Built-in Rules
SpamTitan uses an extensive set of first and third-party rules for capturing spam, including this comprehensive set of built-in rules.
GTUBE = Generic Test for Unsolicited Bulk Email
TRACKER_ID = Incorporates a tracking ID number
WEIRD_QUOTING = Weird repeated double-quotation marks
MIME_HTML_ONLY_MULTI = Multipart message only has text/html MIME parts
MIME_CHARSET_FARAWAY = MIME character set indicates a foreign language
EMAIL_ROT13 = Body contains a ROT13-encoded email address
LONGWORDS = Long string of long words
MPART_ALT_DIFF = HTML and text parts are different
MPART_ALT_DIFF_COUNT = HTML and text parts are different
BLANK_LINES_80_90 = Message body has 80-90% blank lines
CHARSET_FARAWAY = Character set indicates a foreign language
MIME_BASE64_BLANKS = Extra blank lines in base64 encoding
MIME_BASE64_TEXT = Message text disguised using base64 encoding
MISSING_MIME_HB_SEP = Missing blank line between MIME header and body
MIME_HTML_MOSTLY = Multipart message mostly text/html MIME
MIME_HTML_ONLY = Message only has text/html MIME parts
MIME_QP_LONG_LINE = Quoted-printable line longer than 76 chars
MIME_BAD_ISO_CHARSET = MIME character set is an unknown ISO charset
HTTPS_IP_MISMATCH = IP to HTTPS link found in HTML
HTTPS_HTTP_MISMATCH = Link presents text as HTTPS://... however the link is to an HTTP://... URL
URI_TRUNCATED = Message contained a URI which was truncated
NO_RECEIVED = Informational: the message has no Received headers
ALL_TRUSTED = Passed through trusted hosts only via SMTP
NO_RELAYS = Informational: the message was not relayed via SMTP
RCVD_IN_SORBS_HTTP = SORBS: sender is open HTTP proxy server
RCVD_IN_SORBS_SOCKS = SORBS: sender is open SOCKS proxy server
RCVD_IN_SORBS_MISC = SORBS: sender is an open proxy server
RCVD_IN_SORBS_SMTP = SORBS: sender is open SMTP relay
RCVD_IN_SORBS_WEB = SORBS: sender is an abusable web server
RCVD_IN_SORBS_BLOCK = SORBS: sender demands to never be tested
RCVD_IN_SORBS_ZOMBIE = SORBS: sender is on a hijacked network
RCVD_IN_SORBS_DUL = SORBS: sent directly from the dynamic IP address
RCVD_IN_SBL = Received via a relay in Spamhaus SBL
RCVD_IN_XBL = Received via a relay in Spamhaus XBL
RCVD_IN_PBL = Received via a relay in Spamhaus PBL
RCVD_IN_SBL_CSS = Received via a relay in Spamhaus SBL-CSS
RCVD_IN_BL_SPAMCOP_NET = Received via a relay in bl.spamcop.net
RCVD_IN_MAPS_RBL = Relay in RBL
RCVD_IN_MAPS_DUL = Relay in DUL
RCVD_IN_MAPS_RSS = Relay in RSS
RCVD_IN_MAPS_OPS = Relay in OPS
RCVD_IN_MAPS_NML = Relay in NML
RCVD_IN_IADB_VOUCHED = ISIPP IADB lists as a vouched-for sender
RCVD_IN_RP_CERTIFIED = Sender in ReturnPath Certified - Contact cert-sa@returnpath.net
RCVD_IN_RP_SAFE = Sender in ReturnPath Safe - Contact safe-sa@returnpath.net
RCVD_IN_RP_RNBL = Relay in RNBL
DKIMDOMAIN_IN_DWL = Signing domain listed in Spamhaus DWL
DKIMDOMAIN_IN_DWL_UNKNOWN = Unrecognized response from Spamhaus DWL
SUBJECT_DRUG_GAP_C = Subject contains a gappy version of 'cialis'
SUBJECT_DRUG_GAP_L = Subject contains a gappy version of 'levitra'
SUBJECT_DRUG_GAP_S = Subject contains a gappy version of 'soma'
SUBJECT_DRUG_GAP_VA = Subject contains a gappy version of 'valium'
SUBJECT_DRUG_GAP_X = Subject contains a gappy version of 'xanax'
DRUG_DOSAGE = Talks about price per dose
DRUG_ED_CAPS = Mentions an E.D. drug
DRUG_ED_SILD = Talks about an E.D. drug using its chemical name
DRUG_ED_GENERIC = Mentions Generic Viagra
DRUG_ED_ONLINE = Fast Viagra Delivery
ONLINE_PHARMACY = Online Pharmacy
NO_PRESCRIPTION = No prescription needed
VIA_GAP_GRA = Attempts to disguise the word 'viagra'
DRUGS_ERECTILE = Refers to an erectile drug
DRUGS_ERECTILE_OBFU = Obfuscated reference to an erectile drug
DRUGS_DIET = Refers to a diet drug
DRUGS_DIET_OBFU = Obfuscated reference to a diet drug
DRUGS_MUSCLE = Refers to a muscle relaxant
DRUGS_ANXIETY = Refers to an anxiety control drug
DRUGS_ANXIETY_OBFU = Obfuscated reference to an anxiety control drug
DRUGS_SMEAR1 = Two or more drugs crammed together into one word
DRUGS_ANXIETY_EREC = Refers to both an erectile and an anxiety drug
DRUGS_SLEEP_EREC = Refers to both an erectile and a sleep aid drug
DRUGS_MANYKINDS = Refers to at least four kinds of drugs
RDNS_DYNAMIC = Delivered to the internal network by host with dynamic-looking rDNS
RDNS_NONE = Delivered to internal network by a host with no rDNS
HELO_STATIC_HOST = Relay HELO'd using static hostname
HELO_DYNAMIC_IPADDR = Relay HELO'd using suspicious hostname (IP addr 1)
HELO_DYNAMIC_DHCP = Relay HELO'd using suspicious hostname (DHCP)
HELO_DYNAMIC_HCC = Relay HELO'd using suspicious hostname (HCC)
HELO_DYNAMIC_ROGERS = Relay HELO'd using suspicious hostname (Rogers)
HELO_DYNAMIC_DIALIN = Relay HELO'd using suspicious hostname (T-Dialin)
HELO_DYNAMIC_HEXIP = Relay HELO'd using suspicious hostname (Hex IP)
HELO_DYNAMIC_SPLIT_IP = Relay HELO'd using suspicious hostname (Split IP)
HELO_DYNAMIC_IPADDR2 = Relay HELO'd using suspicious hostname (IP addr 2)
HELO_DYNAMIC_CHELLO_NL = Relay HELO'd using suspicious hostname (Chello.nl)
HELO_DYNAMIC_HOME_NL = Relay HELO'd using suspicious hostname (Home.nl)
FREEMAIL_REPLYTO = Reply-To/From or Reply-To/body contain different freemails
FREEMAIL_REPLY = From and body contain different freemails
FREEMAIL_FROM = Sender email is commonly abused enduser mail provider
