains valid Hashcash token (21 bits)
HASHCASH_21
Contains valid Hashcash token (22 bits)
HASHCASH_22
Contains valid Hashcash token (23 bits)
HASHCASH_23
Contains valid Hashcash token (24 bits)
HASHCASH_24
Contains valid Hashcash token (25 bits)
HASHCASH_25
Contains valid Hashcash token (>25 bits)
HASHCASH_HIGH
Hashcash token already spent in another mail
HASHCASH_2SPEND
Listed in Pyzor (http://pyzor.sf.net/)
PYZOR_CHECK
0 1.985 0 1.392
Listed in Razor2 (http://razor.sf.net/)
RAZOR2_CHECK
0 1.729 0 0.922
Razor2 gives confidence level above 50%
RAZOR2_CF_RANGE_51_100
0 0.365 0 0.500
Razor2 gives engine 4 confidence level above 50%
RAZOR2_CF_RANGE_E4_51_100
0 0.467 0 0.642
Razor2 gives engine 8 confidence level above 50%
RAZOR2_CF_RANGE_E8_51_100
0 2.430 0 1.886
Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_MEDS
Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_CHEAP
0.641 1.831 0.833 0.001
Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_PENIS
Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_TION
Attempt to obfuscate words in spam
FUZZY_AFFORDABLE
Attempt to obfuscate words in spam
FUZZY_AMBIEN
2.199 1.851 0.925 0.552
Attempt to obfuscate words in spam
FUZZY_BILLION
Attempt to obfuscate words in spam
FUZZY_CPILL
0.001 0.001 0.001 0.001
Attempt to obfuscate words in spam
FUZZY_CREDIT
1.699 1.413 0.601 1.678
Attempt to obfuscate words in spam
FUZZY_ERECT
2.356 1.306 2.360 1.859
Attempt to obfuscate words in spam
FUZZY_GUARANTEE
Attempt to obfuscate words in spam
FUZZY_MEDICATION
Attempt to obfuscate words in spam
FUZZY_MILLION
2.599 2.599 1.659 2.505
Attempt to obfuscate words in spam
FUZZY_MONEY
Attempt to obfuscate words in spam
FUZZY_MORTGAGE
Attempt to obfuscate words in spam
FUZZY_OBLIGATION
Attempt to obfuscate words in spam
FUZZY_OFFERS
Attempt to obfuscate words in spam
FUZZY_PHARMACY
2.960 3.299 1.967 1.353
Attempt to obfuscate words in spam
FUZZY_PHENT
2.799 1.647 1.540 2.662
Attempt to obfuscate words in spam
FUZZY_PRESCRIPT
Attempt to obfuscate words in spam
FUZZY_PRICES
1.821 0.720 2.210 2.311
Attempt to obfuscate words in spam
FUZZY_REFINANCE
Attempt to obfuscate words in spam
FUZZY_REMOVE
Attempt to obfuscate words in spam
FUZZY_ROLEX
3.399 1.038 3.399 1.964
Attempt to obfuscate words in spam
FUZZY_SOFTWARE
Attempt to obfuscate words in spam
FUZZY_THOUSANDS
Attempt to obfuscate words in spam
FUZZY_VLIUM
Attempt to obfuscate words in spam
FUZZY_VIOXX
Attempt to obfuscate words in spam
FUZZY_VPILL
0.001 0.494 0.796 1.014
Attempt to obfuscate words in spam
FUZZY_XPILL
2.202 1.752 2.799 2.799
SPF: sender matches SPF record
SPF: sender does not match SPF record (neutral)
SPF_NEUTRAL
0 0.652 0 0.779
SPF: sender does not match SPF record (fail)
0 0.919 0 0.001
SPF: sender does not match SPF record (softfail)
SPF_SOFTFAIL
0 0.972 0 0.665
SPF: HELO matches SPF record
SPF_HELO_PASS
SPF: HELO does not match SPF record (neutral)
SPF_HELO_NEUTRAL
0 0.001 0 0.112
SPF: HELO does not match SPF record (fail)
SPF_HELO_FAIL
0 0.001 0 0.001
SPF: HELO does not match SPF record (softfail)
SPF_HELO_SOFTFAIL
0 0.896 0 0.732
Message written in an undesired language
UNWANTED_LANGUAGE_BODY
