| Test |
Description |
| ACCESSDB |
Message would have been caught by accessdb |
| ACT_NOW_CAPS |
Talks about 'acting now' with capitals |
| ADDRESS_IN_SUBJECT |
To: address appears in Subject |
| ADDR_FREE |
From Address contains FREE |
| ADDR_NUMS_AT_BIGSITE |
Has an address with lots of numbers at a big ISP |
| ADVANCE_FEE_1 |
Appears to be advance fee fraud (Nigerian 419) |
| ADVANCE_FEE_2 |
Appears to be advance fee fraud (Nigerian 419) |
| ADVANCE_FEE_3 |
Appears to be advance fee fraud (Nigerian 419) |
| ADVANCE_FEE_4 |
Appears to be advance fee fraud (Nigerian 419) |
| ALL_NATURAL |
Spam is 100% natural?! |
| ALL_TRUSTED |
Passed through trusted hosts only via SMTP |
| AMATEUR_PORN |
Possible porn - Amateur Porn |
| AMAZING_STUFF |
Amazing Stuff |
| AS_SEEN_ON |
As seen on national TV! |
| AWL |
From: address is in the auto white-list |
| BAD_CREDIT |
Eliminate Bad Credit |
| BAD_ENC_HEADER |
Message has bad MIME encoding in the header |
| BANG_EXERCISE |
Talks about exercise with an exclamation! |
| BANG_GUAR |
Something is emphatically guaranteed |
| BANG_MORE |
Talks about more with an exclamation! |
| BANG_OPRAH |
Talks about Oprah with an exclamation! |
| BARGAIN_URL |
Includes a link to a likely spammer domain |
| BAYES_00 |
Bayesian spam probability is 0 to 1% |
| BAYES_05 |
Bayesian spam probability is 1 to 5% |
| BAYES_20 |
Bayesian spam probability is 5 to 20% |
| BAYES_40 |
Bayesian spam probability is 20 to 40% |
| BAYES_50 |
Bayesian spam probability is 40 to 60% |
| BAYES_60 |
Bayesian spam probability is 60 to 80% |
| BAYES_80 |
Bayesian spam probability is 80 to 95% |
| BAYES_95 |
Bayesian spam probability is 95 to 99% |
| BAYES_99 |
Bayesian spam probability is 99 to 100% |
| BEST_PORN |
Possible porn - Best, Largest, Most Porn |
| BE_BOSS |
Be your own boss |
| BILLION_DOLLARS |
Talks about lots of money |
| BILL_1618 |
Possible mention of bill 1618 (anti-spam bill) |
| BIZ_TLD |
Contains an URL in the BIZ top-level domain |
| BLANK_LINES_70_80 |
Message body has 70-80% blank lines |
| BLANK_LINES_80_90 |
Message body has 80-90% blank lines |
| BLANK_LINES_90_100 |
Message body has 90-100% blank lines |
| BODY_8BITS |
Body includes 8 consecutive 8-bit characters |
| BODY_ENHANCEMENT |
Information on growing body parts |
| BODY_ENHANCEMENT2 |
Information on getting larger body parts |
| CHARSET_FARAWAY |
Character set indicates a foreign language |
| CHARSET_FARAWAY_HEADER |
A foreign language charset used in headers |
| CHINA_HEADER |
Involves 'china.com' |
| CLICK_BELOW_CAPS |
Asks you to click below (in capital letters) |
| CLICK_TO_REMOVE_1 |
Click to be removed |
| COMPETE |
Compete for your business |
| CONFIDENTIAL_ORDER |
Confidentiality on all orders |
| CONFIRMED_FORGED |
Received headers are forged |
| CONSOLIDATE_DEBT |
Consolidate debt, credit, or bills |
| CUM_SHOT |
Possible porn - Cum Shot |
| DATE_IN_FUTURE_03_06 |
Date: is 3 to 6 hours after Received: date |
| DATE_IN_FUTURE_06_12 |
Date: is 6 to 12 hours after Received: date |
| DATE_IN_FUTURE_12_24 |
Date: is 12 to 24 hours after Received: date |
| DATE_IN_FUTURE_24_48 |
Date: is 24 to 48 hours after Received: date |
| DATE_IN_FUTURE_48_96 |
Date: is 48 to 96 hours after Received: date |
| DATE_IN_FUTURE_96_XX |
Date: is 96 hours or more after Received: date |
| DATE_IN_PAST_03_06 |
Date: is 3 to 6 hours before Received: date |
| DATE_IN_PAST_06_12 |
Date: is 6 to 12 hours before Received: date |
| DATE_IN_PAST_12_24 |
Date: is 12 to 24 hours before Received: date |
| DATE_IN_PAST_24_48 |
Date: is 24 to 48 hours before Received: date |
| DATE_IN_PAST_48_96 |
Date: is 48 to 96 hours before Received: date |
| DATE_IN_PAST_96_XX |
Date: is 96 hours or more before Received: date |
| DATE_SPAMWARE_Y2K |
Date header uses unusual Y2K formatting |
| DAV_NON_HOTMAIL |
Message sent using DAV, but not via Hotmail |
| DCC_CHECK |
Listed in DCC (http://rhyolite.com/anti-spam/dcc/) |
| DEAR_FRIEND |
Dear Friend? That's not very dear! |
| DEAR_SOMETHING |
Contains 'Dear (something)' |
| DEEP_DISC_MEDS |
Deep discount medications |
| DIET_1 |
Lose Weight Spam |
| DIET_2 |
Describes weight loss |
| DIET_3 |
Describes body fat loss |
| DIGEST_MULTIPLE |
Message hits more than one network digest check |
| DISGUISE_PORN |
Attempts to disguise porn words |
| DISGUISE_PORN_MUNDANE |
Attempts to disguise mundane words used in porn |
| DKIM_POLICY_SIGNALL |
Domain Keys Identified Mail: policy says domain signs all mails |
| DKIM_POLICY_SIGNSOME |
Domain Keys Identified Mail: policy says domain signs some mails |
| DKIM_POLICY_TESTING |
Domain Keys Identified Mail: policy says domain is testing DK |
| DKIM_SIGNED |
Domain Keys Identified Mail: message has a signature |
| DKIM_VERIFIED |
Domain Keys Identified Mail: signature passes verification |
| DK_POLICY_SIGNALL |
Domain Keys: policy says domain signs all mails |
| DK_POLICY_SIGNSOME |
Domain Keys: policy says domain signs some mails |
| DK_POLICY_TESTING |
Domain Keys: policy says domain is testing DK |
| DK_SIGNED |
Domain Keys: message has an unverified signature |
| DK_VERIFIED |
Domain Keys: signature passes verification |
| DNS_FROM_AHBL_RHSBL |
From: sender listed in dnsbl.ahbl.org |
| DNS_FROM_RFC_ABUSE |
Envelope sender in abuse.rfc-ignorant.org |
| DNS_FROM_RFC_BOGUSMX |
Envelope sender in bogusmx.rfc-ignorant.org |
| DNS_FROM_RFC_DSN |
Envelope sender in dsn.rfc-ignorant.org |
| DNS_FROM_RFC_POST |
Envelope sender in postmaster.rfc-ignorant.org |
| DNS_FROM_RFC_WHOIS |