FREEMAIL_ENVFROM_END_DIGIT = Envelope-from freemail username ends in digit
FREEMAIL_REPLYTO_END_DIGIT = Reply-To freemail username ends in digit
FREEMAIL_FORGED_REPLYTO = Freemail in Reply-To, but not From
FRAGMENTED_MESSAGE = Partial message
FROM_BLANK_NAME = From: contains empty name
FROM_STARTS_WITH_NUMS = From: starts with several numbers
FROM_OFFERS = From address is "at something-offers"
FROM_NO_USER = From: has no local-part before @ sign
PLING_QUERY = Subject has an exclamation mark and question mark
MSGID_SPAM_CAPS = Spam tool Message-Id: (caps variant)
MSGID_SPAM_LETTERS = Spam tool Message-Id: (letters variant)
MSGID_RANDY = Message-Id has pattern used in spam
MSGID_YAHOO_CAPS = Message-ID has ALLCAPS@yahoo.com
FORGED_MSGID_AOL = Message-ID is forged, (aol.com)
FORGED_MSGID_EXCITE = Message-ID is forged, (excite.com)
FORGED_MSGID_HOTMAIL = Message-ID is forged, (hotmail.com)
FORGED_MSGID_MSN = Message-ID is forged, (msn.com)
FORGED_MSGID_YAHOO = Message-ID is forged, (yahoo.com)
MSGID_FROM_MTA_HEADER = Message-Id was added by a relay
MSGID_SHORT = Message-ID is unusually short
DATE_SPAMWARE_Y2K = Date header uses unusual Y2K formatting
INVALID_DATE = Invalid Date: header (not RFC 2822)
INVALID_DATE_TZ_ABSURD = Invalid Date: header (timezone does not exist)
INVALID_TZ_CST = Invalid date in header (wrong CST timezone)
INVALID_TZ_EST = Invalid date in the header (wrong EST timezone)
FROM_EXCESS_BASE64 = From: base64 encoded unnecessarily
ENGLISH_UCE_SUBJECT = Subject contains an English UCE tag
JAPANESE_UCE_SUBJECT = Subject contains a Japanese UCE tag
JAPANESE_UCE_BODY = Body contains Japanese UCE tag
KOREAN_UCE_SUBJECT = Subject: contains Korean unsolicited email tag
RCVD_DOUBLE_IP_SPAM = Bulk email fingerprint (double IP) found
RCVD_DOUBLE_IP_LOOSE = Received: by and from look like IP addresses
FORGED_TELESP_RCVD = Contains forged hostname for a DSL IP in Brazil
CONFIRMED_FORGED = Received headers are forged
MULTI_FORGED = Received headers indicate multiple forgeries
NONEXISTENT_CHARSET = Character set doesn't exist
MISSING_MID = Missing Message-Id: header
MISSING_DATE = Missing Date: header
MISSING_SUBJECT = Missing Subject: header
MISSING_FROM = Missing From: header
GAPPY_SUBJECT = Subject: contains G.a.p.p.y-T.e.x.t
PREVENT_NONDELIVERY = Message has Prevent-NonDelivery-Report header
X_IP = Message has X-IP header
MISSING_MIMEOLE = Message has X-MSMail-Priority, but no X-MimeOLE
SUBJ_AS_SEEN = Subject contains "As Seen"
SUBJ_DOLLARS = Subject starts with a dollar amount
SUBJ_YOUR_FAMILY = Subject contains "Your Family"
RCVD_FAKE_HELO_DOTCOM = Received contains a faked HELO hostname
SUBJECT_DIET = Subject talks about losing pounds
MIME_BOUND_DD_DIGITS = Spam tool pattern in MIME boundary
MIME_BOUND_DIGITS_15 = Spam tool pattern in MIME boundary
MIME_BOUND_MANY_HEX = Spam tool pattern in MIME boundary
TO_MALFORMED = To: has a malformed address
MIME_HEADER_CTYPE_ONLY = 'Content-Type' found without required MIME headers
WITH_LC_SMTP = Received line contains spam-sign (lowercase smtp)
SUBJ_BUY = Subject line starts with Buy or Buying
RCVD_AM_PM = Received headers forged (AM/PM)
FAKE_OUTBLAZE_RCVD = Received header contains faked 'mr.outblaze.com'
UNCLOSED_BRACKET = Headers contain an unclosed bracket
FROM_DOMAIN_NOVOWEL = From: domain has a series of non-vowel letters
FROM_LOCAL_NOVOWEL = From: localpart has series of non-vowel letters
FROM_LOCAL_HEX = From: localpart has a long hexadecimal sequence
FROM_LOCAL_DIGITS = From: localpart has long digit sequence
X_PRIORITY_CC = Cc: after X-Priority: (bulk email fingerprint)
BAD_ENC_HEADER = Message has bad MIME encoding in the header
RCVD_ILLEGAL_IP = Received: contains illegal IP address
CHARSET_FARAWAY_HEADER = A foreign language charset used in headers
SUBJ_ILLEGAL_CHARS = Subject: has too many raw illegal characters
FROM_ILLEGAL_CHARS = From: has too many raw illegal characters
HEAD_ILLEGAL_CHARS = Headers have too many raw illegal characters
FORGED_HOTMAIL_RCVD2 = hotmail.com 'From' address, but no 'Received:'
FORGED_YAHOO_RCVD = 'From' yahoo.com does not match 'Received' headers
SORTED_RECIPS = Recipient list is sorted by address
SUSPICIOUS_RECIPS = Similar addresses in the recipient list
MISSING_HEADERS = Missing To: header
DATE_IN_PAST_03_06 = Date: is 3 to 6 hours before Received: date
DATE_IN_PAST_06_12 = Date: is 6 to 12 hours before Received: date
DATE_IN_PAST_12_24 = Date: is 12 to 24 hours before Received: date
DATE_IN_PAST_24_48 = Date: is 24 to 48 hours before Received: date
DATE_IN_PAST_96_XX = Date: is 96 hours or more before Received: date
DATE_IN_FUTURE_03_06 = Date: is 3 to 6 hours after Received: date
DATE_IN_FUTURE_06_12 = Date: is 6 to 12 hours after Received: date
DATE_IN_FUTURE_12_24 = Date: is 12 to 24 hours after Received: date
DATE_IN_FUTURE_24_48 = Date: is 24 to 48 hours after Received: date
DATE_IN_FUTURE_48_96 = Date: is 48 to 96 hours after Received: date
DATE_IN_FUTURE_96_XX = Date: is 96 hours or more after Received: date
UNRESOLVED_TEMPLATE = Headers contain an unresolved template
SUBJ_ALL_CAPS = Subject is all capitals
LOCALPART_IN_SUBJECT = Local part of To: address appears in Subject
MSGID_OUTLOOK_INVALID = Message-Id is fake (in Outlook Express format)
