SpamTitan

Built-in Rules
Abstract

SpamTitan uses an extensive set of first- and third-party rules for capturing spam, including this comprehensive set of built-in rules.

  • GTUBE = Generic Test for Unsolicited Bulk Email

  • TRACKER_ID = Incorporates a tracking ID number

  • WEIRD_QUOTING = Weird repeated double-quotation marks

  • MIME_HTML_ONLY_MULTI = Multipart message only has text/html MIME parts

  • MIME_CHARSET_FARAWAY = MIME character set indicates a foreign language

  • EMAIL_ROT13 = Body contains a ROT13-encoded email address

  • LONGWORDS = Long string of long words

  • MPART_ALT_DIFF = HTML and text parts are different

  • MPART_ALT_DIFF_COUNT = HTML and text parts are different

  • BLANK_LINES_80_90 = Message body has 80-90% blank lines

  • CHARSET_FARAWAY = Character set indicates a foreign language

  • MIME_BASE64_BLANKS = Extra blank lines in base64 encoding

  • MIME_BASE64_TEXT = Message text disguised using base64 encoding

  • MISSING_MIME_HB_SEP = Missing blank line between MIME header and body

  • MIME_HTML_MOSTLY = Multipart message mostly text/html MIME

  • MIME_HTML_ONLY = Message only has text/html MIME parts

  • MIME_QP_LONG_LINE = Quoted-printable line longer than 76 chars

  • MIME_BAD_ISO_CHARSET = MIME character set is an unknown ISO charset

  • HTTPS_IP_MISMATCH = IP to HTTPS link found in HTML

  • HTTPS_HTTP_MISMATCH = Link presents text as HTTPS://... however the link is to an HTTP://... URL

  • URI_TRUNCATED = Message contained a URI which was truncated

  • NO_RECEIVED = Informational: the message has no Received headers

  • ALL_TRUSTED = Passed through trusted hosts only via SMTP

  • NO_RELAYS = Informational: the message was not relayed via SMTP

  • RCVD_IN_SORBS_HTTP = SORBS: sender is open HTTP proxy server

  • RCVD_IN_SORBS_SOCKS = SORBS: sender is open SOCKS proxy server

  • RCVD_IN_SORBS_MISC = SORBS: sender is an open proxy server

  • RCVD_IN_SORBS_SMTP = SORBS: sender is open SMTP relay

  • RCVD_IN_SORBS_WEB = SORBS: sender is an abusable web server

  • RCVD_IN_SORBS_BLOCK = SORBS: sender demands to never be tested

  • RCVD_IN_SORBS_ZOMBIE = SORBS: sender is on a hijacked network

  • RCVD_IN_SORBS_DUL = SORBS: sent directly from the dynamic IP address

  • RCVD_IN_SBL = Received via a relay in Spamhaus SBL

  • RCVD_IN_XBL = Received via a relay in Spamhaus XBL

  • RCVD_IN_PBL = Received via a relay in Spamhaus PBL

  • RCVD_IN_SBL_CSS = Received via a relay in Spamhaus SBL-CSS

  • RCVD_IN_BL_SPAMCOP_NET = Received via a relay in bl.spamcop.net

  • RCVD_IN_MAPS_RBL = Relay in RBL

  • RCVD_IN_MAPS_DUL = Relay in DUL

  • RCVD_IN_MAPS_RSS = Relay in RSS

  • RCVD_IN_MAPS_OPS = Relay in OPS

  • RCVD_IN_MAPS_NML = Relay in NML

  • RCVD_IN_IADB_VOUCHED = ISIPP IADB lists as a vouched-for sender

  • RCVD_IN_RP_CERTIFIED = Sender in ReturnPath Certified - Contact cert-sa@returnpath.net

  • RCVD_IN_RP_SAFE = Sender in ReturnPath Safe - Contact safe-sa@returnpath.net

  • RCVD_IN_RP_RNBL = Relay in RNBL

  • DKIMDOMAIN_IN_DWL = Signing domain listed in Spamhaus DWL

  • DKIMDOMAIN_IN_DWL_UNKNOWN = Unrecognized response from Spamhaus DWL

  • SUBJECT_DRUG_GAP_C = Subject contains a gappy version of 'cialis'

  • SUBJECT_DRUG_GAP_L = Subject contains a gappy version of 'levitra'

  • SUBJECT_DRUG_GAP_S = Subject contains a gappy version of 'soma'

  • SUBJECT_DRUG_GAP_VA = Subject contains a gappy version of 'valium'

  • SUBJECT_DRUG_GAP_X = Subject contains a gappy version of 'xanax'

  • DRUG_DOSAGE = Talks about price per dose

  • DRUG_ED_CAPS = Mentions an E.D. drug

  • DRUG_ED_SILD = Talks about an E.D. drug using its chemical name

  • DRUG_ED_GENERIC = Mentions Generic Viagra

  • DRUG_ED_ONLINE = Fast Viagra Delivery

  • ONLINE_PHARMACY = Online Pharmacy

  • NO_PRESCRIPTION = No prescription needed

  • VIA_GAP_GRA = Attempts to disguise the word 'viagra'

  • DRUGS_ERECTILE = Refers to an erectile drug

  • DRUGS_ERECTILE_OBFU = Obfuscated reference to an erectile drug

  • DRUGS_DIET = Refers to a diet drug

  • DRUGS_DIET_OBFU = Obfuscated reference to a diet drug

  • DRUGS_MUSCLE = Refers to a muscle relaxant

  • DRUGS_ANXIETY = Refers to an anxiety control drug

  • DRUGS_ANXIETY_OBFU = Obfuscated reference to an anxiety control drug

  • DRUGS_SMEAR1 = Two or more drugs crammed together into one word

  • DRUGS_ANXIETY_EREC = Refers to both an erectile and an anxiety drug

  • DRUGS_SLEEP_EREC = Refers to both an erectile and a sleep aid drug

  • DRUGS_MANYKINDS = Refers to at least four kinds of drugs

  • RDNS_DYNAMIC = Delivered to the internal network by host with dynamic-looking rDNS

  • RDNS_NONE = Delivered to internal network by a host with no rDNS

  • HELO_STATIC_HOST = Relay HELO'd using static hostname

  • HELO_DYNAMIC_IPADDR = Relay HELO'd using suspicious hostname (IP addr 1)

  • HELO_DYNAMIC_DHCP = Relay HELO'd using suspicious hostname (DHCP)

  • HELO_DYNAMIC_HCC = Relay HELO'd using suspicious hostname (HCC)

  • HELO_DYNAMIC_ROGERS = Relay HELO'd using suspicious hostname (Rogers)

  • HELO_DYNAMIC_DIALIN = Relay HELO'd using suspicious hostname (T-Dialin)

  • HELO_DYNAMIC_HEXIP = Relay HELO'd using suspicious hostname (Hex IP)

  • HELO_DYNAMIC_SPLIT_IP = Relay HELO'd using suspicious hostname (Split IP)

  • HELO_DYNAMIC_IPADDR2 = Relay HELO'd using suspicious hostname (IP addr 2)

  • HELO_DYNAMIC_CHELLO_NL = Relay HELO'd using suspicious hostname (Chello.nl)

  • HELO_DYNAMIC_HOME_NL = Relay HELO'd using suspicious hostname (Home.nl)

  • FREEMAIL_REPLYTO = Reply-To/From or Reply-To/body contain different freemails

  • FREEMAIL_REPLY = From and body contain different freemails

  • FREEMAIL_FROM = Sender email is commonly abused enduser mail provider

  • FREEMAIL_ENVFROM_END_DIGIT = Envelope-from freemail username ends in digit

  • FREEMAIL_REPLYTO_END_DIGIT = Reply-To freemail username ends in digit

  • FREEMAIL_FORGED_REPLYTO = Freemail in Reply-To, but not From

  • FRAGMENTED_MESSAGE = Partial message

  • FROM_BLANK_NAME = From: contains empty name

  • FROM_STARTS_WITH_NUMS = From: starts with several numbers

  • FROM_OFFERS = From address is "at something-offers"

