|
Spam Test Rules
|
Description
|
|
ACCESSDB
|
Message would have been caught by accessdb
|
|
ACT_NOW_CAPS
|
Talks about 'acting now' with capitals
|
|
ADDRESS_IN_SUBJECT
|
To: address appears in Subject
|
|
ADDR_FREE
|
From Address contains FREE
|
|
ADDR_NUMS_AT_BIGSITE
|
Has an address with lots of numbers at a big ISP
|
|
ADVANCE_FEE_1
|
Appears to be advance fee fraud (Nigerian 419)
|
|
ADVANCE_FEE_2
|
Appears to be advance fee fraud (Nigerian 419)
|
|
ADVANCE_FEE_3
|
Appears to be advance fee fraud (Nigerian 419)
|
|
ADVANCE_FEE_4
|
Appears to be advance fee fraud (Nigerian 419)
|
|
ALL_NATURAL
|
Spam is 100% natural?!
|
|
ALL_TRUSTED
|
Passed through trusted hosts only via SMTP
|
|
AMATEUR_PORN
|
Possible porn - Amateur Porn
|
|
AMAZING_STUFF
|
Amazing Stuff
|
|
AS_SEEN_ON
|
As seen on national TV!
|
|
AWL
|
From: address is in the auto white-list
|
|
BAD_CREDIT
|
Eliminate Bad Credit
|
|
BAD_ENC_HEADER
|
Message has bad MIME encoding in the header
|
|
BANG_EXERCISE
|
Talks about exercise with an exclamation!
|
|
BANG_GUAR
|
Something is emphatically guaranteed
|
|
BANG_MORE
|
Talks about more with an exclamation!
|
|
BANG_OPRAH
|
Talks about Oprah with an exclamation!
|
|
BARGAIN_URL
|
Includes a link to a likely spammer domain
|
|
BAYES_00
|
Bayesian spam probability is 0 to 1%
|
|
BAYES_05
|
Bayesian spam probability is 1 to 5%
|
|
BAYES_20
|
Bayesian spam probability is 5 to 20%
|
|
BAYES_40
|
Bayesian spam probability is 20 to 40%
|
|
BAYES_50
|
Bayesian spam probability is 40 to 60%
|
|
BAYES_60
|
Bayesian spam probability is 60 to 80% |
|
BAYES_80
|
Bayesian spam probability is 80 to 95%
|
|
BAYES_95
|
Bayesian spam probability is 95 to 99%
|
|
BAYES_99
|
Bayesian spam probability is 99 to 100%
|
|
BEST_PORN
|
Possible porn - Best, Largest, Most Porn
|
|
BE_BOSS
|
Be your own boss
|
|
BILLION_DOLLARS
|
Talks about lots of money
|
|
BILL_1618
|
Possible mention of bill 1618 (anti-spam bill)
|
|
BIZ_TLD
|
Contains an URL in the BIZ top-level domain
|
|
BLANK_LINES_70_80
|
Message body has 70-80% blank lines
|
|
BLANK_LINES_80_90
|
Message body has 80-90% blank lines
|
|
BLANK_LINES_90_100
|
Message body has 90-100% blank lines
|
|
BODY_8BITS
|
Body includes 8 consecutive 8-bit characters
|
|
BODY_ENHANCEMENT
|
Information on growing body parts
|
|
BODY_ENHANCEMENT2
|
Information on getting larger body parts
|
|
CHARSET_FARAWAY
|
Character set indicates a foreign language
|
|
CHARSET_FARAWAY_HEADER
|
A foreign language charset used in headers
|
|
CHINA_HEADER
|
Involves 'china.com'
|
|
CLICK_BELOW_CAPS
|
Asks you to click below (in capital letters)
|
|
CLICK_TO_REMOVE_1
|
Click to be removed
|
|
COMPETE
|
Compete for your business
|
|
CONFIDENTIAL_ORDER
|
Confidentiality on all orders
|
|
CONFIRMED_FORGED
|
Received headers are forged
|
|
CONSOLIDATE_DEBT
|
Consolidate debt, credit, or bills
|
|
CUM_SHOT
|
Possible porn - Cum Shot
|
|
DATE_IN_FUTURE_03_06
|
Date: is 3 to 6 hours after Received: date
|
|
DATE_IN_FUTURE_06_12
|
Date: is 6 to 12 hours after Received: date
|
|
DATE_IN_FUTURE_12_24
|
Date: is 12 to 24 hours after Received: date
|
|
DATE_IN_FUTURE_24_48
|
Date: is 24 to 48 hours after Received: date
|
|
DATE_IN_FUTURE_48_96
|
Date: is 48 to 96 hours after Received: date
|
|
DATE_IN_FUTURE_96_XX
|
Date: is 96 hours or more after Received: date
|
|
DATE_IN_PAST_03_06
|
Date: is 3 to 6 hours before Received: date
|
|
DATE_IN_PAST_06_12
|
Date: is 6 to 12 hours before Received: date
|
|
DATE_IN_PAST_12_24
|
Date: is 12 to 24 hours before Received: date
|
|
DATE_IN_PAST_24_48
|
Date: is 24 to 48 hours before Received: date
|
|
DATE_IN_PAST_48_96
|
Date: is 48 to 96 hours before Received: date
|
|
DATE_IN_PAST_96_XX
|
Date: is 96 hours or more before Received: date
|
|
DATE_SPAMWARE_Y2K
|
Date header uses unusual Y2K formatting
|
|
DAV_NON_HOTMAIL
|
Message sent using DAV, but not via Hotmail
|
|
DCC_CHECK
|
Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
|
|
DEAR_FRIEND
|
Dear Friend? That's not very dear!
|
|
DEAR_SOMETHING
|
Contains 'Dear (something)'
|
|
DEEP_DISC_MEDS
|
Deep discount medications
|
|
DIET_1
|
Lose Weight Spam
|
|
DIET_2
|
Describes weight loss
|
|
DIET_3
|
Describes body fat loss
|
|
DIGEST_MULTIPLE
|
Message hits more than one network digest check
|
|
DISGUISE_PORN
|
Attempts to disguise porn words
|
|
DISGUISE_PORN_MUNDANE
|
Attempts to disguise mundane words used in porn
|
|
DKIM_POLICY_SIGNALL
|
Domain Keys Identified Mail: policy says domain signs all mails
|
|
DKIM_POLICY_SIGNSOME
|
Domain Keys Identified Mail: policy says domain signs some mails
|
|
DKIM_POLICY_TESTING
|
Domain Keys Identified Mail: policy says domain is testing DK
|
|
DKIM_SIGNED
|
Domain Keys Identified Mail: message has a signature
|
|
DKIM_VERIFIED
|
Domain Keys Identified Mail: signature passes verification
|
|
DK_POLICY_SIGNALL
|
Domain Keys: policy says domain signs all mails
|
|
DK_POLICY_SIGNSOME
|
Domain Keys: policy says domain signs some mails
|
|
DK_POLICY_TESTING
|
Domain Keys: policy says domain is testing DK
|
|
DK_SIGNED
|
Domain Keys: message has an unverified signature
|
|
DK_VERIFIED
|
Domain Keys: signature passes verification
|
|
DNS_FROM_AHBL_RHSBL
|
From: sender listed in dnsbl.ahbl.org
|
|
DNS_FROM_RFC_ABUSE
|
Envelope sender in abuse.rfc-ignorant.org
|
|
DNS_FROM_RFC_BOGUSMX
|
Envelope sender in bogusmx.rfc-ignorant.org
|
|
DNS_FROM_RFC_DSN
|
Envelope sender in dsn.rfc-ignorant.org
|
|
DNS_FROM_RFC_POST
|
Envelope sender in postmaster.rfc-ignorant.org
|
|
