FutureQuest Professional Web Hosting Flash Intro FutureQuest Community Message Forums
Order Now! Home Web Hosting
Services
Web Hosting
Support
Web Hosting
Data Center
Web Hosting
Community
Web Hosting
About
Web Hosting
Contact
Web Hosting
Account Management

SpamAssassin Test & Scoring Chart

FutureQuest SpamAssassin Test & Scoring Chart

This is the current list of tests SpamAssassin performs on email with SpamAssassin Filtering enabled to determine if they're spam or not.

You may also test specific X-Spam-Status headers via the SpamAssassin Status Decoder.

Test Name Area Tested Description Of Test Score
Bayes off
RBLs off
Score
Bayes off
RBLs on
Score
Bayes on
RBLs off
Score
Bayes on
RBLs on
ACT_NOW_CAPSbodyTalks about 'acting now' with capitals1.4042.3990.9252.211
AC_BR_BONANZArawbodyToo many newlines in a row... spammy template0.0010.0010.0010.001
AC_DIV_BONANZArawbodyToo many divs in a row... spammy template0.0010.0010.0010.001
AC_HTML_NONSENSE_TAGSrawbodyMany consecutive multi-letter HTML tags, likely nonsense/spam1.0000.0011.0000.001
AC_SPAMMY_URI_PATTERNS1metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS10metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS11metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS12metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS2metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS3metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS4metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS8metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS9metalink combos match highly spammy template1.0001.0001.0001.000
ADMAILmeta"admail" and variants1.0001.0001.0001.000
ADVANCE_FEE_2_NEW_FORMmetaAdvance Fee fraud and a form1.0001.0001.0001.000
ADVANCE_FEE_2_NEW_MONEYmetaAdvance Fee fraud and lots of money1.9970.0011.9970.001
ADVANCE_FEE_3_NEWmetaAppears to be advance fee fraud (Nigerian 419)3.4960.0013.4960.001
ADVANCE_FEE_3_NEW_FORMmetaAdvance Fee fraud and a form1.0001.0001.0001.000
ADVANCE_FEE_3_NEW_MONEYmetaAdvance Fee fraud and lots of money2.7960.0012.7960.001
ADVANCE_FEE_4_NEWmetaAppears to be advance fee fraud (Nigerian 419)2.5960.7892.5960.789
ADVANCE_FEE_5_NEWmetaAppears to be advance fee fraud (Nigerian 419)2.9960.0012.9960.001
AD_PREFSbodyAdvertising preferences1.0001.0001.0001.000
ALL_TRUSTEDheaderPassed through trusted hosts only via SMTP-1.000-1.000-1.000-1.000
ANY_BOUNCE_MESSAGEmetaMessage is some kind of bounce message0.1000.1000.1000.100
APOSTROPHE_FROMheaderFrom address contains an apostrophe0.1480.7860.6510.545
AWLheaderAdjusted score from AWL reputation of From: address1.0001.0001.0001.000
AXB_XMAILER_MIMEOLE_OL_024C2metaYet another X header trait0.3670.0010.3670.001
AXB_XMAILER_MIMEOLE_OL_1ECD5metaYet another X header trait##} AXB_XMAILER_MIMEOLE_OL_1ECD50.1810.0010.1810.001
AXB_XM_FORGED_OL2600metaForged OE v. 6.26001.1902.6991.1902.699
BAD_CREDITbodyEliminate Bad Credit2.7991.6581.2792.415
BAD_ENC_HEADERheaderMessage has bad MIME encoding in the header0.0010.0010.0010.001
BANG_GUARbodySomething is emphatically guaranteed1.0001.0001.0001.000
BANKING_LAWSbodyTalks about banking laws2.3992.0042.1571.099
BASE64_LENGTH_78_79bodyNo description provided2.3702.6360.7622.667
BASE64_LENGTH_79_INFbodybase64 encoded email part uses line length greater than 79 characters1.3792.0190.5831.502
BAYES_00bodyBayes spam probability is 0 to 1%-3.000-3.000-3.000-3.000
BAYES_05bodyBayes spam probability is 1 to 5%-0.500-0.500-0.500-0.500
BAYES_20bodyBayes spam probability is 5 to 20%-0.001-0.001-0.001-0.001
BAYES_40bodyBayes spam probability is 20 to 40%-0.001-0.001-0.001-0.001
BAYES_50bodyBayes spam probability is 40 to 60%2.0002.0002.0002.000
BAYES_60bodyBayes spam probability is 60 to 80%3.0003.0003.0003.000
BAYES_80bodyBayes spam probability is 80 to 95%4.0004.0004.0004.000
BAYES_95bodyBayes spam probability is 95 to 99%5.0005.0005.0005.000
BAYES_99bodyBayes spam probability is 99 to 100%6.0006.0006.0006.000
BAYES_999bodyBayes spam probability is 99.9 to 100%7.0007.0007.0007.000
BILLION_DOLLARSbodyTalks about lots of money0.0011.4511.2291.638
BODY_8BITSbodyBody includes 8 consecutive 8-bit characters1.5001.5001.5001.500
BODY_EMPTYmetaNo body text in message1.9971.9991.9971.999
BODY_ENHANCEMENTbodyInformation on growing body parts0.9271.6110.9740.001
BODY_ENHANCEMENT2bodyInformation on getting larger body parts1.6911.5071.8651.541
BODY_URI_ONLYmetaMessage body is only a URI in one line of text or for an image0.9980.0010.9980.001
BOGUS_MSM_HDRSmetaApparently bogus Microsoft email headers0.9090.0010.9090.001
BOUNCE_MESSAGEmetaMTA bounce message0.1000.1000.1000.100
BUG6152_INVALID_DATE_TZ_ABSURDheaderNo description provided1.8021.4480.0240.766
CANT_SEE_ADmetaYou really want to see our spam.2.9960.5002.9960.500
CHALLENGE_RESPONSEmetaChallenge-Response message for mail you sent0.1000.1000.1000.100
CHARSET_FARAWAYbodyCharacter set indicates a foreign language3.2003.2003.2003.200
CHARSET_FARAWAY_HEADERheaderA foreign language charset used in headers3.2003.2003.2003.200
CK_HELO_DYNAMIC_SPLIT_IPheaderRelay HELO'd using suspicious hostname (Split IP)1.3500.0011.3500.001
CK_HELO_GENERICheaderRelay used name indicative of a Dynamic Pool or Generic rPTR0.2490.2490.2490.249
CN_B2B_SPAMMERbodyChinese company introducing itself0.0010.0010.0010.001
COMMENT_GIBBERISHmetaNonsense in long HTML comment1.4981.4991.4981.499
CRBOUNCE_MESSAGEmetaChallenge-Response bounce message0.1000.1000.1000.100
CTYPE_001C_BheaderNo description provided0.0010.0010.0010.001
CURR_PRICEbodyNo description provided0.0010.0010.0010.001
DATE_IN_FUTURE_03_06headerDate: is 3 to 6 hours after Received: date3.3992.4262.9973.027
DATE_IN_FUTURE_06_12headerDate: is 6 to 12 hours after Received: date2.8990.0012.2221.947
DATE_IN_FUTURE_12_24headerDate: is 12 to 24 hours after Received: date2.6032.4893.1993.199
DATE_IN_FUTURE_24_48headerDate: is 24 to 48 hours after Received: date2.5981.2480.0012.048
DATE_IN_FUTURE_48_96headerDate: is 48 to 96 hours after Received: date2.3840.8131.0782.181
DATE_IN_FUTURE_96_QheaderDate: is 4 days to 4 months after Received: date3.2963.2993.2963.299
DATE_IN_PAST_03_06headerDate: is 3 to 6 hours before Received: date2.3991.0761.2001.592
DATE_IN_PAST_06_12headerDate: is 6 to 12 hours before Received: date1.6991.1031.2741.543
DATE_IN_PAST_12_24headerDate: is 12 to 24 hours before Received: date0.0010.8041.1901.049
DATE_IN_PAST_24_48headerDate: is 24 to 48 hours before Received: date1.1090.4850.6241.340
DATE_IN_PAST_96_XXheaderDate: is 96 hours or more before Received: date2.6002.0701.2333.405
DCC_CHECKfullDetected as bulk mail by DCC (dcc-servers.net)0.0001.1000.0001.100
DCC_REPUT_00_12fullDCC reputation between 0 and 12 % (mostly ham)0.000-0.8000.000-0.400
DCC_REPUT_13_19fullNo description provided0.000-0.1000.000-0.100
DCC_REPUT_70_89fullDCC reputation between 70 and 89 %0.0000.1000.0000.100
DCC_REPUT_90_94fullDCC reputation between 90 and 94 %0.0000.4000.0000.600
DCC_REPUT_95_98fullDCC reputation between 95 and 98 % (mostly spam)0.0000.7000.0001.000
DCC_REPUT_99_100fullDCC reputation between 99 % or higher (spam)0.0001.2000.0001.400
DC_GIF_UNO_LARGOmetaMessage contains a single large gif image0.0011.3230.0532.176
DC_IMAGE_SPAM_HTMLmetaPossible Image-only spam0.5000.1411.8080.810
DC_IMAGE_SPAM_TEXTmetaPossible Image-only spam with little text0.1000.1230.3230.242
