| AREA TESTED | DESCRIPTION OF TEST | TEST NAME | DEFAULT SCORES (local, net, with bayes, with bayes+net) |
|---|---|---|---|
| body | Generic Test for Unsolicited Bulk Email | GTUBE | 1000.000 |
| body | Incorporates a tracking ID number | TRACKER_ID | 2.699 2.696 2.000 2.003 |
| body | Weird repeated double-quotation marks | WEIRD_QUOTING | 2.799 2.796 1.428 1.396 |
| body | Body contains a ROT13-encoded email address | EMAIL_ROT13 | 1.600 1.680 1.850 2.000 |
| body | HTML and text parts are different | MPART_ALT_DIFF | 2.498 1.143 1.456 0.739 |
| body | HTML and text parts are different | MPART_ALT_DIFF_COUNT | 2.899 1.882 1.500 1.110 |
| body | Message body has 80-90% blank lines | BLANK_LINES_80_90 | 1 |
| body | eval:tvd_vertical_words('0','10') | TVD_SPACE_RATIO | 2.899 2.899 2.307 2.219 |
| body | eval:check_ma_non_text() | MULTIPART_ALT_NON_TEXT | 2.699 2.696 2.699 2.696 |
| body | Character set indicates a foreign language | CHARSET_FARAWAY | 3.200 |
| rawbody | Extra blank lines in base64 encoding | MIME_BASE64_BLANKS | 0.221 0.001 0.016 0.041 |
| rawbody | Message text disguised using base64 encoding | MIME_BASE64_TEXT | 2.701 2.796 1.709 1.753 |
| body | Missing blank line between MIME header and body | MISSING_MIME_HB_SEP | 2.599 2.699 2.205 2.119 |
| body | Multipart message mostly text/html MIME | MIME_HTML_MOSTLY | 0.001 |
| body | Message only has text/html MIME parts | MIME_HTML_ONLY | 2.299 1.672 1.925 1.457 |
| rawbody | Quoted-printable line longer than 76 chars | MIME_QP_LONG_LINE | 2.499 1.819 1.500 1.396 |
| body | MIME character set is an unknown ISO charset | MIME_BAD_ISO_CHARSET | 3.363 2.831 2.768 0.346 |
| body | IP to HTTPS link found in HTML | HTTPS_IP_MISMATCH | 2.697 2.896 2.899 2.897 |
| body | Message contained a URI which was truncated | URI_TRUNCATED | 0.001 |
| header | Passed through trusted hosts only via SMTP | ALL_TRUSTED | -1.360 -1.440 -1.665 -1.800 |
| header | Informational: message was not relayed via SMTP | NO_RELAYS | -0.001 |
| header | NJABL: sender is confirmed open relay | RCVD_IN_NJABL_RELAY | 0 1.841 0 2.696 |
| header | NJABL: sender is confirmed spam source | RCVD_IN_NJABL_SPAM | 0 3.096 0 2.072 |
| header | NJABL: sent through multi-stage open relay | RCVD_IN_NJABL_MULTI | 1 |
| header | NJABL: sender is an open formmail | RCVD_IN_NJABL_CGI | 1 |
| header | NJABL: sender is an open proxy | RCVD_IN_NJABL_PROXY | 0 1.693 0 1.643 |
| header | SORBS: sender is open HTTP proxy server | RCVD_IN_SORBS_HTTP | 0 0.001 0 0.001 |
| header | SORBS: sender is open SOCKS proxy server | RCVD_IN_SORBS_SOCKS | 0 0.182 0 0.801 |
| header | SORBS: sender is open proxy server | RCVD_IN_SORBS_MISC | 0 0.001 0 0.353 |
| header | SORBS: sender is open SMTP relay | RCVD_IN_SORBS_SMTP | 1 |
| header | SORBS: sender is an abusable web server | RCVD_IN_SORBS_WEB | 0 1.117 0 0.619 |
| header | SORBS: sender demands to never be tested | RCVD_IN_SORBS_BLOCK | 1 |
| header | SORBS: sender is on a hijacked network | RCVD_IN_SORBS_ZOMBIE | 1 |
| header | SORBS: sent directly from dynamic IP address | RCVD_IN_SORBS_DUL | 0 1.615 0 0.877 |
| header | Received via a relay in Spamhaus SBL | RCVD_IN_SBL | 0 2.810 0 1.551 |
| header | Received via a relay in Spamhaus XBL | RCVD_IN_XBL | 0 2.896 0 3.033 |
| header | Received via a relay in Spamhaus PBL | RCVD_IN_PBL | 0 0.509 0 0.905 |
| header | Envelope sender in dsn.rfc-ignorant.org | DNS_FROM_RFC_DSN | 0 2.527 0 1.495 |
| header | Envelope sender in bogusmx.rfc-ignorant.org | DNS_FROM_RFC_BOGUSMX | 0 2.125 0 1.482 |
| header | CompleteWhois: sender on bogons IP block | RCVD_IN_WHOIS_BOGONS | 1 |
| header | CompleteWhois: sender on hijacked IP block | RCVD_IN_WHOIS_HIJACKED | 0 1.000 0 1.000 |
| header | CompleteWhois: sender on invalid IP block | RCVD_IN_WHOIS_INVALID | 0 1.199 0 0.400 |
| header | Received via a relay in list.dsbl.org | RCVD_IN_DSBL | 0 0.753 0 0.961 |
| header | Envelope sender listed in dnsbl.ahbl.org | DNS_FROM_AHBL_RHSBL | 0 2.025 0 0.692 |
| header | Envelope sender in blackholes.securitysage.com | DNS_FROM_SECURITYSAGE | 0 0.127 0 0.001 |
| header | Received via a relay in bl.spamcop.net | RCVD_IN_BL_SPAMCOP_NET | 0 2.188 0 1.960 |
| header | Relay in RBL, http://www.mail-abuse.org/rbl/ | RCVD_IN_MAPS_RBL | 1 |
| header | Relay in DUL, http://www.mail-abuse.org/dul/ | RCVD_IN_MAPS_DUL | 1 |
| header | Relay in RSS, http://www.mail-abuse.org/rss/ | RCVD_IN_MAPS_RSS | 1 |
| header | Relay in NML, http://www.mail-abuse.org/nml/ | RCVD_IN_MAPS_NML | 1 |
| header | Sender is in Bonded Sender Program (trusted relay) | RCVD_IN_BSP_TRUSTED | 0 -4.3 0 -4.3 |
| header | Sender is in Bonded Sender Program (other relay) | RCVD_IN_BSP_OTHER | 0 -0.1 0 -0.1 |
| header | ISIPP IADB lists as vouched-for sender | RCVD_IN_IADB_VOUCHED | 0 -2.2 0 -2.2 |
| header | Habeas Accredited Confirmed Opt-In or Better | HABEAS_ACCREDITED_COI | 0 -8.0 0 -8.0 |
| header | Habeas Accredited Opt-In or Better | HABEAS_ACCREDITED_SOI | 0 -4.3 0 -4.3 |
| header | Habeas Checked | HABEAS_CHECKED | 0 -0.2 0 -0.2 |
| header | Subject contains a gappy version of 'cialis' | SUBJECT_DRUG_GAP_C | 0.001 0.001 0.508 0.003 |
| header | Subject contains a gappy version of 'levitra' | SUBJECT_DRUG_GAP_L | 1.047 1.831 2.407 2.515 |
| header | Subject contains a gappy version of 'soma' | SUBJECT_DRUG_GAP_S | 1 |
| header | Subject contains a gappy version of 'valium' | SUBJECT_DRUG_GAP_VA | 1.876 2.596 1.035 1.014 |
| header | Subject contains a gappy version of 'xanax' | SUBJECT_DRUG_GAP_X | 1.478 2.052 2.298 1.766 |
| body | Talks about price per dose | DRUG_DOSAGE | 2.514 0.128 1.621 1.623 |
| body | Mentions an E.D. drug | DRUG_ED_CAPS | 0.329 1.540 2.417 0.322 |
| body | Talks about an E.D. drug using its chemical name | DRUG_ED_SILD | 0.001 0.001 1.026 1.185 |
| body | Mentions Generic Viagra | DRUG_ED_GENERIC | 3.286 3.314 2.001 1.558 |
| body | Fast Viagra Delivery | DRUG_ED_ONLINE | 1 |
| body | Online Pharmacy | ONLINE_PHARMACY | 2.701 1.484 0.057 0.001 |
| body | No prescription needed | NO_PRESCRIPTION | 2.573 2.757 2.944 2.619 |
| body | Attempts to disguise the word 'viagra' | VIA_GAP_GRA | 2.203 1.053 2.004 0.133 |
| body | Two or more drugs crammed together into one word | DRUGS_SMEAR1 | 1 |
| header | Delivered to trusted network by a host with no rDNS | RDNS_NONE | 0.1 |
| header | Relay HELO'd with suspicious hostname (mail.com) | FAKE_HELO_MAIL_COM_DOM | 3.199 3.196 2.812 3.199 |
| header | Relay HELO'd using suspicious hostname (IP addr 1) | HELO_DYNAMIC_IPADDR | 4.399 2.935 2.643 2.426 |
| header | Relay HELO'd using suspicious hostname (DHCP) | HELO_DYNAMIC_DHCP | 2.298 1.520 1.536 1.398 |
| header | Relay HELO'd using suspicious hostname (HCC) | HELO_DYNAMIC_HCC | 4.299 4.295 4.299 4.295 |
| header | Relay HELO'd using suspicious hostname (Rogers) | HELO_DYNAMIC_ROGERS | 1 |
| header | Relay HELO'd using suspicious hostname (T-Dialin) | HELO_DYNAMIC_DIALIN | 3.999 3.995 3.999 3.384 |
| header | Relay HELO'd using suspicious hostname (Hex IP) | HELO_DYNAMIC_HEXIP | 3.099 3.099 3.100 2.204 |
| header | Relay HELO'd using suspicious hostname (Split IP) | HELO_DYNAMIC_SPLIT_IP | 4.199 4.199 4.199 3.493 |
| header | Relay HELO'd using suspicious hostname (IP addr 2) | HELO_DYNAMIC_IPADDR2 | 4.399 4.395 4.400 4.395 |
| header | Relay HELO'd using suspicious hostname (Chello.nl) | HELO_DYNAMIC_CHELLO_NL | 3.600 3.599 3.599 3.595 |
| header | Relay HELO'd using suspicious hostname (Home.nl) | HELO_DYNAMIC_HOME_NL | 3.499 3.496 3.499 3.463 |
| header | Host HELO did not match rDNS: msn.com | FAKE_HELO_MSN | 1 |
| header | Host HELO did not match rDNS: mail.com | FAKE_HELO_MAIL_COM | 1.755 0.220 2.600 1.317 |
| header | Host HELO did not match rDNS: email.com | FAKE_HELO_EMAIL_COM | 1 |
| header | Host HELO did not match rDNS: excite.com | FAKE_HELO_EXCITE | 2.599 2.552 2.599 2.598 |
| header | Host HELO did not match rDNS: lycos.com | FAKE_HELO_LYCOS | 2.459 2.432 2.497 2.599 |
| header | Host HELO did not match rDNS: yahoo.ca | FAKE_HELO_YAHOO_CA | 1 |
| header | Partial message | FRAGMENTED_MESSAGE | 2.5 |