  • FROM_NO_USER = From: has no local-part before @ sign

  • PLING_QUERY = Subject has an exclamation mark and question mark

  • MSGID_SPAM_CAPS = Spam tool Message-Id: (caps variant)

  • MSGID_SPAM_LETTERS = Spam tool Message-Id: (letters variant)

  • MSGID_RANDY = Message-Id has pattern used in spam

  • MSGID_YAHOO_CAPS = Message-ID has ALLCAPS@yahoo.com

  • FORGED_MSGID_AOL = Message-ID is forged, (aol.com)

  • FORGED_MSGID_EXCITE = Message-ID is forged, (excite.com)

  • FORGED_MSGID_HOTMAIL = Message-ID is forged, (hotmail.com)

  • FORGED_MSGID_MSN = Message-ID is forged, (msn.com)

  • FORGED_MSGID_YAHOO = Message-ID is forged, (yahoo.com)

  • MSGID_FROM_MTA_HEADER = Message-Id was added by a relay

  • MSGID_SHORT = Message-ID is unusually short

  • DATE_SPAMWARE_Y2K = Date header uses unusual Y2K formatting

  • INVALID_DATE = Invalid Date: header (not RFC 2822)

  • INVALID_DATE_TZ_ABSURD = Invalid Date: header (timezone does not exist)

  • INVALID_TZ_CST = Invalid date in header (wrong CST timezone)

  • INVALID_TZ_EST = Invalid date in the header (wrong EST timezone)

  • FROM_EXCESS_BASE64 = From: base64 encoded unnecessarily

  • ENGLISH_UCE_SUBJECT = Subject contains an English UCE tag

  • JAPANESE_UCE_SUBJECT = Subject contains a Japanese UCE tag

  • JAPANESE_UCE_BODY = Body contains Japanese UCE tag

  • KOREAN_UCE_SUBJECT = Subject: contains Korean unsolicited email tag

  • RCVD_DOUBLE_IP_SPAM = Bulk email fingerprint (double IP) found

  • RCVD_DOUBLE_IP_LOOSE = Received: by and from look like IP addresses

  • FORGED_TELESP_RCVD = Contains forged hostname for a DSL IP in Brazil

  • CONFIRMED_FORGED = Received headers are forged

  • MULTI_FORGED = Received headers indicate multiple forgeries

  • NONEXISTENT_CHARSET = Character set doesn't exist

  • MISSING_MID = Missing Message-Id: header

  • MISSING_DATE = Missing Date: header

  • MISSING_SUBJECT = Missing Subject: header

  • MISSING_FROM = Missing From: header

  • GAPPY_SUBJECT = Subject: contains G.a.p.p.y-T.e.x.t

  • PREVENT_NONDELIVERY = Message has Prevent-NonDelivery-Report header

  • X_IP = Message has X-IP header

  • MISSING_MIMEOLE = Message has X-MSMail-Priority, but no X-MimeOLE

  • SUBJ_AS_SEEN = Subject contains "As Seen"

  • SUBJ_DOLLARS = Subject starts with a dollar amount

  • SUBJ_YOUR_FAMILY = Subject contains "Your Family"

  • RCVD_FAKE_HELO_DOTCOM = Received contains a faked HELO hostname

  • SUBJECT_DIET = Subject talks about losing pounds

  • MIME_BOUND_DD_DIGITS = Spam tool pattern in MIME boundary

  • MIME_BOUND_DIGITS_15 = Spam tool pattern in MIME boundary

  • MIME_BOUND_MANY_HEX = Spam tool pattern in MIME boundary

  • TO_MALFORMED = To: has a malformed address

  • MIME_HEADER_CTYPE_ONLY = 'Content-Type' found without required MIME headers

  • WITH_LC_SMTP = Received line contains spam-sign (lowercase smtp)

  • SUBJ_BUY = Subject line starts with Buy or Buying

  • RCVD_AM_PM = Received headers forged (AM/PM)

  • FAKE_OUTBLAZE_RCVD = Received header contains faked 'mr.outblaze.com'

  • UNCLOSED_BRACKET = Headers contain an unclosed bracket

  • FROM_DOMAIN_NOVOWEL = From: domain has a series of non-vowel letters

  • FROM_LOCAL_NOVOWEL = From: localpart has series of non-vowel letters

  • FROM_LOCAL_HEX = From: localpart has a long hexadecimal sequence

  • FROM_LOCAL_DIGITS = From: localpart has long digit sequence

  • X_PRIORITY_CC = Cc: after X-Priority: (bulk email fingerprint)

  • BAD_ENC_HEADER = Message has bad MIME encoding in the header

  • RCVD_ILLEGAL_IP = Received: contains illegal IP address

  • CHARSET_FARAWAY_HEADER = A foreign language charset used in headers

  • SUBJ_ILLEGAL_CHARS = Subject: has too many raw illegal characters

  • FROM_ILLEGAL_CHARS = From: has too many raw illegal characters

  • HEAD_ILLEGAL_CHARS = Headers have too many raw illegal characters

  • FORGED_HOTMAIL_RCVD2 = hotmail.com 'From' address, but no 'Received:'

  • FORGED_YAHOO_RCVD = 'From' yahoo.com does not match 'Received' headers

  • SORTED_RECIPS = Recipient list is sorted by address

  • SUSPICIOUS_RECIPS = Similar addresses in the recipient list

  • MISSING_HEADERS = Missing To: header

  • DATE_IN_PAST_03_06 = Date: is 3 to 6 hours before Received: date

  • DATE_IN_PAST_06_12 = Date: is 6 to 12 hours before Received: date

  • DATE_IN_PAST_12_24 = Date: is 12 to 24 hours before Received: date

  • DATE_IN_PAST_24_48 = Date: is 24 to 48 hours before Received: date

  • DATE_IN_PAST_96_XX = Date: is 96 hours or more before Received: date

  • DATE_IN_FUTURE_03_06 = Date: is 3 to 6 hours after Received: date

  • DATE_IN_FUTURE_06_12 = Date: is 6 to 12 hours after Received: date

  • DATE_IN_FUTURE_12_24 = Date: is 12 to 24 hours after Received: date

  • DATE_IN_FUTURE_24_48 = Date: is 24 to 48 hours after Received: date

  • DATE_IN_FUTURE_48_96 = Date: is 48 to 96 hours after Received: date

  • DATE_IN_FUTURE_96_XX = Date: is 96 hours or more after Received: date

  • UNRESOLVED_TEMPLATE = Headers contain an unresolved template

  • SUBJ_ALL_CAPS = Subject is all capitals

  • LOCALPART_IN_SUBJECT = Local part of To: address appears in Subject

  • MSGID_OUTLOOK_INVALID = Message-Id is fake (in Outlook Express format)