DC_PNG_UNO_LARGOmetaMessage contains a single large png image0.0010.0010.0010.001
DEAR_FRIENDbodyDear Friend? That's not very dear!2.6832.6041.8012.577
DEAR_SOMETHINGbodyContains 'Dear (something)'1.9991.7311.7871.973
DEAR_WINNERbodySpam with generic salutation of "dear winner"3.0993.0992.3093.099
DIET_1bodyLose Weight Spam0.7140.0000.3990.001
DIGEST_MULTIPLEmetaMessage hits more than one network digest check0.0000.0010.0000.293
DKIMDOMAIN_IN_DWLaskdnsSigning domain listed in Spamhaus DWL0.000-3.5000.000-3.500
DKIMDOMAIN_IN_DWL_UNKNOWNmetaUnrecognized response from Spamhaus DWL0.000-0.0100.000-0.010
DKIM_ADSP_ALLheaderNo valid author signature, domain signs all mail0.0001.1000.0000.800
DKIM_ADSP_CUSTOM_HIGHheaderNo valid author signature, adsp_override is CUSTOM_HIGH0.0010.0010.0010.001
DKIM_ADSP_CUSTOM_LOWheaderNo valid author signature, adsp_override is CUSTOM_LOW0.0010.0010.0010.001
DKIM_ADSP_CUSTOM_MEDheaderNo valid author signature, adsp_override is CUSTOM_MED0.0010.0010.0010.001
DKIM_ADSP_DISCARDheaderNo valid author signature, domain signs all mail and suggests discarding the rest0.0001.8000.0001.800
DKIM_ADSP_NXDOMAINheaderNo valid author signature and domain not in DNS0.0000.8000.0000.900
DKIM_SIGNEDfullMessage has a DKIM or DK signature, not necessarily valid0.1000.1000.1000.100
DKIM_VALIDfullMessage has at least one valid DKIM or DK signature-0.100-0.100-0.100-0.100
DKIM_VALID_AUfullMessage has a valid DKIM or DK signature from author's domain-0.100-0.100-0.100-0.100
DOS_OE_TO_MXmetaDelivered direct to MX with OE headers2.6023.0862.2652.523
DOS_OE_TO_MX_IMAGEmetaDirect to MX with OE headers and an image2.8861.8862.4253.699
DOS_OUTLOOK_TO_MXmetaDelivered direct to MX with Outlook headers2.6361.4491.7372.845
DOS_RCVD_IP_TWICE_CheaderReceived from the same IP twice in a row (only one external relay; empty or IP helo)2.5992.0603.2920.096
DOS_STOCK_BATmetaProbable pump and dump stock spam0.0010.0010.0010.001
DRUGS_ANXIETYmetaRefers to an anxiety control drug2.6990.6852.2121.483
DRUGS_DIETmetaRefers to a diet drug2.6600.7571.8310.337
DRUGS_ERECTILEmetaRefers to an erectile drug1.7782.2211.2991.994
DRUGS_ERECTILE_OBFUmetaObfuscated reference to an erectile drug1.3241.3092.9351.109
DRUGS_MANYKINDSmetaRefers to at least four kinds of drugs2.0011.4730.8410.342
DRUGS_MUSCLEmetaRefers to a muscle relaxant0.0012.4990.3920.164
DRUGS_SMEAR1bodyTwo or more drugs crammed together into one word3.3002.0513.1480.235
DRUGS_STOCK_MIMEOLEmetaStock-spam forged headers found (5510)2.6991.6812.4781.321
DRUG_ED_CAPSbodyMentions an E.D. drug2.7991.0232.5160.936
DRUG_ED_ONLINEbodyFast Viagra Delivery0.6961.1521.2210.608
DRUG_ED_SILDbodyTalks about an E.D. drug using its chemical name0.0010.1700.1131.794
DX_TEXT_02body"change your message stat"1.0001.0001.0001.000
DX_TEXT_03body"XXX Media Group"1.0001.0001.0001.000
DYN_RDNS_AND_INLINE_IMAGEmetaContains image, and was sent by dynamic rDNS1.3451.3441.4341.168
DYN_RDNS_SHORT_HELO_HTMLmetaSent by dynamic rDNS, short HELO, and HTML0.0010.0010.0000.001
DYN_RDNS_SHORT_HELO_IMAGEmetaShort HELO string, dynamic rDNS, inline image1.8252.5162.2851.013
EMPTY_MESSAGEmetaMessage appears to have no textual parts and no Subject: text2.1952.3441.5522.320
EM_ROLEXbodyMessage puts emphasis on the watch manufacturer0.5951.3092.0680.618
ENCRYPTED_MESSAGEmetaMessage is encrypted, not likely to be spam-1.000-1.000-1.000-1.000
ENGLISH_UCE_SUBJECTheaderSubject contains an English UCE tag0.9531.5422.5692.899
ENV_AND_HDR_SPF_MATCHmetaEnv and Hdr From used in default SPF WL Match-0.500-0.500-0.500-0.500
EXCUSE_24bodyClaims you wanted this ad1.0001.0001.0001.000
EXCUSE_4bodyClaims you can be removed from the list2.3991.6872.3991.325
EXCUSE_REMOVEbodyTalks about how to be removed from mailings2.9072.9923.2993.299
FAKE_REPLY_CmetaNo description provided0.6880.0012.5531.486
FBI_MONEYmetaThe FBI wants to give you lots of money?0.6960.0010.6960.001
FBI_SPOOFmetaClaims to be FBI, but not from FBI domain1.9991.9991.9991.999
FILL_THIS_FORMmetaFill in a form with personal information0.0010.0010.0010.001
FILL_THIS_FORM_FRAUD_PHISH???No description provided1.1950.3960.6150.334
FILL_THIS_FORM_LOAN???No description provided2.0922.2371.8362.880
FILL_THIS_FORM_LONG???No description provided2.0002.0002.0002.000
FIN_FREEbodyFreedom of a financial nature2.6992.2892.6992.700
FORGED_HOTMAIL_RCVD2headerhotmail.com 'From' address, but no 'Received:'0.0011.1870.6980.874
FORGED_MSGID_EXCITEmetaMessage-ID is forged, (excite.com)2.3991.8991.6490.528
FORGED_MSGID_YAHOOmetaMessage-ID is forged, (yahoo.com)2.6992.2442.0931.549
FORGED_MUA_EUDORAmetaForged mail pretending to be from Eudora2.8282.5101.9620.001
FORGED_MUA_IMSmetaForged mail pretending to be from IMS2.3992.3992.3991.943
FORGED_MUA_MOZILLAmetaForged mail pretending to be from Mozilla2.3991.5962.3992.309
FORGED_MUA_OIMOmetaForged mail pretending to be from MS Outlook IMO2.6002.5992.5992.599
FORGED_MUA_OUTLOOKmetaForged mail pretending to be from MS Outlook3.9992.7852.5001.927
FORGED_MUA_THEBAT_BOUNmetaMail pretending to be from The Bat! (boundary)3.0463.2203.2073.399
FORGED_OUTLOOK_HTMLmetaOutlook can't send HTML message only0.0010.0010.0010.021
FORGED_OUTLOOK_TAGSmetaOutlook can't send HTML in this format0.0030.5650.0010.052
FORGED_TELESP_RCVDheaderContains forged hostname for a DSL IP in Brazil2.4992.4992.4991.841
FORGED_YAHOO_RCVDheader'From' yahoo.com does not match 'Received' headers2.3971.0222.5991.630
FORM_FRAUDmetaFill a form and a fraud phrase0.9980.0010.9980.001
FORM_FRAUD_3metaFill a form and several fraud phrases2.6960.0012.6960.001
FORM_FRAUD_5metaFill a form and many fraud phrases0.2090.0010.2090.001
FORM_LOW_CONTRASTmetaFill in a form with hidden text1.0001.0001.0001.000
FOUND_YOUmetaI found you...3.0130.0013.0130.001
FREEMAIL_DOC_PDF_BCCmetaMS document or PDF attachment, from freemail, all recipients hidden2.5962.5992.5962.599
FREEMAIL_ENVFROM_END_DIGITheaderEnvelope-from freemail username ends in digit0.2500.2500.2500.250
FREEMAIL_FORGED_FROMDOMAINmeta2nd level domains in From and EnvelopeFrom freemail headers are different0.0010.1990.0010.199
FREEMAIL_FORGED_REPLYTOmetaFreemail in Reply-To, but not From1.1992.5031.2042.095
FREEMAIL_FROMheaderSender email is commonly abused enduser mail provider0.0010.0010.0010.001
FREEMAIL_REPLYmetaFrom and body contain different freemails1.0001.0001.0001.000
FREEMAIL_REPLYTOmetaReply-To/From or Reply-To/body contain different freemails1.0001.0001.0001.000
FREEMAIL_REPLYTO_END_DIGITheaderReply-To freemail username ends in digit0.2500.2500.2500.250
FREE_QUOTE_INSTANTbodyFree express or no-obligation quote2.7002.6992.6991.297
FROM_BLANK_NAMEheaderFrom: contains empty name2.0992.0992.0990.723
FROM_DOMAIN_NOVOWELheaderFrom: domain has series of non-vowel letters0.5000.5000.5000.500
FROM_EXCESS_BASE64metaFrom: base64 encoded unnecessarily0.0000.1050.0010.979
FROM_ILLEGAL_CHARSheaderFrom: has too many raw illegal characters2.1922.0590.2400.036
FROM_IN_TO_AND_SUBJmetaFrom address is in To and Subject0.2870.2620.2870.262
FROM_LOCAL_DIGITSheaderFrom: localpart has long digit sequence0.0010.0010.0010.001
FROM_LOCAL_HEXheaderFrom: localpart has long hexadecimal sequence0.0000.3310.0010.006
FROM_LOCAL_NOVOWELheaderFrom: localpart has series of non-vowel letters0.5000.5000.5000.500
FROM_MISSPACEDmetaFrom: missing whitespace0.0010.0010.0010.001
