
SpamAssassin Test & Scoring Chart

FutureQuest SpamAssassin Test & Scoring Chart

This is the current list of tests SpamAssassin performs on email, when SpamAssassin Filtering is enabled, to determine whether a message is spam.

You may also test specific X-Spam-Status headers via the SpamAssassin Status Decoder.

Test Name Area Tested Description Of Test Score
Bayes off
RBLs off
Score
Bayes off
RBLs on
Score
Bayes on
RBLs off
Score
Bayes on
RBLs on
ACCT_PHISHING_MANYmetaPhishing for account information1.0001.0001.0001.000
ACT_NOW_CAPSbodyTalks about 'acting now' with capitals0.1000.1000.1000.100
AC_BR_BONANZArawbodyToo many newlines in a row... spammy template0.0010.0010.0010.001
AC_DIV_BONANZArawbodyToo many divs in a row... spammy template0.0010.0010.0010.001
AC_FROM_MANY_DOTSmetaMultiple periods in From user name2.9991.5442.9991.544
AC_HTML_NONSENSE_TAGSrawbodyMany consecutive multi-letter HTML tags, likely nonsense/spam1.9991.9991.9991.999
AC_POST_EXTRASmetaSuspicious URL1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS1metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS10metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS11metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS12metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS2metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS3metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS4metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS8metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS9metalink combos match highly spammy template1.0001.0001.0001.000
ADMAILmeta"admail" and variants1.0001.0001.0001.000
ADMITS_SPAMmetaAdmits this is an ad1.0001.0001.0001.000
ADULT_DATING_COMPANYmetaNo description provided20.00020.00020.00020.000
ADVANCE_FEE_2_NEW_FORMmetaAdvance Fee fraud and a form1.0001.0001.0001.000
ADVANCE_FEE_2_NEW_FRM_MNYmetaAdvance Fee fraud form and lots of money1.0001.0001.0001.000
ADVANCE_FEE_2_NEW_MONEYmetaAdvance Fee fraud and lots of money2.0001.9992.0001.999
ADVANCE_FEE_3_NEWmetaAppears to be advance fee fraud (Nigerian 419)3.4993.4993.4993.499
ADVANCE_FEE_3_NEW_FORMmetaAdvance Fee fraud and a form1.0001.0001.0001.000
ADVANCE_FEE_3_NEW_FRM_MNYmetaAdvance Fee fraud form and lots of money1.0001.0001.0001.000
ADVANCE_FEE_3_NEW_MONEYmetaAdvance Fee fraud and lots of money2.3992.3992.3992.399
ADVANCE_FEE_4_NEWmetaAppears to be advance fee fraud (Nigerian 419)2.1992.1992.1992.199
ADVANCE_FEE_4_NEW_FORMmetaAdvance Fee fraud and a form1.0001.0001.0001.000
ADVANCE_FEE_4_NEW_FRM_MNYmetaAdvance Fee fraud form and lots of money0.0010.0010.0010.001
ADVANCE_FEE_4_NEW_MONEYmetaAdvance Fee fraud and lots of money2.4852.4992.4852.499
ADVANCE_FEE_5_NEWmetaAppears to be advance fee fraud (Nigerian 419)2.1990.8212.1990.821
ADVANCE_FEE_5_NEW_FORMmetaAdvance Fee fraud and a form1.0001.0001.0001.000
ADVANCE_FEE_5_NEW_FRM_MNYmetaAdvance Fee fraud form and lots of money1.5922.2021.5922.202
ADVANCE_FEE_5_NEW_MONEYmetaAdvance Fee fraud and lots of money3.0003.0003.0003.000
AD_PREFSbodyAdvertising preferences0.2500.2500.2500.250
ALIBABA_IMG_NOT_RCVD_ALImetaAlibaba hosted image but message not from Alibaba1.0001.0001.0001.000
ALL_TRUSTEDheaderPassed through trusted hosts only via SMTP-1.000-1.000-1.000-1.000
AMAZON_IMG_NOT_RCVD_AMZNmetaAmazon hosted image but message not from Amazon0.0011.8450.0011.845
ANY_BOUNCE_MESSAGEmetaMessage is some kind of bounce message0.1000.1000.1000.100
APOSTROPHE_FROMheaderFrom address contains an apostrophe0.1480.7860.6510.545
APP_DEVELOPMENT_FREEMmetaApp development pitch, freemail or CHN replyto1.0001.0001.0001.000
APP_DEVELOPMENT_NORDNSmetaApp development pitch, no rDNS1.0001.0001.0001.000
ARC_INVALIDmetaARC signature exists, but is not valid0.1000.1000.1000.100
ARC_SIGNEDfullMessage has a ARC signature0.0010.0010.0010.001
ARC_VALIDfullMessage has a valid ARC signature-0.100-0.100-0.100-0.100
AWLheaderAdjusted score from AWL reputation of From: address1.0001.0001.0001.000
AXB_XMAILER_MIMEOLE_OL_024C2metaYet another X header trait0.0010.0010.0010.001
AXB_X_FF_SEZ_SheaderForefront sez this is spam2.7001.1962.7001.196
BAD_CREDITbodyEliminate Bad Credit0.1000.1000.1000.100
BAD_ENC_HEADERheaderMessage has bad MIME encoding in the header0.0010.0010.0010.001
BANG_GUARbodySomething is emphatically guaranteed1.0001.0001.0001.000
BANKING_LAWSbodyTalks about banking laws2.3992.0042.1571.099
BASE64_LENGTH_78_79bodyNo description provided0.1000.1000.1000.100
BASE64_LENGTH_79_INFbodybase64 encoded email part uses line length greater than 79 characters1.3792.0190.5831.502
BAYES_00bodyBayes spam probability is 0 to 1%-3.000-3.000-3.000-3.000
BAYES_05bodyBayes spam probability is 1 to 5%-0.500-0.500-0.500-0.500
BAYES_20bodyBayes spam probability is 5 to 20%-0.001-0.001-0.001-0.001
BAYES_40bodyBayes spam probability is 20 to 40%-0.001-0.001-0.001-0.001
BAYES_50bodyBayes spam probability is 40 to 60%2.0002.0002.0002.000
BAYES_60bodyBayes spam probability is 60 to 80%3.0003.0003.0003.000
BAYES_80bodyBayes spam probability is 80 to 95%4.0004.0004.0004.000
BAYES_95bodyBayes spam probability is 95 to 99%5.0005.0005.0005.000
BAYES_99bodyBayes spam probability is 99 to 100%6.0006.0006.0006.000
BAYES_999bodyBayes spam probability is 99.9 to 100%7.0007.0007.0007.000
BEBEE_IMG_NOT_RCVD_BBmetaBebee hosted image but message not from Bebee1.0001.0001.0001.000
BIGNUM_EMAILS_FREEMmetaLots of email addresses/leads, free email account1.0000.3841.0000.384
BIGNUM_EMAILS_MANYmetaLots of email addresses/leads, over and over1.0001.0001.0001.000
BILLION_DOLLARSbodyTalks about lots of money0.0011.4511.2291.638
BITCOIN_BOMBmetaBitCoin + bomb1.0001.0001.0001.000
BITCOIN_DEADLINEmetaBitCoin with a deadline1.5001.4491.5001.449
BITCOIN_EXTORT_01metaExtortion spam, pay via BitCoin4.5000.9414.5000.941
BITCOIN_EXTORT_02metaExtortion spam, pay via BitCoin1.0001.0001.0001.000
BITCOIN_IMGURmetaBitcoin + hosted image1.0001.0001.0001.000
BITCOIN_MALF_HTMLmetaBitcoin + malformed HTML3.4993.0843.4993.084
BITCOIN_MALWAREmetaBitCoin + malware bragging2.0942.5012.0942.501
BITCOIN_OBFU_SUBJmetaBitcoin + obfuscated subject1.0001.0001.0001.000
BITCOIN_ONANmetaBitCoin + [censored]1.0001.0001.0001.000
BITCOIN_PAY_MEmetaPay me via BitCoin1.0001.0001.0001.000
BITCOIN_SPAM_01metaBitCoin spam pattern 011.0001.0001.0001.000
BITCOIN_SPAM_02metaBitCoin spam pattern 020.0010.0010.0010.001
BITCOIN_SPAM_03metaBitCoin spam pattern 031.0002.4991.0002.499
BITCOIN_SPAM_04metaBitCoin spam pattern 041.0000.1841.0000.184
BITCOIN_SPAM_05metaBitCoin spam pattern 050.0012.4750.0012.475
BITCOIN_SPAM_06metaBitCoin spam pattern 061.0001.0001.0001.000
BITCOIN_SPAM_07metaBitCoin spam pattern 071.0001.0001.0001.000
BITCOIN_SPAM_08metaBitCoin spam pattern 081.0001.0001.0001.000
BITCOIN_SPAM_09metaBitCoin spam pattern 091.0001.0921.0001.092
BITCOIN_SPAM_10metaBitCoin spam pattern 101.0001.0001.0001.000
BITCOIN_SPAM_11metaBitCoin spam pattern 111.0001.0001.0001.000
BITCOIN_SPAM_12metaBitCoin spam pattern 121.0001.0001.0001.000
BITCOIN_SPF_ONLYALLmetaBitcoin from a domain specifically set to pass +all SPF0.0011.0000.0011.000
BITCOIN_WFH_01metaWork-from-Home + bitcoin1.0001.0001.0001.000
BITCOIN_XPRIOmetaBitcoin + priority0.2340.0010.2340.001
BITCOIN_YOUR_INFOmetaBitCoin with your personal info3.0001.4813.0001.481
BODY_8BITSbodyBody includes 8 consecutive 8-bit characters1.5001.5001.5001.500
BODY_ENHANCEMENTbodyInformation on growing body parts0.9271.6110.9740.001
BODY_ENHANCEMENT2bodyInformation on getting larger body parts0.1000.1000.1000.100
BODY_SINGLE_URImetaMessage body is only a URI1.0040.3021.0040.302
BODY_URI_ONLYmetaMessage body is only a URI in one line of text or for an image1.1541.6541.1541.654
BOGUS_MIME_VERSIONmetaMime version header is bogus1.0001.0001.0001.000
BOGUS_MSM_HDRSmetaApparently bogus Microsoft email headers1.0001.0001.0001.000
BOMB_FREEMmetaBomb + freemail1.0001.0001.0001.000
BOMB_MONEYmetaBomb + money: bomb threat?1.0001.0001.0001.000
BOUNCE_MESSAGEmetaMTA bounce message0.1000.1000.1000.100
BTC_ORGmetaBitcoin wallet ID + unusual header1.0001.0001.0001.000
BULK_RE_SUSP_NTLDmetaPrecedence bulk and RE: from a suspicious TLD1.0001.0001.0001.000
CANT_SEE_ADmetaYou really want to see our spam.1.0001.0001.0001.000
CHALLENGE_RESPONSEmetaChallenge-Response message for mail you sent0.1000.1000.1000.100
CHARSET_FARAWAYbodyCharacter set indicates a foreign language3.2003.2003.2003.200
CHARSET_FARAWAY_HEADERheaderA foreign language charset used in headers3.2003.2003.2003.200
CK_HELO_GENERICheaderRelay used name indicative of a Dynamic Pool or Generic rPTR0.2490.0010.2490.001
CN_B2B_SPAMMERbodyChinese company introducing itself1.0001.0001.0001.000
COMMENT_GIBBERISHmetaNonsense in long HTML comment1.0001.0001.0001.000
CONTENT_AFTER_HTMLmetaMore content after HTML close tag + other spam signs1.0001.0001.0001.000
CONTENT_AFTER_HTML_WEAKmetaMore content after HTML close tag1.0001.0001.0001.000
CRBOUNCE_MESSAGEmetaChallenge-Response bounce message0.1000.1000.1000.100
CTE_8BIT_MISMATCHmetaHeader says 7bits but body disagrees0.9990.1630.9990.163
CTYPE_001C_BheaderNo description provided0.0010.0010.0010.001
CURR_PRICEbodyNo description provided0.0010.0010.0010.001
DATE_IN_FUTURE_03_06headerDate: is 3 to 6 hours after Received: date3.3992.4262.9973.027
DATE_IN_FUTURE_06_12headerDate: is 6 to 12 hours after Received: date2.8990.0012.2221.947
DATE_IN_FUTURE_12_24headerDate: is 12 to 24 hours after Received: date2.6032.4893.1993.199
DATE_IN_FUTURE_24_48headerDate: is 24 to 48 hours after Received: date2.5981.2480.0012.048
DATE_IN_FUTURE_48_96headerDate: is 48 to 96 hours after Received: date2.3840.8131.0782.181
DATE_IN_PAST_03_06headerDate: is 3 to 6 hours before Received: date2.3991.0761.2001.592
DATE_IN_PAST_06_12headerDate: is 6 to 12 hours before Received: date1.6991.1031.2741.543
DATE_IN_PAST_12_24headerDate: is 12 to 24 hours before Received: date0.0010.8041.1901.049
DATE_IN_PAST_24_48headerDate: is 24 to 48 hours before Received: date1.1090.4850.6241.340
DATE_IN_PAST_96_XXheaderDate: is 96 hours or more before Received: date2.6002.0701.2333.405
DAY_I_EARNEDmetaWork-at-home spam1.0001.0001.0001.000
DCC_CHECKfullDetected as bulk mail by DCC (dcc-servers.net)0.0001.1000.0001.100
DCC_REPUT_00_12fullDCC reputation between 0 and 12 % (mostly ham)0.000-0.8000.000-0.400
DCC_REPUT_13_19fullDCC reputation between 13 and 19 %0.000-0.1000.000-0.100
DCC_REPUT_70_89fullDCC reputation between 70 and 89 %0.0000.1000.0000.100
DCC_REPUT_90_94fullDCC reputation between 90 and 94 %0.0000.4000.0000.600
DCC_REPUT_95_98fullDCC reputation between 95 and 98 % (mostly spam)0.0000.7000.0001.000
DCC_REPUT_99_100fullDCC reputation between 99 % or higher (spam)0.0001.2000.0001.400
DC_GIF_UNO_LARGOmetaMessage contains a single large gif image0.0011.3230.0532.176
DC_IMAGE_SPAM_HTMLmetaPossible Image-only spam0.1000.1000.1000.100
DC_IMAGE_SPAM_TEXTmetaPossible Image-only spam with little text0.1000.1000.1000.100
DC_PNG_UNO_LARGOmetaMessage contains a single large png image0.0010.0010.0010.001
DEAR_BENEFICIARYbodyDear Beneficiary:0.6990.0010.6990.001
DEAR_FRIENDbodyDear Friend? That's not very dear!2.6832.6041.8012.577
DEAR_SOMETHINGbodyContains 'Dear (something)'1.9991.7311.7871.973
DEAR_WINNERbodySpam with generic salutation of "dear winner"3.0993.0992.3093.099
DIET_1bodyLose Weight Spam0.7140.0000.3990.001
DIGEST_MULTIPLEmetaMessage hits more than one network digest check0.0000.0010.0000.293
DKIMDOMAIN_IN_DWL???No description provided0.000-3.5000.000-3.500
DKIMDOMAIN_IN_DWL_UNKNOWN???No description provided0.000-0.0100.000-0.010
DKIMWL_BLmetaDKIMwl.org - Blocked sender0.0011.2950.0011.295
DKIMWL_BLOCKEDmetaADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.0.0010.0010.0010.001
DKIMWL_WL_HIGHmetaDKIMwl.org - High trust sender0.001-0.0010.001-0.001
DKIMWL_WL_MEDmetaDKIMwl.org - Medium trust sender0.001-0.0010.001-0.001
DKIMWL_WL_MEDHImetaDKIMwl.org - Medium-high trust sender0.001-0.2630.001-0.263
DKIM_ADSP_ALLheaderNo valid author signature, domain signs all mail0.0001.1000.0000.800
DKIM_ADSP_CUSTOM_HIGHheaderNo valid author signature, adsp_override is CUSTOM_HIGH0.0010.0010.0010.001
DKIM_ADSP_CUSTOM_LOWheaderNo valid author signature, adsp_override is CUSTOM_LOW0.0010.0010.0010.001
DKIM_ADSP_CUSTOM_MEDheaderNo valid author signature, adsp_override is CUSTOM_MED0.0010.0010.0010.001
DKIM_ADSP_DISCARDheaderNo valid author signature, domain signs all mail and suggests discarding the rest0.0001.8000.0001.800