| header | From: contains empty name | FROM_BLANK_NAME | 2.215 2.212 2.100 0.760 |
| header | From: starts with many numbers | FROM_STARTS_WITH_NUMS | 2.302 0.723 1.232 1.499 |
| header | From address is "at something-offers" | FROM_OFFERS | 2.601 1.145 2.699 0.001 |
| header | From: has no local-part before @ sign | FROM_NO_USER | 2.199 0.499 2.081 1.483 |
| header | Subject has exclamation mark and question mark | PLING_QUERY | 2.160 1.333 1.400 1.390 |
| header | Spam tool Message-Id: (caps variant) | MSGID_SPAM_CAPS | 4.199 4.195 4.199 4.195 |
| header | Spam tool Message-Id: (letters variant) | MSGID_SPAM_LETTERS | 2.861 1.637 0.866 1.188 |
| header | Message-ID has ALLCAPS@yahoo.com | MSGID_YAHOO_CAPS | 1.197 0.448 2.921 3.107 |
| header | Message-ID is unusually short | MSGID_SHORT | 0.200 0.232 0.690 1.078 |
| header | Message-ID contains multiple '@' characters | MSGID_MULTIPLE_AT | 1.221 1.211 1.571 1.449 |
| header | Date header uses unusual Y2K formatting | DATE_SPAMWARE_Y2K | 2.057 1.031 2.912 2.883 |
| header | Invalid Date: header (not RFC 2822) | INVALID_DATE | 2.303 1.651 1.329 1.245 |
| header | Invalid Date: header (timezone does not exist) | INVALID_DATE_TZ_ABSURD | 0.197 0.243 2.284 2.191 |
| header | Invalid date in header (wrong CST timezone) | INVALID_TZ_CST | 1.704 0.862 1.583 2.079 |
| header | Invalid date in header (wrong EST timezone) | INVALID_TZ_EST | 2.601 2.065 2.265 2.696 |
| header | Subject contains an English UCE tag | ENGLISH_UCE_SUBJECT | 1 |
| header | Subject contains a Japanese UCE tag | JAPANESE_UCE_SUBJECT | 1 |
| header | Subject: contains Korean unsolicited email tag | KOREAN_UCE_SUBJECT | 3.099 1.111 2.114 2.962 |
| header | Contains forged hostname for a DSL IP in Brazil | FORGED_TELESP_RCVD | 1 |
| header | Character set doesn't exist | NONEXISTENT_CHARSET | 1 |
| header | Missing Message-Id: header | MISSING_MID | 0.001 |
| header | Missing Date: header | MISSING_DATE | 0.001 |
| header | Subject: contains G.a.p.p.y-T.e.x.t | GAPPY_SUBJECT | 2.104 2.001 0.941 1.020 |
| header | Message has Prevent-NonDelivery-Report header | PREVENT_NONDELIVERY | 1.515 1.640 1.737 1.600 |
| header | Message has X-IP header | X_IP | 2.840 1.943 2.744 3.177 |
| header | Subject contains "As Seen" | SUBJ_AS_SEEN | 1 |
| header | Subject starts with dollar amount | SUBJ_DOLLARS | 2.399 0.842 1.501 1.421 |
| header | Subject contains "Your Bills" or similar | SUBJ_YOUR_DEBT | 2.899 2.896 2.576 2.622 |
| header | Subject contains "Your Family" | SUBJ_YOUR_FAMILY | 2.799 2.647 2.000 1.043 |
| header | Received contains a faked HELO hostname | RCVD_FAKE_HELO_DOTCOM | 2.789 2.775 2.899 2.592 |
| header | Subject talks about losing pounds | SUBJECT_DIET | 2.527 1.621 2.084 1.466 |
| header | Header has extraneous Content-type:...type= entry | EXTRA_MPART_TYPE | 1.0 |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_DD_DIGITS | 3.869 4.199 3.386 1.466 |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_DIGITS_15 | 2.899 2.896 2.899 2.896 |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_MANY_HEX | 0.001 0.001 1.472 0.803 |
| header | To: has a malformed address | TO_MALFORMED | 0.001 0.001 0.001 1.170 |
| header | Received line contains spam-sign (lowercase smtp) | WITH_LC_SMTP | 1 |
| header | Subject line starts with Buy or Buying | SUBJ_BUY | 2.702 0.900 0.999 0.001 |
| header | Received headers forged (AM/PM) | RCVD_AM_PM | 1.529 1.688 2.833 0.545 |
| header | Received header contains faked 'mr.outblaze.com' | FAKE_OUTBLAZE_RCVD | 3.499 3.496 3.304 2.271 |
| header | Headers contain an unclosed bracket | UNCLOSED_BRACKET | 2.687 2.083 1.580 2.206 |
| header | From: domain has series of non-vowel letters | FROM_DOMAIN_NOVOWEL | 3.000 3.099 2.999 2.592 |
| header | From: localpart has series of non-vowel letters | FROM_LOCAL_NOVOWEL | 3.199 3.196 3.199 3.196 |
| header | From: localpart has long hexadecimal sequence | FROM_LOCAL_HEX | 2.602 2.733 1.432 1.399 |
| header | From: localpart has long digit sequence | FROM_LOCAL_DIGITS | 0.001 |
| header | Cc: after X-Priority: (bulk email fingerprint) | X_PRIORITY_CC | 2.599 1.492 2.599 2.596 |
| header | Message has bad MIME encoding in the header | BAD_ENC_HEADER | 3.499 2.870 1.947 1.810 |
| header | A foreign language charset used in headers | CHARSET_FARAWAY_HEADER | 3.200 |
| header | Subject: has too many raw illegal characters | SUBJ_ILLEGAL_CHARS | 1.173 1.527 1.954 1.586 |
| header | From: has too many raw illegal characters | FROM_ILLEGAL_CHARS | 2.922 3.999 3.999 3.995 |
| header | Headers have too many raw illegal characters | HEAD_ILLEGAL_CHARS | 3.799 3.729 3.799 3.622 |
| header | hotmail.com 'From' address, but no 'Received:' | FORGED_HOTMAIL_RCVD2 | 1.947 1.117 1.498 1.502 |
| header | 'From' yahoo.com does not match 'Received' headers | FORGED_YAHOO_RCVD | 2.299 1.408 1.889 2.297 |
| header | Recipient list is sorted by address | SORTED_RECIPS | 2.925 1.800 1.972 1.125 |
| header | Similar addresses in recipient list | SUSPICIOUS_RECIPS | 3.199 3.196 2.299 2.912 |
| header | Missing To: header | MISSING_HEADERS | 1.899 1.581 1.500 1.292 |
| header | Received: says mail sent around the world (HELO) | ROUND_THE_WORLD_LOCAL | 2.699 2.696 2.700 2.696 |
| header | Date: is 3 to 6 hours before Received: date | DATE_IN_PAST_03_06 | 2.299 1.394 1.306 0.044 |
| header | Date: is 6 to 12 hours before Received: date | DATE_IN_PAST_06_12 | 2.504 1.854 1.499 1.069 |
| header | Date: is 12 to 24 hours before Received: date | DATE_IN_PAST_12_24 | 2.499 1.770 1.503 0.992 |
| header | Date: is 24 to 48 hours before Received: date | DATE_IN_PAST_24_48 | 2.300 1.627 1.498 1.219 |
| header | Date: is 96 hours or more before Received: date | DATE_IN_PAST_96_XX | 2.952 2.320 1.800 1.690 |
| header | Date: is 3 to 6 hours after Received: date | DATE_IN_FUTURE_03_06 | 2.303 0.416 1.461 0.274 |
| header | Date: is 6 to 12 hours after Received: date | DATE_IN_FUTURE_06_12 | 3.099 3.099 2.136 1.897 |
| header | Date: is 12 to 24 hours after Received: date | DATE_IN_FUTURE_12_24 | 3.300 3.299 3.000 2.189 |
| header | Date: is 24 to 48 hours after Received: date | DATE_IN_FUTURE_24_48 | 3.599 2.800 3.599 3.196 |
| header | Date: is 48 to 96 hours after Received: date | DATE_IN_FUTURE_48_96 | 3.199 3.182 3.199 3.199 |
| header | Date: is 96 hours or more after Received: date | DATE_IN_FUTURE_96_XX | 3.899 3.899 2.598 1.439 |
| header | Headers contain an unresolved template | UNRESOLVED_TEMPLATE | 2.801 3.325 3.499 3.132 |
| header | Subject is all capitals | SUBJ_ALL_CAPS | 2.299 1.806 1.926 2.077 |
| header | Local part of To: address appears in Subject | LOCALPART_IN_SUBJECT | 2.499 2.497 1.641 2.020 |
| header | Message-Id is fake (in Outlook Express format) | MSGID_OUTLOOK_INVALID | 2.899 2.896 2.899 2.899 |
| header | Multiple Content-Type headers found | HEADER_COUNT_CTYPE | 2.699 0.671 2.390 3.026 |
| header | Message headers are very long | HEAD_LONG | 2.5 |
| header | Missing blank line between message header and body | MISSING_HB_SEP | 2.5 |
| header | Informational: message has unparseable relay lines | UNPARSEABLE_RELAY | 0.001 |
| header | Received: HELO and IP do not match, but should | RCVD_HELO_IP_MISMATCH | 2.401 2.320 2.627 2.837 |
| header | Received: contains an IP address used for HELO | RCVD_NUMERIC_HELO | 2.599 2.599 2.272 2.067 |
| header | Received: contains illegal IP address | RCVD_ILLEGAL_IP | 3.199 3.196 2.902 1.908 |
| header | Host HELO'd as a big ISP, but had no rDNS | NO_RDNS_DOTCOM_HELO | 2.411 0.799 0.000 0.001 |
| rawbody | Javascript to hide URLs in browser | HIDE_WIN_STATUS | 2.499 2.213 2.499 2.499 |
| body | HTML included in message | HTML_MESSAGE | 0.001 |
| body | HTML comment is very short | HTML_COMMENT_SHORT | 0.001 0.001 0.032 0.727 |
| body | HTML message is a saved web page | HTML_COMMENT_SAVED_URL | 1.677 1.820 0.492 0.114 |
| body | HTML with embedded plugin object | HTML_EMBEDS | 1.083 0.440 0.001 0.056 |
| body | HTML contains far too many close tags | HTML_EXTRA_CLOSE | 1.041 1.089 2.502 2.809 |
| body | HTML font size is large | HTML_FONT_SIZE_LARGE | 0.147 0.001 0.001 0.001 |