FROM_MISSP_FREEMAILmetaFrom misspaced + freemail provider3.5950.0013.5950.001
FROM_MISSP_MSFTmetaFrom misspaced + supposed Microsoft tool0.0010.0010.0010.001
FROM_MISSP_REPLYTOmetaFrom misspaced, has Reply-To0.0010.0010.0010.001
FROM_MISSP_SPF_FAILmetaNo description provided0.0011.0000.0011.000
FROM_MISSP_TO_UNDISCmetaFrom misspaced, To undisclosed1.4380.0011.4380.001
FROM_MISSP_USERmetaFrom misspaced, from "User"0.0010.0010.0010.001
FROM_MISSP_XPRIOmetaMisspaced FROM + X-Priority0.0010.0010.0010.001
FROM_NO_USERheaderFrom: has no local-part before @ sign0.0012.5990.0190.798
FROM_OFFERSheaderFrom address is "at something-offers"1.0001.0001.0001.000
FROM_STARTS_WITH_NUMSheaderFrom: starts with several numbers2.8010.5531.2010.738
FROM_WORDYmetaFrom address looks like a sentence2.4970.0012.4970.001
FROM_WORDY_SHORTmetaFrom address looks like a sentence + short message1.0001.0001.0001.000
FSL_CTYPE_WIN1251headerContent-Type only seen in 419 spam0.0010.0010.0010.001
FSL_FAKE_HOTMAIL_RVCDheaderNo description provided2.6311.8162.0112.365
FSL_HELO_BARE_IP_1metaNo description provided2.5981.4263.0992.347
FSL_HELO_BARE_IP_2metaNo description provided1.4981.4991.4981.499
FSL_HELO_DEVICEheaderNo description provided1.6820.0010.8840.806
FSL_HELO_NON_FQDN_1headerNo description provided2.3610.0011.7830.001
FSL_INTERIA_ABUSEuriNo description provided3.8992.6643.0803.106
FSL_NEW_HELO_USERmetaSpam's using Helo and User0.0830.0010.0830.001
FUZZY_AMBIENbodyAttempt to obfuscate words in spam2.1991.8510.9250.552
FUZZY_ANDROIDbodyObfuscated "android"1.0001.0001.0001.000
FUZZY_BROWSERbodyObfuscated "browser"1.0001.0001.0001.000
FUZZY_CLICK_HEREbodyObfuscated "click here"1.0001.0001.0001.000
FUZZY_CPILLbodyAttempt to obfuscate words in spam0.0010.0010.0010.001
FUZZY_CREDITbodyAttempt to obfuscate words in spam1.6991.4130.6011.678
FUZZY_DR_OZmetaObfuscated Doctor Oz1.0001.0001.0001.000
FUZZY_ERECTbodyAttempt to obfuscate words in spam2.3561.3062.3601.859
FUZZY_IMPORTANTbodyObfuscated "important"1.0001.0001.0001.000
FUZZY_MILLIONbodyAttempt to obfuscate words in spam2.5992.5991.6592.505
FUZZY_PHARMACYbodyAttempt to obfuscate words in spam2.9603.2991.9671.353
FUZZY_PHENTbodyAttempt to obfuscate words in spam2.7991.6471.5402.662
FUZZY_PRICESbodyAttempt to obfuscate words in spam1.8210.7202.2102.311
FUZZY_PRIVACYbodyObfuscated "privacy"1.0001.0001.0001.000
FUZZY_PROMOTIONbodyObfuscated "promotion"1.0001.0001.0001.000
FUZZY_ROLEXbodyAttempt to obfuscate words in spam3.3991.0383.3991.964
FUZZY_SAVINGSbodyObfuscated "savings"1.0001.0001.0001.000
FUZZY_SECURITYbodyObfuscated "security"1.0001.0001.0001.000
FUZZY_UNSUBSCRIBEbodyObfuscated "unsubscribe"1.0001.0001.0001.000
FUZZY_VPILLbodyAttempt to obfuscate words in spam0.0010.4940.7961.014
FUZZY_XPILLbodyAttempt to obfuscate words in spam2.2021.7522.7992.799
GAPPY_SUBJECTmetaSubject: contains G.a.p.p.y-T.e.x.t0.5941.3121.2101.954
GMD_PDF_EMPTY_BODYbodyAttached PDF with empty message body0.2500.2500.2500.250
GMD_PDF_ENCRYPTEDbodyAttached PDF is encrypted0.6000.6000.6000.600
GMD_PDF_HORIZbodyContains pdf 100-240 (high) x 450-800 (wide)0.2500.2500.2500.250
GMD_PDF_SQUAREbodyContains pdf 180-360 (high) x 180-360 (wide)0.5000.5000.5000.500
GMD_PDF_VERTbodyContains pdf 450-800 (high) x 100-240 (wide)0.9000.9000.9000.900
GMD_PRODUCER_EASYPDFbodyPDF producer was BCL easyPDF0.2500.2500.2500.250
GMD_PRODUCER_GPLbodyPDF producer was GPL Ghostscript0.2500.2500.2500.250
GMD_PRODUCER_POWERPDFbodyPDF producer was PowerPDF0.2500.2500.2500.250
GOOGLE_DOCS_PHISHmetaPossible phishing via a Google Docs form1.0001.0001.0001.000
GOOGLE_DOCS_PHISH_MANYmetaPhishing via a Google Docs form1.0001.0001.0001.000
GOOG_MALWARE_DNLDmetaFile download via Google - Malware?1.0001.0001.0001.000
GOOG_REDIR_SHORTmetaGoogle redirect to obscure spamvertised website + short message1.0001.0001.0001.000
GTUBEbodyGeneric Test for Unsolicited Bulk Email1000.0001000.0001000.0001000.000
GUARANTEED_100_PERCENTbodyOne hundred percent guaranteed2.6992.6992.4802.699
HASHCASH_20headerContains valid Hashcash token (20 bits)-0.500-0.500-0.500-0.500
HASHCASH_21headerContains valid Hashcash token (21 bits)-0.700-0.700-0.700-0.700
HASHCASH_22headerContains valid Hashcash token (22 bits)-1.000-1.000-1.000-1.000
HASHCASH_23headerContains valid Hashcash token (23 bits)-2.000-2.000-2.000-2.000
HASHCASH_24headerContains valid Hashcash token (24 bits)-3.000-3.000-3.000-3.000
HASHCASH_25headerContains valid Hashcash token (25 bits)-4.000-4.000-4.000-4.000
HASHCASH_2SPENDheaderHashcash token already spent in another mail0.1000.1000.1000.100
HASHCASH_HIGHheaderContains valid Hashcash token (>25 bits)-5.000-5.000-5.000-5.000
HDRS_LCASEmetaOdd capitalization of message header0.0990.1000.0990.100
HEADER_FROM_DIFFERENT_DOMAINSheaderFrom and EnvelopeFrom 2nd level mail domains are different0.0010.0010.0010.001
HEADER_HOST_IN_BLACKLISTheaderBlacklisted header host or domain100.000100.000100.000100.000
HEADER_HOST_IN_WHITELISTheaderWhitelisted header host or domain-100.000-100.000-100.000-100.000
HEADER_SPAMheaderBulk email fingerprint (header-based) found2.4992.4991.9940.585
HELO_DYNAMIC_CHELLO_NLheaderRelay HELO'd using suspicious hostname (Chello.nl)2.4121.9182.0192.428
HELO_DYNAMIC_DHCPmetaRelay HELO'd using suspicious hostname (DHCP)2.6020.8411.5370.206
HELO_DYNAMIC_DIALINheaderRelay HELO'd using suspicious hostname (T-Dialin)2.6293.2332.1861.366
HELO_DYNAMIC_HCCmetaRelay HELO'd using suspicious hostname (HCC)4.2992.5142.9312.762
HELO_DYNAMIC_HEXIPheaderRelay HELO'd using suspicious hostname (Hex IP)2.3210.5111.7731.789
HELO_DYNAMIC_HOME_NLheaderRelay HELO'd using suspicious hostname (Home.nl)2.3851.5301.0241.459
HELO_DYNAMIC_IPADDRmetaRelay HELO'd using suspicious hostname (IP addr 1)2.6333.2433.6801.951
HELO_DYNAMIC_IPADDR2metaRelay HELO'd using suspicious hostname (IP addr 2)2.8153.8883.7283.607
HELO_DYNAMIC_SPLIT_IPheaderRelay HELO'd using suspicious hostname (Split IP)3.0312.8934.2253.482
HELO_LH_HOME???No description provided0.0012.0230.5371.736
HELO_LOCALHOSTheaderNo description provided2.6393.6032.9153.828
HELO_MISC_IPmetaLooking for more Dynamic IP Relays0.2480.2500.2480.250
HELO_OEMheaderNo description provided2.8992.8991.2340.270
HELO_STATIC_HOSTmetaRelay HELO'd using static hostname-0.001-0.001-0.001-0.001
HEXHASH_WORDmetaMultiple instances of word + hexadecimal hash1.0001.0001.0001.000
HIDE_WIN_STATUSrawbodyJavascript to hide URLs in browser0.0011.3530.7541.380
HK_NAME_DRUGSheaderFrom name contains drugs4.2990.0013.0770.552
HK_RANDOM_ENVFROMheaderEnvelope sender username looks random2.6380.6261.7980.001
HK_RANDOM_FROMheaderFrom username looks random0.9980.0010.9980.001
HK_SCAM_N15bodyNo description provided1.9352.4991.9352.499
HK_SCAM_N2bodyNo description provided3.2490.0013.2490.001
HTML_CHARSET_FARAWAYmetaA foreign language charset used in HTML markup0.5000.5000.5000.500
HTML_COMMENT_SAVED_URLbodyHTML message is a saved web page0.1980.3570.8991.391
HTML_EMBEDSbodyHTML with embedded plugin object0.0010.0011.1711.799
HTML_EXTRA_CLOSEbodyHTML contains far too many close tags0.0010.0010.0010.001
HTML_FONT_FACE_BADbodyHTML font face is not a word0.0010.2890.2860.981
HTML_FONT_LOW_CONTRASTbodyHTML font color similar or identical to background0.7130.0010.7860.001
HTML_FONT_SIZE_HUGEbodyHTML font size is huge0.0010.0010.0010.001
HTML_FONT_SIZE_LARGEbodyHTML font size is large0.0010.0010.0010.001