Body includes 8 consecutive 8-bit characters
BODY_8BITS
Contains an URL listed in the SBL blocklist
0 0.644 0 1.623
Contains an URL listed in the SC SURBL blocklist
URIBL_SC_SURBL
0 0.001 0 0.568
Contains an URL listed in the WS SURBL blocklist
URIBL_WS_SURBL
0 1.659 0 1.608
Contains an URL listed in the PH SURBL blocklist
URIBL_PH_SURBL
0 0.001 0 0.610
Contains an URL listed in the OB SURBL blocklist
URIBL_OB_SURBL
0 0.785 0 0.122
Contains an URL listed in the AB SURBL blocklist
URIBL_AB_SURBL
0 4.499 0 4.499
Contains an URL listed in the JP SURBL blocklist
URIBL_JP_SURBL
0 1.948 0 1.250
Contains an URL listed in the URIBL blacklist
URIBL_BLACK
0 1.775 0 1.725
Contains an URL listed in the URIBL greylist
URIBL_GREY
0 1.084 0 0.424
Contains an URL listed in the URIBL redlist
From: address is in the auto white-list
Not all rules were run, due to a shortcircuited rule
SHORTCIRCUIT
From: address is in the user's black-list
USER_IN_BLACKLIST
From: address is in the user's white-list
USER_IN_WHITELIST
From: address is in the default white-list
USER_IN_DEF_WHITELIST
User is listed in 'blacklist_to'
USER_IN_BLACKLIST_TO
User is listed in 'whitelist_to'
USER_IN_WHITELIST_TO
User is listed in 'more_spam_to'
USER_IN_MORE_SPAM_TO
User is listed in 'all_spam_to'
USER_IN_ALL_SPAM_TO
From: address is in the user's DKIM whitelist
USER_IN_DKIM_WHITELIST
From: address is in the default DKIM white-list
USER_IN_DEF_DKIM_WL
From: address is in the user's SPF whitelist
USER_IN_SPF_WHITELIST
From: address is in the default SPF white-list
USER_IN_DEF_SPF_WL
Subject: contains string in the user's white-list
SUBJECT_IN_WHITELIST
Subject: contains string in the user's black-list
SUBJECT_IN_BLACKLIST
From address contains an apostrophe
APOSTROPHE_FROM
0.148 0.786 0.651 0.545
HELO from home - untrusted
AXB_HELO_HOME_UN
Barbera Fingerprint
AXB_XMID_1212
Brunello Fingerprint
AXB_XMID_1510
Amarone Fingerprint
AXB_XMID_OEGOESNULL
Nebbiolo fingerprint
AXB_XM_SENDMAIL_NOT
Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/
AXB_XR_STULDAP
Talks about banking laws
BANKING_LAWS
2.399 2.004 2.157 1.099
eval:check_base64_length('78','79')
BASE64_LENGTH_78_79
2.370 2.636 0.762 2.667
eval:check_base64_length('79')
BASE64_LENGTH_79_INF
1.379 2.019 0.583 1.502
Date =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}/
BUG6152_INVALID_DATE_TZ_ABSURD
1.802 1.448 0.024 0.766
Content-Type =~ /multipart.{0,200}boundary=\&----=_NextPart_000_-9A-F]{5}\.[0-9A-F]{7}0\&/
CTYPE_001C_B
0.001 0.001 0.001 0.001
/\bCurrent Price:/
CURR_PRICE
Dear Beneficiary:
DEAR_BENEFICIARY
Message contains Dear email address
DEAR_EMAIL
/\bdear.{1,20}winner/i
DEAR_WINNER
3.099 3.099 2.309 3.099
X-mailer pattern common to anal porn site spam
DOS_ANAL_SPAM_MAILER
Received from the same IP twice in a row (only empty or IP helo)
DOS_RCVD_IP_TWICE_C
2.599 2.060 3.292 0.096
Found an asterisk in a URI
DOS_URI_ASTERISK
Subject =~ /\bhoodia\b/i
DRUGS_HDIA
Add / Gain inches
FB_ADD_INCHES
It's almost sex, but not!
FB_ALMOST_SEX
Broken AnaTrim phrase.
FB_ANA_TRIM
Phrase: A_U_N_I
Phrase: [BM]Illi0n
FB_BILLI0N
Phrase: C0mpany
FB_C0MPANY
Phrase: can last longer
FB_CAN_LONGER
Uses a mis-spelled version of cialis.