DKIM_ADSP_NXDOMAINheaderNo valid author signature and domain not in DNS0.0000.8000.0000.900
DKIM_INVALIDmetaDKIM or DK signature exists, but is not valid0.1000.1000.1000.100
DKIM_SIGNEDfullMessage has a DKIM or DK signature, not necessarily valid0.1000.1000.1000.100
DKIM_VALIDfullMessage has at least one valid DKIM or DK signature-0.100-0.100-0.100-0.100
DKIM_VALID_AUfullMessage has a valid DKIM or DK signature from author's domain-0.100-0.100-0.100-0.100
DKIM_VALID_EFfullMessage has a valid DKIM or DK signature from envelope-from domain-0.100-0.100-0.100-0.100
DMARC_MISSINGheaderMissing DMARC policy0.0010.0010.0010.001
DMARC_NONEheaderDMARC none policy0.0010.8980.0010.898
DMARC_PASSheaderDMARC pass policy-0.001-0.001-0.001-0.001
DMARC_QUARheaderDMARC quarantine policy0.0011.1980.0011.198
DMARC_REJECTheaderDMARC reject policy0.0011.7970.0011.797
DOS_OE_TO_MXmetaDelivered direct to MX with OE headers2.6023.0862.2652.523
DOS_OE_TO_MX_IMAGEmetaDirect to MX with OE headers and an image2.8861.8862.4253.699
DOS_OUTLOOK_TO_MXmetaDelivered direct to MX with Outlook headers2.6361.4491.7372.845
DOS_RCVD_IP_TWICE_CheaderReceived from the same IP twice in a row (only one external relay; empty or IP helo)2.5992.0603.2920.096
DOS_STOCK_BATmetaProbable pump and dump stock spam0.0010.0010.0010.001
DOTGOV_IMAGEmeta.gov URI + hosted image1.0001.0001.0001.000
DRUGS_ANXIETYmetaRefers to an anxiety control drug0.1000.1000.1000.100
DRUGS_DIETmetaRefers to a diet drug2.6600.7571.8310.337
DRUGS_ERECTILEmetaRefers to an erectile drug1.7782.2211.2991.994
DRUGS_ERECTILE_OBFUmetaObfuscated reference to an erectile drug1.3241.3092.9351.109
DRUGS_MANYKINDSmetaRefers to at least four kinds of drugs2.0011.4730.8410.342
DRUGS_MUSCLEmetaRefers to a muscle relaxant0.0012.4990.3920.164
DRUGS_SMEAR1bodyTwo or more drugs crammed together into one word3.3002.0513.1480.235
DRUGS_STOCK_MIMEOLE???No description provided2.6991.6812.4781.321
DRUG_ED_CAPSbodyMentions an E.D. drug2.7991.0232.5160.936
DRUG_ED_ONLINEbodyFast Viagra Delivery0.6961.1521.2210.608
DRUG_ED_SILDbodyTalks about an E.D. drug using its chemical name0.0010.0010.0010.001
DX_TEXT_02body"change your message stat"1.0001.0001.0001.000
DX_TEXT_03body"XXX Media Group"1.0001.0001.0001.000
DYNAMIC_IMGURmetadynamic IP + hosted image1.0001.0001.0001.000
DYN_RDNS_AND_INLINE_IMAGEmetaContains image, and was sent by dynamic rDNS1.3451.3441.4341.168
DYN_RDNS_SHORT_HELO_HTMLmetaSent by dynamic rDNS, short HELO, and HTML0.0010.0010.0000.001
DYN_RDNS_SHORT_HELO_IMAGEmetaShort HELO string, dynamic rDNS, inline image1.8252.5162.2851.013
EBAY_IMG_NOT_RCVD_EBAYmetaE-bay hosted image but message not from E-bay1.0001.0001.0001.000
EMPTY_MESSAGEmetaMessage appears to have no textual parts2.1952.3441.5522.320
EMRCPbody"Excess Maximum Return Capital Profit" scam1.0001.0001.0001.000
EM_ROLEXbodyMessage puts emphasis on the watch manufacturer0.5951.3092.0680.618
ENCRYPTED_MESSAGEmetaMessage is encrypted, not likely to be spam-1.000-0.999-1.000-0.999
END_FUTURE_EMAILSmetaSpammy unsubscribe2.4992.4992.4992.499
ENGLISH_UCE_SUBJECTheaderSubject contains an English UCE tag0.9531.5422.5692.899
ENVFROM_GOOG_TRIXmetaFrom suspicious Google subdomain1.0001.0001.0001.000
ENV_AND_HDR_SPF_MATCHmetaEnv and Hdr From used in default SPF WL Match-0.500-0.500-0.500-0.500
EXCUSE_24bodyClaims you wanted this ad1.0001.0001.0001.000
EXCUSE_4bodyClaims you can be removed from the list2.3991.6872.3991.325
EXCUSE_REMOVEbodyTalks about how to be removed from mailings2.9072.9923.2993.299
FACEBOOK_IMG_NOT_RCVD_FBmetaFacebook hosted image but message not from Facebook1.0001.5511.0001.551
FAKE_REPLY_CmetaNo description provided0.6880.0012.5531.486
FBI_MONEYmetaThe FBI wants to give you lots of money?1.0001.0001.0001.000
FBI_SPOOFmetaClaims to be FBI, but not from FBI domain1.0001.0001.0001.000
FILL_THIS_FORMmetaFill in a form with personal information0.0010.0010.0010.001
FILL_THIS_FORM_FRAUD_PHISH???No description provided1.1950.3960.6150.334
FILL_THIS_FORM_LOAN???No description provided2.0922.2371.8362.880
FILL_THIS_FORM_LONGmetaFill in a form with personal information2.0002.0002.0002.000
FIN_FREEbodyFreedom of a financial nature0.1000.1000.1000.100
FONT_INVIS_DIRECTmetaInvisible text + direct-to-MX0.0010.0010.0010.001
FONT_INVIS_DOTGOVmetaInvisible text + .gov URI1.0001.0001.0001.000
FONT_INVIS_HTML_NOHTMLmetaInvisible text + malformed HTML1.0001.0001.0001.000
FONT_INVIS_LONG_LINEmetaInvisible text + long lines1.2860.7261.2860.726
FONT_INVIS_MSGIDmetaInvisible text + suspicious message ID1.1551.4381.1551.438
FONT_INVIS_NORDNSmetaInvisible text + no rDNS1.0001.0001.0001.000
FONT_INVIS_POSTEXTRASmetaInvisible text + suspicious URI0.0021.8960.0021.896
FORGED_GMAIL_RCVDheader'From' gmail.com does not match 'Received' headers1.0001.0001.0001.000
FORGED_HOTMAIL_RCVD2headerhotmail.com 'From' address, but no 'Received:'0.0011.1870.6980.874
FORGED_MSGID_EXCITEmetaMessage-ID is forged, (excite.com)2.3991.8991.6490.528
FORGED_MSGID_YAHOOmetaMessage-ID is forged, (yahoo.com)0.1000.1000.1000.100
FORGED_MUA_EUDORAmetaForged mail pretending to be from Eudora2.8282.5101.9620.001
FORGED_MUA_IMSmetaForged mail pretending to be from IMS2.3992.3992.3991.943
FORGED_MUA_MOZILLAmetaForged mail pretending to be from Mozilla2.3991.5962.3992.309
FORGED_MUA_OIMOmetaForged mail pretending to be from MS Outlook IMO2.6002.5992.5992.599
FORGED_MUA_OUTLOOKmetaForged mail pretending to be from MS Outlook3.9992.7852.5001.927
FORGED_MUA_THEBAT_BOUNmetaMail pretending to be from The Bat! (boundary)3.0463.2203.2073.399
FORGED_OUTLOOK_HTMLmetaOutlook can't send HTML message only0.0010.0010.0010.021
FORGED_OUTLOOK_TAGSmetaOutlook can't send HTML in this format0.0030.5650.0010.052
FORGED_SPF_HELOmetaNo description provided0.0010.0010.0010.001
FORGED_TELESP_RCVDheaderContains forged hostname for a DSL IP in Brazil2.4992.4992.4991.841
FORGED_YAHOO_RCVDheader'From' yahoo.com does not match 'Received' headers2.3971.0222.5991.630
FORM_FRAUDmetaFill a form and a fraud phrase0.9991.0000.9991.000
FORM_FRAUD_3metaFill a form and several fraud phrases1.0001.0001.0001.000
FORM_FRAUD_5metaFill a form and many fraud phrases0.0010.0010.0010.001
FOUND_YOUmetaI found you...1.0001.0001.0001.000
FREEMAIL_ENVFROM_END_DIGITheaderEnvelope-from freemail username ends in digit0.2500.2500.2500.250
FREEMAIL_FORGED_FROMDOMAINmeta2nd level domains in From and EnvelopeFrom freemail headers are different0.2500.2500.2500.250
FREEMAIL_FORGED_REPLYTOmetaFreemail in Reply-To, but not From1.1992.5031.2042.095
FREEMAIL_FROMheaderSender email is commonly abused enduser mail provider0.0010.0010.0010.001
FREEMAIL_REPLYmetaFrom and body contain different freemails1.0001.0001.0001.000
FREEMAIL_REPLYTOmetaReply-To/From or Reply-To/body contain different freemails1.0001.0001.0001.000
FREEMAIL_REPLYTO_END_DIGITheaderReply-To freemail username ends in digit0.2500.2500.2500.250
FREEMAIL_WFH_01metaWork-from-Home + freemail1.0001.0001.0001.000
FREEM_FRNUM_UNICD_EMPTYmetaNumeric freemail From address, unicode From name and Subject, empty body1.0001.0001.0001.000
FREE_QUOTE_INSTANTbodyFree express or no-obligation quote2.7002.6992.6991.297
FRNAME_IN_MSG_XPRIO_NO_SUBmetaFrom name in message + X-Priority + short or no subject1.0001.0001.0001.000
FROM_ADDR_WSmetaMalformed From address2.9992.3492.9992.349
FROM_BANK_NOAUTHmetaFrom Bank domain but no SPF or DKIM0.0011.0000.0011.000
FROM_BLANK_NAMEheaderFrom: contains empty name2.0992.0992.0990.723
FROM_DOMAIN_NOVOWELheaderFrom: domain has series of non-vowel letters0.5000.5000.5000.500
FROM_EXCESS_BASE64metaFrom: base64 encoded unnecessarily0.0010.0010.0010.001
FROM_FMBLA_NDBLOCKEDmetaADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.0.0010.0010.0010.001
FROM_FMBLA_NEWDOMmetaFrom domain was registered in last 7 days0.0011.0000.0011.000
FROM_FMBLA_NEWDOM14metaFrom domain was registered in last 7-14 days0.0011.0000.0011.000
FROM_FMBLA_NEWDOM28metaFrom domain was registered in last 14-28 days0.0010.7990.0010.799
FROM_GOV_DKIM_AUmetaFrom Government address and DKIM signed0.001-0.7660.001-0.766
FROM_GOV_REPLYTO_FREEMAILmetaFrom Government domain but ReplyTo is FREEMAIL0.0011.0000.0011.000
FROM_GOV_SPOOFmetaFrom Government domain but matches SPOOFED0.0011.0000.0011.000
FROM_ILLEGAL_CHARSmetaFrom: has too many raw illegal characters2.1922.0590.2400.036
FROM_IN_TO_AND_SUBJmetaFrom address is in To and Subject1.0001.0001.0001.000
FROM_LOCAL_DIGITSheaderFrom: localpart has long digit sequence0.0010.0010.0010.001
FROM_LOCAL_HEXheaderFrom: localpart has long hexadecimal sequence0.0000.3310.0010.006
FROM_LOCAL_NOVOWELheaderFrom: localpart has series of non-vowel letters0.5000.5000.5000.500
FROM_MISSPACEDmetaFrom: missing whitespace1.9991.6011.9991.601
FROM_MISSP_EH_MATCHmetaFrom misspaced, matches envelope2.0001.3992.0001.399
FROM_MISSP_FREEMAILmetaFrom misspaced + freemail provider2.6990.0012.6990.001
FROM_MISSP_MSFTmetaFrom misspaced + supposed Microsoft tool0.6010.0010.6010.001
FROM_MISSP_REPLYTOmetaFrom misspaced, has Reply-To1.1990.9011.1990.901
FROM_MISSP_SPF_FAILmetaNo description provided0.0010.0010.0010.001
FROM_MISSP_USERmetaFrom misspaced, from "User"0.0010.0010.0010.001
FROM_NEWDOM_BTCmetaNewdomain with Bitcoin ID0.0011.0000.0011.000
FROM_NO_USERheaderFrom: has no local-part before @ sign0.0012.5990.0190.798
FROM_NTLD_LINKBAITmetaFrom abused NTLD with little more than a URI1.0001.0001.0001.000
FROM_NTLD_REPLY_FREEMAILmetaFrom abused NTLD and Reply-To is FREEMAIL1.0001.0001.0001.000
FROM_NUMBERO_NEWDOMAINmetaFingerprint and new domain0.0011.0000.0011.000
FROM_OFFERSheaderFrom address is "at something-offers"1.0001.0001.0001.000
FROM_PAYPAL_SPOOFmetaFrom PayPal domain but matches SPOOFED0.0011.4510.0011.451
FROM_STARTS_WITH_NUMSheaderFrom: starts with several numbers2.8010.5531.2010.738
FROM_SUSPICIOUS_NTLDmetaFrom abused NTLD0.4990.4990.4990.499
FROM_SUSPICIOUS_NTLD_FPmetaFrom abused NTLD1.9991.9991.9991.999
FROM_UNBAL1headerFrom with unbalanced angle brackets, '>' missing2.2992.2992.2992.299
FSL_BULK_SIGmetaBulk signature with no Unsubscribe0.0010.8150.0010.815
FSL_CTYPE_WIN1251headerContent-Type only seen in 419 spam0.0010.0010.0010.001
FSL_FAKE_HOTMAIL_RVCDheaderNo description provided2.6311.8162.0112.365
FSL_HAS_TINYURLuriNo description provided2.7992.6992.7992.699
FSL_HELO_BARE_IP_1metaNo description provided2.5981.4263.0992.347
FSL_HELO_DEVICEheaderNo description provided0.1000.1000.1000.100
FSL_HELO_NON_FQDN_1headerNo description provided2.3610.0011.7830.001
FSL_INTERIA_ABUSEuriNo description provided3.8992.6643.0803.106
FSL_NEW_HELO_USERmetaSpam's using Helo and User0.0010.0010.0010.001
FUZZY_AMAZONbodyObfuscated "amazon"1.0001.0001.0001.000
FUZZY_ANDROIDbodyObfuscated "android"1.0001.0001.0001.000
FUZZY_APPLEbodyObfuscated "apple"1.0001.0001.0001.000
FUZZY_BITCOINbodyObfuscated "Bitcoin"1.0001.0001.0001.000
FUZZY_BROWSERbodyObfuscated "browser"1.0001.0001.0001.000
FUZZY_BTC_WALLETmetaHeavily obfuscated "bitcoin wallet"1.0001.0001.0001.000
FUZZY_CLICK_HEREbodyObfuscated "click here"1.0001.0001.0001.000
FUZZY_CPILLbodyAttempt to obfuscate words in spam0.0010.0010.0010.001
FUZZY_CREDITbodyAttempt to obfuscate words in spam1.6991.4130.6011.678
FUZZY_DR_OZmetaObfuscated Doctor Oz1.0001.0001.0001.000
FUZZY_FACEBOOKbodyObfuscated "facebook"1.0001.0001.0001.000
FUZZY_IMPORTANTbodyObfuscated "important"3.7990.6333.7990.633
FUZZY_MICROSOFTbodyObfuscated "microsoft"1.0001.0001.0001.000
FUZZY_MILLIONbodyAttempt to obfuscate words in spam0.1000.1000.1000.100
FUZZY_MONEROmetaObfuscated "Monero"1.0001.0001.0001.000
FUZZY_NORTONbodyObfuscated "norton"1.0001.0001.0001.000
FUZZY_OVERSTOCKbodyObfuscated "overstock"1.0001.0001.0001.000
FUZZY_PAYPALbodyObfuscated "paypal"1.0001.0001.0001.000
FUZZY_PHARMACYbodyAttempt to obfuscate words in spam2.9603.2991.9671.353
FUZZY_PHENTbodyAttempt to obfuscate words in spam2.7991.6471.5402.662
FUZZY_PORNmetaObfuscated "Pornography" or "Pornographic"1.0001.0001.0001.000
FUZZY_PRICESbodyAttempt to obfuscate words in spam1.8210.7202.2102.311
FUZZY_PRIVACYbodyObfuscated "privacy"1.0001.0001.0001.000
FUZZY_PROMOTIONbodyObfuscated "promotion"1.0001.0001.0001.000
FUZZY_SAVINGSbodyObfuscated "savings"1.0001.0001.0001.000
FUZZY_SECURITYbodyObfuscated "security"1.0001.0001.0001.000
FUZZY_UNSUBSCRIBEbodyObfuscated "unsubscribe"1.0001.0001.0001.000
FUZZY_VPILLbodyAttempt to obfuscate words in spam0.0010.4940.7961.014
FUZZY_WALLETbodyObfuscated "Wallet"1.7990.0781.7990.078