Envelope sender in whois.rfc-ignorant.org |
| DNS_FROM_SECURITYSAGE |
Envelope sender in blackholes.securitysage.com |
| DOMAIN_4U2 |
Domain name containing a "4u" variant |
| DOMAIN_RATIO |
Message body mentions many internet domains |
| DRUGS_ANXIETY |
Refers to an anxiety control drug |
| DRUGS_ANXIETY_EREC |
Refers to both an erectile and an anxiety drug |
| DRUGS_ANXIETY_OBFU |
Obfuscated reference to an anxiety control drug |
| DRUGS_DIET |
Refers to a diet drug |
| DRUGS_DIET_OBFU |
Obfuscated reference to a diet drug |
| DRUGS_ERECTILE |
Refers to an erectile drug |
| DRUGS_ERECTILE_OBFU |
Obfuscated reference to an erectile drug |
| DRUGS_MANYKINDS |
Refers to at least four kinds of drugs |
| DRUGS_MUSCLE |
Refers to a muscle relaxant |
| DRUGS_PAIN |
Refers to a pain relief drug |
| DRUGS_PAIN_OBFU |
Obfuscated reference to a pain relief drug |
| DRUGS_SLEEP |
Refers to a sleep aid drug |
| DRUGS_SLEEP_EREC |
Refers to both an erectile and a sleep aid drug |
| DRUGS_SMEAR1 |
Two or more drugs crammed together into one word |
| DRUG_DOSAGE |
Talks about price per dose |
| DRUG_ED_CAPS |
Mentions an E.D. drug |
| DRUG_ED_COMBO |
Viagra and other drugs |
| DRUG_ED_GENERIC |
Mentions Generic Viagra |
| DRUG_ED_ONLINE |
Fast Viagra Delivery |
| DRUG_ED_SILD |
Talks about an E.D. drug using its chemical name |
| EARN_PER_WEEK |
Contains 'earn $something per week' |
| EMAIL_ROT13 |
Body contains a ROT13-encoded email address |
| EMPTY_MESSAGE |
Message appears to have no textual parts and no Subject: text |
| EM_ROLEX |
Message puts emphasis on the watch manufacturer |
| ENGLISH_UCE_SUBJECT |
Subject contains an English UCE tag |
| ENTITY_DEC_ALPHANUM |
HTML contains needlessly encoded characters |
| ENV_AND_HDR_DKIM_MATCH |
Env and Hdr From used in default DKIM WL Match |
| ENV_AND_HDR_DK_MATCH |
Env and Hdr From used in default DK WL Match |
| ENV_AND_HDR_SPF_MATCH |
Env and Hdr From used in default SPF WL Match |
| EXCUSE_10 |
"if you do not wish to receive any more" |
| EXCUSE_12 |
Nobody's perfect |
| EXCUSE_23 |
Claims you have provided permission |
| EXCUSE_24 |
Claims you wanted this ad |
| EXCUSE_4 |
Claims you can be removed from the list |
| EXCUSE_6 |
Claims you can be removed from the list |
| EXCUSE_REMOVE |
Talks about how to be removed from mailings |
| EXTRA_CASH |
Offers Extra Cash |
| EXTRA_MPART_TYPE |
Header has extraneous Content-type:...type= entry |
| FAKED_UNDISC_RECIPS |
Faked To "Undisclosed-Recipients" |
| FAKE_HELO_EMAIL_COM |
Host HELO did not match rDNS: email.com |
| FAKE_HELO_EUDORAMAIL |
Host HELO did not match rDNS: eudoramail.com |
| FAKE_HELO_EXCITE |
Host HELO did not match rDNS: excite.com |
| FAKE_HELO_LYCOS |
Host HELO did not match rDNS: lycos.com |
| FAKE_HELO_MAIL_COM |
Host HELO did not match rDNS: mail.com |
| FAKE_HELO_MAIL_COM_DOM |
Relay HELO'd with suspicious hostname (mail.com) |
| FAKE_HELO_MSN |
Host HELO did not match rDNS: msn.com |
| FAKE_HELO_YAHOO_CA |
Host HELO did not match rDNS: yahoo.ca |
| FAKE_OUTBLAZE_RCVD |
Received header contains faked 'mr.outblaze.com' |
| FIN_FREE |
Freedom of a financial nature |
| FORGED_AOL_RCVD |
Received forged, contains fake AOL relays |
| FORGED_AOL_TAGS |
AOL mailers can't send HTML in this format |
| FORGED_EUDORAMAIL_RCVD |
Forged eudoramail.com 'Received:' header found |
| FORGED_GW05_RCVD |
Forged 'by gw05' 'Received:' header found |
| FORGED_HOTMAIL_RCVD |
Forged hotmail.com 'Received:' header found |
| FORGED_HOTMAIL_RCVD2 |
hotmail.com 'From' address, but no 'Received:' |
| FORGED_IMS_HTML |
IMS can't send HTML message only |
| FORGED_IMS_TAGS |
IMS mailers can't send HTML in this format |
| FORGED_JUNO_RCVD |
'From' juno.com does not match 'Received' headers |
| FORGED_MSGID_AOL |
Message-ID is forged, (aol.com) |
| FORGED_MSGID_EXCITE |
Message-ID is forged, (excite.com) |
| FORGED_MSGID_HOTMAIL |
Message-ID is forged, (hotmail.com) |
| FORGED_MSGID_MSN |
Message-ID is forged, (msn.com) |
| FORGED_MSGID_YAHOO |
Message-ID is forged, (yahoo.com) |
| FORGED_MUA_AOL_FROM |
Forged mail pretending to be from AOL (by From) |
| FORGED_MUA_EUDORA |
Forged mail pretending to be from Eudora |
| FORGED_MUA_IMS |
Forged mail pretending to be from IMS |
| FORGED_MUA_MOZILLA |
Forged mail pretending to be from Mozilla |
| FORGED_MUA_OIMO |
Forged mail pretending to be from MS Outlook IMO |
| FORGED_MUA_OUTLOOK |
Forged mail pretending to be from MS Outlook |
| FORGED_MUA_THEBAT_BOUN |
Mail pretending to be from The Bat! (boundary) |
| FORGED_MUA_THEBAT_CS |
Mail pretending to be from The Bat! (charset) |
| FORGED_OUTLOOK_HTML |
Outlook can't send HTML message only |
| FORGED_OUTLOOK_TAGS |
Outlook can't send HTML in this format |
| FORGED_QUALCOMM_TAGS |
QUALCOMM mailers can't send HTML in this format |
| FORGED_RCVD_HELO |
Received: contains a forged HELO |
| FORGED_TELESP_RCVD |
Contains forged hostname for a DSL IP in Brazil |
| FORGED_THEBAT_HTML |
The Bat! can't send HTML message only |
| FORGED_YAHOO_RCVD |
'From' yahoo.com does not match 'Received' headers |
| FORWARD_LOOKING |
Stock Disclaimer Statement |
| FRAGMENTED_MESSAGE |
Partial message |
| FREE_ACCESS |
Contains 'free access' with capitals |
| FREE_PORN |
Possible porn - Free Porn |
| FREE_PREVIEW |
Free Preview |
| FREE_QUOTE_INSTANT |
Free express or no-obligation quote |
| FREE_SAMPLE |
Contains 'free sample' with capitals |
| FROM_ALL_NUMS |
From numeric address (except US/Canada phones) |
| FROM_AND_TO_SAME |