  • HEADER_COUNT_CTYPE = Multiple Content-Type headers found

  • HEAD_LONG = Message headers are very long

  • MISSING_HB_SEP = Missing blank line between message header and body

  • UNPARSEABLE_RELAY = Informational: message has unparseable relay lines

  • RCVD_HELO_IP_MISMATCH = Received: HELO and IP do not match, but should

  • RCVD_NUMERIC_HELO = Received: contains an IP address used for HELO

  • NO_RDNS_DOTCOM_HELO = Host HELO'd as a big ISP, but had no rDNS

  • HTML_SHORT_LINK_IMG_1 = HTML is very short with a linked image

  • HTML_SHORT_LINK_IMG_2 = HTML is very short with a linked image

  • HTML_SHORT_LINK_IMG_3 = HTML is very short with a linked image

  • HTML_SHORT_CENTER = HTML is very short with CENTER tag

  • HTML_CHARSET_FARAWAY = A foreign language charset used in HTML markup

  • HTML_MIME_NO_HTML_TAG = HTML-only message, but there is no HTML tag

  • HTML_MISSING_CTYPE = Message is HTML without HTML Content-Type

  • HIDE_WIN_STATUS = Javascript to hide URLs in browser

  • OBFUSCATING_COMMENT = HTML comments which obfuscate text

  • JS_FROMCHARCODE = Document is built from a Javascript charcode array

  • HTML_MESSAGE = HTML included in message

  • HTML_COMMENT_SHORT = HTML comment is very short

  • HTML_COMMENT_SAVED_URL = HTML message is a saved web page

  • HTML_EMBEDS = HTML with embedded plugin object

  • HTML_EXTRA_CLOSE = HTML contains far too many close tags

  • HTML_FONT_SIZE_LARGE = HTML font size is large

  • HTML_FONT_SIZE_HUGE = HTML font size is huge

  • HTML_FONT_LOW_CONTRAST = HTML font color similar or identical to background

  • HTML_FONT_FACE_BAD = HTML font face is not a word

  • HTML_FORMACTION_MAILTO = HTML includes a form which sends mail

  • HTML_IMAGE_ONLY_04 = HTML: images with 0-400 bytes of words

  • HTML_IMAGE_ONLY_08 = HTML: images with 400-800 bytes of words

  • HTML_IMAGE_ONLY_12 = HTML: images with 800-1200 bytes of words

  • HTML_IMAGE_ONLY_16 = HTML: images with 1200-1600 bytes of words

  • HTML_IMAGE_ONLY_20 = HTML: images with 1600-2000 bytes of words

  • HTML_IMAGE_ONLY_24 = HTML: images with 2000-2400 bytes of words

  • HTML_IMAGE_ONLY_28 = HTML: images with 2400-2800 bytes of words

  • HTML_IMAGE_ONLY_32 = HTML: images with 2800-3200 bytes of words

  • HTML_IMAGE_RATIO_02 = HTML has a low ratio of text to image area

  • HTML_IMAGE_RATIO_04 = HTML has a low ratio of text to image area

  • HTML_IMAGE_RATIO_06 = HTML has a low ratio of text to image area

  • HTML_IMAGE_RATIO_08 = HTML has a low ratio of text to image area

  • HTML_OBFUSCATE_05_10 = Message is 5% to 10% HTML obfuscation

  • HTML_OBFUSCATE_10_20 = Message is 10% to 20% HTML obfuscation

  • HTML_OBFUSCATE_20_30 = Message is 20% to 30% HTML obfuscation

  • HTML_OBFUSCATE_30_40 = Message is 30% to 40% HTML obfuscation

  • HTML_OBFUSCATE_50_60 = Message is 50% to 60% HTML obfuscation

  • HTML_OBFUSCATE_70_80 = Message is 70% to 80% HTML obfuscation

  • HTML_OBFUSCATE_90_100 = Message is 90% to 100% HTML obfuscation

  • HTML_TAG_BALANCE_BODY = HTML has unbalanced "body" tags

  • HTML_TAG_BALANCE_HEAD = HTML has unbalanced "head" tags

  • HTML_TAG_EXIST_BGSOUND = HTML has "bgsound" tag

  • HTML_BADTAG_40_50 = HTML message is 40% to 50% bad tags

  • HTML_BADTAG_50_60 = HTML message is 50% to 60% bad tags

  • HTML_BADTAG_60_70 = HTML message is 60% to 70% bad tags

  • HTML_BADTAG_90_100 = HTML message is 90% to 100% bad tags

  • HTML_NONELEMENT_30_40 = 30% to 40% of HTML elements are non-standard

  • HTML_NONELEMENT_40_50 = 40% to 50% of HTML elements are non-standard

  • HTML_NONELEMENT_60_70 = 60% to 70% of HTML elements are non-standard

  • HTML_NONELEMENT_80_90 = 80% to 90% of HTML elements are non-standard

  • HTML_IFRAME_SRC = Message has HTML IFRAME tag with SRC URI

  • DC_GIF_UNO_LARGO = Message contains a single large gif image

  • DC_PNG_UNO_LARGO = Message contains a single large png image

  • DC_IMAGE_SPAM_TEXT = Possible Image-only spam with little text

  • DC_IMAGE_SPAM_HTML = Possible Image-only spam

  • RCVD_IN_MSPIKE_L5 = Very bad reputation (-5)

  • RCVD_IN_MSPIKE_L4 = Bad reputation (-4)

  • RCVD_IN_MSPIKE_L3 = Low reputation (-3)

  • RCVD_IN_MSPIKE_L2 = Suspicious reputation (-2)

  • RCVD_IN_MSPIKE_H5 = Excellent reputation (+5)

  • RCVD_IN_MSPIKE_H4 = Very Good reputation (+4)

  • RCVD_IN_MSPIKE_H3 = Good reputation (+3)

  • RCVD_IN_MSPIKE_H2 = Average reputation (+2)

  • RCVD_IN_MSPIKE_BL = Mailspike blocked

  • RCVD_IN_MSPIKE_WL = Mailspike good senders

  • UPPERCASE_50_75 = message body is 50-75% uppercase

  • UPPERCASE_75_100 = message body is 75-100% uppercase

  • INVALID_MSGID = Message-Id is not valid, according to RFC 2822

  • FORGED_MUA_MOZILLA = Forged mail pretending to be from Mozilla

  • PERCENT_RANDOM = Message has a random macro in it

  • EMPTY_MESSAGE = Message appears to have no textual parts and no Subject: text

  • NO_HEADERS_MESSAGE = Message appears to be missing most RFC-822 headers

  • DIGEST_MULTIPLE = Message hits more than one network digest check

  • NO_DNS_FOR_FROM = Envelope sender has no MX or A DNS records

  • GMD_PDF_HORIZ = Contains pdf 100-240 (high) x 450-800 (wide)

  • GMD_PDF_SQUARE = Contains pdf 180-360 (high) x 180-360 (wide)

  • GMD_PDF_VERT = Contains pdf 450-800 (high) x 100-240 (wide)

  • GMD_PRODUCER_GPL = PDF producer was GPL Ghostscript

  • GMD_PRODUCER_POWERPDF = PDF producer was PowerPDF

  • GMD_PRODUCER_EASYPDF = PDF producer was BCL easyPDF

  • GMD_PDF_ENCRYPTED = Attached PDF is encrypted

  • GMD_PDF_EMPTY_BODY = Attached PDF with empty message body

  • REMOVE_BEFORE_LINK = Removal phrase right before a link

  • GUARANTEED_100_PERCENT = One hundred percent guaranteed

  • DEAR_FRIEND = Dear Friend? That's not very dear!