| body | HTML font size is huge | HTML_FONT_SIZE_HUGE | 0.804 0.389 0.001 0.057 |
| body | HTML font color similar to background | HTML_FONT_LOW_CONTRAST | 0.131 0.543 0.663 0.124 |
| body | HTML font face is not a word | HTML_FONT_FACE_BAD | 0.923 0.606 0.650 0.884 |
| body | HTML includes a form which sends mail | HTML_FORMACTION_MAILTO | 1 |
| body | HTML: images with 0-400 bytes of words | HTML_IMAGE_ONLY_04 | 2.502 1.462 1.875 2.041 |
| body | HTML: images with 400-800 bytes of words | HTML_IMAGE_ONLY_08 | 2.554 2.432 2.045 1.787 |
| body | HTML: images with 800-1200 bytes of words | HTML_IMAGE_ONLY_12 | 2.552 2.245 2.779 2.460 |
| body | HTML: images with 1200-1600 bytes of words | HTML_IMAGE_ONLY_16 | 2.646 2.498 2.078 1.526 |
| body | HTML: images with 1600-2000 bytes of words | HTML_IMAGE_ONLY_20 | 2.401 1.808 1.500 1.546 |
| body | HTML: images with 2000-2400 bytes of words | HTML_IMAGE_ONLY_24 | 2.400 2.207 1.501 1.552 |
| body | HTML: images with 2400-2800 bytes of words | HTML_IMAGE_ONLY_28 | 2.500 1.519 2.115 1.561 |
| body | HTML: images with 2800-3200 bytes of words | HTML_IMAGE_ONLY_32 | 2.353 1.318 2.004 1.778 |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_02 | 1.518 0.550 0.573 0.383 |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_04 | 1.561 0.170 0.863 0.172 |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_06 | 0.401 0.001 0.501 0.001 |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_08 | 0.203 0.001 0.179 0.001 |
| body | Message is 5% to 10% HTML obfuscation | HTML_OBFUSCATE_05_10 | 0.638 0.572 0.000 0.001 |
| body | Message is 10% to 20% HTML obfuscation | HTML_OBFUSCATE_10_20 | 2.600 3.196 2.487 2.601 |
| body | Message is 20% to 30% HTML obfuscation | HTML_OBFUSCATE_20_30 | 3.199 2.747 3.199 3.196 |
| body | Message is 30% to 40% HTML obfuscation | HTML_OBFUSCATE_30_40 | 2.599 2.599 2.214 1.362 |
| body | Message is 50% to 60% HTML obfuscation | HTML_OBFUSCATE_50_60 | 1 |
| body | Message is 70% to 80% HTML obfuscation | HTML_OBFUSCATE_70_80 | 1 |
| body | Message is 90% to 100% HTML obfuscation | HTML_OBFUSCATE_90_100 | 1 |
| body | HTML has unbalanced "body" tags | HTML_TAG_BALANCE_BODY | 1.253 0.807 1.082 1.263 |
| body | HTML has unbalanced "head" tags | HTML_TAG_BALANCE_HEAD | 2.498 1.370 0.533 1.334 |
| body | HTML has "bgsound" tag | HTML_TAG_EXIST_BGSOUND | 1 |
| body | HTML message is 40% to 50% bad tags | HTML_BADTAG_40_50 | 1 |
| body | HTML message is 50% to 60% bad tags | HTML_BADTAG_50_60 | 1 |
| body | HTML message is 60% to 70% bad tags | HTML_BADTAG_60_70 | 1 |
| body | HTML message is 90% to 100% bad tags | HTML_BADTAG_90_100 | 1 |
| body | 30% to 40% of HTML elements are non-standard | HTML_NONELEMENT_30_40 | 1.024 1.775 0.074 0.001 |
| body | 40% to 50% of HTML elements are non-standard | HTML_NONELEMENT_40_50 | 0.322 0.001 1.707 0.944 |
| body | 60% to 70% of HTML elements are non-standard | HTML_NONELEMENT_60_70 | 1 |
| body | 80% to 90% of HTML elements are non-standard | HTML_NONELEMENT_80_90 | 1 |
| body | Message has HTML IFRAME tag with SRC URI | HTML_IFRAME_SRC | 0.001 0.001 0.000 0.043 |
| header | Envelope sender has no MX or A DNS records | NO_DNS_FOR_FROM | 0 1.407 0 1.496 |
| header | Received: says mail sent around the world (DNS) | ROUND_THE_WORLD | 1 |
| body | Removal phrase right before a link | REMOVE_BEFORE_LINK | 0.001 0.001 0.010 0.001 |
| body | One hundred percent guaranteed | GUARANTEED_100_PERCENT | 0.571 0.965 0.001 0.012 |
| body | Dear Friend? That's not very dear! | DEAR_FRIEND | 2.649 2.696 2.699 2.699 |
| body | Contains 'Dear (something)' | DEAR_SOMETHING | 2.799 2.234 1.721 1.605 |
| body | Talks about lots of money | BILLION_DOLLARS | 2.658 0.001 1.603 1.875 |
| body | Claims you can be removed from the list | EXCUSE_4 | 1.999 1.934 0.001 1.336 |
| body | Claims you wanted this ad | EXCUSE_24 | 2.599 2.599 2.600 2.596 |
| body | Talks about how to be removed from mailings | EXCUSE_REMOVE | 2.999 1.477 2.999 0.001 |
| body | Tells you about a strong buy | STRONG_BUY | 3.599 2.478 2.623 2.488 |
| body | Offers an alert about a stock | STOCK_ALERT | 2.899 2.889 2.899 2.897 |
| body | Not registered investment advisor | NOT_ADVISOR | 1 |
| body | 'Prestigious Non-Accredited Universities' | PREST_NON_ACCREDITED | 1 |
| body | Information on growing body parts | BODY_ENHANCEMENT | 1.799 1.608 1.499 0.309 |
| body | Information on getting larger body parts | BODY_ENHANCEMENT2 | 1.659 0.714 0.122 0.001 |
| body | Impotence cure | IMPOTENCE | 2.608 1.678 2.862 1.886 |
| body | Talks about a million North American dollars | NA_DOLLARS | 2.385 1.129 1.506 1.329 |
| body | Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN) | US_DOLLARS_3 | 2.342 1.165 1.046 0.630 |
| body | Talks about millions of dollars | MILLION_USD | 2.391 1.777 1.501 1.528 |
| body | Contains urgent matter | URG_BIZ | 2.384 0.667 1.511 1.585 |
| body | Money back guarantee | MONEY_BACK | 0.939 0.001 0.001 0.001 |
| body | Free express or no-obligation quote | FREE_QUOTE_INSTANT | 2.500 2.499 1.499 1.496 |
| body | Eliminate Bad Credit | BAD_CREDIT | 2.602 0.325 1.500 0.001 |
| body | Home refinancing | REFINANCE_YOUR_HOME | 2.699 0.001 2.699 2.039 |
| body | Home refinancing | REFINANCE_NOW | 2.393 0.169 1.933 0.556 |
| body | No Medical Exams | NO_MEDICAL | 1 |
| body | Lose Weight Spam | DIET_1 | 2.472 0.336 1.442 0.083 |
| body | Freedom of a financial nature | FIN_FREE | 2.599 2.599 2.599 2.596 |
| body | Stock Disclaimer Statement | FORWARD_LOOKING | 1 |
| body | One Time Rip Off | ONE_TIME | 1 |
| body | Join Millions of Americans | JOIN_MILLIONS | 1.398 1.807 2.912 1.777 |
| body | Claims you registered with a partner | MARKETING_PARTNERS | 2.599 2.355 1.614 1.295 |
| body | Lowest Price | LOW_PRICE | 1.903 1.159 0.743 0.001 |
| body | People just leave money laying around | UNCLAIMED_MONEY | 3.099 2.985 2.943 3.096 |
| body | Message seems to contain rot13ed address | OBSCURED_EMAIL | 1.899 0.012 0.000 0.001 |
| body | Talks about Oprah with an exclamation! | BANG_OPRAH | 1 |
| body | Talks about 'acting now' with capitals | ACT_NOW_CAPS | 0.948 0.001 1.259 0.792 |
| body | Talks about a bigger drive for sex | MORE_SEX | 3.699 2.321 1.631 1.183 |
| body | Something is emphatically guaranteed | BANG_GUAR | 2.002 1.237 1.500 0.939 |
| body | Message mentions investment advice | INVESTMENT_ADVICE | 0.001 0.001 0.421 0.042 |
| body | Message talks about enhancing men | MALE_ENHANCE | 2.600 2.596 2.599 2.596 |
| body | Message says that prices aren't too expensive | PRICES_ARE_AFFORDABLE | 2.195 0.001 2.444 0.001 |
| body | Message talks about a replica watch | REPLICA_WATCH | 3.399 3.396 3.399 3.396 |
| body | Message puts emphasis on the watch manufacturer | EM_ROLEX | 1 |
| body | Possible porn - Free Porn | FREE_PORN | 1 |
| body | Possible porn - Cum Shot | CUM_SHOT | 2.799 2.796 2.632 2.799 |
| body | Possible porn - Live Porn | LIVE_PORN | 1 |
| header | Subject indicates sexually-explicit content | SUBJECT_SEXUAL | 2.900 0.116 1.499 0.001 |
| header | Bulk email fingerprint (eGroups) found | RATWARE_EGROUPS | 2.673 2.379 3.181 2.001 |
| header | X-Mailer has malformed Outlook Express version | RATWARE_OE_MALFORMED | 0.581 2.095 2.624 2.927 |
| header | Bulk email fingerprint (Mozilla malformed) found | RATWARE_MOZ_MALFORMED | 1 |
| header | Bulk email fingerprint (mPOP Web-Mail) | RATWARE_MPOP_WEBMAIL | 1 |
| rawbody | Contains a hashbuster in Send-Safe format | RATWARE_HASH_DASH | 1 |
| header | Bulk email fingerprint (Gecko faked) found | RATWARE_GECKO_BUILD | 1 |
| header | Bulk email fingerprint (X-Message-Info) found | X_MESSAGE_INFO | 3.499 3.496 3.330 1.597 |
| header | Bulk email fingerprint (header-based) found | HEADER_SPAM | 3.399 3.396 3.399 3.396 |
| header | Bulk email fingerprint (Received PF) found | RATWARE_RCVD_PF | 3.899 3.895 3.900 3.847 |
| header | Bulk email fingerprint (Received @) found | RATWARE_RCVD_AT | 1.918 0.650 1.741 0.213 |
| header | Bulk email fingerprint (envfrom) found | RATWARE_EFROM | 3.799 3.795 3.799 1.529 |