FB_CIALIS_LEO3
1.688 3.055 2.465 3.245
Looks like double 0 words
FB_DOUBLE_0WORDS
Phrase: email hier
FB_EMAIL_HIER
Phrase: extra inches
FB_EXTRA_INCHES
0.289 0.000 2.603 0.001
Looks like numbers with O's instead of 0's
FB_FAKE_NUMBERS
Looks like fake numbers (4)
FB_FAKE_NUMS4
Phrase: Farmacy
FB_FHARMACY
Phrase: forward look with 0's
FB_FORWARD_LOOK
Too much spacing in Address
FB_GAPPY_ADDRESS
Looks like trying to sell meds
FB_GET_MEDS
2.314 2.027 1.195 0.935
Looks like generic viagra
2.340 0.691 2.568 2.301
Phrase hey bro,
FB_HEY_BRO_COMMA
Phrase: HGH
FB_HG_H_CAP
Phrase $ x home loan
FB_HOMELOAN
Phrase: impress ... girl
FB_IMPRESS_GIRL
Phrase: Increase your energy
FB_INCREASE_YOUR
2.699 2.700 2.335 2.343
Phrase: independent reward
FB_INDEPEND_RWD
Phrase: L0an
Special people leave special signs!
FB_LETTERS_21B
Phrase: LOSE WEIGHT
FB_LOSE_WEIGHT_CAP
0.001 0.001 2.187 0.001
Phrase: lower your monthly payments
FB_LOWER_PAYM
Phrase: more size
FB_MORE_SIZE
Looks like a fake phone number (1)
FB_NOT_PHONE_NUM1
Looks like a fake phone number (3)
FB_NOT_PHONE_NUM3
Looks like school but it's not!
FB_NOT_SCHOOL
Phrase: no prescription needed.
FB_NO_SCRIP_NEEDED
1.656 1.469 2.133 0.922
Speaks of teenager.
Speaks of 20+ year old.
Looks like money but has odd spacing.
FB_ODD_SPACED_MONEY
Mis-spelled online
Phrase: p1ll
Phrase: penis growth
FB_PENIS_GROWTH
Phrase: Dollar, with pipes or 0's.
FB_PIPEDOLLAR
Looks like illion, but it's not
FB_PIPE_ILLION
Talks about prolonged hardness
FB_PROLONGED_HARD
Phrase: quality replica
FB_QUALITY_REPLICA
3.313 3.149 2.005 2.308
Refcode with spacing
FB_REF_CODE_SPACE
Phrase: Replica Rolex
FB_REPLICA_ROLEX
1.674 0.710 1.115 3.175
Phrase: REPLICA
FB_REPLIC_CAP
Looks like refi.
Phrase: Roller is th
FB_ROLLER_IS_T
Phrase: rolx
Phrase: save ... prescription.
FB_SAVE_PERSC
2.799 0.367 1.864 1.492
Phrase: Softabs
FB_SOFTTABS
2.887 3.174 3.378 1.584
Phrase: F R E E
FB_SPACED_FREE
2.499 2.499 2.203 0.395
Phone number with -- spacing. (B)
FB_SPACED_PHN_3B
Looks like a s p a c e d zipcode.
FB_SPACEY_ZIP
Phrase: SPUR-M
Phrase: ssex
Looks like stocks exploding.
FB_STOCK_EXPLODE
Mis-spelled symbol.
Phrase: this advertiser
FB_THIS_ADVERT
3.599 3.600 2.999 3.599
Phrase: thousand personal
FB_THOUS_PERSONAL
Phrase: to stop further distribution
FB_TO_STOP_DISTRO
Phrase: Ultra Allure
FB_ULTRA_ALLURE
2.352 1.074 2.334 0.829
Phrase: lock to your girlfriend
FB_UNLOCK_YOUR_G
Pattern Replacement PROV_D
FB_UNRESOLV_PROV
Phrase: yourself master
FB_YOURSELF_MASTER
Phrase: Your refi
FB_YOUR_REFI
Bad X-Mailer version
FH_BAD_OEV1441
The date is not 19xx.
FH_DATE_IS_19XX
0.000 1.598 2.373 0.277
RCVD line looks faked (A)
FH_FAKE_RCVD_LINE
2.167 1.431 2.525 1.778
RCVD line looks faked (B)
FH_FAKE_RCVD_LINE_B
4.000 3.372 3.999 3.999
E-mail address doesn't have TLD (.com, etc.)
FH_FROMEML_NOTLD
1.708 0.180 0.975 1.082
From name has "cash"
FH_FROM_CASH
2.599 2.436 2.599 1.739
From name says Get
FH_FROM_GET_NAME
From name is giveaway.
