FutureQuest Professional Web Hosting Flash Intro FutureQuest Community Message Forums
Order Now! Home Web Hosting
Services
Web Hosting
Support
Web Hosting
Data Center
Web Hosting
Community
Web Hosting
About
Web Hosting
Contact
Web Hosting
Account Management

SpamAssassin Test & Scoring Chart

FutureQuest SpamAssassin Test & Scoring Chart

This is the current list of tests SpamAssassin performs on email with SpamAssassin Filtering enabled to determine if they're spam or not.

You may also test specific X-Spam-Status headers via the SpamAssassin Status Decoder.

Test Name Area Tested Description Of Test Score
Bayes off
RBLs off
Score
Bayes off
RBLs on
Score
Bayes on
RBLs off
Score
Bayes on
RBLs on
ACT_NOW_CAPSbodyTalks about 'acting now' with capitals0.1000.1000.1000.100
AC_BR_BONANZArawbodyToo many newlines in a row... spammy template0.0010.0010.0010.001
AC_DIV_BONANZArawbodyToo many divs in a row... spammy template0.0010.0010.0010.001
AC_FROM_MANY_DOTSmetaMultiple periods in From user name2.9992.0112.9992.011
AC_HTML_NONSENSE_TAGSrawbodyMany consecutive multi-letter HTML tags, likely nonsense/spam1.9991.9991.9991.999
AC_POST_EXTRASmetaSuspicious URL0.2950.0010.2950.001
AC_SPAMMY_URI_PATTERNS1metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS10metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS11metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS12metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS2metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS3metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS4metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS8metalink combos match highly spammy template1.0001.0001.0001.000
AC_SPAMMY_URI_PATTERNS9metalink combos match highly spammy template1.0001.0001.0001.000
ADMAILmeta"admail" and variants1.0001.0001.0001.000
ADMITS_SPAMmetaAdmits this is an ad3.3991.0583.3991.058
ADVANCE_FEE_2_NEW_FORMmetaAdvance Fee fraud and a form1.0001.0001.0001.000
ADVANCE_FEE_2_NEW_FRM_MNYmetaAdvance Fee fraud form and lots of money1.2061.8601.2061.860
ADVANCE_FEE_2_NEW_MONEYmetaAdvance Fee fraud and lots of money1.9991.9991.9991.999
ADVANCE_FEE_3_NEWmetaAppears to be advance fee fraud (Nigerian 419)2.5993.4662.5993.466
ADVANCE_FEE_3_NEW_FORMmetaAdvance Fee fraud and a form1.0001.0001.0001.000
ADVANCE_FEE_3_NEW_FRM_MNYmetaAdvance Fee fraud form and lots of money0.6650.4880.6650.488
ADVANCE_FEE_3_NEW_MONEYmetaAdvance Fee fraud and lots of money2.7000.0012.7000.001
ADVANCE_FEE_4_NEWmetaAppears to be advance fee fraud (Nigerian 419)2.5992.3992.5992.399
ADVANCE_FEE_4_NEW_FRM_MNYmetaAdvance Fee fraud form and lots of money1.3680.8121.3680.812
ADVANCE_FEE_4_NEW_MONEYmetaAdvance Fee fraud and lots of money2.8992.6992.8992.699
ADVANCE_FEE_5_NEWmetaAppears to be advance fee fraud (Nigerian 419)2.6162.7002.6162.700
ADVANCE_FEE_5_NEW_FRM_MNYmetaAdvance Fee fraud form and lots of money0.8000.0010.8000.001
ADVANCE_FEE_5_NEW_MONEYmetaAdvance Fee fraud and lots of money2.8182.7452.8182.745
AD_PREFSbodyAdvertising preferences0.2500.2500.2500.250
ALIBABA_IMG_NOT_RCVD_ALImetaAlibaba hosted image but message not from Alibaba1.0001.0001.0001.000
ALL_TRUSTEDheaderPassed through trusted hosts only via SMTP-1.000-1.000-1.000-1.000
AMAZON_IMG_NOT_RCVD_AMZNmetaAmazon hosted image but message not from Amazon2.4992.4992.4992.499
ANY_BOUNCE_MESSAGEmetaMessage is some kind of bounce message0.1000.1000.1000.100
APOSTROPHE_FROMheaderFrom address contains an apostrophe0.1480.7860.6510.545
APP_DEVELOPMENT_FREEMmetaApp development pitch, freemail or CHN replyto1.0001.0001.0001.000
APP_DEVELOPMENT_NORDNSmetaApp development pitch, no rDNS1.9991.9991.9991.999
AWLheaderAdjusted score from AWL reputation of From: address1.0001.0001.0001.000
AXB_XMAILER_MIMEOLE_OL_024C2metaYet another X header trait0.0010.0010.0010.001
AXB_XMAILER_MIMEOLE_OL_1ECD5metaYet another X header trait##} AXB_XMAILER_MIMEOLE_OL_1ECD52.1512.1452.1512.145
BAD_CREDITbodyEliminate Bad Credit0.1000.1000.1000.100
BAD_ENC_HEADERheaderMessage has bad MIME encoding in the header0.0010.0010.0010.001
BANG_GUARbodySomething is emphatically guaranteed1.0001.0001.0001.000
BANKING_LAWSbodyTalks about banking laws2.3992.0042.1571.099
BASE64_LENGTH_78_79bodyNo description provided0.1000.1000.1000.100
BASE64_LENGTH_79_INFbodybase64 encoded email part uses line length greater than 79 characters1.3792.0190.5831.502
BAYES_00bodyBayes spam probability is 0 to 1%-3.000-3.000-3.000-3.000
BAYES_05bodyBayes spam probability is 1 to 5%-0.500-0.500-0.500-0.500
BAYES_20bodyBayes spam probability is 5 to 20%-0.001-0.001-0.001-0.001
BAYES_40bodyBayes spam probability is 20 to 40%-0.001-0.001-0.001-0.001
BAYES_50bodyBayes spam probability is 40 to 60%2.0002.0002.0002.000
BAYES_60bodyBayes spam probability is 60 to 80%3.0003.0003.0003.000
BAYES_80bodyBayes spam probability is 80 to 95%4.0004.0004.0004.000
BAYES_95bodyBayes spam probability is 95 to 99%5.0005.0005.0005.000
BAYES_99bodyBayes spam probability is 99 to 100%6.0006.0006.0006.000
BAYES_999bodyBayes spam probability is 99.9 to 100%7.0007.0007.0007.000
BILLION_DOLLARSbodyTalks about lots of money0.0011.4511.2291.638
BITCOIN_BOMBmetaBitCoin + bomb1.0001.0001.0001.000
BITCOIN_DEADLINEmetaBitCoin with a deadline1.5031.6581.5031.658
BITCOIN_EXTORT_01metaExtortion spam, pay via BitCoin3.0001.8703.0001.870
BITCOIN_EXTORT_02metaExtortion spam, pay via BitCoin1.0001.0001.0001.000
BITCOIN_MALF_HTMLmetaBitcoin + malformed HTML3.4993.4993.4993.499
BITCOIN_MALWAREmetaBitCoin + malware bragging1.0001.0001.0001.000
BITCOIN_PAY_MEmetaPay me via BitCoin1.0001.0001.0001.000
BITCOIN_SPAM_01metaBitCoin spam pattern 011.0001.0001.0001.000
BITCOIN_SPAM_02metaBitCoin spam pattern 021.9220.0011.9220.001
BITCOIN_SPAM_03metaBitCoin spam pattern 031.0001.0001.0001.000
BITCOIN_SPAM_04metaBitCoin spam pattern 041.0001.0001.0001.000
BITCOIN_SPAM_05metaBitCoin spam pattern 050.0012.2950.0012.295
BITCOIN_SPAM_06metaBitCoin spam pattern 061.0001.0001.0001.000
BITCOIN_SPAM_07metaBitCoin spam pattern 073.4993.4993.4993.499
BITCOIN_SPAM_08metaBitCoin spam pattern 081.0001.0001.0001.000
BITCOIN_SPAM_09metaBitCoin spam pattern 091.4991.4991.4991.499
BITCOIN_SPAM_10metaBitCoin spam pattern 101.0001.0001.0001.000
BITCOIN_SPAM_11metaBitCoin spam pattern 111.0001.0001.0001.000
BITCOIN_SPAM_12metaBitCoin spam pattern 121.0001.0001.0001.000
BITCOIN_SPF_ONLYALLmetaBitcoin from a domain specifically set to pass +all SPF0.0011.0000.0011.000
BITCOIN_XPRIOmetaBitcoin + priority1.3531.0031.3531.003
BITCOIN_YOUR_INFOmetaBitCoin with your personal info2.9991.5822.9991.582
BODY_8BITSbodyBody includes 8 consecutive 8-bit characters1.5001.5001.5001.500
BODY_EMPTYmetaNo body text in message1.8131.0001.8131.000
BODY_ENHANCEMENTbodyInformation on growing body parts0.9271.6110.9740.001
BODY_ENHANCEMENT2bodyInformation on getting larger body parts0.1000.1000.1000.100
BODY_SINGLE_URImetaMessage body is only a URI2.4991.6972.4991.697
BODY_URI_ONLYmetaMessage body is only a URI in one line of text or for an image1.0000.0011.0000.001
BOGUS_MIME_VERSIONmetaMime version header is bogus3.3783.4993.3783.499
BOGUS_MSM_HDRSmetaApparently bogus Microsoft email headers1.9181.8051.9181.805
BOMB_FREEMmetaBomb + freemail1.0001.0001.0001.000
BOMB_MONEYmetaBomb + money: bomb threat?1.0001.0001.0001.000
BOUNCE_MESSAGEmetaMTA bounce message0.1000.1000.1000.100
BTC_ORGmetaBitcoin wallet ID + unusual header1.0001.0001.0001.000
BUG6152_INVALID_DATE_TZ_ABSURDheaderNo description provided0.1000.1000.1000.100
BULK_RE_SUSP_NTLDmetaPrecedence bulk and RE: from a suspicious TLD0.9991.0000.9991.000
CANT_SEE_ADmetaYou really want to see our spam.1.0001.0001.0001.000
CHALLENGE_RESPONSEmetaChallenge-Response message for mail you sent0.1000.1000.1000.100
CHARSET_FARAWAYbodyCharacter set indicates a foreign language3.2003.2003.2003.200
CHARSET_FARAWAY_HEADERheaderA foreign language charset used in headers3.2003.2003.2003.200
CK_HELO_DYNAMIC_SPLIT_IPheaderRelay HELO'd using suspicious hostname (Split IP)1.4990.0011.4990.001
CK_HELO_GENERICheaderRelay used name indicative of a Dynamic Pool or Generic rPTR0.2490.2500.2490.250
CN_B2B_SPAMMERbodyChinese company introducing itself1.0001.0001.0001.000
COMMENT_GIBBERISHmetaNonsense in long HTML comment1.0001.0001.0001.000
COMPENSATIONmeta"Compensation"1.4991.0001.4991.000
CRBOUNCE_MESSAGEmetaChallenge-Response bounce message0.1000.1000.1000.100
CTE_8BIT_MISMATCHmetaHeader says 7bits but body disagrees0.9990.9990.9990.999
CTYPE_001C_BheaderNo description provided0.0010.0010.0010.001
CTYPE_NULLmetaMalformed Content-Type header1.5942.6991.5942.699
CURR_PRICEbodyNo description provided0.0010.0010.0010.001
DATE_IN_FUTURE_03_06headerDate: is 3 to 6 hours after Received: date3.3992.4262.9973.027
DATE_IN_FUTURE_06_12headerDate: is 6 to 12 hours after Received: date2.8990.0012.2221.947
DATE_IN_FUTURE_12_24headerDate: is 12 to 24 hours after Received: date2.6032.4893.1993.199
DATE_IN_FUTURE_24_48headerDate: is 24 to 48 hours after Received: date2.5981.2480.0012.048
DATE_IN_FUTURE_48_96headerDate: is 48 to 96 hours after Received: date2.3840.8131.0782.181
DATE_IN_FUTURE_96_QheaderDate: is 4 days to 4 months after Received: date2.5992.3992.5992.399
DATE_IN_FUTURE_Q_PLUSheaderDate: is over 4 months after Received: date2.2992.1992.2992.199
DATE_IN_PAST_03_06headerDate: is 3 to 6 hours before Received: date2.3991.0761.2001.592
DATE_IN_PAST_06_12headerDate: is 6 to 12 hours before Received: date1.6991.1031.2741.543
DATE_IN_PAST_12_24headerDate: is 12 to 24 hours before Received: date0.0010.8041.1901.049
DATE_IN_PAST_24_48headerDate: is 24 to 48 hours before Received: date1.1090.4850.6241.340
DATE_IN_PAST_96_XXheaderDate: is 96 hours or more before Received: date2.6002.0701.2333.405
DAY_I_EARNEDmetaWork-at-home spam1.0001.0001.0001.000
DCC_CHECKfullDetected as bulk mail by DCC (dcc-servers.net)0.0001.1000.0001.100
