This is the current list of tests SpamAssassin performs on mail messages to
determine if they're spam or not. If you wish to change the score from the
default, add a line like this to your ~/.spamassassin/user_prefs:
Note that these are the scores for the current stable release of SpamAssassin;
they may be different from the ones you're running on your servers, if SpamAssassin
is installed there.
The 'More Info' links, if present, lead to a section of our Wiki for collaborative
documentation of rules; some of the rules include additional user-contributed
documentation there. If you feel like adding a page describing a rule in
further detail, feel free to create a page at that link, using the RuleDescriptionTemplate format.
|
AREA TESTED
|
LOCALE
|
DESCRIPTION OF TEST
|
TEST NAME
|
DEFAULT SCORES
(local, net, with bayes, with bayes+net)
|
MORE INFO
(additional wiki docs)
|
|
body
|
|
Generic Test for Unsolicited Bulk Email
|
GTUBE
|
1000.000
|
Wiki
|
|
body
|
|
Incorporates a tracking ID number
|
TRACKER_ID
|
2.000 1.295 2.292 1.032
|
Wiki
|
|
body
|
|
Weird repeated double-quotation marks
|
WEIRD_QUOTING
|
1.120 1.200 1.295 1.341
|
Wiki
|
|
rawbody
|
|
Extra blank lines in base64 encoding
|
MIME_BASE64_BLANKS
|
0 0 0.184 0.224
|
Wiki
|
|
rawbody
|
|
base64 attachment does not have a file name
|
MIME_BASE64_NO_NAME
|
0 0 0 0.224
|
Wiki
|
|
rawbody
|
|
Message text disguised using base64 encoding
|
MIME_BASE64_TEXT
|
2.048 1.522 2.749 1.885
|
Wiki
|
|
rawbody
|
|
MIME section missing boundary
|
MIME_MISSING_BOUNDARY
|
1
|
Wiki
|
|
body
|
|
Missing blank line between MIME header and body
|
MISSING_MIME_HB_SEP
|
1
|
Wiki
|
|
body
|
|
Multipart message mostly text/html MIME
|
MIME_HTML_MOSTLY
|
1.703 0.699 2.309 1.102
|
Wiki
|
|
body
|
|
Message only has text/html MIME parts
|
MIME_HTML_ONLY
|
0.414 0.001 0.389 0.001
|
Wiki
|
|
rawbody
|
|
Quoted-printable line longer than 76 chars
|
MIME_QP_LONG_LINE
|
0.159 0 0.234 0
|
Wiki
|
|
body
|
|
HTML and text parts are different
|
MPART_ALT_DIFF
|
0.425 0.137 1.142 0
|
Wiki
|
|
body
|
|
HTML and text parts are different
|
MPART_ALT_DIFF_COUNT
|
1.649 0 1.607 0.708
|
Wiki
|
|
body
|
|
MIME character set is an unknown ISO charset
|
MIME_BAD_ISO_CHARSET
|
3.360 3.360 3.885 4.185
|
Wiki
|
|
body
|
|
Character set indicates a foreign language
|
CHARSET_FARAWAY
|
3.200
|
Wiki
|
|
body
|
|
Body contains a ROT13-encoded email address
|
EMAIL_ROT13
|
1.600 1.680 1.850 2.000
|
Wiki
|
|
body
|
|
Message body has 70-80% blank lines
|
BLANK_LINES_70_80
|
1.499 1.236 1.757 1.805
|
Wiki
|
|
body
|
|
Message body has 80-90% blank lines
|
BLANK_LINES_80_90
|
0.272 0.107 0.810 0
|
Wiki
|
|
body
|
|
Message body has 90-100% blank lines
|
BLANK_LINES_90_100
|
1
|
Wiki
|
|
body
|
|
Message body has many words used only once
|
UNIQUE_WORDS
|
2.066 1.336 2.543 2.347
|
Wiki
|
|
body
|
|
Message body mentions many internet domains
|
DOMAIN_RATIO
|
0 0 0.184 0
|
Wiki
|
|
body
|
|
IP to HTTPS link found in HTML
|
HTTPS_IP_MISMATCH
|
1.920 1.920 2.220 2.400
|
Wiki
|
|
rawbody
|
|
Message looks to contain HTML-interrupted text
|
INTERRUPTUS
|
1.154 0.533 1.106 0.182
|
Wiki
|
|
body
|
|
eval:check_ma_non_text()
|
MULTIPART_ALT_NON_TEXT
|
1
|
Wiki
|
|
header
|
|
Passed through trusted hosts only via SMTP
|
ALL_TRUSTED
|
-1.360 -1.440 -1.665 -1.800
|
Wiki
|
|
header
|
|
Informational: message was not relayed via SMTP
|
NO_RELAYS
|
-0.001
|
Wiki
|
|
header
|
|
NJABL: sender is confirmed open relay
|
RCVD_IN_NJABL_RELAY
|
1
|
Wiki
|
|
header
|
|
NJABL: dialup sender did non-local SMTP
|
RCVD_IN_NJABL_DUL
|
0 1.713 0 1.946
|
Wiki
|
|
header
|
|
NJABL: sender is confirmed spam source
|
RCVD_IN_NJABL_SPAM
|
0 1.905 0 2.775
|
Wiki
|
|
header
|
|
NJABL: sent through multi-stage open relay
|
RCVD_IN_NJABL_MULTI
|
1
|
Wiki
|
|
header
|
|
NJABL: sender is an open formmail
|
RCVD_IN_NJABL_CGI
|
1
|
Wiki
|
|
header
|
|
NJABL: sender is an open proxy
|
RCVD_IN_NJABL_PROXY
|
0 0.327 0 0.721
|
Wiki
|
|
header
|
|
SORBS: sender is open HTTP proxy server
|
RCVD_IN_SORBS_HTTP
|
1
|
Wiki
|
|
header
|
|
SORBS: sender is open SOCKS proxy server
|
RCVD_IN_SORBS_SOCKS
|
0 1.823 0 2.159
|
Wiki
|
|
header
|
|
SORBS: sender is open proxy server
|
RCVD_IN_SORBS_MISC
|
1
|
Wiki
|
|
header
|
|
SORBS: sender is open SMTP relay
|
RCVD_IN_SORBS_SMTP
|
0 0 0 0.201
|
Wiki
|
|
header
|
|
SORBS: sender is a abuseable web server
|
RCVD_IN_SORBS_WEB
|
0 1.236 0 1.456
|
Wiki
|
|
header
|
|
SORBS: sender demands to never be tested
|
RCVD_IN_SORBS_BLOCK
|
1
|
Wiki
|
|
header
|
|
SORBS: sender is on a hijacked network
|
RCVD_IN_SORBS_ZOMBIE
|
0 0.240 0 0.258
|
Wiki
|
|
header
|
|
SORBS: sent directly from dynamic IP address
|
RCVD_IN_SORBS_DUL
|
0 1.988 0 2.046
|
Wiki
|
|
header
|
|
Received via a relay in Spamhaus SBL
|
RCVD_IN_SBL
|
0 2.712 0 3.160
|
Wiki
|
|
header
|
|
Received via a relay in Spamhaus XBL
|
RCVD_IN_XBL
|
0 3.114 0 3.897
|
Wiki
|
|
header
|
|
Envelope sender in dsn.rfc-ignorant.org
|
DNS_FROM_RFC_DSN
|
0 2.872 0 2.597
|
Wiki
|
|
header
|
|
Envelope sender in postmaster.rfc-ignorant.org
|
DNS_FROM_RFC_POST
|
0 1.440 0 1.708
|
Wiki
|
|
header
|
|
Envelope sender in abuse.rfc-ignorant.org
|
DNS_FROM_RFC_ABUSE
|
0 0.479 0 0.200
|
Wiki
|
|
header
|
|
Envelope sender in whois.rfc-ignorant.org
|
DNS_FROM_RFC_WHOIS
|
0 0.879 0 1.447
|
Wiki
|
|
header
|
|
Envelope sender in bogusmx.rfc-ignorant.org
|
DNS_FROM_RFC_BOGUSMX
|
0 2.034 0 1.945
|
Wiki
|
|
header
|
|
CompleteWhois: sender on bogons IP block
|
RCVD_IN_WHOIS_BOGONS
|
0 1.811 0 2.430
|
Wiki
|
|
header
|
|
CompleteWhois: sender on hijacked IP block
|
RCVD_IN_WHOIS_HIJACKED
|
0 1.0 0 1.0
|
Wiki
|
|
header
|
|
CompleteWhois: sender on invalid IP block
|
RCVD_IN_WHOIS_INVALID
|
0 2.151 0 2.234
|
Wiki
|
|
header
|
|
Received via a relay in list.dsbl.org
|
RCVD_IN_DSBL
|
0 1.801 0 2.600
|
Wiki
|
|
header
|
|
From: sender listed in dnsbl.ahbl.org
|
DNS_FROM_AHBL_RHSBL
|
0 0.306 0 0.231
|
Wiki
|
|
header
|
|
Envelope sender in blackholes.securitysage.com
|
DNS_FROM_SECURITYSAGE
|
0 2.001 0 1.513
|
Wiki
|
|
header
|
|
Received via a relay in bl.spamcop.net
|
RCVD_IN_BL_SPAMCOP_NET
|
0 1.332 0 1.558
|
Wiki
|
|
header
|
|
Relay in RBL, http://www.mail-abuse.org/rbl/
|
RCVD_IN_MAPS_RBL
|
1
|
Wiki
|
|
header
|
|
Relay in DUL, http://www.mail-abuse.org/dul/
|
RCVD_IN_MAPS_DUL
|
1
|
Wiki
|
|
header
|
|
Relay in RSS, http://www.mail-abuse.org/rss/
|
RCVD_IN_MAPS_RSS
|
1
|
Wiki
|
|
header
|
|
Relay in NML, http://www.mail-abuse.org/nml/
|
RCVD_IN_MAPS_NML
|
1
|
Wiki
|
|
header
|
|
Sender is in Bonded Sender Program (trusted relay)
|
RCVD_IN_BSP_TRUSTED
|
0 -4.3 0 -4.3
|
Wiki
|
|
header
|
|
Sender is in Bonded Sender Program (other relay)
|
RCVD_IN_BSP_OTHER
|
0 -0.1 0 -0.1
|
Wiki
|
|
header
|
|
ISIPP IADB lists as vouched-for sender
|
RCVD_IN_IADB_VOUCHED
|
0 -1.825 0 -2.200
|
Wiki
|
|
header
|
|
Habeas Accredited Confirmed Opt-In or Better
|
HABEAS_ACCREDITED_COI
|
0 -8.0 0 -8.0
|
Wiki
|
|
header
|
|
Habeas Accredited Opt-In or Better
|
HABEAS_ACCREDITED_SOI
|
0 -4.3 0 -4.3
|
Wiki
|
|
header
|
|
Habeas Checked
|
HABEAS_CHECKED
|
0 -0.2 0 -0.2
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'cialis'
|
SUBJECT_DRUG_GAP_C
|
2.880 1.035 3.140 0.614
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'levitra'
|
SUBJECT_DRUG_GAP_L
|
1.840 1.840 2.118 2.300
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'phentermine'
|
SUBJECT_DRUG_GAP_P
|
0.542 0.563 0.834 0.699
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'soma'
|
SUBJECT_DRUG_GAP_S
|
1.729 0.378 2.498 1.581
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'valium'
|
SUBJECT_DRUG_GAP_VA
|
2.437 2.442 2.743 2.619
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'vicodin'
|
SUBJECT_DRUG_GAP_VIC
|
2.720 2.720 3.145 2.656
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'xanax'
|
SUBJECT_DRUG_GAP_X
|
2.262 2.334 2.447 2.401
|
Wiki
|
|
body
|
|
Talks about price per dose
|
DRUG_DOSAGE
|
2.337 1.592 2.745 2.242
|
Wiki
|
|
body
|
|
Mentions an E.D. drug
|
DRUG_ED_CAPS
|
0.547 0.352 1.011 0.501
|
Wiki
|
|
body
|
|
Viagra and other drugs
|
DRUG_ED_COMBO
|
1.280 1.280 1.353 1.375
|
Wiki
|
|
body
|
|
Talks about an E.D. drug using its chemical name
|
DRUG_ED_SILD
|
1.440 0 1.594 0
|
Wiki
|
|
body
|
|
Mentions Generic Viagra
|
DRUG_ED_GENERIC
|
2.140 1.814 2.461 1.807
|
Wiki
|
|
body
|
|
Fast Viagra Delivery
|
DRUG_ED_ONLINE
|
2.160 2.160 2.498 2.700
|
Wiki
|
|
body
|
|
Deep discount medications
|
DEEP_DISC_MEDS
|
1.440 1.132 1.665 1.177
|
Wiki
|
|
body
|
|
Online Pharmacy
|
ONLINE_PHARMACY
|
2.720 2.102 3.145 2.043
|
Wiki
|
|
body
|
|
No prescription needed
|
NO_PRESCRIPTION
|
3.200 2.888 3.700 3.887
|
Wiki
|
|
body
|
|
Attempts to disguise the word 'viagra'
|
VIA_GAP_GRA
|
2.480 2.419 2.867 2.529
|
Wiki
|
|
body
|
|
Two or more drugs crammed together into one word
|
DRUGS_SMEAR1
|
1.310 1.372 1.576 1.337
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: msn.com
|
FAKE_HELO_MSN
|
2.080 2.060 2.358 2.509