DNS_FROM_RFC_WHOIS
|
Envelope sender in whois.rfc-ignorant.org
|
|
DNS_FROM_SECURITYSAGE
|
Envelope sender in blackholes.securitysage.com
|
|
DOMAIN_4U2
|
Domain name containing a "4u" variant
|
|
DOMAIN_RATIO
|
Message body mentions many internet domains
|
|
DRUGS_ANXIETY
|
Refers to an anxiety control drug
|
|
DRUGS_ANXIETY_EREC
|
Refers to both an erectile and an anxiety drug
|
|
DRUGS_ANXIETY_OBFU
|
Obfuscated reference to an anxiety control drug
|
|
DRUGS_DIET
|
Refers to a diet drug
|
|
DRUGS_DIET_OBFU
|
Obfuscated reference to a diet drug
|
|
DRUGS_ERECTILE
|
Refers to an erectile drug
|
|
DRUGS_ERECTILE_OBFU
|
Obfuscated reference to an erectile drug
|
|
DRUGS_MANYKINDS
|
Refers to at least four kinds of drugs
|
|
DRUGS_MUSCLE
|
Refers to a muscle relaxant
|
|
DRUGS_PAIN
|
Refers to a pain relief drug
|
|
DRUGS_PAIN_OBFU
|
Obfuscated reference to a pain relief drug
|
|
DRUGS_SLEEP
|
Refers to a sleep aid drug
|
|
DRUGS_SLEEP_EREC
|
Refers to both an erectile and a sleep aid drug
|
|
DRUGS_SMEAR1
|
Two or more drugs crammed together into one word
|
|
DRUG_DOSAGE
|
Talks about price per dose
|
|
DRUG_ED_CAPS
|
Mentions an E.D. drug
|
|
DRUG_ED_COMBO
|
Viagra and other drugs
|
|
DRUG_ED_GENERIC
|
Mentions Generic Viagra
|
|
DRUG_ED_ONLINE
|
Fast Viagra Delivery
|
|
DRUG_ED_SILD
|
Talks about an E.D. drug using its chemical name
|
|
EARN_PER_WEEK
|
Contains 'earn $something per week'
|
|
EMAIL_ROT13
|
Body contains a ROT13-encoded email address
|
|
EMPTY_MESSAGE
|
Message appears to have no textual parts and no Subject: text
|
|
EM_ROLEX
|
Message puts emphasis on the watch manufacturer
|
|
ENGLISH_UCE_SUBJECT
|
Subject contains an English UCE tag
|
|
ENTITY_DEC_ALPHANUM
|
HTML contains needlessly encoded characters
|
|
ENV_AND_HDR_DKIM_MATCH
|
Env and Hdr From used in default DKIM WL Match
|
|
ENV_AND_HDR_DK_MATCH
|
Env and Hdr From used in default DK WL Match
|
|
ENV_AND_HDR_SPF_MATCH
|
Env and Hdr From used in default SPF WL Match
|
|
EXCUSE_10
|
"if you do not wish to receive any more"
|
|
EXCUSE_12
|
Nobody's perfect
|
|
EXCUSE_23
|
Claims you have provided permission
|
|
EXCUSE_24
|
Claims you wanted this ad
|
|
EXCUSE_4
|
Claims you can be removed from the list
|
|
EXCUSE_6
|
Claims you can be removed from the list
|
|
EXCUSE_REMOVE
|
Talks about how to be removed from mailings
|
|
EXTRA_CASH
|
Offers Extra Cash
|
|
EXTRA_MPART_TYPE
|
Header has extraneous Content-type:...type= entry
|
|
FAKED_UNDISC_RECIPS
|
Faked To "Undisclosed-Recipients"
|
|
FAKE_HELO_EMAIL_COM
|
Host HELO did not match rDNS: email.com
|
|
FAKE_HELO_EUDORAMAIL
|
Host HELO did not match rDNS: eudoramail.com
|
|
FAKE_HELO_EXCITE
|
Host HELO did not match rDNS: excite.com
|
|
FAKE_HELO_LYCOS
|
Host HELO did not match rDNS: lycos.com
|
|
FAKE_HELO_MAIL_COM
|
Host HELO did not match rDNS: mail.com
|
|
FAKE_HELO_MAIL_COM_DOM
|
Relay HELO'd with suspicious hostname (mail.com)
|
|
FAKE_HELO_MSN
|
Host HELO did not match rDNS: msn.com
|
|
FAKE_HELO_YAHOO_CA
|
Host HELO did not match rDNS: yahoo.ca
|
|
FAKE_OUTBLAZE_RCVD
|
Received header contains faked 'mr.outblaze.com'
|
|
FIN_FREE
|
Freedom of a financial nature
|
|
FORGED_AOL_RCVD
|
Received forged, contains fake AOL relays
|
|
FORGED_AOL_TAGS
|
AOL mailers can't send HTML in this format
|
|
FORGED_EUDORAMAIL_RCVD
|
Forged eudoramail.com 'Received:' header found
|
|
FORGED_GW05_RCVD
|
Forged 'by gw05' 'Received:' header found
|
|
FORGED_HOTMAIL_RCVD
|
Forged hotmail.com 'Received:' header found
|
|
FORGED_HOTMAIL_RCVD2
|
hotmail.com 'From' address, but no 'Received:'
|
|
FORGED_IMS_HTML
|
IMS can't send HTML message only
|
|
FORGED_IMS_TAGS
|
IMS mailers can't send HTML in this format
|
|
FORGED_JUNO_RCVD
|
'From' juno.com does not match 'Received' headers
|
|
FORGED_MSGID_AOL
|
Message-ID is forged, (aol.com)
|
|
FORGED_MSGID_EXCITE
|
Message-ID is forged, (excite.com)
|
|
FORGED_MSGID_HOTMAIL
|
Message-ID is forged, (hotmail.com)
|
|
FORGED_MSGID_MSN
|
Message-ID is forged, (msn.com)
|
|
FORGED_MSGID_YAHOO
|
Message-ID is forged, (yahoo.com)
|
|
FORGED_MUA_AOL_FROM
|
Forged mail pretending to be from AOL (by From)
|
|
FORGED_MUA_EUDORA
|
Forged mail pretending to be from Eudora
|
|
FORGED_MUA_IMS
|
Forged mail pretending to be from IMS
|
|
FORGED_MUA_MOZILLA
|
Forged mail pretending to be from Mozilla
|
|
FORGED_MUA_OIMO
|
Forged mail pretending to be from MS Outlook IMO
|
|
FORGED_MUA_OUTLOOK
|
Forged mail pretending to be from MS Outlook
|
|
FORGED_MUA_THEBAT_BOUN
|
Mail pretending to be from The Bat! (boundary)
|
|
FORGED_MUA_THEBAT_CS
|
Mail pretending to be from The Bat! (charset)
|
|
FORGED_OUTLOOK_HTML
|
Outlook can't send HTML message only
|
|
FORGED_OUTLOOK_TAGS
|
Outlook can't send HTML in this format
|
|
FORGED_QUALCOMM_TAGS
|
QUALCOMM mailers can't send HTML in this format
|
|
FORGED_RCVD_HELO
|
Received: contains a forged HELO
|
|
FORGED_TELESP_RCVD
|
Contains forged hostname for a DSL IP in Brazil
|
|
FORGED_THEBAT_HTML
|
The Bat! can't send HTML message only
|
|
FORGED_YAHOO_RCVD
|
'From' yahoo.com does not match 'Received' headers
|
|
FORWARD_LOOKING
|
Stock Disclaimer Statement
|
|
FRAGMENTED_MESSAGE
|
Partial message
|
|
FREE_ACCESS
|
Contains 'free access' with capitals
|
|
FREE_PORN
|
Possible porn - Free Porn
|
|
FREE_PREVIEW
|
Free Preview
|
|
FREE_QUOTE_INSTANT
|
Free express or no-obligation quote
|
|
FREE_SAMPLE
|
Contains 'free sample' with capitals
|
|
FROM_ALL_NUMS
|
From numeric address (except US/Canada phones)
|
|
FROM_AND_TO_SAME
|