From and To are the same, but not exactly |
| FROM_BLANK_NAME |
From: contains empty name |
| FROM_DOMAIN_NOVOWEL |
From: domain has series of non-vowel letters |
| FROM_ENDS_IN_NUMS |
From: ends in many numbers |
| FROM_EXCESS_BASE64 |
From: base64 encoded unnecessarily |
| FROM_EXCESS_QP |
From: quoted-printable encoded unnecessarily |
| FROM_HAS_MIXED_NUMS |
From: contains numbers mixed in with letters |
| FROM_HAS_ULINE_NUMS |
From: contains an underline and numbers/letters |
| FROM_ILLEGAL_CHARS |
From: has too many raw illegal characters |
| FROM_LOCAL_DIGITS |
From: localpart has long digit sequence |
| FROM_LOCAL_HEX |
From: localpart has long hexadecimal sequence |
| FROM_LOCAL_NOVOWEL |
From: localpart has series of non-vowel letters |
| FROM_NONSENDING_DOMAIN |
Message is from domain that never sends email |
| FROM_NO_LOWER |
From address has no lower-case characters |
| FROM_NO_USER |
From: has no local-part before @ sign |
| FROM_OFFERS |
From address is "at something-offers" |
| FROM_STARTS_WITH_NUMS |
From: starts with many numbers |
| FRONTPAGE |
Frontpage used to create the message |
| FULL_REFUND |
Offers a full refund |
| FUZZY_AFFORDABLE |
Attempt to obfuscate words in spam |
| FUZZY_AMBIEN |
Attempt to obfuscate words in spam |
| FUZZY_BILLION |
Attempt to obfuscate words in spam |
| FUZZY_CELEBREX |
Attempt to obfuscate words in spam |
| FUZZY_CPILL |
Attempt to obfuscate words in spam |
| FUZZY_CREDIT |
Attempt to obfuscate words in spam |
| FUZZY_ERECT |
Attempt to obfuscate words in spam |
| FUZZY_FOLLOW |
Attempt to obfuscate words in spam |
| FUZZY_GUARANTEE |
Attempt to obfuscate words in spam |
| FUZZY_MEDICATION |
Attempt to obfuscate words in spam |
| FUZZY_MILF |
Attempt to obfuscate words in spam |
| FUZZY_MILLION |
Attempt to obfuscate words in spam |
| FUZZY_MONEY |
Attempt to obfuscate words in spam |
| FUZZY_MORTGAGE |
Attempt to obfuscate words in spam |
| FUZZY_OBLIGATION |
Attempt to obfuscate words in spam |
| FUZZY_OFFERS |
Attempt to obfuscate words in spam |
| FUZZY_PHARMACY |
Attempt to obfuscate words in spam |
| FUZZY_PHENT |
Attempt to obfuscate words in spam |
| FUZZY_PLEASE |
Attempt to obfuscate words in spam |
| FUZZY_PRESCRIPT |
Attempt to obfuscate words in spam |
| FUZZY_PRICES |
Attempt to obfuscate words in spam |
| FUZZY_REFINANCE |
Attempt to obfuscate words in spam |
| FUZZY_REMOVE |
Attempt to obfuscate words in spam |
| FUZZY_ROLEX |
Attempt to obfuscate words in spam |
| FUZZY_SOFTWARE |
Attempt to obfuscate words in spam |
| FUZZY_THOUSANDS |
Attempt to obfuscate words in spam |
| FUZZY_TRAMADOL |
Attempt to obfuscate words in spam |
| FUZZY_VICODIN |
Attempt to obfuscate words in spam |
| FUZZY_VIOXX |
Attempt to obfuscate words in spam |
| FUZZY_VLIUM |
Attempt to obfuscate words in spam |
| FUZZY_VPILL |
Attempt to obfuscate words in spam |
| FUZZY_XPILL |
Attempt to obfuscate words in spam |
| GAPPY_SUBJECT |
Subject: contains G.a.p.p.y-T.e.x.t |
| GET_PAID |
Get Paid |
| GTUBE |
Generic Test for Unsolicited Bulk Email |
| GUARANTEED_100_PERCENT |
One hundred percent guaranteed |
| GUARANTEED_STUFF |
Guaranteed Stuff |
| HABEAS_ACCREDITED_COI |
Habeas Accredited Confirmed Opt-In or Better |
| HABEAS_ACCREDITED_SOI |
Habeas Accredited Opt-In or Better |
| HABEAS_CHECKED |
Habeas Checked |
| HAIR_LOSS |
Cures Baldness |
| HARDCORE_PORN |
Possible porn - Hardcore Porn |
| HASHCASH_20 |
Contains valid Hashcash token (20 bits) |
| HASHCASH_21 |
Contains valid Hashcash token (21 bits) |
| HASHCASH_22 |
Contains valid Hashcash token (22 bits) |
| HASHCASH_23 |
Contains valid Hashcash token (23 bits) |
| HASHCASH_24 |
Contains valid Hashcash token (24 bits) |
| HASHCASH_25 |
Contains valid Hashcash token (25 bits) |
| HASHCASH_2SPEND |
Hashcash token already spent in another mail |
| HASHCASH_HIGH |
Contains valid Hashcash token (>25 bits) |
| HDR_ORDER_MTSRIX |
Headers are in order found in spam (MTSRIX) |
| HDR_ORDER_TRIMRS |
Headers are in order found in spam (TRIMRS) |
| HEADER_COUNT_CTYPE |
Multiple Content-Type headers found |
| HEADER_SPAM |
Bulk email fingerprint (header-based) found |
| HEAD_ILLEGAL_CHARS |
Headers have too many raw illegal characters |
| HEAD_LONG |
Message headers are very long |
| HELO_DYNAMIC_ADELPHIA |
Relay HELO'd using suspicious hostname (Adelphia) |
| HELO_DYNAMIC_ATTBI |
Relay HELO'd using suspicious hostname (ATTBI.com) |
| HELO_DYNAMIC_CHELLO_NL |
Relay HELO'd using suspicious hostname (Chello.nl) |
| HELO_DYNAMIC_CHELLO_NO |
Relay HELO'd using suspicious hostname (Chello.no) |
| HELO_DYNAMIC_COMCAST |
Relay HELO'd using suspicious hostname (Comcast) |
| HELO_DYNAMIC_DHCP |
Relay HELO'd using suspicious hostname (DHCP) |
| HELO_DYNAMIC_DIALIN |
Relay HELO'd using suspicious hostname (T-Dialin) |
| HELO_DYNAMIC_HCC |
Relay HELO'd using suspicious hostname (HCC) |
| HELO_DYNAMIC_HEXIP |
Relay HELO'd using suspicious hostname (Hex IP) |
| HELO_DYNAMIC_HOME_NL |
Relay HELO'd using suspicious hostname (Home.nl) |
| HELO_DYNAMIC_IPADDR |
Relay HELO'd using suspicious hostname (IP addr 1) |
| HELO_DYNAMIC_IPADDR2 |
Relay HELO'd using suspicious hostname (IP addr 2) |
| HELO_DYNAMIC_NTL |
Relay HELO'd using suspicious hostname (NTL) |
| HELO_DYNAMIC_OOL |
Relay HELO'd using suspicious hostname (OptOnline) |
| HELO_DYNAMIC_ROGERS |
Relay HELO'd using suspicious hostname (Rogers) |
| HELO_DYNAMIC_RR2 |
Relay HELO'd using suspicious hostname (RR 2) |
| HELO_DYNAMIC_SPLIT_IP |
Relay HELO'd using suspicious hostname (Split IP) |