FUZZY_XPILLbodyAttempt to obfuscate words in spam0.1000.1000.1000.100
GAPPY_SALES_LEADS_FREEMmetaObfuscated marketing text, freemail or CHN replyto1.0001.0001.0001.000
GAPPY_SUBJECTmetaSubject: contains G.a.p.p.y-T.e.x.t0.1000.1000.1000.100
GB_BITCOIN_CPmetaLocalized Bitcoin scam2.9770.5982.9770.598
GB_BITCOIN_NHmetaLocalized Bitcoin scam1.0001.9801.0001.980
GB_CUSTOM_HTM_URImetaCustom html uri1.4990.0011.4990.001
GB_FAKE_RF_SHORTmetaFake reply or forward with url shortener1.0001.0001.0001.000
GB_FORGED_MUA_POSTFIXmetaForged Postfix mua headers1.0001.0001.0001.000
GB_FREEMAIL_DISPTOmetaDisposition-Notification-To/From or Disposition-Notification-To/body contain different freemails0.0010.0010.0010.001
GB_FREEMAIL_DISPTO_NOTFREEMmetaDisposition-Notification-To/From contain different freemails but mailfrom is not a freemail0.5000.5000.5000.500
GB_GOOGLE_OBFURuriObfuscate url through Google redirect0.7500.7500.7500.750
GB_HASHBL_BTCbodyMessage contains BTC address found on BTCBL0.0010.5040.0010.504
GB_STORAGE_GOOGLE_EMAILuriGoogle storage cloud abuse1.0001.0001.0001.000
GB_URI_FLEEK_STO_HTMuriHtml file stored on Fleek cloud1.0001.0001.0001.000
GMD_PDF_EMPTY_BODYbodyAttached PDF with empty message body0.2500.2500.2500.250
GMD_PDF_ENCRYPTEDbodyAttached PDF is encrypted0.6000.6000.6000.600
GMD_PDF_HORIZbodyContains pdf 100-240 (high) x 450-800 (wide)0.2500.2500.2500.250
GMD_PDF_SQUAREbodyContains pdf 180-360 (high) x 180-360 (wide)0.5000.5000.5000.500
GMD_PDF_VERTbodyContains pdf 450-800 (high) x 100-240 (wide)0.9000.9000.9000.900
GMD_PRODUCER_EASYPDFbodyPDF producer was BCL easyPDF0.2500.2500.2500.250
GMD_PRODUCER_GPLbodyPDF producer was GPL Ghostscript0.2500.2500.2500.250
GMD_PRODUCER_POWERPDFbodyPDF producer was PowerPDF0.2500.2500.2500.250
GOOGLE_DOCS_PHISHmetaPossible phishing via a Google Docs form1.0001.0001.0001.000
GOOGLE_DOCS_PHISH_MANYmetaPhishing via a Google Docs form1.0001.0001.0001.000
GOOGLE_DOC_SUSPmetaSuspicious use of Google Docs1.0001.0001.0001.000
GOOGLE_DRIVE_REPLY_BAD_NTLDmetaFrom Google Drive and Reply-To is from a suspicious TLD1.0001.0001.0001.000
GOOG_MALWARE_DNLDmetaFile download via Google - Malware?1.0001.0001.0001.000
GOOG_REDIR_DOCUSIGNuriIndirect docusign link, probable phishing1.0001.0001.0001.000
GOOG_REDIR_HTML_ONLYmetaGoogle redirect to obscure spamvertised website + HTML only1.9991.9991.9991.999
GOOG_REDIR_NORDNSmetaGoogle redirect to obscure spamvertised website + no rDNS2.6002.9002.6002.900
GOOG_REDIR_SHORTmetaGoogle redirect to obscure spamvertised website + short message1.0001.0001.0001.000
GOOG_STO_EMAIL_PHISHmetaPossible phishing with google hosted content URI having email address1.0001.0001.0001.000
GOOG_STO_HTML_PHISHmetaPossible phishing with google content hosting to avoid URIBL1.0001.0001.0001.000
GOOG_STO_HTML_PHISH_MANYmetaPhishing with google content hosting to avoid URIBL1.0001.0001.0001.000
GOOG_STO_IMG_HTMLmetaApparently using google content hosting to avoid URIBL1.0001.0001.0001.000
GOOG_STO_IMG_NOHTMLmetaApparently using google content hosting to avoid URIBL1.0002.5001.0002.500
GOOG_STO_NOIMG_HTMLmetaApparently using google content hosting to avoid URIBL3.0002.9493.0002.949
GTUBEbodyGeneric Test for Unsolicited Bulk Email1000.0001000.0001000.0001000.000
GUARANTEED_100_PERCENTbodyOne hundred percent guaranteed2.6992.6992.4802.699
HAS_X_NO_RELAYmetaHas spammy header1.0001.0001.0001.000
HAS_X_OUTGOING_SPAM_STATmetaHas header claiming outbound spam scan - why trust the results?0.5020.0010.5020.001
HDRS_LCASEmetaOdd capitalization of message header0.0010.1000.0010.100
HDRS_LCASE_IMGONLYmetaOdd capitalization of message headers + image-only HTML0.1000.0990.1000.099
HDRS_MISSPmetaMisspaced headers2.4990.7182.4990.718
HDR_ORDER_FTSDMCXX_DIRECTmetaHeader order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX0.8650.0010.8650.001
HDR_ORDER_FTSDMCXX_NORDNSmetaHeader order similar to spam (FTSDMCXX/boundary variant) + no rDNS0.0010.0010.0010.001
HEADER_FROM_DIFFERENT_DOMAINSheaderFrom and EnvelopeFrom 2nd level mail domains are different0.2500.2500.2500.250
HEADER_SPAMheaderBulk email fingerprint (header-based) found2.4992.4991.9940.585
HELO_DYNAMIC_CHELLO_NLheaderRelay HELO'd using suspicious hostname (Chello.nl)2.4121.9182.0192.428
HELO_DYNAMIC_DHCPmetaRelay HELO'd using suspicious hostname (DHCP)2.6020.8411.5370.206
HELO_DYNAMIC_DIALINheaderRelay HELO'd using suspicious hostname (T-Dialin)2.6293.2332.1861.366
HELO_DYNAMIC_HCCmetaRelay HELO'd using suspicious hostname (HCC)4.2992.5142.9312.762
| HELO_DYNAMIC_HEXIP | header | Relay HELO'd using suspicious hostname (Hex IP) | 2.321 | 0.511 | 1.773 | 1.789 |
| HELO_DYNAMIC_HOME_NL | header | Relay HELO'd using suspicious hostname (Home.nl) | 2.385 | 1.530 | 1.024 | 1.459 |
| HELO_DYNAMIC_IPADDR | meta | Relay HELO'd using suspicious hostname (IP addr 1) | 2.633 | 3.243 | 3.680 | 1.951 |
| HELO_DYNAMIC_IPADDR2 | meta | Relay HELO'd using suspicious hostname (IP addr 2) | 2.815 | 3.888 | 3.728 | 3.607 |
| HELO_DYNAMIC_SPLIT_IP | header | Relay HELO'd using suspicious hostname (Split IP) | 3.031 | 2.893 | 4.225 | 3.482 |
| HELO_LH_HOME | ??? | No description provided | 0.001 | 2.023 | 0.537 | 1.736 |
| HELO_LOCALHOST | header | No description provided | 2.639 | 3.603 | 2.915 | 3.828 |
| HELO_MISC_IP | meta | Looking for more Dynamic IP Relays | 0.250 | 0.001 | 0.250 | 0.001 |
| HELO_NO_DOMAIN | meta | Relay reports its domain incorrectly | 0.001 | 0.001 | 0.001 | 0.001 |
| HELO_OEM | header | No description provided | 2.899 | 2.899 | 1.234 | 0.270 |
| HELO_STATIC_HOST | meta | Relay HELO'd using static hostname | -0.001 | -0.001 | -0.001 | -0.001 |
| HEXHASH_WORD | meta | Multiple instances of word + hexadecimal hash | 1.000 | 1.973 | 1.000 | 1.973 |
| HIDE_WIN_STATUS | rawbody | Javascript to hide URLs in browser | 0.001 | 0.001 | 0.001 | 0.001 |
| HK_CTE_RAW | mimeheader | No description provided | 1.000 | 1.000 | 1.000 | 1.000 |
| HK_LOTTO | meta | No description provided | 1.000 | 0.120 | 1.000 | 0.120 |
| HK_NAME_DRUGS | header | From name contains drugs | 4.299 | 0.001 | 3.077 | 0.552 |
| HK_NAME_MR_MRS | meta | No description provided | 0.999 | 0.999 | 0.999 | 0.999 |
| HK_RANDOM_ENVFROM | header | Envelope sender username looks random | 0.387 | 0.999 | 0.387 | 0.999 |
| HK_RANDOM_FROM | header | From username looks random | 1.000 | 1.000 | 1.000 | 1.000 |
| HK_RANDOM_REPLYTO | header | Reply-To username looks random | 0.999 | 1.000 | 0.999 | 1.000 |
| HK_RCVD_IP_MULTICAST | header | No description provided | 1.000 | 1.000 | 1.000 | 1.000 |
| HK_SCAM | meta | No description provided | 1.999 | 1.999 | 1.999 | 1.999 |
| HK_WIN | meta | No description provided | 1.000 | 1.000 | 1.000 | 1.000 |
| HOSTED_IMG_DIRECT_MX | meta | Image hosted at large ecomm, CDN or hosting site, message direct-to-mx | 0.001 | 2.707 | 0.001 | 2.707 |
| HOSTED_IMG_DQ_UNSUB | meta | Image hosted at large ecomm site, IP addr unsub link | 1.000 | 1.000 | 1.000 | 1.000 |
| HOSTED_IMG_FREEM | meta | Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to | 1.000 | 1.000 | 1.000 | 1.000 |
| HOSTED_IMG_MULTI | meta | Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected | 1.000 | 1.000 | 1.000 | 1.000 |
| HOSTED_IMG_MULTI_PUB_01 | meta | Multiple hosted images at public site | 1.000 | 2.999 | 1.000 | 2.999 |
| HTML_CHARSET_FARAWAY | meta | A foreign language charset used in HTML markup | 0.500 | 0.500 | 0.500 | 0.500 |
| HTML_COMMENT_SAVED_URL | body | HTML message is a saved web page | 0.198 | 0.357 | 0.899 | 1.391 |
| HTML_EMBEDS | body | HTML with embedded plugin object | 0.001 | 0.001 | 0.001 | 0.001 |
| HTML_ENTITY_ASCII | meta | Obfuscated ASCII | 2.999 | 2.999 | 2.999 | 2.999 |
| HTML_ENTITY_ASCII_TINY | meta | Obfuscated ASCII + tiny fonts | 1.000 | 1.000 | 1.000 | 1.000 |
| HTML_EXTRA_CLOSE | body | HTML contains far too many close tags | 0.001 | 0.001 | 0.001 | 0.001 |
| HTML_FONT_FACE_BAD | body | HTML font face is not a word | 0.001 | 0.001 | 0.001 | 0.001 |
| HTML_FONT_LOW_CONTRAST | body | HTML font color similar or identical to background | 0.713 | 0.001 | 0.786 | 0.001 |
| HTML_FONT_SIZE_HUGE | body | HTML font size is huge | 0.001 | 0.001 | 0.001 | 0.001 |
| HTML_FONT_SIZE_LARGE | body | HTML font size is large | 0.001 | 0.001 | 0.001 | 0.001 |
| HTML_FONT_TINY_NORDNS | meta | Font too small to read, no rDNS | 1.850 | 1.823 | 1.850 | 1.823 |
| HTML_IMAGE_ONLY_04 | body | HTML: images with 0-400 bytes of words | 1.680 | 0.342 | 1.799 | 1.172 |
| HTML_IMAGE_ONLY_08 | body | HTML: images with 400-800 bytes of words | 0.585 | 1.781 | 1.845 | 1.651 |
| HTML_IMAGE_ONLY_12 | body | HTML: images with 800-1200 bytes of words | 1.381 | 1.629 | 1.400 | 2.059 |
| HTML_IMAGE_ONLY_16 | body | HTML: images with 1200-1600 bytes of words | 1.969 | 1.048 | 1.199 | 1.092 |
| HTML_IMAGE_ONLY_20 | body | HTML: images with 1600-2000 bytes of words | 2.109 | 0.700 | 1.300 | 1.546 |
| HTML_IMAGE_ONLY_24 | body | HTML: images with 2000-2400 bytes of words | 2.799 | 1.282 | 1.328 | 1.618 |
| HTML_IMAGE_ONLY_28 | body | HTML: images with 2400-2800 bytes of words | 2.799 | 0.726 | 1.512 | 1.404 |
| HTML_IMAGE_ONLY_32 | body | HTML: images with 2800-3200 bytes of words | 2.196 | 0.001 | 1.172 | 0.001 |
| HTML_IMAGE_RATIO_02 | body | HTML has a low ratio of text to image area | 0.001 | 0.001 | 0.001 | 0.001 |
| HTML_IMAGE_RATIO_04 | body | HTML has a low ratio of text to image area | 0.001 | 0.001 | 0.001 | 0.001 |
| HTML_IMAGE_RATIO_06 | body | HTML has a low ratio of text to image area | 0.001 | 0.001 | 0.001 | 0.001 |
| HTML_IMAGE_RATIO_08 | body | HTML has a low ratio of text to image area | 0.001 | 0.001 | 0.001 | 0.001 |
| HTML_MESSAGE | body | HTML included in message | 0.001 | 0.001 | 0.001 | 0.001 |
| HTML_MIME_NO_HTML_TAG | meta | HTML-only message, but there is no HTML tag | 0.001 | 0.635 | 0.001 | 0.377 |
| HTML_NONELEMENT_30_40 | body | 30% to 40% of HTML elements are non-standard | 0.000 | 0.001 | 0.308 | 0.001 |
| HTML_OBFUSCATE_05_10 | body | Message is 5% to 10% HTML obfuscation | 0.601 | 0.001 | 0.718 | 0.260 |
| HTML_OBFUSCATE_10_20 | body | Message is 10% to 20% HTML obfuscation | 0.174 | 1.162 | 0.588 | 0.093 |
| HTML_OBFUSCATE_20_30 | body | Message is 20% to 30% HTML obfuscation | 2.499 | 2.441 | 1.449 | 1.999 |
| HTML_OBFUSCATE_90_100 | body | Message is 90% to 100% HTML obfuscation | 2.000 | 2.000 | 2.000 | 2.000 |
| HTML_OFF_PAGE | meta | HTML element rendered well off the displayed page | 1.932 | 1.000 | 1.932 | 1.000 |
| HTML_SHORT_CENTER | meta | HTML is very short with CENTER tag | 3.799 | 3.421 | 2.611 | 0.743 |
| HTML_SHORT_LINK_IMG_1 | meta | HTML is very short with a linked image | 2.215 | 0.139 | 0.480 | 0.001 |
| HTML_SHORT_LINK_IMG_2 | meta | HTML is very short with a linked image | 1.419 | 0.259 | 0.603 | 0.001 |
| HTML_SHORT_LINK_IMG_3 | meta | HTML is very short with a linked image | 0.691 | 0.328 | 0.001 | 0.148 |
| HTML_SHRT_CMNT_OBFU_MANY | meta | Obfuscation with many short HTML comments | 1.000 | 1.000 | 1.000 | 1.000 |
| HTML_SINGLET_MANY | meta | Many single-letter HTML format blocks | 2.499 | 2.455 | 2.499 | 2.455 |
| HTML_TAG_BALANCE_BODY | body | HTML has unbalanced "body" tags | 0.100 | 0.100 | 0.100 | 0.100 |
| HTML_TAG_BALANCE_CENTER | meta | Malformatted HTML | 2.899 | 2.799 | 2.899 | 2.799 |
| HTML_TAG_BALANCE_HEAD | body | HTML has unbalanced "head" tags | 0.520 | 0.000 | 0.600 | 0.817 |
| HTML_TEXT_INVISIBLE_FONT | meta | HTML hidden text - word obfuscation? | 1.402 | 1.111 | 1.402 | 1.111 |
| HTML_TEXT_INVISIBLE_STYLE | meta | HTML hidden text + other spam signs | 2.050 | 1.207 | 2.050 | 1.207 |
| HTML_TITLE_SUBJ_DIFF | meta | No description provided | 1.149 | 2.171 | 1.801 | 2.036 |
| HTTPS_HTTP_MISMATCH | body | No description provided | 0.100 | 0.100 | 0.100 | 0.100 |
| HTTP_ESCAPED_HOST | uri | Uses %-escapes inside a URL's hostname | 0.100 | 0.100 | 0.100 | 0.100 |
| HTTP_EXCESSIVE_ESCAPES | uri | Completely unnecessary %-escapes inside a URL | 0.001 | 0.001 | 0.001 | 0.001 |
| IMG_ONLY_FM_DOM_INFO | meta | HTML image-only message from .info domain | 1.000 | 1.000 | 1.000 | 1.000 |
| IMPOTENCE | body | Impotence cure | 1.539 | 2.144 | 3.028 | 1.374 |
| INVALID_DATE | header | Invalid Date: header (not RFC 2822) | 1.701 | 0.432 | 1.200 | 1.096 |
| INVALID_DATE_TZ_ABSURD | header | Invalid Date: header (timezone does not exist) | 0.262 | 0.632 | 0.706 | 0.491 |