From and To are the same, but not exactly
|
|
FROM_BLANK_NAME
|
From: contains empty name
|
|
FROM_DOMAIN_NOVOWEL
|
From: domain has series of non-vowel letters
|
|
FROM_ENDS_IN_NUMS
|
From: ends in many numbers
|
|
FROM_EXCESS_BASE64
|
From: base64 encoded unnecessarily
|
|
FROM_EXCESS_QP
|
From: quoted-printable encoded unnecessarily
|
|
FROM_HAS_MIXED_NUMS
|
From: contains numbers mixed in with letters
|
|
FROM_HAS_ULINE_NUMS
|
From: contains an underline and numbers/letters
|
|
FROM_ILLEGAL_CHARS
|
From: has too many raw illegal characters
|
|
FROM_LOCAL_DIGITS
|
From: localpart has long digit sequence
|
|
FROM_LOCAL_HEX
|
From: localpart has long hexadecimal sequence
|
|
FROM_LOCAL_NOVOWEL
|
From: localpart has series of non-vowel letters
|
|
FROM_NONSENDING_DOMAIN
|
Message is from domain that never sends email
|
|
FROM_NO_LOWER
|
From address has no lower-case characters
|
|
FROM_NO_USER
|
From: has no local-part before @ sign
|
|
FROM_OFFERS
|
From address is "at something-offers"
|
|
FROM_STARTS_WITH_NUMS
|
From: starts with many numbers
|
|
FRONTPAGE
|
Frontpage used to create the message
|
|
FULL_REFUND
|
Offers a full refund
|
|
FUZZY_AFFORDABLE
|
Attempt to obfuscate words in spam
|
|
FUZZY_AMBIEN
|
Attempt to obfuscate words in spam
|
|
FUZZY_BILLION
|
Attempt to obfuscate words in spam
|
|
FUZZY_CELEBREX
|
Attempt to obfuscate words in spam
|
|
FUZZY_CPILL
|
Attempt to obfuscate words in spam
|
|
FUZZY_CREDIT
|
Attempt to obfuscate words in spam
|
|
FUZZY_ERECT
|
Attempt to obfuscate words in spam
|
|
FUZZY_FOLLOW
|
Attempt to obfuscate words in spam
|
|
FUZZY_GUARANTEE
|
Attempt to obfuscate words in spam
|
|
FUZZY_MEDICATION
|
Attempt to obfuscate words in spam
|
|
FUZZY_MILF
|
Attempt to obfuscate words in spam
|
|
FUZZY_MILLION
|
Attempt to obfuscate words in spam
|
|
FUZZY_MONEY
|
Attempt to obfuscate words in spam
|
|
FUZZY_MORTGAGE
|
Attempt to obfuscate words in spam
|
|
FUZZY_OBLIGATION
|
Attempt to obfuscate words in spam
|
|
FUZZY_OFFERS
|
Attempt to obfuscate words in spam
|
|
FUZZY_PHARMACY
|
Attempt to obfuscate words in spam
|
|
FUZZY_PHENT
|
Attempt to obfuscate words in spam
|
|
FUZZY_PLEASE
|
Attempt to obfuscate words in spam
|
|
FUZZY_PRESCRIPT
|
Attempt to obfuscate words in spam
|
|
FUZZY_PRICES
|
Attempt to obfuscate words in spam
|
|
FUZZY_REFINANCE
|
Attempt to obfuscate words in spam
|
|
FUZZY_REMOVE
|
Attempt to obfuscate words in spam
|
|
FUZZY_ROLEX
|
Attempt to obfuscate words in spam
|
|
FUZZY_SOFTWARE
|
Attempt to obfuscate words in spam
|
|
FUZZY_THOUSANDS
|
Attempt to obfuscate words in spam
|
|
FUZZY_TRAMADOL
|
Attempt to obfuscate words in spam
|
|
FUZZY_VICODIN
|
Attempt to obfuscate words in spam
|
|
FUZZY_VIOXX
|
Attempt to obfuscate words in spam
|
|
FUZZY_VLIUM
|
Attempt to obfuscate words in spam
|
|
FUZZY_VPILL
|
Attempt to obfuscate words in spam
|
|
FUZZY_XPILL
|
Attempt to obfuscate words in spam
|
|
GAPPY_SUBJECT
|
Subject: contains G.a.p.p.y-T.e.x.t
|
|
GET_PAID
|
Get Paid
|
|
GTUBE
|
Generic Test for Unsolicited Bulk Email
|
|
GUARANTEED_100_PERCENT
|
One hundred percent guaranteed
|
|
GUARANTEED_STUFF
|
Guaranteed Stuff
|
|
HABEAS_ACCREDITED_COI
|
Habeas Accredited Confirmed Opt-In or Better
|
|
HABEAS_ACCREDITED_SOI
|
Habeas Accredited Opt-In or Better
|
|
HABEAS_CHECKED
|
Habeas Checked
|
|
HAIR_LOSS
|
Cures Baldness
|
|
HARDCORE_PORN
|
Possible porn - Hardcore Porn
|
|
HASHCASH_20
|
Contains valid Hashcash token (20 bits)
|
|
HASHCASH_21
|
Contains valid Hashcash token (21 bits)
|
|
HASHCASH_22
|
Contains valid Hashcash token (22 bits)
|
|
HASHCASH_23
|
Contains valid Hashcash token (23 bits)
|
|
HASHCASH_24
|
Contains valid Hashcash token (24 bits)
|
|
HASHCASH_25
|
Contains valid Hashcash token (25 bits)
|
|
HASHCASH_2SPEND
|
Hashcash token already spent in another mail
|
|
HASHCASH_HIGH
|
Contains valid Hashcash token (>25 bits)
|
|
HDR_ORDER_MTSRIX
|
Headers are in order found in spam (MTSRIX)
|
|
HDR_ORDER_TRIMRS
|
Headers are in order found in spam (TRIMRS)
|
|
HEADER_COUNT_CTYPE
|
Multiple Content-Type headers found
|
|
HEADER_SPAM
|
Bulk email fingerprint (header-based) found
|
|
HEAD_ILLEGAL_CHARS
|
Headers have too many raw illegal characters
|
|
HEAD_LONG
|
Message headers are very long
|
|
HELO_DYNAMIC_ADELPHIA
|
Relay HELO'd using suspicious hostname (Adelphia)
|
|
HELO_DYNAMIC_ATTBI
|
Relay HELO'd using suspicious hostname (ATTBI.com)
|
|
HELO_DYNAMIC_CHELLO_NL
|
Relay HELO'd using suspicious hostname (Chello.nl)
|
|
HELO_DYNAMIC_CHELLO_NO
|
Relay HELO'd using suspicious hostname (Chello.no)
|
|
HELO_DYNAMIC_COMCAST
|
Relay HELO'd using suspicious hostname (Comcast)
|
|
HELO_DYNAMIC_DHCP
|
Relay HELO'd using suspicious hostname (DHCP)
|
|
HELO_DYNAMIC_DIALIN
|
Relay HELO'd using suspicious hostname (T-Dialin)
|
|
HELO_DYNAMIC_HCC
|
Relay HELO'd using suspicious hostname (HCC)
|
|
HELO_DYNAMIC_HEXIP
|
Relay HELO'd using suspicious hostname (Hex IP)
|
|
HELO_DYNAMIC_HOME_NL
|
Relay HELO'd using suspicious hostname (Home.nl)
|
|
HELO_DYNAMIC_IPADDR
|
Relay HELO'd using suspicious hostname (IP addr 1)
|
|
HELO_DYNAMIC_IPADDR2
|
Relay HELO'd using suspicious hostname (IP addr 2)
|
|
HELO_DYNAMIC_NTL
|
Relay HELO'd using suspicious hostname (NTL)
|
|
HELO_DYNAMIC_OOL
|
Relay HELO'd using suspicious hostname (OptOnline)
|
|
HELO_DYNAMIC_ROGERS
|
Relay HELO'd using suspicious hostname (Rogers)
|
|
HELO_DYNAMIC_RR2
|
Relay HELO'd using suspicious hostname (RR 2)
|
|
HELO_DYNAMIC_SPLIT_IP
|
Relay HELO'd using suspicious hostname (Split IP)