HEADER_COUNT_CTYPE = Multiple Content-Type headers found
HEAD_LONG = Message headers are very long
MISSING_HB_SEP = Missing blank line between message header and body
UNPARSEABLE_RELAY = Informational: message has unparseable relay lines
RCVD_HELO_IP_MISMATCH = Received: HELO and IP do not match, but should
RCVD_NUMERIC_HELO = Received: contains an IP address used for HELO
NO_RDNS_DOTCOM_HELO = Host HELO'd as a big ISP, but had no rDNS
HTML_SHORT_LINK_IMG_1 = HTML is very short with a linked image
HTML_SHORT_LINK_IMG_2 = HTML is very short with a linked image
HTML_SHORT_LINK_IMG_3 = HTML is very short with a linked image
HTML_SHORT_CENTER = HTML is very short with CENTER tag
HTML_CHARSET_FARAWAY = A foreign language charset used in HTML markup
HTML_MIME_NO_HTML_TAG = HTML-only message, but there is no HTML tag
HTML_MISSING_CTYPE = Message is HTML without HTML Content-Type
HIDE_WIN_STATUS = Javascript to hide URLs in browser
OBFUSCATING_COMMENT = HTML comments which obfuscate text
JS_FROMCHARCODE = Document is built from a Javascript charcode array
HTML_MESSAGE = HTML included in message
HTML_COMMENT_SHORT = HTML comment is very short
HTML_COMMENT_SAVED_URL = HTML message is a saved web page
HTML_EMBEDS = HTML with embedded plugin object
HTML_EXTRA_CLOSE = HTML contains far too many close tags
HTML_FONT_SIZE_LARGE = HTML font size is large
HTML_FONT_SIZE_HUGE = HTML font size is huge
HTML_FONT_LOW_CONTRAST = HTML font color similar or identical to background
HTML_FONT_FACE_BAD = HTML font face is not a word
HTML_FORMACTION_MAILTO = HTML includes a form which sends mail
HTML_IMAGE_ONLY_04 = HTML: images with 0-400 bytes of words
HTML_IMAGE_ONLY_08 = HTML: images with 400-800 bytes of words
HTML_IMAGE_ONLY_12 = HTML: images with 800-1200 bytes of words
HTML_IMAGE_ONLY_16 = HTML: images with 1200-1600 bytes of words
HTML_IMAGE_ONLY_20 = HTML: images with 1600-2000 bytes of words
HTML_IMAGE_ONLY_24 = HTML: images with 2000-2400 bytes of words
HTML_IMAGE_ONLY_28 = HTML: images with 2400-2800 bytes of words
HTML_IMAGE_ONLY_32 = HTML: images with 2800-3200 bytes of words
HTML_IMAGE_RATIO_02 = HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_04 = HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_06 = HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_08 = HTML has a low ratio of text to image area
HTML_OBFUSCATE_05_10 = Message is 5% to 10% HTML obfuscation
HTML_OBFUSCATE_10_20 = Message is 10% to 20% HTML obfuscation
HTML_OBFUSCATE_20_30 = Message is 20% to 30% HTML obfuscation
HTML_OBFUSCATE_30_40 = Message is 30% to 40% HTML obfuscation
HTML_OBFUSCATE_50_60 = Message is 50% to 60% HTML obfuscation
HTML_OBFUSCATE_70_80 = Message is 70% to 80% HTML obfuscation
HTML_OBFUSCATE_90_100 = Message is 90% to 100% HTML obfuscation
HTML_TAG_BALANCE_BODY = HTML has unbalanced "body" tags
HTML_TAG_BALANCE_HEAD = HTML has unbalanced "head" tags
HTML_TAG_EXIST_BGSOUND = HTML has "bgsound" tag
HTML_BADTAG_40_50 = HTML message is 40% to 50% bad tags
HTML_BADTAG_50_60 = HTML message is 50% to 60% bad tags
HTML_BADTAG_60_70 = HTML message is 60% to 70% bad tags
HTML_BADTAG_90_100 = HTML message is 90% to 100% bad tags
HTML_NONELEMENT_30_40 = 30% to 40% of HTML elements are non-standard
HTML_NONELEMENT_40_50 = 40% to 50% of HTML elements are non-standard
HTML_NONELEMENT_60_70 = 60% to 70% of HTML elements are non-standard
HTML_NONELEMENT_80_90 = 80% to 90% of HTML elements are non-standard
HTML_IFRAME_SRC = Message has HTML IFRAME tag with SRC URI
DC_GIF_UNO_LARGO = Message contains a single large gif image
DC_PNG_UNO_LARGO = Message contains a single large png image
DC_IMAGE_SPAM_TEXT = Possible Image-only spam with little text
DC_IMAGE_SPAM_HTML = Possible Image-only spam
RCVD_IN_MSPIKE_L5 = Very bad reputation (-5)
RCVD_IN_MSPIKE_L4 = Bad reputation (-4)
RCVD_IN_MSPIKE_L3 = Low reputation (-3)
RCVD_IN_MSPIKE_L2 = Suspicious reputation (-2)
RCVD_IN_MSPIKE_H5 = Excellent reputation (+5)
RCVD_IN_MSPIKE_H4 = Very Good reputation (+4)
RCVD_IN_MSPIKE_H3 = Good reputation (+3)
RCVD_IN_MSPIKE_H2 = Average reputation (+2)
RCVD_IN_MSPIKE_BL = Mailspike blocked
RCVD_IN_MSPIKE_WL = Mailspike good senders
UPPERCASE_50_75 = message body is 50-75% uppercase
UPPERCASE_75_100 = message body is 75-100% uppercase
INVALID_MSGID = Message-Id is not valid, according to RFC 2822
FORGED_MUA_MOZILLA = Forged mail pretending to be from Mozilla
PERCENT_RANDOM = Message has a random macro in it
EMPTY_MESSAGE = Message appears to have no textual parts and no Subject: text
NO_HEADERS_MESSAGE = Message appears to be missing most RFC-822 headers
DIGEST_MULTIPLE = Message hits more than one network digest check
NO_DNS_FOR_FROM = Envelope sender has no MX or A DNS records
GMD_PDF_HORIZ = Contains pdf 100-240 (high) x 450-800 (wide)
GMD_PDF_SQUARE = Contains pdf 180-360 (high) x 180-360 (wide)
GMD_PDF_VERT = Contains pdf 450-800 (high) x 100-240 (wide)
GMD_PRODUCER_GPL = PDF producer was GPL Ghostscript
GMD_PRODUCER_POWERPDF = PDF producer was PowerPDF
GMD_PRODUCER_EASYPDF = PDF producer was BCL easyPDF
GMD_PDF_ENCRYPTED = Attached PDF is encrypted
GMD_PDF_EMPTY_BODY = Attached PDF with empty message body
REMOVE_BEFORE_LINK = Removal phrase right before a link
GUARANTEED_100_PERCENT = One hundred percent guaranteed
DEAR_FRIEND = Dear Friend? That's not very dear!