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: mail.com
|
FAKE_HELO_MAIL_COM
|
1.920 1.920 2.220 2.369
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: email.com
|
FAKE_HELO_EMAIL_COM
|
1.440 1.440 1.665 1.335
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: eudoramail.com
|
FAKE_HELO_EUDORAMAIL
|
1.360 1.440 1.665 1.705
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: excite.com
|
FAKE_HELO_EXCITE
|
1
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: lycos.com
|
FAKE_HELO_LYCOS
|
1
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: yahoo.ca
|
FAKE_HELO_YAHOO_CA
|
1.186 1.353 1.466 1.599
|
Wiki
|
|
header
|
|
Relay HELO'd with suspicious hostname (mail.com)
|
FAKE_HELO_MAIL_COM_DOM
|
2.160 2.160 2.498 2.700
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (IP addr 1)
|
HELO_DYNAMIC_IPADDR
|
3.360 3.360 3.885 4.200
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (DHCP)
|
HELO_DYNAMIC_DHCP
|
3.280 2.664 3.792 3.066
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (HCC)
|
HELO_DYNAMIC_HCC
|
3.280 3.280 3.792 4.100
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (ATTBI.com)
|
HELO_DYNAMIC_ATTBI
|
2.400 2.400 2.775 2.692
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Rogers)
|
HELO_DYNAMIC_ROGERS
|
1.840 1.203 2.127 1.580
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Adelphia)
|
HELO_DYNAMIC_ADELPHIA
|
1.680 1.680 1.942 1.787
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (T-Dialin)
|
HELO_DYNAMIC_DIALIN
|
2.080 2.080 2.405 2.600
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Hex IP)
|
HELO_DYNAMIC_HEXIP
|
1.280 1.280 1.480 1.600
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Split IP)
|
HELO_DYNAMIC_SPLIT_IP
|
2.880 2.880 3.330 2.191
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (YahooBB)
|
HELO_DYNAMIC_YAHOOBB
|
2.240 2.240 2.590 2.800
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (OptOnline)
|
HELO_DYNAMIC_OOL
|
1.840 1.839 2.127 2.012
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (IP addr 2)
|
HELO_DYNAMIC_IPADDR2
|
3.280 3.213 3.792 3.818
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (RR 2)
|
HELO_DYNAMIC_RR2
|
1.440 1.440 1.665 1.605
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Comcast)
|
HELO_DYNAMIC_COMCAST
|
2.800 2.800 3.237 3.500
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Telia)
|
HELO_DYNAMIC_TELIA
|
1
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (VTR)
|
HELO_DYNAMIC_VTR
|
1.440 1.492 1.757 1.287
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Chello.no)
|
HELO_DYNAMIC_CHELLO_NO
|
1
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Chello.nl)
|
HELO_DYNAMIC_CHELLO_NL
|
1.624 0 2.035 0.170
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Veloxzone)
|
HELO_DYNAMIC_VELOX
|
1
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (NTL)
|
HELO_DYNAMIC_NTL
|
1.360 1.360 1.573 1.481
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Home.nl)
|
HELO_DYNAMIC_HOME_NL
|
1.600 1.600 1.850 2.000
|
Wiki
|
|
header
|
|
Message headers are very long
|
HEAD_LONG
|
2.5
|
Wiki
|
|
header
|
|
Partial message
|
FRAGMENTED_MESSAGE
|
2.5
|
Wiki
|
|
header
|
|
Missing blank line between message header and body
|
MISSING_HB_SEP
|
2.5
|
Wiki
|
|
header
|
|
Informational: message has unparseable relay lines
|
UNPARSEABLE_RELAY
|
0.001
|
Wiki
|
|
header
|
|
From: does not include a real name
|
NO_REAL_NAME
|
0 0.550 0 0.961
|
Wiki
|
|
header
|
|
From: contains empty name
|
FROM_BLANK_NAME
|
1.659 1.467 0.936 1.534
|
Wiki
|
|
header
|
|
From: ends in many numbers
|
FROM_ENDS_IN_NUMS
|
1.880 2.160 2.405 2.530
|
Wiki
|
|
header
|
|
From: starts with many numbers
|
FROM_STARTS_WITH_NUMS
|
1.337 0.283 1.829 0.724
|
Wiki
|
|
header
|
|
From: contains numbers mixed in with letters
|
FROM_HAS_MIXED_NUMS
|
1.760 1.510 2.127 2.155
|
Wiki
|
|
header
|
|
From: contains an underline and numbers/letters
|
FROM_HAS_ULINE_NUMS
|
0.744 0.217 0.310 0.291
|
Wiki
|
|
header
|
|
From numeric address (except US/Canada phones)
|
FROM_ALL_NUMS
|
1.972 1.920 2.312 2.500
|
Wiki
|
|
header
|
|
From address is "at something-offers"
|
FROM_OFFERS
|
1.680 1.641 1.865 1.960
|
Wiki
|
|
header
|
|
From: has no local-part before @ sign
|
FROM_NO_USER
|
1
|
Wiki
|
|
header
|
|
To: has no local-part before @ sign
|
TO_NO_USER
|
1
|
Wiki
|
|
header
|
|
To: is empty
|
TO_EMPTY
|
0 0 0.115 0.268
|
Wiki
|
|
header
|
|
Reply-To: is empty
|
REPLY_TO_EMPTY
|
0.449 0.640 0.512 0.600
|
Wiki
|
|
header
|
|
To: repeats address as real name
|
TO_ADDRESS_EQ_REAL
|
1
|
Wiki
|
|
header
|
|
Valid-looking To "undisclosed-recipients"
|
UNDISC_RECIPS
|
0.960 0.883 0.712 0.841
|
Wiki
|
|
header
|
|
Faked To "Undisclosed-Recipients"
|
FAKED_UNDISC_RECIPS
|
1
|
Wiki
|
|
header
|
|
Subject has exclamation mark and question mark
|
PLING_QUERY
|
0 0.326 0.623 0.514
|
Wiki
|
|
header
|
|
Subject contains a unique ID
|
SUBJ_HAS_UNIQ_ID
|
0.895 0 1.387 0.190
|
Wiki
|
|
header
|
|
Subject contains lots of white space
|
SUBJ_HAS_SPACES
|
1.758 0.651 2.306 0.870
|
Wiki
|
|
header
|
|
Subject is all capitals
|
SUBJ_ALL_CAPS
|
1.049 1.166 0.459 0.997
|
Wiki
|
|
header
|
|
Spam tool Message-Id: (99x9xx99 variant)
|
MSGID_SPAM_99X9XX99
|
1
|
Wiki
|
|
header
|
|
Spam tool Message-Id: (alpha-numeric variant)
|
MSGID_SPAM_ALPHA_NUM
|
1.920 1.920 2.220 2.255
|
Wiki
|
|
header
|
|
Spam tool Message-Id: (caps variant)
|
MSGID_SPAM_CAPS
|
3.520 3.520 4.070 4.400
|
Wiki
|
|
header
|
|
Spam tool Message-Id: (letters variant)
|
MSGID_SPAM_LETTERS
|
2.400 2.349 2.867 3.021
|
Wiki
|
|
header
|
|
Spam tool Message-Id: (12-zeroes variant)
|
MSGID_SPAM_ZEROES
|
1.222 1.360 1.264 1.607
|
Wiki
|
|
header
|
|
Message-Id has no hostname
|
MSGID_NO_HOST
|
0.533 0.129 0.787 0.285
|
Wiki
|
|
header
|
|
Message-Id is fake (in Outlook Express format)
|
MSGID_OUTLOOK_INVALID
|
2.080 2.027 2.405 2.600
|
Wiki
|
|
header
|
|
Message-ID has ALLCAPS@yahoo.com
|
MSGID_YAHOO_CAPS
|
2.466 1.273 2.720 2.399
|
Wiki
|
|
header
|
|
Message-Id for external message added locally
|
MSGID_FROM_MTA_ID
|
1.103 0.927 1.183 1.393
|
Wiki
|
|
header
|
|
Message-Id was added by a hotmail.com relay
|
MSGID_FROM_MTA_HOTMAIL
|
1
|
Wiki
|
|
header
|
|
Message-ID is unusually long
|
MSGID_LONG
|
0.899 0.267 1.188 1.204
|
Wiki
|
|
header
|
|
Message-ID is unusually short
|
MSGID_SHORT
|
2.480 2.465 2.821 3.100
|
Wiki
|
|
header
|
|
Message-ID contains multiple '@' characters
|
MSGID_MULTIPLE_AT
|
2.880 1.375 3.187 1.914
|
Wiki
|
|
header
|
|
Date header uses unusual Y2K formatting
|
DATE_SPAMWARE_Y2K
|
1.859 1.822 1.944 0.745
|
Wiki
|
|
header
|
|
Invalid Date: header (not RFC 2822)
|
INVALID_DATE
|
1.700 1.760 2.005 2.193
|
Wiki
|
|
header
|
|
Invalid Date: header (timezone does not exist)
|
INVALID_DATE_TZ_ABSURD
|
1.360 1.346 1.573 1.700
|
Wiki
|
|
header
|
|
Invalid date in header (wrong CST timezone)
|
INVALID_TZ_CST
|
2.043 0.153 2.419 0.867
|
Wiki
|
|
header
|
|
Invalid date in header (wrong EST timezone)
|
INVALID_TZ_EST
|
2.720 0.737 3.145 1.883
|
Wiki
|
|
header
|
|
Invalid date in header (wrong GMT/UTC timezone)
|
INVALID_TZ_GMT
|
1.928 1.111 2.163 1.042
|
Wiki
|
|
header
|
|
Date: is 3 to 6 hours before Received: date
|
DATE_IN_PAST_03_06
|
0.736 0 1.122 0.478
|
Wiki
|
|
header
|
|
Date: is 6 to 12 hours before Received: date
|
DATE_IN_PAST_06_12
|
0.846 0.746 0.926 0.827
|
Wiki
|
|
header
|
|
Date: is 12 to 24 hours before Received: date
|
DATE_IN_PAST_12_24
|
0.960 0.881 1.036 1.247
|
Wiki
|
|
header
|
|
Date: is 24 to 48 hours before Received: date
|
DATE_IN_PAST_24_48
|
0.801 0.805 0.976 0.880
|
Wiki
|
|
header
|
|
Date: is 48 to 96 hours before Received: date
|
DATE_IN_PAST_48_96
|
0.383 0.501 0.400 0.379
|
Wiki
|
|
header
|
|
Date: is 96 hours or more before Received: date
|
DATE_IN_PAST_96_XX
|
1.752 1.572 2.101 2.020
|
Wiki
|
|
header
|
|
Date: is 3 to 6 hours after Received: date
|
DATE_IN_FUTURE_03_06
|
2.061 2.007 2.275 1.961
|
Wiki
|
|
header
|
|
Date: is 6 to 12 hours after Received: date
|
DATE_IN_FUTURE_06_12
|
1.680 1.498 1.883 1.668
|
Wiki
|
|
header
|
|
Date: is 12 to 24 hours after Received: date
|
DATE_IN_FUTURE_12_24
|
2.320 2.316 2.775 2.767
|
Wiki
|
|
header
|
|
Date: is 24 to 48 hours after Received: date
|
DATE_IN_FUTURE_24_48
|
2.080 2.080 2.498 2.688
|
Wiki
|
|
header
|
|
Date: is 48 to 96 hours after Received: date
|
DATE_IN_FUTURE_48_96
|
1.680 1.680 1.942 2.100
|
Wiki
|
|
header
|
|
Date: is 96 hours or more after Received: date
|
DATE_IN_FUTURE_96_XX
|
1.920 1.888 2.276 2.403
|
Wiki
|
|
header
|
|
Headers contain an unresolved template
|
UNRESOLVED_TEMPLATE
|
1.520 0.687 1.923 1.324
|
Wiki
|
|
header
|
|
Subject: has too many raw illegal characters
|
SUBJ_ILLEGAL_CHARS
|
3.360 3.360 3.978 4.279
|
Wiki
|
|
header
|
|
From: has too many raw illegal characters
|
FROM_ILLEGAL_CHARS
|
3.280 3.280 3.792 4.100
|
Wiki
|
|
header
|
|
Headers have too many raw illegal characters
|
HEAD_ILLEGAL_CHARS
|
1.652 1.519 1.796 1.606
|
Wiki
|
|
header
|
|
Subject: MIME encoded twice
|