  • DEAR_SOMETHING = Contains 'Dear (something)'

  • BILLION_DOLLARS = Talks about lots of money

  • EXCUSE_4 = Claims you can be removed from the list

  • EXCUSE_REMOVE = Talks about how to be removed from mailings

  • STRONG_BUY = Tells you about a strong buy

  • STOCK_ALERT = Offers an alert about a stock

  • NOT_ADVISOR = Not registered investment advisor

  • PREST_NON_ACCREDITED = 'Prestigious Non-Accredited Universities'

  • BODY_ENHANCEMENT = Information on growing body parts

  • BODY_ENHANCEMENT2 = Information on getting larger body parts

  • IMPOTENCE = Impotence cure

  • URG_BIZ = Contains urgent matter

  • MONEY_BACK = Money back guarantee

  • FREE_QUOTE_INSTANT = Free express or no-obligation quote

  • BAD_CREDIT = Eliminate Bad Credit

  • REFINANCE_YOUR_HOME = Home refinancing

  • REFINANCE_NOW = Home refinancing

  • NO_MEDICAL = No Medical Exams

  • DIET_1 = Lose Weight Spam

  • FIN_FREE = Freedom of a financial nature

  • FORWARD_LOOKING = Stock Disclaimer Statement

  • ONE_TIME = One Time Rip Off

  • JOIN_MILLIONS = Join Millions of Americans

  • MARKETING_PARTNERS = Claims you registered with a partner

  • LOW_PRICE = Lowest Price

  • UNCLAIMED_MONEY = People just leave money laying around

  • OBSCURED_EMAIL = Message seems to contain rot13ed address

  • BANG_OPRAH = Talks about Oprah with an exclamation!

  • ACT_NOW_CAPS = Talks about 'acting now' with capitals

  • MORE_SEX = Talks about a bigger drive for sex

  • BANG_GUAR = Something is emphatically guaranteed

  • RUDE_HTML = Spammer message says you need an HTML mailer

  • INVESTMENT_ADVICE = Message mentions investment advice

  • MALE_ENHANCE = Message talks about enhancing men

  • PRICES_ARE_AFFORDABLE = Message says that prices aren't too expensive

  • REPLICA_WATCH = Message talks about a replica watch

  • EM_ROLEX = Message puts emphasis on the watch manufacturer

  • FREE_PORN = Possible porn - Free Porn

  • CUM_SHOT = Possible porn - Cum Shot

  • LIVE_PORN = Possible porn - Live Porn

  • SUBJECT_SEXUAL = Subject indicates sexually-explicit content

  • RATWARE_EGROUPS = Bulk email fingerprint (eGroups) found

  • RATWARE_OE_MALFORMED = X-Mailer has malformed Outlook Express version

  • RATWARE_MOZ_MALFORMED = Bulk email fingerprint (Mozilla malformed) found

  • RATWARE_MPOP_WEBMAIL = Bulk email fingerprint (mPOP Web-Mail)

  • FORGED_MUA_IMS = Forged mail pretending to be from IMS

  • FORGED_MUA_OUTLOOK = Forged mail pretending to be from MS Outlook

  • FORGED_MUA_OIMO = Forged mail pretending to be from MS Outlook IMO

  • FORGED_MUA_EUDORA = Forged mail pretending to be from Eudora

  • FORGED_MUA_THEBAT_CS = Mail pretending to be from The Bat! (charset)

  • FORGED_MUA_THEBAT_BOUN = Mail pretending to be from The Bat! (boundary)

  • FORGED_OUTLOOK_HTML = Outlook can't send HTML message only

  • FORGED_IMS_HTML = IMS can't send HTML message only

  • FORGED_THEBAT_HTML = The Bat! can't send HTML message only

  • REPTO_QUOTE_AOL = AOL doesn't do quoting like this

  • REPTO_QUOTE_IMS = IMS doesn't do quoting like this

  • REPTO_QUOTE_MSN = MSN doesn't do quoting like this

  • REPTO_QUOTE_QUALCOMM = Qualcomm/Eudora doesn't do quoting like this

  • REPTO_QUOTE_YAHOO = Yahoo! doesn't do quoting like this

  • FORGED_QUALCOMM_TAGS = QUALCOMM mailers can't send HTML in this format

  • FORGED_IMS_TAGS = IMS mailers can't send HTML in this format

  • FORGED_OUTLOOK_TAGS = Outlook can't send HTML in this format

  • RATWARE_HASH_DASH = Contains a hashbuster in Send-Safe format

  • RATWARE_ZERO_TZ = Bulk email fingerprint (+0000) found

  • X_MESSAGE_INFO = Bulk email fingerprint (X-Message-Info) found

  • HEADER_SPAM = Bulk email fingerprint (header-based) found

  • RATWARE_RCVD_PF = Bulk email fingerprint (Received PF) found

  • RATWARE_RCVD_AT = Bulk email fingerprint (Received @) found

  • RATWARE_OUTLOOK_NONAME = Bulk email fingerprint (Outlook no name) found

  • RATWARE_MS_HASH = Bulk email fingerprint (msgid ms hash) found

  • RATWARE_NAME_ID = Bulk email fingerprint (msgid from) found

  • RATWARE_EFROM = Bulk email fingerprint (envfrom) found

  • NUMERIC_HTTP_ADDR = Uses a numeric IP address in URL

  • HTTP_ESCAPED_HOST = Uses %-escapes inside a URL's hostname

  • HTTP_EXCESSIVE_ESCAPES = Completely unnecessary %-escapes inside a URL

  • IP_LINK_PLUS = Dotted-decimal IP address followed by CGI

  • WEIRD_PORT = Uses non-standard port number for HTTP

  • YAHOO_RD_REDIR = Has Yahoo Redirect URI

  • YAHOO_DRS_REDIR = Has Yahoo Redirect URI

  • HTTP_77 = Contains an URL-encoded hostname (HTTP77)

  • SPOOF_COM2OTH = URI contains ".com" in middle

  • SPOOF_COM2COM = URI contains ".com" in middle and end

  • SPOOF_NET2COM = URI contains ".net" or ".org", then ".com"

  • URI_HEX = URI hostname has a long hexadecimal sequence

  • URI_NOVOWEL = URI hostname has a long non-vowel sequence

  • URI_UNSUBSCRIBE = URI contains suspicious unsubscribe link

  • URI_NO_WWW_INFO_CGI = CGI in .info TLD other than third-level "www"

  • URI_NO_WWW_BIZ_CGI = CGI in .biz TLD other than third-level "www"

  • NORMAL_HTTP_TO_IP = URI host has a public dotted-decimal IPv4 address

  • BOUNCE_MESSAGE = MTA bounce message

  • CHALLENGE_RESPONSE = Challenge-Response message for mail you sent

  • CRBOUNCE_MESSAGE = Challenge-Response bounce message

  • VBOUNCE_MESSAGE = Virus-scanner bounce message

  • ANY_BOUNCE_MESSAGE = Message is some kind of bounce message

  • ACCESSDB = Message would have been caught by accessdb

  • MICROSOFT_EXECUTABLE = Message includes Microsoft executable program

  • MIME_SUSPECT_NAME = MIME filename does not match content

  • DCC_CHECK = Detected as bulk mail by DCC (dcc-servers.net)

  • DCC_REPUT_00_12 = DCC reputation between 0 and 12 % (mostly ham)

  • DCC_REPUT_70_89 = DCC reputation between 70 and 89 %

  • DCC_REPUT_90_94 = DCC reputation between 90 and 94 %

  • DCC_REPUT_95_98 = DCC reputation between 95 and 98 % (mostly spam)

  • DCC_REPUT_99_100 = DCC reputation of 99 % or higher (spam)

  • DKIM_SIGNED = Message has a DKIM or DK signature, not necessarily valid

  • DKIM_VALID = Message has at least one valid DKIM or DK signature

  • DKIM_VALID_AU = Message has a valid DKIM or DK signature from author's domain

  • DKIM_ADSP_NXDOMAIN = No valid author signature, and domain not in DNS

  • DKIM_ADSP_DISCARD = No valid author signature, domain signs all mail and suggests discarding the rest

  • DKIM_ADSP_ALL = No valid author signature, domain signs all mail

  • DKIM_ADSP_CUSTOM_LOW = No valid author signature, adsp_override is CUSTOM_LOW

  • DKIM_ADSP_CUSTOM_MED = No valid author signature, adsp_override is CUSTOM_MED

  • DKIM_ADSP_CUSTOM_HIGH = No valid author signature, adsp_override is CUSTOM_HIGH