DEAR_SOMETHING = Contains 'Dear (something)'
BILLION_DOLLARS = Talks about lots of money
EXCUSE_4 = Claims you can be removed from the list
EXCUSE_REMOVE = Talks about how to be removed from mailings
STRONG_BUY = Tells you about a strong buy
STOCK_ALERT = Offers an alert about a stock
NOT_ADVISOR = Not registered investment advisor
PREST_NON_ACCREDITED = 'Prestigious Non-Accredited Universities'
BODY_ENHANCEMENT = Information on growing body parts
BODY_ENHANCEMENT2 = Information on getting larger body parts
IMPOTENCE = Impotence cure
URG_BIZ = Contains urgent matter
MONEY_BACK = Money back guarantee
FREE_QUOTE_INSTANT = Free express or no-obligation quote
BAD_CREDIT = Eliminate Bad Credit
REFINANCE_YOUR_HOME = Home refinancing
REFINANCE_NOW = Home refinancing
NO_MEDICAL = No Medical Exams
DIET_1 = Lose Weight Spam
FIN_FREE = Freedom of a financial nature
FORWARD_LOOKING = Stock Disclaimer Statement
ONE_TIME = One Time Rip Off
JOIN_MILLIONS = Join Millions of Americans
MARKETING_PARTNERS = Claims you registered with a partner
LOW_PRICE = Lowest Price
UNCLAIMED_MONEY = People just leave money laying around
OBSCURED_EMAIL = Message seems to contain rot13ed address
BANG_OPRAH = Talks about Oprah with an exclamation!
ACT_NOW_CAPS = Talks about 'acting now' with capitals
MORE_SEX = Talks about a bigger drive for sex
BANG_GUAR = Something is emphatically guaranteed
RUDE_HTML = Spammer message says you need an HTML mailer
INVESTMENT_ADVICE = Message mentions investment advice
MALE_ENHANCE = Message talks about enhancing men
PRICES_ARE_AFFORDABLE = Message says that prices aren't too expensive
REPLICA_WATCH = Message talks about a replica watch
EM_ROLEX = Message puts emphasis on the watch manufacturer
FREE_PORN = Possible porn - Free Porn
CUM_SHOT = Possible porn - Cum Shot
LIVE_PORN = Possible porn - Live Porn
SUBJECT_SEXUAL = Subject indicates sexually-explicit content
RATWARE_EGROUPS = Bulk email fingerprint (eGroups) found
RATWARE_OE_MALFORMED = X-Mailer has malformed Outlook Express version
RATWARE_MOZ_MALFORMED = Bulk email fingerprint (Mozilla malformed) found
RATWARE_MPOP_WEBMAIL = Bulk email fingerprint (mPOP Web-Mail)
FORGED_MUA_IMS = Forged mail pretending to be from IMS
FORGED_MUA_OUTLOOK = Forged mail pretending to be from MS Outlook
FORGED_MUA_OIMO = Forged mail pretending to be from MS Outlook IMO
FORGED_MUA_EUDORA = Forged mail pretending to be from Eudora
FORGED_MUA_THEBAT_CS = Mail pretending to be from The Bat! (charset)
FORGED_MUA_THEBAT_BOUN = Mail pretending to be from The Bat! (boundary)
FORGED_OUTLOOK_HTML = Outlook can't send HTML message only
FORGED_IMS_HTML = IMS can't send HTML message only
FORGED_THEBAT_HTML = The Bat! can't send HTML message only
REPTO_QUOTE_AOL = AOL doesn't do quoting like this
REPTO_QUOTE_IMS = IMS doesn't do quoting like this
REPTO_QUOTE_MSN = MSN doesn't do quoting like this
REPTO_QUOTE_QUALCOMM = Qualcomm/Eudora doesn't do quoting like this
REPTO_QUOTE_YAHOO = Yahoo! doesn't do quoting like this
FORGED_QUALCOMM_TAGS = QUALCOMM mailers can't send HTML in this format
FORGED_IMS_TAGS = IMS mailers can't send HTML in this format
FORGED_OUTLOOK_TAGS = Outlook can't send HTML in this format
RATWARE_HASH_DASH = Contains a hashbuster in Send-Safe format
RATWARE_ZERO_TZ = Bulk email fingerprint (+0000) found
X_MESSAGE_INFO = Bulk email fingerprint (X-Message-Info) found
HEADER_SPAM = Bulk email fingerprint (header-based) found
RATWARE_RCVD_PF = Bulk email fingerprint (Received PF) found
RATWARE_RCVD_AT = Bulk email fingerprint (Received @) found
RATWARE_OUTLOOK_NONAME = Bulk email fingerprint (Outlook no name) found
RATWARE_MS_HASH = Bulk email fingerprint (msgid ms hash) found
RATWARE_NAME_ID = Bulk email fingerprint (msgid from) found
RATWARE_EFROM = Bulk email fingerprint (envfrom) found
NUMERIC_HTTP_ADDR = Uses a numeric IP address in URL
HTTP_ESCAPED_HOST = Uses %-escapes inside a URL's hostname
HTTP_EXCESSIVE_ESCAPES = Completely unnecessary %-escapes inside a URL
IP_LINK_PLUS = Dotted-decimal IP address followed by CGI
WEIRD_PORT = Uses non-standard port number for HTTP
YAHOO_RD_REDIR = Has Yahoo Redirect URI
YAHOO_DRS_REDIR = Has Yahoo Redirect URI
HTTP_77 = Contains a URL-encoded hostname (HTTP77)
SPOOF_COM2OTH = URI contains ".com" in middle
SPOOF_COM2COM = URI contains ".com" in middle and end
SPOOF_NET2COM = URI contains ".net" or ".org", then ".com"
URI_HEX = URI hostname has a long hexadecimal sequence
URI_NOVOWEL = URI hostname has a long non-vowel sequence
URI_UNSUBSCRIBE = URI contains suspicious unsubscribe link
URI_NO_WWW_INFO_CGI = CGI in .info TLD other than third-level "www"
URI_NO_WWW_BIZ_CGI = CGI in .biz TLD other than third-level "www"
NORMAL_HTTP_TO_IP = URI host has a public dotted-decimal IPv4 address
BOUNCE_MESSAGE = MTA bounce message
CHALLENGE_RESPONSE = Challenge-Response message for mail you sent
CRBOUNCE_MESSAGE = Challenge-Response bounce message
VBOUNCE_MESSAGE = Virus-scanner bounce message
ANY_BOUNCE_MESSAGE = Message is some kind of bounce message
ACCESSDB = Message would have been caught by accessdb
MICROSOFT_EXECUTABLE = Message includes Microsoft executable program
MIME_SUSPECT_NAME = MIME filename does not match content
DCC_CHECK = Detected as bulk mail by DCC (dcc-servers.net)
DCC_REPUT_00_12 = DCC reputation between 0 and 12 % (mostly ham)
DCC_REPUT_70_89 = DCC reputation between 70 and 89 %