| INVALID_MSGID | meta | Message-Id is not valid, according to RFC 2822 | 2.602 | 1.167 | 1.328 | 0.568 |
| INVESTMENT_ADVICE | body | Message mentions investment advice | 0.100 | 0.100 | 0.100 | 0.100 |
| IP_LINK_PLUS | uri | Dotted-decimal IP address followed by CGI | 0.001 | 0.001 | 0.246 | 0.012 |
| JH_SPAMMY_HEADERS | meta | Has unusual message header(s) seen primarily in spam | 3.499 | 3.499 | 3.499 | 3.499 |
| JH_SPAMMY_PATTERN01 | rawbody | Unusual pattern seen in spam campaign | 1.000 | 1.000 | 1.000 | 1.000 |
| JH_SPAMMY_PATTERN02 | rawbody | Unusual pattern seen in spam campaign | 1.000 | 1.000 | 1.000 | 1.000 |
| JOIN_MILLIONS | body | Join Millions of Americans | 0.100 | 0.100 | 0.100 | 0.100 |
| KB_DATE_CONTAINS_TAB | meta | No description provided | 3.800 | 3.799 | 3.799 | 2.751 |
| KB_FAKED_THE_BAT | meta | No description provided | 2.432 | 3.441 | 2.008 | 2.694 |
| KB_RATWARE_MSGID | meta | No description provided | 4.099 | 2.987 | 2.108 | 1.700 |
| KB_RATWARE_OUTLOOK_MID | header | No description provided | 4.400 | 4.400 | 2.503 | 1.499 |
| KHOP_FAKE_EBAY | meta | Sender falsely claims to be from eBay | 1.000 | 1.000 | 1.000 | 1.000 |
| KHOP_HELO_FCRDNS | meta | Relay HELO differs from its IP's reverse DNS | 0.399 | 0.399 | 0.399 | 0.399 |
| LINKEDIN_IMG_NOT_RCVD_LNKN | meta | Linkedin hosted image but message not from Linkedin | 1.000 | 1.000 | 1.000 | 1.000 |
| LIST_PRTL_PUMPDUMP | meta | Incomplete List-* headers and stock pump-and-dump | 1.000 | 1.000 | 1.000 | 1.000 |
| LIST_PRTL_SAME_USER | meta | Incomplete List-* headers and from+to user the same | 1.000 | 1.000 | 1.000 | 1.000 |
| LIVEFILESTORE | uri | No description provided | 0.100 | 0.100 | 0.100 | 0.100 |
| LOCALPART_IN_SUBJECT | header | Local part of To: address appears in Subject | 0.001 | 0.730 | 1.199 | 1.107 |
| LONGWORDS | meta | Long string of long words | 2.199 | 1.844 | 1.819 | 2.035 |
| LONG_HEX_URI | meta | Very long purely hexadecimal URI | 2.999 | 2.870 | 2.999 | 2.870 |
| LONG_IMG_URI | meta | Image URI with very long path component - web bug? | 0.568 | 2.472 | 0.568 | 2.472 |
| LONG_INVISIBLE_TEXT | meta | Long block of hidden text - bayes poison? | 2.999 | 2.999 | 2.999 | 2.999 |
| LONG_TERM_PRICE | body | No description provided | 0.001 | 0.001 | 0.001 | 0.001 |
| LOTS_OF_MONEY | meta | Huge... sums of money | 0.001 | 0.001 | 0.001 | 0.001 |
| LOTTERY_1 | meta | No description provided | 0.001 | 1.488 | 1.630 | 0.087 |
| LOTTERY_PH_004470 | meta | No description provided | 0.100 | 0.100 | 0.100 | 0.100 |
| LOTTO_AGENT | meta | Claims Agent | 1.000 | 1.011 | 1.000 | 1.011 |
| LOTTO_DEPT | meta | Claims Department | 0.001 | 0.001 | 0.001 | 0.001 |
| LOW_PRICE | body | Lowest Price | 0.100 | 0.100 | 0.100 | 0.100 |
| LUCRATIVE | meta | Make lots of money! | 1.000 | 1.000 | 1.000 | 1.000 |
| L_SPAM_TOOL_13 | header | No description provided | 0.539 | 0.485 | 0.494 | 1.333 |
| MAILING_LIST_MULTI | meta | Multiple indicators imply a widely-seen list manager | 1.000 | 1.000 | 1.000 | 1.000 |
| MALE_ENHANCE | body | Message talks about enhancing men | 3.100 | 3.099 | 3.099 | 0.851 |
| MALF_HTML_B64 | meta | Malformatted base64-encoded HTML content | 1.000 | 1.000 | 1.000 | 1.000 |
| MALWARE_NORDNS | meta | Malware bragging + no rDNS | 0.937 | 2.591 | 0.937 | 2.591 |
| MALWARE_PASSWORD | meta | Malware bragging + "password" | 2.970 | 3.499 | 2.970 | 3.499 |
| MALW_ATTACH | meta | Attachment filename suspicious, probable malware exploit | 3.500 | 3.500 | 3.500 | 3.500 |
| MANY_SPAN_IN_TEXT | meta | Many <SPAN> tags embedded within text | 2.499 | 2.399 | 2.499 | 2.399 |
| MARKETING_PARTNERS | body | Claims you registered with a partner | 0.553 | 0.235 | 0.689 | 0.001 |
| MAY_BE_FORGED | meta | Relay IP's reverse DNS does not resolve to IP | 1.000 | 1.000 | 1.000 | 1.000 |
| MICROSOFT_EXECUTABLE | body | Message includes Microsoft executable program | 0.100 | 0.100 | 0.100 | 0.100 |
| MILLION_HUNDRED | body | Million "One to Nine" Hundred | 0.595 | 1.738 | 0.595 | 1.738 |
| MILLION_USD | body | Talks about millions of dollars | 1.212 | 0.994 | 1.212 | 0.994 |
| MIMEOLE_DIRECT_TO_MX | meta | MIMEOLE + direct-to-MX | 0.001 | 0.001 | 0.001 | 0.001 |
| MIMEPART_LIMIT_EXCEEDED | body | Message has too many MIME parts | 0.001 | 0.001 | 0.001 | 0.001 |
| MIME_BASE64_TEXT | rawbody | Message text disguised using base64 encoding | 0.001 | 0.001 | 0.001 | 1.741 |
| MIME_BOUND_DD_DIGITS | header | Spam tool pattern in MIME boundary | 3.016 | 0.349 | 2.417 | 1.373 |
| MIME_BOUND_DIGITS_15 | header | Spam tool pattern in MIME boundary | 0.100 | 0.100 | 0.100 | 0.100 |
| MIME_CHARSET_FARAWAY | meta | MIME character set indicates foreign language | 2.450 | 2.450 | 2.450 | 2.450 |
| MIME_HEADER_CTYPE_ONLY | meta | 'Content-Type' found without required MIME headers | 0.100 | 0.100 | 0.100 | 0.100 |
| MIME_HTML_MOSTLY | body | Multipart message mostly text/html MIME | 0.100 | 0.100 | 0.100 | 0.100 |
| MIME_HTML_ONLY | body | Message only has text/html MIME parts | 0.100 | 0.100 | 0.100 | 0.100 |
| MIME_HTML_ONLY_MULTI | meta | Multipart message only has text/html MIME parts | 0.000 | 0.001 | 0.001 | 0.001 |
| MIME_NO_TEXT | meta | No (properly identified) text body parts | 1.000 | 1.000 | 1.000 | 1.000 |
| MIME_PHP_NO_TEXT | meta | No text body parts, X-Mailer: PHP | 2.800 | 2.799 | 2.799 | 2.799 |
| MIME_QP_LONG_LINE | rawbody | Quoted-printable line longer than 76 chars | 0.001 | 0.001 | 0.001 | 0.001 |
| MIME_SUSPECT_NAME | body | MIME filename does not match content | 0.100 | 0.100 | 0.100 | 0.100 |
| MISSING_DATE | meta | Missing Date: header | 2.739 | 1.396 | 1.800 | 1.360 |
| MISSING_FROM | meta | Missing From: header | 1.000 | 1.000 | 1.000 | 1.000 |
| MISSING_HEADERS | header | Missing To: header | 0.915 | 1.207 | 1.204 | 1.021 |
| MISSING_MID | meta | Missing Message-Id: header | 0.552 | 0.140 | 1.199 | 0.497 |
| MISSING_MIMEOLE | meta | Message has X-MSMail-Priority, but no X-MimeOLE | 0.392 | 1.843 | 0.571 | 1.899 |
| MISSING_MIME_HB_SEP | body | Missing blank line between MIME header and body | 0.001 | 0.001 | 0.001 | 0.001 |
| MISSING_SUBJECT | meta | Missing Subject: header | 0.001 | 1.767 | 1.300 | 1.799 |
| MIXED_AREA_CASE | meta | Has area tag in mixed case | 1.000 | 1.000 | 1.000 | 1.000 |
| MIXED_CENTER_CASE | meta | Has center tag in mixed case | 1.000 | 1.596 | 1.000 | 1.596 |
| MIXED_ES | meta | Too many es are not es | 1.799 | 1.999 | 1.799 | 1.999 |
| MIXED_FONT_CASE | meta | Has font tag in mixed case | 1.000 | 1.000 | 1.000 | 1.000 |
| MIXED_HREF_CASE | meta | Has href in mixed case | 1.000 | 0.487 | 1.000 | 0.487 |
| MIXED_IMG_CASE | meta | Has img tag in mixed case | 1.000 | 2.274 | 1.000 | 2.274 |
| MONERO_DEADLINE | meta | Monero cryptocurrency with a deadline | 1.000 | 1.000 | 1.000 | 1.000 |
| MONERO_EXTORT_01 | meta | Extortion spam, pay via Monero cryptocurrency | 1.000 | 1.000 | 1.000 | 1.000 |
| MONERO_MALWARE | meta | Monero cryptocurrency + malware bragging | 1.000 | 1.000 | 1.000 | 1.000 |
| MONERO_PAY_ME | meta | Pay me via Monero cryptocurrency | 1.000 | 1.000 | 1.000 | 1.000 |
| MONEY_ATM_CARD | meta | Lots of money on an ATM card | 0.001 | 0.001 | 0.001 | 0.001 |
| MONEY_BACK | body | Money back guarantee | 2.910 | 2.486 | 0.601 | 1.232 |
| MONEY_BARRISTER | meta | Lots of money from a UK lawyer | 0.001 | 0.480 | 0.001 | 0.480 |
| MONEY_FORM | meta | Lots of money if you fill out a form | 0.001 | 0.001 | 0.001 | 0.001 |
| MONEY_FORM_SHORT | meta | Lots of money if you fill out a short form | 2.499 | 1.078 | 2.499 | 1.078 |
| MONEY_FRAUD_3 | meta | Lots of money and several fraud phrases | 2.573 | 1.185 | 2.573 | 1.185 |
| MONEY_FRAUD_5 | meta | Lots of money and many fraud phrases | 2.503 | 1.406 | 2.503 | 1.406 |
| MONEY_FRAUD_8 | meta | Lots of money and very many fraud phrases | 1.240 | 2.037 | 1.240 | 2.037 |
| MONEY_FREEMAIL_REPTO | meta | Lots of money from someone using free email? | 2.999 | 1.109 | 2.999 | 1.109 |
| MONEY_FROM_MISSP | meta | Lots of money and misspaced From | 1.322 | 0.001 | 1.322 | 0.001 |
| MORE_SEX | body | Talks about a bigger drive for sex | 2.799 | 2.765 | 2.568 | 1.413 |
| MPART_ALT_DIFF | body | HTML and text parts are different | 2.246 | 0.724 | 0.595 | 0.790 |
| MPART_ALT_DIFF_COUNT | body | HTML and text parts are different | 2.799 | 1.483 | 1.199 | 1.112 |
| MSGID_DOLLARS_URI_IMG | meta | Suspicious Message-ID and image | 1.000 | 1.000 | 1.000 | 1.000 |
| MSGID_FROM_MTA_HEADER | meta | Message-Id was added by a relay | 0.401 | 0.001 | 0.473 | 0.001 |
| MSGID_HDR_MALF | meta | Has invalid message ID header | 1.000 | 1.000 | 1.000 | 1.000 |
| MSGID_MULTIPLE_AT | header | Message-ID contains multiple '@' characters | 1.000 | 1.000 | 1.000 | 1.000 |
| MSGID_OUTLOOK_INVALID | header | Message-Id is fake (in Outlook Express format) | 3.899 | 3.899 | 3.899 | 3.899 |
| MSGID_RANDY | meta | Message-Id has pattern used in spam | 2.196 | 2.599 | 2.599 | 2.599 |
| MSGID_SHORT | header | Message-ID is unusually short | 0.001 | 0.337 | 0.001 | 0.001 |
| MSGID_SPAM_CAPS | header | Spam tool Message-Id: (caps variant) | 2.366 | 1.997 | 3.099 | 3.099 |
| MSGID_YAHOO_CAPS | header | Message-ID has ALLCAPS@yahoo.com | 0.797 | 1.413 | 2.278 | 1.411 |
| MSMAIL_PRI_ABNORMAL | meta | Email priority often abused | 0.209 | 1.067 | 0.209 | 1.067 |
| MSM_PRIO_REPTO | meta | MSMail priority header + Reply-to + short subject | 1.000 | 1.000 | 1.000 | 1.000 |
| MSOE_MID_WRONG_CASE | meta | No description provided | 0.993 | 3.373 | 0.960 | 2.584 |
| NA_DOLLARS | body | Talks about a million North American dollars | 1.499 | 1.499 | 1.499 | 1.499 |
| NEWEGG_IMG_NOT_RCVD_NEGG | meta | Newegg hosted image but message not from Newegg | 1.000 | 1.000 | 1.000 | 1.000 |
| NEW_PRODUCTS | meta | No description provided | 1.000 | 1.000 | 1.000 | 1.000 |
| NICE_REPLY_A | meta | Looks like a legit reply (A) | -0.001 | -0.001 | -0.001 | -0.001 |
| NML_ADSP_CUSTOM_HIGH | meta | ADSP custom_high hit, and not from a mailing list | 0.000 | 2.600 | 0.000 | 2.500 |
| NML_ADSP_CUSTOM_LOW | meta | ADSP custom_low hit, and not from a mailing list | 0.000 | 0.700 | 0.000 | 0.700 |
| NML_ADSP_CUSTOM_MED | meta | ADSP custom_med hit, and not from a mailing list | 0.000 | 1.200 | 0.000 | 0.900 |
| NORDNS_LOW_CONTRAST | meta | No rDNS + hidden text | 0.001 | 1.152 | 0.001 | 1.152 |
| NORMAL_HTTP_TO_IP | uri | URI host has a public dotted-decimal IPv4 address | 0.159 | 0.001 | 0.795 | 0.001 |
| NOT_SPAM | body | I'm not spam! Really! I'm not, I'm not, I'm not! | 1.000 | 1.000 | 1.000 | 1.000 |
| NO_DNS_FOR_FROM | header | Envelope sender has no MX or A DNS records | 0.000 | 0.379 | 0.000 | 0.001 |
| NO_FM_NAME_IP_HOSTN | meta | No From name + hostname using IP address | 0.001 | 0.001 | 0.001 | 0.001 |
| NO_HEADERS_MESSAGE | meta | Message appears to be missing most RFC-822 headers | 0.001 | 0.001 | 0.001 | 0.001 |
| NO_MEDICAL | body | No Medical Exams | 2.199 | 1.254 | 2.199 | 1.773 |
| NO_PRESCRIPTION | body | No prescription needed | 1.915 | 1.102 | 2.280 | 2.399 |
| NO_RDNS_DOTCOM_HELO | header | Host HELO'd as a big ISP, but had no rDNS | 3.100 | 0.433 | 3.099 | 0.823 |
| NO_RECEIVED | meta | Informational: message has no Received headers | -0.001 | -0.001 | -0.001 | -0.001 |
| NO_RELAYS | header | Informational: message was not relayed via SMTP | -0.001 | -0.001 | -0.001 | -0.001 |
| NSL_RCVD_FROM_USER | header | Received from User | 0.001 | 0.001 | 0.001 | 0.001 |
| NSL_RCVD_HELO_USER | header | Received from HELO User | 0.001 | 2.259 | 0.001 | 2.259 |
| NULL_IN_BODY | full | Message has NUL (ASCII 0) byte in message | 0.511 | 0.498 | 2.056 | 1.596 |
| NUMBERONLY_BITCOIN_EXP | meta | Domain ends in a large number and very short body with link | 1.999 | 1.999 | 1.999 | 1.999 |
| NUMERIC_HTTP_ADDR | uri | Uses a numeric IP address in URL | 0.000 | 0.001 | 0.001 | 1.242 |
| OBFUSCATING_COMMENT | meta | HTML comments which obfuscate text | 0.000 | 0.000 | 0.001 | 0.723 |
| OBFU_BITCOIN | meta | Obfuscated BitCoin references | 1.000 | 1.000 | 1.000 | 1.000 |
| OBFU_JVSCR_ESC | rawbody | Injects content using obfuscated javascript | 1.000 | 1.000 | 1.000 | 1.000 |
| OBFU_TEXT_ATTACH | mimeheader | Text attachment with non-text MIME type | 0.046 | 0.898 | 0.046 | 0.898 |
| OBFU_UNSUB_UL | meta | Obfuscated unsubscribe text | 1.000 | 1.000 | 1.000 | 1.000 |
| ODD_FREEM_REPTO | meta | Has unusual reply-to header | 2.999 | 2.557 | 2.999 | 2.557 |