FH_FROM_GIVEAWAY
2.599 1.817 1.810 1.655
From has Hoodia!!?
FH_FROM_HOODIA
Has X-AIMC-AUTH header
FH_HAS_XAIMC
1.602 1.899 0.561 1.899
FH_HAS_XID
3.299 3.215 3.003 1.782
Helo is almost an IP addr.
FH_HELO_ALMOST_IP
3.699 3.268 3.457 0.688
Helo ends with a dot.
FH_HELO_ENDS_DOT
Helo is 6-10 hex chr's.
FH_HELO_EQ_610HEX
Helo is d-d-d-
FH_HELO_EQ_CHARTER
0.607 0.286 0.093 2.683
Helo is d-d-d-d
FH_HELO_EQ_D_D_D_D
2.361 1.117 2.815 3.177
Faked helo of gmail-smtp-in
FH_HELO_GMAILSMTP
Host is dynamicip
FH_HOST_EQ_DYNAMICIP
2.632 2.454 3.299 3.298
Host is pacbell.net dsl
FH_HOST_EQ_PACBELL_D
0.001 0.927 0.559 1.703
Host is pool-.+verizon.net
FH_HOST_EQ_VERIZON_P
2.681 1.237 3.671 1.323
HOST dns says "in-addr.arpa"
FH_HOST_IN_ADDRARPA
3.199 2.933 2.452 2.157
Special MSGID
FH_MSGID_000000
Special MSGID
FH_MSGID_01C67
MESSAGE ID seen often!!!
FH_MSGID_01C70XXX
Broken Replace Template
FH_MSGID_REPLACE
Common sign in msg-id's 12/21/2006
FH_MSGID_XXBLAH
Message-Id = @xxx
FH_MSGID_XXX
2.399 1.632 2.376 1.482
Subject is Re: new \d\d\d
FH_RE_NEW_DDD
Broken Replace Template
FH_XMAIL_REPLACE
Fill in a form with personal information
FILL_THIS_FORM_LONG
3.800 3.476 2.300 3.404
Looks like Fake Outlook?
FM_XMAIL_F_OUT
X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
FORGED_RELAY_MUA_TO_MX
ReplaceTags: Adobe
FRT_ADOBE2
0.001 1.099 0.221 0.877
ReplaceTags: Approve
FRT_APPROV
ReplaceTags: Bigger / Larger, Penis / Member
FRT_BIGGERMEM1
2.523 0.146 2.372 1.758
ReplaceTags: Diploma
FRT_DIPLOMA
0.000 1.548 0.787 1.599
ReplaceTags: Discount
FRT_DISCOUNT
ReplaceTags: Dollar
FRT_DOLLAR
ReplaceTags: Establish (2)
FRT_ESTABLISH2
ReplaceTags: Fuck (2)
ReplaceTags: Guarantee (1)
FRT_GUARANTEE1
ReplaceTags: Investor
FRT_INVESTOR
ReplaceTags: Levitra
FRT_LEVITRA
ReplaceTags: Meeting
FRT_MEETING
ReplaceTags: Offer (2)
FRT_OFFER2
1.681 1.109 2.048 0.926
ReplaceTags: Oppertun (2)
FRT_OPPORTUN2
ReplaceTags: Penis
FRT_PENIS1
2.299 2.293 1.029 0.731
ReplaceTags: Pharmac
FRT_PHARMAC
ReplaceTags: Price
ReplaceTags: Refinance (1)
FRT_REFINANCE1
ReplaceTags: Rolex
2.699 2.183 1.440 2.699
ReplaceTags: Sexual
FRT_SEXUAL
ReplaceTags: Soma
0.000 3.280 2.099 2.871
ReplaceTags: Soma (2)
0.001 0.001 0.001 0.001
ReplaceTags: Strong (1)
FRT_STRONG1
ReplaceTags: Strong (2)
FRT_STRONG2
ReplaceTags: Symbol
FRT_SYMBOL
ReplaceTags: Today (2)
FRT_TODAY2
0.480 0.693 1.988 0.905
ReplaceTags: Valium
FRT_VALIUM1
ReplaceTags: Valium (2)
FRT_VALIUM2
ReplaceTags: Weight (2)
FRT_WEIGHT2
ReplaceTags: Xanax (1)
FRT_XANAX1
ReplaceTags: Xanax (2)
FRT_XANAX2
Looks like 3 &e& small tags.