DCC_REPUT_90_94 = DCC reputation between 90 and 94 %
DCC_REPUT_95_98 = DCC reputation between 95 and 98 % (mostly spam)
DCC_REPUT_99_100 = DCC reputation of 99 % or higher (spam)
DKIM_SIGNED = Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID = Message has at least one valid DKIM or DK signature
DKIM_VALID_AU = Message has a valid DKIM or DK signature from author's domain
DKIM_ADSP_NXDOMAIN = No valid author signature, and domain not in DNS
DKIM_ADSP_DISCARD = No valid author signature, domain signs all mail and suggests discarding the rest
DKIM_ADSP_ALL = No valid author signature, domain signs all mail
DKIM_ADSP_CUSTOM_LOW = No valid author signature, adsp_override is CUSTOM_LOW
DKIM_ADSP_CUSTOM_MED = No valid author signature, adsp_override is CUSTOM_MED
DKIM_ADSP_CUSTOM_HIGH = No valid author signature, adsp_override is CUSTOM_HIGH
NML_ADSP_CUSTOM_LOW = ADSP custom_low hit, and not from a mailing list
NML_ADSP_CUSTOM_MED = ADSP custom_med hit, and not from a mailing list
NML_ADSP_CUSTOM_HIGH = ADSP custom_high hit, and not from a mailing list
HASHCASH_20 = Contains valid Hashcash token (20 bits)
HASHCASH_21 = Contains valid Hashcash token (21 bits)
HASHCASH_22 = Contains valid Hashcash token (22 bits)
HASHCASH_23 = Contains valid Hashcash token (23 bits)
HASHCASH_24 = Contains valid Hashcash token (24 bits)
HASHCASH_25 = Contains valid Hashcash token (25 bits)
HASHCASH_HIGH = Contains valid Hashcash token (>25 bits)
HASHCASH_2SPEND = Hashcash token already spent in another mail
SUBJECT_FUZZY_MEDS = Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_VPILL = Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_CHEAP = Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_PENIS = Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_TION = Attempt to obfuscate words in Subject:
FUZZY_AFFORDABLE = Attempt to obfuscate words in spam
FUZZY_AMBIEN = Attempt to obfuscate words in spam
FUZZY_BILLION = Attempt to obfuscate words in spam
FUZZY_CPILL = Attempt to obfuscate words in spam
FUZZY_CREDIT = Attempt to obfuscate words in spam
FUZZY_ERECT = Attempt to obfuscate words in spam
FUZZY_GUARANTEE = Attempt to obfuscate words in spam
FUZZY_MEDICATION = Attempt to obfuscate words in spam
FUZZY_MILLION = Attempt to obfuscate words in spam
FUZZY_MONEY = Attempt to obfuscate words in spam
FUZZY_MORTGAGE = Attempt to obfuscate words in spam
FUZZY_OBLIGATION = Attempt to obfuscate words in spam
FUZZY_OFFERS = Attempt to obfuscate words in spam
FUZZY_PHARMACY = Attempt to obfuscate words in spam
FUZZY_PHENT = Attempt to obfuscate words in spam
FUZZY_PRESCRIPT = Attempt to obfuscate words in spam
FUZZY_PRICES = Attempt to obfuscate words in spam
FUZZY_REFINANCE = Attempt to obfuscate words in spam
FUZZY_REMOVE = Attempt to obfuscate words in spam
FUZZY_ROLEX = Attempt to obfuscate words in spam
FUZZY_SOFTWARE = Attempt to obfuscate words in spam
FUZZY_THOUSANDS = Attempt to obfuscate words in spam
FUZZY_VLIUM = Attempt to obfuscate words in spam
FUZZY_VIOXX = Attempt to obfuscate words in spam
FUZZY_VPILL = Attempt to obfuscate words in spam
FUZZY_XPILL = Attempt to obfuscate words in spam
SPF_PASS = SPF: sender matches SPF record
SPF_NEUTRAL = SPF: sender does not match SPF record (neutral)
SPF_FAIL = SPF: sender does not match SPF record (fail)
SPF_SOFTFAIL = SPF: sender does not match SPF record (softfail)
SPF_HELO_PASS = SPF: HELO matches SPF record
SPF_HELO_NEUTRAL = SPF: HELO does not match SPF record (neutral)
SPF_HELO_FAIL = SPF: HELO does not match SPF record (fail)
SPF_HELO_SOFTFAIL = SPF: HELO does not match SPF record (softfail)
SPF_NONE = SPF: sender does not publish an SPF Record
SPF_HELO_NONE = SPF: HELO does not publish an SPF Record
UNWANTED_LANGUAGE_BODY = Message written in an undesired language
BODY_8BITS = Body includes 8 consecutive 8-bit characters
URIBL_SBL = Contains a URL's NS IP listed in the SBL blocklist
URIBL_DBL_SPAM = Contains a spam URL listed in the DBL blocklist
URIBL_DBL_PHISH = Contains a Phishing URL listed in the DBL blocklist
URIBL_DBL_MALWARE = Contains a malware URL listed in the DBL blocklist
URIBL_DBL_BOTNETCC = Contains a botnet C&C URL listed in the DBL blocklist
URIBL_DBL_ABUSE_SPAM = Contains an abused spamvertized URL listed in the DBL blocklist
URIBL_DBL_ABUSE_REDIR = Contains an abused redirector URL listed in the DBL blocklist
URIBL_DBL_ABUSE_PHISH = Contains an abused phishing URL listed in the DBL blocklist
URIBL_DBL_ABUSE_MALW = Contains an abused malware URL listed in the DBL blocklist
URIBL_DBL_ABUSE_BOTCC = Contains an abused botnet C&C URL listed in the DBL blocklist
URIBL_DBL_ERROR = Error: queried the DBL blocklist for an IP
URIBL_WS_SURBL = Contains a URL listed in the WS SURBL blocklist
URIBL_PH_SURBL = Contains a URL listed in the PH SURBL blocklist
URIBL_MW_SURBL = Contains a URL listed in the MW SURBL blocklist
URIBL_CR_SURBL = Contains a URL listed in the CR SURBL blocklist
URIBL_ABUSE_SURBL = Contains a URL listed in the ABUSE SURBL blocklist
SURBL_BLOCKED = ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists/#dnsbl-block for more information.
URIBL_BLACK = Contains a URL listed in the URIBL block list
URIBL_GREY = Contains a URL listed in the URIBL greylist
URIBL_RED = Contains a URL listed in the URIBL redlist
URIBL_BLOCKED = ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists/#dnsbl-block for more information.