| uri | `/^https?:\/\/[^\/]*\&\#(?:\d{4,}\|[3456789]\d\d);/i` | HIGH_CODEPAGE_URI | 2.5 |
| uri | Uses a numeric IP address in URL | NUMERIC_HTTP_ADDR | 0.919 0.001 0.312 0.001 |
| uri | Uses %-escapes inside a URL's hostname | HTTP_ESCAPED_HOST | 0.001 0.001 0.071 0.134 |
| uri | Completely unnecessary %-escapes inside a URL | HTTP_EXCESSIVE_ESCAPES | 2.701 0.964 1.500 0.001 |
| uri | Dotted-decimal IP address followed by CGI | IP_LINK_PLUS | 0.000 0.001 0.001 0.001 |
| uri | Uses non-standard port number for HTTP | WEIRD_PORT | 1.599 1.499 1.089 0.001 |
| uri | Has Yahoo Redirect URI | YAHOO_RD_REDIR | 0.001 0.000 3.000 0.000 |
| uri | Has Yahoo Redirect URI | YAHOO_DRS_REDIR | 1.007 0.313 1.189 1.103 |
| uri | Contains an URL-encoded hostname (HTTP77) | HTTP_77 | 3.199 0.001 3.199 1.414 |
| uri | URI contains ".com" in middle | SPOOF_COM2OTH | 2.840 0.848 1.996 2.044 |
| uri | URI contains ".com" in middle and end | SPOOF_COM2COM | 0.001 0.341 2.051 2.272 |
| uri | URI contains ".net" or ".org", then ".com" | SPOOF_NET2COM | 2.899 2.896 2.037 1.586 |
| uri | URI hostname has long hexadecimal sequence | URI_HEX | 1.777 1.316 1.395 0.368 |
| uri | URI hostname has long non-vowel sequence | URI_NOVOWEL | 2.899 2.543 1.764 1.620 |
| uri | URI contains suspicious unsubscribe link | URI_UNSUBSCRIBE | 2.794 3.092 1.538 2.737 |
| uri | CGI in .info TLD other than third-level "www" | URI_NO_WWW_INFO_CGI | 2.720 0.601 3.138 1.043 |
| uri | CGI in .biz TLD other than third-level "www" | URI_NO_WWW_BIZ_CGI | 1 |
| uri | Uses a dotted-decimal IP address in URL | NORMAL_HTTP_TO_IP | 0.101 0.001 0.001 0.001 |
| body | Bayesian spam probability is 0 to 1% | BAYES_00 | 0 0 -2.312 -2.599 |
| body | Bayesian spam probability is 1 to 5% | BAYES_05 | 0 0 -1.110 -1.110 |
| body | Bayesian spam probability is 5 to 20% | BAYES_20 | 0 0 -0.740 -0.740 |
| body | Bayesian spam probability is 20 to 40% | BAYES_40 | 0 0 -0.185 -0.185 |
| body | Bayesian spam probability is 40 to 60% | BAYES_50 | 0 0 0.001 0.001 |
| body | Bayesian spam probability is 60 to 80% | BAYES_60 | 0 0 1.0 1.0 |
| body | Bayesian spam probability is 80 to 95% | BAYES_80 | 0 0 2.0 2.0 |
| body | Bayesian spam probability is 95 to 99% | BAYES_95 | 0 0 3.0 3.0 |
| body | Bayesian spam probability is 99 to 100% | BAYES_99 | 0 0 3.5 3.5 |
| header | Message would have been caught by accessdb | ACCESSDB | 1 |
| body | Message includes Microsoft executable program | MICROSOFT_EXECUTABLE | 0.100 |
| body | MIME filename does not match content | MIME_SUSPECT_NAME | 0.100 |
| full | Listed in DCC (http://rhyolite.com/anti-spam/dcc/) | DCC_CHECK | 0 1.37 0 2.17 |
| header | Domain Keys Identified Mail: message has a signature | DKIM_SIGNED | 0.001 |
| header | Domain Keys Identified Mail: signature passes verification | DKIM_VERIFIED | -0.001 |
| header | Domain Keys Identified Mail: policy says domain is testing DK | DKIM_POLICY_TESTING | 0.001 |
| header | Domain Keys Identified Mail: policy says domain signs some mails | DKIM_POLICY_SIGNSOME | 0.001 |
| header | Domain Keys Identified Mail: policy says domain signs all mails | DKIM_POLICY_SIGNALL | 0.001 |
| header | Domain Keys: message has a signature | DK_SIGNED | 0.001 |
| header | Domain Keys: signature passes verification | DK_VERIFIED | -0.001 |
| header | Domain Keys: policy says domain is testing DK | DK_POLICY_TESTING | 0.001 |
| header | Domain Keys: policy says domain signs some mails | DK_POLICY_SIGNSOME | 0.001 |
| header | Domain Keys: policy says domain signs all mails | DK_POLICY_SIGNALL | 0.001 |
| header | Contains valid Hashcash token (20 bits) | HASHCASH_20 | -0.500 |
| header | Contains valid Hashcash token (21 bits) | HASHCASH_21 | -0.700 |
| header | Contains valid Hashcash token (22 bits) | HASHCASH_22 | -1.000 |
| header | Contains valid Hashcash token (23 bits) | HASHCASH_23 | -2.000 |
| header | Contains valid Hashcash token (24 bits) | HASHCASH_24 | -3.000 |
| header | Contains valid Hashcash token (25 bits) | HASHCASH_25 | -4.000 |
| header | Contains valid Hashcash token (>25 bits) | HASHCASH_HIGH | -5.000 |
| header | Hashcash token already spent in another mail | HASHCASH_2SPEND | 0.100 |
| full | Listed in Pyzor (http://pyzor.sf.net/) | PYZOR_CHECK | 0 2.834 0 3.700 |
| full | Listed in Razor2 (http://razor.sf.net/) | RAZOR2_CHECK | 0 0.5 0 0.5 |
| full | Razor2 gives confidence level above 50% | RAZOR2_CF_RANGE_51_100 | 0 0.5 0 0.5 |
| full | Razor2 gives engine 4 confidence level above 50% | RAZOR2_CF_RANGE_E4_51_100 | 0 1.5 0 1.5 |
| full | Razor2 gives engine 8 confidence level above 50% | RAZOR2_CF_RANGE_E8_51_100 | 0 1.5 0 1.5 |
| header | Attempt to obfuscate words in Subject: | SUBJECT_FUZZY_MEDS | 3.800 2.812 3.799 3.799 |
| header | Attempt to obfuscate words in Subject: | SUBJECT_FUZZY_CHEAP | 1 |
| header | Attempt to obfuscate words in Subject: | SUBJECT_FUZZY_PENIS | 3.099 1.308 3.100 3.096 |
| header | Attempt to obfuscate words in Subject: | SUBJECT_FUZZY_TION | 1.100 0.410 0.749 0.156 |
| body | Attempt to obfuscate words in spam | FUZZY_AFFORDABLE | 1 |
| body | Attempt to obfuscate words in spam | FUZZY_AMBIEN | 1.520 0.962 0.195 1.026 |
| body | Attempt to obfuscate words in spam | FUZZY_BILLION | 1 |
| body | Attempt to obfuscate words in spam | FUZZY_CPILL | 0.001 |
| body | Attempt to obfuscate words in spam | FUZZY_CREDIT | 1.696 0.522 0.740 1.238 |
| body | Attempt to obfuscate words in spam | FUZZY_ERECT | 2.529 0.708 1.736 0.804 |
| body | Attempt to obfuscate words in spam | FUZZY_GUARANTEE | 2.496 0.962 2.899 1.252 |
| body | Attempt to obfuscate words in spam | FUZZY_MEDICATION | 0.307 0.001 2.637 2.717 |
| body | Attempt to obfuscate words in spam | FUZZY_MILLION | 2.173 2.325 1.797 2.529 |
| body | Attempt to obfuscate words in spam | FUZZY_MONEY | 2.799 2.796 2.799 2.799 |
| body | Attempt to obfuscate words in spam | FUZZY_MORTGAGE | 3.299 3.296 3.036 1.880 |
| body | Attempt to obfuscate words in spam | FUZZY_OBLIGATION | 2.799 2.796 2.799 2.469 |
| body | Attempt to obfuscate words in spam | FUZZY_OFFERS | 3.299 1.032 2.199 1.246 |
| body | Attempt to obfuscate words in spam | FUZZY_PHARMACY | 2.999 2.999 2.090 1.704 |
| body | Attempt to obfuscate words in spam | FUZZY_PHENT | 1 |
| body | Attempt to obfuscate words in spam | FUZZY_PRESCRIPT | 2.699 2.644 1.704 1.604 |
| body | Attempt to obfuscate words in spam | FUZZY_PRICES | 2.801 2.458 1.665 1.304 |
| body | Attempt to obfuscate words in spam | FUZZY_REFINANCE | 2.102 0.001 0.505 0.001 |
| body | Attempt to obfuscate words in spam | FUZZY_REMOVE | 1 |
| body | Attempt to obfuscate words in spam | FUZZY_ROLEX | 1 |
| body | Attempt to obfuscate words in spam | FUZZY_SOFTWARE | 2.797 2.860 3.169 3.471 |
| body | Attempt to obfuscate words in spam | FUZZY_THOUSANDS | 1 |
| body | Attempt to obfuscate words in spam | FUZZY_VLIUM | 0.001 |
| body | Attempt to obfuscate words in spam | FUZZY_VIOXX | 1 |
| body | Attempt to obfuscate words in spam | FUZZY_VPILL | 1.004 0.001 0.480 0.687 |
| body | Attempt to obfuscate words in spam | FUZZY_XPILL | 3.399 3.314 1.549 1.746 |
| header | SPF: sender matches SPF record | SPF_PASS | -0.001 |
| header | SPF: sender does not match SPF record (neutral) | SPF_NEUTRAL | 2.199 1.210 0.756 0.686 |
| header | SPF: sender does not match SPF record (fail) | SPF_FAIL | 2.600 0.992 1.669 0.693 |
| header | SPF: sender does not match SPF record (softfail) | SPF_SOFTFAIL | 2.301 0.654 0.698 0.596 |
| header | SPF: HELO matches SPF record | SPF_HELO_PASS | -0.001 |
| header | SPF: HELO does not match SPF record (neutral) | SPF_HELO_NEUTRAL | 2.231 2.000 0.744 0.576 |
| header | SPF: HELO does not match SPF record (fail) | SPF_HELO_FAIL | 2.298 0.365 0.540 0.001 |
| header | SPF: HELO does not match SPF record (softfail) | SPF_HELO_SOFTFAIL | 2.599 1.533 1.427 0.841 |
| body | Message written in an undesired language | UNWANTED_LANGUAGE_BODY | 2.800 |
| body | Body includes 8 consecutive 8-bit characters | BODY_8BITS | 1.500 |
| body | Contains an URL listed in the SBL blocklist | URIBL_SBL | 0 2.468 0 1.499 |
| body | Contains an URL listed in the SC SURBL blocklist | URIBL_SC_SURBL | 0 2.523 0 0.474 |