HTML_IMAGE_ONLY_04bodyHTML: images with 0-400 bytes of words1.6800.3421.7991.172
HTML_IMAGE_ONLY_08bodyHTML: images with 400-800 bytes of words0.5851.7811.8451.651
HTML_IMAGE_ONLY_12bodyHTML: images with 800-1200 bytes of words1.3811.6291.4002.059
HTML_IMAGE_ONLY_16bodyHTML: images with 1200-1600 bytes of words1.9691.0481.1991.092
HTML_IMAGE_ONLY_20bodyHTML: images with 1600-2000 bytes of words2.1090.7001.3001.546
HTML_IMAGE_ONLY_24bodyHTML: images with 2000-2400 bytes of words2.7991.2821.3281.618
HTML_IMAGE_ONLY_28bodyHTML: images with 2400-2800 bytes of words2.7990.7261.5121.404
HTML_IMAGE_ONLY_32bodyHTML: images with 2800-3200 bytes of words2.1960.0011.1720.001
HTML_IMAGE_RATIO_02bodyHTML has a low ratio of text to image area2.1990.8051.2000.437
HTML_IMAGE_RATIO_04bodyHTML has a low ratio of text to image area2.0890.6100.6070.556
HTML_IMAGE_RATIO_06bodyHTML has a low ratio of text to image area0.0010.0010.0010.001
HTML_IMAGE_RATIO_08bodyHTML has a low ratio of text to image area0.0010.0010.0010.001
HTML_MESSAGEbodyHTML included in message0.0010.0010.0010.001
HTML_MIME_NO_HTML_TAGmetaHTML-only message, but there is no HTML tag0.0010.6350.0010.377
HTML_NONELEMENT_30_40body30% to 40% of HTML elements are non-standard0.0000.0010.3080.001
HTML_OBFUSCATE_05_10bodyMessage is 5% to 10% HTML obfuscation0.6010.0010.7180.260
HTML_OBFUSCATE_10_20bodyMessage is 10% to 20% HTML obfuscation0.1741.1620.5880.093
HTML_OBFUSCATE_20_30bodyMessage is 20% to 30% HTML obfuscation2.4992.4411.4491.999
HTML_OFF_PAGEmetaHTML element rendered well off the displayed page1.0001.0001.0001.000
HTML_SHORT_CENTERmetaHTML is very short with CENTER tag3.7993.4212.6110.743
HTML_SHORT_LINK_IMG_1metaHTML is very short with a linked image2.2150.1390.4800.001
HTML_SHORT_LINK_IMG_2metaHTML is very short with a linked image1.4190.2590.6030.001
HTML_SHORT_LINK_IMG_3metaHTML is very short with a linked image0.6910.3280.0010.148
HTML_TAG_BALANCE_BODYbodyHTML has unbalanced "body" tags1.2470.7120.6281.157
HTML_TAG_BALANCE_HEADbodyHTML has unbalanced "head" tags0.5200.0000.6000.817
HTML_TITLE_SUBJ_DIFFmetaNo description provided1.1492.1711.8012.036
HTTPS_HTTP_MISMATCHbodyNo description provided0.5570.0001.7781.989
HTTP_ESCAPED_HOSTuriUses %-escapes inside a URL's hostname0.8071.6210.4831.125
HTTP_EXCESSIVE_ESCAPESuriCompletely unnecessary %-escapes inside a URL0.0011.5160.0001.572
IMG_DIRECT_TO_MXmetaNo description provided2.3972.4002.3972.400
IMPOTENCEbodyImpotence cure1.5392.1443.0281.374
INVALID_DATEheaderInvalid Date: header (not RFC 2822)1.7010.4321.2001.096
INVALID_DATE_TZ_ABSURDheaderInvalid Date: header (timezone does not exist)0.2620.6320.7060.491
INVALID_MSGIDmetaMessage-Id is not valid, according to RFC 28222.6021.1671.3280.568
INVESTMENT_ADVICEbodyMessage mentions investment advice0.2002.1602.1992.199
IP_LINK_PLUSuriDotted-decimal IP address followed by CGI0.0010.0010.2460.012
JOIN_MILLIONSbodyJoin Millions of Americans0.7000.1281.5491.026
KB_DATE_CONTAINS_TABmetaNo description provided3.8003.7993.7992.751
KB_FAKED_THE_BATmetaNo description provided2.4323.4412.0082.694
KB_RATWARE_MSGIDmetaNo description provided4.0992.9872.1081.700
KB_RATWARE_OUTLOOK_MIDheaderNo description provided4.4004.4002.5031.499
LIST_PRTL_PUMPDUMPmetaIncomplete List-* headers and stock pump-and-dump1.0001.0001.0001.000
LIST_PRTL_SAME_USERmetaIncomplete List-* headers and from+to user the same0.0010.2860.0010.286
LIVEFILESTOREuriNo description provided3.3002.5703.1830.771
LOCALPART_IN_SUBJECTheaderLocal part of To: address appears in Subject0.0010.7301.1991.107
LONGWORDSmetaLong string of long words2.1991.8441.8192.035
LONG_HEX_URImetaVery long purely hexadecimal URI2.1942.2902.1942.290
LONG_IMG_URImetaImage URI with very long path component - web bug?0.5530.1000.5530.100
LONG_TERM_PRICEbodyNo description provided0.0010.0010.0010.001
LOTS_OF_MONEYmetaHuge... sums of money0.0010.0010.0010.001
LOTTERY_1metaNo description provided0.0011.4881.6300.087
LOTTERY_PH_004470metaNo description provided3.2993.3003.2993.299
LOTTO_AGENTmetaClaims Agent1.4981.4991.4981.499
LOTTO_DEPTmetaClaims Department0.0010.0010.0010.001
LOW_PRICEbodyLowest Price0.1610.6000.0011.464
LUCRATIVEmetaMake lots of money!1.0001.0001.0001.000
L_SPAM_TOOL_13headerNo description provided0.5390.4850.4941.333
MALE_ENHANCEbodyMessage talks about enhancing men3.1003.0993.0990.851
MANY_SPAN_IN_TEXTmetaMany <SPAN> tags embedded within text1.0001.0001.0001.000
MARKETING_PARTNERSbodyClaims you registered with a partner0.5530.2350.6890.001
MICROSOFT_EXECUTABLEbodyMessage includes Microsoft executable program0.1000.1000.1000.100
MIMEOLE_DIRECT_TO_MXmetaMIMEOLE + direct-to-MX1.4450.3811.4450.381
MIME_BASE64_BLANKSrawbodyExtra blank lines in base64 encoding0.0010.0010.0010.001
MIME_BASE64_TEXTrawbodyMessage text disguised using base64 encoding0.0010.0010.0011.741
MIME_BOUND_DD_DIGITSheaderSpam tool pattern in MIME boundary3.0160.3492.4171.373
MIME_BOUND_DIGITS_15headerSpam tool pattern in MIME boundary0.4321.2251.2410.798
MIME_CHARSET_FARAWAYmetaMIME character set indicates foreign language2.4502.4502.4502.450
MIME_HEADER_CTYPE_ONLYmeta'Content-Type' found without required MIME headers3.2991.9961.8010.717
MIME_HTML_MOSTLYbodyMultipart message mostly text/html MIME0.3540.0010.7250.428
MIME_HTML_ONLYbodyMessage only has text/html MIME parts2.1991.1051.1990.723
MIME_HTML_ONLY_MULTImetaMultipart message only has text/html MIME parts0.0000.0010.0010.001
MIME_NO_TEXTmetaNo (properly identified) text body parts1.0001.0001.0001.000
MIME_PHP_NO_TEXTmetaNo text body parts, X-Mailer: PHP2.8002.7992.7992.799
MIME_QP_LONG_LINErawbodyQuoted-printable line longer than 76 chars0.0010.0010.0010.001
MIME_SUSPECT_NAMEbodyMIME filename does not match content0.1000.1000.1000.100
MISSING_DATEmetaMissing Date: header2.7391.3961.8001.360
MISSING_FROMmetaMissing From: header1.0001.0001.0001.000
MISSING_HEADERSheaderMissing To: header0.9151.2071.2041.021
MISSING_MIDmetaMissing Message-Id: header0.5520.1401.1990.497
MISSING_MIMEOLEmetaMessage has X-MSMail-Priority, but no X-MimeOLE0.3921.8430.5711.899
MISSING_MIME_HB_SEPbodyMissing blank line between MIME header and body0.0010.0010.0010.001
MISSING_SUBJECTmetaMissing Subject: header0.0011.7671.3001.799
MONEY_BACKbodyMoney back guarantee2.9102.4860.6011.232
MONEY_FRAUD_3metaLots of money and several fraud phrases2.8960.0012.8960.001
MONEY_FRAUD_5metaLots of money and many fraud phrases3.0960.0013.0960.001
MONEY_FRAUD_8metaLots of money and very many fraud phrases2.5480.0012.5480.001
MONEY_LOTTERYmetaLots of money from a lottery2.4981.6112.4981.611
MORE_SEXbodyTalks about a bigger drive for sex2.7992.7652.5681.413
MPART_ALT_DIFFbodyHTML and text parts are different2.2460.7240.5950.790
MPART_ALT_DIFF_COUNTbodyHTML and text parts are different2.7991.4831.1991.112
MSGID_FROM_MTA_HEADERmetaMessage-Id was added by a relay0.4010.0010.4730.001
MSGID_MULTIPLE_ATheaderMessage-ID contains multiple '@' characters1.0001.0001.0001.000
MSGID_NOFQDN1metaMessage-ID with no domain name2.3953.2992.3953.299
MSGID_OUTLOOK_INVALIDheaderMessage-Id is fake (in Outlook Express format)3.8993.8993.8993.899
MSGID_RANDYmetaMessage-Id has pattern used in spam2.1962.5992.5992.599
MSGID_SHORTheaderMessage-ID is unusually short0.0010.3370.0010.001
MSGID_SPAM_CAPSheaderSpam tool Message-Id: (caps variant)2.3661.9973.0993.099