AWL = Adjusted score from AWL reputation of From: address
SHORTCIRCUIT = Not all rules were run, due to a shortcircuited rule
TXREP = Score normalizing based on the sender's reputation
USER_IN_BLACKLIST = From: address is in the user's block list
USER_IN_WHITELIST = From: address is in the user's allow list
USER_IN_DEF_WHITELIST = From: address is in the default allow list
USER_IN_BLACKLIST_TO = User is listed in 'blacklist_to'
USER_IN_WHITELIST_TO = User is listed in 'whitelist_to'
USER_IN_MORE_SPAM_TO = User is listed in 'more_spam_to'
USER_IN_ALL_SPAM_TO = User is listed in 'all_spam_to'
URI_HOST_IN_BLACKLIST = host or domain listed in the URI block list
URI_HOST_IN_WHITELIST = host or domain listed in the URI allow list
HEADER_HOST_IN_BLACKLIST = Blocked header host or domain
HEADER_HOST_IN_WHITELIST = Allowed header host or domain
USER_IN_DKIM_WHITELIST = From: address is in the user's DKIM allow list
USER_IN_DEF_DKIM_WL = From: address is in the default DKIM allow list
USER_IN_SPF_WHITELIST = From: address is in the user's SPF allow list
USER_IN_DEF_SPF_WL = From: address is in the default SPF allow list
ENV_AND_HDR_SPF_MATCH = Env and Hdr From used in default SPF WL Match
SUBJECT_IN_WHITELIST = Subject: contains string in the user's allow list
SUBJECT_IN_BLACKLIST = Subject: contains a string in the user's block list
AC_BR_BONANZA = Too many newlines in a row... spammy template
AC_DIV_BONANZA = Too many divs in a row... spammy template
AC_HTML_NONSENSE_TAGS = Many consecutive multi-letter HTML tags, likely nonsense/spam
AC_SPAMMY_URI_PATTERNS1 = link combos match highly spammy template
AC_SPAMMY_URI_PATTERNS10 = link combos match highly spammy template
AC_SPAMMY_URI_PATTERNS11 = link combos match highly spammy template
AC_SPAMMY_URI_PATTERNS12 = link combos match highly spammy template
AC_SPAMMY_URI_PATTERNS2 = link combos match highly spammy template
AC_SPAMMY_URI_PATTERNS3 = link combos match highly spammy template
AC_SPAMMY_URI_PATTERNS4 = link combos match highly spammy template
AC_SPAMMY_URI_PATTERNS8 = link combos match highly spammy template
AC_SPAMMY_URI_PATTERNS9 = link combos match highly spammy template
ADMAIL = "admail" and variants
ADMITS_SPAM = Admits this is an ad
ADVANCE_FEE_2_NEW_FORM = Advance Fee fraud and a form
ADVANCE_FEE_2_NEW_MONEY = Advance Fee fraud and lots of money
ADVANCE_FEE_3_NEW = Appears to be advance fee fraud (Nigerian 419)
ADVANCE_FEE_3_NEW_FORM = Advance Fee fraud and a form
ADVANCE_FEE_3_NEW_MONEY = Advance Fee fraud and lots of money
ADVANCE_FEE_4_NEW = Appears to be advance fee fraud (Nigerian 419)
ADVANCE_FEE_4_NEW_MONEY = Advance Fee fraud and lots of money
ADVANCE_FEE_5_NEW_FRM_MNY = Advance Fee fraud form and lots of money
ADVANCE_FEE_5_NEW_MONEY = Advance Fee fraud and lots of money
AD_PREFS = Advertising preferences
APOSTROPHE_FROM = From address contains an apostrophe
AXB_XMAILER_MIMEOLE_OL_024C2 = Yet another X header trait
AXB_XMAILER_MIMEOLE_OL_1ECD5 = Yet another X header trait
AXB_X_FF_SEZ_S = Forefront sez this is spam
BANKING_LAWS = Talks about banking laws
BASE64_LENGTH_79_INF = base64 encoded email part uses line length of 78 or 79 characters
BASE64_LENGTH_79_INF = base64 encoded email part uses line length greater than 79 characters
BODY_SINGLE_URI = Message body is only a URI
BODY_SINGLE_WORD = Message body is only one word (no spaces)
BODY_URI_ONLY = Message body is only a URI in one line of text or for an image
BOGUS_MSM_HDRS = Apparently bogus Microsoft email headers
CANT_SEE_AD = You really want to see our spam.
CK_HELO_DYNAMIC_SPLIT_IP = Relay HELO'd using a suspicious hostname (Split IP)
CK_HELO_GENERIC = Relay used name indicative of a Dynamic Pool or Generic rPTR
CN_B2B_SPAMMER = Chinese company introducing itself
COMMENT_GIBBERISH = Nonsense in long HTML comment
COMPENSATION = "Compensation"
CORRUPT_FROM_LINE_IN_HDRS = Informational: the message is corrupt, with a From line in its headers
CTYPE_8SPACE_GIF = Stock spam image part 'Content-Type' found (8 spc)
DATE_IN_FUTURE_96_Q = Date: is 4 days to 4 months after Received: date
DEAR_BENEFICIARY = Dear Beneficiary:
DEAR_WINNER = Spam with a generic salutation of "dear winner"
DOS_ANAL_SPAM_MAILER = X-mailer pattern common to anal porn site spam
DOS_FIX_MY_URI = Looks like a "fix my obfu'd URI please" spam
DOS_HIGH_BAT_TO_MX = The Bat! Direct to MX with High Bits
DOS_LET_GO_JOB = Let go from their job and now makes lots of dough!
DOS_OE_TO_MX = Delivered directly to MX with OE headers
DOS_OE_TO_MX_IMAGE = Direct to MX with OE headers and an image
DOS_OUTLOOK_TO_MX = Delivered directly to MX with Outlook headers
DOS_RCVD_IP_TWICE_C = Received from the same IP twice in a row (only one external relay; empty or IP helo)
DOS_STOCK_BAT = Probable pump and dump stock spam
DOS_URI_ASTERISK = Found an asterisk in a URI
DOS_YOUR_PLACE = Russian dating spam
DRUGS_HDIA = Subject mentions "hoodia"
DRUGS_STOCK_MIMEOLE = Stock-spam forged headers found (5510)
DX_TEXT_01 = "message status"
DX_TEXT_02 = "change your message stat"
DX_TEXT_03 = "XXX Media Group"
DYN_RDNS_AND_INLINE_IMAGE = Contains image, and was sent by dynamic rDNS
DYN_RDNS_SHORT_HELO_HTML = Sent by dynamic rDNS, short HELO, and HTML
DYN_RDNS_SHORT_HELO_IMAGE = Short HELO string, dynamic rDNS, inline image
ENCRYPTED_MESSAGE = Message is encrypted, not likely to be spam
EXCUSE_24 = Claims you wanted this ad
FBI_MONEY = The FBI wants to give you lots of money?
FBI_SPOOF = Claims to be FBI, but not from FBI domain
FORM_FRAUD = Fill a form and a fraud phrase
FORM_FRAUD_3 = Fill a form and several fraud phrases
FORM_FRAUD_5 = Fill a form and many fraud phrases
FORM_LOW_CONTRAST = Fill in a form with hidden text
FOUND_YOU = I found you...
FROM_IN_TO_AND_SUBJ = From address is in To and Subject
FROM_MISSPACED = From: missing whitespace
FROM_MISSP_MSFT = From misspaced + supposed Microsoft tool
FROM_MISSP_REPLYTO = From misspaced, has Reply-To
FROM_MISSP_TO_UNDISC = From misspaced, To undisclosed
FROM_MISSP_USER = From misspaced, from "User"
FROM_MISSP_XPRIO = Misspaced FROM + X-Priority
FROM_WORDY = From address looks like a sentence
FROM_WORDY_SHORT = From address looks like a sentence + short message
FROM_WSP_TRAIL = Trailing whitespace before '>' in From header field
FSL_CTYPE_WIN1251 = Content-Type only seen in 419 spam
FSL_NEW_HELO_USER = Spam's using Helo and User
FUZZY_MERIDIA = Obfuscation of the word "meridia"
GOOGLE_DOCS_PHISH = Possible phishing via a Google Docs form
GOOGLE_DOCS_PHISH_MANY = Phishing via a Google Docs form
GOOG_MALWARE_DNLD = File download via Google - Malware?