| body | Contains an URL listed in the WS SURBL blocklist | URIBL_WS_SURBL | 0 2.100 0 1.500 |
| body | Contains an URL listed in the PH SURBL blocklist | URIBL_PH_SURBL | 0 2.035 0 1.787 |
| body | Contains an URL listed in the OB SURBL blocklist | URIBL_OB_SURBL | 0 2.132 0 1.500 |
| body | Contains an URL listed in the AB SURBL blocklist | URIBL_AB_SURBL | 0 1.613 0 1.860 |
| body | Contains an URL listed in the JP SURBL blocklist | URIBL_JP_SURBL | 0 2.857 0 1.501 |
| body | Contains an URL listed in the URIBL blacklist | URIBL_BLACK | 0 1.961 0 1.955 |
| body | Contains an URL listed in the URIBL greylist | URIBL_GREY | 0.25 |
| body | Contains an URL listed in the URIBL redlist | URIBL_RED | 0.001 |
| header | From: address is in the auto white-list | AWL | 1 |
| header | From: address is in the user's black-list | USER_IN_BLACKLIST | 100.000 |
| header | From: address is in the user's white-list | USER_IN_WHITELIST | -100.000 |
| header | From: address is in the default white-list | USER_IN_DEF_WHITELIST | -15.000 |
| header | User is listed in 'blacklist_to' | USER_IN_BLACKLIST_TO | 10.000 |
| header | User is listed in 'whitelist_to' | USER_IN_WHITELIST_TO | -6.000 |
| header | User is listed in 'more_spam_to' | USER_IN_MORE_SPAM_TO | -20.000 |
| header | User is listed in 'all_spam_to' | USER_IN_ALL_SPAM_TO | -100.000 |
| header
|
From: address
is in the user's DK whitelist |
USER_IN_DK_WHITELIST |
-100.000
|
| header
|
From: address
is in the default DK white-list |
USER_IN_DEF_DK_WL |
-7.500
|
| header
|
From: address
is in the user's DKIM whitelist |
USER_IN_DKIM_WHITELIST |
-100.000
|
| header
|
From: address
is in the default DKIM white-list |
USER_IN_DEF_DKIM_WL |
-7.500
|
| header
|
From: address
is in the user's SPF whitelist |
USER_IN_SPF_WHITELIST |
-100.000
|
| header
|
From: address
is in the default SPF white-list |
USER_IN_DEF_SPF_WL |
-7.500
|
| header
|
Subject:
contains string in the user's white-list
|
SUBJECT_IN_WHITELIST |
-100
|
| header
|
Subject:
contains string in the user's black-list
|
SUBJECT_IN_BLACKLIST |
100 |
| header
|
From address
contains an apostrophe |
APOSTROPHE_FROM
|
0.002 0.001
1.597 0.001 |
| header
|
Message-Id =~
/^<[0-9]{12}\.[0-9]{12}\@/ |
AXB_XMID_1212
|
3.899 3.899
3.899 3.496 |
| header
|
Message-Id =~
/<[0-9A-F]{15}\.[0-9A-F]{10}\@/ |
AXB_XMID_1510
|
4.299 4.295
3.893 3.015 |
| header
|
Message-ID =~
/^<[0-9-a-f]{12}\$[0-9-a-f]{8}\$[0]{8}\@/ |
AXB_XMID_OEGOESNULL |
4.291 4.216
1.083 2.034 |
| header
|
Received =~
/\([123456790]{1,2}\.[0-9]{1,2}\.[0-9]{1}\/[0-9]{1,2}\.[0-9]{2}\.[0-9]{1}\)/
|
AXB_XM_SENDMAIL_NOT |
1 |
| header
|
Received =~
/\(8\.12\.3 da nor stuldap\/8\.12\.3\)/
|
AXB_XR_STULDAP
|
3.199 3.196
3.199 3.004 |
| header
|
Thread-Index =~
/(?:\*|\<\>|\)|\()/ |
AXB_XTIDX_CHAIN
|
1 |
| body
|
Talks about
banking laws |
BANKING_LAWS
|
3.099 3.096
2.900 2.002 |
| body
|
eval:check_base64_length('78','79') |
BASE64_LENGTH_78_79 |
3.699 3.699
3.133 2.783 |
| body
|
eval:check_base64_length('79') |
BASE64_LENGTH_79_INF |
3.900 2.763
2.962 1.496 |
| body
|
/^\xEF\xBB\xBFMessage-ID:/ |
BROKEN_RATWARE_BOM |
2.699 2.267
2.440 2.473 |
| header
|
Content-Type =~
/multipart.{0,200}boundary=\"----=_NextPart_000_0001_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
|
CTYPE_001C_A
|
2.299 2.319
1.500 1.498 |
| header
|
Content-Type =~
/multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
|
CTYPE_001C_B
|
1 |
| body
|
/\bCurrent
Price:/ |
CURR_PRICE
|
4.161 2.659
1.412 1.588 |
| body
|
/\bdear.{1,20}winner/i |
DEAR_WINNER
|
3.199 3.196
3.199 3.197 |
| full
|
/<DIV
align=3Dcenter><A href=3D=\n/ |
DIV_CENTER_A_HREF |
3.799 3.795
3.799 2.590 |
| header
|
Sender from new
domain (Day Old Bread) |
DNS_FROM_DOB
|
0 0.341 0 0.732
|
| header
|
Envelope sender
listed in bl.open-whois.org. |
DNS_FROM_OPENWHOIS |
0 2.431 0 1.130
|
| body
|
Provision for
income taxes |
DOS_PROVISION4
|
1.5 |
| body
|
Report of
financial income |
DOS_REPORT_FIN_INC |
0.5 |
| body
|
Pump and dump
stock spam |
DOS_STOCK_CDYV_GENERIC |
2.5 |
| uri
|
Found an
asterisk in a URI |
DOS_URI_ASTERISK |
1 |
| header
|
Subject =~
/\bhoodia\b/i |
DRUGS_HDIA
|
2.529 2.501
2.483 2.697 |
| body
|
Add / Gain
inches |
FB_ADD_INCHES
|
2.999 2.999
2.620 2.131 |
| body
|
It's almost
sex, but not! |
FB_ALMOST_SEX
|
3.099 3.096
2.841 2.110 |
| body
|
Broken AnaTrim
phrase. |
FB_ANA_TRIM
|
3.999 3.995
3.797 3.764 |
| body
|
Phrase: A_U_N_I
|
FB_ANUI
|
0.431 1.618
2.634 0.823 |
| body
|
Phrase:
[BM]Illi0n |
FB_BILLI0N
|
1 |
| body
|
Phrase: C0mpany
|
FB_C0MPANY
|
2.799 2.106
2.799 2.455 |
| body
|
Phrase: can
last longer |
FB_CAN_LONGER
|
1.403 1.309
0.474 0.442 |
| body
|
Uses a
mis-spelled version of cialis. |
FB_CIALIS_LEO3
|
2.628 2.815
3.001 1.441 |
| body
|
Looks like
double 0 words |
FB_DOUBLE_0WORDS |
3.599 3.595
3.599 3.533 |
| body
|
Phrase: email
hier |
FB_EMAIL_HIER
|
0.342 1.203
2.941 2.189 |
| body
|
Phrase: extra
inches |
FB_EXTRA_INCHES
|
1.234 3.096
2.081 2.442 |
| body
|
Looks like
numbers with O's instead of 0's |
FB_FAKE_NUMBERS
|
1 |
| body
|
Looks like fake
numbers (4) |
FB_FAKE_NUMS4
|
1 |
| body
|
Phrase: Farmacy
|
FB_FHARMACY
|
3.699 3.695
2.819 3.576 |
| body
|
Phrase: forward
look with 0's |
FB_FORWARD_LOOK
|
0.000 0.000
3.000 1.000 |
| body
|
Too much
spacing in Address |
FB_GAPPY_ADDRESS |
3.399 3.399
3.399 2.674 |
| body
|
Looks like
trying to sell meds |
FB_GET_MEDS
|
3.599 1.097
1.501 0.803 |
| body
|
Looks like
generic viagra |
FB_GVR
|
0.469 0.001
0.001 0.127 |
| body
|
Phrase hey bro,
|
FB_HEY_BRO_COMMA |
3.099 2.783
3.099 2.331 |
| body
|
Phrase: HGH
|
FB_HG_H_CAP
|
1.885 0.887
0.007 0.274 |
| body
|
Phrase $
x home loan |
FB_HOMELOAN
|
2.487 2.014
2.003 0.710 |
| body
|
Phrase: impress
... girl |
FB_IMPRESS_GIRL
|
2.197 1.757
1.964 2.581 |
| body
|
Phrase:
Increase your energy |
FB_INCREASE_YOUR |
3.399 3.396
3.399 3.396 |
| body
|
Phrase:
independent reward |
FB_INDEPEND_RWD
|
3.599 3.599
3.600 3.595 |
| body
|
Phrase: L0an
|
FB_L0AN
|
1 |
| body
|
Special people
leave special signs! |
FB_LETTERS_21B
|
3.999 3.999
3.999 3.995 |
| body
|
Phrase: lower
your monthly payments |
FB_LOWER_PAYM
|
3.000 2.996
2.999 2.996 |
| body
|
Phrase: Med1cat
|
FB_MED1CAT
|
1 |
| body
|
Talks about
meds and % |
FB_MEDS_PERCENT
|
1 |
| body
|
Phrase: more
size |
FB_MORE_SIZE
|
1.166 1.422
2.013 0.397 |
| body
|
Looks like a
fake phone number (1) |
FB_NOT_PHONE_NUM1 |
2.600 2.599
2.599 2.596 |
| body
|
Looks like a
fake phone number (3) |
FB_NOT_PHONE_NUM3 |
2.599 2.596
2.599 2.599 |
| body
|
Looks like
school but it's not! |
FB_NOT_SCHOOL
|
3.099 2.312
1.868 2.961 |
| body
|
Phrase: no
prescription needed. |
FB_NO_SCRIP_NEEDED |
3.088 2.458
2.403 3.228 |
| body
|
Speaks of
teenager. |
FB_NUMYO
|
2.400 2.397
2.399 2.397 |
| body
|
Speaks of 20+
year old. |
FB_NUMYO2
|
1 |
| body
|
Looks like
money but has odd spacing. |
FB_ODD_SPACED_MONEY |
2.303 2.723
2.697 1.959 |
| body
|
Mis-spelled
online |
FB_ONIINE
|
1 |
| body
|
Phrase: p1ll
|
FB_P1LL
|
0.467 1.088
1.552 1.814 |
| body
|
Phrase: penis
growth |
FB_PENIS_GROWTH
|
1 |
| body
|
Phrase: Dollar,
with pipes or 0's. |
FB_PIPEDOLLAR
|
2.599 2.430
2.599 2.599 |
| body
|
Looks like
illion, but it's not |
FB_PIPE_ILLION
|
1 |
| body
|
Talks about
prolonged hardness |
FB_PROLONGED_HARD |
1 |
| body
|
Phrase: quality
replica |
FB_QUALITY_REPLICA |
3.899 3.899
3.899 2.949 |
| body
|
Refcode with
spacing |
FB_REF_CODE_SPACE |
3.599
|
| body
|
Phrase: REPLICA
|
FB_REPLIC_CAP
|
4.000 3.995
3.567 3.242 |
| body
|
Looks like
refi. |
FB_RE_FI
|
2.699 2.696
2.699 2.696 |
| body
|
Phrase: Roller
is th |
FB_ROLLER_IS_T
|
1 |
| body
|
Phrase: rolx
|
FB_ROLX
|
0.000 0.000
3.000 1.000 |
| body
|
Phrase: Softabs
|
FB_SOFTTABS
|
4.299 4.281
4.064 3.513 |
| body
|
Phrase: F R E E
|
FB_SPACED_FREE
|
1 |
| body
|
Phone number
with -- spacing. (B) |
FB_SPACED_PHN_3B |
2.899 2.896
2.899 2.896 |
| body
|
Looks like a s
p a c e d zipcode. |
FB_SPACEY_ZIP
|
2.687 1.785
3.099 1.680 |
| body
|
Phrase: SPUR-M
|
FB_SPUR_M
|
1 |
| body
|
Phrase: ssex
|
FB_SSEX
|
2.019 2.001
2.556 2.489 |
| body
|
Looks like