SUBJECT_ENCODED_TWICE
|
0.888 1.543 1.293 1.723
|
Wiki
|
|
header
|
|
Subject contains an English UCE tag
|
ENGLISH_UCE_SUBJECT
|
1.415 0.250 1.850 0.740
|
Wiki
|
|
header
|
|
Subject contains a Japanese UCE tag
|
JAPANESE_UCE_SUBJECT
|
1.280 1.360 1.480 1.700
|
Wiki
|
|
header
|
|
Subject: contains Korean unsolicited email tag
|
KOREAN_UCE_SUBJECT
|
2.480 2.480 2.867 3.100
|
Wiki
|
|
header
|
|
From and To are the same, but not exactly
|
FROM_AND_TO_SAME
|
1
|
Wiki
|
|
header
|
|
Received: contains a forged HELO
|
FORGED_RCVD_HELO
|
0 0 0 0.135
|
Wiki
|
|
header
|
|
Received: HELO and IP do not match, but should
|
RCVD_HELO_IP_MISMATCH
|
3.200 3.200 3.700 4.000
|
Wiki
|
|
header
|
|
Received: contains an IP address used for HELO
|
RCVD_NUMERIC_HELO
|
1.440 1.253 1.665 1.500
|
Wiki
|
|
header
|
|
Received: contains illegal IP address
|
RCVD_ILLEGAL_IP
|
1.585 0.234 1.813 0.288
|
Wiki
|
|
header
|
|
Received by mail server with no name
|
RCVD_BY_IP
|
0.280 0 0 0
|
Wiki
|
|
header
|
|
Received forged, contains fake AOL relays
|
FORGED_AOL_RCVD
|
0.001
|
Wiki
|
|
header
|
|
Contains forged hostname for a DSL IP in Brazil
|
FORGED_TELESP_RCVD
|
1.280 0 1.470 0
|
Wiki
|
|
header
|
|
Forged hotmail.com 'Received:' header found
|
FORGED_HOTMAIL_RCVD
|
2.402 2.152 2.820 2.255
|
Wiki
|
|
header
|
|
hotmail.com 'From' address, but no 'Received:'
|
FORGED_HOTMAIL_RCVD2
|
1.653 0.549 2.127 1.162
|
Wiki
|
|
header
|
|
Forged eudoramail.com 'Received:' header found
|
FORGED_EUDORAMAIL_RCVD
|
1.130 0.528 1.454 0.217
|
Wiki
|
|
header
|
|
'From' yahoo.com does not match 'Received' headers
|
FORGED_YAHOO_RCVD
|
1.506 0.928 1.794 1.849
|
Wiki
|
|
header
|
|
'From' juno.com does not match 'Received' headers
|
FORGED_JUNO_RCVD
|
1.693 1.478 1.787 1.914
|
Wiki
|
|
header
|
|
Forged 'by gw05' 'Received:' header found
|
FORGED_GW05_RCVD
|
0.001
|
Wiki
|
|
header
|
|
Character set doesn't exist
|
NONEXISTENT_CHARSET
|
1.280 1.280 1.480 1.506
|
Wiki
|
|
header
|
|
A foreign language charset used in headers
|
CHARSET_FARAWAY_HEADER
|
3.200
|
Wiki
|
|
header
|
|
Sent with 'X-Priority' set to high
|
X_PRIORITY_HIGH
|
0 0.122 0 0.433
|
Wiki
|
|
header
|
|
Sent with 'X-Msmail-Priority' set to high
|
X_MSMAIL_PRIORITY_HIGH
|
1
|
Wiki
|
|
header
|
|
Received: says mail sent around the world (HELO)
|
ROUND_THE_WORLD_LOCAL
|
1.840 1.429 2.127 1.659
|
Wiki
|
|
header
|
|
Missing Date: header
|
MISSING_DATE
|
1
|
Wiki
|
|
header
|
|
Missing To: header
|
MISSING_HEADERS
|
0 0.189 0 0
|
Wiki
|
|
header
|
|
Similar addresses in recipient list
|
SUSPICIOUS_RECIPS
|
2.240 0.849 2.267 1.757
|
Wiki
|
|
header
|
|
Recipient list is sorted by address
|
SORTED_RECIPS
|
2.800 1.530 3.237 1.960
|
Wiki
|
|
header
|
|
Subject: contains G.a.p.p.y-T.e.x.t
|
GAPPY_SUBJECT
|
1.600 1.625 1.785 1.995
|
Wiki
|
|
header
|
|
Message has Prevent-NonDelivery-Report header
|
PREVENT_NONDELIVERY
|
1.515 1.640 1.737 1.600
|
Wiki
|
|
header
|
|
Message has X-IP header
|
X_IP
|
2.803 1.848 3.286 2.305
|
Wiki
|
|
header
|
|
Message has X-Library header
|
X_LIBRARY
|
1.920 1.920 2.220 2.400
|
Wiki
|
|
header
|
|
Message has X-Message-flag header (odd case)
|
X_MESSAGE_FLAG_ODD
|
2.080 2.080 2.405 2.600
|
Wiki
|
|
header
|
|
Subject contains "As Seen"
|
SUBJ_AS_SEEN
|
1.511 0 1.757 0
|
Wiki
|
|
header
|
|
Subject starts with dollar amount
|
SUBJ_DOLLARS
|
0.650 0.381 0.636 0.301
|
Wiki
|
|
header
|
|
Subject contains "For Only"
|
SUBJ_FOR_ONLY
|
1.104 0.316 1.268 0.415
|
Wiki
|
|
header
|
|
Subject contains "FREE" in CAPS
|
SUBJ_FREE_CAP
|
1
|
Wiki
|
|
header
|
|
Subject starts with "Free"
|
SUB_FREE_OFFER
|
0.286 0 0 0
|
Wiki
|
|
header
|
|
Subject GUARANTEED
|
SUBJ_GUARANTEED
|
1.360 1.421 1.623 1.785
|
Wiki
|
|
header
|
|
Subject starts with "Hello"
|
SUB_HELLO
|
1.840 1.760 2.027 2.141
|
Wiki
|
|
header
|
|
Subject includes "life insurance"
|
SUBJ_LIFE_INSURANCE
|
1.520 1.520 1.757 1.900
|
Wiki
|
|
header
|
|
Subject contains "Your Bills" or similar
|
SUBJ_YOUR_DEBT
|
1.405 0.577 1.757 1.106
|
Wiki
|
|
header
|
|
Subject contains "Your Family"
|
SUBJ_YOUR_FAMILY
|
1.600 0.338 1.850 1.157
|
Wiki
|
|
header
|
|
Subject contains "Your Own"
|
SUBJ_YOUR_OWN
|
1.023 0.127 0.865 0.811
|
Wiki
|
|
header
|
|
Received contains a faked HELO hostname
|
RCVD_FAKE_HELO_DOTCOM
|
2.160 1.652 2.590 2.281
|
Wiki
|
|
header
|
|
To: address appears in Subject
|
ADDRESS_IN_SUBJECT
|
1.053 0 0.919 0.533
|
Wiki
|
|
header
|
|
Local part of To: address appears in Subject
|
LOCALPART_IN_SUBJECT
|
1.559 1.561 1.757 1.900
|
Wiki
|
|
header
|
|
Subject talks about losing pounds
|
SUBJECT_DIET
|
1.812 0.623 2.127 1.330
|
Wiki
|
|
header
|
|
Header has extraneous Content-type:...type= entry
|
EXTRA_MPART_TYPE
|
0.847 0.815 0.733 1.091
|
Wiki
|
|
header
|
|
To header contains 'recipient' marker
|
TO_RECIP_MARKER
|
1.044 1.033 1.168 1.038
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary
|
MIME_BOUND_DD_DIGITS
|
3.600 3.600 4.162 4.500
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary
|
MIME_BOUND_DIGITS_7
|
1
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary
|
MIME_BOUND_DIGITS_15
|
2.400 2.400 2.775 2.949
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary
|
MIME_BOUND_MANY_HEX
|
2.160 2.144 2.498 2.700
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary (rfkindy)
|
MIME_BOUND_RKFINDY
|
2.160 2.160 2.498 2.700
|
Wiki
|
|
header
|
|
To: has a malformed address
|
TO_MALFORMED
|
1
|
Wiki
|
|
header
|
|
From Address contains FREE
|
ADDR_FREE
|
0.469 0 1.118 0.205
|
Wiki
|
|
header
|
|
Sent to a text file
|
TO_TXT
|
1.360 1.360 1.573 1.492
|
Wiki
|
|
header
|
|
Involves 'china.com'
|
CHINA_HEADER
|
1.440 1.440 1.665 1.800
|
Wiki
|
|
header
|
|
Received line contains spam-sign (lowercase smtp)
|
WITH_LC_SMTP
|
1.440 1.440 1.665 1.621
|
Wiki
|
|
header
|
|
From address has no lower-case characters
|
FROM_NO_LOWER
|
0.365 0.201 0.534 0.141
|
Wiki
|
|
header
|
|
Subject line starts with Buy or Buying
|
SUBJ_BUY
|
1.311 0.116 0.701 0.255
|
Wiki
|
|
header
|
|
Received headers forged (AM/PM)
|
RCVD_AM_PM
|
1.760 1.726 2.035 1.662
|
Wiki
|
|
header
|
|
Multiple Content-Type headers found
|
HEADER_COUNT_CTYPE
|
1.336 1.440 1.665 1.800
|
Wiki
|
|
header
|
|
Host HELO'd as a big ISP, but had no rDNS
|
NO_RDNS_DOTCOM_HELO
|
0.356 0 0 0
|
Wiki
|
|
header
|
|
X-Originating-IP doesn't look like IPv4 address
|
X_ORIG_IP_NOT_IPV4
|
1
|
Wiki
|
|
header
|
|
X-Authentication-Warning header looks faked
|
X_AUTH_WARN_FAKED
|
0 0 0.189 0.206
|
Wiki
|
|
header
|
|
Received header contains faked 'mr.outblaze.com'
|
FAKE_OUTBLAZE_RCVD
|
2.480 2.480 2.867 3.100
|
Wiki
|
|
header
|
|
Message is from domain that never sends email
|
FROM_NONSENDING_DOMAIN
|
1.280 1.254 1.480 1.336
|
Wiki
|
|
header
|
|
Subject contains common spam sign (2 numbers)
|
SUBJ_2_NUM_PARENS
|
0.952 1.074 1.026 1.206
|
Wiki
|
|
header
|
|
Headers contain an unclosed bracket
|
UNCLOSED_BRACKET
|
2.480 2.480 2.867 2.900
|
Wiki
|
|
header
|
|
Organization is MIME-tools
|
ORG_MIME_TOOLS
|
1.760 1.760 2.035 1.920
|
Wiki
|
|
header
|
|
Message has X-MIME-Autoconverted "Yes" header
|
X_MIME_AUTOCONVERTED
|
2.080 2.080 2.405 2.236
|
Wiki
|
|
header
|
|
From: domain has series of non-vowel letters
|
FROM_DOMAIN_NOVOWEL
|
1.582 1.592 1.903 2.100
|
Wiki
|
|
header
|
|
From: localpart has series of non-vowel letters
|
FROM_LOCAL_NOVOWEL
|
2.480 2.331 2.867 2.861
|
Wiki
|
|
header
|
|
Subject: has long non-vowel letter sequence
|
SUBJECT_NOVOWEL
|
0 0.131 0.327 0.155
|
Wiki
|
|
header
|
|
From: localpart has long hexadecimal sequence
|
FROM_LOCAL_HEX
|
2.000 1.343 2.240 1.305
|
Wiki
|
|
header
|
|
From: localpart has long digit sequence
|
FROM_LOCAL_DIGITS
|
1
|
Wiki
|
|
header
|
|
X-Mailer: header is bulk email fingerprint
|
X_MAILER_SPAM
|
1.840 0.720 1.879 1.365
|
Wiki
|
|
header
|
|
Cc: after X-Priority: (bulk email fingerprint)
|
X_PRIORITY_CC
|
2.320 2.320 2.683 2.900
|
Wiki
|
|
header
|
|
Subject contains consecutive consonants in "word"
|
SUBJ_CONSONANTS
|
1
|
Wiki
|
|
header
|
|
Message has bad MIME encoding in the header
|
BAD_ENC_HEADER
|
2.480 2.255 2.960 3.100
|
Wiki
|
|
body
|
|
HTML included in message
|
HTML_MESSAGE
|
0.001
|
Wiki
|
|
body
|
|
Message is 0% to 10% HTML
|
HTML_00_10
|
1.232 0.642 1.996 0.795
|
Wiki
|
|
body
|
|
Message is 10% to 20% HTML
|
HTML_10_20
|
0.911 0.945 1.387 1.351
|
Wiki
|
|
body
|
|
Message is 20% to 30% HTML
|
HTML_20_30
|
0.911 0 1.053 0
|
Wiki
|
|
body
|
|
Message is 30% to 40% HTML
|
HTML_30_40
|
0.137 0 0.463 0.374
|
Wiki
|
|
body
|
|
Message is 40% to 50% HTML
|
HTML_40_50
|
0.611 0 0.497 0.496
|
Wiki
|
|
body
|
|
Message is 50% to 60% HTML
|
HTML_50_60
|
0.130 0 0 0.134
|
Wiki
|
|
body
|
|
Message is 60% to 70% HTML
|
HTML_60_70
|
0.290 0 0 0
|
Wiki
|
|
body
|
|
Message is 70% to 80% HTML
|
HTML_70_80
|
0 0 0.144 0
|
Wiki
|
|
body
|
|
Message is 80% to 90% HTML
|
HTML_80_90
|
1
|
Wiki
|
|
body
|
|
Message is 90% to 100% HTML
|
HTML_90_100
|
0.584 0 0.567 0.113
|
Wiki
|
|
body
|
|