FR_3TAG_3TAG
Almost looks like viagra.
FR_ALMOST_VIAG2
2.299 1.594 2.299 1.531
Phrase class=cantseetext
FR_CANTSEETEXT
Sign often seen in spams
HTML Title is only numbers
FR_TITLE_NUMS
2.899 2.695 2.899 2.899
X-Spam-Relays-External =~ /gmail-smtp-in\.l\.google\.com/
FSL_FAKE_GMAIL_RCVD
3.099 2.974 1.002 2.104
X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
FSL_FAKE_HOTMAIL_RVCD
2.631 1.816 2.011 2.365
/\/geocities\.com\/\S+$/
FSL_GEO_ABUSE
2.699 2.699 2.313 2.167
X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i
FSL_HELO_BARE_IP_1
2.598 1.426 3.099 2.347
X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
FSL_HELO_DEVICE
1.682 0.001 0.884 0.806
X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
FSL_HELO_NON_FQDN_1
2.361 0.001 1.783 0.001
X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
FSL_HELO_SETUP
/\/\S+\.(?:w|eu|fm)\.interia\.pl/
FSL_INTERIA_ABUSE
3.899 2.664 3.080 3.106
/cid\-\S+\.spaces\.live\.com/
FSL_LSPACES_ABUSE
/\/groups\.yahoo\.com\/group\/\S+\/message\/1$/
FSL_YG_ABUSE
Subject has "a bigger"
FS_ABIGGER
1.693 1.354 2.477 1.112
Subject says approve you
FS_APPROVE_YOU
2.499 1.272 1.942 1.873
Subject says "At No Cost"
FS_AT_NO_COST
Phrase: Cheap in Caps in Subject.
FS_CHEAP_CAP
Subject talks about money bonus!
FS_DOLLAR_BONUS
Phrase: ejaculation in subject.
FS_EJACULA
Phrase: erection in subject.
FS_ERECTION
Phrase: Huge Cock
FS_HUGECOCK
Larger than 100% in subj.
FS_LARGE_PERCENT2
2.645 2.699 0.001 1.960
Subject says low rates
FS_LOW_RATES
Subj starts with New software uploaded
FS_NEW_SOFT_UPLOAD
Subject looks like Fharmacy spams.
FS_NEW_XXX
Subject almost says No prescription
FS_NO_SCRIP
Subject says Nude
2.399 1.653 1.288 1.101
what could this word be?
FS_OBFU_PRMCY
2.400 0.384 0.204 1.248
Subject mis-spelled prescription
FS_PERSCRIPTION
Looks like Phramacy subject.
FS_PHARMASUB2
2.980 1.345 2.956 0.549
Subject says Ramrod
Subject says "replica"
FS_REPLICA
1.630 3.599 2.028 3.599
Subject says Replica watch
FS_REPLICAWATCH
3.237 1.715 1.733 3.015
Phrase: re approved
FS_RE_APPROV
Subject starts with Do you dream,have,want,love, etc.
FS_START_DOYOU2
2.799 2.799 2.799 2.800
Subject starts with Lose
FS_START_LOSE
0.249 0.176 1.424 1.809
Subject says something bad about teens
FS_TEEN_BAD
Phrase: subject = tip ddd
FS_TIP_DDD
Subject says Weight Loss
FS_WEIGHT_LOSS
1.894 1.541 2.501 2.036
Subject says will help
FS_WILL_HELP
2.599 0.893 2.484 0.734
Subject says With ... small
FS_WITH_SMALL
/<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
FUZZY_MERIDIA
Sub-dir seen often in spam (2).
FU_COMMON_SUBS2
2.801 2.650 2.823 0.292
Ends with clk/d+.d+.d+
FU_ENDS_NUMS_DOTS_CLK
ET Phone Home?
URL has hoodia in it.
URL has a long file name with .aspx extension.
FU_LONG_QUERY3
URL has /gal/
URL with [a-z]{2}.