DCC_REPUT_00_12fullDCC reputation between 0 and 12 % (mostly ham)0.000-0.8000.000-0.400
DCC_REPUT_13_19fullDCC reputation between 13 and 19 %0.000-0.1000.000-0.100
DCC_REPUT_70_89fullDCC reputation between 70 and 89 %0.0000.1000.0000.100
DCC_REPUT_90_94fullDCC reputation between 90 and 94 %0.0000.4000.0000.600
DCC_REPUT_95_98fullDCC reputation between 95 and 98 % (mostly spam)0.0000.7000.0001.000
DCC_REPUT_99_100fullDCC reputation between 99 % or higher (spam)0.0001.2000.0001.400
DC_GIF_UNO_LARGOmetaMessage contains a single large gif image0.0011.3230.0532.176
DC_IMAGE_SPAM_HTMLmetaPossible Image-only spam0.1000.1000.1000.100
DC_IMAGE_SPAM_TEXTmetaPossible Image-only spam with little text0.1000.1000.1000.100
DC_PNG_UNO_LARGOmetaMessage contains a single large png image0.0010.0010.0010.001
DEAR_BENEFICIARYbodyDear Beneficiary:1.0970.0011.0970.001
DEAR_FRIENDbodyDear Friend? That's not very dear!2.6832.6041.8012.577
DEAR_SOMETHINGbodyContains 'Dear (something)'1.9991.7311.7871.973
DEAR_WINNERbodySpam with generic salutation of "dear winner"3.0993.0992.3093.099
DIET_1bodyLose Weight Spam0.7140.0000.3990.001
DIGEST_MULTIPLEmetaMessage hits more than one network digest check0.0000.0010.0000.293
DKIMDOMAIN_IN_DWL???No description provided0.000-3.5000.000-3.500
DKIMDOMAIN_IN_DWL_UNKNOWN???No description provided0.000-0.0100.000-0.010
DKIMWL_BLmetaDKIMwl.org - Blocked sender0.0013.0000.0013.000
DKIMWL_BLOCKEDmetaADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.0.0010.0010.0010.001
DKIMWL_WL_HIGHmetaDKIMwl.org - High trust sender0.001-0.0010.001-0.001
DKIMWL_WL_MEDmetaDKIMwl.org - Medium trust sender0.001-0.0010.001-0.001
DKIMWL_WL_MEDHImetaDKIMwl.org - Medium-high trust sender0.001-1.0000.001-1.000
DKIM_ADSP_ALLheaderNo valid author signature, domain signs all mail0.0001.1000.0000.800
DKIM_ADSP_CUSTOM_HIGHheaderNo valid author signature, adsp_override is CUSTOM_HIGH0.0010.0010.0010.001
DKIM_ADSP_CUSTOM_LOWheaderNo valid author signature, adsp_override is CUSTOM_LOW0.0010.0010.0010.001
DKIM_ADSP_CUSTOM_MEDheaderNo valid author signature, adsp_override is CUSTOM_MED0.0010.0010.0010.001
DKIM_ADSP_DISCARDheaderNo valid author signature, domain signs all mail and suggests discarding the rest0.0001.8000.0001.800
DKIM_ADSP_NXDOMAINheaderNo valid author signature and domain not in DNS0.0000.8000.0000.900
DKIM_INVALIDmetaDKIM or DK signature exists, but is not valid0.1000.1000.1000.100
DKIM_SIGNEDfullMessage has a DKIM or DK signature, not necessarily valid0.1000.1000.1000.100
DKIM_VALIDfullMessage has at least one valid DKIM or DK signature-0.100-0.100-0.100-0.100
DKIM_VALID_AUfullMessage has a valid DKIM or DK signature from author's domain-0.100-0.100-0.100-0.100
DKIM_VALID_EFfullMessage has a valid DKIM or DK signature from envelope-from domain-0.100-0.100-0.100-0.100
DOS_OE_TO_MXmetaDelivered direct to MX with OE headers2.6023.0862.2652.523
DOS_OE_TO_MX_IMAGEmetaDirect to MX with OE headers and an image2.8861.8862.4253.699
DOS_OUTLOOK_TO_MXmetaDelivered direct to MX with Outlook headers2.6361.4491.7372.845
DOS_RCVD_IP_TWICE_CheaderReceived from the same IP twice in a row (only one external relay; empty or IP helo)2.5992.0603.2920.096
DOS_STOCK_BATmetaProbable pump and dump stock spam0.0010.0010.0010.001
DOTGOV_IMAGEmeta.gov URI + hosted image1.0001.0001.0001.000
DQ_URI_DOM_IN_PATHuriDQ URI having a domain name in the path part2.4992.2992.4992.299
DRUGS_ANXIETYmetaRefers to an anxiety control drug0.1000.1000.1000.100
DRUGS_DIETmetaRefers to a diet drug2.6600.7571.8310.337
DRUGS_ERECTILEmetaRefers to an erectile drug1.7782.2211.2991.994
DRUGS_ERECTILE_OBFUmetaObfuscated reference to an erectile drug1.3241.3092.9351.109
DRUGS_MANYKINDSmetaRefers to at least four kinds of drugs2.0011.4730.8410.342
DRUGS_MUSCLEmetaRefers to a muscle relaxant0.0012.4990.3920.164
DRUGS_SMEAR1bodyTwo or more drugs crammed together into one word3.3002.0513.1480.235
DRUGS_STOCK_MIMEOLE???No description provided2.6991.6812.4781.321
DRUG_ED_CAPSbodyMentions an E.D. drug2.7991.0232.5160.936
DRUG_ED_ONLINEbodyFast Viagra Delivery0.6961.1521.2210.608
DRUG_ED_SILDbodyTalks about an E.D. drug using its chemical name0.0010.0010.0010.001
DSN_NO_MIMEVERSIONmetaReturn-Path <> and no MIME-Version: header1.9991.9991.9991.999
DX_TEXT_02body"change your message stat"1.0001.0001.0001.000
DX_TEXT_03body"XXX Media Group"0.3990.0990.3990.099
DYN_RDNS_AND_INLINE_IMAGEmetaContains image, and was sent by dynamic rDNS1.3451.3441.4341.168
DYN_RDNS_SHORT_HELO_HTMLmetaSent by dynamic rDNS, short HELO, and HTML0.0010.0010.0000.001
DYN_RDNS_SHORT_HELO_IMAGEmetaShort HELO string, dynamic rDNS, inline image1.8252.5162.2851.013
EBAY_IMG_NOT_RCVD_EBAYmetaE-bay hosted image but message not from E-bay1.0001.0001.0001.000
EMPTY_MESSAGEmetaMessage appears to have no textual parts and no Subject: text2.1952.3441.5522.320
EM_ROLEXbodyMessage puts emphasis on the watch manufacturer0.5951.3092.0680.618
ENCRYPTED_MESSAGEmetaMessage is encrypted, not likely to be spam-1.000-1.000-1.000-1.000
END_FUTURE_EMAILSmetaSpammy unsubscribe2.0941.0682.0941.068
ENGLISH_UCE_SUBJECTheaderSubject contains an English UCE tag0.9531.5422.5692.899
ENV_AND_HDR_SPF_MATCHmetaEnv and Hdr From used in default SPF WL Match-0.500-0.500-0.500-0.500
EXCUSE_24bodyClaims you wanted this ad1.0001.0001.0001.000
EXCUSE_4bodyClaims you can be removed from the list2.3991.6872.3991.325
EXCUSE_REMOVEbodyTalks about how to be removed from mailings2.9072.9923.2993.299
FAKE_REPLY_CmetaNo description provided0.6880.0012.5531.486
FBI_MONEYmetaThe FBI wants to give you lots of money?0.5880.1630.5880.163
FBI_SPOOFmetaClaims to be FBI, but not from FBI domain0.0011.8300.0011.830
FILL_THIS_FORMmetaFill in a form with personal information0.0010.0010.0010.001
FILL_THIS_FORM_FRAUD_PHISHmetaAnswer suspicious question(s)1.1950.3960.6150.334
FILL_THIS_FORM_LOAN???No description provided2.0922.2371.8362.880
FILL_THIS_FORM_LONGmetaFill in a form with personal information2.0002.0002.0002.000
FIN_FREEbodyFreedom of a financial nature0.1000.1000.1000.100
FONT_INVIS_DIRECTmetaInvisible text + direct-to-MX0.0010.0010.0010.001
FONT_INVIS_DOTGOVmetaInvisible text + .gov URI1.0001.0001.0001.000
FONT_INVIS_LONG_LINEmetaInvisible text + long lines2.9992.9992.9992.999
FONT_INVIS_MSGIDmetaInvisible text + suspicious message ID0.0010.0010.0010.001
FONT_INVIS_POSTEXTRASmetaInvisible text + suspicious URI0.3730.0010.3730.001
FORGED_GMAIL_RCVDheader'From' gmail.com does not match 'Received' headers1.0001.0001.0001.000
FORGED_HOTMAIL_RCVD2headerhotmail.com 'From' address, but no 'Received:'0.0011.1870.6980.874
FORGED_MSGID_EXCITEmetaMessage-ID is forged, (excite.com)2.3991.8991.6490.528
FORGED_MSGID_YAHOOmetaMessage-ID is forged, (yahoo.com)0.1000.1000.1000.100
FORGED_MUA_EUDORAmetaForged mail pretending to be from Eudora2.8282.5101.9620.001
FORGED_MUA_IMSmetaForged mail pretending to be from IMS2.3992.3992.3991.943
FORGED_MUA_MOZILLAmetaForged mail pretending to be from Mozilla2.3991.5962.3992.309
FORGED_MUA_OIMOmetaForged mail pretending to be from MS Outlook IMO2.6002.5992.5992.599
FORGED_MUA_OUTLOOKmetaForged mail pretending to be from MS Outlook3.9992.7852.5001.927
FORGED_MUA_THEBAT_BOUNmetaMail pretending to be from The Bat! (boundary)3.0463.2203.2073.399
FORGED_OUTLOOK_HTMLmetaOutlook can't send HTML message only0.0010.0010.0010.021
FORGED_OUTLOOK_TAGSmetaOutlook can't send HTML in this format0.0030.5650.0010.052
FORGED_RELAY_MUA_TO_MXheaderNo description provided3.9993.8223.9993.822
FORGED_TELESP_RCVDheaderContains forged hostname for a DSL IP in Brazil2.4992.4992.4991.841
FORGED_YAHOO_RCVDheader'From' yahoo.com does not match 'Received' headers2.3971.0222.5991.630
FORM_FRAUDmetaFill a form and a fraud phrase0.8000.0010.8000.001
FORM_FRAUD_3metaFill a form and several fraud phrases2.7042.6992.7042.699
FORM_FRAUD_5metaFill a form and many fraud phrases1.2673.1991.2673.199
FORM_LOW_CONTRASTmetaFill in a form with hidden text1.0001.0001.0001.000
FOUND_YOUmetaI found you...3.2493.2493.2493.249
FREEMAIL_ENVFROM_END_DIGITheaderEnvelope-from freemail username ends in digit0.2500.2500.2500.250
FREEMAIL_FORGED_FROMDOMAINmeta2nd level domains in From and EnvelopeFrom freemail headers are different0.2490.2500.2490.250
FREEMAIL_FORGED_REPLYTOmetaFreemail in Reply-To, but not From1.1992.5031.2042.095
FREEMAIL_FROMheaderSender email is commonly abused enduser mail provider0.0010.0010.0010.001
FREEMAIL_REPLYmetaFrom and body contain different freemails1.0001.0001.0001.000
FREEMAIL_REPLYTOmetaReply-To/From or Reply-To/body contain different freemails1.0001.0001.0001.000
FREEMAIL_REPLYTO_END_DIGITheaderReply-To freemail username ends in digit0.2500.2500.2500.250
FREEM_FRNUM_UNICD_EMPTYmetaNumeric freemail From address, unicode From name and Subject, empty body1.0001.0001.0001.000
FREE_QUOTE_INSTANTbodyFree express or no-obligation quote2.7002.6992.6991.297
FRNAME_IN_MSG_XPRIO_NO_SUBmetaFrom name in message + X-Priority + short or no subject1.0001.0001.0001.000
FROM_2_EMAILS_SHORTmetaShort body and From looks like 2 different emails1.9991.9991.9991.999
FROM_ADDR_WSmetaMalformed From address2.9992.8872.9992.887
FROM_BANK_NOAUTHmetaFrom Bank domain but no SPF or DKIM0.0011.0000.0011.000
FROM_BLANK_NAMEheaderFrom: contains empty name2.0992.0992.0990.723
FROM_DOMAIN_NOVOWELheaderFrom: domain has series of non-vowel letters0.5000.5000.5000.500
FROM_EXCESS_BASE64metaFrom: base64 encoded unnecessarily0.0010.0010.0010.001
FROM_FMBLA_NDBLOCKEDmetaADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.0.0010.0010.0010.001
FROM_FMBLA_NEWDOMmetaFrom domain was registered in last 7 days0.0011.4990.0011.499
FROM_FMBLA_NEWDOM14metaFrom domain was registered in last 7-14 days0.0010.9990.0010.999
FROM_FMBLA_NEWDOM28metaFrom domain was registered in last 14-28 days0.0010.7990.0010.799
FROM_GOV_DKIM_AUmetaFrom Government address and DKIM signed0.001-0.0010.001-0.001