  • NML_ADSP_CUSTOM_LOW = ADSP custom_low hit, and not from a mailing list

  • NML_ADSP_CUSTOM_MED = ADSP custom_med hit, and not from a mailing list

  • NML_ADSP_CUSTOM_HIGH = ADSP custom_high hit, and not from a mailing list

  • HASHCASH_20 = Contains valid Hashcash token (20 bits)

  • HASHCASH_21 = Contains valid Hashcash token (21 bits)

  • HASHCASH_22 = Contains valid Hashcash token (22 bits)

  • HASHCASH_23 = Contains valid Hashcash token (23 bits)

  • HASHCASH_24 = Contains valid Hashcash token (24 bits)

  • HASHCASH_25 = Contains valid Hashcash token (25 bits)

  • HASHCASH_HIGH = Contains valid Hashcash token (>25 bits)

  • HASHCASH_2SPEND = Hashcash token already spent in another mail

  • SUBJECT_FUZZY_MEDS = Attempt to obfuscate words in Subject:

  • SUBJECT_FUZZY_VPILL = Attempt to obfuscate words in Subject:

  • SUBJECT_FUZZY_CHEAP = Attempt to obfuscate words in Subject:

  • SUBJECT_FUZZY_PENIS = Attempt to obfuscate words in Subject:

  • SUBJECT_FUZZY_TION = Attempt to obfuscate words in Subject:

  • FUZZY_AFFORDABLE = Attempt to obfuscate words in spam

  • FUZZY_AMBIEN = Attempt to obfuscate words in spam

  • FUZZY_BILLION = Attempt to obfuscate words in spam

  • FUZZY_CPILL = Attempt to obfuscate words in spam

  • FUZZY_CREDIT = Attempt to obfuscate words in spam

  • FUZZY_ERECT = Attempt to obfuscate words in spam

  • FUZZY_GUARANTEE = Attempt to obfuscate words in spam

  • FUZZY_MEDICATION = Attempt to obfuscate words in spam

  • FUZZY_MILLION = Attempt to obfuscate words in spam

  • FUZZY_MONEY = Attempt to obfuscate words in spam

  • FUZZY_MORTGAGE = Attempt to obfuscate words in spam

  • FUZZY_OBLIGATION = Attempt to obfuscate words in spam

  • FUZZY_OFFERS = Attempt to obfuscate words in spam

  • FUZZY_PHARMACY = Attempt to obfuscate words in spam

  • FUZZY_PHENT = Attempt to obfuscate words in spam

  • FUZZY_PRESCRIPT = Attempt to obfuscate words in spam

  • FUZZY_PRICES = Attempt to obfuscate words in spam

  • FUZZY_REFINANCE = Attempt to obfuscate words in spam

  • FUZZY_REMOVE = Attempt to obfuscate words in spam

  • FUZZY_ROLEX = Attempt to obfuscate words in spam

  • FUZZY_SOFTWARE = Attempt to obfuscate words in spam

  • FUZZY_THOUSANDS = Attempt to obfuscate words in spam

  • FUZZY_VLIUM = Attempt to obfuscate words in spam

  • FUZZY_VIOXX = Attempt to obfuscate words in spam

  • FUZZY_VPILL = Attempt to obfuscate words in spam

  • FUZZY_XPILL = Attempt to obfuscate words in spam

  • SPF_PASS = SPF: sender matches SPF record

  • SPF_NEUTRAL = SPF: sender does not match SPF record (neutral)

  • SPF_FAIL = SPF: sender does not match SPF record (fail)

  • SPF_SOFTFAIL = SPF: sender does not match SPF record (softfail)

  • SPF_HELO_PASS = SPF: HELO matches SPF record

  • SPF_HELO_NEUTRAL = SPF: HELO does not match SPF record (neutral)

  • SPF_HELO_FAIL = SPF: HELO does not match SPF record (fail)

  • SPF_HELO_SOFTFAIL = SPF: HELO does not match SPF record (softfail)

  • SPF_NONE = SPF: sender does not publish an SPF Record

  • SPF_HELO_NONE = SPF: HELO does not publish an SPF Record

  • UNWANTED_LANGUAGE_BODY = Message written in an undesired language

  • BODY_8BITS = Body includes 8 consecutive 8-bit characters

  • URIBL_SBL = Contains an URL's NS IP listed in the SBL blocklist

  • URIBL_DBL_SPAM = Contains a spam URL listed in the DBL blocklist

  • URIBL_DBL_PHISH = Contains a Phishing URL listed in the DBL blocklist

  • URIBL_DBL_MALWARE = Contains a malware URL listed in the DBL blocklist

  • URIBL_DBL_BOTNETCC = Contains a botnet C&C URL listed in the DBL blocklist

  • URIBL_DBL_ABUSE_SPAM = Contains an abused spamvertized URL listed in the DBL blocklist

  • URIBL_DBL_ABUSE_REDIR = Contains an abused redirector URL listed in the DBL blocklist

  • URIBL_DBL_ABUSE_PHISH = Contains an abused phishing URL listed in the DBL blocklist

  • URIBL_DBL_ABUSE_MALW = Contains an abused malware URL listed in the DBL blocklist

  • URIBL_DBL_ABUSE_BOTCC = Contains an abused botnet C&C URL listed in the DBL blocklist

  • URIBL_DBL_ERROR = Error: queried the DBL blocklist for an IP

  • URIBL_WS_SURBL = Contains an URL listed in the WS SURBL blocklist

  • URIBL_PH_SURBL = Contains an URL listed in the PH SURBL blocklist

  • URIBL_MW_SURBL = Contains a URL listed in the MW SURBL blocklist

  • URIBL_CR_SURBL = Contains an URL listed in the CR SURBL blocklist

  • URIBL_ABUSE_SURBL = Contains an URL listed in the ABUSE SURBL blocklist

  • SURBL_BLOCKED = ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists/#dnsbl-block for more information.

  • URIBL_BLACK = Contains an URL listed in the URIBL block list

  • URIBL_GREY = Contains an URL listed in the URIBL greylist

  • URIBL_RED = Contains an URL listed in the URIBL redlist

  • URIBL_BLOCKED = ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists/#dnsbl-block for more information.

  • AWL = Adjusted score from AWL reputation of From: address

  • SHORTCIRCUIT = Not all rules were run, due to a shortcircuited rule

  • TXREP = Score normalizing based on the sender's reputation

  • USER_IN_BLACKLIST = From: address is in the user's block list

  • USER_IN_WHITELIST = From: address is in the user's allow list

  • USER_IN_DEF_WHITELIST = From: address is in the default allow list

  • USER_IN_BLACKLIST_TO = User is listed in 'blacklist_to'

  • USER_IN_WHITELIST_TO = User is listed in 'whitelist_to'

  • USER_IN_MORE_SPAM_TO = User is listed in 'more_spam_to'

  • USER_IN_ALL_SPAM_TO = User is listed in 'all_spam_to'

  • URI_HOST_IN_BLACKLIST = host or domain listed in the URI block list

  • URI_HOST_IN_WHITELIST = host or domain listed in the URI allow list

  • HEADER_HOST_IN_BLACKLIST = Blocked header host or domain

  • HEADER_HOST_IN_WHITELIST = Allowed header host or domain

  • USER_IN_DKIM_WHITELIST = From: address is in the user's DKIM allow list

  • USER_IN_DEF_DKIM_WL = From: address is in the default DKIM allow list

  • USER_IN_SPF_WHITELIST = From: address is in the user's SPF allow list

  • USER_IN_DEF_SPF_WL = From: address is in the default SPF allow list

  • ENV_AND_HDR_SPF_MATCH = Env and Hdr From used in default SPF WL Match

  • SUBJECT_IN_WHITELIST = Subject: contains string in the user's allow list

  • SUBJECT_IN_BLACKLIST = Subject: contains a string in the user's block list

  • AC_BR_BONANZA = Too many newlines in a row... spammy template

  • AC_DIV_BONANZA = Too many divs in a row... spammy template

  • AC_HTML_NONSENSE_TAGS = Many consecutive multi-letter HTML tags, likely nonsense/spam