| ONE_TIME | body | One Time Rip Off | 1.840 | 1.175 | 1.830 | 0.714 |
| ONLINE_PHARMACY | body | Online Pharmacy | 0.843 | 2.371 | 0.008 | 0.650 |
| OOOBOUNCE_MESSAGE | meta | Out Of Office bounce message | 0.100 | 0.100 | 0.100 | 0.100 |
| PART_CID_STOCK | meta | Has a spammy image attachment (by Content-ID) | 0.001 | 0.001 | 0.001 | 0.000 |
| PART_CID_STOCK_LESS | meta | Has a spammy image attachment (by Content-ID, more specific) | 0.000 | 0.036 | 0.745 | 0.894 |
| PDS_BAD_THREAD_QP_64 | meta | Bad thread header - short QP | 0.001 | 0.001 | 0.001 | 0.001 |
| PDS_BTC_ID | meta | FP reduced Bitcoin ID | 0.499 | 0.292 | 0.499 | 0.292 |
| PDS_BTC_MSGID | meta | Bitcoin ID with T_MSGID_NOFQDN2 | 0.001 | 0.001 | 0.001 | 0.001 |
| PDS_BTC_NTLD | meta | Bitcoin suspect NTLD | 0.789 | 0.027 | 0.789 | 0.027 |
| PDS_DBL_URL_TNB_RUNON | meta | Double-url and To no arrows, from runon | 1.999 | 1.000 | 1.999 | 1.000 |
| PDS_EMPTYSUBJ_URISHRT | meta | Empty subject with little more than URI shortener | 1.477 | 1.419 | 1.477 | 1.419 |
| PDS_FROM_2_EMAILS_SHRTNER | meta | From 2 emails short email with little more than a URI shortener | 0.605 | 1.445 | 0.605 | 1.445 |
| PDS_HELO_SPF_FAIL | meta | High profile HELO that fails SPF | 0.001 | 1.999 | 0.001 | 1.999 |
| PDS_NAKED_TO_NUMERO | meta | Naked-to, numberonly domain | 1.996 | 1.149 | 1.996 | 1.149 |
| PDS_NO_FULL_NAME_SPOOFED_URL | meta | HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME | 0.749 | 0.749 | 0.749 | 0.749 |
| PDS_PHP_EVAL | meta | PHP header shows eval'd code | 1.000 | 1.499 | 1.000 | 1.499 |
| PDS_RDNS_DYNAMIC_FP | meta | RDNS_DYNAMIC with FP steps | 0.001 | 0.010 | 0.001 | 0.010 |
| PDS_SHORT_SPOOFED_URL | meta | HTML message short and T_SPOOFED_URL (S_U_FP) | 1.999 | 1.999 | 1.999 | 1.999 |
| PDS_TINYSUBJ_URISHRT | meta | Short subject with URL shortener | 1.499 | 1.356 | 1.499 | 1.356 |
| PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE | meta | Forged replyto and __PDS_TONAME_EQ_TOLOCAL | 1.000 | 1.000 | 1.000 | 1.000 |
| PDS_TONAME_EQ_TOLOCAL_VSHORT | meta | Very short body and From looks like 2 different emails | 0.999 | 0.999 | 0.999 | 0.999 |
| PERCENT_RANDOM | meta | Message has a random macro in it | 2.999 | 2.837 | 2.983 | 1.838 |
| PHISH_ATTACH | meta | Attachment filename suspicious, probable phishing | 3.500 | 3.500 | 3.500 | 3.500 |
| PHISH_AZURE_CLOUDAPP | uri | Link to known phishing web application | 3.500 | 3.500 | 3.500 | 3.500 |
| PHISH_FBASEAPP | meta | Probable phishing via hosted web app | 1.000 | 1.000 | 1.000 | 1.000 |
| PHP_NOVER_MUA | meta | Mail from PHP with no version number | 1.000 | 1.000 | 1.000 | 1.000 |
| PHP_ORIG_SCRIPT | meta | Sent by bot & other signs | 2.347 | 1.351 | 2.347 | 1.351 |
| PHP_ORIG_SCRIPT_EVAL | meta | From suspicious PHP source | 1.000 | 2.999 | 1.000 | 2.999 |
| PHP_SCRIPT | meta | Sent by PHP script | 2.499 | 2.398 | 2.499 | 2.398 |
| PHP_SCRIPT_MUA | meta | Sent by PHP script, no version number | 1.000 | 1.000 | 1.000 | 1.000 |
| PLING_QUERY | meta | Subject has exclamation mark and question mark | 0.100 | 0.100 | 0.100 | 0.100 |
| POSSIBLE_APPLE_PHISH_02 | meta | Claims to be from apple but not processed by any apple MTA | 1.000 | 1.000 | 1.000 | 1.000 |
| POSSIBLE_EBAY_PHISH_02 | meta | Claims to be from ebay but not processed by any ebay MTA | 1.000 | 1.000 | 1.000 | 1.000 |
| POSSIBLE_GMAIL_PHISHER | meta | Apparent phishing email sent from a gmail account | 1.382 | 0.694 | 1.382 | 0.694 |
| POSSIBLE_PAYPAL_PHISH_01 | meta | Claims to be from paypal but has non-paypal from email address | 1.000 | 1.000 | 1.000 | 1.000 |
| POSSIBLE_PAYPAL_PHISH_02 | meta | Claims to be from paypal but not processed by any paypal MTA | 1.000 | 1.000 | 1.000 | 1.000 |
| PP_MIME_FAKE_ASCII_TEXT | body | MIME text/plain claims to be ASCII but isn't | 0.999 | 0.001 | 0.999 | 0.001 |
| PP_TOO_MUCH_UNICODE02 | body | Is text/plain but has many unicode escapes | 0.500 | 0.500 | 0.500 | 0.500 |
| PP_TOO_MUCH_UNICODE05 | body | Is text/plain but has many unicode escapes | 1.000 | 1.000 | 1.000 | 1.000 |
| PRICES_ARE_AFFORDABLE | body | Message says that prices aren't too expensive | 0.794 | 0.851 | 1.112 | 0.551 |
| PUMPDUMP | meta | Pump-and-dump stock scam phrase | 1.000 | 1.000 | 1.000 | 1.000 |
| PUMPDUMP_MULTI | meta | Pump-and-dump stock scam phrases | 1.000 | 1.000 | 1.000 | 1.000 |
| PUMPDUMP_TIP | meta | Pump-and-dump stock tip | 1.000 | 1.000 | 1.000 | 1.000 |
| PYZOR_CHECK | full | Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/) | 0.000 | 1.985 | 0.000 | 1.392 |
| RAND_HEADER_LIST_SPOOF | meta | Random gibberish message header(s) + pretending to be a mailing list | 1.000 | 1.000 | 1.000 | 1.000 |
| RAND_HEADER_MANY | meta | Multiple random gibberish message headers | 1.000 | 1.000 | 1.000 | 1.000 |
| RAND_MKTG_HEADER | meta | Has partially-randomized marketing/tracking header(s) | 1.999 | 1.999 | 1.999 | 1.999 |
| RATWARE_EFROM | header | Bulk email fingerprint (envfrom) found | 0.100 | 0.100 | 0.100 | 0.100 |
| RATWARE_EGROUPS | header | Bulk email fingerprint (eGroups) found | 1.898 | 1.258 | 1.406 | 1.621 |
| RATWARE_MPOP_WEBMAIL | header | Bulk email fingerprint (mPOP Web-Mail) | 1.153 | 1.338 | 1.229 | 1.999 |
| RATWARE_MS_HASH | meta | Bulk email fingerprint (msgid ms hash) found | 1.000 | 1.000 | 1.000 | 1.000 |
| RATWARE_NAME_ID | meta | Bulk email fingerprint (msgid from) found | 3.099 | 0.309 | 3.099 | 0.247 |
| RATWARE_NO_RDNS | meta | Suspicious MsgID and MIME boundary + no rDNS | 0.001 | 1.897 | 0.001 | 1.897 |
| RATWARE_OUTLOOK_NONAME | meta | Bulk email fingerprint (Outlook no name) found | 1.000 | 1.000 | 1.000 | 1.000 |
| RATWARE_ZERO_TZ | meta | Bulk email fingerprint (+0000) found | 2.392 | 2.535 | 0.265 | 1.781 |
| RAZOR2_CF_RANGE_51_100 | full | Razor2 gives confidence level above 50% | 0.000 | 2.430 | 0.000 | 1.886 |
| RAZOR2_CHECK | full | Listed in Razor2 (http://razor.sf.net/) | 0.000 | 1.729 | 0.000 | 0.922 |
| RCVD_DBL_DQ | header | Malformatted message header | 1.000 | 1.000 | 1.000 | 1.000 |
| RCVD_DOTEDU_SHORT | meta | Via .edu MTA + short message | 1.000 | 1.000 | 1.000 | 1.000 |
| RCVD_DOTEDU_SUSP_URI | meta | Via .edu MTA + suspicious URI | 1.000 | 1.000 | 1.000 | 1.000 |
| RCVD_DOUBLE_IP_LOOSE | meta | Received: by and from look like IP addresses | 1.150 | 0.960 | 1.042 | 1.012 |
| RCVD_DOUBLE_IP_SPAM | meta | Bulk email fingerprint (double IP) found | 2.411 | 2.777 | 1.912 | 1.808 |
| RCVD_FAKE_HELO_DOTCOM | header | Received contains a faked HELO hostname | 2.799 | 2.389 | 2.605 | 1.189 |
| RCVD_HELO_IP_MISMATCH | header | Received: HELO and IP do not match, but should | 1.680 | 1.186 | 2.362 | 2.368 |
| RCVD_ILLEGAL_IP | header | Received: contains illegal IP address | 1.300 | 1.300 | 1.300 | 1.300 |
| RCVD_IN_BL_SPAMCOP_NET | header | Received via a relay in bl.spamcop.net | 0.000 | 1.246 | 0.000 | 1.347 |
| RCVD_IN_DNSWL_BLOCKED | header | ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. | 0.000 | 0.001 | 0.000 | 0.001 |
| RCVD_IN_DNSWL_HI | header | Sender listed at https://www.dnswl.org/, high trust | 0.000 | -5.000 | 0.000 | -5.000 |
| RCVD_IN_DNSWL_LOW | header | Sender listed at https://www.dnswl.org/, low trust | 0.000 | -0.700 | 0.000 | -0.700 |
| RCVD_IN_DNSWL_MED | header | Sender listed at https://www.dnswl.org/, medium trust | 0.000 | -2.300 | 0.000 | -2.300 |
| RCVD_IN_DNSWL_NONE | header | Sender listed at https://www.dnswl.org/, no trust | 0.000 | -0.000 | 0.000 | -0.000 |
| RCVD_IN_IADB_DK | header | IADB: Sender publishes Domain Keys record | 0.000 | -0.223 | 0.000 | -0.095 |
| RCVD_IN_IADB_DOPTIN | header | IADB: All mailing list mail is confirmed opt-in | 0.000 | -4.000 | 0.000 | -4.000 |
| RCVD_IN_IADB_DOPTIN_LT50 | header | IADB: Confirmed opt-in used less than 50% of the time | 0.000 | -0.001 | 0.000 | -0.001 |
| RCVD_IN_IADB_LISTED | header | Participates in the IADB system | 0.000 | -0.380 | 0.000 | -0.001 |
| RCVD_IN_IADB_MI_CPR_MAT | header | IADB: Sends no material under Michigan's CPR | 0.000 | -0.332 | 0.000 | 0.000 |
| RCVD_IN_IADB_ML_DOPTIN | header | IADB: Mailing list email only, confirmed opt-in | 0.000 | -6.000 | 0.000 | -6.000 |
| RCVD_IN_IADB_OPTIN | header | IADB: All mailing list mail is opt-in | 0.000 | -2.057 | 0.000 | -1.470 |
| RCVD_IN_IADB_OPTIN_GT50 | header | IADB: Opt-in used more than 50% of the time | 0.000 | -1.208 | 0.000 | -0.007 |
| RCVD_IN_IADB_RDNS | header | IADB: Sender has reverse DNS record | 0.000 | -0.167 | 0.000 | -0.235 |
| RCVD_IN_IADB_SENDERID | header | IADB: Sender publishes Sender ID record | 0.000 | -0.001 | 0.000 | -0.001 |
| RCVD_IN_IADB_SPF | header | IADB: Sender publishes SPF record | 0.000 | -0.001 | 0.000 | -0.059 |
| RCVD_IN_IADB_UT_CPR_MAT | header | IADB: Sends no material under Utah's CPR | 0.000 | -0.095 | 0.000 | -0.001 |
| RCVD_IN_IADB_VOUCHED | header | ISIPP IADB lists as vouched-for sender | 0.000 | -2.200 | 0.000 | -2.200 |
| RCVD_IN_MSPIKE_BL | meta | Mailspike blocklisted | 0.010 | 0.010 | 0.010 | 0.010 |
| RCVD_IN_MSPIKE_H2 | header | Average reputation (+2) | 0.001 | -0.001 | 0.001 | -0.001 |
| RCVD_IN_MSPIKE_H3 | header | Good reputation (+3) | -0.010 | -0.010 | -0.010 | -0.010 |
| RCVD_IN_MSPIKE_H4 | header | Very Good reputation (+4) | -0.010 | -0.010 | -0.010 | -0.010 |
| RCVD_IN_MSPIKE_H5 | header | Excellent reputation (+5) | -1.000 | -1.000 | -1.000 | -1.000 |
| RCVD_IN_MSPIKE_L2 | header | Suspicious reputation (-2) | 1.000 | 1.000 | 1.000 | 1.000 |
| RCVD_IN_MSPIKE_L3 | header | Low reputation (-3) | 0.900 | 0.900 | 0.900 | 0.900 |
| RCVD_IN_MSPIKE_L4 | header | Bad reputation (-4) | 1.700 | 1.700 | 1.700 | 1.700 |
| RCVD_IN_MSPIKE_L5 | header | Very bad reputation (-5) | 2.500 | 2.500 | 2.500 | 2.500 |
| RCVD_IN_MSPIKE_WL | meta | Mailspike good senders | -0.010 | -0.010 | -0.010 | -0.010 |
| RCVD_IN_MSPIKE_ZBI | meta | No description provided | 2.700 | 2.700 | 2.700 | 2.700 |
| RCVD_IN_PBL | header | Received via a relay in Spamhaus PBL | 0.000 | 3.558 | 0.000 | 3.335 |
| RCVD_IN_PSBL | header | Received via a relay in PSBL | 0.000 | 2.700 | 0.000 | 2.700 |
| RCVD_IN_SBL | header | Received via a relay in Spamhaus SBL | 0.000 | 2.596 | 0.000 | 0.141 |
| RCVD_IN_SBL_CSS | header | Received via a relay in Spamhaus SBL-CSS | 0.000 | 3.558 | 0.000 | 3.335 |
| RCVD_IN_SORBS_DUL | header | SORBS: sent directly from dynamic IP address | 0.000 | 0.001 | 0.000 | 0.001 |
| RCVD_IN_SORBS_HTTP | header | SORBS: sender is open HTTP proxy server | 0.000 | 2.499 | 0.000 | 0.001 |
| RCVD_IN_SORBS_SOCKS | header | SORBS: sender is open SOCKS proxy server | 0.000 | 2.443 | 0.000 | 1.927 |
| RCVD_IN_SORBS_WEB | header | SORBS: sender is an abusable web server | 0.000 | 1.500 | 0.000 | 1.500 |
| RCVD_IN_VALIDITY_CERTIFIED | header | Sender in Validity Certification - Contact certification@validity.com | 0.000 | -3.000 | 0.000 | -3.000 |
| RCVD_IN_VALIDITY_RPBL | header | Relay in Validity RPBL, https://senderscore.org/blocklistlookup/ | 0.000 | 1.284 | 0.000 | 1.310 |
| RCVD_IN_VALIDITY_SAFE | header | Sender in Validity Safe - Contact certification@validity.com | 0.000 | -2.000 | 0.000 | -2.000 |
| RCVD_IN_XBL | header | Received via a relay in Spamhaus XBL | 0.000 | 0.724 | 0.000 | 0.375 |
| RCVD_IN_ZEN_BLOCKED | header | ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ | 0.000 | 0.001 | 0.000 | 0.001 |
| RCVD_IN_ZEN_BLOCKED_OPENDNS | header | ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ | 0.000 | 0.001 | 0.000 | 0.001 |
| RCVD_NUMERIC_HELO | ??? | No description provided | 0.001 | 0.865 | 0.001 | 1.164 |
| RDNS_DYNAMIC | meta | Delivered to internal network by host with dynamic-looking rDNS | 2.639 | 0.363 | 1.663 | 0.982 |
| RDNS_LOCALHOST | header | Sender's public rDNS is "localhost" | 3.700 | 0.969 | 2.345 | 0.001 |
| RDNS_NONE | meta | Delivered to internal network by a host with no rDNS | 2.399 | 1.274 | 1.228 | 0.793 |
| RDNS_NUM_TLD_ATCHNX | meta | Relay rDNS has numeric TLD + suspicious attachment | 1.000 | 1.000 | 1.000 | 1.000 |
| RDNS_NUM_TLD_XM | meta | Relay rDNS has numeric TLD + suspicious headers | 1.000 | 1.000 | 1.000 | 1.000 |
| REMOVE_BEFORE_LINK | body | Removal phrase right before a link | 0.100 | 0.100 | 0.100 | 0.100 |
| REPLICA_WATCH | body | Message talks about a replica watch | 3.487 | 3.164 | 4.074 | 3.775 |
| REPLYTO_WITHOUT_TO_CC | meta | No description provided | 2.399 | 1.946 | 0.607 | 1.552 |