MSGID_YAHOO_CAPSheaderMessage-ID has ALLCAPS@yahoo.com0.7971.4132.2781.411
MSM_PRIO_REPTOmetaMSMail priority header + Reply-to + short subject2.4970.1802.4970.180
MSOE_MID_WRONG_CASEmetaNo description provided0.9933.3730.9602.584
NML_ADSP_CUSTOM_HIGHmetaADSP custom_high hit, and not from a mailing list0.0002.6000.0002.500
NML_ADSP_CUSTOM_LOWmetaADSP custom_low hit, and not from a mailing list0.0000.7000.0000.700
NML_ADSP_CUSTOM_MEDmetaADSP custom_med hit, and not from a mailing list0.0001.2000.0000.900
NORMAL_HTTP_TO_IPuriURI host has a public dotted-decimal IPv4 address0.1590.0010.7950.001
NO_DNS_FOR_FROMheaderEnvelope sender has no MX or A DNS records0.0000.3790.0000.001
NO_HEADERS_MESSAGEmetaMessage appears to be missing most RFC-822 headers0.0010.0010.0010.001
NO_MEDICALbodyNo Medical Exams2.1991.2542.1991.773
NO_PRESCRIPTIONbodyNo prescription needed1.9151.1022.2802.399
NO_RDNS_DOTCOM_HELOheaderHost HELO'd as a big ISP, but had no rDNS3.1000.4333.0990.823
NO_RECEIVEDmetaInformational: message has no Received headers-0.001-0.001-0.001-0.001
NO_RELAYSheaderInformational: message was not relayed via SMTP-0.001-0.001-0.001-0.001
NSL_RCVD_FROM_USERheaderReceived from User0.5480.0010.5480.001
NSL_RCVD_HELO_USERheaderReceived from HELO User1.2730.0011.2730.001
NULL_IN_BODYfullMessage has NUL (ASCII 0) byte in message0.5110.4982.0561.596
NUMERIC_HTTP_ADDRuriUses a numeric IP address in URL0.0000.0010.0011.242
OBFUSCATING_COMMENTmetaHTML comments which obfuscate text0.0000.0000.0010.723
OBFU_JVSCR_ESCrawbodyInjects content using obfuscated javascript1.0001.0001.0001.000
OBFU_TEXT_ATTACHmimeheaderText attachment with non-text MIME type1.0001.0001.0001.000
ONE_TIMEbodyOne Time Rip Off1.8401.1751.8300.714
ONLINE_PHARMACYbodyOnline Pharmacy0.8432.3710.0080.650
PART_CID_STOCKmetaHas a spammy image attachment (by Content-ID)0.0010.0010.0010.000
PART_CID_STOCK_LESSmetaHas a spammy image attachment (by Content-ID, more specific)0.0000.0360.7450.894
PERCENT_RANDOMmetaMessage has a random macro in it2.9992.8372.9831.838
PHP_NOVER_MUAmetaMail from PHP with no version number1.0001.0001.0001.000
PHP_ORIG_SCRIPTmetaSent by bot & other signs0.5022.4990.5022.499
PHP_SCRIPT_MUAmetaSent by PHP script, no version number1.0001.0001.0001.000
PLING_QUERYmetaSubject has exclamation mark and question mark0.7740.2790.6860.994
PP_MIME_FAKE_ASCII_TEXTbodyMIME text/plain claims to be ASCII but isn't0.4290.0010.4290.001
PP_TOO_MUCH_UNICODE02bodyIs text/plain but has many unicode escapes0.5000.5000.5000.500
PP_TOO_MUCH_UNICODE05bodyIs text/plain but has many unicode escapes1.0001.0001.0001.000
PRICES_ARE_AFFORDABLEbodyMessage says that prices aren't too expensive0.7940.8511.1120.551
PUMPDUMPmetaPump-and-dump stock scam phrase1.0001.0001.0001.000
PUMPDUMP_MULTImetaPump-and-dump stock scam phrases1.0001.0001.0001.000
PUMPDUMP_TIPmetaPump-and-dump stock tip1.0001.0001.0001.000
PYZOR_CHECKfullListed in Pyzor (http://pyzor.sf.net/)0.0001.9850.0001.392
RAND_HEADER_MANYmetaMany random gibberish message headers1.0001.0001.0001.000
RATWARE_EFROMheaderBulk email fingerprint (envfrom) found2.9992.9992.9992.999
RATWARE_EGROUPSheaderBulk email fingerprint (eGroups) found1.8981.2581.4061.621
RATWARE_MPOP_WEBMAILheaderBulk email fingerprint (mPOP Web-Mail)1.1531.3381.2291.999
RATWARE_MS_HASHmetaBulk email fingerprint (msgid ms hash) found2.0363.6920.4542.148
RATWARE_NAME_IDmetaBulk email fingerprint (msgid from) found3.0990.3093.0990.247
RATWARE_OUTLOOK_NONAMEmetaBulk email fingerprint (Outlook no name) found2.9640.0332.6852.950
RATWARE_ZERO_TZmetaBulk email fingerprint (+0000) found2.3922.5350.2651.781
RAZOR2_CF_RANGE_51_100fullRazor2 gives confidence level above 50%0.0000.3650.0000.500
RAZOR2_CF_RANGE_E4_51_100fullRazor2 gives engine 4 confidence level above 50%0.0000.4670.0000.642
RAZOR2_CF_RANGE_E8_51_100fullRazor2 gives engine 8 confidence level above 50%0.0002.4300.0001.886
RAZOR2_CHECKfullListed in Razor2 (http://razor.sf.net/)0.0001.7290.0000.922
RCVD_DBL_DQheaderMalformatted message header1.0001.0001.0001.000
RCVD_DOUBLE_IP_LOOSEmetaReceived: by and from look like IP addresses1.1500.9601.0421.012
RCVD_DOUBLE_IP_SPAMmetaBulk email fingerprint (double IP) found2.4112.7771.9121.808
RCVD_FAKE_HELO_DOTCOMheaderReceived contains a faked HELO hostname2.7992.3892.6051.189
RCVD_HELO_IP_MISMATCHheaderReceived: HELO and IP do not match, but should1.6801.1862.3622.368
RCVD_ILLEGAL_IPheaderReceived: contains illegal IP address1.3001.3001.3001.300
RCVD_IN_BL_SPAMCOP_NETheaderReceived via a relay in bl.spamcop.net0.0001.2460.0001.347
RCVD_IN_BRBL_LASTEXTheaderNo description provided0.0001.6440.0001.449
RCVD_IN_DNSWL_BLOCKEDheaderADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.0.0000.0010.0000.001
RCVD_IN_DNSWL_HIheaderSender listed at http://www.dnswl.org/, high trust0.000-5.0000.000-5.000
RCVD_IN_DNSWL_LOWheaderSender listed at http://www.dnswl.org/, low trust0.000-0.7000.000-0.700
RCVD_IN_DNSWL_MEDheaderSender listed at http://www.dnswl.org/, medium trust0.000-2.3000.000-2.300
RCVD_IN_DNSWL_NONEheaderSender listed at http://www.dnswl.org/, no trust0.000-0.0000.000-0.000
RCVD_IN_IADB_DKheaderIADB: Sender publishes Domain Keys record0.000-0.2230.000-0.095
RCVD_IN_IADB_DOPTINheaderIADB: All mailing list mail is confirmed opt-in0.000-4.0000.000-4.000
RCVD_IN_IADB_DOPTIN_LT50headerIADB: Confirmed opt-in used less than 50% of the time0.000-0.0010.000-0.001
RCVD_IN_IADB_LISTEDheaderParticipates in the IADB system0.000-0.3800.000-0.001
RCVD_IN_IADB_MI_CPR_MATheaderIADB: Sends no material under Michigan's CPR0.000-0.3320.0000.000
RCVD_IN_IADB_ML_DOPTINheaderIADB: Mailing list email only, confirmed opt-in0.000-6.0000.000-6.000
RCVD_IN_IADB_OPTINheaderIADB: All mailing list mail is opt-in0.000-2.0570.000-1.470
RCVD_IN_IADB_OPTIN_GT50headerIADB: Opt-in used more than 50% of the time0.000-1.2080.000-0.007
RCVD_IN_IADB_RDNSheaderIADB: Sender has reverse DNS record0.000-0.1670.000-0.235
RCVD_IN_IADB_SENDERIDheaderIADB: Sender publishes Sender ID record0.000-0.0010.000-0.001
RCVD_IN_IADB_SPFheaderIADB: Sender publishes SPF record0.000-0.0010.000-0.059
RCVD_IN_IADB_UT_CPR_MATheaderIADB: Sends no material under Utah's CPR0.000-0.0950.000-0.001
RCVD_IN_IADB_VOUCHEDheaderISIPP IADB lists as vouched-for sender0.000-2.2000.000-2.200
RCVD_IN_MSPIKE_BLmetaMailspike blacklisted0.0010.0100.0010.010
RCVD_IN_MSPIKE_H2headerAverage reputation (+2)0.001-2.8000.001-2.800
RCVD_IN_MSPIKE_H3headerGood reputation (+3)0.001-0.0100.001-0.010
RCVD_IN_MSPIKE_H4headerVery Good reputation (+4)0.001-0.0100.001-0.010
RCVD_IN_MSPIKE_H5headerExcellent reputation (+5)0.001-1.0000.001-1.000
RCVD_IN_MSPIKE_L2headerSuspicious reputation (-2)0.0010.0010.0010.001
RCVD_IN_MSPIKE_L3headerLow reputation (-3)0.0010.0010.0010.001
RCVD_IN_MSPIKE_L4headerBad reputation (-4)0.0010.0010.0010.001
RCVD_IN_MSPIKE_L5headerVery bad reputation (-5)0.0010.0010.0010.001
RCVD_IN_MSPIKE_WLmetaMailspike good senders0.001-0.0100.001-0.010
RCVD_IN_MSPIKE_ZBImetaNo description provided0.0010.0010.0010.001
RCVD_IN_PBLheaderReceived via a relay in Spamhaus PBL0.0003.5580.0003.335
RCVD_IN_PSBLheaderReceived via a relay in PSBL0.0002.7000.0002.700
RCVD_IN_RP_CERTIFIEDheaderSender in ReturnPath Certified - Contact cert-sa@returnpath.net0.000-3.0000.000-3.000
RCVD_IN_RP_RNBLheaderRelay in RNBL, https://senderscore.org/blacklistlookup/0.0001.2840.0001.310