|
|
HELO_DYNAMIC_TELIA
|
Relay HELO'd using suspicious hostname (Telia)
|
|
HELO_DYNAMIC_VELOX
|
Relay HELO'd using suspicious hostname (Veloxzone)
|
|
HELO_DYNAMIC_VTR
|
Relay HELO'd using suspicious hostname (VTR)
|
|
HELO_DYNAMIC_YAHOOBB
|
Relay HELO'd using suspicious hostname (YahooBB)
|
|
HG_HORMONE
|
Talks about hormones for human growth
|
|
HIDDEN_CHARGES
|
Talks about Hidden Charges
|
|
HIDE_WIN_STATUS
|
Javascript to hide URLs in browser
|
|
HOT_NASTY
|
Possible porn - Hot, Nasty, Wild, Young
|
|
HTML_00_10
|
Message is 0% to 10% HTML
|
|
HTML_10_20
|
Message is 10% to 20% HTML
|
|
HTML_20_30
|
Message is 20% to 30% HTML
|
|
HTML_30_40
|
Message is 30% to 40% HTML
|
|
HTML_40_50
|
Message is 40% to 50% HTML
|
|
HTML_50_60
|
Message is 50% to 60% HTML
|
|
HTML_60_70
|
Message is 60% to 70% HTML
|
|
HTML_70_80
|
Message is 70% to 80% HTML
|
|
HTML_80_90
|
Message is 80% to 90% HTML
|
|
HTML_90_100
|
Message is 90% to 100% HTML
|
|
HTML_ATTR_BAD
|
HTML has many bad attributes in tags
|
|
HTML_ATTR_UNIQUE
|
HTML appears to have random attributes in tags
|
|
HTML_BACKHAIR_2
|
HTML tags used to obfuscate words
|
|
HTML_BACKHAIR_4
|
HTML tags used to obfuscate words
|
|
HTML_BACKHAIR_8
|
HTML tags used to obfuscate words
|
|
HTML_BADTAG_00_10
|
HTML message is 0% to 10% bad tags
|
|
HTML_BADTAG_10_20
|
HTML message is 10% to 20% bad tags
|
|
HTML_BADTAG_20_30
|
HTML message is 20% to 30% bad tags
|
|
HTML_BADTAG_30_40
|
HTML message is 30% to 40% bad tags
|
|
HTML_BADTAG_40_50
|
HTML message is 40% to 50% bad tags
|
|
HTML_BADTAG_50_60
|
HTML message is 50% to 60% bad tags
|
|
HTML_BADTAG_60_70
|
HTML message is 60% to 70% bad tags
|
|
HTML_BADTAG_70_80
|
HTML message is 70% to 80% bad tags
|
|
HTML_BADTAG_80_90
|
HTML message is 80% to 90% bad tags
|
|
HTML_BADTAG_90_100
|
HTML message is 90% to 100% bad tags
|
|
HTML_CHARSET_FARAWAY
|
A foreign language charset used in HTML markup
|
|
HTML_COMMENT_SAVED_URL
|
HTML message is a saved web page
|
|
HTML_COMMENT_SHORT
|
HTML comment is very short
|
|
HTML_EHTML2
|
HTML has doubled end HTML tag
|
|
HTML_EMBEDS
|
HTML with embedded plugin object
|
|
HTML_EVENT_UNSAFE
|
HTML contains unsafe auto-executing code
|
|
HTML_EXTRA_CLOSE
|
HTML contains far too many close tags
|
|
HTML_FONT_BIG
|
HTML tag for a big font size
|
|
HTML_FONT_FACE_BAD
|
HTML font face is not a word
|
|
HTML_FONT_FACE_CAPS
|
HTML font face has excess capital characters
|
|
HTML_FONT_INVISIBLE
|
HTML font color is same as background
|
|
HTML_FONT_LOW_CONTRAST
|
HTML font color similar to background
|
|
HTML_FONT_SIZE_HUGE
|
HTML font size is huge
|
|
HTML_FONT_SIZE_LARGE
|
HTML font size is large
|
|
HTML_FONT_SIZE_NONE
|
HTML font size is negative
|
|
HTML_FONT_SIZE_TINY
|
HTML font size is tiny
|
|
HTML_FONT_TINY
|
HTML tag for a tiny font size
|
|
HTML_FORMACTION_MAILTO
|
HTML includes a form which sends mail
|
|
HTML_IMAGE_ONLY_04
|
HTML: images with 0-400 bytes of words
|
|
HTML_IMAGE_ONLY_08
|
HTML: images with 400-800 bytes of words
|
|
HTML_IMAGE_ONLY_12
|
HTML: images with 800-1200 bytes of words
|
|
HTML_IMAGE_ONLY_16
|
HTML: images with 1200-1600 bytes of words
|
|
HTML_IMAGE_ONLY_20
|
HTML: images with 1600-2000 bytes of words
|
|
HTML_IMAGE_ONLY_24
|
HTML: images with 2000-2400 bytes of words
|
|
HTML_IMAGE_ONLY_28
|
HTML: images with 2400-2800 bytes of words
|
|
HTML_IMAGE_ONLY_32
|
HTML: images with 2800-3200 bytes of words
|
|
HTML_IMAGE_RATIO_02
|
HTML has a low ratio of text to image area
|
|
HTML_IMAGE_RATIO_04
|
HTML has a low ratio of text to image area
|
|
HTML_IMAGE_RATIO_06
|
HTML has a low ratio of text to image area
|
|
HTML_IMAGE_RATIO_08
|
HTML has a low ratio of text to image area
|
|
HTML_LINK_OPT_OUT
|
HTML link text says "opt out" or similar
|
|
HTML_LINK_PUSH_HERE
|
HTML link text says "push here" or similar
|
|
HTML_MESSAGE
|
HTML included in message
|
|
HTML_MIME_NO_HTML_TAG
|
HTML-only message, but there is no HTML tag
|
|
HTML_MISSING_CTYPE
|
Message is HTML without HTML Content-Type
|
|
HTML_NONELEMENT_00_10
|
0% to 10% of HTML elements are non-standard
|
|
HTML_NONELEMENT_10_20
|
10% to 20% of HTML elements are non-standard
|
|
HTML_NONELEMENT_20_30
|
20% to 30% of HTML elements are non-standard
|
|
HTML_NONELEMENT_30_40
|
30% to 40% of HTML elements are non-standard
|
|
HTML_NONELEMENT_40_50
|
40% to 50% of HTML elements are non-standard
|
|
HTML_NONELEMENT_50_60
|
50% to 60% of HTML elements are non-standard
|
|
HTML_NONELEMENT_60_70
|
60% to 70% of HTML elements are non-standard
|
|
HTML_NONELEMENT_70_80
|
70% to 80% of HTML elements are non-standard
|
|
HTML_NONELEMENT_80_90
|
80% to 90% of HTML elements are non-standard
|
|
HTML_NONELEMENT_90_100
|
90% to 100% of HTML elements are non-standard
|
|
HTML_OBFUSCATE_05_10
|
Message is 5% to 10% HTML obfuscation
|
|
HTML_OBFUSCATE_10_20
|
Message is 10% to 20% HTML obfuscation
|
|
HTML_OBFUSCATE_20_30
|
Message is 20% to 30% HTML obfuscation
|
|
HTML_OBFUSCATE_30_40
|
Message is 30% to 40% HTML obfuscation
|
|
HTML_OBFUSCATE_40_50
|
Message is 40% to 50% HTML obfuscation
|
|
HTML_OBFUSCATE_50_60
|
Message is 50% to 60% HTML obfuscation
|
|
HTML_OBFUSCATE_60_70
|
Message is 60% to 70% HTML obfuscation
|
|
HTML_OBFUSCATE_70_80
|
Message is 70% to 80% HTML obfuscation
|
|
HTML_OBFUSCATE_80_90
|
Message is 80% to 90% HTML obfuscation
|
|
HTML_OBFUSCATE_90_100
|
Message is 90% to 100% HTML obfuscation
|
|
HTML_SHORT_CENTER
|
HTML is very short with CENTER tag
|
|
HTML_SHORT_COMMENT
|