HTML has very strong "shouting" markup
|
HTML_SHOUTING3
|
0 0 0.198 0
|
Wiki
|
|
body
|
|
HTML has very strong "shouting" markup
|
HTML_SHOUTING4
|
0 0 0.215 0
|
Wiki
|
|
body
|
|
HTML has very strong "shouting" markup
|
HTML_SHOUTING5
|
0.827 0.169 1.133 0
|
Wiki
|
|
body
|
|
HTML has very strong "shouting" markup
|
HTML_SHOUTING6
|
1
|
Wiki
|
|
body
|
|
HTML has very strong "shouting" markup
|
HTML_SHOUTING7
|
0 0.121 0 0.118
|
Wiki
|
|
body
|
|
HTML contains text after HTML close tag
|
HTML_TEXT_AFTER_HTML
|
0.274 0 0.286 0
|
Wiki
|
|
body
|
|
HTML contains text after BODY close tag
|
HTML_TEXT_AFTER_BODY
|
0.153 0 0 0.115
|
Wiki
|
|
body
|
|
HTML comment is very short
|
HTML_COMMENT_SHORT
|
1
|
Wiki
|
|
body
|
|
HTML message is a saved web page
|
HTML_COMMENT_SAVED_URL
|
0 0.647 1.197 0.273
|
Wiki
|
|
body
|
|
HTML with embedded plugin object
|
HTML_EMBEDS
|
0.495 0.273 0.292 0.325
|
Wiki
|
|
body
|
|
HTML contains unsafe auto-executing code
|
HTML_EVENT_UNSAFE
|
1
|
Wiki
|
|
body
|
|
HTML contains far too many close tags
|
HTML_EXTRA_CLOSE
|
2.880 2.699 3.330 3.600
|
Wiki
|
|
body
|
|
HTML font size is tiny
|
HTML_FONT_SIZE_TINY
|
0.106 0 0.276 0
|
Wiki
|
|
body
|
|
HTML font size is negative
|
HTML_FONT_SIZE_NONE
|
1
|
Wiki
|
|
body
|
|
HTML font size is large
|
HTML_FONT_SIZE_LARGE
|
1.415 1.575 1.182 1.238
|
Wiki
|
|
body
|
|
HTML font size is huge
|
HTML_FONT_SIZE_HUGE
|
0 0 0.128 0.314
|
Wiki
|
|
body
|
|
HTML tag for a big font size
|
HTML_FONT_BIG
|
0 0.256 0 0
|
Wiki
|
|
body
|
|
HTML tag for a tiny font size
|
HTML_FONT_TINY
|
0 0 0.223 0
|
Wiki
|
|
body
|
|
HTML font color is same as background
|
HTML_FONT_INVISIBLE
|
1
|
Wiki
|
|
body
|
|
HTML font color similar to background
|
HTML_FONT_LOW_CONTRAST
|
1.335 0.766 1.890 0.194
|
Wiki
|
|
body
|
|
HTML font face is not a word
|
HTML_FONT_FACE_BAD
|
0 0.452 0.231 0.156
|
Wiki
|
|
body
|
|
HTML font face has excess capital characters
|
HTML_FONT_FACE_CAPS
|
1
|
Wiki
|
|
body
|
|
HTML includes a form which sends mail
|
HTML_FORMACTION_MAILTO
|
1.760 1.760 2.035 2.200
|
Wiki
|
|
body
|
|
HTML: images with 0-400 bytes of words
|
HTML_IMAGE_ONLY_04
|
2.820 2.880 3.330 3.600
|
Wiki
|
|
body
|
|
HTML: images with 400-800 bytes of words
|
HTML_IMAGE_ONLY_08
|
2.581 2.435 3.469 3.126
|
Wiki
|
|
body
|
|
HTML: images with 800-1200 bytes of words
|
HTML_IMAGE_ONLY_12
|
2.294 1.639 2.046 1.867
|
Wiki
|
|
body
|
|
HTML: images with 1200-1600 bytes of words
|
HTML_IMAGE_ONLY_16
|
0.668 0.627 0.338 0.497
|
Wiki
|
|
body
|
|
HTML: images with 1600-2000 bytes of words
|
HTML_IMAGE_ONLY_20
|
1.108 0.640 1.416 1.157
|
Wiki
|
|
body
|
|
HTML: images with 2000-2400 bytes of words
|
HTML_IMAGE_ONLY_24
|
1.316 0.930 1.771 1.841
|
Wiki
|
|
body
|
|
HTML: images with 2400-2800 bytes of words
|
HTML_IMAGE_ONLY_28
|
1.438 1.014 1.732 1.900
|
Wiki
|
|
body
|
|
HTML: images with 2800-3200 bytes of words
|
HTML_IMAGE_ONLY_32
|
1.423 0.836 1.610 1.052
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_02
|
1.245 0.192 1.800 0.463
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_04
|
0.877 0 1.057 0
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_06
|
0 0 0.139 0
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_08
|
1
|
Wiki
|
|
body
|
|
HTML link text says "push here" or similar
|
HTML_LINK_PUSH_HERE
|
1.762 0.402 1.920 0.397
|
Wiki
|
|
body
|
|
HTML link text says "opt out" or similar
|
HTML_LINK_OPT_OUT
|
1.151 0 0.823 0
|
Wiki
|
|
body
|
|
Message is 5% to 10% HTML obfuscation
|
HTML_OBFUSCATE_05_10
|
1.421 1.169 1.522 1.449
|
Wiki
|
|
body
|
|
Message is 10% to 20% HTML obfuscation
|
HTML_OBFUSCATE_10_20
|
1.936 1.397 2.371 1.770
|
Wiki
|
|
body
|
|
Message is 20% to 30% HTML obfuscation
|
HTML_OBFUSCATE_20_30
|
2.720 2.720 3.145 3.400
|
Wiki
|
|
body
|
|
Message is 30% to 40% HTML obfuscation
|
HTML_OBFUSCATE_30_40
|
2.480 2.480 2.867 2.859
|
Wiki
|
|
body
|
|
Message is 40% to 50% HTML obfuscation
|
HTML_OBFUSCATE_40_50
|
2.160 2.160 2.498 2.640
|
Wiki
|
|
body
|
|
Message is 50% to 60% HTML obfuscation
|
HTML_OBFUSCATE_50_60
|
2.049 2.061 2.342 2.031
|
Wiki
|
|
body
|
|
Message is 60% to 70% HTML obfuscation
|
HTML_OBFUSCATE_60_70
|
1.637 1.592 1.892 1.652
|
Wiki
|
|
body
|
|
Message is 70% to 80% HTML obfuscation
|
HTML_OBFUSCATE_70_80
|
1.440 1.507 1.680 1.472
|
Wiki
|
|
body
|
|
Message is 80% to 90% HTML obfuscation
|
HTML_OBFUSCATE_80_90
|
1.244 1.191 1.397 0.982
|
Wiki
|
|
body
|
|
Message is 90% to 100% HTML obfuscation
|
HTML_OBFUSCATE_90_100
|
1
|
Wiki
|
|
body
|
|
HTML tags used to obfuscate words
|
HTML_BACKHAIR_2
|
1
|
Wiki
|
|
body
|
|
HTML tags used to obfuscate words
|
HTML_BACKHAIR_4
|
1
|
Wiki
|
|
body
|
|
HTML tags used to obfuscate words
|
HTML_BACKHAIR_8
|
0.536 0.130 0.266 0.282
|
Wiki
|
|
body
|
|
HTML has many bad attributes in tags
|
HTML_ATTR_BAD
|
0.118 0 0 0
|
Wiki
|
|
body
|
|
HTML appears to have random attributes in tags
|
HTML_ATTR_UNIQUE
|
0.245 0 0.244 0.639
|
Wiki
|
|
body
|
|
HTML has unbalanced "body" tags
|
HTML_TAG_BALANCE_BODY
|
0 0.180 0.351 0.228
|
Wiki
|
|
body
|
|
HTML has unbalanced "head" tags
|
HTML_TAG_BALANCE_HEAD
|
2.143 1.159 2.498 1.447
|
Wiki
|
|
body
|
|
HTML has "bgsound" tag
|
HTML_TAG_EXIST_BGSOUND
|
1.920 1.920 2.220 2.107
|
Wiki
|
|
body
|
|
HTML has "marquee" tag
|
HTML_TAG_EXIST_MARQUEE
|
1.642 1.348 2.036 1.899
|
Wiki
|
|
body
|
|
HTML has "tbody" tag
|
HTML_TAG_EXIST_TBODY
|
0.221 0.126 0.282 0
|
Wiki
|
|
body
|
|
HTML message is 0% to 10% bad tags
|
HTML_BADTAG_00_10
|
1
|
Wiki
|
|
body
|
|
HTML message is 10% to 20% bad tags
|
HTML_BADTAG_10_20
|
1
|
Wiki
|
|
body
|
|
HTML message is 20% to 30% bad tags
|
HTML_BADTAG_20_30
|
1
|
Wiki
|
|
body
|
|
HTML message is 30% to 40% bad tags
|
HTML_BADTAG_30_40
|
0.366 0.228 0.137 0.124
|
Wiki
|
|
body
|
|
HTML message is 40% to 50% bad tags
|
HTML_BADTAG_40_50
|
1
|
Wiki
|
|
body
|
|
HTML message is 50% to 60% bad tags
|
HTML_BADTAG_50_60
|
1.604 0.263 1.811 0.987
|
Wiki
|
|
body
|
|
HTML message is 60% to 70% bad tags
|
HTML_BADTAG_60_70
|
1.727 0.819 1.873 1.679
|
Wiki
|
|
body
|
|
HTML message is 70% to 80% bad tags
|
HTML_BADTAG_70_80
|
1.517 1.577 1.711 1.547
|
Wiki
|
|
body
|
|
HTML message is 80% to 90% bad tags
|
HTML_BADTAG_80_90
|
0 0.167 0 0
|
Wiki
|
|
body
|
|
HTML message is 90% to 100% bad tags
|
HTML_BADTAG_90_100
|
1.074 0.846 1.098 1.399
|
Wiki
|
|
body
|
|
0% to 10% of HTML elements are non-standard
|
HTML_NONELEMENT_00_10
|
1
|
Wiki
|
|
body
|
|
10% to 20% of HTML elements are non-standard
|
HTML_NONELEMENT_10_20
|
1
|
Wiki
|
|
body
|
|
20% to 30% of HTML elements are non-standard
|
HTML_NONELEMENT_20_30
|
1
|
Wiki
|
|
body
|
|
30% to 40% of HTML elements are non-standard
|
HTML_NONELEMENT_30_40
|
1
|
Wiki
|
|
body
|
|
40% to 50% of HTML elements are non-standard
|
HTML_NONELEMENT_40_50
|
0 0 0 0.126
|
Wiki
|
|
body
|
|
50% to 60% of HTML elements are non-standard
|
HTML_NONELEMENT_50_60
|
1
|
Wiki
|
|
body
|
|
60% to 70% of HTML elements are non-standard
|
HTML_NONELEMENT_60_70
|
0 0.316 0 0
|
Wiki
|
|
body
|
|
70% to 80% of HTML elements are non-standard
|
HTML_NONELEMENT_70_80
|
0.449 1.353 1.915 2.143
|
Wiki
|
|
body
|
|
80% to 90% of HTML elements are non-standard
|
HTML_NONELEMENT_80_90
|
1
|
Wiki
|
|
body
|
|
90% to 100% of HTML elements are non-standard
|
HTML_NONELEMENT_90_100
|
1
|
Wiki
|
|
body
|
|
HTML is extremely short
|
HTML_SHORT_LENGTH
|
1.612 0.629 1.504 1.574
|
Wiki
|
|
body
|
|
HTML title contains no text
|
HTML_TITLE_EMPTY
|
0 0 0 0.214
|
Wiki
|
|
body
|
|
HTML title contains "Untitled"
|
HTML_TITLE_UNTITLED
|
0 0 0.168 0.514
|
Wiki
|
|
rawbody
|
|
Javascript to hide URLs in browser
|
HIDE_WIN_STATUS
|
1
|
Wiki
|
|
rawbody
|
|
HTML contains needlessly encoded characters
|
ENTITY_DEC_ALPHANUM
|
1.749 0 1.882 0.142
|
Wiki
|
|
rawbody
|
|
HTML has doubled end HTML tag
|
HTML_EHTML2
|
2.640 2.114 3.052 2.618
|
Wiki
|
|
rawbody
|
|
body contains 1 or 0-point font
|
HTML_TINY_FONT
|
2.607 1.425 3.393 2.324
|
Wiki
|
|
header
|
|
Envelope sender has no MX or A DNS records
|
NO_DNS_FOR_FROM
|
0 2.603 0 3.200
|
Wiki
|
|
header
|
|
Received: says mail sent around the world (DNS)
|
ROUND_THE_WORLD
|
0 1.267 0 1.495
|
Wiki
|
|
body
|
|
Send real mail to be unsubscribed
|
REMOVE_POSTAL
|
1
|
Wiki
|
|
body
|
|
Removal phrase right before a link
|
REMOVE_BEFORE_LINK
|
3.120 2.152 3.700 2.692
|
Wiki
|
|
body
|
|
Asks you to click below (in capital letters)
|
CLICK_BELOW_CAPS
|
1
|
Wiki
|
|
body
|
|
Click to be removed
|
CLICK_TO_REMOVE_1
|
1
|
Wiki
|
|
body
|
|
Claims compliance with spam regulations
|
SENT_IN_COMPLIANCE
|
1.360 0.508 0.824 1.070
|
Wiki
|
|
body
|
|
Possible mention of bill 1618 (anti-spam bill)
|
BILL_1618
|
1.440 1.405 1.665 1.800
|
Wiki
|
|
body
|
|
Offers a full refund
|
FULL_REFUND
|
0.490 0 0 0
|
Wiki
|
|
body
|
|
No such thing as a free lunch (3)
|
NO_COST
|
0 0 0.565 0
|
Wiki
|
|
body
|
|
One hundred percent guaranteed
|
GUARANTEED_100_PERCENT
|
0.810 0 1.392 0
|
Wiki
|
|
body
|
|
Dear Friend? That's not very dear!