FROM_GOV_REPLYTO_FREEMAILmetaFrom Government domain but ReplyTo is FREEMAIL0.0011.0000.0011.000
FROM_GOV_SPOOFmetaFrom Government domain but matches SPOOFED0.0010.9990.0010.999
FROM_ILLEGAL_CHARSheaderFrom: has too many raw illegal characters2.1922.0590.2400.036
FROM_IN_TO_AND_SUBJmetaFrom address is in To and Subject1.0001.0001.0001.000
FROM_LOCAL_DIGITSheaderFrom: localpart has long digit sequence0.0010.0010.0010.001
FROM_LOCAL_HEXheaderFrom: localpart has long hexadecimal sequence0.0000.3310.0010.006
FROM_LOCAL_NOVOWELheaderFrom: localpart has series of non-vowel letters0.5000.5000.5000.500
FROM_MISSPACEDmetaFrom: missing whitespace1.9990.0011.9990.001
FROM_MISSP_DYNIPmetaFrom misspaced + dynamic rDNS1.0081.2511.0081.251
FROM_MISSP_EH_MATCHmetaFrom misspaced, matches envelope1.9990.0011.9990.001
FROM_MISSP_FREEMAILmetaFrom misspaced + freemail provider3.1993.0003.1993.000
FROM_MISSP_MSFTmetaFrom misspaced + supposed Microsoft tool0.0010.0010.0010.001
FROM_MISSP_PHISHmetaMalformed, claims to be from financial organization - possible phish1.4011.2631.4011.263
FROM_MISSP_REPLYTOmetaFrom misspaced, has Reply-To0.0010.0010.0010.001
FROM_MISSP_SPF_FAILmetaNo description provided0.0010.0010.0010.001
FROM_MISSP_TO_UNDISCmetaFrom misspaced, To undisclosed0.4121.9930.4121.993
FROM_MISSP_USERmetaFrom misspaced, from "User"0.0010.0010.0010.001
FROM_MISSP_XPRIOmetaMisspaced FROM + X-Priority0.0010.0010.0010.001
FROM_NAME_EQ_TO_G_DRIVEmetaFrom:name equals To:addr and GDRIVE link0.8471.1040.8471.104
FROM_NEWDOM_BTCmetaNewdomain with Bitcoin ID0.0011.1730.0011.173
FROM_NO_USERheaderFrom: has no local-part before @ sign0.0012.5990.0190.798
FROM_NTLD_LINKBAITmetaFrom abused NTLD with little more than a URI1.9990.7181.9990.718
FROM_NTLD_REPLY_FREEMAILmetaFrom abused NTLD and Reply-To is FREEMAIL1.7290.6631.7290.663
FROM_NUMBERO_NEWDOMAINmetaFingerprint and new domain0.0011.0000.0011.000
FROM_NUMERIC_TLDheaderFrom: address has numeric TLD1.0001.0001.0001.000
FROM_OFFERSheaderFrom address is "at something-offers"1.0001.0001.0001.000
FROM_PAYPAL_SPOOFmetaFrom PayPal domain but matches SPOOFED0.0010.5950.0010.595
FROM_STARTS_WITH_NUMSheaderFrom: starts with several numbers2.8010.5531.2010.738
FROM_SUSPICIOUS_NTLDmetaFrom abused NTLD0.4990.4990.4990.499
FROM_SUSPICIOUS_NTLD_FPmetaFrom abused NTLD1.9991.9991.9991.999
FROM_UNBAL1headerFrom with unbalanced angle brackets, '>' missing1.8942.1991.8942.199
FROM_WORDYmetaFrom address looks like a sentence1.0001.3521.0001.352
FROM_WORDY_SHORTmetaFrom address looks like a sentence + short message1.0001.0001.0001.000
FROM_WSP_TRAILheaderTrailing whitespace before '>' in From header field2.4992.2002.4992.200
FSL_BULK_SIGmetaBulk signature with no Unsubscribe0.0010.0010.0010.001
FSL_CTYPE_WIN1251headerContent-Type only seen in 419 spam0.0010.0010.0010.001
FSL_FAKE_HOTMAIL_RVCDheaderNo description provided2.6311.8162.0112.365
FSL_HELO_BARE_IP_1metaNo description provided2.5981.4263.0992.347
FSL_HELO_DEVICEheaderNo description provided0.1000.1000.1000.100
FSL_HELO_NON_FQDN_1headerNo description provided2.3610.0011.7830.001
FSL_INTERIA_ABUSEuriNo description provided3.8992.6643.0803.106
FSL_NEW_HELO_USERmetaSpam's using Helo and User0.0010.0010.0010.001
FSL_THIS_IS_ADVbodyThis is an advertisement1.2030.0011.2030.001
FUZZY_ANDROIDbodyObfuscated "android"1.0001.0001.0001.000
FUZZY_BITCOINbodyObfuscated "Bitcoin"1.5961.9871.5961.987
FUZZY_BROWSERbodyObfuscated "browser"1.0001.0001.0001.000
FUZZY_BTC_WALLETmetaHeavily obfuscated "bitcoin wallet"1.0001.0001.0001.000
FUZZY_CLICK_HEREbodyObfuscated "click here"2.3992.1992.3992.199
FUZZY_CPILLbodyAttempt to obfuscate words in spam0.0010.0010.0010.001
FUZZY_CREDITbodyAttempt to obfuscate words in spam1.6991.4130.6011.678
FUZZY_DR_OZmetaObfuscated Doctor Oz1.0001.0001.0001.000
FUZZY_IMPORTANTbodyObfuscated "important"1.0001.0001.0001.000
FUZZY_MILLIONbodyAttempt to obfuscate words in spam0.1000.1000.1000.100
FUZZY_MONEROmetaObfuscated "Monero"1.0001.0001.0001.000
FUZZY_PHARMACYbodyAttempt to obfuscate words in spam2.9603.2991.9671.353
FUZZY_PHENTbodyAttempt to obfuscate words in spam2.7991.6471.5402.662
FUZZY_PRICESbodyAttempt to obfuscate words in spam1.8210.7202.2102.311
FUZZY_PRIVACYbodyObfuscated "privacy"1.0001.0001.0001.000
FUZZY_PROMOTIONbodyObfuscated "promotion"1.0001.0001.0001.000
FUZZY_SAVINGSbodyObfuscated "savings"1.0001.0001.0001.000
FUZZY_SECURITYbodyObfuscated "security"1.0001.0001.0001.000
FUZZY_UNSUBSCRIBEbodyObfuscated "unsubscribe"1.0001.0001.0001.000
FUZZY_VPILLbodyAttempt to obfuscate words in spam0.0010.4940.7961.014
FUZZY_WALLETbodyObfuscated "Wallet"2.6972.4992.6972.499
FUZZY_XPILLbodyAttempt to obfuscate words in spam0.1000.1000.1000.100
GAPPY_SALES_LEADS_FREEMmetaObfuscated marketing text, freemail or CHN replyto1.0001.0001.0001.000
GAPPY_SUBJECTmetaSubject: contains G.a.p.p.y-T.e.x.t0.1000.1000.1000.100
GB_BITCOIN_CPmetaLocalized Bitcoin scam1.5192.8101.5192.810
GB_FORGED_MUA_POSTFIXmetaForged Postfix mua headers1.0001.0001.0001.000
GB_FREEMAIL_DISPTOmetaDisposition-Notification-To/From or Disposition-Notification-To/body contain different freemails0.0010.0010.0010.001
GB_FREEMAIL_DISPTO_NOTFREEMmetaDisposition-Notification-To/From contain different freemails but mailfrom is not a freemail0.4990.4990.4990.499
GB_GOOGLE_OBFURuriObfuscate url through Google redirect0.7500.7500.7500.750
GB_GOOGLE_OBFUSuriObfuscate url through Google search0.7490.6480.7490.648
GB_LINKED_IMG_NOT_RCVD_LINKmetaLinkedin hosted image but message not from Linkedin1.0001.0001.0001.000
GB_WP_FILELINKbodytry to abuse file_links uris in Wordpress emails1.0001.0001.0001.000
GMD_PDF_EMPTY_BODYbodyAttached PDF with empty message body0.2500.2500.2500.250
GMD_PDF_ENCRYPTEDbodyAttached PDF is encrypted0.6000.6000.6000.600
GMD_PDF_HORIZbodyContains pdf 100-240 (high) x 450-800 (wide)0.2500.2500.2500.250
GMD_PDF_SQUAREbodyContains pdf 180-360 (high) x 180-360 (wide)0.5000.5000.5000.500
GMD_PDF_VERTbodyContains pdf 450-800 (high) x 100-240 (wide)0.9000.9000.9000.900
GMD_PRODUCER_EASYPDFbodyPDF producer was BCL easyPDF0.2500.2500.2500.250
GMD_PRODUCER_GPLbodyPDF producer was GPL Ghostscript0.2500.2500.2500.250
GMD_PRODUCER_POWERPDFbodyPDF producer was PowerPDF0.2500.2500.2500.250
GOOGLE_DOCS_PHISHmetaPossible phishing via a Google Docs form1.0001.0001.0001.000
GOOGLE_DOCS_PHISH_MANYmetaPhishing via a Google Docs form1.0001.0001.0001.000
GOOGLE_DRIVE_REPLY_BAD_NTLDmetaFrom Google Drive and Reply-To is from a suspicious TLD1.0001.0001.0001.000
GOOG_MALWARE_DNLDmetaFile download via Google - Malware?1.0001.0001.0001.000
GOOG_REDIR_HTML_ONLYmetaGoogle redirect to obscure spamvertised website + HTML only1.9992.0001.9992.000
GOOG_REDIR_NORDNSmetaGoogle redirect to obscure spamvertised website + no rDNS0.5720.8260.5720.826
GOOG_REDIR_SHORTmetaGoogle redirect to obscure spamvertised website + short message2.5992.2992.5992.299
GTUBEbodyGeneric Test for Unsolicited Bulk Email1000.0001000.0001000.0001000.000
GUARANTEED_100_PERCENTbodyOne hundred percent guaranteed2.6992.6992.4802.699
HDRS_LCASEmetaOdd capitalization of message header0.0990.0990.0990.099
HDRS_LCASE_IMGONLYmetaOdd capitalization of message headers + image-only HTML0.1000.0990.1000.099
HDRS_MISSPmetaMisspaced headers1.0001.0001.0001.000
HDR_ORDER_FTSDMCXX_DIRECTmetaHeader order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX1.9991.7121.9991.712
HDR_ORDER_FTSDMCXX_NORDNSmetaHeader order similar to spam (FTSDMCXX/boundary variant) + no rDNS0.0010.0010.0010.001
HEADER_FROM_DIFFERENT_DOMAINSheaderFrom and EnvelopeFrom 2nd level mail domains are different0.2490.2490.2490.249
HEADER_SPAMheaderBulk email fingerprint (header-based) found2.4992.4991.9940.585
HELO_DYNAMIC_CHELLO_NLheaderRelay HELO'd using suspicious hostname (Chello.nl)2.4121.9182.0192.428
HELO_DYNAMIC_DHCPmetaRelay HELO'd using suspicious hostname (DHCP)2.6020.8411.5370.206
HELO_DYNAMIC_DIALINheaderRelay HELO'd using suspicious hostname (T-Dialin)2.6293.2332.1861.366
HELO_DYNAMIC_HCCmetaRelay HELO'd using suspicious hostname (HCC)4.2992.5142.9312.762
HELO_DYNAMIC_HEXIPheaderRelay HELO'd using suspicious hostname (Hex IP)2.3210.5111.7731.789
HELO_DYNAMIC_HOME_NLheaderRelay HELO'd using suspicious hostname (Home.nl)2.3851.5301.0241.459
HELO_DYNAMIC_IPADDRmetaRelay HELO'd using suspicious hostname (IP addr 1)2.6333.2433.6801.951
HELO_DYNAMIC_IPADDR2metaRelay HELO'd using suspicious hostname (IP addr 2)2.8153.8883.7283.607
HELO_DYNAMIC_SPLIT_IPheaderRelay HELO'd using suspicious hostname (Split IP)3.0312.8934.2253.482
HELO_LH_HOMEheaderNo description provided0.0012.0230.5371.736
HELO_LOCALHOSTheaderNo description provided2.6393.6032.9153.828
HELO_MISC_IPmetaLooking for more Dynamic IP Relays0.2490.0010.2490.001
HELO_NO_DOMAINmetaRelay reports its domain incorrectly0.0010.1650.0010.165
HELO_OEMheaderNo description provided2.8992.8991.2340.270
HELO_STATIC_HOSTmetaRelay HELO'd using static hostname-0.001-0.001-0.001-0.001
HEXHASH_WORDmetaMultiple instances of word + hexadecimal hash1.0002.9991.0002.999
HIDE_WIN_STATUSrawbodyJavascript to hide URLs in browser0.0010.0010.0010.001
HK_CTE_RAWmimeheaderNo description provided1.0001.0001.0001.000
HK_LOTTOmetaNo description provided0.9990.9990.9990.999
HK_NAME_DRUGSheaderFrom name contains drugs4.2990.0013.0770.552
HK_NAME_MR_MRSmetaNo description provided0.9990.9990.9990.999
HK_RANDOM_ENVFROMheaderEnvelope sender username looks random2.6380.6261.7980.001
HK_RANDOM_FROMheaderFrom username looks random0.9990.0010.9990.001
HK_RANDOM_REPLYTOheaderReply-To username looks random0.9990.9990.9990.999
HK_RCVD_IP_MULTICASTheaderNo description provided1.9991.9991.9991.999
HK_SCAMmetaNo description provided1.9991.9991.9991.999
HK_WINmetaNo description provided0.8290.0010.8290.001
HOSTED_IMG_DIRECT_MXmetaImage hosted at large ecomm site, message direct-to-mx3.0912.1173.0912.117