HTML is very short with HTML comments
|
|
HTML_SHORT_LENGTH
|
HTML is extremely short
|
|
HTML_SHORT_LINK_IMG_1
|
HTML is very short with a linked image
|
|
HTML_SHORT_LINK_IMG_2
|
HTML is very short with a linked image
|
|
HTML_SHORT_LINK_IMG_3
|
HTML is very short with a linked image
|
|
HTML_SHOUTING3
|
HTML has very strong "shouting" markup
|
|
HTML_SHOUTING4
|
HTML has very strong "shouting" markup
|
|
HTML_SHOUTING5
|
HTML has very strong "shouting" markup
|
|
HTML_SHOUTING6
|
HTML has very strong "shouting" markup
|
|
HTML_SHOUTING7
|
HTML has very strong "shouting" markup
|
|
HTML_TAG_BALANCE_BODY
|
HTML has unbalanced "body" tags
|
|
HTML_TAG_BALANCE_HEAD
|
HTML has unbalanced "head" tags
|
|
HTML_TAG_EXIST_BGSOUND
|
HTML has "bgsound" tag
|
|
HTML_TAG_EXIST_MARQUEE
|
HTML has "marquee" tag
|
|
HTML_TAG_EXIST_TBODY
|
HTML has "tbody" tag
|
|
HTML_TEXT_AFTER_BODY
|
HTML contains text after BODY close tag
|
|
HTML_TEXT_AFTER_HTML
|
HTML contains text after HTML close tag
|
|
HTML_TINY_FONT
|
body contains 1 or 0-point font
|
|
HTML_TITLE_EMPTY
|
HTML title contains no text
|
|
HTML_TITLE_LONG
|
HTML title is very long
|
|
HTML_TITLE_UNTITLED
|
HTML title contains "Untitled"
|
|
HTTPS_IP_MISMATCH
|
IP to HTTPS link found in HTML
|
|
HTTP_77
|
Contains an URL-encoded hostname (HTTP77)
|
|
HTTP_CTRL_CHARS_HOST
|
Uses control sequences inside a URL hostname
|
|
HTTP_ESCAPED_HOST
|
Uses %-escapes inside a URL's hostname
|
|
HTTP_EXCESSIVE_ESCAPES
|
Completely unnecessary %-escapes inside a URL
|
|
IMPOTENCE
|
Impotence cure
|
|
INFO_TLD
|
Contains an URL in the INFO top-level domain
|
|
INTERRUPTUS
|
Message looks to contain HTML-interrupted text
|
|
INVALID_DATE
|
Invalid Date: header (not RFC 2822)
|
|
INVALID_DATE_TZ_ABSURD
|
Invalid Date: header (timezone does not exist)
|
|
INVALID_MSGID
|
Message-Id is not valid, according to RFC 2822
|
|
INVALID_TZ_CST
|
Invalid date in header (wrong CST timezone)
|
|
INVALID_TZ_EST
|
Invalid date in header (wrong EST timezone)
|
|
INVALID_TZ_GMT
|
Invalid date in header (wrong GMT/UTC timezone)
|
|
INVESTMENT_ADVICE
|
Message mentions investment advice
|
|
INVESTMENT_EXPERT
|
Message mentions investment expert
|
|
IP_LINK_PLUS
|
Dotted-decimal IP address followed by CGI
|
|
JAPANESE_UCE_SUBJECT
|
Subject contains a Japanese UCE tag
|
|
JOIN_MILLIONS
|
Join Millions of Americans
|
|
JS_FROMCHARCODE
|
Document is built from a Javascript charcode array
|
|
KOREAN_UCE_SUBJECT
|
Subject: contains Korean unsolicited email tag
|
|
LIVE_PORN
|
Possible porn - Live Porn
|
|
LOCALPART_IN_SUBJECT
|
Local part of To: address appears in Subject
|
|
LONGWORDS
|
Long string of long words
|
|
LOTS_OF_STUFF
|
Thousands or millions of pictures, movies, etc.
|
|
LOW_PRICE
|
Lowest Price
|
|
MAILTO_SUBJ_REMOVE
|
mailto URI includes removal text
|
|
MAILTO_TO_REMOVE
|
Includes a 'remove' email address
|
|
MAILTO_TO_SPAM_ADDR
|
Includes a link to a likely spammer email
|
|
MALE_ENHANCE
|
Message talks about enhancing men
|
|
MANY_EXCLAMATIONS
|
Subject has many exclamations
|
|
MARKETING_PARTNERS
|
Claims you registered with a partner
|
|
MEET_SINGLES
|
Meet Singles
|
|
MICROSOFT_EXECUTABLE
|
Message includes Microsoft executable program
|
|
MICRO_CAP_WARNING
|
SEC-mandated penny-stock warning
|
|
MILLION_USD
|
Talks about millions of dollars
|
|
MIME_BAD_ISO_CHARSET
|
MIME character set is an unknown ISO charset
|
|
MIME_BASE64_BLANKS
|
Extra blank lines in base64 encoding
|
|
MIME_BASE64_NO_NAME
|
base64 attachment does not have a file name
|
|
MIME_BASE64_TEXT
|
Message text disguised using base64 encoding
|
|
MIME_BOUND_DD_DIGITS
|
Spam tool pattern in MIME boundary
|
|
MIME_BOUND_DIGITS_15
|
Spam tool pattern in MIME boundary
|
|
MIME_BOUND_DIGITS_7
|
Spam tool pattern in MIME boundary
|
|
MIME_BOUND_MANY_HEX
|
Spam tool pattern in MIME boundary
|
|
MIME_BOUND_NEXTPART
|
Spam tool pattern in MIME boundary
|
|
MIME_BOUND_RKFINDY
|
Spam tool pattern in MIME boundary (rfkindy)
|
|
MIME_CHARSET_FARAWAY
|
MIME character set indicates foreign language
|
|
MIME_HEADER_CTYPE_ONLY
|
'Content-Type' found without required MIME headers
|
|
MIME_HTML_MOSTLY
|
Multipart message mostly text/html MIME
|
|
MIME_HTML_ONLY
|
Message only has text/html MIME parts
|
|
MIME_HTML_ONLY_MULTI
|
Multipart message only has text/html MIME parts
|
|
MIME_MISSING_BOUNDARY
|
MIME section missing boundary
|
|
MIME_QP_LONG_LINE
|
Quoted-printable line longer than 76 chars
|
|
MIME_SUSPECT_NAME
|
MIME filename does not match content
|
|
MISSING_DATE
|
Missing Date: header
|
|
MISSING_HB_SEP
|
Missing blank line between message header and body
|
|
MISSING_HEADERS
|
Missing To: header
|
|
MISSING_MIMEOLE
|
Message has X-MSMail-Priority, but no X-MimeOLE
|
|
MISSING_MIME_HB_SEP
|
Missing blank line between MIME header and body
|
|
MISSING_SUBJECT
|
Missing Subject: header
|
|
ML_MARKETING
|
Multi Level Marketing mentioned
|
|
MONEY_BACK
|
Money back guarantee
|
|
MORE_SEX
|
Talks about a bigger drive for sex
|
|
MORTGAGE_BEST
|
Information on mortgages
|
|
MORTGAGE_PITCH
|
Looks like mortgage pitch
|
|
MORTGAGE_RATES
|
Information on mortgage rates
|
|
MPART_ALT_DIFF
|
HTML and text parts are different
|
|
MPART_ALT_DIFF_COUNT
|
HTML and text parts are different
|
|
MSGID_DOLLARS
|
Message-Id has pattern used in spam
|
|
MSGID_FROM_MTA_HEADER
|
Message-Id was added by a relay
|
|
MSGID_FROM_MTA_HOTMAIL
|
Message-Id was added by a hotmail.com relay
|
|
MSGID_FROM_MTA_ID
|
Message-Id for external message added locally