|
DEAR_FRIEND
|
0.811 0.858 0.976 1.632
|
Wiki
|
|
body
|
|
Contains 'Dear (something)'
|
DEAR_SOMETHING
|
1.605 1.612 1.901 2.100
|
Wiki
|
|
body
|
|
Talks about lots of money
|
BILLION_DOLLARS
|
1
|
Wiki
|
|
body
|
|
Talks about opting out (capitalized version)
|
OPTING_OUT_CAPS
|
0 0 0.171 0.128
|
Wiki
|
|
body
|
|
Claims you can be removed from the list
|
EXCUSE_4
|
0 0.985 0 0.697
|
Wiki
|
|
body
|
|
Claims you can be removed from the list
|
EXCUSE_6
|
1.680 1.746 1.930 2.187
|
Wiki
|
|
body
|
|
"if you do not wish to receive any more"
|
EXCUSE_10
|
0.682 0 0.341 0
|
Wiki
|
|
body
|
|
Nobody's perfect
|
EXCUSE_12
|
1.173 1.131 1.387 1.447
|
Wiki
|
|
body
|
|
Claims you have provided permission
|
EXCUSE_23
|
1.280 1.360 1.573 1.459
|
Wiki
|
|
body
|
|
Claims you wanted this ad
|
EXCUSE_24
|
1.440 1.520 1.757 1.900
|
Wiki
|
|
body
|
|
Talks about how to be removed from mailings
|
EXCUSE_REMOVE
|
1.345 0 1.573 0.110
|
Wiki
|
|
body
|
|
Tells you about a strong buy
|
STRONG_BUY
|
2.160 2.080 2.498 2.690
|
Wiki
|
|
body
|
|
Claims to honor removal requests
|
WE_HONOR_ALL
|
1.190 1.196 1.169 1.221
|
Wiki
|
|
body
|
|
Offers a alert about a stock
|
STOCK_ALERT
|
1.680 1.760 2.035 2.200
|
Wiki
|
|
body
|
|
SEC-mandated penny-stock warning
|
MICRO_CAP_WARNING
|
1.200 1.280 1.480 1.462
|
Wiki
|
|
body
|
|
Not registered investment advisor
|
NOT_ADVISOR
|
2.160 2.160 2.498 2.700
|
Wiki
|
|
body
|
|
Describes some sort of breakthrough
|
SOME_BREAKTHROUGH
|
1.049 1.053 1.136 1.368
|
Wiki
|
|
body
|
|
'Prestigious Non-Accredited Universities'
|
PREST_NON_ACCREDITED
|
1.280 1.280 1.480 1.600
|
Wiki
|
|
body
|
|
Information on growing body parts
|
BODY_ENHANCEMENT
|
1.090 0 1.163 0
|
Wiki
|
|
body
|
|
Information on getting larger body parts
|
BODY_ENHANCEMENT2
|
1.821 0.618 2.045 0.736
|
Wiki
|
|
body
|
|
Impotence cure
|
IMPOTENCE
|
2.093 0.592 2.443 0.627
|
Wiki
|
|
body
|
|
Information on mortgages
|
MORTGAGE_BEST
|
1
|
Wiki
|
|
body
|
|
Looks like mortgage pitch
|
MORTGAGE_PITCH
|
0.151 0 0 0
|
Wiki
|
|
body
|
|
Information on mortgage rates
|
MORTGAGE_RATES
|
1
|
Wiki
|
|
rawbody
|
|
mailto URI includes removal text
|
MAILTO_SUBJ_REMOVE
|
0.244 0 0.100 0
|
Wiki
|
|
body
|
|
Talks about a million North American dollars
|
NA_DOLLARS
|
0.868 0.609 1.529 1.285
|
Wiki
|
|
body
|
|
Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN)
|
US_DOLLARS_3
|
0.214 0 0.152 0
|
Wiki
|
|
body
|
|
Talks about millions of dollars
|
MILLION_USD
|
2.359 1.606 2.824 1.816
|
Wiki
|
|
rawbody
|
|
Frontpage used to create the message
|
FRONTPAGE
|
1.161 0.809 1.459 0.886
|
Wiki
|
|
body
|
|
Resistance to this spam is futile
|
RESISTANCE_IS_FUTILE
|
1
|
Wiki
|
|
body
|
|
Contains urgent matter
|
URG_BIZ
|
0.395 0.269 0.699 0.351
|
Wiki
|
|
body
|
|
Contains 'earn (dollar) something per week'
|
EARN_PER_WEEK
|
1.055 1.189 1.327 1.404
|
Wiki
|
|
body
|
|
Spam is 100% natural?!
|
ALL_NATURAL
|
1.310 0.618 0.357 0
|
Wiki
|
|
body
|
|
Money back guarantee
|
MONEY_BACK
|
0.843 0 0.645 0
|
Wiki
|
|
body
|
|
There is no obligation
|
NO_OBLIGATION
|
0.488 0.303 0.628 0.966
|
Wiki
|
|
body
|
|
Risk free. Suuurreeee....
|
RISK_FREE
|
1
|
Wiki
|
|
body
|
|
As seen on national TV!
|
AS_SEEN_ON
|
1
|
Wiki
|
|
body
|
|
Off Shore Scams
|
OFFSHORE_SCAM
|
0 0.147 0 0
|
Wiki
|
|
body
|
|
Why Pay More?
|
WHY_PAY_MORE
|
1.680 0.120 1.781 0.606
|
Wiki
|
|
body
|
|
Receive a special offer
|
RECEIVE_OFFER
|
0 0 0.172 0
|
Wiki
|
|
body
|
|
Free express or no-obligation quote
|
FREE_QUOTE_INSTANT
|
1.178 0 1.422 0
|
Wiki
|
|
body
|
|
Eliminate Bad Credit
|
BAD_CREDIT
|
1.501 0.129 1.539 0
|
Wiki
|
|
body
|
|
Consolidate debt, credit, or bills
|
CONSOLIDATE_DEBT
|
0 0.119 0 0.194
|
Wiki
|
|
body
|
|
Home refinancing
|
REFINANCE_YOUR_HOME
|
1.760 0.980 2.035 0.302
|
Wiki
|
|
body
|
|
Home refinancing
|
REFINANCE_NOW
|
1.520 0.872 1.576 1.050
|
Wiki
|
|
body
|
|
No Medical Exams
|
NO_MEDICAL
|
1.200 1.259 1.480 1.363
|
Wiki
|
|
body
|
|
No Claim Forms
|
NO_FORMS
|
1.440 0.501 1.709 0.673
|
Wiki
|
|
body
|
|
What are you waiting for
|
WHY_WAIT
|
1.116 0.412 1.193 0.638
|
Wiki
|
|
body
|
|
You can search for anyone
|
YOU_CAN_SEARCH
|
1
|
Wiki
|
|
body
|
|
Guaranteed Stuff
|
GUARANTEED_STUFF
|
1
|
Wiki
|
|
body
|
|
Amazing Stuff
|
AMAZING_STUFF
|
0.733 0 1.237 0
|
Wiki
|
|
body
|
|
Lose Weight Spam
|
DIET_1
|
0.633 0 0.485 0
|
Wiki
|
|
body
|
|
Describes weight loss
|
DIET_2
|
1
|
Wiki
|
|
body
|
|
Describes body fat loss
|
DIET_3
|
1
|
Wiki
|
|
body
|
|
Reverses Aging
|
REVERSE_AGING
|
1.520 1.600 1.795 1.555
|
Wiki
|
|
body
|
|
Cures Baldness
|
HAIR_LOSS
|
0.102 0 0 0
|
Wiki
|
|
body
|
|
Removes Wrinkles
|
WRINKLES
|
1.360 1.360 1.573 1.432
|
Wiki
|
|
body
|
|
While you Sleep
|
WHILE_YOU_SLEEP
|
0.463 0.441 0.240 0.268
|
Wiki
|
|
body
|
|
Talks about Hidden Charges
|
HIDDEN_CHARGES
|
0.721 0.752 0.611 0.853
|
Wiki
|
|
body
|
|
Freedom of a financial nature
|
FIN_FREE
|
1.019 0.611 1.313 0.469
|
Wiki
|
|
body
|
|
Stock Disclaimer Statement
|
FORWARD_LOOKING
|
1.207 1.434 1.692 1.048
|
Wiki
|
|
body
|
|
Mail guarantees satisfaction
|
SATIS_GUAR
|
1.036 0 1.207 0
|
Wiki
|
|
body
|
|
Offers Extra Cash
|
EXTRA_CASH
|
0 0 0.275 0.172
|
Wiki
|
|
body
|
|
Get Paid
|
GET_PAID
|
1.049 0 0.707 0.204
|
Wiki
|
|
body
|
|
One Time Rip Off
|
ONE_TIME
|
1.840 1.138 2.118 1.569
|
Wiki
|
|
body
|
|
Compete for your business
|
COMPETE
|
1.330 1.392 1.646 1.467
|
Wiki
|
|
body
|
|
Meet Singles
|
MEET_SINGLES
|
1.280 0.370 1.456 0.492
|
Wiki
|
|
body
|
|
Join Millions of Americans
|
JOIN_MILLIONS
|
0.178 0 0.463 0
|
Wiki
|
|
body
|
|
Be your own boss
|
BE_BOSS
|
1.268 1.271 1.480 1.539
|
Wiki
|
|
body
|
|
Multi Level Marketing mentioned
|
ML_MARKETING
|
1.274 1.310 1.511 1.624
|
Wiki
|
|
body
|
|
Confidentiality on all orders
|
CONFIDENTIAL_ORDER
|
1
|
Wiki
|
|
body
|
|
Save big money
|
SAVE_THOUSANDS
|
0.467 0 0.414 0.398
|
Wiki
|
|
body
|
|
Claims you registered with a partner
|
MARKETING_PARTNERS
|
1.482 1.435 1.757 1.765
|
Wiki
|
|
body
|
|
Free Preview
|
FREE_PREVIEW
|
1.500 1.409 1.757 1.884
|
Wiki
|
|
body
|
|
Contains 'free access' with capitals
|
FREE_ACCESS
|
0 0 0.156 0
|
Wiki
|
|
body
|
|
Contains 'free sample' with capitals
|
FREE_SAMPLE
|
0 0 0.231 0.335
|
Wiki
|
|
body
|
|
Lowest Price
|
LOW_PRICE
|
1
|
Wiki
|
|
body
|
|
People just leave money laying around
|
UNCLAIMED_MONEY
|
1.920 1.920 2.220 2.400
|
Wiki
|
|
body
|
|
Message seems to contain rot13ed address
|
OBSCURED_EMAIL
|
1.680 1.680 1.834 2.100
|
Wiki
|
|
body
|
|
Talks about exercise with an exclamation!
|
BANG_EXERCISE
|
0.731 0.537 0.650 1.133
|
Wiki
|
|
body
|
|
Talks about more with an exclamation!
|
BANG_MORE
|
0 0 0.106 0
|
Wiki
|
|
body
|
|
Talks about Oprah with an exclamation!
|
BANG_OPRAH
|
1.233 0.366 1.386 0
|
Wiki
|
|
body
|
|
Talks about 'acting now' with capitals
|
ACT_NOW_CAPS
|
0.120 0 0 0
|
Wiki
|
|
body
|
|
Talks about a bigger drive for sex
|
MORE_SEX
|
2.240 2.035 2.590 1.950
|
Wiki
|
|
body
|
|
Something is emphatically guaranteed
|
BANG_GUAR
|
0 0.139 0.504 0
|
Wiki
|
|
body
|
|
See for yourself
|
SEE_FOR_YOURSELF
|
1
|
Wiki
|
|
body
|
|
Message mentions investment advice
|
INVESTMENT_ADVICE
|
2.960 2.960 3.423 3.700
|
Wiki
|
|
body
|
|
Message mentions investment expert
|
INVESTMENT_EXPERT
|
2.571 2.640 3.052 3.300
|
Wiki
|
|
body
|
|
Qualify for this special...
|
QUALIFY_FOR_THIS
|
2.080 1.422 1.990 1.684
|
Wiki
|
|
body
|
|
Message talks about enhancing men
|
MALE_ENHANCE
|
2.480 2.480 2.867 3.100
|
Wiki
|
|
body
|
|
Message says that prices aren't too expensive
|
PRICES_ARE_AFFORDABLE
|
1.964 0.522 2.312 0.995
|
Wiki
|
|
body
|
|
Message talks about a replica watch
|
REPLICA_WATCH
|
2.320 2.320 2.683 2.900
|
Wiki
|
|
body
|
|
Message puts emphasis on the watch manufacturer
|
EM_ROLEX
|
2.160 1.271 2.590 1.570
|
Wiki
|
|
body
|
|
Possible porn - Free Porn
|
FREE_PORN
|
0 0 0.143 0
|
Wiki
|
|
body
|
|
Possible porn - Cum Shot
|
CUM_SHOT
|
2.320 2.095 2.683 2.708
|
Wiki
|
|
body
|
|
Possible porn - Live Porn
|
LIVE_PORN
|
0.530 0.332 0.782 0
|
Wiki
|
|
body
|
|
Possible porn - Hardcore Porn
|
HARDCORE_PORN
|
1.440 1.440 1.665 1.635
|
Wiki
|
|
body
|
|
Possible porn - Hot, Nasty, Wild, Young
|
HOT_NASTY
|
0.809 0 0.697 0.157
|
Wiki
|
|
body
|
|
Possible porn - Best, Largest, Most Porn
|
BEST_PORN
|
1
|
Wiki
|
|
body
|
|
Possible porn - Nasty Girls
|
NASTY_GIRLS
|
1.517 1.344 1.757 0.339
|
Wiki
|
|
body
|
|
Possible porn - Amateur Porn
|
AMATEUR_PORN
|
1.499 1.473 1.757 1.511
|
Wiki
|
|
body
|
|
Possible porn - Adult Web Sites
|
SOMETHING_FOR_ADULTS
|
1.000 0.872 1.234 1.091
|
Wiki
|
|
body
|
|
Possible porn - various types of feline
|
PORN_15
|
0.520 1.117 1.079 0.451
|
Wiki
|
|
body
|
|
Possible porn - nasty, dirty, little etc.
|
PORN_16
|
1.309 1.410 1.573 1.800
|
Wiki
|
|
body
|
|
Thousands or millions of pictures, movies, etc.