GOOG_REDIR_SHORT = Google redirect to obscure spamvertised website + short message
HDRS_LCASE = Odd capitalization of the message header
HDRS_MISSP = Misspaced headers
HDR_ORDER_FTSDMCXX_001C = Header order similar to spam (FTSDMCXX/MID variant)
HDR_ORDER_FTSDMCXX_BAT = Header order similar to spam (FTSDMCXX/boundary variant)
HEADER_COUNT_SUBJECT = Multiple Subject headers found
HELO_MISC_IP = Looking for more Dynamic IP Relays
HEXHASH_WORD = Multiple instances of word + hexadecimal hash
HK_NAME_DRUGS = From name contains drugs
HK_RANDOM_ENVFROM = Envelope sender username looks random
HTML_OFF_PAGE = HTML element rendered well off the displayed page
KHOP_DYNAMIC = Relay looks like a dynamic address
LIST_PARTIAL_SHORT_MSG = Incomplete mailing list headers + short message
LIST_PRTL_PUMPDUMP = Incomplete List-* headers and stock pump-and-dump
LIST_PRTL_SAME_USER = Incomplete List-* headers and from+to user the same
LONG_HEX_URI = Very long purely hexadecimal URI
LONG_IMG_URI = Image URI with very long path component - web bug?
LOOPHOLE_1 = A loophole in the banking laws?
LOTTO_AGENT = Claims Agent
LUCRATIVE = Make lots of money!
MANY_HDRS_LCASE = Odd capitalization of multiple message headers
MANY_SPAN_IN_TEXT = Many <SPAN> tags embedded within text
MILLION_USD = Talks about millions of dollars
MIMEOLE_DIRECT_TO_MX = MIMEOLE + direct-to-MX
MONEY_ATM_CARD = Lots of money on an ATM card
MONEY_FRAUD_3 = Lots of money and several fraud phrases
MONEY_FRAUD_5 = Lots of money and many fraud phrases
MONEY_FRAUD_8 = Lots of money and very many fraud phrases
MONEY_FROM_41 = Lots of money from Africa
MONEY_FROM_MISSP = Lots of money and misspaced From
MSGID_MULTIPLE_AT = Message-ID contains multiple '@' characters
MSGID_NOFQDN1 = Message-ID with no domain name
MSM_PRIO_REPTO = MSMail priority header + Reply-to + short subject
NSL_RCVD_FROM_USER = Received from User
NSL_RCVD_HELO_USER = Received from HELO User
NULL_IN_BODY = Message has NUL (ASCII 0) byte in the message
OBFU_JVSCR_ESC = Injects content using obfuscated javascript
PART_CID_STOCK = Has a spammy image attachment (by Content-ID)
PART_CID_STOCK_LESS = Has a spammy image attachment (by Content-ID, more specific)
PHP_NOVER_MUA = Mail from PHP with no version number
PHP_ORIG_SCRIPT = Sent by bot & other signs
PHP_SCRIPT_MUA = Sent by PHP script, no version number
PUMPDUMP = Pump-and-dump stock scam phrase
PUMPDUMP_MULTI = Pump-and-dump stock scam phrases
PUMPDUMP_TIP = Pump-and-dump stock tip
RAND_HEADER_MANY = Many random gibberish message headers
RCVD_BAD_ID = Received header contains id field with bad characters
RCVD_DBL_DQ = Malformatted message header
RCVD_FORGED_WROTE = Forged 'Received' header found ('wrote:' spam)
RCVD_IN_DNSWL_BLOCKED = ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists/#dnsbl-block for more information.
RCVD_IN_DNSWL_HI = Sender listed at http://www.dnswl.org/, high trust
RCVD_IN_DNSWL_LOW = Sender listed at http://www.dnswl.org/, low trust
RCVD_IN_DNSWL_MED = Sender listed at http://www.dnswl.org/, medium trust
RCVD_IN_DNSWL_NONE = Sender listed at http://www.dnswl.org/, no trust
RCVD_IN_IADB_DK = IADB: Sender publishes Domain Keys record
RCVD_IN_IADB_DOPTIN = IADB: All mailing list mail is confirmed opt-in
RCVD_IN_IADB_DOPTIN_GT50 = IADB: Confirmed opt-in used more than 50% of the time
RCVD_IN_IADB_DOPTIN_LT50 = IADB: Confirmed opt-in used less than 50% of the time
RCVD_IN_IADB_EDDB = IADB: Participates in Email Deliverability Database
RCVD_IN_IADB_EPIA = IADB: Member of Email Processing Industry Alliance
RCVD_IN_IADB_GOODMAIL = IADB: Sender has been certified by GoodMail
RCVD_IN_IADB_LISTED = Participates in the IADB system
RCVD_IN_IADB_LOOSE = IADB: Adds relationship addrs w/out opt-in
RCVD_IN_IADB_MI_CPEAR = IADB: Complies with Michigan's CPEAR law
RCVD_IN_IADB_MI_CPR_30 = IADB: Checked lists against Michigan's CPR within 30 days
RCVD_IN_IADB_MI_CPR_MAT = IADB: Sends no material under Michigan's CPR
RCVD_IN_IADB_ML_DOPTIN = IADB: Mailing list email only, confirmed opt-in
RCVD_IN_IADB_NOCONTROL = IADB: Has absolutely no mailing controls in place
RCVD_IN_IADB_OOO = IADB: One-to-one/transactional email only
RCVD_IN_IADB_OPTIN = IADB: All mailing list mail is opt-in
RCVD_IN_IADB_OPTIN_GT50 = IADB: Opt-in used more than 50% of the time
RCVD_IN_IADB_OPTIN_LT50 = IADB: Opt-in used less than 50% of the time
RCVD_IN_IADB_OPTOUTONLY = IADB: Scrapes addresses, pure opt-out only
RCVD_IN_IADB_RDNS = IADB: Sender has reverse DNS record
RCVD_IN_IADB_SENDERID = IADB: Sender publishes Sender ID record
RCVD_IN_IADB_SPF = IADB: Sender publishes SPF record
RCVD_IN_IADB_UNVERIFIED_1 = IADB: Accepts unverified sign-ups
RCVD_IN_IADB_UNVERIFIED_2 = IADB: Accepts unverified sign-ups, gives chance to opt out
RCVD_IN_IADB_UT_CPEAR = IADB: Complies with Utah's CPEAR law
RCVD_IN_IADB_UT_CPR_30 = IADB: Checked lists against Utah's CPR within 30 days
RCVD_IN_IADB_UT_CPR_MAT = IADB: Sends no material under Utah's CPR
RCVD_IN_PSBL = Received via a relay in PSBL
RCVD_MAIL_COM = Forged Received header (contains post.com or mail.com)
RDNS_LOCALHOST = Sender's public rDNS is "localhost"
RISK_FREE = No risk!