|
|
MSGID_LONG
|
Message-ID is unusually long
|
|
MSGID_MULTIPLE_AT
|
Message-ID contains multiple '@' characters
|
|
MSGID_NO_HOST
|
Message-Id has no hostname
|
|
MSGID_OUTLOOK_INVALID
|
Message-Id is fake (in Outlook Express format)
|
|
MSGID_RANDY
|
Message-Id has pattern used in spam
|
|
MSGID_RATWARE1
|
Bulk email fingerprint found
|
|
MSGID_SHORT
|
Message-ID is unusually short
|
|
MSGID_SPAM_99X9XX99
|
Spam tool Message-Id: (99x9xx99 variant)
|
|
MSGID_SPAM_ALPHA_NUM
|
Spam tool Message-Id: (alpha-numeric variant)
|
|
MSGID_SPAM_CAPS
|
Spam tool Message-Id: (caps variant)
|
|
MSGID_SPAM_LETTERS
|
Spam tool Message-Id: (letters variant)
|
|
MSGID_SPAM_ZEROES
|
Spam tool Message-Id: (12-zeroes variant)
|
|
MSGID_YAHOO_CAPS
|
Message-ID has [email protected]
|
|
MULTI_FORGED
|
Received headers indicate multiple forgeries
|
|
NASTY_GIRLS
|
Possible porn - Nasty Girls
|
|
NA_DOLLARS
|
Talks about a million North American dollars
|
|
NONEXISTENT_CHARSET
|
Character set doesn't exist
|
|
NORMAL_HTTP_TO_IP
|
Uses a dotted-decimal IP address in URL
|
|
NOT_ADVISOR
|
Not registered investment advisor
|
|
NO_COST
|
No such thing as a free lunch (3)
|
|
NO_DNS_FOR_FROM
|
Envelope sender has no MX or A DNS records
|
|
NO_FORMS
|
No Claim Forms
|
|
NO_MEDICAL
|
No Medical Exams
|
|
NO_OBLIGATION
|
There is no obligation
|
|
NO_PRESCRIPTION
|
No prescription needed
|
|
NO_RDNS_DOTCOM_HELO
|
Host HELO'd as a big ISP, but had no rDNS
|
|
NO_REAL_NAME
|
From: does not include a real name
|
|
NO_RECEIVED
|
Informational: message has no Received headers
|
|
NO_RELAYS
|
Informational: message was not relayed via SMTP
|
|
NUMERIC_HTTP_ADDR
|
Uses a numeric IP address in URL
|
|
OBFUSCATING_COMMENT
|
HTML comments which obfuscate text
|
|
OBSCURED_EMAIL
|
Message seems to contain rot13ed address
|
|
OFFSHORE_SCAM
|
Off Shore Scams
|
|
ONE_TIME
|
One Time Rip Off
|
|
ONLINE_PHARMACY
|
Online Pharmacy
|
|
OPTING_OUT_CAPS
|
Talks about opting out (capitalized version)
|
|
ORG_MIME_TOOLS
|
Organization is MIME-tools
|
|
PERCENT_RANDOM
|
Message has a random macro in it
|
|
PLING_PLING
|
Subject has lots of exclamation marks
|
|
PLING_QUERY
|
Subject has exclamation mark and question mark
|
|
PORN_15
|
Possible porn - various types of feline
|
|
PORN_16
|
Possible porn - nasty, dirty, little etc.
|
|
PORN_URL_MISC
|
URL uses words/phrases which indicate porn (misc)
|
|
PORN_URL_SEX
|
URL uses words/phrases which indicate porn (sex)
|
|
PORN_URL_SLUT
|
URL uses words/phrases which indicate porn (slut)
|
|
PREST_NON_ACCREDITED
|
'Prestigious Non-Accredited Universities'
|
|
PREVENT_NONDELIVERY
|
Message has Prevent-NonDelivery-Report header
|
|
PRICES_ARE_AFFORDABLE
|
Message says that prices aren't too expensive
|
|
PRIORITY_NO_NAME
|
Message has priority, but no user agent name
|
|
PYZOR_CHECK
|
Listed in Pyzor (http://pyzor.sf.net/)
|
|
QUALIFY_FOR_THIS
|
Qualify for this special...
|
|
RATWARE_BOUND_PIECE
|
Bulk email fingerprint (piece boundary) found
|
|
RATWARE_EFROM
|
Bulk email fingerprint (envfrom) found
|
|
RATWARE_EGROUPS
|
Bulk email fingerprint (eGroups) found
|
|
RATWARE_GECKO_BUILD
|
Bulk email fingerprint (Gecko faked) found
|
|
RATWARE_HASH_2
|
Bulk email fingerprint (hash 2) found
|
|
RATWARE_HASH_2_V2
|
Bulk email fingerprint (hash 2 v2) found
|
|
RATWARE_HASH_DASH
|
Contains a hashbuster in Send-Safe format
|
|
RATWARE_JPFREE
|
Bulk email fingerprint (jpfree) found
|
|
RATWARE_MOZ_MALFORMED
|
Bulk email fingerprint (Mozilla malformed) found
|
|
RATWARE_MPOP_WEBMAIL
|
Bulk email fingerprint (mPOP Web-Mail)
|
|
RATWARE_MS_HASH
|
Bulk email fingerprint (msgid ms hash) found
|
|
RATWARE_NAME_ID
|
Bulk email fingerprint (msgid from) found
|
|
RATWARE_NETIP
|
Bulk email fingerprint (netIP) found
|
|
RATWARE_OE_MALFORMED
|
X-Mailer has malformed Outlook Express version
|
|
RATWARE_OUTLOOK_NONAME
|
Bulk email fingerprint (Outlook no name) found
|
|
RATWARE_RCVD_AT
|
Bulk email fingerprint (Received @) found
|
|
RATWARE_RCVD_LC_ESMTP
|
Bulk email fingerprint ('esmtp' Received) found
|
|
RATWARE_RCVD_PF
|
Bulk email fingerprint (Received PF) found
|
|
RATWARE_STORM_URI
|
Bulk email fingerprint (StormPost) found
|
|
RATWARE_ZERO_TZ
|
Bulk email fingerprint (+0000) found
|
|
RAZOR2_CF_RANGE_51_100
|
Razor2 gives confidence level above 50%
|
|
RAZOR2_CF_RANGE_E4_51_100
|
Razor2 gives engine 4 confidence level above 50%
|
|
RAZOR2_CF_RANGE_E8_51_100
|
Razor2 gives engine 8 confidence level above 50%
|
|
RAZOR2_CHECK
|
Listed in Razor2 (http://razor.sf.net/)
|
|
RCVD_AM_PM
|
Received headers forged (AM/PM)
|
|
RCVD_BONUS_SPC_DATE
|
Bulk email fingerprint (bonus space) found
|
|
RCVD_BY_IP
|
Received by mail server with no name
|
|
RCVD_DOUBLE_IP_LOOSE
|
Received: by and from look like IP addresses
|
|
RCVD_DOUBLE_IP_SPAM
|
Bulk email fingerprint (double IP) found
|
|
RCVD_FAKE_HELO_DOTCOM
|
Received contains a faked HELO hostname
|
|
RCVD_HELO_IP_MISMATCH
|
Received: HELO and IP do not match, but should
|
|
RCVD_ILLEGAL_IP
|
Received: contains illegal IP address
|
|
RCVD_IN_BL_SPAMCOP_NET
|
Received via a relay in bl.spamcop.net
|
|
RCVD_IN_BSP_OTHER
|
Sender is in Bonded Sender Program (other relay)
|
|
RCVD_IN_BSP_TRUSTED
|
Sender is in Bonded Sender Program (trusted relay)
|
|
RCVD_IN_DSBL
|
Received via a relay in list.dsbl.org
|
|
RCVD_IN_IADB_VOUCHED
|
ISIPP IADB lists as vouched-for sender
|
|
RCVD_IN_MAPS_DUL
|
Relay in DUL, http://www.mail-abuse.org/dul/
|
|
RCVD_IN_MAPS_NML
|