FU_UKGEOCITIES
URI style tracker (T)
FU_URI_TRACKER_T
/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
GEO_QUERY_STRING
Misspaced headers
HDRS_MISSP
Multiple Subject headers found
HEADER_COUNT_SUBJECT
X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
HELO_FRIEND
X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
HELO_LH_HOME
0.001 2.023 0.537 1.736
X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
HELO_LH_LD
X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
HELO_LOCALHOST
2.639 3.603 2.915 3.828
X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
2.899 2.899 1.234 0.270
From name contains drugs
HK_NAME_DRUGS
4.299 0.001 3.077 0.552
From name mentions free stuff
HK_NAME_FREE
Envelope sender username looks random
HK_RANDOM_ENVFROM
2.638 0.626 1.798 0.001
/\bnext of kin\b/i
HK_SCAM_N2
Bobax? Message-Id: &&
HS_BOBAX_MID_2
2.762 2.612 1.243 1.437
Somebody has uploaded some new software for you
HS_BODY_UPLOADED_SOFTWARE
Contains a drug and price-like pattern.
HS_DRUG_DOLLAR_1
Contains a drug and price-like pattern.
HS_DRUG_DOLLAR_2
Contains a drug and price-like pattern.
HS_DRUG_DOLLAR_3
Links to common unsubscribe script: 'getmeoff.php'
HS_GETMEOFF
Link contains a common tracker pattern.
HS_INDEX_PARAM
1.105 0.023 1.203 0.574
Talks about meeting up for sex.
HS_MEETUP_FOR_SEX
Subject starts with 'New software uploaded by'
HS_SUBJ_NEW_SOFTWARE
Subject contains the phrase 'Online pharmaceutical'
HS_SUBJ_ONLINE_PHARMACEUTICAL
Contains VPXL, yet the recommended dose is only 2 tablets.
3.211 1.399 2.696 1.948
eval:check_https_http_mismatch('1','10')
HTTPS_HTTP_MISMATCH
0.557 0.000 1.778 1.989
/(?:\&|\?)btnI=ec(?:$|\&)/
JM_I_FEEL_LUCKY
Received =~ /by \S+ \(Qmailv1\) with ESMTP/
JM_RCVD_QMAILV1
Date:raw =~ /^\t/
KB_DATE_CONTAINS_TAB
3.800 3.799 3.799 2.751
ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi
KB_RATWARE_OUTLOOK_08
ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
KB_RATWARE_OUTLOOK_12
ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
KB_RATWARE_OUTLOOK_16
ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
KB_RATWARE_OUTLOOK_MID
4.400 4.400 2.503 1.499
LIVEFILESTORE
3.300 2.570 3.183 0.771
/long\W+term\W+(target|projected)(\W+price)?/i
LONG_TERM_PRICE
A loop hole in the banking laws?
LOOPHOLE_1
Claims Agent
LOTTO_AGENT
Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
L_SPAM_TOOL_13
0.539 0.485 0.494 1.333
Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
MID_DEGREES
Content-Type =~ /boundary="=====================_\d+==\.REL"/s
MIME_BOUND_EQ_REL
Message has NUL (ASCII 0) byte in message
NULL_IN_BODY
0.511 0.498 2.056 1.596
Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*:<=>?\@\[\]^\`{|}~]|;\S)/
RCVD_BAD_ID
Forged 'Received' header found ('wrote:' spam)
RCVD_FORGED_WROTE
Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
RCVD_FORGED_WROTE2
eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
RCVD_IN_BRBL_LASTEXT
0 1.644 0 1.449
Received via a relay in Spamhaus CSS
RCVD_IN_CSS
0 1.0 0 1.0
Sender listed at http://www.dnswl.org/, high trust
RCVD_IN_DNSWL_HI
Sender listed at http://www.dnswl.org/, low trust
RCVD_IN_DNSWL_LOW