| REPTO_419_FRAUD | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_AOL | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_AOL_LOOSE | meta | Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_CNS | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_GM | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_GM_LOOSE | meta | Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_HM | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_OL | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_PM | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_QQ | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_YH | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_YH_LOOSE | meta | Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_YJ | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_419_FRAUD_YN | header | Reply-To is known advance fee fraud collector mailbox | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_INFONUMSCOM | meta | No description provided | 1.000 | 1.000 | 1.000 | 1.000 |
| REPTO_QUOTE_YAHOO | meta | Yahoo! doesn't do quoting like this | 0.001 | 0.490 | 0.001 | 0.646 |
| RISK_FREE | meta | No risk! | 1.000 | 1.000 | 1.000 | 1.000 |
| RP_MATCHES_RCVD | ??? | No description provided | -0.001 | -0.001 | -0.001 | -0.001 |
| SB_GIF_AND_NO_URIS | meta | No description provided | 2.199 | 2.199 | 2.200 | 2.199 |
| SCC_BOGUS_CTE_1 | meta | Bogus Content-Transfer-Encoding header | 1.000 | 1.000 | 1.000 | 1.000 |
| SCC_CTMPP | meta | Uncommon Content-Type | 1.000 | 1.000 | 1.000 | 1.000 |
| SCC_ISEMM_LID_1 | header | Fingerprint of a particular spammer using an old spamware | 1.000 | 1.000 | 1.000 | 1.000 |
| SCC_ISEMM_LID_1B | header | Genericized spammer fingerprint | 1.499 | 1.499 | 1.499 | 1.499 |
| SCC_SPECIAL_GUID | rawbody | Unique in a similar way | 1.000 | 1.000 | 1.000 | 1.000 |
| SENDGRID_REDIR | meta | Redirect URI via Sendgrid | 1.499 | 1.068 | 1.499 | 1.068 |
| SENDGRID_REDIR_PHISH | meta | Redirect URI via Sendgrid + phishing signs | 1.000 | 1.000 | 1.000 | 1.000 |
| SEO_SUSP_NTLD | meta | SEO offer from suspicious TLD | 1.000 | 1.000 | 1.000 | 1.000 |
| SHOPIFY_IMG_NOT_RCVD_SFY | meta | Shopify hosted image but message not from Shopify | 2.499 | 2.298 | 2.499 | 2.298 |
| SHORTENER_SHORT_IMG | meta | Short HTML + image + URL shortener | 1.000 | 1.000 | 1.000 | 1.000 |
| SHORT_HELO_AND_INLINE_IMAGE | meta | Short HELO string, with inline image | 0.100 | 0.100 | 0.100 | 0.100 |
| SHORT_IMG_SUSP_NTLD | meta | Short HTML + image + suspicious TLD | 1.000 | 1.000 | 1.000 | 1.000 |
| SHORT_SHORTNER | meta | Short body with little more than a link to a shortener | 1.999 | 1.108 | 1.999 | 1.108 |
| SHORT_TERM_PRICE | body | No description provided | 0.001 | 0.001 | 0.001 | 0.001 |
| SORTED_RECIPS | header | Recipient list is sorted by address | 1.801 | 2.474 | 1.791 | 2.499 |
| SPAMMY_XMAILER | meta | X-Mailer string is common in spam and not in ham | 2.650 | 0.862 | 1.993 | 2.491 |
| SPF_FAIL | header | SPF: sender does not match SPF record (fail) | 0.000 | 0.919 | 0.000 | 0.001 |
| SPF_HELO_FAIL | header | SPF: HELO does not match SPF record (fail) | 0.000 | 0.001 | 0.000 | 0.001 |
| SPF_HELO_NEUTRAL | header | SPF: HELO does not match SPF record (neutral) | 0.000 | 0.001 | 0.000 | 0.112 |
| SPF_HELO_NONE | header | SPF: HELO does not publish an SPF Record | 0.001 | 0.001 | 0.001 | 0.001 |
| SPF_HELO_PASS | header | SPF: HELO matches SPF record | -0.001 | -0.001 | -0.001 | -0.001 |
| SPF_HELO_SOFTFAIL | header | SPF: HELO does not match SPF record (softfail) | 0.000 | 0.896 | 0.000 | 0.732 |
| SPF_NEUTRAL | header | SPF: sender does not match SPF record (neutral) | 0.000 | 0.652 | 0.000 | 0.779 |
| SPF_NONE | header | SPF: sender does not publish an SPF Record | 0.001 | 0.001 | 0.001 | 0.001 |
| SPF_PASS | header | SPF: sender matches SPF record | -0.001 | -0.001 | -0.001 | -0.001 |
| SPF_SOFTFAIL | header | SPF: sender does not match SPF record (softfail) | 0.000 | 0.972 | 0.000 | 0.665 |
| SPOOFED_FREEMAIL | meta | No description provided | 0.001 | 0.001 | 0.001 | 0.001 |
| SPOOFED_FREEMAIL_NO_RDNS | meta | From SPOOFED_FREEMAIL and no rDNS | 0.001 | 0.001 | 0.001 | 0.001 |
| SPOOFED_FREEM_REPTO | meta | Forged freemail sender with freemail reply-to | 0.001 | 2.499 | 0.001 | 2.499 |
| SPOOFED_FREEM_REPTO_CHN | meta | Forged freemail sender with Chinese freemail reply-to | 0.001 | 1.215 | 0.001 | 1.215 |
| SPOOFED_FREEM_REPTO_RUS | meta | Forged freemail sender with Russian freemail reply-to | 0.001 | 1.000 | 0.001 | 1.000 |
| SPOOF_COM2COM | meta | URI contains ".com" in middle and end | 0.001 | 0.001 | 0.001 | 0.001 |
| SPOOF_COM2OTH | uri | URI contains ".com" in middle | 0.001 | 0.001 | 0.001 | 0.001 |
| SPOOF_GMAIL_MID | meta | From Gmail but it doesn't seem to be... | 1.499 | 0.001 | 1.499 | 0.001 |
| STATIC_XPRIO_OLE | meta | Static RDNS + X-Priority + MIMEOLE | 0.001 | 1.865 | 0.001 | 1.865 |
| STOCK_IMG_CTYPE | meta | Stock spam image part, with distinctive Content-Type header | 0.001 | 0.005 | 0.001 | 0.001 |
| STOCK_IMG_HDR_FROM | meta | Stock spam image part, with distinctive From line | 0.001 | 0.001 | 0.001 | 0.021 |
| STOCK_IMG_HTML | meta | Stock spam image part, with distinctive HTML | 0.000 | 0.028 | 0.000 | 0.005 |
| STOCK_IMG_OUTLOOK | meta | Stock spam image part, with Outlook-like features | 0.001 | 0.702 | 0.413 | 0.190 |
| STOCK_TIP | meta | Stock tips | 1.000 | 1.000 | 1.000 | 1.000 |
| STOX_BOUND_090909_B | header | No description provided | 1.674 | 0.001 | 1.674 | 0.001 |
| STOX_REPLY_TYPE | header | No description provided | 1.898 | 0.212 | 0.141 | 0.439 |
| STOX_REPLY_TYPE_WITHOUT_QUOTES | meta | No description provided | 3.099 | 1.860 | 1.629 | 1.757 |
| SUBJECT_DIET | header | Subject talks about losing pounds | 1.927 | 1.563 | 0.817 | 1.466 |
| SUBJECT_DRUG_GAP_C | header | Subject contains a gappy version of 'cialis' | 2.108 | 0.989 | 1.348 | 2.140 |
| SUBJECT_DRUG_GAP_L | header | Subject contains a gappy version of 'levitra' | 2.799 | 2.304 | 1.402 | 1.561 |
| SUBJECT_FUZZY_CHEAP | header | Attempt to obfuscate words in Subject: | 0.641 | 1.831 | 0.833 | 0.001 |
| SUBJECT_IN_BLACKLIST | meta | DEPRECATED: See SUBJECT_IN_BLOCKLIST | 100.000 | 100.000 | 100.000 | 100.000 |
| SUBJECT_IN_BLOCKLIST | header | Subject: contains string in the user's block-list | 0.010 | 0.010 | 0.010 | 0.010 |
| SUBJECT_IN_WELCOMELIST | header | Subject: contains string in the user's welcome-list | -0.010 | -0.010 | -0.010 | -0.010 |
| SUBJECT_IN_WHITELIST | meta | DEPRECATED: See SUBJECT_IN_WELCOMELIST | -100.000 | -100.000 | -100.000 | -100.000 |
| SUBJECT_NEEDS_ENCODING | meta | Subject includes non-encoded illegal characters | 0.498 | 0.100 | 0.804 | 0.049 |
| SUBJ_ALL_CAPS | header | Subject is all capitals | 0.500 | 0.500 | 0.500 | 0.500 |
| SUBJ_AS_SEEN | header | Subject contains "As Seen" | 2.711 | 3.099 | 3.099 | 1.461 |
| SUBJ_BRKN_WORDNUMS | meta | Subject contains odd word breaks and numbers | 1.000 | 1.000 | 1.000 | 1.000 |
| SUBJ_BUY | header | Subject line starts with Buy or Buying | 0.594 | 1.498 | 0.001 | 0.639 |
| SUBJ_DOLLARS | header | Subject starts with dollar amount | 0.100 | 0.100 | 0.100 | 0.100 |
| SUBJ_ILLEGAL_CHARS | meta | Subject: has too many raw illegal characters | 0.620 | 1.105 | 0.448 | 1.518 |
| SUBJ_YOUR_FAMILY | header | Subject contains "Your Family" | 2.910 | 2.999 | 2.999 | 2.999 |
| SURBL_BLOCKED | body | ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. | 1.000 | 1.000 | 1.000 | 1.000 |
| SUSPICIOUS_RECIPS | header | Similar addresses in recipient list | 2.499 | 2.497 | 2.139 | 2.510 |
| SUSP_UTF8_WORD_SUBJ | meta | Word in Subject using only suspicious UTF-8 characters | 2.000 | 1.999 | 2.000 | 1.999 |
| SYSADMIN | meta | Supposedly from your IT department | 1.000 | 1.000 | 1.000 | 1.000 |
| TAGSTAT_IMG_NOT_RCVD_TGST | meta | Tagstat hosted image but message not from Tagstat | 1.000 | 1.000 | 1.000 | 1.000 |
| TARINGANET_IMG_NOT_RCVD_TN | meta | media.taringa.net hosted image but message not from taringa.net | 1.000 | 1.000 | 1.000 | 1.000 |
| TBIRD_SUSP_MIME_BDRY | meta | Unlikely Thunderbird MIME boundary | 2.400 | 2.400 | 2.399 | 2.399 |
| TEQF_USR_IMAGE | meta | To and from user nearly same + image | 1.000 | 1.000 | 1.000 | 1.000 |
| TEQF_USR_MSGID_HEX | meta | To and from user nearly same + unusual message ID | 1.000 | 1.000 | 1.000 | 1.000 |
| TEQF_USR_MSGID_MALF | meta | To and from user nearly same + malformed message ID | 1.000 | 1.000 | 1.000 | 1.000 |
| THEBAT_UNREG | header | No description provided | 2.599 | 1.843 | 2.324 | 1.524 |
| THIS_AD | meta | "This ad" and variants | 2.400 | 1.262 | 2.400 | 1.262 |
| THIS_IS_ADV_SUSP_NTLD | meta | This is an advertisement from a suspicious TLD | 1.000 | 1.000 | 1.000 | 1.000 |
| TONLINE_FAKE_DKIM | meta | t-online.de doesn't do DKIM | 1.000 | 1.000 | 1.000 | 1.000 |
| TONOM_EQ_TOLOC_SHRT_SHRTNER | meta | Short email with shortener and To:name eq To:local | 0.001 | 0.001 | 0.001 | 0.001 |
| TO_EQ_FM_DIRECT_MX | meta | To == From and direct-to-MX | 1.000 | 1.000 | 1.000 | 1.000 |
| TO_EQ_FM_DOM_SPF_FAIL | meta | To domain == From domain and external SPF failed | 0.001 | 0.001 | 0.001 | 0.001 |
| TO_EQ_FM_SPF_FAIL | meta | To == From and external SPF failed | 0.001 | 0.001 | 0.001 | 0.001 |
| TO_IN_SUBJ | meta | To address is in Subject | 0.100 | 0.100 | 0.100 | 0.100 |
| TO_MALFORMED | header | To: has a malformed address | 0.100 | 0.100 | 0.100 | 0.100 |
| TO_NAME_SUBJ_NO_RDNS | meta | Recipient username in subject + no rDNS | 2.605 | 0.950 | 2.605 | 0.950 |
| TO_NO_BRKTS_FROM_MSSP | meta | Multiple header formatting problems | 2.499 | 2.499 | 2.499 | 2.499 |
| TO_NO_BRKTS_HTML_IMG | meta | To: lacks brackets and HTML and one image | 1.999 | 1.999 | 1.999 | 1.999 |
| TO_NO_BRKTS_HTML_ONLY | meta | To: lacks brackets and HTML only | 2.000 | 1.999 | 2.000 | 1.999 |
| TO_NO_BRKTS_MSFT | meta | To: lacks brackets and supposed Microsoft tool | 0.001 | 0.546 | 0.001 | 0.546 |
| TO_NO_BRKTS_NORDNS_HTML | meta | To: lacks brackets and no rDNS and HTML only | 1.999 | 1.370 | 1.999 | 1.370 |
| TO_NO_BRKTS_PCNT | meta | To: lacks brackets + percentage | 2.499 | 2.500 | 2.499 | 2.500 |
| TO_TOO_MANY_WFH_01 | meta | Work-from-Home + many recipients | 1.000 | 1.000 | 1.000 | 1.000 |
| TRACKER_ID | body | Incorporates a tracking ID number | 0.100 | 0.100 | 0.100 | 0.100 |
| TT_MSGID_TRUNC | header | Scora: Message-Id ends after left-bracket + digits | 0.748 | 0.023 | 1.434 | 1.448 |
| TVD_APPROVED | body | Body states that the recipient has been approved | 1.000 | 1.000 | 1.000 | 1.000 |
| TVD_FINGER_02 | header | No description provided | 0.001 | 0.001 | 0.001 | 0.001 |
| TVD_FW_GRAPHIC_NAME_LONG | mimeheader | Long image attachment name | 0.001 | 0.648 | 0.836 | 1.293 |
| TVD_FW_GRAPHIC_NAME_MID | mimeheader | Medium sized image attachment name | 0.600 | 0.001 | 0.389 | 0.095 |
| TVD_INCREASE_SIZE | body | Advertising for penis enlargement | 1.529 | 0.601 | 1.055 | 0.001 |
| TVD_PH_7 | body | No description provided | 2.199 | 2.299 | 2.199 | 2.299 |
| TVD_PH_BODY_ACCOUNTS_PRE | meta | The body matches phrases such as "accounts suspended", "account credited", "account verification" | 0.001 | 0.001 | 0.001 | 0.001 |
| TVD_PH_REC | body | Message includes a phrase commonly used in phishing mails | 0.100 | 0.100 | 0.100 | 0.100 |
| TVD_PH_SEC | body | Message includes a phrase commonly used in phishing mails | 0.100 | 0.100 | 0.100 | 0.100 |
| TVD_QUAL_MEDS | body | The body matches phrases such as "quality meds" or "quality medication" | 2.697 | 2.397 | 2.799 | 2.483 |
| TVD_RCVD_IP | header | Message was received from an IP address | 0.001 | 0.001 | 0.001 | 0.001 |
| TVD_RCVD_IP4 | header | Message was received from an IPv4 address | 0.001 | 0.001 | 0.001 | 0.001 |
| TVD_SPACE_ENCODED | ??? | No description provided | 1.500 | 1.500 | 1.500 | 1.500 |
TVD_SPACE_RATIOmetaNo description provided0.0010.0010.0010.001
TVD_SPACE_RATIO_MINFP???No description provided1.5001.5001.5001.500
TVD_SUBJ_ACC_NUMheaderSubject has spammy looking monetary reference0.1000.1000.1000.100
TVD_SUBJ_APPR_LOANheaderNo description provided0.0012.2000.0012.200
TVD_SUBJ_WIPE_DEBTheaderSpam advertising a way to eliminate debt2.5992.2912.5991.004
TVD_VISIT_PHARMAbodyBody mentions online pharmacy1.9571.1960.4171.406
TW_GIBBERISH_MANYmetaLots of gibberish text to spoof pattern matching filters1.0001.0001.0001.000
TXREPheaderScore normalizing based on sender's reputation1.0001.0001.0001.000