|
LOTS_OF_STUFF
|
1
|
Wiki
|
|
body
|
|
Attempts to disguise porn words
|
DISGUISE_PORN
|
0.724 0.110 0.721 0.247
|
Wiki
|
|
body
|
|
Attempts to disguise mundane words used in porn
|
DISGUISE_PORN_MUNDANE
|
1.840 1.798 2.127 2.300
|
Wiki
|
|
uri
|
|
URL uses words/phrases which indicate porn (sex)
|
PORN_URL_SEX
|
0 0.261 0.256 0
|
Wiki
|
|
uri
|
|
URL uses words/phrases which indicate porn (slut)
|
PORN_URL_SLUT
|
1
|
Wiki
|
|
uri
|
|
URL uses words/phrases which indicate porn (misc)
|
PORN_URL_MISC
|
1.160 0 1.421 0.322
|
Wiki
|
|
header
|
|
Subject indicates sexually-explicit content
|
SUBJECT_SEXUAL
|
2.160 2.160 2.498 2.684
|
Wiki
|
|
header
|
|
Bulk email fingerprint (eGroups) found
|
RATWARE_EGROUPS
|
2.640 2.487 3.052 2.563
|
Wiki
|
|
header
|
|
Bulk email fingerprint (hash 2) found
|
RATWARE_HASH_2
|
2.000 1.949 2.220 2.111
|
Wiki
|
|
header
|
|
Bulk email fingerprint (hash 2 v2) found
|
RATWARE_HASH_2_V2
|
2.000 2.000 2.312 2.500
|
Wiki
|
|
header
|
|
Bulk email fingerprint (jpfree) found
|
RATWARE_JPFREE
|
1.200 1.280 1.480 1.600
|
Wiki
|
|
uri
|
|
Bulk email fingerprint (StormPost) found
|
RATWARE_STORM_URI
|
1
|
Wiki
|
|
header
|
|
X-Mailer has malformed Outlook Express version
|
RATWARE_OE_MALFORMED
|
2.400 2.400 2.775 3.000
|
Wiki
|
|
header
|
|
Bulk email fingerprint ('esmtp' Received) found
|
RATWARE_RCVD_LC_ESMTP
|
1.416 0 1.500 0
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Mozilla malformed) found
|
RATWARE_MOZ_MALFORMED
|
1.840 1.820 2.035 1.847
|
Wiki
|
|
header
|
|
Bulk email fingerprint (mPOP Web-Mail)
|
RATWARE_MPOP_WEBMAIL
|
0 0.118 0.417 0.111
|
Wiki
|
|
rawbody
|
|
Contains a hashbuster in Send-Safe format
|
RATWARE_HASH_DASH
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (netIP) found
|
RATWARE_NETIP
|
1.272 0.548 1.497 1.398
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Gecko faked) found
|
RATWARE_GECKO_BUILD
|
1.751 1.426 1.966 1.691
|
Wiki
|
|
header
|
|
Headers are in order found in spam (MTSRIX)
|
HDR_ORDER_MTSRIX
|
1
|
Wiki
|
|
header
|
|
Headers are in order found in spam (TRIMRS)
|
HDR_ORDER_TRIMRS
|
1.440 1.440 1.665 1.800
|
Wiki
|
|
header
|
|
Bulk email fingerprint (bonus space) found
|
RCVD_BONUS_SPC_DATE
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (X-Message-Info) found
|
X_MESSAGE_INFO
|
3.520 3.520 4.070 4.400
|
Wiki
|
|
header
|
|
Bulk email fingerprint (header-based) found
|
HEADER_SPAM
|
3.200 3.115 3.700 3.789
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Received PF) found
|
RATWARE_RCVD_PF
|
2.880 2.880 3.330 3.600
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Received @) found
|
RATWARE_RCVD_AT
|
2.880 2.590 3.330 2.292
|
Wiki
|
|
header
|
|
Bulk email fingerprint found
|
MSGID_RATWARE1
|
1.920 1.810 2.220 2.364
|
Wiki
|
|
header
|
|
Bulk email fingerprint (piece boundary) found
|
RATWARE_BOUND_PIECE
|
1.600 1.680 1.850 2.000
|
Wiki
|
|
header
|
|
Bulk email fingerprint (envfrom) found
|
RATWARE_EFROM
|
2.880 2.880 3.330 3.600
|
Wiki
|
|
uri
|
|
Uses a numeric IP address in URL
|
NUMERIC_HTTP_ADDR
|
1.253 0.585 1.249 0.472
|
Wiki
|
|
uri
|
|
Uses a dotted-decimal IP address in URL
|
NORMAL_HTTP_TO_IP
|
0 0 0.160 0.175
|
Wiki
|
|
uri
|
|
Uses %-escapes inside a URL's hostname
|
HTTP_ESCAPED_HOST
|
0 0 0.124 0
|
Wiki
|
|
uri
|
|
Uses control sequences inside a URL hostname
|
HTTP_CTRL_CHARS_HOST
|
1.280 1.259 1.480 1.600
|
Wiki
|
|
uri
|
|
Completely unnecessary %-escapes inside a URL
|
HTTP_EXCESSIVE_ESCAPES
|
1.329 1.146 1.145 1.572
|
Wiki
|
|
uri
|
|
Dotted-decimal IP address followed by CGI
|
IP_LINK_PLUS
|
0.467 1.047 1.372 1.248
|
Wiki
|
|
uri
|
|
URL of page called "remove"
|
REMOVE_PAGE
|
1
|
Wiki
|
|
uri
|
|
Includes a link to a likely spammer email
|
MAILTO_TO_SPAM_ADDR
|
0.307 0.276 0.446 0
|
Wiki
|
|
uri
|
|
Includes a 'remove' email address
|
MAILTO_TO_REMOVE
|
1.040 0.484 1.109 0.383
|
Wiki
|
|
uri
|
|
Uses non-standard port number for HTTP
|
WEIRD_PORT
|
1
|
Wiki
|
|
uri
|
|
URL contains username and (optional) password
|
USERPASS
|
0.825 0.819 1.196 1.373
|
Wiki
|
|
uri
|
|
Filename is just a '\#'; probably a JS trick
|
URI_IS_POUND
|
1
|
Wiki
|
|
uri
|
|
Includes a link to a likely spammer domain
|
BARGAIN_URL
|
1.360 0 1.559 0.463
|
Wiki
|
|
uri
|
|
Contains an URL in the BIZ top-level domain
|
BIZ_TLD
|
1.719 1.169 2.035 2.013
|
Wiki
|
|
uri
|
|
Contains an URL in the INFO top-level domain
|
INFO_TLD
|
1.373 0.813 1.457 1.273
|
Wiki
|
|
uri
|
|
Has Yahoo Redirect URI
|
YAHOO_RD_REDIR
|
1
|
Wiki
|
|
uri
|
|
Has Yahoo Redirect URI
|
YAHOO_DRS_REDIR
|
1.007 0.313 1.189 1.103
|
Wiki
|
|
uri
|
|
Message has link to company offers
|
URI_OFFERS
|
1.674 0.133 1.414 0.712
|
Wiki
|
|
uri
|
|
Message has URI 4you
|
URI_4YOU
|
0.759 0.196 0.928 0.135
|
Wiki
|
|
uri
|
|
Contains URI to a document hosted at 'terra.es'
|
TERRA_ES
|
1.520 1.495 1.724 1.888
|
Wiki
|
|
uri
|
|
Contains an URL-encoded hostname (HTTP77)
|
HTTP_77
|
2.242 2.658 2.644 2.346
|
Wiki
|
|
uri
|
|
Contains a URI with an affiliate ID code
|
URI_AFFILIATE
|
0.106 0 0 0
|
Wiki
|
|
header
|
|
Message has HTTP redirector URI
|
URI_REDIRECTOR
|
1
|
Wiki
|
|
uri
|
|
URI contains ".com" in middle
|
SPOOF_COM2OTH
|
0.537 0 0 0
|
Wiki
|
|
uri
|
|
URI contains ".com" in middle and end
|
SPOOF_COM2COM
|
2.320 1.938 2.683 2.450
|
Wiki
|
|
uri
|
|
URI contains ".net" or ".org", then ".com"
|
SPOOF_NET2COM
|
1.806 1.106 1.870 1.541
|
Wiki
|
|
uri
|
|
URI has items in odd places
|
SPOOF_OURI
|
0.293 0 1.321 0.104
|
Wiki
|
|
uri
|
|
URI hostname has long digit sequence
|
URI_DIGITS
|
1
|
Wiki
|
|
uri
|
|
URI hostname has long hexadecimal sequence
|
URI_HEX
|
1
|
Wiki
|
|
uri
|
|
URI hostname has long non-vowel sequence
|
URI_NOVOWEL
|
1.885 0.997 2.405 0.884
|
Wiki
|
|
uri
|
|
URI contains suspicious unsubscribe link
|
URI_UNSUBSCRIBE
|
2.560 2.069 2.809 3.200
|
Wiki
|
|
uri
|
|
URI contains capitalized hostname parts ("Abcde")
|
URI_UPPER_LOWER
|
2.080 2.080 2.405 2.600
|
Wiki
|
|
uri
|
|
CGI in .info TLD other than third-level "www"
|
URI_NO_WWW_INFO_CGI
|
3.280 3.241 3.792 4.100
|
Wiki
|
|
uri
|
|
CGI in .biz TLD other than third-level "www"
|
URI_NO_WWW_BIZ_CGI
|
2.480 2.480 2.867 3.000
|
Wiki
|
|
uri
|
|
CGI with long hostname other fourth-level "www"
|
URI_NO_WWW_ANY_CGI
|
1.070 0.129 1.087 0.161
|
Wiki
|
|
uri
|
|
URI scheme has mixed uppercase and lowercase
|
URI_SCHEME_MIXED_CASE
|
1.920 0.871 1.894 1.841
|
Wiki
|
|
uri
|
|
Domain name containing a "4u" variant
|
DOMAIN_4U2
|
2.160 1.429 2.362 1.994
|
Wiki
|
|
uri
|
|
/^https?:\/\/[^\/]*\&\#(?:\d{4,}| [3456789]\d\d);/i
|
HIGH_CODEPAGE_URI
|
2.5
|
Wiki
|
|
body
|
|
Bayesian spam probability is 0 to 1%
|
BAYES_00
|
0.0001 0.0001 -2.312 -2.599
|
Wiki
|
|
body
|
|
Bayesian spam probability is 1 to 5%
|
BAYES_05
|
0.0001 0.0001 -1.110 -1.110
|
Wiki
|
|
body
|
|
Bayesian spam probability is 5 to 20%
|
BAYES_20
|
0.0001 0.0001 -0.740 -0.740
|
Wiki
|
|
body
|
|
Bayesian spam probability is 20 to 40%
|
BAYES_40
|
0.0001 0.0001 -0.185 -0.185
|
Wiki
|
|
body
|
|
Bayesian spam probability is 40 to 60%
|
BAYES_50
|
0.0001 0.0001 0.001 0.001
|
Wiki
|
|
body
|
|
Bayesian spam probability is 60 to 80%
|
BAYES_60
|
0.0001 0.0001 1.0 1.0
|
Wiki
|
|
body
|
|
Bayesian spam probability is 80 to 95%
|
BAYES_80
|
0.0001 0.0001 2.0 2.0
|
Wiki
|
|
body
|
|
Bayesian spam probability is 95 to 99%
|
BAYES_95
|
0.0001 0.0001 3.0 3.0
|
Wiki
|
|
body
|
|
Bayesian spam probability is 99 to 100%
|
BAYES_99
|
0.0001 0.0001 3.5 3.5
|
Wiki
|
|
header
|
|
Message would have been caught by accessdb
|
ACCESSDB
|
1
|
Wiki
|
|
body
|
|
Message includes Microsoft executable program
|
MICROSOFT_EXECUTABLE
|
0.100
|
Wiki
|
|
body
|
|
MIME filename does not match content
|
MIME_SUSPECT_NAME
|
0.100
|
Wiki
|
|
body
|
es
|
Claims you can be removed in Spanish
|
REMOVE_ES_01
|
1
|
Wiki
|
|
body
|
es
|
Claims you can be removed in Spanish
|
REMOVE_ES_02
|
1
|
Wiki
|
|
body
|
es
|
Claims you can be removed in Spanish
|
REMOVE_ES_03
|
1
|
Wiki
|
|
body
|
es
|
Claims you can be removed in Spanish
|
REMOVE_ES_04
|
1
|
Wiki
|
|
body
|
es
|
If you send an email you will be OptOut
|
REMOVE_ES_05
|
1
|
Wiki
|
|
body
|
es
|
Claims you can opt-out
|
REMOVE_ES_06
|
1
|
Wiki
|
|
body
|
es
|
Claims you can opt-out
|
REMOVE_ES_07
|
1
|
Wiki
|
|
body
|
es
|
Claims you can opt-out
|
REMOVE_ES_08
|
1
|
Wiki
|
|
body
|
es
|
If you want to subscribe...