0 -0.7 0 -0.7
Sender listed at http://www.dnswl.org/, medium trust
RCVD_IN_DNSWL_MED
0 -2.3 0 -2.3
Sender listed at http://www.dnswl.org/, low trust
RCVD_IN_DNSWL_NONE
0 -0..0001
IADB: Sender publishes Domain Keys record
RCVD_IN_IADB_DK
0 -0.223 0 -0.095
IADB: All mailing list mail is confirmed opt-in
RCVD_IN_IADB_DOPTIN
IADB: Confirmed opt-in used more than 50% of the time
RCVD_IN_IADB_DOPTIN_GT50
IADB: Confirmed opt-in used less than 50% of the time
RCVD_IN_IADB_DOPTIN_LT50
0 -0.001 0 -0.001
IADB: Participates in Email Deliverability Database
RCVD_IN_IADB_EDDB
IADB: Member of Email Processing Industry Alliance
RCVD_IN_IADB_EPIA
IADB: Sender has been certified by GoodMail
RCVD_IN_IADB_GOODMAIL
Participates in the IADB system
RCVD_IN_IADB_LISTED
0 -0.380 0 -0.001
IADB: Adds relationship addrs w/out opt-in
RCVD_IN_IADB_LOOSE
IADB: Complies with Michigan's CPEAR law
RCVD_IN_IADB_MI_CPEAR
IADB: Checked lists against Michigan's CPR within 30 days
RCVD_IN_IADB_MI_CPR_30
IADB: Sends no material under Michigan's CPR
RCVD_IN_IADB_MI_CPR_MAT
0 -0.332 0 -0.000
IADB: Mailing list email only, confirmed opt-in
RCVD_IN_IADB_ML_DOPTIN
IADB: Has absolutely no mailing controls in place
RCVD_IN_IADB_NOCO***OL
IADB: One-to-one/transactional email only
RCVD_IN_IADB_OOO
IADB: All mailing list mail is opt-in
RCVD_IN_IADB_OPTIN
0 -2.057 0 -1.470
IADB: Opt-in used more than 50% of the time
RCVD_IN_IADB_OPTIN_GT50
0 -1.208 0 -0.007
IADB: Opt-in used less than 50% of the time
RCVD_IN_IADB_OPTIN_LT50
IADB: Scrapes addresses, pure opt-out only
RCVD_IN_IADB_OPTOUTONLY
IADB: Sender has reverse DNS record
RCVD_IN_IADB_RDNS
0 -0.167 0 -0.235
IADB: Sender publishes Sender ID record
RCVD_IN_IADB_SENDERID
0 -0.001 0 -0.001
IADB: Sender publishes SPF record
RCVD_IN_IADB_SPF
0 -0.001 0 -0.059
IADB: Accepts unverified sign-ups
RCVD_IN_IADB_UNVERIFIED_1
IADB: Accepts unverified sign-ups, gives chance to opt out
RCVD_IN_IADB_UNVERIFIED_2
IADB: Complies with Utah's CPEAR law
RCVD_IN_IADB_UT_CPEAR
IADB: Checked lists against Utah's CPR within 30 days
RCVD_IN_IADB_UT_CPR_30
IADB: Sends no material under Utah's CPR
RCVD_IN_IADB_UT_CPR_MAT
0 -0.095 0 -0.001
Received via a relay in PSBL
RCVD_IN_PSBL
0 2.700 0 2.700
Sender is in Return Path Certified (trusted relay)
RCVD_IN_RP_CERTIFIED
0.0 -3.0 0.0 -3.0
Relay in RNBL, https://senderscore.org/blacklistlookup/
RCVD_IN_RP_RNBL
0 1.284 0 1.310
Sender is in Return Path Safe (trusted relay)
RCVD_IN_RP_SAFE
0.0 -2.0 0.0 -2.0
Forged Received header ( )
RCVD_MAIL_COM
Sender's public rDNS is "localhost"
RDNS_LOCALHOST
3.700 0.969 2.345 0.001
Email.Spam.Gen3177.Sanesecurity.
SANE_04e8bf28ebf11b943c44d209
1.712 3.185 2.654 1.337
Email.Spam.Gen3234.Sanesecurity.
SANE_1c4f3286fa4aed6424ced88bfaf8b09c
3.199 2.040 3.199 1.502
Email.Spam.Sanesecurity.Url_2496
SANE_2b173a7fba2d294d773fd8
2.976 1.117 1.951 0.942
Email.Spam.Gen158.Sanesecurity.
SANE_3b92eda751c992f230f215fb7eb36844
0.001 0.626 0.585 3.040
Email.Spam.Gen1941.Sanesecurity.
SANE_4ef0a19baf98508afacc4
2.231 3.464 2.266 3.543
Email.Spam.Gen2507.Sanesecurity.
SANE_8f43f1f1b795f9420714e
3.999 1.655 2.776 1.479
Email.Malware.Sanesecurity.