| HELO_DYNAMIC_TELIA |
Relay HELO'd using suspicious hostname (Telia) |
| HELO_DYNAMIC_VELOX |
Relay HELO'd using suspicious hostname (Veloxzone) |
| HELO_DYNAMIC_VTR |
Relay HELO'd using suspicious hostname (VTR) |
| HELO_DYNAMIC_YAHOOBB |
Relay HELO'd using suspicious hostname (YahooBB) |
| HG_HORMONE |
Talks about hormones for human growth |
| HIDDEN_CHARGES |
Talks about Hidden Charges |
| HIDE_WIN_STATUS |
Javascript to hide URLs in browser |
| HOT_NASTY |
Possible porn - Hot, Nasty, Wild, Young |
| HTML_00_10 |
Message is 0% to 10% HTML |
| HTML_10_20 |
Message is 10% to 20% HTML |
| HTML_20_30 |
Message is 20% to 30% HTML |
| HTML_30_40 |
Message is 30% to 40% HTML |
| HTML_40_50 |
Message is 40% to 50% HTML |
| HTML_50_60 |
Message is 50% to 60% HTML |
| HTML_60_70 |
Message is 60% to 70% HTML |
| HTML_70_80 |
Message is 70% to 80% HTML |
| HTML_80_90 |
Message is 80% to 90% HTML |
| HTML_90_100 |
Message is 90% to 100% HTML |
| HTML_ATTR_BAD |
HTML has many bad attributes in tags |
| HTML_ATTR_UNIQUE |
HTML appears to have random attributes in tags |
| HTML_BACKHAIR_2 |
HTML tags used to obfuscate words |
| HTML_BACKHAIR_4 |
HTML tags used to obfuscate words |
| HTML_BACKHAIR_8 |
HTML tags used to obfuscate words |
| HTML_BADTAG_00_10 |
HTML message is 0% to 10% bad tags |
| HTML_BADTAG_10_20 |
HTML message is 10% to 20% bad tags |
| HTML_BADTAG_20_30 |
HTML message is 20% to 30% bad tags |
| HTML_BADTAG_30_40 |
HTML message is 30% to 40% bad tags |
| HTML_BADTAG_40_50 |
HTML message is 40% to 50% bad tags |
| HTML_BADTAG_50_60 |
HTML message is 50% to 60% bad tags |
| HTML_BADTAG_60_70 |
HTML message is 60% to 70% bad tags |
| HTML_BADTAG_70_80 |
HTML message is 70% to 80% bad tags |
| HTML_BADTAG_80_90 |
HTML message is 80% to 90% bad tags |
| HTML_BADTAG_90_100 |
HTML message is 90% to 100% bad tags |
| HTML_CHARSET_FARAWAY |
A foreign language charset used in HTML markup |
| HTML_COMMENT_SAVED_URL |
HTML message is a saved web page |
| HTML_COMMENT_SHORT |
HTML comment is very short |
| HTML_EHTML2 |
HTML has doubled end HTML tag |
| HTML_EMBEDS |
HTML with embedded plugin object |
| HTML_EVENT_UNSAFE |
HTML contains unsafe auto-executing code |
| HTML_EXTRA_CLOSE |
HTML contains far too many close tags |
| HTML_FONT_BIG |
HTML tag for a big font size |
| HTML_FONT_FACE_BAD |
HTML font face is not a word |
| HTML_FONT_FACE_CAPS |
HTML font face has excess capital characters |
| HTML_FONT_INVISIBLE |
HTML font color is same as background |
| HTML_FONT_LOW_CONTRAST |
HTML font color similar to background |
| HTML_FONT_SIZE_HUGE |
HTML font size is huge |
| HTML_FONT_SIZE_LARGE |
HTML font size is large |
| HTML_FONT_SIZE_NONE |
HTML font size is negative |
| HTML_FONT_SIZE_TINY |
HTML font size is tiny |
| HTML_FONT_TINY |
HTML tag for a tiny font size |
| HTML_FORMACTION_MAILTO |
HTML includes a form which sends mail |
| HTML_IMAGE_ONLY_04 |
HTML: images with 0-400 bytes of words |
| HTML_IMAGE_ONLY_08 |
HTML: images with 400-800 bytes of words |
| HTML_IMAGE_ONLY_12 |
HTML: images with 800-1200 bytes of words |
| HTML_IMAGE_ONLY_16 |
HTML: images with 1200-1600 bytes of words |
| HTML_IMAGE_ONLY_20 |
HTML: images with 1600-2000 bytes of words |
| HTML_IMAGE_ONLY_24 |
HTML: images with 2000-2400 bytes of words |
| HTML_IMAGE_ONLY_28 |
HTML: images with 2400-2800 bytes of words |
| HTML_IMAGE_ONLY_32 |
HTML: images with 2800-3200 bytes of words |
| HTML_IMAGE_RATIO_02 |
HTML has a low ratio of text to image area |
| HTML_IMAGE_RATIO_04 |
HTML has a low ratio of text to image area |
| HTML_IMAGE_RATIO_06 |
HTML has a low ratio of text to image area |
| HTML_IMAGE_RATIO_08 |
HTML has a low ratio of text to image area |
| HTML_LINK_OPT_OUT |
HTML link text says "opt out" or similar |
| HTML_LINK_PUSH_HERE |
HTML link text says "push here" or similar |
| HTML_MESSAGE |
HTML included in message |
| HTML_MIME_NO_HTML_TAG |
HTML-only message, but there is no HTML tag |
| HTML_MISSING_CTYPE |
Message is HTML without HTML Content-Type |
| HTML_NONELEMENT_00_10 |
0% to 10% of HTML elements are non-standard |
| HTML_NONELEMENT_10_20 |
10% to 20% of HTML elements are non-standard |
| HTML_NONELEMENT_20_30 |
20% to 30% of HTML elements are non-standard |
| HTML_NONELEMENT_30_40 |
30% to 40% of HTML elements are non-standard |
| HTML_NONELEMENT_40_50 |
40% to 50% of HTML elements are non-standard |
| HTML_NONELEMENT_50_60 |
50% to 60% of HTML elements are non-standard |
| HTML_NONELEMENT_60_70 |
60% to 70% of HTML elements are non-standard |
| HTML_NONELEMENT_70_80 |
70% to 80% of HTML elements are non-standard |
| HTML_NONELEMENT_80_90 |
80% to 90% of HTML elements are non-standard |
| HTML_NONELEMENT_90_100 |
90% to 100% of HTML elements are non-standard |
| HTML_OBFUSCATE_05_10 |
Message is 5% to 10% HTML obfuscation |
| HTML_OBFUSCATE_10_20 |
Message is 10% to 20% HTML obfuscation |
| HTML_OBFUSCATE_20_30 |
Message is 20% to 30% HTML obfuscation |
| HTML_OBFUSCATE_30_40 |
Message is 30% to 40% HTML obfuscation |
| HTML_OBFUSCATE_40_50 |
Message is 40% to 50% HTML obfuscation |
| HTML_OBFUSCATE_50_60 |
Message is 50% to 60% HTML obfuscation |
| HTML_OBFUSCATE_60_70 |
Message is 60% to 70% HTML obfuscation |
| HTML_OBFUSCATE_70_80 |
Message is 70% to 80% HTML obfuscation |
| HTML_OBFUSCATE_80_90 |
Message is 80% to 90% HTML obfuscation |
| HTML_OBFUSCATE_90_100 |
Message is 90% to 100% HTML obfuscation |
| HTML_SHORT_CENTER |
HTML is very short with CENTER tag |
| HTML_SHORT_COMMENT |