  • AC_SPAMMY_URI_PATTERNS1 = link combos match highly spammy template

  • AC_SPAMMY_URI_PATTERNS10 = link combos match highly spammy template

  • AC_SPAMMY_URI_PATTERNS11 = link combos match highly spammy template

  • AC_SPAMMY_URI_PATTERNS12 = link combos match highly spammy template

  • AC_SPAMMY_URI_PATTERNS2 = link combos match highly spammy template

  • AC_SPAMMY_URI_PATTERNS3 = link combos match highly spammy template

  • AC_SPAMMY_URI_PATTERNS4 = link combos match highly spammy template

  • AC_SPAMMY_URI_PATTERNS8 = link combos match highly spammy template

  • AC_SPAMMY_URI_PATTERNS9 = link combos match highly spammy template

  • ADMAIL = "admail" and variants

  • ADMITS_SPAM = Admits this is an ad

  • ADVANCE_FEE_2_NEW_FORM = Advance Fee fraud and a form

  • ADVANCE_FEE_2_NEW_MONEY = Advance Fee fraud and lots of money

  • ADVANCE_FEE_3_NEW = Appears to be advance fee fraud (Nigerian 419)

  • ADVANCE_FEE_3_NEW_FORM = Advance Fee fraud and a form

  • ADVANCE_FEE_3_NEW_MONEY = Advance Fee fraud and lots of money

  • ADVANCE_FEE_4_NEW = Appears to be advance fee fraud (Nigerian 419)

  • ADVANCE_FEE_4_NEW_MONEY = Advance Fee fraud and lots of money

  • ADVANCE_FEE_5_NEW_FRM_MNY = Advance Fee fraud form and lots of money

  • ADVANCE_FEE_5_NEW_MONEY = Advance Fee fraud and lots of money

  • AD_PREFS = Advertising preferences

  • APOSTROPHE_FROM = From address contains an apostrophe

  • AXB_XMAILER_MIMEOLE_OL_024C2 = Yet another X header trait

  • AXB_XMAILER_MIMEOLE_OL_1ECD5 = Yet another X header trait

  • AXB_X_FF_SEZ_S = Forefront sez this is spam

  • BANKING_LAWS = Talks about banking laws

  • BASE64_LENGTH_79_INF = base64 encoded email part uses line length of 78 or 79 characters

  • BASE64_LENGTH_79_INF = base64 encoded email part uses line length greater than 79 characters

  • BODY_SINGLE_URI = Message body is only a URI

  • BODY_SINGLE_WORD = Message body is only one word (no spaces)

  • BODY_URI_ONLY = Message body is only a URI in one line of text or for an image

  • BOGUS_MSM_HDRS = Apparently bogus Microsoft email headers

  • CANT_SEE_AD = You really want to see our spam.

  • CK_HELO_DYNAMIC_SPLIT_IP = Relay HELO'd using a suspicious hostname (Split IP)

  • CK_HELO_GENERIC = Relay used name indicative of a Dynamic Pool or Generic rPTR

  • CN_B2B_SPAMMER = Chinese company introducing itself

  • COMMENT_GIBBERISH = Nonsense in long HTML comment

  • COMPENSATION = "Compensation"

  • CORRUPT_FROM_LINE_IN_HDRS = Informational: the message is corrupt, with a From line in its headers

  • CTYPE_8SPACE_GIF = Stock spam image part 'Content-Type' found (8 spc)

  • DATE_IN_FUTURE_96_Q = Date: is 4 days to 4 months after Received: date

  • DEAR_BENEFICIARY = Dear Beneficiary:

  • DEAR_WINNER = Spam with a generic salutation of "dear winner"

  • DOS_ANAL_SPAM_MAILER = X-mailer pattern common to anal porn site spam

  • DOS_FIX_MY_URI = Looks like a "fix my obfu'd URI please" spam

  • DOS_HIGH_BAT_TO_MX = The Bat! Direct to MX with High Bits

  • DOS_LET_GO_JOB = Let go from their job and now makes lots of dough!

  • DOS_OE_TO_MX = Delivered directly to MX with OE headers

  • DOS_OE_TO_MX_IMAGE = Direct to MX with OE headers and an image

  • DOS_OUTLOOK_TO_MX = Delivered directly to MX with Outlook headers

  • DOS_RCVD_IP_TWICE_C = Received from the same IP twice in a row (only one external relay; empty or IP helo)

  • DOS_STOCK_BAT = Probable pump and dump stock spam

  • DOS_URI_ASTERISK = Found an asterisk in a URI

  • DOS_YOUR_PLACE = Russian dating spam

  • DRUGS_HDIA = Subject mentions "hoodia"

  • DRUGS_STOCK_MIMEOLE = Stock-spam forged headers found (5510)

  • DX_TEXT_01 = "message status"

  • DX_TEXT_02 = "change your message stat"

  • DX_TEXT_03 = "XXX Media Group"

  • DYN_RDNS_AND_INLINE_IMAGE = Contains image, and was sent by dynamic rDNS

  • DYN_RDNS_SHORT_HELO_HTML = Sent by dynamic rDNS, short HELO, and HTML

  • DYN_RDNS_SHORT_HELO_IMAGE = Short HELO string, dynamic rDNS, inline image

  • ENCRYPTED_MESSAGE = Message is encrypted, not likely to be spam

  • EXCUSE_24 = Claims you wanted this ad

  • FBI_MONEY = The FBI wants to give you lots of money?

  • FBI_SPOOF = Claims to be FBI, but not from FBI domain

  • FORM_FRAUD = Fill a form and a fraud phrase

  • FORM_FRAUD_3 = Fill a form and several fraud phrases

  • FORM_FRAUD_5 = Fill a form and many fraud phrases

  • FORM_LOW_CONTRAST = Fill in a form with hidden text

  • FOUND_YOU = I found you...

  • FROM_IN_TO_AND_SUBJ = From address is in To and Subject

  • FROM_MISSPACED = From: missing whitespace

  • FROM_MISSP_MSFT = From misspaced + supposed Microsoft tool

  • FROM_MISSP_REPLYTO = From misspaced, has Reply-To

  • FROM_MISSP_TO_UNDISC = From misspaced, To undisclosed

  • FROM_MISSP_USER = From misspaced, from "User"

  • FROM_MISSP_XPRIO = Misspaced FROM + X-Priority

  • FROM_WORDY = From address looks like a sentence

  • FROM_WORDY_SHORT = From address looks like a sentence + short message

  • FROM_WSP_TRAIL = Trailing whitespace before '>' in From header field

  • FSL_CTYPE_WIN1251 = Content-Type only seen in 419 spam

  • FSL_NEW_HELO_USER = Spam's using Helo and User

  • FUZZY_MERIDIA = Obfuscation of the word "meridia"

  • GOOGLE_DOCS_PHISH = Possible phishing via a Google Docs form

  • GOOGLE_DOCS_PHISH_MANY = Phishing via a Google Docs form

  • GOOG_MALWARE_DNLD = File download via Google - Malware?