RCVD_IN_RP_SAFEheaderSender in ReturnPath Safe - Contact safe-sa@returnpath.net0.000-2.0000.000-2.000
RCVD_IN_SBLheaderReceived via a relay in Spamhaus SBL0.0002.5960.0000.141
RCVD_IN_SBL_CSSheaderReceived via a relay in Spamhaus SBL-CSS0.0003.5580.0003.335
RCVD_IN_SORBS_DULheaderSORBS: sent directly from dynamic IP address0.0000.0010.0000.001
RCVD_IN_SORBS_HTTPheaderSORBS: sender is open HTTP proxy server0.0002.4990.0000.001
RCVD_IN_SORBS_SOCKSheaderSORBS: sender is open SOCKS proxy server0.0002.4430.0001.927
RCVD_IN_SORBS_SPAMheaderSORBS: sender is a spam source0.0000.5000.0000.500
RCVD_IN_SORBS_WEBheaderSORBS: sender is an abusable web server0.0001.5000.0001.500
RCVD_IN_XBLheaderReceived via a relay in Spamhaus XBL0.0000.7240.0000.375
RCVD_NUMERIC_HELOheaderReceived: contains an IP address used for HELO0.0010.8650.0011.164
RDNS_DYNAMICmetaDelivered to internal network by host with dynamic-looking rDNS2.6390.3631.6630.982
RDNS_LOCALHOSTheaderSender's public rDNS is "localhost"3.7000.9692.3450.001
RDNS_NONEmetaDelivered to internal network by a host with no rDNS2.3991.2741.2280.793
REMOVE_BEFORE_LINKbodyRemoval phrase right before a link0.4061.5871.7991.800
REPLICA_WATCHbodyMessage talks about a replica watch3.4873.1644.0743.775
REPLYTO_WITHOUT_TO_CCmetaNo description provided2.3991.9460.6071.552
REPTO_QUOTE_YAHOOmetaYahoo! doesn't do quoting like this0.0010.4900.0010.646
RP_MATCHES_RCVDheaderEnvelope sender domain matches handover relay domain-1.050-0.001-1.050-0.001
SB_GIF_AND_NO_URISmetaNo description provided2.1992.1992.2002.199
SHARE_50_50metaShare the money 50/502.1211.8182.1211.818
SHORT_HELO_AND_INLINE_IMAGEmetaShort HELO string, with inline image0.2370.1600.0131.390
SHORT_TERM_PRICEbodyNo description provided0.0010.0010.0010.001
SINGLETS_LOW_CONTRASTmetaSingle-letter formatted HTML + hidden text1.0001.0001.0001.000
SORTED_RECIPSheaderRecipient list is sorted by address1.8012.4741.7912.499
SPAMMY_XMAILERmetaX-Mailer string is common in spam and not in ham2.6500.8621.9932.491
SPF_FAILheaderSPF: sender does not match SPF record (fail)0.0000.9190.0000.001
SPF_HELO_FAILheaderSPF: HELO does not match SPF record (fail)0.0000.0010.0000.001
SPF_HELO_NEUTRALheaderSPF: HELO does not match SPF record (neutral)0.0000.0010.0000.112
SPF_HELO_PASSheaderSPF: HELO matches SPF record-0.001-0.001-0.001-0.001
SPF_HELO_SOFTFAILheaderSPF: HELO does not match SPF record (softfail)0.0000.8960.0000.732
SPF_NEUTRALheaderSPF: sender does not match SPF record (neutral)0.0000.6520.0000.779
SPF_PASSheaderSPF: sender matches SPF record-0.001-0.001-0.001-0.001
SPF_SOFTFAILheaderSPF: sender does not match SPF record (softfail)0.0000.9720.0000.665
SPOOFED_FREEM_REPTOmetaForged freemail sender with freemail reply-to2.4981.3682.4981.368
SPOOFED_FREEM_REPTO_CHNmetaForged freemail sender with Chinese freemail reply-to1.0001.0001.0001.000
SPOOF_COM2COMuriURI contains ".com" in middle and end0.0011.6321.9522.048
SPOOF_COM2OTHuriURI contains ".com" in middle2.9992.9992.8772.723
STATIC_XPRIO_OLEmetaStatic RDNS + X-Priority + MIMEOLE1.9970.0011.9970.001
STOCK_IMG_CTYPEmetaStock spam image part, with distinctive Content-Type header0.0010.0050.0010.001
STOCK_IMG_HDR_FROMmetaStock spam image part, with distinctive From line0.0010.0010.0010.021
STOCK_IMG_HTMLmetaStock spam image part, with distinctive HTML0.0000.0280.0000.005
STOCK_IMG_OUTLOOKmetaStock spam image part, with Outlook-like features0.0010.7020.4130.190
STOCK_LOW_CONTRASTmetaStocks + hidden text2.0302.3472.0302.347
STOCK_TIPmetaStock tips1.0001.0001.0001.000
STOX_REPLY_TYPEheaderNo description provided1.8980.2120.1410.439
STOX_REPLY_TYPE_WITHOUT_QUOTESmetaNo description provided3.0991.8601.6291.757
STYLE_GIBBERISHmetaNonsense in HTML <STYLE> tag2.8003.0932.8003.093
SUBJECT_DIETheaderSubject talks about losing pounds1.9271.5630.8171.466
SUBJECT_DRUG_GAP_CheaderSubject contains a gappy version of 'cialis'2.1080.9891.3482.140
SUBJECT_DRUG_GAP_LheaderSubject contains a gappy version of 'levitra'2.7992.3041.4021.561
SUBJECT_FUZZY_CHEAPheaderAttempt to obfuscate words in Subject:0.6411.8310.8330.001
SUBJECT_IN_BLACKLISTheaderSubject: contains string in the user's black-list100.000100.000100.000100.000
SUBJECT_IN_WHITELISTheaderSubject: contains string in the user's white-list-100.000-100.000-100.000-100.000
SUBJECT_NEEDS_ENCODINGmetaSubject is encoded but does not specify the encoding0.4980.1000.8040.049
SUBJ_ALL_CAPSheaderSubject is all capitals0.5181.6251.1971.506
SUBJ_AS_SEENheaderSubject contains "As Seen"2.7113.0993.0991.461
SUBJ_BUYheaderSubject line starts with Buy or Buying0.5941.4980.0010.639
SUBJ_DOLLARSheaderSubject starts with dollar amount0.6000.0010.6011.800
SUBJ_ILLEGAL_CHARSmetaSubject: has too many raw illegal characters0.6201.1050.4481.518
SUBJ_YOUR_FAMILYheaderSubject contains "Your Family"2.9102.9992.9992.999
SURBL_BLOCKEDbodyADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.0.0010.0010.0010.001
SUSPICIOUS_RECIPSheaderSimilar addresses in recipient list2.4992.4972.1392.510
SYSADMINmetaSupposedly from your IT department1.0001.0001.0001.000
TBIRD_SUSP_MIME_BDRYmetaUnlikely Thunderbird MIME boundary2.4002.4002.3992.399
TEQF_USR_IMAGEmetaTo and from user nearly same + image1.0001.0001.0001.000
TEQF_USR_MSGID_HEXmetaTo and from user nearly same + unusual message ID1.0001.0001.0001.000
TEQF_USR_MSGID_MALFmetaTo and from user nearly same + malformed message ID1.0001.0001.0001.000
THEBAT_UNREGheaderNo description provided2.5991.8432.3241.524
THIS_ADmeta"This ad" and variants0.5962.2000.5962.200
TO_EQ_FM_DIRECT_MXmetaTo == From and direct-to-MX2.4970.6222.4970.622
TO_EQ_FM_DOM_SPF_FAILmetaTo domain == From domain and external SPF failed0.0010.0010.0010.001
TO_EQ_FM_SPF_FAILmetaTo == From and external SPF failed0.0010.0010.0010.001
TO_IN_SUBJmetaTo address is in Subject0.0990.0990.0990.099
TO_MALFORMEDheaderTo: has a malformed address0.8921.2472.0992.099
TO_NO_BRKTS_FROM_MSSPmetaMultiple header formatting problems0.0010.0010.0010.001
TO_NO_BRKTS_HTML_IMGmetaTo: lacks brackets and HTML and one image0.0012.0000.0012.000
TO_NO_BRKTS_HTML_ONLYmetaTo: lacks brackets and HTML only1.9970.0011.9970.001
TO_NO_BRKTS_MSFTmetaTo: lacks brackets and supposed Microsoft tool2.4970.0012.4970.001
TO_NO_BRKTS_NORDNS_HTMLmetaTo: lacks brackets and no rDNS and HTML only0.3980.0010.3980.001
TO_NO_BRKTS_PCNTmetaTo: lacks brackets + percentage2.4970.0012.4970.001
TRACKER_IDbodyIncorporates a tracking ID number2.0261.1021.7501.306
TT_MSGID_TRUNCheaderScora: Message-Id ends after left-bracket + digits0.7480.0231.4341.448
TVD_APPROVEDbodyBody states that the recipient has been approved2.3562.5992.5992.090
TVD_FINGER_02headerNo description provided0.0011.5441.3941.215
TVD_FW_GRAPHIC_NAME_LONGmimeheaderLong image attachment name0.0010.6480.8361.293
TVD_FW_GRAPHIC_NAME_MIDmimeheaderMedium sized image attachment name0.6000.0010.3890.095
TVD_INCREASE_SIZEbodyAdvertising for penis enlargement1.5290.6011.0550.001
TVD_PH_BODY_ACCOUNTS_PREmetaThe body matches phrases such as "accounts suspended", "account credited", "account verification"0.0010.0010.0010.001
TVD_PH_RECbodyMessage includes a phrase commonly used in phishing mails3.1272.0263.2661.784
TVD_PH_SECbodyMessage includes a phrase commonly used in phishing mails0.2911.4980.8691.764