HTML is very short with HTML comments |
| HTML_SHORT_LENGTH |
HTML is extremely short |
| HTML_SHORT_LINK_IMG_1 |
HTML is very short with a linked image |
| HTML_SHORT_LINK_IMG_2 |
HTML is very short with a linked image |
| HTML_SHORT_LINK_IMG_3 |
HTML is very short with a linked image |
| HTML_SHOUTING3 |
HTML has very strong "shouting" markup |
| HTML_SHOUTING4 |
HTML has very strong "shouting" markup |
| HTML_SHOUTING5 |
HTML has very strong "shouting" markup |
| HTML_SHOUTING6 |
HTML has very strong "shouting" markup |
| HTML_SHOUTING7 |
HTML has very strong "shouting" markup |
| HTML_TAG_BALANCE_BODY |
HTML has unbalanced "body" tags |
| HTML_TAG_BALANCE_HEAD |
HTML has unbalanced "head" tags |
| HTML_TAG_EXIST_BGSOUND |
HTML has "bgsound" tag |
| HTML_TAG_EXIST_MARQUEE |
HTML has "marquee" tag |
| HTML_TAG_EXIST_TBODY |
HTML has "tbody" tag |
| HTML_TEXT_AFTER_BODY |
HTML contains text after BODY close tag |
| HTML_TEXT_AFTER_HTML |
HTML contains text after HTML close tag |
| HTML_TINY_FONT |
body contains 1 or 0-point font |
| HTML_TITLE_EMPTY |
HTML title contains no text |
| HTML_TITLE_LONG |
HTML title is very long |
| HTML_TITLE_UNTITLED |
HTML title contains "Untitled" |
| HTTPS_IP_MISMATCH |
IP to HTTPS link found in HTML |
| HTTP_77 |
Contains an URL-encoded hostname (HTTP77) |
| HTTP_CTRL_CHARS_HOST |
Uses control sequences inside a URL hostname |
| HTTP_ESCAPED_HOST |
Uses %-escapes inside a URL's hostname |
| HTTP_EXCESSIVE_ESCAPES |
Completely unnecessary %-escapes inside a URL |
| IMPOTENCE |
Impotence cure |
| INFO_TLD |
Contains an URL in the INFO top-level domain |
| INTERRUPTUS |
Message looks to contain HTML-interrupted text |
| INVALID_DATE |
Invalid Date: header (not RFC 2822) |
| INVALID_DATE_TZ_ABSURD |
Invalid Date: header (timezone does not exist) |
| INVALID_MSGID |
Message-Id is not valid, according to RFC 2822 |
| INVALID_TZ_CST |
Invalid date in header (wrong CST timezone) |
| INVALID_TZ_EST |
Invalid date in header (wrong EST timezone) |
| INVALID_TZ_GMT |
Invalid date in header (wrong GMT/UTC timezone) |
| INVESTMENT_ADVICE |
Message mentions investment advice |
| INVESTMENT_EXPERT |
Message mentions investment expert |
| IP_LINK_PLUS |
Dotted-decimal IP address followed by CGI |
| JAPANESE_UCE_SUBJECT |
Subject contains a Japanese UCE tag |
| JOIN_MILLIONS |
Join Millions of Americans |
| JS_FROMCHARCODE |
Document is built from a Javascript charcode array |
| KOREAN_UCE_SUBJECT |
Subject: contains Korean unsolicited email tag |
| LIVE_PORN |
Possible porn - Live Porn |
| LOCALPART_IN_SUBJECT |
Local part of To: address appears in Subject |
| LONGWORDS |
Long string of long words |
| LOTS_OF_STUFF |
Thousands or millions of pictures, movies, etc. |
| LOW_PRICE |
Lowest Price |
| MAILTO_SUBJ_REMOVE |
mailto URI includes removal text |
| MAILTO_TO_REMOVE |
Includes a 'remove' email address |
| MAILTO_TO_SPAM_ADDR |
Includes a link to a likely spammer email |
| MALE_ENHANCE |
Message talks about enhancing men |
| MANY_EXCLAMATIONS |
Subject has many exclamations |
| MARKETING_PARTNERS |
Claims you registered with a partner |
| MEET_SINGLES |
Meet Singles |
| MICROSOFT_EXECUTABLE |
Message includes Microsoft executable program |
| MICRO_CAP_WARNING |
SEC-mandated penny-stock warning |
| MILLION_USD |
Talks about millions of dollars |
| MIME_BAD_ISO_CHARSET |
MIME character set is an unknown ISO charset |
| MIME_BASE64_BLANKS |
Extra blank lines in base64 encoding |
| MIME_BASE64_NO_NAME |
base64 attachment does not have a file name |
| MIME_BASE64_TEXT |
Message text disguised using base64 encoding |
| MIME_BOUND_DD_DIGITS |
Spam tool pattern in MIME boundary |
| MIME_BOUND_DIGITS_15 |
Spam tool pattern in MIME boundary |
| MIME_BOUND_DIGITS_7 |
Spam tool pattern in MIME boundary |
| MIME_BOUND_MANY_HEX |
Spam tool pattern in MIME boundary |
| MIME_BOUND_NEXTPART |
Spam tool pattern in MIME boundary |
| MIME_BOUND_RKFINDY |
Spam tool pattern in MIME boundary (rfkindy) |
| MIME_CHARSET_FARAWAY |
MIME character set indicates foreign language |
| MIME_HEADER_CTYPE_ONLY |
'Content-Type' found without required MIME headers |
| MIME_HTML_MOSTLY |
Multipart message mostly text/html MIME |
| MIME_HTML_ONLY |
Message only has text/html MIME parts |
| MIME_HTML_ONLY_MULTI |
Multipart message only has text/html MIME parts |
| MIME_MISSING_BOUNDARY |
MIME section missing boundary |
| MIME_QP_LONG_LINE |
Quoted-printable line longer than 76 chars |
| MIME_SUSPECT_NAME |
MIME filename does not match content |
| MISSING_DATE |
Missing Date: header |
| MISSING_HB_SEP |
Missing blank line between message header and body |
| MISSING_HEADERS |
Missing To: header |
| MISSING_MIMEOLE |
Message has X-MSMail-Priority, but no X-MimeOLE |
| MISSING_MIME_HB_SEP |
Missing blank line between MIME header and body |
| MISSING_SUBJECT |
Missing Subject: header |
| ML_MARKETING |
Multi Level Marketing mentioned |
| MONEY_BACK |
Money back guarantee |
| MORE_SEX |
Talks about a bigger drive for sex |
| MORTGAGE_BEST |
Information on mortgages |
| MORTGAGE_PITCH |
Looks like mortgage pitch |
| MORTGAGE_RATES |
Information on mortgage rates |
| MPART_ALT_DIFF |
HTML and text parts are different |
| MPART_ALT_DIFF_COUNT |
HTML and text parts are different |
| MSGID_DOLLARS |
Message-Id has pattern used in spam |
| MSGID_FROM_MTA_HEADER |
Message-Id was added by a relay |
| MSGID_FROM_MTA_HOTMAIL |
Message-Id was added by a hotmail.com relay |
| MSGID_FROM_MTA_ID |
Message-Id for external message added locally |