T_ACH_CANCELLED_EXE | meta | "ACH cancelled" probable malware | 0.100 | 0.100 | 0.100 | 0.100
T_ANY_PILL_PRICE | meta | Prices for pills | 0.100 | 0.100 | 0.100 | 0.100
T_CDISP_SZ_MANY | mimeheader | Suspicious MIME header | 0.100 | 0.100 | 0.100 | 0.100
T_COMPENSATION | meta | "Compensation" | 0.100 | 0.100 | 0.100 | 0.100
T_CTYPE_NULL | meta | Malformed Content-Type header | 0.100 | 0.100 | 0.100 | 0.100
T_DATE_IN_FUTURE_96_Q | header | Date: is 4 days to 4 months after Received: date | 0.100 | 0.100 | 0.100 | 0.100
T_DATE_IN_FUTURE_Q_PLUS | header | Date: is over 4 months after Received: date | 0.100 | 0.100 | 0.100 | 0.100
T_DOC_ATTACH_NO_EXT | meta | Document attachment with suspicious name | 0.100 | 0.100 | 0.100 | 0.100
T_DOS_OUTLOOK_TO_MX_IMAGE | meta | Direct to MX with Outlook headers and an image | 0.100 | 0.100 | 0.100 | 0.100
T_DOS_ZIP_HARDCORE | mimeheader | hardcore.zip file attached; quite certainly a virus | 0.100 | 0.100 | 0.100 | 0.100
T_DRUGS_ERECTILE_SHORT_SHORTNER | meta | Short erectile drugs advert with T_URL_SHORTENER | 0.100 | 0.100 | 0.100 | 0.100
T_FILL_THIS_FORM_FRAUD_PHISH | meta | Answer suspicious question(s) | 0.100 | 0.100 | 0.100 | 0.100
T_FILL_THIS_FORM_LOAN | meta | Answer loan question(s) | 0.100 | 0.100 | 0.100 | 0.100
T_FILL_THIS_FORM_SHORT | meta | Fill in a short form with personal information | 0.100 | 0.100 | 0.100 | 0.100
T_FORGED_TBIRD_IMG_SIZE | meta | Likely forged Thunderbird image spam | 0.100 | 0.100 | 0.100 | 0.100
T_FREEMAIL_DOC_PDF | meta | MS document or PDF attachment, from freemail | 0.100 | 0.100 | 0.100 | 0.100
T_FREEMAIL_DOC_PDF_BCC | meta | MS document or PDF attachment, from freemail, all recipients hidden | 0.100 | 0.100 | 0.100 | 0.100
T_FREEMAIL_RVW_ATTCH | meta | Please review attached document, from freemail | 0.100 | 0.100 | 0.100 | 0.100
T_FROMNAME_EQUALS_TO | meta | From:name matches To: | 0.100 | 0.100 | 0.100 | 0.100
T_FROMNAME_SPOOFED_EMAIL | meta | From:name looks like a spoofed email | 0.100 | 0.100 | 0.100 | 0.100
T_FROM_MULTI_NORDNS | meta | Multiple From addresses + no rDNS | 0.100 | 0.100 | 0.100 | 0.100
T_FROM_MULTI_SHORT_IMG | meta | Multiple From addresses + short message with image | 0.100 | 0.100 | 0.100 | 0.100
T_FUZZY_OPTOUT | body | Obfuscated opt-out text | 0.100 | 0.100 | 0.100 | 0.100
T_FUZZY_WELLSFARGO | meta | Obfuscated "Wells Fargo" | 0.100 | 0.100 | 0.100 | 0.100
T_GB_FREEM_FROM_NOT_REPLY | meta | From: and Reply-To: have different freemail domains | 0.100 | 0.100 | 0.100 | 0.100
T_GB_FROMNAME_SPOOFED_EMAIL_IP | meta | From:name looks like a spoofed email from a spoofed ip | 0.100 | 0.100 | 0.100 | 0.100
T_GB_WEBFORM | meta | Webform with url shortener | 0.100 | 0.100 | 0.100 | 0.100
T_HTML_ATTACH | meta | HTML attachment to bypass scanning? | 0.100 | 0.100 | 0.100 | 0.100
T_ISO_ATTACH | meta | ISO attachment - possible malware delivery | 0.100 | 0.100 | 0.100 | 0.100
T_KAM_HTML_FONT_INVALID | meta | Test for Invalidly Named or Formatted Colors in HTML | 0.100 | 0.100 | 0.100 | 0.100
T_LARGE_PCT_AFTER_MANY | meta | Many large percentages after... | 0.100 | 0.100 | 0.100 | 0.100
T_LOTTO_AGENT_FM | header | Claims Agent | 0.100 | 0.100 | 0.100 | 0.100
T_LOTTO_AGENT_RPLY | meta | Claims Agent | 0.100 | 0.100 | 0.100 | 0.100
T_LOTTO_URI | uri | Claims Department URL | 0.100 | 0.100 | 0.100 | 0.100
T_MANY_HDRS_LCASE | meta | Odd capitalization of multiple message headers | 0.100 | 0.100 | 0.100 | 0.100
T_MANY_PILL_PRICE | meta | Prices for many pills | 0.100 | 0.100 | 0.100 | 0.100
T_MIME_MALF | meta | Malformed MIME: headers in body | 0.100 | 0.100 | 0.100 | 0.100
T_MONEY_PERCENT | meta | X% of a lot of money for you | 0.100 | 0.100 | 0.100 | 0.100
T_OBFU_ATTACH_MISSP | meta | Obfuscated attachment type and misspaced From | 0.100 | 0.100 | 0.100 | 0.100
T_OBFU_DOC_ATTACH | mimeheader | MS Document attachment with generic MIME type | 0.100 | 0.100 | 0.100 | 0.100
T_OBFU_GIF_ATTACH | mimeheader | GIF attachment with generic MIME type | 0.100 | 0.100 | 0.100 | 0.100
T_OBFU_HTML_ATTACH | mimeheader | HTML attachment with non-text MIME type | 0.100 | 0.100 | 0.100 | 0.100
T_OBFU_HTML_ATT_MALW | meta | HTML attachment with incorrect MIME type - possible malware | 0.100 | 0.100 | 0.100 | 0.100
T_OBFU_JPG_ATTACH | mimeheader | JPG attachment with generic MIME type | 0.100 | 0.100 | 0.100 | 0.100
T_OBFU_PDF_ATTACH | mimeheader | PDF attachment with generic MIME type | 0.100 | 0.100 | 0.100 | 0.100
T_OFFER_ONLY_AMERICA | meta | Offer only available to US | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_BTC_AHACKER | meta | Bitcoin Hacker | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_BTC_HACKER | meta | Bitcoin Hacker | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_FREEMAIL_REPLYTO_URISHRT | meta | Freemail replyto with URI shortener | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_FROM_2_EMAILS | meta | From header has multiple different addresses | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_LTC_AHACKER | meta | Litecoin Hacker | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_LTC_HACKER | meta | Litecoin Hacker | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_OTHER_BAD_TLD | header | Untrustworthy TLDs | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_PRO_TLD | header | .pro TLD | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_SHORTFWD_URISHRT | meta | Threaded email with URI shortener | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_SHORTFWD_URISHRT_FP | meta | Apparently a short fwd/re with URI shortener | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_SHORTFWD_URISHRT_QP | meta | Apparently a short fwd/re with URI shortener | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_TO_EQ_FROM_NAME | meta | From: name same as To: address | 0.100 | 0.100 | 0.100 | 0.100
T_PDS_URISHRT_LOCALPART_SUBJ | meta | Localpart of To in subject | 0.100 | 0.100 | 0.100 | 0.100
T_PHOTO_EDITING_DIRECT | meta | Image editing service, direct to MX | 0.100 | 0.100 | 0.100 | 0.100
T_PHOTO_EDITING_FREEM | meta | Image editing service, freemail or CHN replyto | 0.100 | 0.100 | 0.100 | 0.100
T_REMOTE_IMAGE | meta | Message contains an external image | 0.100 | 0.100 | 0.100 | 0.100
T_SENT_TO_EMAIL_ADDR | meta | Email was sent to email address | 0.100 | 0.100 | 0.100 | 0.100
T_SHARE_50_50 | meta | Share the money 50/50 | 0.100 | 0.100 | 0.100 | 0.100
T_SPF_HELO_PERMERROR | header | SPF: test of HELO record failed (permerror) | 0.100 | 0.100 | 0.100 | 0.100
T_SPF_HELO_TEMPERROR | header | SPF: test of HELO record failed (temperror) | 0.100 | 0.100 | 0.100 | 0.100
T_SPF_PERMERROR | header | SPF: test of record failed (permerror) | 0.100 | 0.100 | 0.100 | 0.100
T_SPF_TEMPERROR | header | SPF: test of record failed (temperror) | 0.100 | 0.100 | 0.100 | 0.100
T_STY_INVIS_DIRECT | meta | HTML hidden text + direct-to-MX | 0.100 | 0.100 | 0.100 | 0.100
T_SUSPNTLD_EXPIRATION_EXTORT | meta | Susp NTLD with an expiration notice and lotsa money | 0.100 | 0.100 | 0.100 | 0.100
T_TONOM_EQ_TOLOC_SHRT_PSHRTNER | meta | Short subject with potential shortener and To:name eq To:local | 0.100 | 0.100 | 0.100 | 0.100
T_WON_MONEY_ATTACH | meta | You won lots of money! See attachment. | 0.100 | 0.100 | 0.100 | 0.100
T_WON_NBDY_ATTACH | meta | You won lots of money! See attachment. | 0.100 | 0.100 | 0.100 | 0.100
T_ZW_OBFU_BITCOIN | meta | Obfuscated text + bitcoin ID - possible extortion | 0.100 | 0.100 | 0.100 | 0.100
T_ZW_OBFU_FREEM | meta | Obfuscated text + freemail | 0.100 | 0.100 | 0.100 | 0.100
T_ZW_OBFU_FROMTOSUBJ | meta | Obfuscated text + from in to and subject | 0.100 | 0.100 | 0.100 | 0.100
UC_GIBBERISH_OBFU | meta | Multiple instances of "word VERYLONGGIBBERISH word" | 1.000 | 1.000 | 1.000 | 1.000
UNCLAIMED_MONEY | body | People just leave money laying around | 2.699 | 2.699 | 2.699 | 2.427
UNCLOSED_BRACKET | header | Headers contain an unclosed bracket | 2.699 | 1.329 | 1.425 | 1.496
UNDISC_FREEM | meta | Undisclosed recipients + freemail reply-to | 2.999 | 2.899 | 2.999 | 2.899
UNDISC_MONEY | meta | Undisclosed recipients + money/fraud signs | 2.748 | 1.979 | 2.748 | 1.979
UNICODE_OBFU_ASC | meta | Obfuscating text with unicode | 1.000 | 2.499 | 1.000 | 2.499
UNICODE_OBFU_ZW | meta | Obfuscating text with hidden characters | 1.000 | 1.000 | 1.000 | 1.000
UNPARSEABLE_RELAY | meta | Informational: message has unparseable relay lines | 0.001 | 0.001 | 0.001 | 0.001
UNRESOLVED_TEMPLATE | header | Headers contain an unresolved template | 3.035 | 0.716 | 2.424 | 1.252
UNSUB_GOOG_FORM | meta | Unsubscribe via Google Docs form | 1.000 | 1.000 | 1.000 | 1.000
UNWANTED_LANGUAGE_BODY | body | Message written in an undesired language | 2.800 | 2.800 | 2.800 | 2.800
UPPERCASE_50_75 | meta | message body is 50-75% uppercase | 0.001 | 0.791 | 0.001 | 0.008
UPPERCASE_75_100 | meta | message body is 75-100% uppercase | 1.480 | 1.189 | 0.001 | 0.001
URG_BIZ | meta | Contains urgent matter | 1.750 | 0.941 | 0.568 | 0.573
URIBL_ABUSE_SURBL | body | Contains a URL listed in the ABUSE SURBL blocklist | 0.000 | 1.948 | 0.000 | 1.250
URIBL_CR_SURBL | body | Contains a URL listed in the CR SURBL blocklist | 0.000 | 1.263 | 0.000 | 1.263
URIBL_CSS | body | Contains a URL's NS IP listed in the Spamhaus CSS blocklist | 0.000 | 0.100 | 0.000 | 0.100
URIBL_CSS_A | body | Contains URL's A record listed in the Spamhaus CSS blocklist | 0.000 | 0.100 | 0.000 | 0.100
URIBL_DBL_ABUSE_BOTCC | body | Contains an abused botnet C&C URL listed in the Spamhaus DBL blocklist | 0.000 | 2.500 | 0.000 | 2.500
URIBL_DBL_ABUSE_MALW | body | Contains an abused malware URL listed in the Spamhaus DBL blocklist | 0.000 | 2.500 | 0.000 | 2.500
URIBL_DBL_ABUSE_PHISH | body | Contains an abused phishing URL listed in the Spamhaus DBL blocklist | 0.000 | 2.500 | 0.000 | 2.500
URIBL_DBL_ABUSE_REDIR | body | Contains an abused redirector URL listed in the Spamhaus DBL blocklist | 0.000 | 0.001 | 0.000 | 0.001
URIBL_DBL_ABUSE_SPAM | body | Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist | 0.000 | 2.000 | 0.000 | 2.000
URIBL_DBL_BLOCKED | body | ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ | 0.000 | 0.001 | 0.000 | 0.001
URIBL_DBL_BLOCKED_OPENDNS | body | ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ | 0.000 | 0.001 | 0.000 | 0.001
URIBL_DBL_BOTNETCC | body | Contains a botnet C&C URL listed in the Spamhaus DBL blocklist | 0.000 | 2.500 | 0.000 | 2.500
URIBL_DBL_ERROR | body | Error: queried the Spamhaus DBL blocklist for an IP | 0.000 | 0.001 | 0.000 | 0.001
URIBL_DBL_MALWARE | body | Contains a malware URL listed in the Spamhaus DBL blocklist | 0.000 | 2.500 | 0.000 | 2.500
URIBL_DBL_PHISH | body | Contains a Phishing URL listed in the Spamhaus DBL blocklist | 0.000 | 2.500 | 0.000 | 2.500
URIBL_DBL_SPAM | body | Contains a spam URL listed in the Spamhaus DBL blocklist | 0.000 | 2.500 | 0.000 | 2.500
URIBL_MW_SURBL | body | Contains a URL listed in the MW SURBL blocklist | 0.000 | 1.263 | 0.000 | 1.263
URIBL_PH_SURBL | body | Contains a URL listed in the PH SURBL blocklist | 0.000 | 0.001 | 0.000 | 0.610
URIBL_RHS_DOB | body | Contains a URI of a new domain (Day Old Bread) | 0.000 | 0.276 | 0.000 | 1.514
URIBL_SBL | body | Contains a URL's NS IP listed in the Spamhaus SBL blocklist | 0.000 | 0.644 | 0.000 | 1.623
URIBL_SBL_A | body | Contains URL's A record listed in the Spamhaus SBL blocklist | 0.000 | 0.100 | 0.000 | 0.100
URIBL_ZEN_BLOCKED | body | ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ | 0.000 | 0.001 | 0.000 | 0.001
URIBL_ZEN_BLOCKED_OPENDNS | body | ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ | 0.000 | 0.001 | 0.000 | 0.001
URI_ADOBESPARK | meta | No description provided | 1.000 | 1.000 | 1.000 | 1.000
URI_AZURE_CLOUDAPP | meta | Link to hosted azure web application, possible phishing | 1.000 | 1.000 | 1.000 | 1.000
URI_DASHGOVEDU | meta | Suspicious domain name | 1.000 | 1.000 | 1.000 | 1.000
URI_DATA | meta | "data:" URI - possible malware or phish | 1.000 | 1.000 | 1.000 | 1.000
URI_DOTEDU | meta | Has .edu URI | 1.000 | 1.678 | 1.000 | 1.678
URI_DOTEDU_ENTITY | meta | Via .edu MTA + suspicious HTML content | 1.000 | 1.000 | 1.000 | 1.000
URI_DOTTY_HEX | meta | Suspicious URI format | 1.000 | 1.000 | 1.000 | 1.000
URI_DQ_UNSUB | meta | IP-address unsubscribe URI | 1.000 | 1.000 | 1.000 | 1.000
URI_FIREBASEAPP | meta | Link to hosted firebase web application, possible phishing | 1.000 | 1.000 | 1.000 | 1.000