Relay in NML, http://www.mail-abuse.org/nml/
|
|
RCVD_IN_MAPS_RBL
|
Relay in RBL, http://www.mail-abuse.org/rbl/
|
|
RCVD_IN_MAPS_RSS
|
Relay in RSS, http://www.mail-abuse.org/rss/
|
|
RCVD_IN_NJABL_CGI
|
NJABL: sender is an open formmail
|
|
RCVD_IN_NJABL_DUL
|
NJABL: dialup sender did non-local SMTP
|
|
RCVD_IN_NJABL_MULTI
|
NJABL: sent through multi-stage open relay
|
|
RCVD_IN_NJABL_PROXY
|
NJABL: sender is an open proxy
|
|
RCVD_IN_NJABL_RELAY
|
NJABL: sender is confirmed open relay
|
|
RCVD_IN_NJABL_SPAM
|
NJABL: sender is confirmed spam source
|
|
RCVD_IN_SBL
|
Received via a relay in Spamhaus SBL
|
|
RCVD_IN_SORBS_BLOCK
|
SORBS: sender demands to never be tested
|
|
RCVD_IN_SORBS_DUL
|
SORBS: sent directly from dynamic IP address
|
|
RCVD_IN_SORBS_HTTP
|
SORBS: sender is open HTTP proxy server
|
|
RCVD_IN_SORBS_MISC
|
SORBS: sender is open proxy server
|
|
RCVD_IN_SORBS_SMTP
|
SORBS: sender is open SMTP relay
|
|
RCVD_IN_SORBS_SOCKS
|
SORBS: sender is open SOCKS proxy server
|
|
RCVD_IN_SORBS_WEB
|
SORBS: sender is a abuseable web server
|
|
RCVD_IN_SORBS_ZOMBIE
|
SORBS: sender is on a hijacked network
|
|
RCVD_IN_WHOIS_BOGONS
|
CompleteWhois: sender on bogons IP block
|
|
RCVD_IN_WHOIS_HIJACKED
|
CompleteWhois: sender on hijacked IP block
|
|
RCVD_IN_WHOIS_INVALID
|
CompleteWhois: sender on invalid IP block
|
|
RCVD_IN_XBL
|
Received via a relay in Spamhaus XBL
|
|
RCVD_NUMERIC_HELO
|
Received: contains an IP address used for HELO
|
|
RECEIVE_OFFER
|
Receive a special offer
|
|
REFINANCE_NOW
|
Home refinancing
|
|
REFINANCE_YOUR_HOME
|
Home refinancing
|
|
REMOVE_BEFORE_LINK
|
Removal phrase right before a link
|
|
REMOVE_PAGE
|
URL of page called "remove"
|
|
REMOVE_POSTAL
|
Send real mail to be unsubscribed
|
|
REPLICA_WATCH
|
Message talks about a replica watch
|
|
REPLY_TO_EMPTY
|
Reply-To: is empty
|
|
REPTO_OVERQUOTE_THEBAT
|
The Bat! doesn't do quoting like this
|
|
REPTO_QUOTE_AOL
|
AOL doesn't do quoting like this
|
|
REPTO_QUOTE_IMS
|
IMS doesn't do quoting like this
|
|
REPTO_QUOTE_MSN
|
MSN doesn't do quoting like this
|
|
REPTO_QUOTE_QUALCOMM
|
Qualcomm/Eudora doesn't do quoting like this
|
|
REPTO_QUOTE_YAHOO
|
Yahoo! doesn't do quoting like this
|
|
RESISTANCE_IS_FUTILE
|
Resistance to this spam is futile
|
|
REVERSE_AGING
|
Reverses Aging
|
|
RISK_FREE
|
Risk free. Suuurreeee....
|
|
ROUND_THE_WORLD
|
Received: says mail sent around the world (DNS)
|
|
ROUND_THE_WORLD_LOCAL
|
Received: says mail sent around the world (HELO)
|
|
RUDE_HTML
|
Spammer message says you need an HTML mailer
|
|
SATIS_GUAR
|
Mail guarantees satisfaction
|
|
SAVE_THOUSANDS
|
Save big money
|
|
SEE_FOR_YOURSELF
|
See for yourself
|
|
SENT_IN_COMPLIANCE
|
Claims compliance with spam regulations
|
|
SOMETHING_FOR_ADULTS
|
Possible porn - Adult Web Sites
|
|
SOME_BREAKTHROUGH
|
Describes some sort of breakthrough
|
|
SORTED_RECIPS
|
Recipient list is sorted by address
|
|
SPF_FAIL
|
SPF: sender does not match SPF record (fail)
|
|
SPF_HELO_FAIL
|
SPF: HELO does not match SPF record (fail)
|
|
SPF_HELO_NEUTRAL
|
SPF: HELO does not match SPF record (neutral)
|
|
SPF_HELO_PASS
|
SPF: HELO matches SPF record
|
|
SPF_HELO_SOFTFAIL
|
SPF: HELO does not match SPF record (softfail)
|
|
SPF_NEUTRAL
|
SPF: sender does not match SPF record (neutral)
|
|
SPF_PASS
|
SPF: sender matches SPF record
|
|
SPF_SOFTFAIL
|
SPF: sender does not match SPF record (softfail)
|
|
SPOOF_COM2COM
|
URI contains ".com" in middle and end
|
|
SPOOF_COM2OTH
|
URI contains ".com" in middle
|
|
SPOOF_NET2COM
|
URI contains ".net" or ".org", then ".com"
|
|
SPOOF_OURI
|
URI has items in odd places
|
|
STOCK_ALERT
|
Offers a alert about a stock
|
|
STRONG_BUY
|
Tells you about a strong buy
|
|
SUBJECT_DIET
|
Subject talks about losing pounds
|
|
SUBJECT_DRUG_GAP_C
|
Subject contains a gappy version of 'cialis'
|
|
SUBJECT_DRUG_GAP_L
|
Subject contains a gappy version of 'levitra'
|
|
SUBJECT_DRUG_GAP_P
|
Subject contains a gappy version of 'phentermine'
|
|
SUBJECT_DRUG_GAP_S
|
Subject contains a gappy version of 'soma'
|
|
SUBJECT_DRUG_GAP_VA
|
Subject contains a gappy version of 'valium'
|
|
SUBJECT_DRUG_GAP_VIC
|
Subject contains a gappy version of 'vicodin'
|
|
SUBJECT_DRUG_GAP_X
|
Subject contains a gappy version of 'xanax'
|
|
SUBJECT_ENCODED_TWICE
|
Subject: MIME encoded twice
|
|
SUBJECT_EXCESS_BASE64
|
Subject: base64 encoded encoded unnecessarily
|
|
SUBJECT_EXCESS_QP
|
Subject: quoted-printable encoded unnecessarily
|
|
SUBJECT_FUZZY_CHEAP
|
Attempt to obfuscate words in Subject:
|
|
SUBJECT_FUZZY_MEDS
|
Attempt to obfuscate words in Subject:
|
|
SUBJECT_FUZZY_PENIS
|
Attempt to obfuscate words in Subject:
|
|
SUBJECT_FUZZY_TION
|
Attempt to obfuscate words in Subject:
|
|
SUBJECT_IN_BLACKLIST
|
Subject: contains string in the user's black-list
|
|
SUBJECT_IN_WHITELIST
|
Subject: contains string in the user's white-list
|
|
SUBJECT_NOVOWEL
|
Subject: has long non-vowel letter sequence
|
|
SUBJECT_SEXUAL
|
Subject indicates sexually-explicit content
|
|
SUBJ_2_NUM_PARENS
|
Subject contains common spam sign (2 numbers)
|
|
SUBJ_ALL_CAPS
|
Subject is all capitals
|
|
SUBJ_AS_SEEN
|
Subject contains "As Seen"
|
|
SUBJ_BUY
|
Subject line starts with Buy or Buying
|
|
SUBJ_CONSONANTS
|
Subject contains consecutive consonants in "word"
|
|
SUBJ_DOLLARS
|
Subject starts with dollar amount
|
|
SUBJ_FOR_ONLY
|
Subject contains "For Only"
|
|
SUBJ_FREE_CAP
|
Subject contains "FREE" in CAPS
|
|
SUBJ_GUARANTEED
|
Subject GUARANTEED
|
|
SUBJ_HAS_SPACES
|