| MSGID_LONG |
Message-ID is unusually long |
| MSGID_MULTIPLE_AT |
Message-ID contains multiple '@' characters |
| MSGID_NO_HOST |
Message-Id has no hostname |
| MSGID_OUTLOOK_INVALID |
Message-Id is fake (in Outlook Express format) |
| MSGID_RANDY |
Message-Id has pattern used in spam |
| MSGID_RATWARE1 |
Bulk email fingerprint found |
| MSGID_SHORT |
Message-ID is unusually short |
| MSGID_SPAM_99X9XX99 |
Spam tool Message-Id: (99x9xx99 variant) |
| MSGID_SPAM_ALPHA_NUM |
Spam tool Message-Id: (alpha-numeric variant) |
| MSGID_SPAM_CAPS |
Spam tool Message-Id: (caps variant) |
| MSGID_SPAM_LETTERS |
Spam tool Message-Id: (letters variant) |
| MSGID_SPAM_ZEROES |
Spam tool Message-Id: (12-zeroes variant) |
| MSGID_YAHOO_CAPS |
Message-ID has ALLCAPS@yahoo.com |
| MULTI_FORGED |
Received headers indicate multiple forgeries |
| NASTY_GIRLS |
Possible porn - Nasty Girls |
| NA_DOLLARS |
Talks about a million North American dollars |
| NONEXISTENT_CHARSET |
Character set doesn't exist |
| NORMAL_HTTP_TO_IP |
Uses a dotted-decimal IP address in URL |
| NOT_ADVISOR |
Not registered investment advisor |
| NO_COST |
No such thing as a free lunch (3) |
| NO_DNS_FOR_FROM |
Envelope sender has no MX or A DNS records |
| NO_FORMS |
No Claim Forms |
| NO_MEDICAL |
No Medical Exams |
| NO_OBLIGATION |
There is no obligation |
| NO_PRESCRIPTION |
No prescription needed |
| NO_RDNS_DOTCOM_HELO |
Host HELO'd as a big ISP, but had no rDNS |
| NO_REAL_NAME |
From: does not include a real name |
| NO_RECEIVED |
Informational: message has no Received headers |
| NO_RELAYS |
Informational: message was not relayed via SMTP |
| NUMERIC_HTTP_ADDR |
Uses a numeric IP address in URL |
| OBFUSCATING_COMMENT |
HTML comments which obfuscate text |
| OBSCURED_EMAIL |
Message seems to contain rot13ed address |
| OFFSHORE_SCAM |
Off Shore Scams |
| ONE_TIME |
One Time Rip Off |
| ONLINE_PHARMACY |
Online Pharmacy |
| OPTING_OUT_CAPS |
Talks about opting out (capitalized version) |
| ORG_MIME_TOOLS |
Organization is MIME-tools |
| PERCENT_RANDOM |
Message has a random macro in it |
| PLING_PLING |
Subject has lots of exclamation marks |
| PLING_QUERY |
Subject has exclamation mark and question mark |
| PORN_15 |
Possible porn - various types of feline |
| PORN_16 |
Possible porn - nasty, dirty, little etc. |
| PORN_URL_MISC |
URL uses words/phrases which indicate porn (misc) |
| PORN_URL_SEX |
URL uses words/phrases which indicate porn (sex) |
| PORN_URL_SLUT |
URL uses words/phrases which indicate porn (slut) |
| PREST_NON_ACCREDITED |
'Prestigious Non-Accredited Universities' |
| PREVENT_NONDELIVERY |
Message has Prevent-NonDelivery-Report header |
| PRICES_ARE_AFFORDABLE |
Message says that prices aren't too expensive |
| PRIORITY_NO_NAME |
Message has priority, but no user agent name |
| PYZOR_CHECK |
Listed in Pyzor (http://pyzor.sf.net/) |
| QUALIFY_FOR_THIS |
Qualify for this special... |
| RATWARE_BOUND_PIECE |
Bulk email fingerprint (piece boundary) found |
| RATWARE_EFROM |
Bulk email fingerprint (envfrom) found |
| RATWARE_EGROUPS |
Bulk email fingerprint (eGroups) found |
| RATWARE_GECKO_BUILD |
Bulk email fingerprint (Gecko faked) found |
| RATWARE_HASH_2 |
Bulk email fingerprint (hash 2) found |
| RATWARE_HASH_2_V2 |
Bulk email fingerprint (hash 2 v2) found |
| RATWARE_HASH_DASH |
Contains a hashbuster in Send-Safe format |
| RATWARE_JPFREE |
Bulk email fingerprint (jpfree) found |
| RATWARE_MOZ_MALFORMED |
Bulk email fingerprint (Mozilla malformed) found |
| RATWARE_MPOP_WEBMAIL |
Bulk email fingerprint (mPOP Web-Mail) |
| RATWARE_MS_HASH |
Bulk email fingerprint (msgid ms hash) found |
| RATWARE_NAME_ID |
Bulk email fingerprint (msgid from) found |
| RATWARE_NETIP |
Bulk email fingerprint (netIP) found |
| RATWARE_OE_MALFORMED |
X-Mailer has malformed Outlook Express version |
| RATWARE_OUTLOOK_NONAME |
Bulk email fingerprint (Outlook no name) found |
| RATWARE_RCVD_AT |
Bulk email fingerprint (Received @) found |
| RATWARE_RCVD_LC_ESMTP |
Bulk email fingerprint ('esmtp' Received) found |
| RATWARE_RCVD_PF |
Bulk email fingerprint (Received PF) found |
| RATWARE_STORM_URI |
Bulk email fingerprint (StormPost) found |
| RATWARE_ZERO_TZ |
Bulk email fingerprint (+0000) found |
| RAZOR2_CF_RANGE_51_100 |
Razor2 gives confidence level above 50% |
| RAZOR2_CF_RANGE_E4_51_100 |
Razor2 gives engine 4 confidence level above 50% |
| RAZOR2_CF_RANGE_E8_51_100 |
Razor2 gives engine 8 confidence level above 50% |
| RAZOR2_CHECK |
Listed in Razor2 (http://razor.sf.net/) |
| RCVD_AM_PM |
Received headers forged (AM/PM) |
| RCVD_BONUS_SPC_DATE |
Bulk email fingerprint (bonus space) found |
| RCVD_BY_IP |
Received by mail server with no name |
| RCVD_DOUBLE_IP_LOOSE |
Received: by and from look like IP addresses |
| RCVD_DOUBLE_IP_SPAM |
Bulk email fingerprint (double IP) found |
| RCVD_FAKE_HELO_DOTCOM |
Received contains a faked HELO hostname |
| RCVD_HELO_IP_MISMATCH |
Received: HELO and IP do not match, but should |
| RCVD_ILLEGAL_IP |
Received: contains illegal IP address |
| RCVD_IN_BL_SPAMCOP_NET |
Received via a relay in bl.spamcop.net |
| RCVD_IN_BSP_OTHER |
Sender is in Bonded Sender Program (other relay) |
| RCVD_IN_BSP_TRUSTED |
Sender is in Bonded Sender Program (trusted relay) |
| RCVD_IN_DSBL |
Received via a relay in list.dsbl.org |
| RCVD_IN_IADB_VOUCHED |
ISIPP IADB lists as vouched-for sender |
| RCVD_IN_MAPS_DUL |
Relay in DUL, http://www.mail-abuse.org/dul/ |
| RCVD_IN_MAPS_NML |
Relay in NML, http://www.mail-abuse.org/nml/ |