|
SUBSCRIBE_ES_01
|
1
|
Wiki
|
|
body
|
es
|
Claims not to be spam in Spanish
|
EXCUSE_ES_01
|
1
|
Wiki
|
|
body
|
es
|
Someone fell free to send you a message in Spanish
|
EXCUSE_ES_02
|
1
|
Wiki
|
|
body
|
es
|
Someone requested an spammer to spam you in Spanish
|
EXCUSE_ES_03
|
1
|
Wiki
|
|
body
|
es
|
El correo como alternativa comercial
|
EXCUSE_ES_05
|
1
|
Wiki
|
|
body
|
es
|
Mensaje enviado por error
|
EXCUSE_ES_06
|
1
|
Wiki
|
|
body
|
es
|
No se puede considerar spam
|
EXCUSE_ES_07
|
1
|
Wiki
|
|
body
|
es
|
Para dejar de fumar
|
DEJAR_DE_FUMAR_ES
|
1
|
Wiki
|
|
body
|
es
|
NOS CHILLAN PARA DECIR QUE ES GRATIS
|
GRATIS_ES
|
1.4
|
Wiki
|
|
body
|
es
|
Nos animan a contestar si estamos interesados
|
INTERESADO_ES
|
1
|
Wiki
|
|
body
|
es
|
Dice cumplir con la ley
|
LEY_ORGANICA_ES
|
2.0
|
Wiki
|
|
body
|
es
|
Clama cumplir con la normativa SPAM
|
NORMATIVA_SPAM_ES
|
2.0
|
Wiki
|
|
body
|
es
|
No existe legislación en Chile contra el SPAM
|
LEY_CHILE_ES_01
|
1
|
Wiki
|
|
body
|
es
|
Clama cumplir con la legislación chilena
|
LEY_CHILE_ES_02
|
1
|
Wiki
|
|
body
|
es
|
Inmigración legal (?) a los Estados Unidos
|
TARJETA_VERDE_ES
|
1
|
Wiki
|
|
body
|
es
|
Promocion especial.
|
PROMOCION_ES
|
1
|
Wiki
|
|
body
|
es
|
Alta en buscadores hispanos.
|
ALTA_BUSCADORES_ES
|
1
|
Wiki
|
|
body
|
es
|
IMPERATIVOS/EXCLAMACIONES EN MAYUSCULAS.
|
EXCLAMACION_ES
|
1
|
Wiki
|
|
body
|
es
|
Presentación de un nuevo producto.
|
PRESENTAMOS_ES
|
1
|
Wiki
|
|
body
|
es
|
Pago contra reembolso.
|
CONTRA_REEMBOLSO_ES
|
1
|
Wiki
|
|
body
|
es
|
Para hacer su pedido.
|
PEDIDO_ES
|
1
|
Wiki
|
|
body
|
es
|
Haga click aqui.
|
CLICK_ES
|
1
|
Wiki
|
|
body
|
es
|
Los regalos no existen, salvo de nuestros amigos.
|
REGALO_ES
|
1
|
Wiki
|
|
body
|
es
|
Pueden ser ganadores.
|
GANADORES_ES_01
|
1
|
Wiki
|
|
body
|
es
|
Ha sido ganador.
|
GANADORES_ES_02
|
1
|
Wiki
|
|
body
|
es
|
Porno gratis.
|
PORNO_GRATIS_ES
|
1
|
Wiki
|
|
body
|
es
|
Mas informacion.
|
MAS_INFORMACION_ES
|
1
|
Wiki
|
|
body
|
es
|
Informacion y reserva
|
INFORMACION_RESERVA_ES
|
1
|
Wiki
|
|
body
|
es
|
Conviertete en Spammer.
|
REENVIA_ES
|
1
|
Wiki
|
|
body
|
es
|
No nos envían más spam... seguro que no.
|
NO_MAS_MAIL_1_ES
|
1
|
Wiki
|
|
body
|
es
|
No recibirá este spam otra vez... seguro que no.
|
NO_MAS_MAIL_2_ES
|
1
|
Wiki
|
|
body
|
es
|
Las direcciones fueron obtenidas de internet.
|
COLECTOR_DE_MAILS_ES
|
1
|
Wiki
|
|
body
|
pl
|
/zap.acisz.{1,10}tylko/i
|
PL_ZAPLACISZ_TYLKO
|
1
|
Wiki
|
|
body
|
pl
|
/realiz.{1,20}w.{1,10}ci.gu/i
|
PL_REALIZOWANE_W_CIAGU
|
1
|
Wiki
|
|
body
|
pl
|
/ABSOLUTNA.{0,10}NOWO../i
|
PL_ABSOLUTNA_NOWOSC
|
1
|
Wiki
|
|
body
|
pl
|
/ZAPRASZAMY/
|
PL_ZAPRASZAMY
|
1
|
Wiki
|
|
body
|
pl
|
/ZACHECAM/i
|
PL_ZACHECAMY
|
1
|
Wiki
|
|
body
|
pl
|
/do odwiedzenia/i
|
PL_DO_ODWIEDZENIA
|
1
|
Wiki
|
|
body
|
pl
|
/serdecznie.{0,50}zapraszamy/i
|
PL_SERDECZ_ZAPRASZAMY
|
1
|
Wiki
|
|
body
|
pl
|
/zapraszam.{0,50}korzyst/i
|
PL_ZAPRASZAMY_SKORZYST
|
1
|
Wiki
|
|
body
|
pl
|
/zam.wieni/i
|
PL_ZAMOWIENIE
|
1
|
Wiki
|
|
body
|
pl
|
/bezp.atn/i
|
PL_BEZPLATNIE
|
1
|
Wiki
|
|
body
|
pl
|
/wyprzeda/i
|
PL_WYPRZEDAZ
|
1
|
Wiki
|
|
body
|
pl
|
/najtansz/i
|
PL_NAJTANSZE
|
1
|
Wiki
|
|
body
|
pl
|
/windyk/i
|
PL_WINDYKACJA
|
1
|
Wiki
|
|
body
|
pl
|
/subskrypc/i
|
PL_SUBSKRYPCJA
|
1
|
Wiki
|
|
body
|
pl
|
/promoc/i
|
PL_PROMOCJA
|
1
|
Wiki
|
|
body
|
pl
|
/akcj.{0,20} promoc/i
|
PL_AKCJA_PROMOCJA
|
1
|
Wiki
|
|
body
|
pl
|
/nasz.{0,20} stron/i
|
PL_NASZEJ_STRONIE
|
1
|
Wiki
|
|
body
|
pl
|
/klikn.{0,20} tutaj/i
|
PL_KLIKNIJ_TUTAJ
|
1
|
Wiki
|
|
body
|
pl
|
/odzysk.{0,30} d.ug/i
|
PL_ODZYSK_DLUGOW
|
1
|
Wiki
|
|
body
|
pl
|
/atrakcyjn.{0,30}propozyc/i
|
PL_ATRAKCYJNA_PROP
|
1
|
Wiki
|
|
body
|
pl
|
/nisk.{0,20} cen/i
|
PL_NISKIE_CENY
|
1
|
Wiki
|
|
body
|
pl
|
/dobr.{0,20} cen/i
|
PL_DOBRE_CENY
|
1
|
Wiki
|
|
body
|
pl
|
/atrakcyjn.{0,20} cen/i
|
PL_ATRAKCYJNE_CENY
|
1
|
Wiki
|
|
body
|
pl
|
/najni.{0,50} cen/i
|
PL_NAJNIZ_CENY
|
1
|
Wiki
|
|
body
|
pl
|
/cen.{0,50}tto/i
|
PL_CENY_TTO
|
1
|
Wiki
|
|
body
|
pl
|
/cen.{0,50} wynosi/i
|
PL_CENA_WYNOSI
|
1
|
Wiki
|
|
body
|
pl
|
/cen.{0,50} promoc/i
|
PL_CENA_PROMOCYJNA
|
1
|
Wiki
|
|
body
|
pl
|
/jeszcze .{0,50}dzi/i
|
PL_JESZCZE_DZIS
|
1
|
Wiki
|
|
body
|
pl
|
/zapozn.{0,50} ofert/i
|
PL_ZAPOZNAJ_OFERTA
|
1
|
Wiki
|
|
body
|
pl
|
/specjaln.{0,50}ofert/i
|
PL_SPEC_OFERTA
|
1
|
Wiki
|
|
body
|
pl
|
/ now.{0,50} ofert/i
|
PL_NOWYCH_OFERTA
|
1
|
Wiki
|
|
body
|
pl
|
/przesy.{0,50}ofert/i
|
PL_PRZES_OFERTE
|
1
|
Wiki
|
|
body
|
pl
|
/szer.{0,50} ofert/i
|
PL_NAJSZERSZA_OFERTA
|
1
|
Wiki
|
|
body
|
pl
|
/ofert.{0,50} cen/i
|
PL_OFERTA_CENOWA
|
1
|
Wiki
|
|
body
|
pl
|
/ofert.{0,50} promoc/i
|
PL_OFERTA_PROMOCYJNA
|
1
|
Wiki
|
|
body
|
pl
|
/ofer.{0,50} pa.stwu/i
|
PL_OFERUJEMY_PANSTWU
|
1
|
Wiki
|
|
body
|
pl
|
/posiadam.{0,50} ofer/i
|
PL_POSIADAMY_W_OFERCIE
|
1
|
Wiki
|
|
body
|
pl
|
/GDZIE.{0,50}KUPI/i
|
PL_GDZIEKUPIC
|
1
|
Wiki
|
|
body
|
pl
|
/nasz.{0,50} ofert/i
|
PL_NASZ_OFERT
|
1
|
Wiki
|
|
body
|
pl
|
/nasz.{0,50} firm/i
|
PL_NASZ_FIRMA
|
1
|
Wiki
|
|
body
|
pl
|
/www\.adresy\.org/i
|
PL_WWW_ADRESY_ORG
|
1
|
Wiki
|
|
body
|
pl
|
/www\.perswazja\.pl/i
|
PL_PERSWAZJA_PL
|
1
|
Wiki
|
|
body
|
pl
|
/zainteresowan.{0,50}wsp..prac/
|
PL_WSPOLPRACA
|
1
|
Wiki
|
|
body
|
pl
|
/chc.{0,50} zach.ci./i
|
PL_CHCIELIBYSMY
|
1
|
Wiki
|
|
body
|
pl
|
/nie zwlekaj/i
|
PL_NIE_ZWLEKAJ
|
1
|
Wiki
|
|
body
|
pl
|
/twoje pieni.dze/i
|
PL_TWOJE_PIENIADZE
|
1
|
Wiki
|
|
body
|
pl
|
/Katalog zawiera/i
|
PL_KATALOG_ZAWIERA
|
1
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Za zaliczeniem pocztowym...'
|
PL_ZALICZENIE_POCZT
|
1.0
|
Wiki
|
|
body
|
pl
|
Zawiera odnosnik do upowaznienia wyst. faktur VAT
|
PL_UPOWAZNIENIE_VAT
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Je¿eli nie chcesz (otrzymywac)...'
|
PL_JESLI_NIE_CHCESZ
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Je¿eli nie interesuj±...'
|
PL_JEZELI_NIE_INTERES
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Je¿eli ... nie ¿yczycie(sz) sobie'
|
PL_JEZELI_NIE
|
1.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Zamów teraz!!!'
|
PL_ZAMOW_TERAZ
|
2.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'do nabycia u nas'
|
PL_NABYCIA_UNAS
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Wiadomo¶æ nadano jednorazowo...'
|
PL_NADANO_JEDNORAZOWO
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Wiadomo¶æ nadano na podstawie...'
|
PL_NADANO_NA_PODSTAWIE
|
2.0
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'Szanowni Pañstwo'
|
PL_SZANOWNI_PANSTWO
|
1.0
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'Zaprosiæ pañstwa'
|
PL_ZAPROSICI_PANSTWO
|
1.5
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'odes³anie z dopiskiem NIE'
|
PL_DOPISKIEM_NIE
|
1.5
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'Artykul 25 ust 2 punkt 2'
|
PL_ARTYKUL_USTAWY
|
1.5
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'Ustawy o ochronie danych osobowych'
|
PL_DANE_OSOBOWE
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'e-mail publicznie dostepnych...'
|
PL_ADRESOW_PUBLICZ
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'publicznie dostêpny (email)'
|
PL_PUBL_DOSTEPNY
|
1.5
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'adres e-mail zostal...'
|
PL_ADRES_EMAIL
|
2.0
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'adres ... pochodzi z ogólno...'
|
PL_ADRES_EMAIL_3
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'przepraszamy za zajêty czas'
|
PL_ZAJETY_CZAS
|
2.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Niezainteresowanych przepraszamy'
|
PL_NIEZAINTERESOWANYCH
|
2.5
|
Wiki
|
|
body
|
pl
|
Tre¶æ jest od wydawnictwa Verlag Dashofer
|
PL_DASHOFER
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Prosimy o przes³anie pustego maila'
|
PL_PUSTY_MAIL
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Wys³aæ pusty mail'
|
PL_PUSTY_MAIL_2
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Aby usun±æ adres e-mail...'
|
PL_USUNAC_MAIL
|
2.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera '...adres z bazy...'
|
PL_ADRES_Z_BAZY
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'USUN Z BAZY'
|
PL_USUN_Z_BAZY
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera '...mail z tematem...'
|
PL_MAIL_Z_TEMATEM
|
0.8
|
Wiki
|
|
body
|
pl
|
Tresc zawiera '...prosimy o zwrotny e-mail...'
|
PL_PROSBA_O_ZWROTNY
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'temat USUN'
|
PL_TEMAT_USUN
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'kliknij w poni¿szy link'
|
PL_KLIKNIJ_W_LINK
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Zapraszamy do udzialu'
|
PL_ZAPRASZAMY_UDZIAL
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Jezeli wiadomosc doszla wiecej..'
|
PL_JESLI_WIADOMOSC
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Zg³oszenie powinno...'
|
PL_ZGLOSZENIE_POWINNO
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'SZCZEGOLOWE_INFORMACJE..'
|
PL_SZCZEGOLOWE_INFO
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Mamy przyjemnosc..'
|
PL_MAMY_PRZYJEMNOSC
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Prosimy o skladanie na...'
|
PL_PROSIMY_O_SKLADANIE
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'reklama (bez)platna'
|
PL_REKLAMA
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'wystarczy wejsc na strone'
|
PL_WYSTARCZY_WEJSC
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'czas obowiazywania promocji jest'
|
PL_CZAS_OBOWIAZYWANIA
|
2.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'oferta'
|
PL_OFERTA
|
0.4
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Otrzymasz bezplatnie..'