HOSTED_IMG_DQ_UNSUBmetaImage hosted at large ecomm site, IP addr unsub link1.0001.0001.0001.000
HOSTED_IMG_FREEMmetaImage hosted at large ecomm site or redirected, freemail from or reply-to1.0001.0001.0001.000
HOSTED_IMG_MULTImetaMultiple images hosted at different large ecomm sites or redirected1.0001.0001.0001.000
HTML_CHARSET_FARAWAYmetaA foreign language charset used in HTML markup0.5000.5000.5000.500
HTML_COMMENT_SAVED_URLbodyHTML message is a saved web page0.1980.3570.8991.391
HTML_EMBEDSbodyHTML with embedded plugin object0.0010.0010.0010.001
HTML_ENTITY_ASCIImetaObfuscated ASCII1.0001.0001.0001.000
HTML_ENTITY_ASCII_TINYmetaObfuscated ASCII + tiny fonts1.0001.0001.0001.000
HTML_EXTRA_CLOSEbodyHTML contains far too many close tags0.0010.0010.0010.001
HTML_FONT_FACE_BADbodyHTML font face is not a word0.0010.0010.0010.001
HTML_FONT_LOW_CONTRASTbodyHTML font color similar or identical to background0.7130.0010.7860.001
HTML_FONT_SIZE_HUGEbodyHTML font size is huge0.0010.0010.0010.001
HTML_FONT_SIZE_LARGEbodyHTML font size is large0.0010.0010.0010.001
HTML_IMAGE_ONLY_04bodyHTML: images with 0-400 bytes of words1.6800.3421.7991.172
HTML_IMAGE_ONLY_08bodyHTML: images with 400-800 bytes of words0.5851.7811.8451.651
HTML_IMAGE_ONLY_12bodyHTML: images with 800-1200 bytes of words1.3811.6291.4002.059
HTML_IMAGE_ONLY_16bodyHTML: images with 1200-1600 bytes of words1.9691.0481.1991.092
HTML_IMAGE_ONLY_20bodyHTML: images with 1600-2000 bytes of words2.1090.7001.3001.546
HTML_IMAGE_ONLY_24bodyHTML: images with 2000-2400 bytes of words2.7991.2821.3281.618
HTML_IMAGE_ONLY_28bodyHTML: images with 2400-2800 bytes of words2.7990.7261.5121.404
HTML_IMAGE_ONLY_32bodyHTML: images with 2800-3200 bytes of words2.1960.0011.1720.001
HTML_IMAGE_RATIO_02bodyHTML has a low ratio of text to image area0.0010.0010.0010.001
HTML_IMAGE_RATIO_04bodyHTML has a low ratio of text to image area0.0010.0010.0010.001
HTML_IMAGE_RATIO_06bodyHTML has a low ratio of text to image area0.0010.0010.0010.001
HTML_IMAGE_RATIO_08bodyHTML has a low ratio of text to image area0.0010.0010.0010.001
HTML_MESSAGEbodyHTML included in message0.0010.0010.0010.001
HTML_MIME_NO_HTML_TAGmetaHTML-only message, but there is no HTML tag0.0010.6350.0010.377
HTML_NONELEMENT_30_40body30% to 40% of HTML elements are non-standard0.0000.0010.3080.001
HTML_OBFUSCATE_05_10bodyMessage is 5% to 10% HTML obfuscation0.6010.0010.7180.260
HTML_OBFUSCATE_10_20bodyMessage is 10% to 20% HTML obfuscation0.1741.1620.5880.093
HTML_OBFUSCATE_20_30bodyMessage is 20% to 30% HTML obfuscation2.4992.4411.4491.999
HTML_OBFUSCATE_90_100bodyMessage is 90% to 100% HTML obfuscation2.0002.0002.0002.000
HTML_OFF_PAGEmetaHTML element rendered well off the displayed page2.9990.0012.9990.001
HTML_SHORT_CENTERmetaHTML is very short with CENTER tag3.7993.4212.6110.743
HTML_SHORT_LINK_IMG_1metaHTML is very short with a linked image2.2150.1390.4800.001
HTML_SHORT_LINK_IMG_2metaHTML is very short with a linked image1.4190.2590.6030.001
HTML_SHORT_LINK_IMG_3metaHTML is very short with a linked image0.6910.3280.0010.148
HTML_SHRT_CMNT_OBFU_MANYmetaObfuscation with many short HTML comments1.0001.0001.0001.000
HTML_SINGLET_MANYmetaMany single-letter HTML format blocks0.4772.3670.4772.367
HTML_TAG_BALANCE_BODYbodyHTML has unbalanced "body" tags0.1000.1000.1000.100
HTML_TAG_BALANCE_HEADbodyHTML has unbalanced "head" tags0.5200.0000.6000.817
HTML_TEXT_INVISIBLE_FONTmetaHTML hidden text - word obfuscation?1.9991.9991.9991.999
HTML_TEXT_INVISIBLE_STYLEmetaHTML hidden text + other spam signs0.6392.6310.6392.631
HTML_TITLE_SUBJ_DIFFmetaNo description provided1.1492.1711.8012.036
HTTPS_HTTP_MISMATCHbodyNo description provided0.1000.1000.1000.100
HTTP_ESCAPED_HOSTuriUses %-escapes inside a URL's hostname0.1000.1000.1000.100
HTTP_EXCESSIVE_ESCAPESuriCompletely unnecessary %-escapes inside a URL0.0010.0010.0010.001
IMG_ONLY_FM_DOM_INFOmetaHTML image-only message from .info domain2.4992.4452.4992.445
IMPOTENCEbodyImpotence cure1.5392.1443.0281.374
INVALID_DATEheaderInvalid Date: header (not RFC 2822)1.7010.4321.2001.096
INVALID_DATE_TZ_ABSURDheaderInvalid Date: header (timezone does not exist)0.2620.6320.7060.491
INVALID_MSGIDmetaMessage-Id is not valid, according to RFC 28222.6021.1671.3280.568
INVESTMENT_ADVICEbodyMessage mentions investment advice0.1000.1000.1000.100
IP_LINK_PLUSuriDotted-decimal IP address followed by CGI0.0010.0010.2460.012
JOIN_MILLIONSbodyJoin Millions of Americans0.1000.1000.1000.100
KB_DATE_CONTAINS_TABmetaNo description provided3.8003.7993.7992.751
KB_FAKED_THE_BATmetaNo description provided2.4323.4412.0082.694
KB_FORGED_MOZ4headerMozilla 4 uses X-Mailer2.8442.8422.8442.842
KB_RATWARE_MSGIDmetaNo description provided4.0992.9872.1081.700
KB_RATWARE_OUTLOOK_MIDheaderNo description provided4.4004.4002.5031.499
KHOP_FAKE_EBAYmetaSender falsely claims to be from eBay0.0410.8990.0410.899
KHOP_HELO_FCRDNSmetaRelay HELO differs from its IP's reverse DNS0.4000.4000.4000.400
LH_URI_DOM_IN_PATHuriLong-host URI having a domain name in the path part2.2990.2912.2990.291
LIST_PARTIAL_SHORT_MSGmetaIncomplete mailing list headers + short message2.4990.9352.4990.935
LIST_PRTL_PUMPDUMPmetaIncomplete List-* headers and stock pump-and-dump1.0001.0001.0001.000
LIST_PRTL_SAME_USERmetaIncomplete List-* headers and from+to user the same1.8321.9251.8321.925
LIVEFILESTOREuriNo description provided0.1000.1000.1000.100
LOCALPART_IN_SUBJECTheaderLocal part of To: address appears in Subject0.0010.7301.1991.107
LONGWORDSmetaLong string of long words2.1991.8441.8192.035
LONG_HEX_URImetaVery long purely hexadecimal URI1.8991.5831.8991.583
LONG_IMG_URImetaImage URI with very long path component - web bug?0.4980.1090.4980.109
LONG_INVISIBLE_TEXTmetaLong block of hidden text - spam scan evasion?1.2521.8271.2521.827
LONG_TERM_PRICEbodyNo description provided0.0010.0010.0010.001
LOTS_OF_MONEYmetaHuge... sums of money0.0010.0010.0010.001
LOTTERY_1metaNo description provided0.0011.4881.6300.087
LOTTERY_PH_004470metaNo description provided0.1000.1000.1000.100
LOTTO_AGENTmetaClaims Agent1.2441.4991.2441.499
LOW_PRICEbodyLowest Price0.1000.1000.1000.100
LUCRATIVEmetaMake lots of money!1.9991.9991.9991.999
L_SPAM_TOOL_13headerNo description provided0.5390.4850.4941.333
MAILING_LIST_MULTImetaMultiple indicators imply a widely-seen list manager1.0001.0001.0001.000
MALE_ENHANCEbodyMessage talks about enhancing men3.1003.0993.0990.851
MALF_HTML_B64metaMalformatted base64-encoded HTML content1.0001.0001.0001.000
MALWARE_NORDNSmetaMalware bragging + no rDNS1.0001.0001.0001.000
MALWARE_PASSWORDmetaMalware bragging + "password"1.0001.0001.0001.000
MANY_HDRS_LCASEmetaOdd capitalization of multiple message headers0.1000.1000.1000.100
MANY_SPAN_IN_TEXTmetaMany <SPAN> tags embedded within text2.3992.1992.3992.199
MARKETING_PARTNERSbodyClaims you registered with a partner0.5530.2350.6890.001
MAY_BE_FORGEDmetaRelay IP's reverse DNS does not resolve to IP1.0980.0011.0980.001
MICROSOFT_EXECUTABLEbodyMessage includes Microsoft executable program0.1000.1000.1000.100
MILLION_HUNDREDbodyMillion "One to Nine" Hundred0.0550.0010.0550.001
MILLION_USDbodyTalks about millions of dollars0.5190.0010.5190.001
MIMEOLE_DIRECT_TO_MXmetaMIMEOLE + direct-to-MX0.0010.0010.0010.001
MIMEPART_LIMIT_EXCEEDEDbodyMessage has too many MIME parts0.0010.0010.0010.001
MIME_BASE64_TEXTrawbodyMessage text disguised using base64 encoding0.0010.0010.0011.741
MIME_BOUND_DD_DIGITSheaderSpam tool pattern in MIME boundary3.0160.3492.4171.373
MIME_BOUND_DIGITS_15headerSpam tool pattern in MIME boundary0.1000.1000.1000.100
MIME_CHARSET_FARAWAYmetaMIME character set indicates foreign language2.4502.4502.4502.450
MIME_HEADER_CTYPE_ONLYmeta'Content-Type' found without required MIME headers0.1000.1000.1000.100
MIME_HTML_MOSTLYbodyMultipart message mostly text/html MIME0.1000.1000.1000.100
MIME_HTML_ONLYbodyMessage only has text/html MIME parts0.1000.1000.1000.100
MIME_HTML_ONLY_MULTImetaMultipart message only has text/html MIME parts0.0000.0010.0010.001
MIME_NO_TEXTmetaNo (properly identified) text body parts0.0010.0010.0010.001
MIME_PHP_NO_TEXTmetaNo text body parts, X-Mailer: PHP2.8002.7992.7992.799
MIME_QP_LONG_LINErawbodyQuoted-printable line longer than 76 chars0.0010.0010.0010.001
MIME_SUSPECT_NAMEbodyMIME filename does not match content0.1000.1000.1000.100
MISSING_DATEmetaMissing Date: header2.7391.3961.8001.360
MISSING_FROMmetaMissing From: header1.0001.0001.0001.000
MISSING_HEADERSheaderMissing To: header0.9151.2071.2041.021
MISSING_MIDmetaMissing Message-Id: header0.5520.1401.1990.497
MISSING_MIMEOLEmetaMessage has X-MSMail-Priority, but no X-MimeOLE0.3921.8430.5711.899
MISSING_MIME_HB_SEPbodyMissing blank line between MIME header and body0.0010.0010.0010.001
MISSING_SUBJECTmetaMissing Subject: header0.0011.7671.3001.799
MIXED_ESmetaToo many es are not es3.0990.6523.0990.652
MONERO_DEADLINEmetaMonero cryptocurrency with a deadline1.0001.0001.0001.000
MONERO_EXTORT_01metaExtortion spam, pay via Monero cryptocurrency1.0001.0001.0001.000
MONERO_MALWAREmetaMonero cryptocurrency + malware bragging1.0001.0001.0001.000
MONERO_PAY_MEmetaPay me via Monero cryptocurrency1.0001.0001.0001.000
MONEY_ATM_CARDmetaLots of money on an ATM card3.1002.7993.1002.799
MONEY_BACKbodyMoney back guarantee2.9102.4860.6011.232
MONEY_FORMmetaLots of money if you fill out a form2.9902.4842.9902.484
MONEY_FORM_SHORTmetaLots of money if you fill out a short form1.9360.0011.9360.001
MONEY_FRAUD_3metaLots of money and several fraud phrases2.9851.9702.9851.970
MONEY_FRAUD_5metaLots of money and many fraud phrases1.5650.0011.5650.001
MONEY_FRAUD_8metaLots of money and very many fraud phrases0.0010.0010.0010.001
MONEY_FROM_41metaLots of money from Africa1.9991.9991.9991.999
MONEY_FROM_MISSPmetaLots of money and misspaced From1.9990.0011.9990.001