| RCVD_IN_MAPS_RBL |
Relay in RBL, http://www.mail-abuse.org/rbl/ |
| RCVD_IN_MAPS_RSS |
Relay in RSS, http://www.mail-abuse.org/rss/ |
| RCVD_IN_NJABL_CGI |
NJABL: sender is an open formmail |
| RCVD_IN_NJABL_DUL |
NJABL: dialup sender did non-local SMTP |
| RCVD_IN_NJABL_MULTI |
NJABL: sent through multi-stage open relay |
| RCVD_IN_NJABL_PROXY |
NJABL: sender is an open proxy |
| RCVD_IN_NJABL_RELAY |
NJABL: sender is confirmed open relay |
| RCVD_IN_NJABL_SPAM |
NJABL: sender is confirmed spam source |
| RCVD_IN_SBL |
Received via a relay in Spamhaus SBL |
| RCVD_IN_SORBS_BLOCK |
SORBS: sender demands to never be tested |
| RCVD_IN_SORBS_DUL |
SORBS: sent directly from dynamic IP address |
| RCVD_IN_SORBS_HTTP |
SORBS: sender is open HTTP proxy server |
| RCVD_IN_SORBS_MISC |
SORBS: sender is open proxy server |
| RCVD_IN_SORBS_SMTP |
SORBS: sender is open SMTP relay |
| RCVD_IN_SORBS_SOCKS |
SORBS: sender is open SOCKS proxy server |
| RCVD_IN_SORBS_WEB |
SORBS: sender is a abuseable web server |
| RCVD_IN_SORBS_ZOMBIE |
SORBS: sender is on a hijacked network |
| RCVD_IN_WHOIS_BOGONS |
CompleteWhois: sender on bogons IP block |
| RCVD_IN_WHOIS_HIJACKED |
CompleteWhois: sender on hijacked IP block |
| RCVD_IN_WHOIS_INVALID |
CompleteWhois: sender on invalid IP block |
| RCVD_IN_XBL |
Received via a relay in Spamhaus XBL |
| RCVD_NUMERIC_HELO |
Received: contains an IP address used for HELO |
| RECEIVE_OFFER |
Receive a special offer |
| REFINANCE_NOW |
Home refinancing |
| REFINANCE_YOUR_HOME |
Home refinancing |
| REMOVE_BEFORE_LINK |
Removal phrase right before a link |
| REMOVE_PAGE |
URL of page called "remove" |
| REMOVE_POSTAL |
Send real mail to be unsubscribed |
| REPLICA_WATCH |
Message talks about a replica watch |
| REPLY_TO_EMPTY |
Reply-To: is empty |
| REPTO_OVERQUOTE_THEBAT |
The Bat! doesn't do quoting like this |
| REPTO_QUOTE_AOL |
AOL doesn't do quoting like this |
| REPTO_QUOTE_IMS |
IMS doesn't do quoting like this |
| REPTO_QUOTE_MSN |
MSN doesn't do quoting like this |
| REPTO_QUOTE_QUALCOMM |
Qualcomm/Eudora doesn't do quoting like this |
| REPTO_QUOTE_YAHOO |
Yahoo! doesn't do quoting like this |
| RESISTANCE_IS_FUTILE |
Resistance to this spam is futile |
| REVERSE_AGING |
Reverses Aging |
| RISK_FREE |
Risk free. Suuurreeee.... |
| ROUND_THE_WORLD |
Received: says mail sent around the world (DNS) |
| ROUND_THE_WORLD_LOCAL |
Received: says mail sent around the world (HELO) |
| RUDE_HTML |
Spammer message says you need an HTML mailer |
| SATIS_GUAR |
Mail guarantees satisfaction |
| SAVE_THOUSANDS |
Save big money |
| SEE_FOR_YOURSELF |
See for yourself |
| SENT_IN_COMPLIANCE |
Claims compliance with spam regulations |
| SOMETHING_FOR_ADULTS |
Possible porn - Adult Web Sites |
| SOME_BREAKTHROUGH |
Describes some sort of breakthrough |
| SORTED_RECIPS |
Recipient list is sorted by address |
| SPF_FAIL |
SPF: sender does not match SPF record (fail) |
| SPF_HELO_FAIL |
SPF: HELO does not match SPF record (fail) |
| SPF_HELO_NEUTRAL |
SPF: HELO does not match SPF record (neutral) |
| SPF_HELO_PASS |
SPF: HELO matches SPF record |
| SPF_HELO_SOFTFAIL |
SPF: HELO does not match SPF record (softfail) |
| SPF_NEUTRAL |
SPF: sender does not match SPF record (neutral) |
| SPF_PASS |
SPF: sender matches SPF record |
| SPF_SOFTFAIL |
SPF: sender does not match SPF record (softfail) |
| SPOOF_COM2COM |
URI contains ".com" in middle and end |
| SPOOF_COM2OTH |
URI contains ".com" in middle |
| SPOOF_NET2COM |
URI contains ".net" or ".org", then ".com" |
| SPOOF_OURI |
URI has items in odd places |
| STOCK_ALERT |
Offers a alert about a stock |
| STRONG_BUY |
Tells you about a strong buy |
| SUBJECT_DIET |
Subject talks about losing pounds |
| SUBJECT_DRUG_GAP_C |
Subject contains a gappy version of 'cialis' |
| SUBJECT_DRUG_GAP_L |
Subject contains a gappy version of 'levitra' |
| SUBJECT_DRUG_GAP_P |
Subject contains a gappy version of 'phentermine' |
| SUBJECT_DRUG_GAP_S |
Subject contains a gappy version of 'soma' |
| SUBJECT_DRUG_GAP_VA |
Subject contains a gappy version of 'valium' |
| SUBJECT_DRUG_GAP_VIC |
Subject contains a gappy version of 'vicodin' |
| SUBJECT_DRUG_GAP_X |
Subject contains a gappy version of 'xanax' |
| SUBJECT_ENCODED_TWICE |
Subject: MIME encoded twice |
| SUBJECT_EXCESS_BASE64 |
Subject: base64 encoded encoded unnecessarily |
| SUBJECT_EXCESS_QP |
Subject: quoted-printable encoded unnecessarily |
| SUBJECT_FUZZY_CHEAP |
Attempt to obfuscate words in Subject: |
| SUBJECT_FUZZY_MEDS |
Attempt to obfuscate words in Subject: |
| SUBJECT_FUZZY_PENIS |
Attempt to obfuscate words in Subject: |
| SUBJECT_FUZZY_TION |
Attempt to obfuscate words in Subject: |
| SUBJECT_IN_BLACKLIST |
Subject: contains string in the user's black-list |
| SUBJECT_IN_WHITELIST |
Subject: contains string in the user's white-list |
| SUBJECT_NOVOWEL |
Subject: has long non-vowel letter sequence |
| SUBJECT_SEXUAL |
Subject indicates sexually-explicit content |
| SUBJ_2_NUM_PARENS |
Subject contains common spam sign (2 numbers) |
| SUBJ_ALL_CAPS |
Subject is all capitals |
| SUBJ_AS_SEEN |
Subject contains "As Seen" |
| SUBJ_BUY |
Subject line starts with Buy or Buying |
| SUBJ_CONSONANTS |
Subject contains consecutive consonants in "word" |
| SUBJ_DOLLARS |
Subject starts with dollar amount |
| SUBJ_FOR_ONLY |
Subject contains "For Only" |
| SUBJ_FREE_CAP |
Subject contains "FREE" in CAPS |
| SUBJ_GUARANTEED |
Subject GUARANTEED |
| SUBJ_HAS_SPACES |