stocks exploding. |
FB_STOCK_EXPLODE |
2.699 2.696
1.927 1.833 |
| body
|
Mis-spelled
symbol. |
FB_SYMBLO
|
1 |
| body
|
Phrase: this
advertiser |
FB_THIS_ADVERT
|
1 |
| body
|
Phrase:
thousand personal |
FB_THOUS_PERSONAL |
0.000 0.000
3.000 1.000 |
| body
|
Phrase: to stop
further distribution |
FB_TO_STOP_DISTRO |
3.099 3.096
3.099 3.096 |
| body
|
Phrase: Ultra
Allure |
FB_ULTRA_ALLURE
|
2.999 2.841
2.374 2.999 |
| body
|
Phrase: lock to
your girlfriend |
FB_UNLOCK_YOUR_G |
2.699 2.696
2.618 2.002 |
| body
|
Pattern
Replacement PROV_D |
FB_UNRESOLV_PROV |
1.606 1.132
2.429 0.765 |
| body
|
Looks like a
word ending with a $ |
FB_WORD1_END_DOLLAR |
1 |
| body
|
Phrase:
yourself master |
FB_YOURSELF_MASTER |
0.421 1.248
1.557 2.011 |
| body
|
Phrase: Your
refi |
FB_YOUR_REFI
|
2.701 3.306
3.300 3.518 |
| header
|
Bad X-Mailer
version |
FH_BAD_OEV1441
|
0.974 2.393
2.440 2.401 |
| header
|
The date is not
19xx. |
FH_DATE_IS_19XX
|
1.947 1.970
2.512 2.199 |
| header
|
The date is
grossly in the future. |
FH_DATE_PAST_20XX |
2.075 3.384
3.554 3.188 |
| header
|
RCVD line looks
faked (A) |
FH_FAKE_RCVD_LINE |
2.230 2.215
2.670 2.470 |
| header
|
E-mail address
doesn't have TLD (.com, etc.) |
FH_FROMEML_NOTLD |
2.699 2.196
2.699 2.696 |
| header
|
From name has
"cash" |
FH_FROM_CASH
|
2.999 2.996
2.999 2.996 |
| header
|
From name says
Get |
FH_FROM_GET_NAME |
1 |
| header
|
From name is
giveaway. |
FH_FROM_GIVEAWAY |
2.799 2.796
2.799 1.597 |
| header
|
From has
Hoodia!!? |
FH_FROM_HOODIA
|
2.699 2.696
2.699 2.696 |
| header
|
Has X-AIMC-AUTH
header |
FH_HAS_XAIMC
|
2.699 2.699
2.699 2.696 |
| header
|
Has X-ID
|
FH_HAS_XID
|
2.400 2.399
2.399 2.397 |
| header
|
Helo is almost
an IP addr. |
FH_HELO_ALMOST_IP |
3.222 3.727
3.463 3.565 |
| header
|
Helo ends with
a dot. |
FH_HELO_ENDS_DOT |
3.599 3.020
1.395 2.308 |
| header
|
Helo is 6-10
hex chr's. |
FH_HELO_EQ_610HEX |
4.099 4.099
4.099 4.095 |
| header
|
Helo is d-d-d-d
charter.com |
FH_HELO_EQ_CHARTER |
0.359 1.258
1.495 1.044 |
| header
|
Helo is d-d-d-d
|
FH_HELO_EQ_D_D_D_D |
2.399 0.498
0.561 0.001 |
| header
|
Faked helo of
gmail-smtp-in |
FH_HELO_GMAILSMTP |
1 |
| header
|
The host almost
looks like an IP addr. |
FH_HOST_ALMOST_IP |
4.099 3.791
2.170 1.751 |
| header
|
Host is
dynamicip |
FH_HOST_EQ_DYNAMICIP |
0.964 3.097
3.103 4.058 |
| header
|
Host starts
with d-d-d-d |
FH_HOST_EQ_D_D_D_D |
2.599 1.992
1.692 1.212 |
| header
|
Host is d-d-d-d
|
FH_HOST_EQ_D_D_D_DB |
0.102 0.095
0.055 0.223 |
| header
|
Host is
pacbell.net dsl |
FH_HOST_EQ_PACBELL_D |
0.005 0.893
1.479 1.670 |
| header
|
Host is
pool-.+verizon.net |
FH_HOST_EQ_VERIZON_P |
2.101 1.105
0.001 0.001 |
| header
|
Special MSGID
|
FH_MSGID_000000
|
4.399 4.299
2.809 3.236 |
| header
|
Special MSGID
|
FH_MSGID_01C67
|
3.299 0.495
1.500 0.001 |
| header
|
MESSAGE ID seen
often!!! |
FH_MSGID_01C70XXX |
3.899 3.895
2.757 3.899 |
| header
|
Broken Replace
Template |
FH_MSGID_REPLACE |
1.282 2.079
2.223 2.512 |
| header
|
Common sign in
msg-id's 12/21/2006 |
FH_MSGID_XXBLAH
|
4.499 4.495
4.319 3.390 |
| header
|
Message-Id =
@xxx |
FH_MSGID_XXX
|
3.200 3.196
3.200 2.682 |
| header
|
Subject is Re:
new \d\d\d |
FH_RE_NEW_DDD
|
2.251 1.209
1.526 2.687 |
| header
|
Broken Replace
Template |
FH_XMAIL_REPLACE |
1.254 2.142
1.662 1.065 |
| header
|
Special
X-Mailer Version |
FH_XMAIL_RND_833 |
1 |
| header
|
Looks like Fake
Outlook? |
FM_XMAIL_F_OUT
|
4.199 4.199
2.643 1.815 |
| body
|
ReplaceTags:
Adobe |
FRT_ADOBE2
|
1 |
| body
|
ReplaceTags:
Bigger / Larger, Penis / Member |
FRT_BIGGERMEM1
|
0.000 0.001
1.205 1.782 |
| body
|
ReplaceTags:
Diploma |
FRT_DIPLOMA
|
1 |
| body
|
ReplaceTags:
Discount |
FRT_DISCOUNT
|
2.999 2.996
1.498 1.810 |
| body
|
ReplaceTags:
Dollar |
FRT_DOLLAR
|
2.529 2.596
2.133 2.366 |
| body
|
ReplaceTags:
Establish (2) |
FRT_ESTABLISH2
|
1 |
| body
|
ReplaceTags:
Fuck (2) |
FRT_FUCK2
|
1 |
| body
|
ReplaceTags:
Guarantee (1) |
FRT_GUARANTEE1
|
2.503 2.819
2.144 1.253 |
| body
|
ReplaceTags:
Investor |
FRT_INVESTOR
|
1 |
| body
|
ReplaceTags:
Levitra |
FRT_LEVITRA
|
0.001 0.745
1.685 1.814 |
| body
|
ReplaceTags:
Meeting |
FRT_MEETING
|
2.700 2.699
2.699 2.699 |
| body
|
ReplaceTags:
Offer (2) |
FRT_OFFER2
|
2.700 1.590
1.097 1.287 |
| body
|
ReplaceTags:
Oppertun (1) |
FRT_OPPORTUN1
|
1 |
| body
|
ReplaceTags:
Oppertun (2) |
FRT_OPPORTUN2
|
2.699 2.699
2.699 2.689 |
| body
|
ReplaceTags:
Penis |
FRT_PENIS1
|
3.799 3.074
3.002 2.486 |
| body
|
ReplaceTags:
Price |
FRT_PRICE
|
3.699 2.531
3.072 3.491 |
| body
|
ReplaceTags:
Refinance (1) |
FRT_REFINANCE1
|
2.799 2.727
0.994 0.921 |
| body
|
ReplaceTags:
Rolex |
FRT_ROLEX
|
3.099 3.096
3.099 3.096 |
| body
|
ReplaceTags:
Sexual |
FRT_SEXUAL
|
3.199 3.196
3.199 3.142 |
| body
|
ReplaceTags:
Soma |
FRT_SOMA
|
1 |
| body
|
ReplaceTags:
Soma (2) |
FRT_SOMA2
|
1 |
| body
|
ReplaceTags:
Strong (1) |
FRT_STRONG1
|
3.699 2.919
2.712 2.976 |
| body
|
ReplaceTags:
Strong (2) |
FRT_STRONG2
|
1.302 0.001
2.745 3.096 |
| body
|
ReplaceTags:
Symbol |
FRT_SYMBOL
|
1.902 3.561
2.587 2.943 |
| body
|
ReplaceTags:
Today (2) |
FRT_TODAY2
|
2.523 2.460
3.246 2.382 |
| body
|
ReplaceTags:
Valium |
FRT_VALIUM1
|
3.096 3.049
0.664 1.590 |
| body
|
ReplaceTags:
Valium (2) |
FRT_VALIUM2
|
1.903 1.933
1.328 1.301 |
| body
|
ReplaceTags:
Weight (2) |
FRT_WEIGHT2
|
2.529 2.930
3.099 2.121 |
| body
|
ReplaceTags:
Xanax (1) |
FRT_XANAX1
|
3.799 3.799
2.265 2.423 |
| body
|
ReplaceTags:
Xanax (2) |
FRT_XANAX2
|
0.001
|
| rawbody
|
Looks like 3
<e> small tags. |
FR_3TAG_3TAG
|
2.405 0.998
2.599 1.053 |
| rawbody
|
Almost looks
like viagra. |
FR_ALMOST_VIAG2
|
2.402 2.376
2.051 1.990 |
| rawbody
|
Phrase
class=cantseetext |
FR_CANTSEETEXT
|
1 |
| rawbody
|
Sign often seen
in spams |
FR_MIDER
|
1.233 1.706
0.792 2.068 |
| header
|
Subject says
"At No Cost" |
FS_AT_NO_COST
|
2.600 2.596
2.599 1.561 |
| header
|
Phrase: Cheap
in Caps in Subject. |
FS_CHEAP_CAP
|
0.001 0.001
0.005 0.001 |
| header
|
Subject talks
about money bonus! |
FS_DOLLAR_BONUS
|
2.699 2.696
2.699 2.673 |
| header
|
Phrase:
ejaculation in subject. |
FS_EJACULA
|
2.999 2.996
2.999 1.803 |
| header
|
Phrase:
erection in subject. |
FS_ERECTION
|
2.699 2.020
2.042 2.643 |
| header
|
Phrase: Huge
Cock |
FS_HUGECOCK
|
1 |
| header
|
Larger than
100% in subj. |
FS_LARGE_PERCENT2 |
2.999 1.037
2.363 0.412 |
| header
|
Phrase: lower
your |
FS_LOWER_YOUR
|
1 |
| header
|
Subject says
low rates |
FS_LOW_RATES
|
2.799 1.763
1.849 2.001 |
| header
|
Subj starts
with New software uploaded |
FS_NEW_SOFT_UPLOAD |
1.177 1.154
3.476 1.790 |
| header
|
Subject looks
like Fharmacy spams. |
FS_NEW_XXX
|
0.009 0.616
0.125 1.100 |
| header
|
Subject almost
says No prescription |
FS_NO_SCRIP
|
1.432 2.422
1.384 1.577 |
| header
|
what could this
word be? |
FS_OBFU_PRMCY
|
1.681 0.722
3.191 1.460 |
| header
|
Subject
mis-spelled prescription |
FS_PERSCRIPTION
|
1 |
| header
|
Looks like
Phramacy subject. |
FS_PHARMASUB2
|
3.899 3.895
3.899 3.896 |
| header
|
Subject says
Ramrod |
FS_RAMROD
|
1.076 2.820
2.317 2.777 |
| header
|
Subject says
"replica" |
FS_REPLICA
|
2.800 1.179
1.403 1.041 |
| header
|
Subject says
Replica watch |
FS_REPLICAWATCH
|
3.524 3.799
2.094 2.502 |
| header
|
Phrase: re
approved |
FS_RE_APPROV
|
1 |
| header
|
Subject starts
with Do you dream,have,want,love, etc.
|
FS_START_DOYOU2
|
3.099 3.099
3.099 3.097 |
| header
|
Subject starts
with Lose |
FS_START_LOSE
|
2.599 2.596
2.034 2.167 |
| header
|
Subject says
something bad about teens |
FS_TEEN_BAD
|
2.501 2.596
2.441 2.549 |
| header
|
Phrase: subject
= tip ddd |
FS_TIP_DDD
|
0.001 0.021
1.726 0.101 |
| header
|
Subject says
Weight Loss |
FS_WEIGHT_LOSS
|
1 |
| header
|
Subject says
will help |
FS_WILL_HELP
|
3.299 3.299
3.299 3.296 |
| header
|
Subject says
With ... small |
FS_WITH_SMALL
|
1 |
| body
|
/<inter
W3><post
P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
|
FUZZY_MERIDIA
|
0.001 0.778
1.936 2.374 |
| uri
|
Sub-dir seen
often in spam (2). |
FU_COMMON_SUBS2
|
2.403 2.057
2.136 1.498 |
| uri
|
Ends with
clk/d+.d+.d+ |
FU_ENDS_NUMS_DOTS_CLK |
3.200 3.196
3.199 3.196 |
| uri
|
ET Phone Home?