SANE_91eb43f705d25cd7519660
3.099 2.803 2.746 1.572
Email.Spam.Sanesecurity.Url_2499
SANE_d0d2b0fd66dd74c594b87
3.799 2.040 2.710 1.494
/short\W+term\W+(target|projected)(\W+price)?/i
SHORT_TERM_PRICE
Content-Type =~ /text\/ .* reply-type=original/
STOX_REPLY_TYPE
1.898 0.212 0.141 0.439
From starts with a tab
TAB_IN_FROM
X-Mailer =~ /^The Bat! .{0,20} UNREG$/
THEBAT_UNREG
2.599 1.843 2.324 1.524
Scora: Message-Id ends after left-bracket + digits
TT_MSGID_TRUNC
0.748 0.023 1.434 1.448
/\bact of (?:193|nineteen thirty)/i
TVD_ACT_193
/you.{1,2}re .{0,20}approved/i
TVD_APPROVED
2.356 2.599 2.599 2.090
/^dear homeowner/i
TVD_DEAR_HOMEOWNER
EnvelopeFrom =~ /\'/
TVD_ENVFROM_APOST
Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
TVD_FINGER_02
0.001 1.544 1.394 1.215
/\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
TVD_FLOAT_GENERAL
/<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
TVD_FUZZY_DEGREE
/(?!finance)<F><I><N><A><N><C><E>/i
TVD_FUZZY_FINANCE
/<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
TVD_FUZZY_FIXED_RATE
/<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
TVD_FUZZY_MICROCAP
/<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
TVD_FUZZY_PHARMACEUTICAL
/<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i
TVD_FUZZY_SYMBOL
/\bsize of .{1,20}(?:penis|dick|manhood)/i
TVD_INCREASE_SIZE
1.529 0.601 1.055 0.001
/\blink to save\b/i
TVD_LINK_S***E
Subject =~ /(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\S* \d+% OFF/
TVD_PCT_OFF
/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
TVD_PH_BODY_ACCOUNTS_PRE
1.201 1.527 1.327 2.393
Message has a phrase standard for phishing mails
TVD_PH_REC
3.127 2.026 3.266 1.784
Message has a phrase standard for phishing mails
TVD_PH_SEC
0.291 1.498 0.869 1.764
Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|update|report|notif(?:y|ication)|suspen(?:d|ded|sion)|co(?:n|m)firm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i
TVD_PH_SUBJ_ACCOUNTS_POST
2.602 2.607 2.497 3.099
Subject =~ /\bsecurity (?:[a-z_,-]+ )*?measures?\b/i
TVD_PH_SUBJ_SEC_MEASURES
2.284 1.522 1.675 1.145
Subject =~ /^urgent(?:[\s\W]*$|.{1,40}(?:alert|response|assistance|proposal|reply|warning|noti(?:ce|fication)|greeting|matter))/i
TVD_PH_SUBJ_URGENT
1.251 2.326 2.255 2.800
/\bquality med(?:ication)?s\b/i
TVD_QUAL_MEDS
2.697 2.397 2.799 2.483
Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
TVD_RATWARE_CB
Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
TVD_RATWARE_CB_2
Message-ID =~ /^[^<]*<[a-z]+\@/
TVD_RATWARE_MSGID_02
Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
TVD_RCVD_IP
0.001 0.054 0.001 0.695
Received =~ /^from\s+(?:\d+\.){3}\d+\s/
TVD_RCVD_IP4
0.159 1.495 0.674 1.596
Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/
TVD_RCVD_SINGLE
0.242 1.213 0.001 2.172
Received =~ /\(\[(?!UNIX:)[^\[\]]*\s/
TVD_RCVD_SPACE_BRACKET
0.001 0.001 0.001 0.001
/\bSection (?:27A| 21B)/i
TVD_SECTION
m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s&'\@?\)&-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
TVD_SILLY_URI_OBFU
Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
TVD_SPACED_SUBJECT_WORD3
eval:check_stock_info('2')
TVD_STOCK1
Subject has spammy looking monetary reference
TVD_SUBJ_ACC_NUM
0.001 2.199 2.199 2.198
Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
TVD_SUBJ_FINGER_03
Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
TVD_SUBJ_OWE
Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
TVD_SUBJ_WIPE_DEBT
2.599 2.291 2.599 1.004
/Online Ph.rmacy/i
TVD_VISIT_PHARMA
1.957 1.196 0.417 1.406
/<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
TVD_VIS_HIDDEN
Contains an URI of a new domain (Day Old Bread)
URIBL_RHS_DOB
0 0.276 0 1.514
Obfuscated URI
URI_OBFU_WWW
3.099 3.099 2.306 2.475
X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
X_MAILER_CME_6543_MSN
2.886 2.004 3.002 3.348
Copyright © The Apache Software Foundation. All rights reserved.
Apache SpamAssassin, SpamAssassin, and the SpamAssassin logo are trademarks of The Apache Software Foundation.