MORE_SEXbodyTalks about a bigger drive for sex2.7992.7652.5681.413
MPART_ALT_DIFFbodyHTML and text parts are different2.2460.7240.5950.790
MPART_ALT_DIFF_COUNTbodyHTML and text parts are different2.7991.4831.1991.112
MSGID_DOLLARS_URI_IMGmetaSuspicious Message-ID and image2.9992.9992.9992.999
MSGID_FROM_MTA_HEADERmetaMessage-Id was added by a relay0.4010.0010.4730.001
MSGID_MULTIPLE_ATheaderMessage-ID contains multiple '@' characters1.0001.0001.0001.000
MSGID_NOFQDN1metaMessage-ID with no domain name0.7971.5320.7971.532
MSGID_OUTLOOK_INVALIDheaderMessage-Id is fake (in Outlook Express format)3.8993.8993.8993.899
MSGID_RANDYmetaMessage-Id has pattern used in spam2.1962.5992.5992.599
MSGID_SHORTheaderMessage-ID is unusually short0.0010.3370.0010.001
MSGID_SPAM_CAPSheaderSpam tool Message-Id: (caps variant)2.3661.9973.0993.099
MSGID_YAHOO_CAPSheaderMessage-ID has ALLCAPS@yahoo.com0.7971.4132.2781.411
MSM_PRIO_REPTOmetaMSMail priority header + Reply-to + short subject1.0001.0001.0001.000
MSOE_MID_WRONG_CASEmetaNo description provided0.9933.3730.9602.584
NEWEGG_IMG_NOT_RCVD_NEGGmetaNewegg hosted image but message not from Newegg1.0001.0001.0001.000
NICE_REPLY_AmetaLooks like a legit reply (A)-0.001-2.167-0.001-2.167
NML_ADSP_CUSTOM_HIGHmetaADSP custom_high hit, and not from a mailing list0.0002.6000.0002.500
NML_ADSP_CUSTOM_LOWmetaADSP custom_low hit, and not from a mailing list0.0000.7000.0000.700
NML_ADSP_CUSTOM_MEDmetaADSP custom_med hit, and not from a mailing list0.0001.2000.0000.900
NORDNS_LOW_CONTRASTmetaNo rDNS + hidden text1.2161.2511.2161.251
NORMAL_HTTP_TO_IPuriURI host has a public dotted-decimal IPv4 address0.1590.0010.7950.001
NO_DNS_FOR_FROMheaderEnvelope sender has no MX or A DNS records0.0000.3790.0000.001
NO_FM_NAME_IP_HOSTNmetaNo From name + hostname using IP address0.0010.3980.0010.398
NO_HEADERS_MESSAGEmetaMessage appears to be missing most RFC-822 headers0.0010.0010.0010.001
NO_MEDICALbodyNo Medical Exams2.1991.2542.1991.773
NO_PRESCRIPTIONbodyNo prescription needed1.9151.1022.2802.399
NO_RDNS_DOTCOM_HELOheaderHost HELO'd as a big ISP, but had no rDNS3.1000.4333.0990.823
NO_RECEIVEDmetaInformational: message has no Received headers-0.001-0.001-0.001-0.001
NO_RELAYSheaderInformational: message was not relayed via SMTP-0.001-0.001-0.001-0.001
NSL_RCVD_FROM_USERheaderReceived from User0.0010.0010.0010.001
NSL_RCVD_HELO_USERheaderReceived from HELO User0.2341.8520.2341.852
NULL_IN_BODYfullMessage has NUL (ASCII 0) byte in message0.5110.4982.0561.596
NUMBERONLY_BITCOIN_EXPmetaDomain ends in a large number and very short body with link0.0370.6940.0370.694
NUMERIC_HTTP_ADDRuriUses a numeric IP address in URL0.0000.0010.0011.242
OBFUSCATING_COMMENTmetaHTML comments which obfuscate text0.0000.0000.0010.723
OBFU_BITCOINmetaObfuscated BitCoin references1.0001.0001.0001.000
OBFU_JVSCR_ESCrawbodyInjects content using obfuscated javascript1.0001.0001.0001.000
OBFU_TEXT_ATTACHmimeheaderText attachment with non-text MIME type1.0001.0001.0001.000
OFFER_ONLY_AMERICAmetaOffer only available to US0.4990.0010.4990.001
ONE_TIMEbodyOne Time Rip Off1.8401.1751.8300.714
ONLINE_PHARMACYbodyOnline Pharmacy0.8432.3710.0080.650
OOOBOUNCE_MESSAGEmetaOut Of Office bounce message0.1000.1000.1000.100
PART_CID_STOCKmetaHas a spammy image attachment (by Content-ID)0.0010.0010.0010.000
PART_CID_STOCK_LESSmetaHas a spammy image attachment (by Content-ID, more specific)0.0000.0360.7450.894
PDS_BTC_IDmetaFP reduced Bitcoin ID0.4990.4990.4990.499
PDS_BTC_MSGIDmetaBitcoin ID with T_MSGID_NOFQDN20.9990.0010.9990.001
PDS_BTC_NTLDmetaBitcoin suspect NTLD1.4931.3261.4931.326
PDS_DBL_URL_TNB_RUNONmetaDouble-url and To no arrows, from runon1.9991.9991.9991.999
PDS_EMPTYSUBJ_URISHRTmetaEmpty subject with little more than URI shortener1.4990.6511.4990.651
PDS_FREEMAIL_REPLYTO_URISHRTmetaFreemail replyto with URI shortener1.4991.4991.4991.499
PDS_FRNOM_TODOM_NAKED_TOmetaNaked to From name equals to Domain1.4991.4991.4991.499
PDS_FROM_2_EMAILSmetaNo description provided2.1992.0992.1992.099
PDS_FROM_NAME_TO_DOMAINmetaFrom:name looks like To:domain0.9990.9990.9990.999
PDS_HELO_SPF_FAILmetaHigh profile HELO that fails SPF0.0011.0000.0011.000
PDS_HP_HELO_NORDNSmetaHigh profile HELO with no sender rDNS0.5410.0010.5410.001
PDS_NAKED_TO_NUMEROmetaNaked-to, numberonly domain1.9991.7671.9991.767
PDS_NO_FULL_NAME_SPOOFED_URLmetaHTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME0.7490.7490.7490.749
PDS_OTHER_BAD_TLDheaderUntrustworthy TLDs1.9991.9991.9991.999
PDS_SHORTFWD_URISHRTmetaThreaded email with URI shortener1.4991.5001.4991.500
PDS_SHORT_SPOOFED_URLmetaHTML message short and T_SPOOFED_URL (S_U_FP)1.9991.9991.9991.999
PDS_TINYSUBJ_URISHRTmetaShort subject with URL shortener1.4990.7811.4990.781
PDS_TONAME_EQ_TOLOCAL_FREEM_FORGEmetaForged replyto and __PDS_TONAME_EQ_TOLOCAL1.9991.9991.9991.999
PDS_TONAME_EQ_TOLOCAL_HDRS_LCASEmetaTo: name matches everything in local email - LCASE headers1.9991.9991.9991.999
PDS_TONAME_EQ_TOLOCAL_SHORTmetaShort body with To: name matches everything in local email1.9991.9991.9991.999
PDS_TONAME_EQ_TOLOCAL_VSHORTmetaVery short body and From looks like 2 different emails0.9990.9990.9990.999
PDS_TO_EQ_FROM_NAMEmetaFrom: name same as To: address3.9993.2403.9993.240
PERCENT_RANDOMmetaMessage has a random macro in it2.9992.8372.9831.838
PHOTO_EDITING_DIRECTmetaImage editing service, direct to MX1.0001.0001.0001.000
PHOTO_EDITING_FREEMmetaImage editing service, freemail or CHN replyto1.0001.0001.0001.000
PHP_NOVER_MUAmetaMail from PHP with no version number1.0001.0001.0001.000
PHP_ORIG_SCRIPTmetaSent by bot & other signs2.4991.6222.4991.622
PHP_SCRIPT_MUAmetaSent by PHP script, no version number1.0001.0001.0001.000
PLING_QUERYmetaSubject has exclamation mark and question mark0.1000.1000.1000.100
PP_MIME_FAKE_ASCII_TEXTbodyMIME text/plain claims to be ASCII but isn't0.9990.4440.9990.444
PP_TOO_MUCH_UNICODE02bodyIs text/plain but has many unicode escapes0.5000.5000.5000.500
PP_TOO_MUCH_UNICODE05bodyIs text/plain but has many unicode escapes1.0001.0001.0001.000
PRICES_ARE_AFFORDABLEbodyMessage says that prices aren't too expensive0.7940.8511.1120.551
PUMPDUMPmetaPump-and-dump stock scam phrase1.0001.0001.0001.000
PUMPDUMP_MULTImetaPump-and-dump stock scam phrases1.0001.0001.0001.000
PUMPDUMP_TIPmetaPump-and-dump stock tip1.0001.0001.0001.000
PYZOR_CHECKfullListed in Pyzor (https://pyzor.readthedocs.io/en/latest/)0.0001.9850.0001.392
RAND_HEADER_MANYmetaMany random gibberish message headers2.1642.0912.1642.091
RATWARE_EFROMheaderBulk email fingerprint (envfrom) found0.1000.1000.1000.100
RATWARE_EGROUPSheaderBulk email fingerprint (eGroups) found1.8981.2581.4061.621
RATWARE_MPOP_WEBMAILheaderBulk email fingerprint (mPOP Web-Mail)1.1531.3381.2291.999
RATWARE_MS_HASHmetaBulk email fingerprint (msgid ms hash) found2.0363.6920.4542.148
RATWARE_NAME_IDmetaBulk email fingerprint (msgid from) found3.0990.3093.0990.247
RATWARE_NO_RDNSmetaSuspicious MsgID and MIME boundary + no rDNS2.6991.1022.6991.102
RATWARE_OUTLOOK_NONAMEmetaBulk email fingerprint (Outlook no name) found2.9640.0332.6852.950
RATWARE_ZERO_TZmetaBulk email fingerprint (+0000) found2.3922.5350.2651.781
RAZOR2_CF_RANGE_51_100fullRazor2 gives confidence level above 50%0.0002.4300.0001.886
RAZOR2_CHECKfullListed in Razor2 (http://razor.sf.net/)0.0001.7290.0000.922
RCVD_DBL_DQheaderMalformatted message header1.0001.0001.0001.000
RCVD_DOTEDU_SHORTmetaVia .edu MTA + short message0.0850.0010.0850.001
RCVD_DOTEDU_SUSPmetaVia .edu MTA + suspicious content0.7030.0010.7030.001
RCVD_DOTEDU_SUSP_URImetaVia .edu MTA + suspicious URI0.0010.0010.0010.001
RCVD_DOUBLE_IP_LOOSEmetaReceived: by and from look like IP addresses1.1500.9601.0421.012
RCVD_DOUBLE_IP_SPAMmetaBulk email fingerprint (double IP) found2.4112.7771.9121.808
RCVD_FAKE_HELO_DOTCOMheaderReceived contains a faked HELO hostname2.7992.3892.6051.189
RCVD_HELO_IP_MISMATCHheaderReceived: HELO and IP do not match, but should1.6801.1862.3622.368
RCVD_ILLEGAL_IPheaderReceived: contains illegal IP address1.3001.3001.3001.300
RCVD_IN_BL_SPAMCOP_NETheaderReceived via a relay in bl.spamcop.net0.0001.2460.0001.347
RCVD_IN_DNSWL_BLOCKEDheaderADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.0.0000.0010.0000.001
RCVD_IN_DNSWL_HIheaderSender listed at https://www.dnswl.org/, high trust0.000-5.0000.000-5.000
RCVD_IN_DNSWL_LOWheaderSender listed at https://www.dnswl.org/, low trust0.000-0.7000.000-0.700
RCVD_IN_DNSWL_MEDheaderSender listed at https://www.dnswl.org/, medium trust0.000-2.3000.000-2.300
RCVD_IN_DNSWL_NONEheaderSender listed at https://www.dnswl.org/, no trust0.000-0.0000.000-0.000
RCVD_IN_IADB_DKheaderIADB: Sender publishes Domain Keys record0.000-0.2230.000-0.095
RCVD_IN_IADB_DOPTINheaderIADB: All mailing list mail is confirmed opt-in0.000-4.0000.000-4.000
RCVD_IN_IADB_DOPTIN_LT50headerIADB: Confirmed opt-in used less than 50% of the time0.000-0.0010.000-0.001
RCVD_IN_IADB_LISTEDheaderParticipates in the IADB system0.000-0.3800.000-0.001
RCVD_IN_IADB_MI_CPR_MATheaderIADB: Sends no material under Michigan's CPR0.000-0.3320.0000.000
RCVD_IN_IADB_ML_DOPTINheaderIADB: Mailing list email only, confirmed opt-in0.000-6.0000.000-6.000
RCVD_IN_IADB_OPTINheaderIADB: All mailing list mail is opt-in0.000-2.0570.000-1.470
RCVD_IN_IADB_OPTIN_GT50headerIADB: Opt-in used more than 50% of the time0.000-1.2080.000-0.007
RCVD_IN_IADB_RDNSheaderIADB: Sender has reverse DNS record0.000-0.1670.000-0.235
RCVD_IN_IADB_SENDERIDheaderIADB: Sender publishes Sender ID record0.000-0.0010.000-0.001
RCVD_IN_IADB_SPFheaderIADB: Sender publishes SPF record0.000-0.0010.000-0.059
RCVD_IN_IADB_UT_CPR_MATheaderIADB: Sends no material under Utah's CPR0.000-0.0950.000-0.001
RCVD_IN_IADB_VOUCHEDheaderISIPP IADB lists as vouched-for sender0.000-2.2000.000-2.200
RCVD_IN_MSPIKE_BLmetaMailspike blacklisted0.0010.0010.0010.001