URI_GOOGLE_PROXY | meta | Accessing a blacklisted URI or obscuring source of phish via Google proxy? | 1.799 | 1.599 | 1.799 | 1.599
URI_GOOG_STO_SPAMMY | uri | Link to spammy content hosted by google storage | 3.500 | 3.500 | 3.500 | 3.500
URI_HEX | uri | URI hostname has long hexadecimal sequence | 0.100 | 0.100 | 0.100 | 0.100
URI_HEX_IP | meta | URI with hex-encoded IP-address host | 1.000 | 1.000 | 1.000 | 1.000
URI_HOST_IN_BLACKLIST | meta | DEPRECATED: See URI_HOST_IN_BLOCKLIST | 100.000 | 100.000 | 100.000 | 100.000
URI_HOST_IN_BLOCKLIST | body | Host or Domain is listed in the user's URI block-list | 0.010 | 0.010 | 0.010 | 0.010
URI_HOST_IN_WELCOMELIST | body | Host or Domain is listed in the user's URI welcome-list | -0.010 | -0.010 | -0.010 | -0.010
URI_HOST_IN_WHITELIST | meta | DEPRECATED: See URI_HOST_IN_WELCOMELIST | -100.000 | -100.000 | -100.000 | -100.000
URI_IMG_WP_REDIR | meta | Image via WordPress "accelerator" proxy | 1.000 | 1.000 | 1.000 | 1.000
URI_LONG_REPEAT | meta | Long identical host+domain | 1.000 | 1.000 | 1.000 | 1.000
URI_MALWARE_SCMS | uri | Link to malware exploit download (.SettingContent-ms file) | 1.000 | 1.000 | 1.000 | 1.000
URI_NOVOWEL | uri | URI hostname has long non-vowel sequence | 0.500 | 0.500 | 0.500 | 0.500
URI_NO_WWW_BIZ_CGI | uri | CGI in .biz TLD other than third-level "www" | 1.000 | 1.000 | 1.000 | 1.000
URI_NO_WWW_INFO_CGI | uri | CGI in .info TLD other than third-level "www" | 1.000 | 1.000 | 1.000 | 1.000
URI_ONLY_MSGID_MALF | meta | URI only + malformed message ID | 1.000 | 1.000 | 1.000 | 1.000
URI_OPTOUT_3LD | uri | Opt-out URI, suspicious hostname | 1.000 | 2.000 | 1.000 | 2.000
URI_OPTOUT_USME | uri | Opt-out URI, unusual TLD | 1.000 | 1.000 | 1.000 | 1.000
URI_PHISH | meta | Phishing using web form | 3.999 | 3.627 | 3.999 | 3.627
URI_PHP_REDIR | meta | PHP redirect to different URL (link obfuscation) | 1.000 | 1.000 | 1.000 | 1.000
URI_TRUNCATED | body | Message contained a URI which was truncated | 0.001 | 0.001 | 0.001 | 0.001
URI_TRY_3LD | meta | "Try it" URI, suspicious hostname | 1.999 | 1.667 | 1.999 | 1.667
URI_TRY_USME | meta | "Try it" URI, unusual TLD | 1.000 | 1.000 | 1.000 | 1.000
URI_WPADMIN | meta | WordPress login/admin URI, possible phishing | 0.001 | 2.299 | 0.001 | 2.299
URI_WP_DIRINDEX | meta | URI for compromised WordPress site, possible malware | 1.000 | 1.000 | 1.000 | 1.000
URI_WP_HACKED | meta | URI for compromised WordPress site, possible malware | 3.500 | 3.499 | 3.500 | 3.499
URI_WP_HACKED_2 | meta | URI for compromised WordPress site, possible malware | 2.499 | 2.499 | 2.499 | 2.499
URL_SHORTENER_CHAINED | body | Message contains shortened URL chained to other shorteners | 0.010 | 0.010 | 0.010 | 0.010
URL_SHORTENER_DISABLED | uri | Message contains shortened URL that has been disabled due to abuse | 2.000 | 2.000 | 2.000 | 2.000
USB_DRIVES | meta | Trying to sell custom USB flash drives | 1.000 | 1.000 | 1.000 | 1.000
USER_IN_ALL_SPAM_TO | header | User is listed in 'all_spam_to' | -100.000 | -100.000 | -100.000 | -100.000
USER_IN_BLACKLIST | meta | DEPRECATED: See USER_IN_BLOCKLIST | 100.000 | 100.000 | 100.000 | 100.000
USER_IN_BLACKLIST_TO | meta | DEPRECATED: See USER_IN_BLOCKLIST_TO | 10.000 | 10.000 | 10.000 | 10.000
USER_IN_BLOCKLIST | header | From: user is listed in the block-list | 0.010 | 0.010 | 0.010 | 0.010
USER_IN_BLOCKLIST_TO | header | User is listed in 'blocklist_to' | 0.010 | 0.010 | 0.010 | 0.010
USER_IN_DEF_DKIM_WL | header | From: address is in the default DKIM welcome-list | -7.500 | -7.500 | -7.500 | -7.500
USER_IN_DEF_SPF_WL | header | From: address is in the default SPF welcome-list | -7.500 | -7.500 | -7.500 | -7.500
USER_IN_DEF_WELCOMELIST | header | From: user is listed in the default welcome-list | -0.010 | -0.010 | -0.010 | -0.010
USER_IN_DEF_WHITELIST | meta | DEPRECATED: See USER_IN_DEF_WELCOMELIST | -15.000 | -15.000 | -15.000 | -15.000
USER_IN_DKIM_WELCOMELIST | header | From: address is in the user's DKIM welcomelist | -0.010 | -0.010 | -0.010 | -0.010
USER_IN_DKIM_WHITELIST | meta | DEPRECATED: See USER_IN_DKIM_WELCOMELIST | -100.000 | -100.000 | -100.000 | -100.000
USER_IN_MORE_SPAM_TO | header | User is listed in 'more_spam_to' | -20.000 | -20.000 | -20.000 | -20.000
USER_IN_SPF_WELCOMELIST | header | From: address is in the user's SPF welcomelist | -0.010 | -0.010 | -0.010 | -0.010
USER_IN_SPF_WHITELIST | meta | DEPRECATED: See USER_IN_SPF_WELCOMELIST | -100.000 | -100.000 | -100.000 | -100.000
USER_IN_WELCOMELIST | header | User is listed in 'welcomelist_from' | -0.010 | -0.010 | -0.010 | -0.010
USER_IN_WELCOMELIST_TO | header | User is listed in 'welcomelist_to' | -0.010 | -0.010 | -0.010 | -0.010
USER_IN_WHITELIST | meta | DEPRECATED: See USER_IN_WELCOMELIST | -100.000 | -100.000 | -100.000 | -100.000
USER_IN_WHITELIST_TO | meta | DEPRECATED: See USER_IN_WELCOMELIST_TO | -6.000 | -6.000 | -6.000 | -6.000
VBOUNCE_MESSAGE | meta | Virus-scanner bounce message | 0.100 | 0.100 | 0.100 | 0.100
VFY_ACCT_NORDNS | meta | Verify your account to a poorly-configured MTA - probable phishing | 2.622 | 2.999 | 2.622 | 2.999
VPS_NO_NTLD | meta | vps[0-9] domain at a suspicious TLD | 1.000 | 1.000 | 1.000 | 1.000
WALMART_IMG_NOT_RCVD_WAL | meta | Walmart hosted image but message not from Walmart | 1.000 | 1.000 | 1.000 | 1.000
WEIRD_PORT | uri | Uses non-standard port number for HTTP | 0.001 | 0.001 | 0.097 | 0.001
WEIRD_QUOTING | body | Weird repeated double-quotation marks | 0.001 | 0.001 | 0.001 | 0.001
WORD_INVIS | meta | A hidden word | 1.576 | 0.504 | 1.576 | 0.504
WORD_INVIS_MANY | meta | Multiple individual hidden words | 3.000 | 2.999 | 3.000 | 2.999
XFER_LOTSA_MONEY | meta | Transfer a lot of money | 0.541 | 0.498 | 0.541 | 0.498
XM_DIGITS_ONLY | meta | X-Mailer malformed | 1.000 | 1.000 | 1.000 | 1.000
XM_PHPMAILER_FORGED | meta | Apparently forged header | 1.000 | 1.000 | 1.000 | 1.000
XM_RANDOM | meta | X-Mailer apparently random | 1.352 | 2.302 | 1.352 | 2.302
XM_RECPTID | meta | Has spammy message header | 2.999 | 1.602 | 2.999 | 1.602
XPRIO | meta | Has X-Priority header | 0.397 | 0.001 | 0.397 | 0.001
XPRIO_SHORT_SUBJ | meta | Has X Priority header + short subject | 1.000 | 1.000 | 1.000 | 1.000
XPRIO_URL_SHORTNER | meta | X-Priority header and short URL | 0.523 | 0.999 | 0.523 | 0.999
X_IP | header | Message has X-IP header | 0.001 | 0.001 | 0.001 | 0.001
X_MAILER_CME_6543_MSN | header | No description provided | 2.886 | 2.004 | 3.002 | 3.348
YOU_INHERIT | meta | Discussing your inheritance | 0.926 | 1.345 | 0.926 | 1.345
__DC_GIF_MULTI_LARGO | meta | Message has 2+ inline gif covering lots of area | 1.000 | 1.000 | 1.000 | 1.000
__DC_IMG_HTML_RATIO | rawbody | Low rawbody to pixel area ratio | 1.000 | 1.000 | 1.000 | 1.000
__DC_IMG_TEXT_RATIO | body | Low body to pixel area ratio | 1.000 | 1.000 | 1.000 | 1.000
__DC_PNG_MULTI_LARGO | meta | Message has 2+ png images covering lots of area | 1.000 | 1.000 | 1.000 | 1.000
__DKIM_DEPENDABLE | full | A validation failure not attributable to truncation | 1.000 | 1.000 | 1.000 | 1.000
__FORGED_TBIRD_IMG | meta | Possibly forged Thunderbird image spam | 1.000 | 1.000 | 1.000 | 1.000
__FROM_41_FREEMAIL | meta | Sent from Africa + freemail provider | 1.000 | 1.000 | 1.000 | 1.000
__GB_BITCOIN_CP_DE | meta | German Bitcoin scam | 1.000 | 1.000 | 1.000 | 1.000
__GB_BITCOIN_CP_EN | meta | English Bitcoin scam | 1.000 | 1.000 | 1.000 | 1.000
__GB_BITCOIN_CP_ES | meta | Spanish Bitcoin scam | 1.000 | 1.000 | 1.000 | 1.000
__GB_BITCOIN_CP_FR | meta | French Bitcoin scam | 1.000 | 1.000 | 1.000 | 1.000
__GB_BITCOIN_CP_IT | meta | Italian Bitcoin scam | 1.000 | 1.000 | 1.000 | 1.000
__GB_BITCOIN_CP_NL | meta | Dutch Bitcoin scam | 1.000 | 1.000 | 1.000 | 1.000
__GB_BITCOIN_CP_SE | meta | Swedish Bitcoin scam | 1.000 | 1.000 | 1.000 | 1.000
__HAS_HREF | rawbody | Has an anchor tag with a href attribute in non-quoted line | 1.000 | 1.000 | 1.000 | 1.000
__HAS_HREF_ONECASE | rawbody | Has an anchor tag with a href attribute in non-quoted line with consistent case | 1.000 | 1.000 | 1.000 | 1.000
__HAS_IMG_SRC | rawbody | Has an img tag on a non-quoted line | 1.000 | 1.000 | 1.000 | 1.000
__HAS_IMG_SRC_ONECASE | rawbody | Has an img tag on a non-quoted line with consistent case | 1.000 | 1.000 | 1.000 | 1.000
__KAM_BODY_LENGTH_LT_1024 | body | The length of the body of the email is less than 1024 bytes. | 1.000 | 1.000 | 1.000 | 1.000
__KAM_BODY_LENGTH_LT_128 | body | The length of the body of the email is less than 128 bytes. | 1.000 | 1.000 | 1.000 | 1.000
__KAM_BODY_LENGTH_LT_256 | body | The length of the body of the email is less than 256 bytes. | 1.000 | 1.000 | 1.000 | 1.000
__KAM_BODY_LENGTH_LT_512 | body | The length of the body of the email is less than 512 bytes. | 1.000 | 1.000 | 1.000 | 1.000
__MIME_BASE64 | rawbody | Includes a base64 attachment | 1.000 | 1.000 | 1.000 | 1.000
__MIME_QP | rawbody | Includes a quoted-printable attachment | 1.000 | 1.000 | 1.000 | 1.000
__ML_TURNS_SP_TO_TAB | header | A mailing list changing a space to a TAB | 1.000 | 1.000 | 1.000 | 1.000
__NSL_ORIG_FROM_41 | header | Originates from 41.0.0.0/8 | 1.000 | 1.000 | 1.000 | 1.000
__NSL_RCVD_FROM_41 | header | Received from 41.0.0.0/8 | 1.000 | 1.000 | 1.000 | 1.000
__RCVD_IN_MSPIKE_Z | header | Spam wave participant | 1.000 | 1.000 | 1.000 | 1.000
__RCVD_IN_SORBS | header | SORBS: sender is listed in SORBS | 1.000 | 1.000 | 1.000 | 1.000
__RCVD_IN_ZEN | header | Received via a relay in Spamhaus Zen | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_ADELPHIA | header | Relay HELO'd using suspicious hostname (Adelphia) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_ATTBI | header | Relay HELO'd using suspicious hostname (ATTBI.com) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_CHELLO_NL | header | Relay HELO'd using suspicious hostname (Chello.nl) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_CHELLO_NO | header | Relay HELO'd using suspicious hostname (Chello.no) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_COMCAST | header | Relay HELO'd using suspicious hostname (Comcast) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_DHCP | header | Relay HELO'd using suspicious hostname (DHCP) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_DIALIN | header | Relay HELO'd using suspicious hostname (T-Dialin) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_HCC | header | Relay HELO'd using suspicious hostname (HCC) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_HEXIP | header | Relay HELO'd using suspicious hostname (Hex IP) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_IPADDR | header | Relay HELO'd using suspicious hostname (IP addr 1) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_NTL | header | Relay HELO'd using suspicious hostname (NTL) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_OOL | header | Relay HELO'd using suspicious hostname (OptOnline) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_ROGERS | header | Relay HELO'd using suspicious hostname (Rogers) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_RR2 | header | Relay HELO'd using suspicious hostname (RR 2) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_SPLIT_IP | header | Relay HELO'd using suspicious hostname (Split IP) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_TELIA | header | Relay HELO'd using suspicious hostname (Telia) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_VELOX | header | Relay HELO'd using suspicious hostname (Veloxzone) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_VTR | header | Relay HELO'd using suspicious hostname (VTR) | 1.000 | 1.000 | 1.000 | 1.000
__RDNS_DYNAMIC_YAHOOBB | header | Relay HELO'd using suspicious hostname (YahooBB) | 1.000 | 1.000 | 1.000 | 1.000
__TO_EQ_FROM | meta | To: same as From: | 1.000 | 1.000 | 1.000 | 1.000
__TO_EQ_FROM_DOM | meta | To: domain same as From: domain | 1.000 | 1.000 | 1.000 | 1.000
__TO_EQ_FROM_USR | meta | To: username same as From: username | 1.000 | 1.000 | 1.000 | 1.000
__TO_EQ_FROM_USR_NN | meta | To: username same as From: username sans trailing nums | 1.000 | 1.000 | 1.000 | 1.000
__VIA_ML | meta | Mail from a mailing list | 1.000 | 1.000 | 1.000 | 1.000
__VIA_RESIGNER | meta | Mail through a popular signing remailer | 1.000 | 1.000 | 1.000 | 1.000


Copyright © 1998-2023 FutureQuest, Inc. All rights reserved.