TVD_QUAL_MEDSbodyThe body matches phrases such as "quality meds" or "quality medication"2.6972.3972.7992.483
TVD_RCVD_IPheaderMessage was received from an IP address0.0010.0010.0010.001
TVD_RCVD_IP4headerMessage was received from an IPv4 address0.0010.0010.0010.001
TVD_RCVD_SINGLEheaderMessage was received from localhost0.2421.2130.0012.172
TVD_RCVD_SPACE_BRACKETheaderNo description provided0.0010.0010.0010.001
TVD_SPACE_ENCODEDmetaSpace ratio & encoded subject1.5001.5001.5001.500
TVD_SPACE_ENC_FM_MIMEmetaSpace ratio & encoded subject & MIME needed1.9970.0011.9970.001
TVD_SPACE_RATIOmetaNo description provided0.0010.0010.0010.001
TVD_SPACE_RATIO_MINFPmetaSpace ratio1.5001.5001.5001.500
TVD_SUBJ_ACC_NUMheaderSubject has spammy looking monetary reference0.0012.1992.1992.198
TVD_SUBJ_WIPE_DEBTheaderSpam advertising a way to eliminate debt2.5992.2912.5991.004
TVD_VISIT_PHARMAbodyBody mentions online pharmacy1.9571.1960.4171.406
TW_GIBBERISH_MANYmetaLots of gibberish text to spoof pattern matching filters1.0001.0001.0001.000
TXREPheaderScore normalizing based on sender's reputation1.0001.0001.0001.000
T_ACH_CANCELLED_EXEmeta"ACH cancelled" probable malware0.1000.1000.1000.100
T_ANY_PILL_PRICEmetaPrices for pills0.1000.1000.1000.100
T_CDISP_SZ_MANYmimeheaderSuspicious MIME header0.1000.1000.1000.100
T_COMPENSATIONmeta"Compensation"0.1000.1000.1000.100
T_CTYPE_NULLmetaMalformed Content-Type header0.1000.1000.1000.100
T_DATE_IN_FUTURE_Q_PLUSheaderDate: is over 4 months after Received: date0.1000.1000.1000.100
T_DEAR_BENEFICIARYbodyDear Beneficiary:0.1000.1000.1000.100
T_DKIM_INVALIDmetaDKIM-Signature header exists but is not valid0.1000.1000.1000.100
T_DOC_ATTACH_NO_EXTmetaDocument attachment with suspicious name0.1000.1000.1000.100
T_DOS_OUTLOOK_TO_MX_IMAGEmetaDirect to MX with Outlook headers and an image0.1000.1000.1000.100
T_DOS_ZIP_HARDCOREmimeheaderhardcore.zip file attached; quite certainly a virus0.1000.1000.1000.100
T_EMRCPbody"Excess Maximum Return Capital Profit" scam0.1000.1000.1000.100
T_END_FUTURE_EMAILSmetaSpammy unsubscribe0.1000.1000.1000.100
T_FILL_THIS_FORM_FRAUD_PHISHmetaAnswer suspicious question(s)0.1000.1000.1000.100
T_FILL_THIS_FORM_LOANmetaAnswer loan question(s)0.1000.1000.1000.100
T_FILL_THIS_FORM_LONGmetaFill in a form with personal information0.1000.1000.1000.100
T_FILL_THIS_FORM_SHORTmetaFill in a short form with personal information0.1000.1000.1000.100
T_FORGED_TBIRD_IMG_SIZEmetaLikely forged Thunderbird image spam0.1000.1000.1000.100
T_FREEMAIL_DOC_PDFmetaMS document or PDF attachment, from freemail0.1000.1000.1000.100
T_FREEMAIL_RVW_ATTCHmetaPlease review attached document, from freemail0.1000.1000.1000.100
T_FUZZY_OPTOUTbodyObfuscated opt-out text0.1000.1000.1000.100
T_HTML_ATTACHmetaHTML attachment to bypass scanning?0.1000.1000.1000.100
T_HTML_TAG_BALANCE_CENTERmetaMalformatted HTML0.1000.1000.1000.100
T_KAM_HTML_FONT_INVALIDbodyTest for Invalidly Named or Formatted Colors in HTML0.1000.1000.1000.100
T_LARGE_PCT_AFTER_MANYmetaMany large percentages after...0.1000.1000.1000.100
T_LOTTO_AGENT_FMheaderClaims Agent0.1000.1000.1000.100
T_LOTTO_AGENT_RPLYmetaClaims Agent0.1000.1000.1000.100
T_LOTTO_URIuriClaims Department URL0.1000.1000.1000.100
T_MANY_HDRS_LCASEmetaOdd capitalization of multiple message headers0.1000.1000.1000.100
T_MANY_PILL_PRICEmetaPrices for many pills0.1000.1000.1000.100
T_MIME_MALFmetaMalformed MIME: headers in body0.1000.1000.1000.100
T_MONEY_PERCENTmetaX% of a lot of money for you0.1000.1000.1000.100
T_OBFU_ATTACH_MISSPmetaObfuscated attachment type and misspaced From0.1000.1000.1000.100
T_OBFU_DOC_ATTACHmimeheaderMS Document attachment with generic MIME type0.1000.1000.1000.100
T_OBFU_GIF_ATTACHmimeheaderGIF attachment with generic MIME type0.1000.1000.1000.100
T_OBFU_HTML_ATTACHmimeheaderHTML attachment with non-text MIME type0.1000.1000.1000.100
T_OBFU_HTML_ATT_MALWmetaHTML attachment with incorrect MIME type - possible malware0.1000.1000.1000.100
T_OBFU_JPG_ATTACHmimeheaderJPG attachment with generic MIME type0.1000.1000.1000.100
T_OBFU_PDF_ATTACHmimeheaderPDF attachment with generic MIME type0.1000.1000.1000.100
T_PDS_TO_EQ_FROM_NAMEmetaFrom: name same as To: address0.1000.1000.1000.100
T_REMOTE_IMAGEmetaMessage contains an external image0.1000.1000.1000.100
T_SPF_HELO_PERMERRORheaderSPF: test of HELO record failed (permerror)0.1000.1000.1000.100
T_SPF_HELO_TEMPERRORheaderSPF: test of HELO record failed (temperror)0.1000.1000.1000.100
T_SPF_PERMERRORheaderSPF: test of record failed (permerror)0.1000.1000.1000.100
T_SPF_TEMPERRORheaderSPF: test of record failed (temperror)0.1000.1000.1000.100
T_SUBJ_BRKN_WORDNUMSmetaSubject contains odd word breaks and numbers0.1000.1000.1000.100
T_WON_MONEY_ATTACHmetaYou won lots of money! See attachment.0.1000.1000.1000.100
T_WON_NBDY_ATTACHmetaYou won lots of money! See attachment.0.1000.1000.1000.100
UC_GIBBERISH_OBFUmetaMultiple instances of "word VERYLONGGIBBERISH word"1.0001.0001.0001.000
UNCLAIMED_MONEYbodyPeople just leave money laying around2.6992.6992.6992.427
UNCLOSED_BRACKETheaderHeaders contain an unclosed bracket2.6991.3291.4251.496
UNPARSEABLE_RELAYmetaInformational: message has unparseable relay lines0.0010.0010.0010.001
UNRESOLVED_TEMPLATEheaderHeaders contain an unresolved template3.0350.7162.4241.252
UNWANTED_LANGUAGE_BODYbodyMessage written in an undesired language2.8002.8002.8002.800
UPPERCASE_50_75metamessage body is 50-75% uppercase0.0010.7910.0010.008
UPPERCASE_75_100metamessage body is 75-100% uppercase1.4801.1890.0010.001
URG_BIZbodyContains urgent matter1.7500.9410.5680.573
URIBL_ABUSE_SURBLbodyContains an URL listed in the ABUSE SURBL blocklist0.0001.9480.0001.250
URIBL_CR_SURBLbodyContains an URL listed in the CR SURBL blocklist0.0001.2630.0001.263
URIBL_DBL_ABUSE_BOTCCbodyContains an abused botnet C&C URL listed in the DBL blocklist0.0002.5000.0002.500
URIBL_DBL_ABUSE_MALWbodyContains an abused malware URL listed in the DBL blocklist0.0002.5000.0002.500
URIBL_DBL_ABUSE_PHISHbodyContains an abused phishing URL listed in the DBL blocklist0.0002.5000.0002.500
URIBL_DBL_ABUSE_REDIRbodyContains an abused redirector URL listed in the DBL blocklist0.0000.0010.0000.001
URIBL_DBL_ABUSE_SPAMbodyContains an abused spamvertized URL listed in the DBL blocklist0.0002.0000.0002.000
URIBL_DBL_BOTNETCCbodyContains a botned C&C URL listed in the DBL blocklist0.0002.5000.0002.500
URIBL_DBL_ERRORbodyError: queried the DBL blocklist for an IP0.0000.0010.0000.001
URIBL_DBL_MALWAREbodyContains a malware URL listed in the DBL blocklist0.0002.5000.0002.500
URIBL_DBL_PHISHbodyContains a Phishing URL listed in the DBL blocklist0.0002.5000.0002.500
URIBL_DBL_SPAMbodyContains a spam URL listed in the DBL blocklist0.0002.5000.0002.500
URIBL_MW_SURBLbodyContains a URL listed in the MW SURBL blocklist0.0001.2630.0001.263
URIBL_PH_SURBLbodyContains an URL listed in the PH SURBL blocklist0.0000.0010.0000.610
URIBL_RHS_DOBbodyContains an URI of a new domain (Day Old Bread)0.0000.2760.0001.514
URIBL_SBLbodyContains an URL's NS IP listed in the SBL blocklist0.0000.6440.0001.623
URIBL_SBL_AbodyContains URL's A record listed in the SBL blocklist0.0000.1000.0000.100
URIBL_WS_SURBLbodyContains an URL listed in the WS SURBL blocklist0.0001.6590.0001.608
URI_DATAmeta"data:" URI - possible malware or phish1.0001.0001.0001.000
URI_DQ_UNSUBuriIP-address unsubscribe URI1.0001.0001.0001.000