|
FU_END_ET
|
3.599 3.599
3.599 3.500 |
| uri
|
URL has hoodia
in it. |
FU_HOODIA
|
1.177 1.484
0.751 1.652 |
| uri
|
URL has a long
file name with .aspx extension. |
FU_LONG_QUERY3
|
1.662 0.001
1.649 0.001 |
| uri
|
URL has /gal/
|
FU_MIDER
|
3.767 2.024
1.458 1.110 |
| uri
|
URL with
[a-z]{2}.geocities.com |
FU_UKGEOCITIES
|
3.299 3.296
3.299 3.296 |
| uri
|
URI style
tracker (T) |
FU_URI_TRACKER_T |
3.899 3.895
2.400 3.193 |
| uri
|
/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
|
GEO_QUERY_STRING |
2.699 2.696
2.699 2.696 |
| header
|
Multiple
Subject headers found |
HEADER_COUNT_SUBJECT |
3.099 3.099
3.100 3.096 |
| header
|
X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=friend
/i |
HELO_FRIEND
|
0.001
|
| header
|
X-Spam-Relays-Untrusted =~ /^[^\]]+
helo=\S+\.(?:home|lan) /i |
HELO_LH_HOME
|
2.602 3.169
2.689 3.714 |
| header
|
X-Spam-Relays-Untrusted =~ /^[^\]]+
helo=localhost\.localdomain /i |
HELO_LH_LD
|
0.800 0.792
1.184 1.215 |
| header
|
X-Spam-Relays-Untrusted =~ /^[^\]]+
helo=localhost /i |
HELO_LOCALHOST
|
4.499 4.499
3.998 3.941 |
| header
|
X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=(?:pc|oem\S*) /i |
HELO_OEM
|
3.299 3.296
3.043 2.195 |
| body
|
Somebody has
uploaded some new software for you |
HS_BODY_UPLOADED_SOFTWARE |
0.043 1.992
2.046 2.658 |
| body
|
Contains a drug
and price-like pattern. |
HS_DRUG_DOLLAR_1 |
1.033 1.350
1.929 0.090 |
| body
|
Contains a drug
and price-like pattern. |
HS_DRUG_DOLLAR_2 |
0.304 1.119
2.748 1.617 |
| body
|
Contains a drug
and price-like pattern. |
HS_DRUG_DOLLAR_3 |
2.349 1.901
1.317 1.378 |
| uri
|
Links to common
unsubscribe script: 'getmeoff.php' |
HS_GETMEOFF
|
0.000 0.000
3.000 1.000 |
| uri
|
Link contains a
common tracker pattern. |
HS_INDEX_PARAM
|
0.001
|
| body
|
Talks about
meeting up for sex. |
HS_MEETUP_FOR_SEX |
0.000 0.000
3.000 1.000 |
| header
|
Subject starts
with 'New software uploaded by' |
HS_SUBJ_NEW_SOFTWARE |
1.118 0.253
2.395 3.599 |
| header
|
Subject
contains the phrase 'Online pharmaceutical'
|
HS_SUBJ_ONLINE_PHARMACEUTICAL |
0 0 0.001 0.001
|
| body
|
eval:check_https_http_mismatch('1','10')
|
HTTPS_HTTP_MISMATCH |
1 |
| header
|
Received =~ /by
\S+ \(Qmailv1\) with ESMTP/ |
JM_RCVD_QMAILV1
|
3.999 3.995
3.999 3.996 |
| body
|
/(?:OTC|OTCBB|OTC Pink Sheets):/is |
KAM_STOCKOTC
|
3.999 2.328
3.947 3.964 |
| body
|
/(?:Conforce
International|CFRI)/is |
KAM_STOCKTIP14
|
1 |
| body
|
/(?:Nano
Superlattice Technology|NSLT)/is |
KAM_STOCKTIP15
|
0.001
|
| body
|
/(?:PREMIER
INFORMATION|(^|\b)PIFR($|\b))/is
|
KAM_STOCKTIP20
|
1 |
| body
|
/(?:Harbin
Pingchuan|P G C N|PGCN)/is |
KAM_STOCKTIP21
|
1 |
| body
|
/(?:Remington
Ventures|RMVN)/is |
KAM_STOCKTIP4
|
1 |
| body
|
/(?:China World
Trade Corporation|CWTD)/is |
KAM_STOCKTIP6
|
1 |
| body
|
/long\W+term\W+(target|projected)(\W+price)?/i
|
LONG_TERM_PRICE
|
0.001 0.212
0.001 0.001 |
| body
|
A loop hole in
the banking laws? |
LOOPHOLE_1
|
2.188 2.474
2.623 2.210 |
| header
|
Date =~
/\s[+-]\d(?![2358]45)\d[124-9]\d$/
|
L_SPAM_TOOL_13
|
4.499 4.499
4.499 4.495 |
| header
|
Message-ID =~
/^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
|
MID_DEGREES
|
4.199 4.195
4.057 3.700 |
| header
|
Content-Type =~
/boundary="=====================_\d+==\.REL"/s
|
MIME_BOUND_EQ_REL |
0.123 0.845
2.457 2.832 |
| full
|
Message has NUL
(ASCII 0) byte in message |
NULL_IN_BODY
|
2.802 1.489
3.699 2.425 |
| header
|
Claims to be
sent by an unusual build of Outlook (3416)
|
OUTLOOK_3416
|
1.702 1.695
1.821 1.744 |
| header
|
Received =~
/\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*:<=>?\@\[\]^\`{|}~]|;\S)/ |
RCVD_BAD_ID
|
2.100 2.088
3.266 2.837 |
| header
|
Forged
'Received' header found ('wrote:' spam)
|
RCVD_FORGED_WROTE |
4.365 4.479
4.499 2.523 |
| header
|
Received =~
/from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+)
with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for
\S+@\1;/s |
RCVD_FORGED_WROTE2 |
2.052 2.736
1.391 4.325 |
| header
|
Sender listed
at http://www.dnswl.org/, high trust
|
RCVD_IN_DNSWL_HI |
0 -8 0 -8
|
| header
|
Sender listed
at http://www.dnswl.org/, low trust |
RCVD_IN_DNSWL_LOW |
0 -1 0 -1
|
| header
|
Sender listed
at http://www.dnswl.org/, medium trust
|
RCVD_IN_DNSWL_MED |
0 -4 0 -4
|
| header
|
Received via
relay in new domain (Day Old Bread) |
RCVD_IN_DOB
|
0 0.835 0 1.103
|
| header
|
IADB: Sender
publishes Domain Keys record |
RCVD_IN_IADB_DK
|
1 |
| header
|
IADB: All
mailing list mail is confirmed opt-in
|
RCVD_IN_IADB_DOPTIN |
0 -4 0 -4
|
| header
|
IADB: Confirmed
opt-in used more than 50% of the time
|
RCVD_IN_IADB_DOPTIN_GT50 |
1 |
| header
|
IADB: Confirmed
opt-in used less than 50% of the time
|
RCVD_IN_IADB_DOPTIN_LT50 |
1 |
| header
|
IADB:
Participates in Email Deliverability Database
|
RCVD_IN_IADB_EDDB |
0 -0.001 0
-0.293 |
| header
|
IADB: Member of
Email Processing Industry Alliance |
RCVD_IN_IADB_EPIA |
0 -0.135 0
-0.001 |
| header
|
IADB: Sender
has been certified by GoodMail |
RCVD_IN_IADB_GOODMAIL |
0 -0.001 0
-0.001 |
| header
|
Participates in
the IADB system |
RCVD_IN_IADB_LISTED |
0 -0.001 0
-0.001 |
| header
|
IADB: Adds
relationship addrs w/out opt-in |
RCVD_IN_IADB_LOOSE |
0 -0.001 0
-0.001 |
| header
|
IADB: Complies
with Michigan's CPEAR law |
RCVD_IN_IADB_MI_CPEAR |
0 -0.001 0
-0.001 |
| header
|
IADB: Checked
lists against Michigan's CPR within 30 days
|
RCVD_IN_IADB_MI_CPR_30 |
0 -0.001 0
-0.001 |
| header
|
IADB: Sends no
material under Michigan's CPR |
RCVD_IN_IADB_MI_CPR_MAT |
1 |
| header
|
IADB: Mailing
list email only, confirmed opt-in |
RCVD_IN_IADB_ML_DOPTIN |
0 -6 0 -6
|
| header
|
IADB: Has
absolutely no mailing controls in place
|
RCVD_IN_IADB_NOCONTROL |
0 -0.001 0
-0.001 |
| header
|
IADB:
One-to-one/transactional email only |
RCVD_IN_IADB_OOO |
1 |
| header
|
IADB: All
mailing list mail is opt-in |
RCVD_IN_IADB_OPTIN |
1 |
| header
|
IADB: Opt-in
used more than 50% of the time |
RCVD_IN_IADB_OPTIN_GT50 |
0 -0.499 0
-0.245 |
| header
|
IADB: Opt-in
used less than 50% of the time |
RCVD_IN_IADB_OPTIN_LT50 |
1 |
| header
|
IADB: Scrapes
addresses, pure opt-out only |
RCVD_IN_IADB_OPTOUTONLY |
0 -0.001 0
-0.001 |
| header
|
IADB: Sender
has reverse DNS record |
RCVD_IN_IADB_RDNS |
1 |
| header
|
IADB: Sender
publishes Sender ID record |
RCVD_IN_IADB_SENDERID |
0 -0.001 0
-0.001 |
| header
|
IADB: Sender
publishes SPF record |
RCVD_IN_IADB_SPF |
0 -0.001 0
-0.078 |
| header
|
IADB: Accepts
unverified sign-ups |
RCVD_IN_IADB_UNVERIFIED_1 |
0 -0.001 0
-0.001 |
| header
|
IADB: Accepts
unverified sign-ups, gives chance to opt out
|
RCVD_IN_IADB_UNVERIFIED_2 |
0 -0.001 0
-0.001 |
| header
|
IADB: Complies
with Utah's CPEAR law |
RCVD_IN_IADB_UT_CPEAR |
0 -0.001 0
-0.001 |
| header
|
IADB: Checked
lists against Utah's CPR within 30 days
|
RCVD_IN_IADB_UT_CPR_30 |
0 -0.001 0
-0.001 |
| header
|
IADB: Sends no
material under Utah's CPR |
RCVD_IN_IADB_UT_CPR_MAT |
1 |
| header
|
Forged Received
header (contains post.com or mail.com)
|
RCVD_MAIL_COM
|
1.082 1.452
2.532 0.930 |
| body
|
/short\W+term\W+(target|projected)(\W+price)?/i
|
SHORT_TERM_PRICE |
0.540 1.950
0.655 0.676 |
| header
|
Received =~ /
by \d+\.\d+\.\d+\.\d+
\(\d\.\d\d\.\d\/\d\.\d\d\.\d\) with SMTP id
[\dA-Za-z]+\;/ |
STOX_RCVD_N_NN_N |
1 |
| header
|
Content-Type =~
/text\/plain; .* reply-type=original/
|
STOX_REPLY_TYPE
|
0.001
|
| header
|
Received =~
/from 192.168.0.\d+ \(203-219-/ |
TEMPLATE_203_RCVD |
1 |
| header
|
Scora:
Message-Id ends after left-bracket + digits
|
TT_MSGID_TRUNC
|
0.001 1.874
1.924 1.364 |
| body
|
/\bact of
(?:193|nineteen thirty)/i |
TVD_ACT_193
|
2.273 3.420
3.499 2.622 |
| body
|
/you.{1,2}re
.{0,20}approved/i |
TVD_APPROVED
|
2.999 2.558
1.550 1.731 |
| body
|
/approved
.{0,20}loan/i |
TVD_APP_LOAN
|
1 |
| body
|
/^dear
homeowner/i |
TVD_DEAR_HOMEOWNER |
2.599 2.599
2.599 2.596 |
| header
|
EnvelopeFrom =~
/\'/ |
TVD_ENVFROM_APOST |
4.199 3.307
0.465 0.088 |
| header
|
Content-Type =~
/^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i |
TVD_FINGER_02
|
2.796 2.720
3.199 2.134 |
| rawbody
|
/\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
|
TVD_FLOAT_GENERAL |
3.599 1.114
0.591 0.001 |
| body
|
/<inter
W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
|
TVD_FUZZY_DEGREE |
1 |
| body
|
/(?!finance)<F><I><N><A><N><C><E>/i |
TVD_FUZZY_FINANCE |
1 |
| body
|
/<inter
W2><post P2>(?!fixed
rate)<F><I><X><E><D>\s+<R><A><T><E>/i
|
TVD_FUZZY_FIXED_RATE |
1 |
| body
|
/<inter
W2><post
P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
|
TVD_FUZZY_MICROCAP |
1 |
| body
|
/<inter
W2><post
P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
|
TVD_FUZZY_PHARMACEUTICAL |
1 |
| body
|
/<inter
W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i
|
TVD_FUZZY_SYMBOL |
3.099 1.435
2.086 1.699 |
| body
|
/\bsize of
.{1,20}(?:penis|dick|manhood)/i |
TVD_INCREASE_SIZE |
1 |
| body
|
/\blink to
save\b/i |
TVD_LINK_SAVE
|
1 |
| body
|
/\baccounts?