|
PL_OTRZYMASZ_BEZPLATN
|
1.6
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'swoich znajomych i przyjaciol'
|
PL_SWOICH_ZNAJOMYCH
|
0.4
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'dodatkowo dosta(j| ni)esz'
|
PL_DODATKOWO
|
0.6
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'witaj internauto'
|
PL_WITAJ_INTERNAUTO
|
0.4
|
Wiki
|
|
body
|
pl
|
Tresc prawdopodbnie dot. polsko-ukrainskiego spamu
|
PL_POLSKA_UKRAINA
|
0.9
|
Wiki
|
|
body
|
pl
|
Tresc prawdopodbnie dot. polsko-ukrainskiego spamu
|
PL_WSPOL_POLSKA_UKRAIN
|
1.5
|
Wiki
|
|
body
|
pl
|
Prawdopodobnie dotyczy polsko-ukrainskiego spamu
|
PL_KONDERENCJA_UKRAINA
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc prawdopodobnie ze spamem o www.perswazja.pl
|
PL_PERSWAZJA_1
|
1.5
|
Wiki
|
|
body
|
pl
|
Tresc prawdopodobnie ze spamem o www.perswazja.pl
|
PL_PERSWAZJA_2
|
1.5
|
Wiki
|
|
body
|
pl
|
Tresc prawdopodobnie ze spamem o www.perswazja.pl
|
PL_PERSWAZJA_3
|
1.5
|
Wiki
|
|
body
|
pl
|
Tresc prawdopobnie ze spamem o www.perswazja.pl
|
PL_PERSWAZJA_4
|
1.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'na podstawie dostêpnych baz danych'
|
PL_BAZ_DANYCH
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'wyslano jednorazowo'
|
PL_WYSLANY_JEDNORAZOWO
|
1.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'za ... przepraszamy'
|
PL_ZA_PRZEPRASZAM
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'aby wypisac sie z listy'
|
PL_BY_WYPISAC
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'link do wypisania sie z listy...'
|
PL_LINK_NA_DOLE
|
2.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'nie zainteresowany otrzymywaniem..'
|
PL_NIEZAINTERESOWANY
|
2.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Jezeli nie jestes zainteresowany'
|
PL_JEZELI_NIE_ZAINTER
|
1.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Milo nam przedstawic panstwu..'
|
PL_MILO_NAM_PRZEDST
|
1.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'do odwiedzenia strony'
|
PL_DO_ODWIEDZENIA_STR
|
0.9
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Zwracamy sie z pytaniem'
|
PL_ZWRACAMY_Z_PYTANIEM
|
0.9
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'wyra¿asz zgodê na'
|
PL_WYRAZASZ_ZGODE
|
0.4
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'otrzymywanie informacji dotycz'
|
PL_OTRZYMYWANIE_INFOR
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'jednorazowo otrzymac informacje'
|
PL_JEDNORAZ_OTRZYMAC
|
1.0
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'ustawa z dnia 18 lipca 2002'
|
PL_USTAWA18LIPCA2002
|
1.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera 'Dz.U. Nr 144 poz.1204'
|
PL_USTAWA_DZU_144_1204
|
1.5
|
Wiki
|
|
body
|
pl
|
Tresc zawiera '...nie stanowi oferty w rozumieniu'
|
PL_NIE_STANOWI_OFERTY
|
2.5
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'Witamy Pañstwa'
|
PL_WITAMY_PANSTWA
|
0.9
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'koszt udzialu w...'
|
PL_KOSZT_UDZIALU_W
|
0.9
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'koszt wysylki'
|
PL_KOSZT_WYSYLKI
|
0.9
|
Wiki
|
|
body
|
pl
|
Tre¶æ dotyczy prawdopdobnie spamu HOMO CREATORE
|
PL_SPAMER_HOMOCREATORE
|
0.9
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'odeslaniu wniosku na'
|
PL_ODESLANIE_WNIOSKU
|
1.5
|
Wiki
|
|
body
|
pl
|
Tre¶æ prawdopodbnie o SYSTEMIE PROMOCJI GOSP.
|
PL_PROMOCJA_GOSPOD
|
0.9
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'p³atno¶æ przy odbiorze'
|
PL_PRZY_ODBIORZE
|
2.5
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'bli¿sze informacje uzyskasz pod'
|
PL_INFORMACJE_UZYSKASZ
|
0.9
|
Wiki
|
|
body
|
pl
|
Tre¶æ zawiera 'Nie czekaj, dzwoñ!'
|
PL_NIE_CZEKAJ_DZWON
|
2.1
|
Wiki
|
|
full
|
|
Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
|
DCC_CHECK
|
0 1.37 0 2.17
|
Wiki
|
|
header
|
|
Domain Keys Identified Mail: message has a signature
|
DKIM_SIGNED
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys Identified Mail: signature passes verification
|
DKIM_VERIFIED
|
-0.001
|
Wiki
|
|
header
|
|
Domain Keys Identified Mail: policy says domain is testing DK
|
DKIM_POLICY_TESTING
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys Identified Mail: policy says domain signs some mails
|
DKIM_POLICY_SIGNSOME
|
1
|
Wiki
|
|
header
|
|
Domain Keys Identified Mail: policy says domain signs all mails
|
DKIM_POLICY_SIGNALL
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys: message has an unverified signature
|
DK_SIGNED
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys: signature passes verification
|
DK_VERIFIED
|
-0.001
|
Wiki
|
|
header
|
|
Domain Keys: policy says domain is testing DK
|
DK_POLICY_TESTING
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys: policy says domain signs some mails
|
DK_POLICY_SIGNSOME
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys: policy says domain signs all mails
|
DK_POLICY_SIGNALL
|
0.001
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (20 bits)
|
HASHCASH_20
|
-0.500
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (21 bits)
|
HASHCASH_21
|
-0.700
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (22 bits)
|
HASHCASH_22
|
-1.000
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (23 bits)
|
HASHCASH_23
|
-2.000
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (24 bits)
|
HASHCASH_24
|
-3.000
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (25 bits)
|
HASHCASH_25
|
-4.000
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (>25 bits)
|
HASHCASH_HIGH
|
-5.000
|
Wiki
|
|
header
|
|
Hashcash token already spent in another mail
|
HASHCASH_2SPEND
|
0.100
|
Wiki
|
|
full
|
|
Listed in Pyzor (http://pyzor.sf.net/)
|
PYZOR_CHECK
|
0 2.834 0 3.700
|
Wiki
|
|
full
|
|
Listed in Razor2 (http://razor.sf.net/)
|
RAZOR2_CHECK
|
0 0.5 0 0.5
|
Wiki
|
|
full
|
|
Razor2 gives confidence level above 50%
|
RAZOR2_CF_RANGE_51_100
|
0 0.5 0 0.5
|
Wiki
|
|
full
|
|
Razor2 gives engine 4 confidence level above 50%
|
RAZOR2_CF_RANGE_E4_51_100
|
0 1.5 0 1.5
|
Wiki
|
|
full
|
|
Razor2 gives engine 8 confidence level above 50%
|
RAZOR2_CF_RANGE_E8_51_100
|
0 1.5 0 1.5
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_MEDS
|
2.812 2.873 3.330 3.600
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_CHEAP
|
2.036 1.821 2.462 1.996
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_PENIS
|
1.967 2.062 2.405 2.532
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_TION
|
1.590 1.468 1.856 2.080
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_AFFORDABLE
|
1.840 1.840 2.035 2.199
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_AMBIEN
|
0 0.454 0.367 0.416
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_BILLION
|
2.400 0.914 2.727 1.925
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_CELEBREX
|
2.320 2.221 2.683 2.186
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_CPILL
|
1.848 0.881 1.727 0.518
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_CREDIT
|
1.983 1.556 2.538 1.079
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_ERECT
|
2.720 2.640 3.052 3.400
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_FOLLOW
|
0.879 0.790 0.977 0.223
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_GUARANTEE
|
2.880 2.960 3.330 3.658
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MEDICATION
|
2.720 2.720 3.145 3.400
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MILF
|
1.760 1.208 2.035 1.321
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MILLION
|
2.880 2.880 3.330 3.600
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MONEY
|
2.240 2.240 2.590 2.800
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MORTGAGE
|
2.960 2.960 3.423 3.655
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_OBLIGATION
|
2.640 2.555 3.052 3.272
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_OFFERS
|
2.080 1.439 2.405 1.768
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PHARMACY
|
2.560 2.560 2.960 3.200
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PHENT
|
2.560 1.155 2.960 1.799
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PLEASE
|
2.800 2.777 3.146 3.466
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PRESCRIPT
|
2.880 2.880 3.330 3.600
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PRICES
|
2.544 2.531 2.960 3.200
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_REFINANCE
|
2.528 1.512 2.960 2.060
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_REMOVE
|
2.160 2.128 2.498 2.663
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_ROLEX
|
2.193 0.972 2.683 0.514
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_SOFTWARE
|
2.160 2.160 2.498 2.675
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_THOUSANDS
|
2.240 2.240 2.590 2.800
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_TRAMADOL
|
2.160 2.160 2.498 2.700
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VLIUM
|
1.736 0.612 1.691 0.229
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VICODIN
|
2.660 1.595 2.980 1.691
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VIOXX
|
0 0 0.219 0
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VPILL
|
2.153 0.729 2.837 0.924
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_XPILL
|
2.880 2.643 2.731 3.337
|
Wiki
|
|
header
|
|
SPF: sender matches SPF record
|
SPF_PASS
|
-0.001
|
Wiki
|
|
header
|
|
SPF: sender does not match SPF record (neutral)
|
SPF_NEUTRAL
|
0 1.379 0 1.069
|
Wiki
|
|
header
|
|
SPF: sender does not match SPF record (fail)
|
SPF_FAIL
|
0 1.333 0 1.142
|
Wiki
|
|
header
|
|
SPF: sender does not match SPF record (softfail)
|
SPF_SOFTFAIL
|
0 1.470 0 1.384
|
Wiki
|
|
header
|
|
SPF: HELO matches SPF record
|
SPF_HELO_PASS
|
-0.001
|
Wiki
|
|
header
|
|
SPF: HELO does not match SPF record (neutral)
|
SPF_HELO_NEUTRAL
|
1
|
Wiki
|
|
header
|
|
SPF: HELO does not match SPF record (fail)
|
SPF_HELO_FAIL
|
1
|
Wiki
|
|
header
|
|
SPF: HELO does not match SPF record (softfail)
|
SPF_HELO_SOFTFAIL
|
0 2.078 0 2.432
|
Wiki
|
|
body
|
|
Message written in an undesired language
|
UNWANTED_LANGUAGE_BODY
|
2.800
|
Wiki
|
|
body
|
|
Body includes 8 consecutive 8-bit characters
|
BODY_8BITS
|
1.500
|
Wiki
|
|
body
|
|
Contains an URL listed in the SBL blocklist
|
URIBL_SBL
|
0 1.094 0 1.639
|
Wiki
|
|
body
|
|
Contains an URL listed in the SC SURBL blocklist
|
URIBL_SC_SURBL
|
0 3.600 0 4.498
|
Wiki
|
|
body
|
|
Contains an URL listed in the WS SURBL blocklist
|
URIBL_WS_SURBL
|
0 1.533 0 2.140
|
Wiki
|
|
body
|
|
Contains an URL listed in the PH SURBL blocklist
|
URIBL_PH_SURBL
|
0 2.240 0 2.800
|
Wiki
|
|
body
|
|
Contains an URL listed in the OB SURBL blocklist
|
URIBL_OB_SURBL
|
0 2.617 0 3.008
|
Wiki
|
|
body
|
|
Contains an URL listed in the AB SURBL blocklist
|
URIBL_AB_SURBL
|
0 3.306 0 3.812
|
Wiki
|
|
body
|
|
Contains an URL listed in the JP SURBL blocklist
|
URIBL_JP_SURBL
|
0 3.360 0 4.087
|
Wiki
|
|
header
|
|
From: address is in the auto white-list
|
AWL
|
1
|
Wiki
|
|
header
|
|
From: address is in the user's black-list
|
USER_IN_BLACKLIST
|
100.000
|
Wiki
|
|
header
|
|
From: address is in the user's white-list
|
USER_IN_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default white-list
|
USER_IN_DEF_WHITELIST
|
-15.000
|
Wiki
|
|
header
|
|
User is listed in 'blacklist_to'
|
USER_IN_BLACKLIST_TO
|
10.000
|
Wiki
|
|
header
|
|
User is listed in 'whitelist_to'
|
USER_IN_WHITELIST_TO
|
-6.000
|
Wiki
|
|
header
|
|
User is listed in 'more_spam_to'
|
USER_IN_MORE_SPAM_TO
|
-20.000
|
Wiki
|
|
header
|
|
User is listed in 'all_spam_to'
|
USER_IN_ALL_SPAM_TO
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the user's DK whitelist
|
USER_IN_DK_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default DK white-list
|
USER_IN_DEF_DK_WL
|
-7.500
|
Wiki
|
|
header
|
|
From: address is in the user's DKIM whitelist
|
USER_IN_DKIM_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default DKIM white-list
|
USER_IN_DEF_DKIM_WL
|
-7.500
|
Wiki
|
|
header
|
|
From: address is in the user's SPF whitelist
|
USER_IN_SPF_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default SPF white-list
|
USER_IN_DEF_SPF_WL
|
-7.500
|
Wiki
|
|
header
|
|
Subject: contains string in the user's white-list
|
SUBJECT_IN_WHITELIST
|
-100
|
Wiki
|
|
header
|
|
Subject: contains string in the user's black-list
|
SUBJECT_IN_BLACKLIST
|
100
|
Wiki
|