URI_GOOGLE_PROXYmetaAccessing a blacklisted URI or obscuring source of phish via Google proxy?0.7101.3780.7101.378
URI_HEXuriURI hostname has long hexadecimal sequence2.8001.3131.2061.122
URI_HOST_IN_BLACKLISTbodyhost or domain listed in the URI black-list100.000100.000100.000100.000
URI_HOST_IN_WHITELISTbodyhost or domain listed in the URI white-list-100.000-100.000-100.000-100.000
URI_NOVOWELuriURI hostname has long non-vowel sequence0.5000.5000.5000.500
URI_NO_WWW_BIZ_CGIuriCGI in .biz TLD other than third-level "www"2.3992.3992.4002.399
URI_NO_WWW_INFO_CGIuriCGI in .info TLD other than third-level "www"2.2992.2990.2922.071
URI_OBFU_WWW???No description provided3.0993.0992.3062.475
URI_ONLY_MSGID_MALFmetaURI only + malformed message ID0.0011.1910.0011.191
URI_OPTOUT_3LDuriOpt-out URI, suspicious hostname1.0001.0001.0001.000
URI_OPTOUT_USMEuriOpt-out URI, unusual TLD1.0001.0001.0001.000
URI_PHISHmetaPhishing using web form3.9953.9993.9953.999
URI_TRUNCATEDbodyMessage contained a URI which was truncated0.0010.0010.0010.001
URI_TRY_3LDuri"Try it" URI, suspicious hostname0.1950.0010.1950.001
URI_TRY_USMEmeta"Try it" URI, unusual TLD0.0010.0010.0010.001
URI_WPADMINmetaWordPress login/admin URI, possible phishing3.3963.0143.3963.014
URI_WP_DIRINDEXmetaURI for compromised WordPress site, possible malware1.0001.0001.0001.000
URI_WP_HACKEDmetaURI for compromised WordPress site, possible malware2.9963.0002.9963.000
URI_WP_HACKED_2metaURI for compromised WordPress site, possible malware1.1871.7641.1871.764
USER_IN_ALL_SPAM_TOheaderUser is listed in 'all_spam_to'-100.000-100.000-100.000-100.000
USER_IN_BLACKLISTheaderFrom: address is in the user's black-list100.000100.000100.000100.000
USER_IN_BLACKLIST_TOheaderUser is listed in 'blacklist_to'10.00010.00010.00010.000
USER_IN_DEF_DKIM_WLheaderFrom: address is in the default DKIM white-list-7.500-7.500-7.500-7.500
USER_IN_DEF_SPF_WLheaderFrom: address is in the default SPF white-list-7.500-7.500-7.500-7.500
USER_IN_DEF_WHITELISTheaderFrom: address is in the default white-list-15.000-15.000-15.000-15.000
USER_IN_DKIM_WHITELISTheaderFrom: address is in the user's DKIM whitelist-100.000-100.000-100.000-100.000
USER_IN_MORE_SPAM_TOheaderUser is listed in 'more_spam_to'-20.000-20.000-20.000-20.000
USER_IN_SPF_WHITELISTheaderFrom: address is in the user's SPF whitelist-100.000-100.000-100.000-100.000
USER_IN_WHITELISTheaderFrom: address is in the user's white-list-100.000-100.000-100.000-100.000
USER_IN_WHITELIST_TOheaderUser is listed in 'whitelist_to'-6.000-6.000-6.000-6.000
VBOUNCE_MESSAGEmetaVirus-scanner bounce message0.1000.1000.1000.100
WEIRD_PORTuriUses non-standard port number for HTTP0.0010.0010.0970.001
WEIRD_QUOTINGbodyWeird repeated double-quotation marks0.0010.0010.0010.001
XM_PHPMAILER_FORGEDmetaApparently forged header1.0001.0001.0001.000
XPRIOmetaHas X-Priority header2.2482.2492.2482.249
XPRIO_SHORT_SUBJmetaHas X-Priority header + short subject1.0001.0001.0001.000
X_IPheaderMessage has X-IP header0.0010.0010.0010.001
X_MAILER_CME_6543_MSNheaderNo description provided2.8862.0043.0023.348
__DC_GIF_MULTI_LARGOmetaMessage has 2+ inline gif covering lots of area1.0001.0001.0001.000
__DC_IMG_HTML_RATIOrawbodyLow rawbody to pixel area ratio1.0001.0001.0001.000
__DC_IMG_TEXT_RATIObodyLow body to pixel area ratio1.0001.0001.0001.000
__DC_PNG_MULTI_LARGOmetaMessage has 2+ png images covering lots of area1.0001.0001.0001.000
__DKIMDOMAIN_IN_DWL_ANYaskdnsAny TXT response received from a Spamhaus DWL1.0001.0001.0001.000
__DKIM_DEPENDABLEfullA validation failure not attributable to truncation1.0001.0001.0001.000
__FORGED_TBIRD_IMGmetaPossibly forged Thunderbird image spam1.0001.0001.0001.000
__FROM_41_FREEMAILmetaSent from Africa + freemail provider1.0001.0001.0001.000
__KAM_BODY_LENGTH_LT_1024bodyThe length of the body of the email is less than 1024 bytes.1.0001.0001.0001.000
__KAM_BODY_LENGTH_LT_128bodyThe length of the body of the email is less than 128 bytes.1.0001.0001.0001.000
__KAM_BODY_LENGTH_LT_256bodyThe length of the body of the email is less than 256 bytes.1.0001.0001.0001.000
__KAM_BODY_LENGTH_LT_512bodyThe length of the body of the email is less than 512 bytes.1.0001.0001.0001.000
__MIME_BASE64rawbodyIncludes a base64 attachment1.0001.0001.0001.000
__MIME_QPrawbodyIncludes a quoted-printable attachment1.0001.0001.0001.000
__ML_TURNS_SP_TO_TABheaderA mailing list changing a space to a TAB1.0001.0001.0001.000
__MY_SERVERS_FOUNDbodyNo description provided-0.001-0.001-0.001-0.001
__NSL_ORIG_FROM_41headerOriginates from 41.0.0.0/81.0001.0001.0001.000
__NSL_RCVD_FROM_41headerReceived from 41.0.0.0/81.0001.0001.0001.000
__RCVD_IN_MSPIKE_ZheaderSpam wave participant1.0001.0001.0001.000
__RCVD_IN_SORBSheaderSORBS: sender is listed in SORBS1.0001.0001.0001.000
__RCVD_IN_ZENheaderReceived via a relay in Spamhaus Zen1.0001.0001.0001.000
__RDNS_DYNAMIC_ADELPHIAheaderRelay HELO'd using suspicious hostname (Adelphia)1.0001.0001.0001.000
__RDNS_DYNAMIC_ATTBIheaderRelay HELO'd using suspicious hostname (ATTBI.com)1.0001.0001.0001.000
__RDNS_DYNAMIC_CHELLO_NLheaderRelay HELO'd using suspicious hostname (Chello.nl)1.0001.0001.0001.000
__RDNS_DYNAMIC_CHELLO_NOheaderRelay HELO'd using suspicious hostname (Chello.no)1.0001.0001.0001.000
__RDNS_DYNAMIC_COMCASTheaderRelay HELO'd using suspicious hostname (Comcast)1.0001.0001.0001.000
__RDNS_DYNAMIC_DHCPheaderRelay HELO'd using suspicious hostname (DHCP)1.0001.0001.0001.000
__RDNS_DYNAMIC_DIALINheaderRelay HELO'd using suspicious hostname (T-Dialin)1.0001.0001.0001.000
__RDNS_DYNAMIC_HCCheaderRelay HELO'd using suspicious hostname (HCC)1.0001.0001.0001.000
__RDNS_DYNAMIC_HEXIPheaderRelay HELO'd using suspicious hostname (Hex IP)1.0001.0001.0001.000
__RDNS_DYNAMIC_HOME_NLheaderRelay HELO'd using suspicious hostname (Home.nl)1.0001.0001.0001.000
__RDNS_DYNAMIC_IPADDRheaderRelay HELO'd using suspicious hostname (IP addr 1)1.0001.0001.0001.000
__RDNS_DYNAMIC_NTLheaderRelay HELO'd using suspicious hostname (NTL)1.0001.0001.0001.000
__RDNS_DYNAMIC_OOLheaderRelay HELO'd using suspicious hostname (OptOnline)1.0001.0001.0001.000
__RDNS_DYNAMIC_ROGERSheaderRelay HELO'd using suspicious hostname (Rogers)1.0001.0001.0001.000
__RDNS_DYNAMIC_RR2headerRelay HELO'd using suspicious hostname (RR 2)1.0001.0001.0001.000
__RDNS_DYNAMIC_SPLIT_IPheaderRelay HELO'd using suspicious hostname (Split IP)1.0001.0001.0001.000
__RDNS_DYNAMIC_TELIAheaderRelay HELO'd using suspicious hostname (Telia)1.0001.0001.0001.000
__RDNS_DYNAMIC_VELOXheaderRelay HELO'd using suspicious hostname (Veloxzone)1.0001.0001.0001.000
__RDNS_DYNAMIC_VTRheaderRelay HELO'd using suspicious hostname (VTR)1.0001.0001.0001.000
__RDNS_DYNAMIC_YAHOOBBheaderRelay HELO'd using suspicious hostname (YahooBB)1.0001.0001.0001.000
__TO_EQ_FROMmetaTo: same as From:1.0001.0001.0001.000
__TO_EQ_FROM_DOMmetaTo: domain same as From: domain1.0001.0001.0001.000
__TO_EQ_FROM_USRmetaTo: username same as From: username1.0001.0001.0001.000
__TO_EQ_FROM_USR_NNmetaTo: username same as From: username sans trailing nums1.0001.0001.0001.000
__VIA_MLmetaMail from a mailing list1.0001.0001.0001.000
__VIA_RESIGNERmetaMail through a popular signing remailer1.0001.0001.0001.000


FutureQuest Site Search
Loading

Back to Top

FutureQuest Professional Web Hosting Services
Copyright © 1998-2017 FutureQuest, Inc. All rights reserved.