(?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i |
TVD_PH_BODY_ACCOUNTS_PRE |
1 |
| body
|
Message has a
phrase standard for phishing mails |
TVD_PH_REC
|
2.702 2.996
2.996 2.996 |
| body
|
Message has a
phrase standard for phishing mails |
TVD_PH_SEC
|
1 |
| header
|
Subject =~
/\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)|confirm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i
|
TVD_PH_SUBJ_ACCOUNTS_POST |
2.999 2.996
2.999 2.996 |
| header
|
Subject =~
/^urgent(?:[\s\W]*$|.{1,40}(?:alert|response|assistance|proposal|reply|warning|noti(?:ce|fication)|greeting|matter))/i
|
TVD_PH_SUBJ_URGENT |
2.616 2.102
2.799 2.797 |
| body
|
/\bquality
med(?:ication)?s\b/i |
TVD_QUAL_MEDS
|
2.626 4.123
2.647 3.568 |
| header
|
Content-Type =~
/\bboundary\b.{1,40}qzsoft_directmail_seperator/i
|
TVD_RATWARE_CB
|
2.839 2.914
2.465 2.645 |
| header
|
Content-Type =~
/\bboundary\s*=\s*"?-+\d+=+\.MRA/ |
TVD_RATWARE_CB_2 |
1 |
| header
|
Message-ID =~
/^[^<]*<[a-z]+\@/ |
TVD_RATWARE_MSGID_02 |
2.139 1.688
1.557 0.581 |
| header
|
Received =~
/^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
|
TVD_RCVD_IP
|
0.502 1.617
2.270 1.931 |
| header
|
Received =~
/^from\s+(?:\d+\.){3}\d+\s/ |
TVD_RCVD_IP4
|
4.099 3.344
2.901 3.183 |
| header
|
Received =~
/^from\s+(?!localhost)[^\s.a-z0-9-]+\s/
|
TVD_RCVD_SINGLE
|
2.999 0.303
2.999 1.351 |
| header
|
Received =~
/\(\[(?!UNIX:)[^\[\]]*\s/ |
TVD_RCVD_SPACE_BRACKET |
1 |
| body
|
/\bSection
(?:27A|21B)/i |
TVD_SECTION
|
2.956 3.317
1.541 3.499 |
| body
|
m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i |
TVD_SILLY_URI_OBFU |
1 |
| header
|
Subject =~
/^(?:(?:Re|Fw)[^:]{0,5}:
)?[A-Z]+[a-z]+[A-Z]+$/ |
TVD_SPACED_SUBJECT_WORD3 |
2.802 3.599
2.276 2.412 |
| body
|
eval:check_stock_info('2') |
TVD_STOCK1
|
4.199 3.792
4.199 3.753 |
| header
|
Subject has
spammy looking monetary reference |
TVD_SUBJ_ACC_NUM |
1 |
| header
|
Subject =~
/^\s*\*\s+(?:\w+\W+)+\*\s*$/
|
TVD_SUBJ_FINGER_03 |
1 |
| header
|
Subject =~
/^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i |
TVD_SUBJ_OWE
|
3.199 3.196
3.199 3.196 |
| header
|
Subject =~
/(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
|
TVD_SUBJ_WIPE_DEBT |
2.899 2.896
2.899 2.663 |
| body
|
/Online
Ph.rmacy/i |
TVD_VISIT_PHARMA |
2.297 0.001
0.001 0.001 |
| rawbody
|
/<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
|
TVD_VIS_HIDDEN
|
2.600 1.908
2.368 0.839 |
| body
|
URI in
combined-HIB.dnsiplists.completewhois.com
|
URIBL_COMPLETEWHOIS |
1 |
| body
|
Contains an URI
listed in abuse.rfc-ignorant.org |
URIBL_RHS_ABUSE
|
1 |
| body
|
Contains an URI
listed in rhsbl.ahbl.org. |
URIBL_RHS_AHBL
|
1 |
| body
|
Contains an URI
listed in bogusmx.rfc-ignorant.org |
URIBL_RHS_BOGUSMX |
1 |
| body
|
Contains an URI
of a new domain (Day Old Bread) |
URIBL_RHS_DOB
|
0 0.901 0 1.083
|
| body
|
Contains an URI
listed in dsn.rfc-ignorant.org |
URIBL_RHS_DSN
|
1 |
| body
|
Contains an URI
in postmaster.rfc-ignorant.org |
URIBL_RHS_POST
|
1 |
| body
|
Contains an URI
TLD in whois.rfc-ignorant.org |
URIBL_RHS_TLD_WHOIS |
1 |
| body
|
Contains an URI
listed in [black] uribl.com |
URIBL_RHS_URIBL_BLACK |
1 |
| body
|
Contains an URI
listed in [grey] uribl.com |
URIBL_RHS_URIBL_GREY |
1 |
| body
|
Contains an URI
listed in whois.rfc-ignorant.org |
URIBL_RHS_WHOIS
|
1 |
| body
|
URL listed in
XS SURBL - Testing |
URIBL_XS_SURBL
|
1 |
| uri
|
/\/l\.php\?\d/
|
URI_L_PHP
|
3.099 3.096
3.099 2.905 |
| body
|
URL registered
to 1&1 Private Registration |
WHOIS_1AND1PR
|
1 |
| body
|
URL registered
as an AIT Private Registration |
WHOIS_AITPRIV
|
0 3.995 0 3.510
|
| body
|
URL registered
to contactprivacy.com |
WHOIS_CONTACTPRIV |
0 2.696 0 2.696
|
| body
|
Contains URL
registered to Domains by Proxy |
WHOIS_DMNBYPROXY |
0 0.260 0 0.478
|
| body
|
URL registered
to Domain Escrow Services |
WHOIS_DOMESCROW
|
0 0.000 0 1.000
|
| body
|
URL registered
to DomainPrivacyCorp.com |
WHOIS_DOMPRIVCORP |
0 0.000 0 1.000
|
| body
|
URL registered
as a DreamHost Private Registration |
WHOIS_DREAMPRIV
|
0 0.000 0 1.000
|
| body
|
URL registered
as an DROA Private Registration |
WHOIS_DROA
|
1 |
| body
|
URL registered
to Dynadot Privacy |
WHOIS_DYNADOT
|
0 0.000 0 1.000
|
| body
|
URL registered
to Finexe Domain Proxy Service |
WHOIS_FINEXE
|
0 0.000 0 1.000
|
| body
|
URL registered
to GKG.NET Domain Proxy Service |
WHOIS_GKGPROXY
|
1 |
| body
|
Contains URL
registered to WHOIS ID Shield |
WHOIS_IDSHIELD
|
1 |
| body
|
URL registered
to Whois ID Theft Protection |
WHOIS_IDTHEFTPROT |
1 |
| body
|
URL registered
to Katz Global Domain Name Trust |
WHOIS_KATZ
|
1 |
| body
|
URL registered
to Domain Listing Agent |
WHOIS_LISTINGAG
|
1 |
| body
|
URL registered
to LNOA WHOIS Privacy |
WHOIS_LNOA
|
1 |
| body
|
URL registered
to MapName |
WHOIS_MAPNAME
|
1 |
| body
|
URL registered
to Moniker Privacy Protection |
WHOIS_MONIKER_PRIV |
0 2.596 0 2.596
|
| body
|
URL registered
to myprivateregistration.com |
WHOIS_MYPRIVREG
|
0 0.156 0 1.499
|
| body
|
URL registered
to NameKing |
WHOIS_NAMEKING
|
0 1.477 0 1.409
|
| body
|
Contains URL
registered to NameSecure |
WHOIS_NAMESECURE |
1 |
| body
|
URL registered
to NetIdentity |
WHOIS_NETID
|
0 0.000 0 1.000
|
| body
|
URL registered
as a NetSol Private Registration |
WHOIS_NETSOLPR
|
0 0.001 0 0.001
|
| body
|
URL registered
to NOLDC, Inc. |
WHOIS_NOLDC
|
1 |
| body
|
URL registered
to Nominet Private Registrant |
WHOIS_NOMINET
|
0 0.000 0 1.000
|
| body
|
Contains URL
registered to PrivacyPost |
WHOIS_PRIVACYPOST |
0 0.647 0 0.001
|
| body
|
URL registered
to privacy-domain.com |
WHOIS_PRIVDOMAIN |
0 0.000 0 1.000
|
| body
|
URL registered
to WHOIS Privacy Protection |
WHOIS_PRIVPROT
|
0 2.801 0 1.501
|
| body
|
URL registered
to R4L Privacy |
WHOIS_REGISTER4LESS |
0 0.000 0 1.000
|
| body
|
Contains URL
registered to RegisterFly |
WHOIS_REGISTERFLY |
0 3.196 0 1.645
|
| body
|
URL registered
to RegTek Whois Envoy |
WHOIS_REGTEK
|
0 0.000 0 1.000
|
| body
|
Contains URL
registered to SafeNames |
WHOIS_SAFENAMES
|
0 0.000 0 1.000
|
| body
|
URL registered
to Secure WHOIS Information Services
|
WHOIS_SECINFOSERV |
1 |
| body
|
Contains URL
registered to SecureWhois |
WHOIS_SECUREWHOIS |
0 2.696 0 2.696
|
| body
|
URL registered
to SpamFreeReg.com |
WHOIS_SPAMFREE
|
1 |
| body
|
URL registered
as an SRSPlus Private Registration |
WHOIS_SRSPLUS
|
1 |
| body
|
Contains URL
registered to Unlisted-Whois.com |
WHOIS_UNLISTED
|
0 2.170 0 2.839
|
| body
|
URL registered
to WhoisGuard |
WHOIS_WHOISGUARD |
0 3.399 0 2.025
|
| body
|
URL registered
to WhoisProtector |
WHOIS_WHOISPROT
|
0 0.000 0 1.000
|
| header
|
X-Library =~
/^Indy/ |
X_LIBRARY
|
2.700 2.696
2.899 2.752 |
| body
|
/Your cr[d\.]*
(?:scor|rat)ing doesn.t matter/ |
YOUR_CRD_RATING
|
3.099 3.096
3.099 2.848 |