SERGIO_SUBJECT_VIAGRA01 = Viagra garbled subject
SHORT_HELO_AND_INLINE_IMAGE = Short HELO string, with inline image
SINGLETS_LOW_CONTRAST = Single-letter formatted HTML + hidden text
SPAMMY_XMAILER = X-Mailer string is common in spam and not in ham
SPOOFED_FREEM_REPTO = Forged freemail sender with freemail reply-to
SPOOFED_FREEM_REPTO_CHN = Forged freemail sender with Chinese freemail reply-to
STATIC_XPRIO_OLE = Static RDNS + X-Priority + MIMEOLE
STOCK_IMG_CTYPE = Stock spam image part, with distinctive Content-Type header
STOCK_IMG_HDR_FROM = Stock spam image part, with distinctive From line
STOCK_IMG_HTML = Stock spam image part, with distinctive HTML
STOCK_IMG_OUTLOOK = Stock spam image part, with Outlook-like features
STOCK_LOW_CONTRAST = Stocks + hidden text
STOCK_TIP = Stock tips
STYLE_GIBBERISH = Nonsense in HTML <STYLE> tag
SUBJECT_NEEDS_ENCODING = Subject is encoded but does not specify the encoding
SYSADMIN = Supposedly from your IT department
TBIRD_SUSP_MIME_BDRY = Unlikely Thunderbird MIME boundary
TEQF_USR_IMAGE = To and from user nearly same + image
TEQF_USR_MSGID_HEX = To and from user nearly same + unusual message ID
TEQF_USR_MSGID_MALF = To and from user nearly same + malformed message ID
THIS_AD = "This ad" and variants
TO_IN_SUBJ = To address is in Subject
TO_NO_BRKTS_DYNIP = To: lacks brackets and dynamic rDNS
TO_NO_BRKTS_FROM_MSSP = Multiple header formatting problems
TO_NO_BRKTS_HTML_IMG = To: lacks brackets and HTML and one image
TO_NO_BRKTS_HTML_ONLY = To: lacks brackets and HTML only
TO_NO_BRKTS_MSFT = To: lacks brackets and supposed Microsoft tool
TO_NO_BRKTS_NORDNS_HTML = To: lacks brackets and no rDNS and HTML only
TO_NO_BRKTS_PCNT = To: lacks brackets + percentage
TT_MSGID_TRUNC = Scora: Message-Id ends after left-bracket + digits
TT_OBSCURED_VALIUM = Scora: obscured "VALIUM" in subject
TT_OBSCURED_VIAGRA = Scora: obscured "VIAGRA" in subject
TVD_ACT_193 = Message refers to an act passed in the 1930s
TVD_APPROVED = Body states that the recipient has been approved
TVD_DEAR_HOMEOWNER = Spam with the generic salutation of "dear homeowner"
TVD_ENVFROM_APOST = Envelope From contains single-quote
TVD_FLOAT_GENERAL = Message uses CSS float style
TVD_FUZZY_DEGREE = Obfuscation of the word "degree"
TVD_FUZZY_FINANCE = Obfuscation of the word "finance"
TVD_FUZZY_FIXED_RATE = Obfuscation of the phrase "fixed rate"
TVD_FUZZY_MICROCAP = Obfuscation of the word "micro-cap"
TVD_FUZZY_PHARMACEUTICAL = Obfuscation of the word "pharmaceutical"
TVD_FUZZY_SYMBOL = Obfuscation of the word "symbol"
TVD_FW_GRAPHIC_NAME_LONG = Long image attachment name
TVD_FW_GRAPHIC_NAME_MID = Medium sized image attachment name
TVD_INCREASE_SIZE = Advertising for penis enlargement
TVD_LINK_SAVE = Spam with the text "link to save"
TVD_PH_BODY_ACCOUNTS_PRE = The body matches phrases such as "accounts suspended", "account credited", "account verification"
TVD_PH_REC = Message includes a phrase commonly used in phishing mails
TVD_PH_SEC = Message includes a phrase commonly used in phishing mails
TVD_QUAL_MEDS = The body matches phrases such as "quality meds" or "quality medication"
TVD_RATWARE_CB = Content-Type header that is commonly indicative of ratware
TVD_RATWARE_CB_2 = Content-Type header that is commonly indicative of ratware
TVD_RATWARE_MSGID_02 = Ratware with a Message-ID header that is entirely lower-case
TVD_RCVD_IP = Message was received from an IP address
TVD_RCVD_IP4 = Message was received from an IPv4 address
TVD_RCVD_SINGLE = Message was received from localhost
TVD_SECTION = References to specific legal codes
TVD_SILLY_URI_OBFU = URI obfuscation that can fool a URIBL or a uri rule
TVD_SPACED_SUBJECT_WORD3 = Entire subject is "UPPERlowerUPPER" with no whitespace
TVD_SPACE_ENCODED = Space ratio & encoded subject
TVD_SPACE_ENC_FM_MIME = Space ratio & encoded subject & MIME needed
TVD_SPACE_RATIO_MINFP = Space ratio
TVD_STOCK1 = Spam related to stock trading
TVD_SUBJ_ACC_NUM = Subject has spammy looking monetary reference
TVD_SUBJ_FINGER_03 = Entire subject is enclosed in asterisks "* like so *"
TVD_SUBJ_OWE = Subject line states that the recipient is in debt
TVD_SUBJ_WIPE_DEBT = Spam advertising a way to eliminate debt
TVD_VISIT_PHARMA = Body mentions online pharmacy
TVD_VIS_HIDDEN = Invisible textarea HTML tags
TW_GIBBERISH_MANY = Lots of gibberish text to spoof pattern matching filters
T_DATE_IN_FUTURE_Q_PLUS = Date: is over 4 months after Received: date
T_DOS_OUTLOOK_TO_MX_IMAGE = Direct to MX with Outlook headers and an image
T_EMRCP = "Excess Maximum Return Capital Profit" scam
T_END_FUTURE_EMAILS = Spammy unsubscribe
T_LOTTO_AGENT_FM = Claims Agent
T_LOTTO_AGENT_RPLY = Claims Agent
T_LOTTO_URI = Claims Department URL
T_RP_MATCHES_RCVD = Envelope sender domain matches handover relay domain
T_SHARE_50_50 = Share the money 50/50
UC_GIBBERISH_OBFU = Multiple instances of "word VERYLONGGIBBERISH word"
URIBL_RHS_DOB = Contains a URI of a new domain (Day Old Bread)
URI_DATA = "data:" URI - possible malware or phish
URI_DQ_UNSUB = IP-address unsubscribe URI
URI_GOOGLE_PROXY = Accessing a blocked URI or obscuring the source of phish via Google proxy?
URI_ONLY_MSGID_MALF = URI only + malformed message ID
URI_OPTOUT_3LD = Opt-out URI, suspicious hostname
URI_OPTOUT_USME = Opt-out URI, unusual TLD
URI_PHISH = Phishing using web form
URI_TRY_3LD = "Try it" URI, suspicious hostname
URI_TRY_USME = "Try it" URI, unusual TLD
URI_WPADMIN = WordPress login/admin URI, possible phishing
URI_WP_DIRINDEX = URI for compromised WordPress site, possible malware
URI_WP_HACKED = URI for compromised WordPress site, possible malware
URI_WP_HACKED_2 = URI for compromised WordPress site, possible malware
XM_PHPMAILER_FORGED = Apparently forged header
XPRIO = Has X-Priority header
XPRIO_SHORT_SUBJ = Has X-Priority header + short subject
URIBL_SC_SURBL = Contains a URL listed in the SC SURBL blocklist
URIBL_WS_SURBL = Contains a URL listed in the WS SURBL blocklist
URIBL_PH_SURBL = Contains a URL listed in the PH SURBL blocklist
URIBL_MW_SURBL = Contains a Malware Domain or IP listed in the MW SURBL blocklist
URIBL_AB_SURBL = Contains a URL listed in the AB SURBL blocklist
URIBL_JP_SURBL = Contains a URL listed in the JP SURBL blocklist