RCVD_IN_MSPIKE_H2headerAverage reputation (+2)0.001-0.0010.001-0.001
RCVD_IN_MSPIKE_H3headerGood reputation (+3)0.0010.0010.0010.001
RCVD_IN_MSPIKE_H4headerVery Good reputation (+4)0.0010.0010.0010.001
RCVD_IN_MSPIKE_H5headerExcellent reputation (+5)0.0010.0010.0010.001
RCVD_IN_MSPIKE_L2headerSuspicious reputation (-2)0.0010.0010.0010.001
RCVD_IN_MSPIKE_L3headerLow reputation (-3)0.0010.0010.0010.001
RCVD_IN_MSPIKE_L4headerBad reputation (-4)0.0010.0010.0010.001
RCVD_IN_MSPIKE_L5headerVery bad reputation (-5)0.0010.0010.0010.001
RCVD_IN_MSPIKE_WLmetaMailspike good senders0.0010.0010.0010.001
RCVD_IN_MSPIKE_ZBImetaNo description provided0.0010.0010.0010.001
RCVD_IN_PBLheaderReceived via a relay in Spamhaus PBL0.0003.5580.0003.335
RCVD_IN_PSBLheaderReceived via a relay in PSBL0.0002.7000.0002.700
RCVD_IN_RP_CERTIFIEDheaderSender in ReturnPath Certified - Contact cert-sa@returnpath.net0.000-3.0000.000-3.000
RCVD_IN_RP_RNBLheaderRelay in RNBL, https://senderscore.org/blacklistlookup/0.0001.2840.0001.310
RCVD_IN_RP_SAFEheaderSender in ReturnPath Safe - Contact safe-sa@returnpath.net0.000-2.0000.000-2.000
RCVD_IN_SBLheaderReceived via a relay in Spamhaus SBL0.0002.5960.0000.141
RCVD_IN_SBL_CSSheaderReceived via a relay in Spamhaus SBL-CSS0.0003.5580.0003.335
RCVD_IN_SORBS_DULheaderSORBS: sent directly from dynamic IP address0.0000.0010.0000.001
RCVD_IN_SORBS_HTTPheaderSORBS: sender is open HTTP proxy server0.0002.4990.0000.001
RCVD_IN_SORBS_SOCKSheaderSORBS: sender is open SOCKS proxy server0.0002.4430.0001.927
RCVD_IN_SORBS_WEBheaderSORBS: sender is an abusable web server0.0001.5000.0001.500
RCVD_IN_XBLheaderReceived via a relay in Spamhaus XBL0.0000.7240.0000.375
RCVD_IN_ZEN_BLOCKEDheaderADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/0.0000.0010.0000.001
RCVD_IN_ZEN_BLOCKED_OPENDNSheaderADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/0.0000.0010.0000.001
RCVD_NUMERIC_HELO???No description provided0.0010.8650.0011.164
RDNS_DYNAMICmetaDelivered to internal network by host with dynamic-looking rDNS2.6390.3631.6630.982
RDNS_LOCALHOSTheaderSender's public rDNS is "localhost"3.7000.9692.3450.001
RDNS_NONEmetaDelivered to internal network by a host with no rDNS2.3991.2741.2280.793
RDNS_NUM_TLD_ATCHNXmetaRelay rDNS has numeric TLD + suspicious attachment1.9982.3191.9982.319
RDNS_NUM_TLD_XMmetaRelay rDNS has numeric TLD + suspicious headers2.9991.6552.9991.655
REMOVE_BEFORE_LINKbodyRemoval phrase right before a link0.1000.1000.1000.100
REPLICA_WATCHbodyMessage talks about a replica watch3.4873.1644.0743.775
REPLYTO_WITHOUT_TO_CCmetaNo description provided2.3991.9460.6071.552
REPTO_QUOTE_YAHOOmetaYahoo! doesn't do quoting like this0.0010.4900.0010.646
RISK_FREEmetaNo risk!3.0992.8993.0992.899
RP_MATCHES_RCVD???No description provided-0.001-0.001-0.001-0.001
SB_GIF_AND_NO_URISmetaNo description provided2.1992.1992.2002.199
SENDGRID_REDIRmetaRedirect URI via Sendgrid1.4991.4991.4991.499
SENDGRID_REDIR_PHISHmetaRedirect URI via Sendgrid + phishing signs3.3211.7353.3211.735
SEO_SUSP_NTLDmetaSEO offer from suspicious TLD1.0271.0001.0271.000
SERGIO_SUBJECT_VIAGRA01headerViagra garbled subject0.7172.1470.7172.147
SHOPIFY_IMG_NOT_RCVD_SFYmetaShopify hosted image but message not from Shopify2.4990.0012.4990.001
SHORTENED_URL_HREFrawbodyNo description provided0.9991.0000.9991.000
SHORTENED_URL_SRCrawbodyNo description provided3.0992.8993.0992.899
SHORTENER_SHORT_IMGmetaShort HTML + image + URL shortener0.0011.3610.0011.361
SHORT_BODY_G_DRIVE_DYNmetaShort body with Google Drive link and dynamic looking sender0.1290.8490.1290.849
SHORT_HELO_AND_INLINE_IMAGEmetaShort HELO string, with inline image0.1000.1000.1000.100
SHORT_IMG_SUSP_NTLDmetaShort HTML + image + suspicious TLD0.7670.8910.7670.891
SHORT_SHORTNERmetaShort body with little more than a link to a shortener1.9991.9991.9991.999
SHORT_TERM_PRICEbodyNo description provided0.0010.0010.0010.001
SINGLETS_LOW_CONTRASTmetaSingle-letter formatted HTML + hidden text0.0010.0010.0010.001
SORTED_RECIPSheaderRecipient list is sorted by address1.8012.4741.7912.499
SPAMMY_XMAILERmetaX-Mailer string is common in spam and not in ham2.6500.8621.9932.491
SPF_FAILheaderSPF: sender does not match SPF record (fail)0.0000.9190.0000.001
SPF_HELO_FAILheaderSPF: HELO does not match SPF record (fail)0.0000.0010.0000.001
SPF_HELO_NEUTRALheaderSPF: HELO does not match SPF record (neutral)0.0000.0010.0000.112
SPF_HELO_NONEheaderSPF: HELO does not publish an SPF Record0.0010.0010.0010.001
SPF_HELO_PASSheaderSPF: HELO matches SPF record-0.001-0.001-0.001-0.001
SPF_HELO_SOFTFAILheaderSPF: HELO does not match SPF record (softfail)0.0000.8960.0000.732
SPF_NEUTRALheaderSPF: sender does not match SPF record (neutral)0.0000.6520.0000.779
SPF_NONEheaderSPF: sender does not publish an SPF Record0.0010.0010.0010.001
SPF_PASSheaderSPF: sender matches SPF record-0.001-0.001-0.001-0.001
SPF_SOFTFAILheaderSPF: sender does not match SPF record (softfail)0.0000.9720.0000.665
SPOOFED_FREEMAILmetaNo description provided0.0011.7180.0011.718
SPOOFED_FREEMAIL_NO_RDNSmetaFrom SPOOFED_FREEMAIL and no rDNS1.4990.0011.4990.001
SPOOFED_FREEM_REPTOmetaForged freemail sender with freemail reply-to0.0012.2760.0012.276
SPOOFED_FREEM_REPTO_CHNmetaForged freemail sender with Chinese freemail reply-to0.0012.0540.0012.054
SPOOFED_FREEM_REPTO_RUSmetaForged freemail sender with Russian freemail reply-to0.0011.0000.0011.000
SPOOF_COM2COMuriURI contains ".com" in middle and end0.0010.0010.0010.001
SPOOF_COM2OTHuriURI contains ".com" in middle0.0010.0010.0010.001
STATIC_XPRIO_OLEmetaStatic RDNS + X-Priority + MIMEOLE1.0801.9401.0801.940
STOCK_IMG_CTYPEmetaStock spam image part, with distinctive Content-Type header0.0010.0050.0010.001
STOCK_IMG_HDR_FROMmetaStock spam image part, with distinctive From line0.0010.0010.0010.021
STOCK_IMG_HTMLmetaStock spam image part, with distinctive HTML0.0000.0280.0000.005
STOCK_IMG_OUTLOOKmetaStock spam image part, with Outlook-like features0.0010.7020.4130.190
STOCK_LOW_CONTRASTmetaStocks + hidden text0.7280.0010.7280.001
STOCK_TIPmetaStock tips1.0001.0001.0001.000
STOX_BOUND_090909_BheaderNo description provided1.9692.4271.9692.427
STOX_REPLY_TYPEheaderNo description provided1.8980.2120.1410.439
STOX_REPLY_TYPE_WITHOUT_QUOTESmetaNo description provided3.0991.8601.6291.757
STYLE_GIBBERISH???No description provided0.1000.1000.1000.100
SUBJECT_DIETheaderSubject talks about losing pounds1.9271.5630.8171.466
SUBJECT_DRUG_GAP_CheaderSubject contains a gappy version of 'cialis'2.1080.9891.3482.140
SUBJECT_DRUG_GAP_LheaderSubject contains a gappy version of 'levitra'2.7992.3041.4021.561
SUBJECT_FUZZY_CHEAPheaderAttempt to obfuscate words in Subject:0.6411.8310.8330.001
SUBJECT_IN_BLACKLISTheaderSubject: contains string in the user's black-list100.000100.000100.000100.000
SUBJECT_IN_WHITELISTheaderSubject: contains string in the user's white-list-100.000-100.000-100.000-100.000
SUBJECT_NEEDS_ENCODINGmetaSubject is encoded but does not specify the encoding0.4980.1000.8040.049
SUBJ_ALL_CAPSheaderSubject is all capitals0.5000.5000.5000.500
SUBJ_AS_SEENheaderSubject contains "As Seen"2.7113.0993.0991.461
SUBJ_BRKN_WORDNUMSmetaSubject contains odd word breaks and numbers1.0001.0001.0001.000
SUBJ_BUYheaderSubject line starts with Buy or Buying0.5941.4980.0010.639
SUBJ_DOLLARSheaderSubject starts with dollar amount0.1000.1000.1000.100
SUBJ_ILLEGAL_CHARSmetaSubject: has too many raw illegal characters0.6201.1050.4481.518
SUBJ_OBFU_PUNCT_FEWmetaPossible punctuation-obfuscated Subject: header0.7490.7490.7490.749
SUBJ_OBFU_PUNCT_MANYmetaPunctuation-obfuscated Subject: header0.0010.6960.0010.696
SUBJ_UNNEEDED_HTMLmetaUnneeded HTML formatting in Subject:1.0001.0001.0001.000
SUBJ_YOUR_FAMILYheaderSubject contains "Your Family"2.9102.9992.9992.999
SURBL_BLOCKEDbodyADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.0.0010.0010.0010.001
SUSPICIOUS_RECIPSheaderSimilar addresses in recipient list2.4992.4972.1392.510
SUSP_UTF8_WORD_FROMmetaWord in From name using only suspicious UTF-8 characters0.3640.0010.3640.001
SUSP_UTF8_WORD_SUBJmetaWord in Subject using only suspicious UTF-8 characters1.9991.9991.9991.999
SYSADMINmetaSupposedly from your IT department1.0001.0001.0001.000
TBIRD_SUSP_MIME_BDRYmetaUnlikely Thunderbird MIME boundary2.4002.4002.3992.399
TEQF_USR_IMAGEmetaTo and from user nearly same + image1.0001.0001.0001.000
TEQF_USR_MSGID_HEXmetaTo and from user nearly same + unusual message ID1.0001.0001.0001.000
TEQF_USR_MSGID_MALFmetaTo and from user nearly same + malformed message ID1.0001.0001.0001.000
TEQF_USR_POLITEmetaTo and from user nearly same + polite greeting1.3040.7631.3040.763
THEBAT_UNREGheaderNo description provided2.5991.8432.3241.524
THIS_ADmeta"This ad" and variants1.3991.2991.3991.299
THIS_IS_ADV_SUSP_NTLDmetaThis is an advertisement from a suspicious TLD0.0010.0010.0010.001
TONOM_EQ_TOLOC_SHRT_SHRTNERmetaShort email with shortener and To:name eq To:local0.9940.0010.9940.001
TO_EQ_FM_DIRECT_MXmetaTo == From and direct-to-MX0.0012.0250.0012.025
TO_EQ_FM_DOM_HTML_IMGmetaTo domain == From domain and HTML image link0.1580.5180.1580.518
TO_EQ_FM_DOM_HTML_ONLYmetaTo domain == From domain and HTML only1.6991.0431.6991.043
TO_EQ_FM_DOM_SPF_FAILmetaTo domain == From domain and external SPF failed0.0010.0010.0010.001
TO_EQ_FM_HTML_ONLYmetaTo == From and HTML only0.3950.1370.3950.137
TO_EQ_FM_SPF_FAILmetaTo == From and external SPF failed0.0010.2930.0010.293
TO_IN_SUBJmetaTo address is in Subject0.0010.0740.0010.074
TO_MALFORMEDheaderTo: has a malformed address0.1000.1000.1000.100
TO_NAME_SUBJ_NO_RDNSmetaRecipient username in subject + no rDNS2.4952.9302.4952.930
TO_NO_BRKTS_FROM_MSSPmetaMultiple header formatting problems2.4992.4992.4992.499
TO_NO_BRKTS_HTML_IMGmetaTo: lacks brackets and HTML and one image1.9991.0491.9991.049
TO_NO_BRKTS_HTML_ONLYmetaTo: lacks brackets and HTML only1.9991.9991.9991.999