  • GOOG_REDIR_SHORT = Google redirect to obscure spamvertised website + short message

  • HDRS_LCASE = Odd capitalization of the message header

  • HDRS_MISSP = Misspaced headers

  • HDR_ORDER_FTSDMCXX_001C = Header order similar to spam (FTSDMCXX/MID variant)

  • HDR_ORDER_FTSDMCXX_BAT = Header order similar to spam (FTSDMCXX/boundary variant)

  • HEADER_COUNT_SUBJECT = Multiple Subject headers found

  • HELO_MISC_IP = Looking for more Dynamic IP Relays

  • HEXHASH_WORD = Multiple instances of word + hexadecimal hash

  • HK_NAME_DRUGS = From name contains drugs

  • HK_RANDOM_ENVFROM = Envelope sender username looks random

  • HTML_OFF_PAGE = HTML element rendered well off the displayed page

  • KHOP_DYNAMIC = Relay looks like a dynamic address

  • LIST_PARTIAL_SHORT_MSG = Incomplete mailing list headers + short message

  • LIST_PRTL_PUMPDUMP = Incomplete List-* headers and stock pump-and-dump

  • LIST_PRTL_SAME_USER = Incomplete List-* headers and from+to user the same

  • LONG_HEX_URI = Very long purely hexadecimal URI

  • LONG_IMG_URI = Image URI with very long path component - web bug?

  • LOOPHOLE_1 = A loophole in the banking laws?

  • LOTTO_AGENT = Claims Agent

  • LUCRATIVE = Make lots of money!

  • MANY_HDRS_LCASE = Odd capitalization of multiple message headers

  • MANY_SPAN_IN_TEXT = Many <SPAN> tags embedded within text

  • MILLION_USD = Talks about millions of dollars

  • MIMEOLE_DIRECT_TO_MX = MIMEOLE + direct-to-MX

  • MONEY_ATM_CARD = Lots of money on an ATM card

  • MONEY_FRAUD_3 = Lots of money and several fraud phrases

  • MONEY_FRAUD_5 = Lots of money and many fraud phrases

  • MONEY_FRAUD_8 = Lots of money and very many fraud phrases

  • MONEY_FROM_41 = Lots of money from Africa

  • MONEY_FROM_MISSP = Lots of money and misspaced From

  • MSGID_MULTIPLE_AT = Message-ID contains multiple '@' characters

  • MSGID_NOFQDN1 = Message-ID with no domain name

  • MSM_PRIO_REPTO = MSMail priority header + Reply-to + short subject

  • NSL_RCVD_FROM_USER = Received from User

  • NSL_RCVD_HELO_USER = Received from HELO User

  • NULL_IN_BODY = Message has NUL (ASCII 0) byte in the message

  • OBFU_JVSCR_ESC = Injects content using obfuscated javascript

  • PART_CID_STOCK = Has a spammy image attachment (by Content-ID)

  • PART_CID_STOCK_LESS = Has a spammy image attachment (by Content-ID, more specific)

  • PHP_NOVER_MUA = Mail from PHP with no version number

  • PHP_ORIG_SCRIPT = Sent by bot & other signs

  • PHP_SCRIPT_MUA = Sent by PHP script, no version number

  • PUMPDUMP = Pump-and-dump stock scam phrase

  • PUMPDUMP_MULTI = Pump-and-dump stock scam phrases

  • PUMPDUMP_TIP = Pump-and-dump stock tip

  • RAND_HEADER_MANY = Many random gibberish message headers

  • RCVD_BAD_ID = Received header contains id field with bad characters

  • RCVD_DBL_DQ = Malformatted message header

  • RCVD_FORGED_WROTE = Forged 'Received' header found ('wrote:' spam)

  • RCVD_IN_DNSWL_BLOCKED = ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists/#dnsbl-block for more information.

  • RCVD_IN_DNSWL_HI = Sender listed at http://www.dnswl.org/, high trust

  • RCVD_IN_DNSWL_LOW = Sender listed at http://www.dnswl.org/, low trust

  • RCVD_IN_DNSWL_MED = Sender listed at http://www.dnswl.org/, medium trust

  • RCVD_IN_DNSWL_NONE = Sender listed at http://www.dnswl.org/, no trust

  • RCVD_IN_IADB_DK = IADB: Sender publishes Domain Keys record

  • RCVD_IN_IADB_DOPTIN = IADB: All mailing list mail is confirmed opt-in

  • RCVD_IN_IADB_DOPTIN_GT50 = IADB: Confirmed opt-in used more than 50% of the time

  • RCVD_IN_IADB_DOPTIN_LT50 = IADB: Confirmed opt-in used less than 50% of the time

  • RCVD_IN_IADB_EDDB = IADB: Participates in Email Deliverability Database

  • RCVD_IN_IADB_EPIA = IADB: Member of Email Processing Industry Alliance

  • RCVD_IN_IADB_GOODMAIL = IADB: Sender has been certified by GoodMail

  • RCVD_IN_IADB_LISTED = Participates in the IADB system

  • RCVD_IN_IADB_LOOSE = IADB: Adds relationship addrs w/out opt-in

  • RCVD_IN_IADB_MI_CPEAR = IADB: Complies with Michigan's CPEAR law

  • RCVD_IN_IADB_MI_CPR_30 = IADB: Checked lists against Michigan's CPR within 30 days

  • RCVD_IN_IADB_MI_CPR_MAT = IADB: Sends no material under Michigan's CPR

  • RCVD_IN_IADB_ML_DOPTIN = IADB: Mailing list email only, confirmed opt-in

  • RCVD_IN_IADB_NOCONTROL = IADB: Has absolutely no mailing controls in place

  • RCVD_IN_IADB_OOO = IADB: One-to-one/transactional email only

  • RCVD_IN_IADB_OPTIN = IADB: All mailing list mail is opt-in

  • RCVD_IN_IADB_OPTIN_GT50 = IADB: Opt-in used more than 50% of the time

  • RCVD_IN_IADB_OPTIN_LT50 = IADB: Opt-in used less than 50% of the time

  • RCVD_IN_IADB_OPTOUTONLY = IADB: Scrapes addresses, pure opt-out only

  • RCVD_IN_IADB_RDNS = IADB: Sender has reverse DNS record

  • RCVD_IN_IADB_SENDERID = IADB: Sender publishes Sender ID record

  • RCVD_IN_IADB_SPF = IADB: Sender publishes SPF record

  • RCVD_IN_IADB_UNVERIFIED_1 = IADB: Accepts unverified sign-ups

  • RCVD_IN_IADB_UNVERIFIED_2 = IADB: Accepts unverified sign-ups, gives chance to opt out

  • RCVD_IN_IADB_UT_CPEAR = IADB: Complies with Utah's CPEAR law

  • RCVD_IN_IADB_UT_CPR_30 = IADB: Checked lists against Utah's CPR within 30 days

  • RCVD_IN_IADB_UT_CPR_MAT = IADB: Sends no material under Utah's CPR

  • RCVD_IN_PSBL = Received via a relay in PSBL

  • RCVD_MAIL_COM = Forged Received header (contains post.com or mail.com)

  • RDNS_LOCALHOST = Sender's public rDNS is "localhost"

  • RISK_FREE = No risk!