Subject contains lots of white space |
| SUBJ_HAS_UNIQ_ID |
Subject contains a unique ID |
| SUBJ_ILLEGAL_CHARS |
Subject: has too many raw illegal characters |
| SUBJ_LIFE_INSURANCE |
Subject includes "life insurance" |
| SUBJ_YOUR_DEBT |
Subject contains "Your Bills" or similar |
| SUBJ_YOUR_FAMILY |
Subject contains "Your Family" |
| SUBJ_YOUR_OWN |
Subject contains "Your Own" |
| SUB_FREE_OFFER |
Subject starts with "Free" |
| SUB_HELLO |
Subject starts with "Hello" |
| SUSPICIOUS_RECIPS |
Similar addresses in recipient list |
| TERRA_ES |
Contains URI to a document hosted at 'terra.es' |
| TO_ADDRESS_EQ_REAL |
To: repeats address as real name |
| TO_CC_NONE |
No To: or Cc: header |
| TO_EMPTY |
To: is empty |
| TO_MALFORMED |
To: has a malformed address |
| TO_NO_USER |
To: has no local-part before @ sign |
| TO_RECIP_MARKER |
To header contains 'recipient' marker |
| TO_TXT |
Sent to a text file |
| TRACKER_ID |
Incorporates a tracking ID number |
| UNCLAIMED_MONEY |
People just leave money laying around |
| UNCLOSED_BRACKET |
Headers contain an unclosed bracket |
| UNDISC_RECIPS |
Valid-looking To "undisclosed-recipients" |
| UNIQUE_WORDS |
Message body has many words used only once |
| UNPARSEABLE_RELAY |
Informational: message has unparseable relay lines |
| UNRESOLVED_TEMPLATE |
Headers contain an unresolved template |
| UNWANTED_LANGUAGE_BODY |
Message written in an undesired language |
| UPPERCASE_25_50 |
message body is 25-50% uppercase |
| UPPERCASE_50_75 |
message body is 50-75% uppercase |
| UPPERCASE_75_100 |
message body is 75-100% uppercase |
| URG_BIZ |
Contains urgent matter |
| URIBL_AB_SURBL |
Contains an URL listed in the AB SURBL blocklist |
| URIBL_JP_SURBL |
Contains an URL listed in the JP SURBL blocklist |
| URIBL_OB_SURBL |
Contains an URL listed in the OB SURBL blocklist |
| URIBL_PH_SURBL |
Contains an URL listed in the PH SURBL blocklist |
| URIBL_SBL |
Contains an URL listed in the SBL blocklist |
| URIBL_SC_SURBL |
Contains an URL listed in the SC SURBL blocklist |
| URIBL_WS_SURBL |
Contains an URL listed in the WS SURBL blocklist |
| URI_4YOU |
Message has URI 4you |
| URI_AFFILIATE |
Contains a URI with an affiliate ID code |
| URI_DIGITS |
URI hostname has long digit sequence |
| URI_HEX |
URI hostname has long hexadecimal sequence |
| URI_IS_POUND |
Filename is just a '\#'; probably a JS trick |
| URI_NOVOWEL |
URI hostname has long non-vowel sequence |
| URI_NO_WWW_ANY_CGI |
CGI with long hostname other fourth-level "www" |
| URI_NO_WWW_BIZ_CGI |
CGI in .biz TLD other than third-level "www" |
| URI_NO_WWW_INFO_CGI |
CGI in .info TLD other than third-level "www" |
| URI_OFFERS |
Message has link to company offers |
| URI_REDIRECTOR |
Message has HTTP redirector URI |
| URI_SCHEME_MIXED_CASE |
URI scheme has mixed uppercase and lowercase |
| URI_UNSUBSCRIBE |
URI contains suspicious unsubscribe link |
| URI_UPPER_LOWER |
URI contains capitalized hostname parts ("Abcde") |
| USERPASS |
URL contains username and (optional) password |
| USER_IN_ALL_SPAM_TO |
User is listed in 'all_spam_to' |
| USER_IN_BLACKLIST |
From: address is in the user's black-list |
| USER_IN_BLACKLIST_TO |
User is listed in 'blacklist_to' |
| USER_IN_DEF_DKIM_WL |
From: address is in the default DKIM white-list |
| USER_IN_DEF_DK_WL |
From: address is in the default DK white-list |
| USER_IN_DEF_SPF_WL |
From: address is in the default SPF white-list |
| USER_IN_DEF_WHITELIST |
From: address is in the default white-list |
| USER_IN_DKIM_WHITELIST |
From: address is in the user's DKIM whitelist |
| USER_IN_DK_WHITELIST |
From: address is in the user's DK whitelist |
| USER_IN_MORE_SPAM_TO |
User is listed in 'more_spam_to' |
| USER_IN_SPF_WHITELIST |
From: address is in the user's SPF whitelist |
| USER_IN_WHITELIST |
From: address is in the user's white-list |
| USER_IN_WHITELIST_TO |
User is listed in 'whitelist_to' |
| US_DOLLARS_3 |
Mentions millions of $ ($NN,NNN,NNN.NN) |
| VIA_GAP_GRA |
Attempts to disguise the word 'viagra' |
| WEIRD_PORT |
Uses non-standard port number for HTTP |
| WEIRD_QUOTING |
Weird repeated double-quotation marks |
| WE_HONOR_ALL |
Claims to honor removal requests |
| WHILE_YOU_SLEEP |
While you Sleep |
| WHY_PAY_MORE |
Why Pay More? |
| WHY_WAIT |
What are you waiting for |
| WITH_LC_SMTP |
Received line contains spam-sign (lowercase smtp) |
| WRINKLES |
Removes Wrinkles |
| X_AUTH_WARN_FAKED |
X-Authentication-Warning header looks faked |
| X_IP |
Message has X-IP header |
| X_LIBRARY |
Message has X-Library header |
| X_MAILER_SPAM |
X-Mailer: header is bulk email fingerprint |
| X_MESSAGE_FLAG_ODD |
Message has X-Message-flag header (odd case) |
| X_MESSAGE_INFO |
Bulk email fingerprint (X-Message-Info) found |
| X_MIME_AUTOCONVERTED |
Message has X-MIME-Autoconverted "Yes" header |
| X_MSMAIL_PRIORITY_HIGH |
Sent with 'X-Msmail-Priority' set to high |
| X_ORIG_IP_NOT_IPV4 |
X-Originating-IP doesn't look like IPv4 address |
| X_PRIORITY_CC |
Cc: after X-Priority: (bulk email fingerprint) |
| X_PRIORITY_HIGH |
Sent with 'X-Priority' set to high |
| YAHOO_DRS_REDIR |
Has Yahoo Redirect URI |
| YAHOO_RD_REDIR |
Has Yahoo Redirect URI |
| YOU_CAN_SEARCH |
You can search for anyone |
| __MIME_BASE64 |
Includes a base64 attachment |
| __MIME_QP |
Includes a quoted-printable attachment |
| __RCVD_IN_NJABL |
Received via a relay in combined.njabl.org |
| __RCVD_IN_SBL_XBL |
Received via a relay in Spamhaus SBL+XBL |
| __RCVD_IN_SORBS |
SORBS: sender is listed in SORBS |