TO_NO_BRKTS_MSFTmetaTo: lacks brackets and supposed Microsoft tool2.4992.5002.4992.500
TO_NO_BRKTS_NORDNS_HTMLmetaTo: lacks brackets and no rDNS and HTML only1.9991.9991.9991.999
TO_NO_BRKTS_PCNTmetaTo: lacks brackets + percentage2.4992.3982.4992.398
TRACKER_IDbodyIncorporates a tracking ID number0.1000.1000.1000.100
TRANSFORM_LIFEmetaTransform your life!2.4992.4992.4992.499
TT_MSGID_TRUNCheaderScora: Message-Id ends after left-bracket + digits0.7480.0231.4341.448
TVD_APPROVEDbodyBody states that the recipient has been approved1.0001.0001.0001.000
TVD_FINGER_02headerNo description provided0.0010.0010.0010.001
TVD_FW_GRAPHIC_NAME_LONGmimeheaderLong image attachment name0.0010.6480.8361.293
TVD_FW_GRAPHIC_NAME_MIDmimeheaderMedium sized image attachment name0.6000.0010.3890.095
TVD_INCREASE_SIZEbodyAdvertising for penis enlargement1.5290.6011.0550.001
TVD_PH_7bodyNo description provided2.6992.4992.6992.499
TVD_PH_BODY_ACCOUNTS_PREmetaThe body matches phrases such as "accounts suspended", "account credited", "account verification"0.0010.0010.0010.001
TVD_PH_RECbodyMessage includes a phrase commonly used in phishing mails0.1000.1000.1000.100
TVD_PH_SECbodyMessage includes a phrase commonly used in phishing mails0.1000.1000.1000.100
TVD_QUAL_MEDSbodyThe body matches phrases such as "quality meds" or "quality medication"2.6972.3972.7992.483
TVD_RCVD_IPheaderMessage was received from an IP address0.0010.0010.0010.001
TVD_RCVD_IP4headerMessage was received from an IPv4 address0.0010.0010.0010.001
TVD_RCVD_SPACE_BRACKETheaderNo description provided4.2993.1704.2993.170
TVD_SPACE_ENCODEDmetaSpace ratio & encoded subject1.5001.5001.5001.500
TVD_SPACE_RATIOmetaNo description provided0.0010.0010.0010.001
TVD_SPACE_RATIO_MINFPmetaSpace ratio1.5001.5001.5001.500
TVD_SUBJ_ACC_NUMheaderSubject has spammy looking monetary reference0.1000.1000.1000.100
TVD_SUBJ_NUM_OBFU_MINFPmetaNo description provided2.9991.6332.9991.633
TVD_SUBJ_WIPE_DEBTheaderSpam advertising a way to eliminate debt2.5992.2912.5991.004
TVD_VISIT_PHARMAbodyBody mentions online pharmacy1.9571.1960.4171.406
TW_GIBBERISH_MANYmetaLots of gibberish text to spoof pattern matching filters1.0001.0001.0001.000
TXREPheaderScore normalizing based on sender's reputation1.0001.0001.0001.000
T_ACH_CANCELLED_EXEmeta"ACH cancelled" probable malware0.1000.1000.1000.100
T_ANY_PILL_PRICEmetaPrices for pills0.1000.1000.1000.100
T_CDISP_SZ_MANYmimeheaderSuspicious MIME header0.1000.1000.1000.100
T_DOC_ATTACH_NO_EXTmetaDocument attachment with suspicious name0.1000.1000.1000.100
T_DOS_OUTLOOK_TO_MX_IMAGEmetaDirect to MX with Outlook headers and an image0.1000.1000.1000.100
T_DOS_ZIP_HARDCOREmimeheaderhardcore.zip file attached; quite certainly a virus0.1000.1000.1000.100
T_DRUGS_ERECTILE_SHORT_SHORTNERmetaShort erectile drugs advert with T_URL_SHORTENER0.1000.1000.1000.100
T_EMRCPbody"Excess Maximum Return Capital Profit" scam0.1000.1000.1000.100
T_FILL_THIS_FORM_LOANmetaAnswer loan question(s)0.1000.1000.1000.100
T_FILL_THIS_FORM_SHORTmetaFill in a short form with personal information0.1000.1000.1000.100
T_FONT_INVIS_NAKED_TOmetaInvisible text + suspicious To0.1000.1000.1000.100
T_FONT_INVIS_NORDNSmetaInvisible text + no rDNS0.1000.1000.1000.100
T_FORGED_TBIRD_IMG_SIZEmetaLikely forged Thunderbird image spam0.1000.1000.1000.100
T_FREEMAIL_DOC_PDFmetaMS document or PDF attachment, from freemail0.1000.1000.1000.100
T_FREEMAIL_DOC_PDF_BCCmetaMS document or PDF attachment, from freemail, all recipients hidden0.1000.1000.1000.100
T_FREEMAIL_RVW_ATTCHmetaPlease review attached document, from freemail0.1000.1000.1000.100
T_FROMNAME_EQUALS_TOmetaFrom:name matches To:0.1000.1000.1000.100
T_FROMNAME_SPOOFED_EMAILmetaFrom:name looks like a spoofed email0.1000.1000.1000.100
T_FUZZY_OPTOUTbodyObfuscated opt-out text0.1000.1000.1000.100
T_GB_FREEM_FROM_NOT_REPLYmetaFrom: and Reply-To: have different freemail domains0.1000.1000.1000.100
T_GB_FROMNAME_SPOOFED_EMAIL_IPmetaFrom:name looks like a spoofed email from a spoofed ip0.1000.1000.1000.100
T_GB_HASHBL_BTCbodyMessage contains BTC address found on BTCBL0.1000.1000.1000.100
T_HTML_ATTACHmetaHTML attachment to bypass scanning?0.1000.1000.1000.100
T_HTML_TAG_BALANCE_CENTERmetaMalformatted HTML0.1000.1000.1000.100
T_ISO_ATTACHmetaISO attachment - possible malware delivery0.1000.1000.1000.100
T_KAM_HTML_FONT_INVALIDbodyTest for Invalidly Named or Formatted Colors in HTML0.1000.1000.1000.100
T_LARGE_PCT_AFTER_MANYmetaMany large percentages after...0.1000.1000.1000.100
T_LOTTO_AGENT_FMheaderClaims Agent0.1000.1000.1000.100
T_LOTTO_AGENT_RPLYmetaClaims Agent0.1000.1000.1000.100
T_LOTTO_URIuriClaims Department URL0.1000.1000.1000.100
T_MALW_ATTACHmetaAttachment filename suspicious, probable malware exploit0.1000.1000.1000.100
T_MANY_PILL_PRICEmetaPrices for many pills0.1000.1000.1000.100
T_MIME_MALFmetaMalformed MIME: headers in body0.1000.1000.1000.100
T_MONEY_PERCENTmetaX% of a lot of money for you0.1000.1000.1000.100
T_OBFU_ATTACH_MISSPmetaObfuscated attachment type and misspaced From0.1000.1000.1000.100
T_OBFU_DOC_ATTACHmimeheaderMS Document attachment with generic MIME type0.1000.1000.1000.100
T_OBFU_GIF_ATTACHmimeheaderGIF attachment with generic MIME type0.1000.1000.1000.100
T_OBFU_HTML_ATTACHmimeheaderHTML attachment with non-text MIME type0.1000.1000.1000.100
T_OBFU_HTML_ATT_MALWmetaHTML attachment with incorrect MIME type - possible malware0.1000.1000.1000.100
T_OBFU_JPG_ATTACHmimeheaderJPG attachment with generic MIME type0.1000.1000.1000.100
T_OBFU_PDF_ATTACHmimeheaderPDF attachment with generic MIME type0.1000.1000.1000.100
T_PDS_BTC_AHACKERmetaBitcoin Hacker0.1000.1000.1000.100
T_PDS_BTC_HACKERmetaBitcoin Hacker0.1000.1000.1000.100
T_PDS_LTC_AHACKERmetaLitecoin Hacker0.1000.1000.1000.100
T_PDS_LTC_HACKERmetaLitecoin Hacker0.1000.1000.1000.100
T_REMOTE_IMAGEmetaMessage contains an external image0.1000.1000.1000.100
T_SENT_TO_EMAIL_ADDRmetaEmail was sent to email address0.1000.1000.1000.100
T_SHARE_50_50metaShare the money 50/500.1000.1000.1000.100
T_SPF_HELO_PERMERRORheaderSPF: test of HELO record failed (permerror)0.1000.1000.1000.100
T_SPF_HELO_TEMPERRORheaderSPF: test of HELO record failed (temperror)0.1000.1000.1000.100
T_SPF_PERMERRORheaderSPF: test of record failed (permerror)0.1000.1000.1000.100
T_SPF_TEMPERRORheaderSPF: test of record failed (temperror)0.1000.1000.1000.100
T_STY_INVIS_DIRECTmetaHTML hidden text + direct-to-MX0.1000.1000.1000.100
T_SUSPNTLD_EXPIRATION_EXTORTmetaSusp NTLD with an expiration notice and lotsa money0.1000.1000.1000.100
T_TONOM_EQ_TOLOC_SHRT_PSHRTNERmetaShort subject with potential shortener and To:name eq To:local0.1000.1000.1000.100
T_WON_MONEY_ATTACHmetaYou won lots of money! See attachment.0.1000.1000.1000.100
T_WON_NBDY_ATTACHmetaYou won lots of money! See attachment.0.1000.1000.1000.100
T_ZW_OBFU_BITCOINmetaObfuscated text + bitcoin ID - possible extortion0.1000.1000.1000.100
T_ZW_OBFU_FREEMmetaObfuscated text + freemail0.1000.1000.1000.100
T_ZW_OBFU_FROMTOSUBJmetaObfuscated text + from in to and subject0.1000.1000.1000.100
UC_GIBBERISH_OBFUmetaMultiple instances of "word VERYLONGGIBBERISH word"1.0001.0001.0001.000
UNCLAIMED_MONEYbodyPeople just leave money laying around2.6992.6992.6992.427
UNCLOSED_BRACKETheaderHeaders contain an unclosed bracket2.6991.3291.4251.496
UNICODE_OBFU_ASCmetaObfuscating text with unicode1.0001.0001.0001.000
UNICODE_OBFU_ZWmetaObfuscating text with hidden characters1.0001.0001.0001.000
UNPARSEABLE_RELAYmetaInformational: message has unparseable relay lines0.0010.0010.0010.001
UNRESOLVED_TEMPLATEheaderHeaders contain an unresolved template3.0350.7162.4241.252
UNWANTED_LANGUAGE_BODYbodyMessage written in an undesired language2.8002.8002.8002.800
UPGRADE_MAILBOXmetaUpgrade your mailbox! (phishing?)1.1990.0011.1990.001
UPPERCASE_50_75metamessage body is 50-75% uppercase0.0010.7910.0010.008
UPPERCASE_75_100metamessage body is 75-100% uppercase1.4801.1890.0010.001
URG_BIZbodyContains urgent matter1.7500.9410.5680.573
URIBL_ABUSE_SURBLbodyContains an URL listed in the ABUSE SURBL blocklist0.0001.9480.0001.250
URIBL_CR_SURBLbodyContains an URL listed in the CR SURBL blocklist0.0001.2630.0001.263
URIBL_CSSbodyContains an URL's NS IP listed in the Spamhaus CSS blocklist0.0000.1000.0000.100
URIBL_CSS_AbodyContains URL's A record listed in the Spamhaus CSS blocklist0.0000.1000.0000.100
URIBL_DBL_ABUSE_BOTCCbodyContains an abused botnet C&C URL listed in the Spamhaus DBL blocklist0.0002.5000.0002.500
URIBL_DBL_ABUSE_MALWbodyContains an abused malware URL listed in the Spamhaus DBL blocklist0.0002.5000.0002.500
URIBL_DBL_ABUSE_PHISHbodyContains an abused phishing URL listed in the Spamhaus DBL blocklist0.0002.5000.0002.500
URIBL_DBL_ABUSE_REDIRbodyContains an abused redirector URL listed in the Spamhaus DBL blocklist0.0000.0010.0000.001
URIBL_DBL_ABUSE_SPAMbodyContains an abused spamvertized URL listed in the Spamhaus DBL blocklist0.0002.0000.0002.000
URIBL_DBL_BLOCKEDbodyADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/0.0000.0010.0000.001
URIBL_DBL_BLOCKED_OPENDNSbodyADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/0.0000.0010.0000.001
URIBL_DBL_BOTNETCCbodyContains a botned C&C URL listed in the Spamhaus DBL blocklist0.0002.5000.0002.500
URIBL_DBL_ERRORbodyError: queried the Spamhaus DBL blocklist for an IP0.0000.0010.0000.001
URIBL_DBL_MALWAREbodyContains a malware URL listed in the Spamhaus DBL blocklist0.0002.5000.0002.500
URIBL_DBL_PHISHbodyContains a Phishing URL listed in the Spamhaus DBL blocklist0.0002.5000.0002.500
URIBL_DBL_SPAMbodyContains a spam URL listed in the Spamhaus DBL blocklist0.0002.5000.0002.500
URIBL_MW_SURBLbodyContains a URL listed in the MW SURBL blocklist0.0001.2630.0001.263
URIBL_PH_SURBLbodyContains an URL listed in the PH SURBL blocklist0.0000.0010.0000.610