  • SERGIO_SUBJECT_VIAGRA01 = Viagra garbled subject

  • SHORT_HELO_AND_INLINE_IMAGE = Short HELO string, with inline image

  • SINGLETS_LOW_CONTRAST = Single-letter formatted HTML + hidden text

  • SPAMMY_XMAILER = X-Mailer string is common in spam and not in ham

  • SPOOFED_FREEM_REPTO = Forged freemail sender with freemail reply-to

  • SPOOFED_FREEM_REPTO_CHN = Forged freemail sender with Chinese freemail reply-to

  • STATIC_XPRIO_OLE = Static RDNS + X-Priority + MIMEOLE

  • STOCK_IMG_CTYPE = Stock spam image part, with distinctive Content-Type header

  • STOCK_IMG_HDR_FROM = Stock spam image part, with distinctive From line

  • STOCK_IMG_HTML = Stock spam image part, with distinctive HTML

  • STOCK_IMG_OUTLOOK = Stock spam image part, with Outlook-like features

  • STOCK_LOW_CONTRAST = Stocks + hidden text

  • STOCK_TIP = Stock tips

  • STYLE_GIBBERISH = Nonsense in HTML <STYLE> tag

  • SUBJECT_NEEDS_ENCODING = Subject is encoded but does not specify the encoding

  • SYSADMIN = Supposedly from your IT department

  • TBIRD_SUSP_MIME_BDRY = Unlikely Thunderbird MIME boundary

  • TEQF_USR_IMAGE = To and from user nearly same + image

  • TEQF_USR_MSGID_HEX = To and from user nearly same + unusual message ID

  • TEQF_USR_MSGID_MALF = To and from user nearly same + malformed message ID

  • THIS_AD = "This ad" and variants

  • TO_IN_SUBJ = To address is in Subject

  • TO_NO_BRKTS_DYNIP = To: lacks brackets and dynamic rDNS

  • TO_NO_BRKTS_FROM_MSSP = Multiple header formatting problems

  • TO_NO_BRKTS_HTML_IMG = To: lacks brackets and HTML and one image

  • TO_NO_BRKTS_HTML_ONLY = To: lacks brackets and HTML only

  • TO_NO_BRKTS_MSFT = To: lacks brackets and supposed Microsoft tool

  • TO_NO_BRKTS_NORDNS_HTML = To: lacks brackets and no rDNS and HTML only

  • TO_NO_BRKTS_PCNT = To: lacks brackets + percentage

  • TT_MSGID_TRUNC = Scora: Message-Id ends after left-bracket + digits

  • TT_OBSCURED_VALIUM = Scora: obscured "VALIUM" in subject

  • TT_OBSCURED_VIAGRA = Scora: obscured "VIAGRA" in subject

  • TVD_ACT_193 = Message refers to an act passed in the 1930s

  • TVD_APPROVED = Body states that the recipient has been approved

  • TVD_DEAR_HOMEOWNER = Spam with the generic salutation of "dear homeowner"

  • TVD_ENVFROM_APOST = Envelope From contains single-quote

  • TVD_FLOAT_GENERAL = Message uses CSS float style

  • TVD_FUZZY_DEGREE = Obfuscation of the word "degree"

  • TVD_FUZZY_FINANCE = Obfuscation of the word "finance"

  • TVD_FUZZY_FIXED_RATE = Obfuscation of the phrase "fixed rate"

  • TVD_FUZZY_MICROCAP = Obfuscation of the word "micro-cap"

  • TVD_FUZZY_PHARMACEUTICAL = Obfuscation of the word "pharmaceutical"

  • TVD_FUZZY_SYMBOL = Obfuscation of the word "symbol"

  • TVD_FW_GRAPHIC_NAME_LONG = Long image attachment name

  • TVD_FW_GRAPHIC_NAME_MID = Medium sized image attachment name

  • TVD_INCREASE_SIZE = Advertising for penis enlargement

  • TVD_LINK_SAVE = Spam with the text "link to save"

  • TVD_PH_BODY_ACCOUNTS_PRE = The body matches phrases such as "accounts suspended", "account credited", "account verification"

  • TVD_PH_REC = Message includes a phrase commonly used in phishing mails

  • TVD_PH_SEC = Message includes a phrase commonly used in phishing mails

  • TVD_QUAL_MEDS = The body matches phrases such as "quality meds" or "quality medication"

  • TVD_RATWARE_CB = Content-Type header that is commonly indicative of ratware

  • TVD_RATWARE_CB_2 = Content-Type header that is commonly indicative of ratware

  • TVD_RATWARE_MSGID_02 = Ratware with a Message-ID header that is entirely lower-case

  • TVD_RCVD_IP = Message was received from an IP address

  • TVD_RCVD_IP4 = Message was received from an IPv4 address

  • TVD_RCVD_SINGLE = Message was received from localhost

  • TVD_SECTION = References to specific legal codes

  • TVD_SILLY_URI_OBFU = URI obfuscation that can fool a URIBL or a uri rule

  • TVD_SPACED_SUBJECT_WORD3 = Entire subject is "UPPERlowerUPPER" with no whitespace

  • TVD_SPACE_ENCODED = Space ratio & encoded subject

  • TVD_SPACE_ENC_FM_MIME = Space ratio & encoded subject & MIME needed

  • TVD_SPACE_RATIO_MINFP = Space ratio

  • TVD_STOCK1 = Spam related to stock trading

  • TVD_SUBJ_ACC_NUM = Subject has spammy looking monetary reference

  • TVD_SUBJ_FINGER_03 = Entire subject is enclosed in asterisks "* like so *"

  • TVD_SUBJ_OWE = Subject line states that the recipient is in debt

  • TVD_SUBJ_WIPE_DEBT = Spam advertising a way to eliminate debt

  • TVD_VISIT_PHARMA = Body mentions online pharmacy

  • TVD_VIS_HIDDEN = Invisible textarea HTML tags

  • TW_GIBBERISH_MANY = Lots of gibberish text to spoof pattern matching filters

  • T_DATE_IN_FUTURE_Q_PLUS = Date: is over 4 months after Received: date

  • T_DOS_OUTLOOK_TO_MX_IMAGE = Direct to MX with Outlook headers and an image

  • T_EMRCP = "Excess Maximum Return Capital Profit" scam

  • T_END_FUTURE_EMAILS = Spammy unsubscribe

  • T_LOTTO_AGENT_FM = Claims Agent

  • T_LOTTO_AGENT_RPLY = Claims Agent

  • T_LOTTO_URI = Claims Department URL

  • T_RP_MATCHES_RCVD = Envelope sender domain matches handover relay domain

  • T_SHARE_50_50 = Share the money 50/50

  • UC_GIBBERISH_OBFU = Multiple instances of "word VERYLONGGIBBERISH word"

  • URIBL_RHS_DOB = Contains a URI of a new domain (Day Old Bread)

  • URI_DATA = "data:" URI - possible malware or phish

  • URI_DQ_UNSUB = IP-address unsubscribe URI

  • URI_GOOGLE_PROXY = Accessing a blocked URI or obscuring the source of phish via Google proxy?

  • URI_ONLY_MSGID_MALF = URI only + malformed message ID

  • URI_OPTOUT_3LD = Opt-out URI, suspicious hostname

  • URI_OPTOUT_USME = Opt-out URI, unusual TLD

  • URI_PHISH = Phishing using web form

  • URI_TRY_3LD = "Try it" URI, suspicious hostname

  • URI_TRY_USME = "Try it" URI, unusual TLD

  • URI_WPADMIN = WordPress login/admin URI, possible phishing

  • URI_WP_DIRINDEX = URI for compromised WordPress site, possible malware

  • URI_WP_HACKED = URI for compromised WordPress site, possible malware

  • URI_WP_HACKED_2 = URI for compromised WordPress site, possible malware

  • XM_PHPMAILER_FORGED = Apparently forged header

  • XPRIO = Has X-Priority header

  • XPRIO_SHORT_SUBJ = Has X-Priority header + short subject

  • URIBL_SC_SURBL = Contains a URL listed in the SC SURBL blocklist

  • URIBL_WS_SURBL = Contains a URL listed in the WS SURBL blocklist

  • URIBL_PH_SURBL = Contains a URL listed in the PH SURBL blocklist

  • URIBL_MW_SURBL = Contains a Malware Domain or IP listed in the MW SURBL blocklist

  • URIBL_AB_SURBL = Contains a URL listed in the AB SURBL blocklist

  • URIBL_JP_SURBL = Contains a URL listed in the JP SURBL blocklist