Subject contains lots of white space
|
|
SUBJ_HAS_UNIQ_ID
|
Subject contains a unique ID
|
|
SUBJ_ILLEGAL_CHARS
|
Subject: has too many raw illegal characters
|
|
SUBJ_LIFE_INSURANCE
|
Subject includes "life insurance"
|
|
SUBJ_YOUR_DEBT
|
Subject contains "Your Bills" or similar
|
|
SUBJ_YOUR_FAMILY
|
Subject contains "Your Family"
|
|
SUBJ_YOUR_OWN
|
Subject contains "Your Own"
|
|
SUB_FREE_OFFER
|
Subject starts with "Free"
|
|
SUB_HELLO
|
Subject starts with "Hello"
|
|
SUSPICIOUS_RECIPS
|
Similar addresses in recipient list
|
|
TERRA_ES
|
Contains URI to a document hosted at 'terra.es'
|
|
TO_ADDRESS_EQ_REAL
|
To: repeats address as real name
|
|
TO_CC_NONE
|
No To: or Cc: header
|
|
TO_EMPTY
|
To: is empty
|
|
TO_MALFORMED
|
To: has a malformed address
|
|
TO_NO_USER
|
To: has no local-part before @ sign
|
|
TO_RECIP_MARKER
|
To header contains 'recipient' marker
|
|
TO_TXT
|
Sent to a text file
|
|
TRACKER_ID
|
Incorporates a tracking ID number
|
|
UNCLAIMED_MONEY
|
People just leave money laying around
|
|
UNCLOSED_BRACKET
|
Headers contain an unclosed bracket
|
UNDISC_RECIPS
|
Valid-looking To "undisclosed-recipients"
|
|
UNIQUE_WORDS
|
Message body has many words used only once
|
|
UNPARSEABLE_RELAY
|
Informational: message has unparseable relay lines
|
|
UNRESOLVED_TEMPLATE
|
Headers contain an unresolved template
|
|
UNWANTED_LANGUAGE_BODY
|
Message written in an undesired language
|
|
UPPERCASE_25_50
|
message body is 25-50% uppercase
|
|
UPPERCASE_50_75
|
message body is 50-75% uppercase
|
|
UPPERCASE_75_100
|
message body is 75-100% uppercase
|
|
URG_BIZ
|
Contains urgent matter
|
|
URIBL_AB_SURBL
|
Contains an URL listed in the AB SURBL blocklist
|
|
URIBL_JP_SURBL
|
Contains an URL listed in the JP SURBL blocklist
|
|
URIBL_OB_SURBL
|
Contains an URL listed in the OB SURBL blocklist
|
|
URIBL_PH_SURBL
|
Contains an URL listed in the PH SURBL blocklist
|
|
URIBL_SBL
|
Contains an URL listed in the SBL blocklist
|
|
URIBL_SC_SURBL
|
Contains an URL listed in the SC SURBL blocklist
|
|
URIBL_WS_SURBL
|
Contains an URL listed in the WS SURBL blocklist
|
|
URI_4YOU
|
Message has URI 4you
|
|
URI_AFFILIATE
|
Contains a URI with an affiliate ID code
|
|
URI_DIGITS
|
URI hostname has long digit sequence
|
|
URI_HEX
|
URI hostname has long hexadecimal sequence
|
|
URI_IS_POUND
|
Filename is just a '\#'; probably a JS trick
|
|
URI_NOVOWEL
|
URI hostname has long non-vowel sequence
|
|
URI_NO_WWW_ANY_CGI
|
CGI with long hostname other fourth-level "www"
|
|
URI_NO_WWW_BIZ_CGI
|
CGI in .biz TLD other than third-level "www"
|
|
URI_NO_WWW_INFO_CGI
|
CGI in .info TLD other than third-level "www"
|
|
URI_OFFERS
|
Message has link to company offers
|
|
URI_REDIRECTOR
|
Message has HTTP redirector URI
|
|
URI_SCHEME_MIXED_CASE
|
URI scheme has mixed uppercase and lowercase
|
|
URI_UNSUBSCRIBE
|
URI contains suspicious unsubscribe link
|
|
URI_UPPER_LOWER
|
URI contains capitalized hostname parts ("Abcde")
|
|
USERPASS
|
URL contains username and (optional) password
|
|
USER_IN_ALL_SPAM_TO
|
User is listed in 'all_spam_to'
|
|
USER_IN_BLACKLIST
|
From: address is in the user's black-list
|
|
USER_IN_BLACKLIST_TO
|
User is listed in 'blacklist_to'
|
|
USER_IN_DEF_DKIM_WL
|
From: address is in the default DKIM white-list
|
|
USER_IN_DEF_DK_WL
|
From: address is in the default DK white-list
|
|
USER_IN_DEF_SPF_WL
|
From: address is in the default SPF white-list
|
|
USER_IN_DEF_WHITELIST
|
From: address is in the default white-list
|
|
USER_IN_DKIM_WHITELIST
|
From: address is in the user's DKIM whitelist
|
|
USER_IN_DK_WHITELIST
|
From: address is in the user's DK whitelist
|
|
USER_IN_MORE_SPAM_TO
|
User is listed in 'more_spam_to'
|
|
USER_IN_SPF_WHITELIST
|
From: address is in the user's SPF whitelist
|
|
USER_IN_WHITELIST
|
From: address is in the user's white-list
|
|
USER_IN_WHITELIST_TO
|
User is listed in 'whitelist_to'
|
|
US_DOLLARS_3
|
Mentions millions of $ ($NN,NNN,NNN.NN)
|
|
VIA_GAP_GRA
|
Attempts to disguise the word 'viagra'
|
|
WEIRD_PORT
|
Uses non-standard port number for HTTP
|
|
WEIRD_QUOTING
|
Weird repeated double-quotation marks
|
|
WE_HONOR_ALL
|
Claims to honor removal requests
|
|
WHILE_YOU_SLEEP
|
While you Sleep
|
|
WHY_PAY_MORE
|
Why Pay More?
|
|
WHY_WAIT
|
What are you waiting for
|
|
WITH_LC_SMTP
|
Received line contains spam-sign (lowercase smtp)
|
|
WRINKLES
|
Removes Wrinkles
|
|
X_AUTH_WARN_FAKED
|
X-Authentication-Warning header looks faked
|
|
X_IP
|
Message has X-IP header
|
|
X_LIBRARY
|
Message has X-Library header
|
|
X_MAILER_SPAM
|
X-Mailer: header is bulk email fingerprint
|
|
X_MESSAGE_FLAG_ODD
|
Message has X-Message-flag header (odd case)
|
|
X_MESSAGE_INFO
|
Bulk email fingerprint (X-Message-Info) found
|
|
X_MIME_AUTOCONVERTED
|
Message has X-MIME-Autoconverted "Yes" header
|
|
X_MSMAIL_PRIORITY_HIGH
|
Sent with 'X-Msmail-Priority' set to high
|
|
X_ORIG_IP_NOT_IPV4
|
X-Originating-IP doesn't look like IPv4 address
|
|
X_PRIORITY_CC
|
Cc: after X-Priority: (bulk email fingerprint)
|
|
X_PRIORITY_HIGH
|
Sent with 'X-Priority' set to high
|
|
YAHOO_DRS_REDIR
|
Has Yahoo Redirect URI
|
|
YAHOO_RD_REDIR
|
Has Yahoo Redirect URI
|
|
YOU_CAN_SEARCH
|
You can search for anyone
|
|
__MIME_BASE64
|
Includes a base64 attachment
|
|
__MIME_QP
|
Includes a quoted-printable attachment
|
|
__RCVD_IN_NJABL
|
Received via a relay in combined.njabl.org
|
|
__RCVD_IN_SBL_XBL
|
Received via a relay in Spamhaus SBL+XBL
|
|
__RCVD_IN_SORBS
|
SORBS: sender is listed in SORBS
|