URIBL_RHS_DOBbodyContains an URI of a new domain (Day Old Bread)0.0000.2760.0001.514
URIBL_SBLbodyContains an URL's NS IP listed in the Spamhaus SBL blocklist0.0000.6440.0001.623
URIBL_SBL_AbodyContains URL's A record listed in the Spamhaus SBL blocklist0.0000.1000.0000.100
URIBL_WS_SURBLbodyContains an URL listed in the WS SURBL blocklist0.0001.6590.0001.608
URIBL_ZEN_BLOCKEDbodyADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/0.0000.0010.0000.001
URIBL_ZEN_BLOCKED_OPENDNSbodyADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/0.0000.0010.0000.001
URI_BUFFLYmetabuff.ly redirector URI1.9991.9991.9991.999
URI_DASHGOVEDUmetaSuspicious domain name1.0001.0001.0001.000
URI_DATAmeta"data:" URI - possible malware or phish1.0001.0001.0001.000
URI_DOTEDUmetaHas .edu URI0.0010.0010.0010.001
URI_DOTEDU_ENTITYmetaVia .edu MTA + suspicious HTML content1.0001.0001.0001.000
URI_DQ_UNSUBmetaIP-address unsubscribe URI1.0001.0001.0001.000
URI_GOOGLE_PROXYmetaAccessing a blacklisted URI or obscuring source of phish via Google proxy?0.0010.3380.0010.338
URI_HEXuriURI hostname has long hexadecimal sequence0.1000.1000.1000.100
URI_HEX_IPmetaURI with hex-encoded IP-address host1.0001.0001.0001.000
URI_HOST_IN_BLACKLISTbodyHost or Domain is listed in the user's URI black-list100.000100.000100.000100.000
URI_HOST_IN_WHITELISTbodyHost or Domain is listed in the user's URI white-list-100.000-100.000-100.000-100.000
URI_IMG_WP_REDIRmetaImage via WordPress "accelerator" proxy1.0001.0001.0001.000
URI_IN_URI_10uriMultiple URIs inside URI3.1734.0933.1734.093
URI_IN_URI_5uriMultiple URIs inside URI2.0982.5502.0982.550
URI_MALWARE_SCMSuriLink to malware exploit download (.SettingContent-ms file)1.0001.0001.0001.000
URI_NOVOWELuriURI hostname has long non-vowel sequence0.5000.5000.5000.500
URI_NO_WWW_BIZ_CGIuriCGI in .biz TLD other than third-level "www"1.0001.0001.0001.000
URI_NO_WWW_INFO_CGIuriCGI in .info TLD other than third-level "www"1.0001.0001.0001.000
URI_ONLY_MSGID_MALFmetaURI only + malformed message ID0.0010.0010.0010.001
URI_OPTOUT_3LDuriOpt-out URI, suspicious hostname1.0001.0001.0001.000
URI_OPTOUT_USMEuriOpt-out URI, unusual TLD1.0001.0001.0001.000
URI_PHISHmetaPhishing using web form2.2472.7732.2472.773
URI_PHP_REDIRmetaPHP redirect to different URL (link obfuscation)3.4993.4993.4993.499
URI_TRUNCATEDbodyMessage contained a URI which was truncated0.0010.0010.0010.001
URI_TRY_3LDuri"Try it" URI, suspicious hostname0.0011.9990.0011.999
URI_TRY_USMEmeta"Try it" URI, unusual TLD1.0001.0001.0001.000
URI_WPADMINmetaWordPress login/admin URI, possible phishing2.4092.4002.4092.400
URI_WP_DIRINDEXmetaURI for compromised WordPress site, possible malware2.6870.8662.6870.866
URI_WP_HACKEDmetaURI for compromised WordPress site, possible malware3.4993.4993.4993.499
URI_WP_HACKED_2metaURI for compromised WordPress site, possible malware2.4992.4992.4992.499
USB_DRIVESmetaTrying to sell custom USB flash drives1.0001.0001.0001.000
USER_IN_ALL_SPAM_TOheaderUser is listed in 'all_spam_to'-100.000-100.000-100.000-100.000
USER_IN_BLACKLISTheaderFrom: address is in the user's black-list100.000100.000100.000100.000
USER_IN_BLACKLIST_TOheaderUser is listed in 'blacklist_to'10.00010.00010.00010.000
USER_IN_DEF_DKIM_WLheaderFrom: address is in the default DKIM white-list-7.500-7.500-7.500-7.500
USER_IN_DEF_SPF_WLheaderFrom: address is in the default SPF white-list-7.500-7.500-7.500-7.500
USER_IN_DEF_WHITELISTheaderFrom: address is in the default white-list-15.000-15.000-15.000-15.000
USER_IN_DKIM_WHITELISTheaderFrom: address is in the user's DKIM whitelist-100.000-100.000-100.000-100.000
USER_IN_MORE_SPAM_TOheaderUser is listed in 'more_spam_to'-20.000-20.000-20.000-20.000
USER_IN_SPF_WHITELISTheaderFrom: address is in the user's SPF whitelist-100.000-100.000-100.000-100.000
USER_IN_WELCOMELISTheaderuser is listed in 'welcomelist_from'-0.010-0.010-0.010-0.010
USER_IN_WELCOMELIST_TOheaderUser is listed in 'welcomelist_to'-0.010-0.010-0.010-0.010
USER_IN_WHITELISTmetaDEPRECATED: See USER_IN_WELCOMELIST-100.000-100.000-100.000-100.000
USER_IN_WHITELIST_TOmetaDEPRECATED: See USER_IN_WELCOMELIST_TO-6.000-6.000-6.000-6.000
VBOUNCE_MESSAGEmetaVirus-scanner bounce message0.1000.1000.1000.100
VPS_NO_NTLDmetavps[0-9] domain at a suspiscious TLD1.0001.0001.0001.000
WALMART_IMG_NOT_RCVD_WALmetaWalmart hosted image but message not from Walmart1.0001.0001.0001.000
WEIRD_PORTuriUses non-standard port number for HTTP0.0010.0010.0970.001
WEIRD_QUOTINGbodyWeird repeated double-quotation marks0.0010.0010.0010.001
WIKI_IMGuriImage from wikipedia3.1992.9993.1992.999
XM_PHPMAILER_FORGEDmetaApparently forged header1.0001.0001.0001.000
XPRIOmetaHas X-Priority header2.2491.9652.2491.965
XPRIO_SHORT_SUBJmetaHas X-Priority header + short subject0.9980.6420.9980.642
XPRIO_URL_SHORTNERmetaX-Priority header and short URL0.4250.9990.4250.999
X_IPheaderMessage has X-IP header0.0010.0010.0010.001
X_MAILER_CME_6543_MSNheaderNo description provided2.8862.0043.0023.348
YOU_INHERITmetaDiscussing your inheritance2.9992.6992.9992.699
__DC_GIF_MULTI_LARGOmetaMessage has 2+ inline gif covering lots of area1.0001.0001.0001.000
__DC_IMG_HTML_RATIOrawbodyLow rawbody to pixel area ratio1.0001.0001.0001.000
__DC_IMG_TEXT_RATIObodyLow body to pixel area ratio1.0001.0001.0001.000
__DC_PNG_MULTI_LARGOmetaMessage has 2+ png images covering lots of area1.0001.0001.0001.000
__DKIM_DEPENDABLEfullA validation failure not attributable to truncation1.0001.0001.0001.000
__FORGED_TBIRD_IMGmetaPossibly forged Thunderbird image spam1.0001.0001.0001.000
__FROM_41_FREEMAILmetaSent from Africa + freemail provider1.0001.0001.0001.000
__GB_BITCOIN_CP_DEmetaGerman Bitcoin scam1.0001.0001.0001.000
__GB_BITCOIN_CP_ENmetaEnglish Bitcoin scam1.0001.0001.0001.000
__GB_BITCOIN_CP_ESmetaSpanish Bitcoin scam1.0001.0001.0001.000
__GB_BITCOIN_CP_FRmetaFrench Bitcoin scam1.0001.0001.0001.000
__GB_BITCOIN_CP_ITmetaItalian Bitcoin scam1.0001.0001.0001.000
__GB_BITCOIN_CP_NLmetaDutch Bitcoin scam1.0001.0001.0001.000
__GB_BITCOIN_CP_SEmetaSwedish Bitcoin scam1.0001.0001.0001.000
__HAS_HREFrawbodyHas an anchor tag with a href attribute in non-quoted line1.0001.0001.0001.000
__HAS_HREF_ONECASErawbodyHas an anchor tag with a href attribute in non-quoted line with consistent case1.0001.0001.0001.000
__HAS_IMG_SRCrawbodyHas an img tag on a non-quoted line1.0001.0001.0001.000
__HAS_IMG_SRC_ONECASErawbodyHas an img tag on a non-quoted line with consistent case1.0001.0001.0001.000
__KAM_BODY_LENGTH_LT_1024bodyThe length of the body of the email is less than 1024 bytes.1.0001.0001.0001.000
__KAM_BODY_LENGTH_LT_128bodyThe length of the body of the email is less than 128 bytes.1.0001.0001.0001.000
__KAM_BODY_LENGTH_LT_256bodyThe length of the body of the email is less than 256 bytes.1.0001.0001.0001.000
__KAM_BODY_LENGTH_LT_512bodyThe length of the body of the email is less than 512 bytes.1.0001.0001.0001.000
__MIME_BASE64rawbodyIncludes a base64 attachment1.0001.0001.0001.000
__MIME_QPrawbodyIncludes a quoted-printable attachment1.0001.0001.0001.000
__ML_TURNS_SP_TO_TABheaderA mailing list changing a space to a TAB1.0001.0001.0001.000
__NSL_ORIG_FROM_41headerOriginates from 41.0.0.0/81.0001.0001.0001.000
__NSL_RCVD_FROM_41headerReceived from 41.0.0.0/81.0001.0001.0001.000
__RCVD_IN_MSPIKE_ZheaderSpam wave participant1.0001.0001.0001.000
__RCVD_IN_SORBSheaderSORBS: sender is listed in SORBS1.0001.0001.0001.000
__RCVD_IN_ZENheaderReceived via a relay in Spamhaus Zen1.0001.0001.0001.000
__RDNS_DYNAMIC_ADELPHIAheaderRelay HELO'd using suspicious hostname (Adelphia)1.0001.0001.0001.000
__RDNS_DYNAMIC_ATTBIheaderRelay HELO'd using suspicious hostname (ATTBI.com)1.0001.0001.0001.000
__RDNS_DYNAMIC_CHELLO_NLheaderRelay HELO'd using suspicious hostname (Chello.nl)1.0001.0001.0001.000
__RDNS_DYNAMIC_CHELLO_NOheaderRelay HELO'd using suspicious hostname (Chello.no)1.0001.0001.0001.000
__RDNS_DYNAMIC_COMCASTheaderRelay HELO'd using suspicious hostname (Comcast)1.0001.0001.0001.000
__RDNS_DYNAMIC_DHCPheaderRelay HELO'd using suspicious hostname (DHCP)1.0001.0001.0001.000
__RDNS_DYNAMIC_DIALINheaderRelay HELO'd using suspicious hostname (T-Dialin)1.0001.0001.0001.000
__RDNS_DYNAMIC_HCCheaderRelay HELO'd using suspicious hostname (HCC)1.0001.0001.0001.000
__RDNS_DYNAMIC_HEXIPheaderRelay HELO'd using suspicious hostname (Hex IP)1.0001.0001.0001.000
__RDNS_DYNAMIC_IPADDRheaderRelay HELO'd using suspicious hostname (IP addr 1)1.0001.0001.0001.000
__RDNS_DYNAMIC_NTLheaderRelay HELO'd using suspicious hostname (NTL)1.0001.0001.0001.000
__RDNS_DYNAMIC_OOLheaderRelay HELO'd using suspicious hostname (OptOnline)1.0001.0001.0001.000
__RDNS_DYNAMIC_ROGERSheaderRelay HELO'd using suspicious hostname (Rogers)1.0001.0001.0001.000
__RDNS_DYNAMIC_RR2headerRelay HELO'd using suspicious hostname (RR 2)1.0001.0001.0001.000
__RDNS_DYNAMIC_SPLIT_IPheaderRelay HELO'd using suspicious hostname (Split IP)1.0001.0001.0001.000
__RDNS_DYNAMIC_TELIAheaderRelay HELO'd using suspicious hostname (Telia)1.0001.0001.0001.000
__RDNS_DYNAMIC_VELOXheaderRelay HELO'd using suspicious hostname (Veloxzone)1.0001.0001.0001.000
__RDNS_DYNAMIC_VTRheaderRelay HELO'd using suspicious hostname (VTR)1.0001.0001.0001.000
__RDNS_DYNAMIC_YAHOOBBheaderRelay HELO'd using suspicious hostname (YahooBB)1.0001.0001.0001.000
__TO_EQ_FROMmetaTo: same as From:1.0001.0001.0001.000
__TO_EQ_FROM_DOMmetaTo: domain same as From: domain1.0001.0001.0001.000
__TO_EQ_FROM_USRmetaTo: username same as From: username1.0001.0001.0001.000
__TO_EQ_FROM_USR_NNmetaTo: username same as From: username sans trailing nums1.0001.0001.0001.000
__VIA_MLmetaMail from a mailing list1.0001.0001.0001.000
__VIA_RESIGNERmetaMail through a popular signing remailer1.0001.0001.0001.000


FutureQuest Site Search

Back to Top

FutureQuest Professional Web Hosting Services
Copyright © 1998-2020 FutureQuest, Inc. All rights reserved.