WHY ARE E-MAILS MARKED AS SPAM (Unwanted E-mail)?

Today, e-mail is the first method that comes to mind when communication is mentioned. Checked almost constantly by nearly everyone and able to reach anywhere, the e-mail system brings certain problems along with its conveniences. People who want to use e-mail for advertising or malicious purposes may try to deceive users by applying certain tricks to the content. To keep users from being exposed to such malicious e-mails, systems called ANTI-SPAM are used; they detect malicious or unwanted content based on certain characteristics of the e-mail's content.

Anti-spam systems inspect the content of incoming and/or outgoing e-mails and, when unexpected anomalies are detected, assign points according to these areas (Table 1) to build the e-mail's unwanted-content score (Spam Score). If the spam score does not exceed a threshold set by the server, the score is added to the e-mail's header for information only and the e-mail is delivered to the user. If a set threshold has been exceeded, the e-mail is suspected of being spam and, depending on lower and upper limits, either only a warning is given (a marker such as [SPAM] is added to the subject) or the e-mail is blocked from reaching the user entirely.

WHAT IS THE SPAM SCORE?

For an e-mail to be considered spam, it must match some of the tests shown in Table 1. The table lists the comparison factors the server applies during evaluation. These are the tests used by a standard server; similar comparisons with different properties can also be configured if desired. For each test, if the condition is present in the e-mail, that test's spam value is added to the e-mail's spam score. The total obtained across all tests forms the e-mail's spam score.

Some of the most common causes of spam score in e-mails are:

· Writing the entire subject or content in capital letters
· Using characters in the subject or content that are not normally used
· Using certain specific words or question sentences in the subject
· Using unnecessary consecutive whitespace in the content (multiple presses of the space or enter key)
· Using only an image in the e-mail without any text, or using an image that is very large or very small
· When sending the e-mail to multiple addresses, writing all the addresses in the To or CC fields
· Writing the sender and/or recipient e-mail addresses in an invalid/incorrect format
· Missing or inconsistent DNS records for the server the e-mail was sent from
· The sending server being blacklisted on RBL spam control lists

 

HOW CAN YOU TELL WHETHER AN E-MAIL IS SPAM?

E-mail messages essentially consist of 2 parts: the Header and the Content. The content is what is written in the e-mail and what people normally read. It can contain many parts such as text, tables, images and attachments. The header contains the e-mail's identifying information, which is normally not displayed. This includes the person who created the e-mail, the destination(s) it was sent to, the date it was sent, the subject, information about the computer and user that prepared the e-mail, and the servers it passed through from its point of origin to the destination address. The spam-score information produced by the spam checks is also located in this header section.

To view an e-mail's headers, it is enough to use the “Show Source” (“Kaynağı Göster”) or “Show Original” (“Orjinali Göster”) option in the software used to read the e-mail. In the web-based e-mail software (Zimbra) on the Ege University e-mail server, double-click the e-mail whose headers you want to see so that it opens in a separate page, then choose “Show Original / Orjinali göster” from the “Actions / İşlemler” menu at the top to display the headers. In Microsoft Outlook, the most widely used software, double-click the relevant e-mail to open it, then use the “View Source” (“Kaynağı Göster”) option shown in the image below (MESSAGE -> ACTIONS -> OTHER ACTIONS -> VIEW SOURCE; in the Turkish interface İLETİ -> EYLEMLER -> DİĞER EYLEMLER -> KAYNAĞI GÖSTER).

An example e-mail is shown below together with its sections: the header section is marked in green, the content section in blue and the spam-score section in red (images in the content section are base64-encoded and embedded in the mail, but because they take up a lot of space only 1 line is shown in the example below).

Return-Path: halkilis_duyuru-return-3020-mail.ege.edu.tr-egeweb=mail.ege.edu.tr@mail.ege.edu.tr
Received: from zimbrane.ege.edu.tr (LHLO zimbrane.ege.edu.tr)
 (155.223.64.236) by zimbrane.ege.edu.tr with LMTP; Thu, 10 Nov 2016
 08:47:02 +0200 (EET)
Received: from localhost (localhost [127.0.0.1])
                by zimbrane.ege.edu.tr (Postfix) with ESMTP id CA2148FCC86
                for <***********@ege.edu.tr>; Thu, 10 Nov 2016 08:47:02 +0200 (EET)
X-Spam-Flag: NO
X-Spam-Score: 5.119
X-Spam-Level: *****
X-Spam-Status: No, score=5.119 required=6.6 tests=[ALL_TRUSTED=-1, BAYES_80=2,
                HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.428,
                MPART_ALT_DIFF=0.79, SUBJ_ALL_CAPS=1.506, T_RP_MATCHES_RCVD=-0.01]
                autolearn=no autolearn_force=no
Received: from zimbrane.ege.edu.tr ([127.0.0.1])
                by localhost (zimbrane.ege.edu.tr [127.0.0.1]) (amavisd-new, port 10032)
                with ESMTP id fgsfRzBvgBZx for <***********@ege.edu.tr>;
                Thu, 10 Nov 2016 08:47:02 +0200 (EET)
Received: from localhost (localhost [127.0.0.1])
                by zimbrane.ege.edu.tr (Postfix) with ESMTP id 6ED2B8FCC7D
                for <***********@ege.edu.tr>; Thu, 10 Nov 2016 08:47:02 +0200 (EET)
X-Virus-Scanned: amavisd-new at zimbrane.ege.edu.tr
Received: from zimbrane.ege.edu.tr ([127.0.0.1])
                by localhost (zimbrane.ege.edu.tr [127.0.0.1]) (amavisd-new, port 10026)
                with ESMTP id sqTqNZq4_n30 for <***********@ege.edu.tr>;
                Thu, 10 Nov 2016 08:47:02 +0200 (EET)
Received: from virusguard.ege.edu.tr (virusguard.ege.edu.tr [155.223.64.33])
                by zimbrane.ege.edu.tr (Postfix) with ESMTP id 09FE88FCC6A
                for <***********@ege.edu.tr>; Thu, 10 Nov 2016 08:47:02 +0200 (EET)
Received: from egemaily.ege.edu.tr (egemailyedek.ege.edu.tr [155.223.64.215])
                by virusguard.ege.edu.tr (Extensible Content Security) with ESMTP id BA891371052A0E6A
                for <***********@ege.edu.tr>; Thu, 10 Nov 2016 08:48:11 +0200 (EET)
Received: (qmail 31075 invoked by uid 507); 10 Nov 2016 08:46:44 +0200
Delivered-To: egeweb@mail.ege.edu.tr
Received: (qmail 21805 invoked by uid 507); 10 Nov 2016 08:37:25 +0200
Mailing-List: contact halkilis_duyuru-help@mail.ege.edu.tr; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Post: <mailto:halkilis_duyuru@mail.ege.edu.tr>
List-Help: <mailto:halkilis_duyuru-help@mail.ege.edu.tr>
List-Unsubscribe: <mailto:halkilis_duyuru-unsubscribe@mail.ege.edu.tr>
List-Subscribe: <mailto:halkilis_duyuru-subscribe@mail.ege.edu.tr>
Delivered-To: mailing list halkilis_duyuru@mail.ege.edu.tr
Delivered-To: moderator for halkilis_duyuru@mail.ege.edu.tr
Received: (qmail 21501 invoked by uid 507); 10 Nov 2016 08:35:47 +0200
X-Mail-Scanner: Scanned by qSheff-II-2.1-r3 (http://www.enderunix.org/qsheff/)
From: =?iso-8859-9?B?RdwgUmVrdPZybPzw/CBCYXP9biB2ZSBIYWxrbGEg3Wxp/mtpbGVyIE38?= =?iso-8859-9?B?ZPxybPzw/A==?= <halkilis@mail.ege.edu.tr>
To: <halkilis_duyuru@mail.ege.edu.tr>
References:
In-Reply-To:
Subject: =?iso-8859-9?Q?REKT=D6R=DCM=DCZ=DCN_10_KASIM_MESAJI?=
Date: Thu, 10 Nov 2016 08:37:29 +0300
Message-ID: <006001d23b14$873bbeb0$95b33c10$@mail.ege.edu.tr>
MIME-Version: 1.0
Content-Type: multipart/related;
                boundary="----=_NextPart_000_0061_01D23B2D.AC88F6B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdI7FHfIiqrF6sPzScOE/70+SJWjrAAAAg0A
Content-Language: tr
X-STA-Metric: 0 (engine=031)
X-STA-NotSpam: message-id:@mail.ege header:In-Reply-To:1 subject:KASIM from:addr:mail.ege.e from:name:m?
X-STA-Spam: from:name:? to:2**0 header:To:1 header:Subject:1 header:From:1
Received-SPF: none

This is a multipart message in MIME format.

------=_NextPart_000_0061_01D23B2D.AC88F6B0
Content-Type: multipart/alternative;
                boundary="----=_NextPart_001_0062_01D23B2D.AC88F6B0"


------=_NextPart_001_0062_01D23B2D.AC88F6B0
Content-Type: text/plain;
                charset="iso-8859-9"
Content-Transfer-Encoding: 7bit


------=_NextPart_001_0062_01D23B2D.AC88F6B0
Content-Type: text/html;
                charset="iso-8859-9"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-9"><meta name=3DGenerator content=3D"Microsoft Word =
14 (filtered medium)"><!--[if !mso]><style>v\:* =
{behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
                {font-family:"Cambria Math";
                panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
                {font-family:Calibri;
                panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
                {font-family:Tahoma;
                panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
                {margin:0cm;
                margin-bottom:.0001pt;
                font-size:11.0pt;
                font-family:"Calibri","sans-serif";
                mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
                {mso-style-priority:99;
                color:blue;
                text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
                {mso-style-priority:99;
                color:purple;
                text-decoration:underline;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DTR link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal =
align=3Dcenter style=3D'text-align:center'><span =
style=3D'mso-fareast-language:TR'><img width=3D1183 height=3D639 =
id=3D"Resim_x0020_1" =
src=3D"cid:image001.png@01D23B2D.A14D71E0"></span><o:p></o:p></p></div></=
body></html>
------=_NextPart_001_0062_01D23B2D.AC88F6B0--

------=_NextPart_000_0061_01D23B2D.AC88F6B0
Content-Type: image/png;
                name="image001.png"
Content-Transfer-Encoding: base64
Content-ID: <image001.png@01D23B2D.A14D71E0>

iVBORw0KGgoAAAANSUhEUgAABJ8AAAJ/CAIAAABZe+WeAAAAAXNSR0IArs4c6QAAAAlwSFlzAAAO
------=_NextPart_000_0061_01D23B2D.AC88F6B0--

 

In the example above, the parts that matter for spam are:

X-Spam-Flag: NO
X-Spam-Score: 5.119
X-Spam-Level: *****
X-Spam-Status: No, score=5.119 required=6.6 tests=[ALL_TRUSTED=-1, BAYES_80=2,
                HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.428,
                MPART_ALT_DIFF=0.79, SUBJ_ALL_CAPS=1.506, T_RP_MATCHES_RCVD=-0.01]
                autolearn=no autolearn_force=no

 

The components in the “tests” section are the test names shown in Table 1; although all tests are run, only those that contributed to the spam score are listed. For this e-mail the server produced a spam score from the evaluations shown under “tests”, giving a total of “X-Spam-Score: 5.119”. The “required=6.6” value in X-Spam-Status is the threshold the server requires in order to classify an e-mail as “spam”. If the spam score obtained from the tests has exceeded this threshold (X-Spam-Score >= 6.6), “YES” is written in place of “NO/No” in “X-Spam-Flag: NO” and “X-Spam-Status: No” to indicate that this e-mail really is spam. The “X-Spam-Level: *****” value shows the level assigned for the spam evaluation, and 5 “*” characters indicate a fairly high value.
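The check described above, as an added example that is not part of the original page: it unfolds the X-Spam-Status header, sums the per-test points, compares the score with `required`, and reports whether the header's Yes/No verdict agrees with its own numbers. It assumes the bracketed `tests=[NAME=points, ...]` form shown in the sample header; `SpamReport` and `parse_spam_status` are names chosen for this example.

```python
import email
import re
from dataclasses import dataclass
from email import policy

# Constructed sample: the X-Spam-* headers of the example message on this page,
# with a placeholder Subject and body so it parses as a complete message.
SAMPLE = (
    "X-Spam-Flag: NO\n"
    "X-Spam-Score: 5.119\n"
    "X-Spam-Level: *****\n"
    "X-Spam-Status: No, score=5.119 required=6.6 tests=[ALL_TRUSTED=-1, BAYES_80=2,\n"
    "\tHTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.428,\n"
    "\tMPART_ALT_DIFF=0.79, SUBJ_ALL_CAPS=1.506, T_RP_MATCHES_RCVD=-0.01]\n"
    "\tautolearn=no autolearn_force=no\n"
    "Subject: constructed sample\n"
    "\n"
    "placeholder body\n"
)

# Assumption: verdict, score, required and a bracketed test list, in that order.
STATUS_RE = re.compile(
    r"^(?P<verdict>yes|no),\s*score=(?P<score>-?[\d.]+)\s+"
    r"required=(?P<required>-?[\d.]+)\s+tests=\[(?P<tests>[^\]]*)\]",
    re.IGNORECASE,
)


@dataclass
class SpamReport:
    verdict: bool      # what the header itself claims (Yes/No)
    score: float       # score= value
    required: float    # required= value (the server's threshold)
    tests: dict        # test name -> points it contributed

    @property
    def tests_total(self) -> float:
        """Sum of the listed test points, rounded to the header's precision."""
        return round(sum(self.tests.values()), 3)

    @property
    def over_threshold(self) -> bool:
        """The page's rule: spam when the score reaches the required value."""
        return self.score >= self.required

    @property
    def consistent(self) -> bool:
        """True when the verdict and the listed points agree with the score."""
        return (self.verdict == self.over_threshold
                and abs(self.tests_total - self.score) < 0.01)

    def top(self, n: int = 3) -> list:
        """The n tests that added the most points, highest first."""
        ranked = sorted(self.tests.items(), key=lambda kv: kv[1], reverse=True)
        return ranked[:n]


def parse_spam_status(raw_message: str) -> SpamReport:
    """Extract and parse X-Spam-Status from a raw message (headers + body)."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    status = msg.get("X-Spam-Status")
    if status is None:
        raise ValueError("message has no X-Spam-Status header")
    # Unfold continuation lines: collapse every run of whitespace to one space.
    status = " ".join(str(status).split())
    m = STATUS_RE.match(status)
    if m is None:
        raise ValueError("unrecognised X-Spam-Status format: " + status)
    tests = {}
    for item in m.group("tests").split(","):
        name, sep, points = item.strip().partition("=")
        if name:
            tests[name] = float(points) if sep else 0.0
    return SpamReport(
        verdict=m.group("verdict").lower() == "yes",
        score=float(m.group("score")),
        required=float(m.group("required")),
        tests=tests,
    )


if __name__ == "__main__":
    report = parse_spam_status(SAMPLE)
    print("score", report.score, "required", report.required)
    print("sum of tests", report.tests_total)
    print("over threshold:", report.over_threshold)
    print("header consistent:", report.consistent)
    for name, points in report.top():
        print(f"  {name:<22}{points:+.3f}")
```
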

In some cases, even when the spam score is low, e-mails may still be shown in the spam (junk mail) folder because of the evaluation criteria of the software used to read the e-mail. In that case, check the spam settings within the e-mail reading software being used.

Tablo 1 Değerlendirme için kullanılan temel Spam-Score Değerleri

TEST ALANI

TEST AÇIKLAMASI

TEST ADI

SPAM SCORE  DEĞERLERİ

DETAYLAR

local /
 net /
 bayes ile / bayes+net

wiki dökümanı

body

Talks about 'acting now' with capitals

ACT_NOW_CAPS

1.404 / 2.399 / 0.925 / 2.211

Wiki

body

Eliminate Bad Credit

BAD_CREDIT

2.799 / 1.658 / 1.279 / 2.415

Wiki

body

Something is emphatically guaranteed

BANG_GUAR

2.202 / 2.377 / 1.690 / 2.704

Wiki

body

Talks about Oprah with an exclamation!

BANG_OPRAH

1

Wiki

body

Talks about banking laws

BANKING_LAWS

2.399 / 2.004 / 2.157 / 1.099

Wiki

body

eval:check_base64_length('78','79')

BASE64_LENGTH_78_79

2.370 / 2.636 / 0.762 / 2.667

Wiki

body

eval:check_base64_length('79')

BASE64_LENGTH_79_INF

1.379 / 2.019 / 0.583 / 1.502

Wiki

body

Bayes spam probability is 0 to 1%

BAYES_00

0 /
0 /
-1.5 /
-1.9

Wiki

body

Bayes spam probability is 1 to 5%

BAYES_05

0 /
0 /
-0.3 /
-0.5

Wiki

body

Bayes spam probability is 5 to 20%

BAYES_20

0 /
0 /
-0.001 /
-0.001

Wiki

body

Bayes spam probability is 20 to 40%

BAYES_40

0 /
0 /
-0.001 /
-0.001

Wiki

body

Bayes spam probability is 40 to 60%

BAYES_50

0 /
0 /
2.0 /
0.8

Wiki

body

Bayes spam probability is 60 to 80%

BAYES_60

0 /
0 /
2.5 /
1.5

Wiki

body

Bayes spam probability is 80 to 95%

BAYES_80

0 /
0 /
2.7 /
2.0

Wiki

body

Bayes spam probability is 95 to 99%

BAYES_95

0 /
0 /
3.2 /
3.0

Wiki

body

Bayes spam probability is 99 to 100%

BAYES_99

0 /
0 /
3.8 /
3.5

Wiki

body

Talks about lots of money

BILLION_DOLLARS

0.001 / 1.451 / 1.229 / 1.638

Wiki

body

Message body has 80-90% blank lines

BLANK_LINES_80_90

1

Wiki

body

Body includes 8 consecutive 8-bit characters

BODY_8BITS

1.500

Wiki

body

Information on growing body parts

BODY_ENHANCEMENT

0.927 / 1.611 / 0.974 / 0.001

Wiki

body

Information on getting larger body parts

BODY_ENHANCEMENT2

1.691 / 1.507 / 1.865 / 1.541

Wiki

body

Character set indicates a foreign language

CHARSET_FARAWAY

3.200

Wiki

body

Possible porn - Cum Shot

CUM_SHOT

1

Wiki

body

/\bCurrent Price:/

CURR_PRICE

0.001

Wiki

body

Dear Beneficiary:

DEAR_BENEFICIARY

1

Wiki

body

Message contains Dear email address

DEAR_EMAIL

1

Wiki

body

Dear Friend? That's not very dear!

DEAR_FRIEND

2.683 / 2.604 / 1.801 / 2.577

Wiki

body

Contains 'Dear (something)'

DEAR_SOMETHING

1.999 / 1.731 / 1.787 / 1.973

Wiki

body

/\bdear.{1,20}winner/i

DEAR_WINNER

3.099 / 3.099 / 2.309 / 3.099

Wiki

body

Lose Weight Spam

DIET_1

0.714 / 0.000 / 0.399 / 0.001

Wiki

body

Talks about price per dose

DRUG_DOSAGE

1

Wiki

body

Mentions an E.D. drug

DRUG_ED_CAPS

2.799 / 1.023 / 2.516 / 0.936

Wiki

body

Mentions Generic Viagra

DRUG_ED_GENERIC

1

Wiki

body

Fast Viagra Delivery

DRUG_ED_ONLINE

0.696 / 1.152 / 1.221 / 0.608

Wiki

body

Talks about an E.D. drug using its chemical name

DRUG_ED_SILD

0.001 / 0.170 / 0.113 / 1.794

Wiki

body

Two or more drugs crammed together into one word

DRUGS_SMEAR1

3.300 / 2.051 / 3.148 / 0.235

Wiki

body

Message puts emphasis on the watch manufacturer

EM_ROLEX

0.595 / 1.309 / 2.068 / 0.618

Wiki

body

Body contains a ROT13-encoded email address

EMAIL_ROT13

1

Wiki

body

Claims you wanted this ad

EXCUSE_24

2.799

Wiki

body

Claims you can be removed from the list

EXCUSE_4

2.399 / 1.687 / 2.399 / 1.325

Wiki

body

Talks about how to be removed from mailings

EXCUSE_REMOVE

2.907 / 2.992 / 3.299 / 3.299

Wiki

body

Add / Gain inches

FB_ADD_INCHES

1

Wiki

body

It's almost sex, but not!

FB_ALMOST_SEX

1

Wiki

body

Broken AnaTrim phrase.

FB_ANA_TRIM

1

Wiki

body

Phrase: A_U_N_I

FB_ANUI

1

Wiki

body

Phrase: [BM]Illi0n

FB_BILLI0N

1

Wiki

body

Phrase: C0mpany

FB_C0MPANY

1

Wiki

body

Phrase: can last longer

FB_CAN_LONGER

1

Wiki

body

Uses a mis-spelled version of cialis.

FB_CIALIS_LEO3

1.688 / 3.055 / 2.465 / 3.245

Wiki

body

Looks like double 0 words

FB_DOUBLE_0WORDS

1

Wiki

body

Phrase: email hier

FB_EMAIL_HIER

1

Wiki

body

Phrase: extra inches

FB_EXTRA_INCHES

0.289 / 0.000 / 2.603 / 0.001

Wiki

body

Looks like numbers with O's insted of 0's

FB_FAKE_NUMBERS

1

Wiki

body

Looks like fake numbers (4)

FB_FAKE_NUMS4

1

Wiki

body

Phrase: Farmacy

FB_FHARMACY

1

Wiki

body

Phrase: forward look with 0's

FB_FORWARD_LOOK

1

Wiki

body

Too much spacing in Address

FB_GAPPY_ADDRESS

1

Wiki

body

Looks like trying to sell meds

FB_GET_MEDS

2.314 / 2.027 / 1.195 / 0.935

Wiki

body

Looks like generic viagra

FB_GVR

2.340 / 0.691 / 2.568 / 2.301

Wiki

body

Phrase hey bro,

FB_HEY_BRO_COMMA

1

Wiki

body

Phrase: HGH

FB_HG_H_CAP

1

Wiki

body

Phrase (dollar) x home loan

FB_HOMELOAN

1

Wiki

body

Phrase: impress ... girl

FB_IMPRESS_GIRL

1

Wiki

body

Phrase: Increase your energy

FB_INCREASE_YOUR

2.699 / 2.700 / 2.335 / 2.343

Wiki

body

Phrase: independent reward

FB_INDEPEND_RWD

2.799

Wiki

body

Phrase: L0an

FB_L0AN

1

Wiki

body

Special people leave special signs!

FB_LETTERS_21B

1

Wiki

body

Phrase: LOSE WEIGHT

FB_LOSE_WEIGHT_CAP

0.001 / 0.001 / 2.187 / 0.001

Wiki

body

Phrase: lower your monthly payments

FB_LOWER_PAYM

1

Wiki

body

Phrase: more size

FB_MORE_SIZE

1

Wiki

body

Phrase: no prescription needed.

FB_NO_SCRIP_NEEDED

1.656 / 1.469 / 2.133 / 0.922

Wiki

body

Looks like a fake phone number (1)

FB_NOT_PHONE_NUM1

1

Wiki

body

Looks like a fake phone number (3)

FB_NOT_PHONE_NUM3

1

Wiki

body

Looks like school but it's not!

FB_NOT_SCHOOL

1

Wiki

body

Speaks of teenager.

FB_NUMYO

1

Wiki

body

Speaks of 20+ year old.

FB_NUMYO2

1

Wiki

body

Looks like money but has odd spacing.

FB_ODD_SPACED_MONEY

1

Wiki

body

Mis-spelled online

FB_ONIINE

1

Wiki

body

Phrase: p1ll

FB_P1LL

1

Wiki

body

Phrase: penis growth

FB_PENIS_GROWTH

1

Wiki

body

Looks like illion, but it's not

FB_PIPE_ILLION

1

Wiki

body

Phrase: Dollar, with pipes or 0's.

FB_PIPEDOLLAR

1

Wiki

body

Talks about prolonged hardness

FB_PROLONGED_HARD

1

Wiki

body

Phrase: quality replica

FB_QUALITY_REPLICA

3.313 / 3.149 / 2.005 / 2.308

Wiki

body

Looks like refi.

FB_RE_FI

1

Wiki

body

Refcode with spacing

FB_REF_CODE_SPACE

1

Wiki

body

Phrase: REPLICA

FB_REPLIC_CAP

1

Wiki

body

Phrase: Replica Rolex

FB_REPLICA_ROLEX

1.674 / 0.710 / 1.115 / 3.175

Wiki

body

Phrase: Roller is th

FB_ROLLER_IS_T

1

Wiki

body

Phrase: rolx

FB_ROLX

1

Wiki

body

Phrase: save ... prescription.

FB_SAVE_PERSC

2.799 / 0.367 / 1.864 / 1.492

Wiki

body

Phrase: Softabs

FB_SOFTTABS

2.887 / 3.174 / 3.378 / 1.584

Wiki

body

Phrase: F R E E

FB_SPACED_FREE

2.499 / 2.499 / 2.203 / 0.395

Wiki

body

Phone number with -- spacing. (B)

FB_SPACED_PHN_3B

0.001

Wiki

body

Looks like a s p a c e d zipcode.

FB_SPACEY_ZIP

1

Wiki

body

Phrase: SPUR-M

FB_SPUR_M

1

Wiki

body

Phrase: ssex

FB_SSEX

1

Wiki

body

Looks like stocks exploding.

FB_STOCK_EXPLODE

1

Wiki

body

Mis-spelled symbol.

FB_SYMBLO

1

Wiki

body

Phrase: this advertiser

FB_THIS_ADVERT

3.599 / 3.600 / 2.999 / 3.599

Wiki

body

Phrase: thousand personal

FB_THOUS_PERSONAL

1

Wiki

body

Phrase: to stop further distribution

FB_TO_STOP_DISTRO

3.399

Wiki

body

Phrase: Ultra Allure

FB_ULTRA_ALLURE

2.352 / 1.074 / 2.334 / 0.829

Wiki

body

Phrase: lock to your girlfriend

FB_UNLOCK_YOUR_G

1

Wiki

body

Pattern Replacement PROV_D

FB_UNRESOLV_PROV

1

Wiki

body

Phrase: Your refi

FB_YOUR_REFI

1

Wiki

body

Phrase: yourself master

FB_YOURSELF_MASTER

1

Wiki

body

Fill in a form with personal information

FILL_THIS_FORM_LONG

3.800 / 3.476 / 2.300 / 3.404

Wiki

body

Freedom of a financial nature

FIN_FREE

2.699 / 2.289 / 2.699 / 2.700

Wiki

body

Stock Disclaimer Statement

FORWARD_LOOKING

1

Wiki

body

Possible porn - Free Porn

FREE_PORN

1

Wiki

body

Free express or no-obligation quote

FREE_QUOTE_INSTANT

2.700 / 2.699 / 2.699 / 1.297

Wiki

body

ReplaceTags: Adobe

FRT_ADOBE2

0.001 / 1.099 / 0.221 / 0.877

Wiki

body

ReplaceTags: Approve

FRT_APPROV

2.499

Wiki

body

ReplaceTags: Bigger / Larger, Penis / Member

FRT_BIGGERMEM1

2.523 / 0.146 / 2.372 / 1.758

Wiki

body

ReplaceTags: Diploma

FRT_DIPLOMA

0.000 / 1.548 / 0.787 / 1.599

Wiki

body

ReplaceTags: Discount

FRT_DISCOUNT

1

Wiki

body

ReplaceTags: Dollar

FRT_DOLLAR

1

Wiki

body

ReplaceTags: Establish (2)

FRT_ESTABLISH2

1

Wiki

body

ReplaceTags: Fuck (2)

FRT_FUCK2

1

Wiki

body

ReplaceTags: Guarantee (1)

FRT_GUARANTEE1

1

Wiki

body

ReplaceTags: Investor

FRT_INVESTOR

1

Wiki

body

ReplaceTags: Levitra

FRT_LEVITRA

1

Wiki

body

ReplaceTags: Meeting

FRT_MEETING

1

Wiki

body

ReplaceTags: Offer (2)

FRT_OFFER2

1.681 / 1.109 / 2.048 / 0.926

Wiki

body

ReplaceTags: Oppertun (2)

FRT_OPPORTUN2

1

Wiki

body

ReplaceTags: Penis

FRT_PENIS1

2.299 / 2.293 / 1.029 / 0.731

Wiki

body

ReplaceTags: Pharmac

FRT_PHARMAC

1

Wiki

body

ReplaceTags: Price

FRT_PRICE

0.001

Wiki

body

ReplaceTags: Refinance (1)

FRT_REFINANCE1

1

Wiki

body

ReplaceTags: Rolex

FRT_ROLEX

2.699 / 2.183 / 1.440 / 2.699

Wiki

body

ReplaceTags: Sexual

FRT_SEXUAL

1

Wiki

body

ReplaceTags: Soma

FRT_SOMA

0.000 / 3.280 / 2.099 / 2.871

Wiki

body

ReplaceTags: Soma (2)

FRT_SOMA2

0.001 / 0.001 / 0.001 / 0.001

Wiki

body

ReplaceTags: Strong (1)

FRT_STRONG1

1

Wiki

body

ReplaceTags: Strong (2)

FRT_STRONG2

1

Wiki

body

ReplaceTags: Symbol

FRT_SYMBOL

1

Wiki

body

ReplaceTags: Today (2)

FRT_TODAY2

0.480 / 0.693 / 1.988 / 0.905

Wiki

body

ReplaceTags: Valium

FRT_VALIUM1

1

Wiki

body

ReplaceTags: Valium (2)

FRT_VALIUM2

1

Wiki

body

ReplaceTags: Weight (2)

FRT_WEIGHT2

1

Wiki

body

ReplaceTags: Xanax (1)

FRT_XANAX1

1

Wiki

body

ReplaceTags: Xanax (2)

FRT_XANAX2

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_AFFORDABLE

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_AMBIEN

2.199 / 1.851 / 0.925 / 0.552

Wiki

body

Attempt to obfuscate words in spam

FUZZY_BILLION

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_CPILL

0.001 / 0.001 / 0.001 / 0.001

Wiki

body

Attempt to obfuscate words in spam

FUZZY_CREDIT

1.699 / 1.413 / 0.601 / 1.678

Wiki

body

Attempt to obfuscate words in spam

FUZZY_ERECT

2.356 / 1.306 / 2.360 / 1.859

Wiki

body

Attempt to obfuscate words in spam

FUZZY_GUARANTEE

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_MEDICATION

1

Wiki

body

/<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i

FUZZY_MERIDIA

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_MILLION

2.599 / 2.599 / 1.659 / 2.505

Wiki

body

Attempt to obfuscate words in spam

FUZZY_MONEY

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_MORTGAGE

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_OBLIGATION

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_OFFERS

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_PHARMACY

2.960 / 3.299 / 1.967 / 1.353

Wiki

body

Attempt to obfuscate words in spam

FUZZY_PHENT

2.799 / 1.647 / 1.540 / 2.662

Wiki

body

Attempt to obfuscate words in spam

FUZZY_PRESCRIPT

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_PRICES

1.821 / 0.720 / 2.210 / 2.311

Wiki

body

Attempt to obfuscate words in spam

FUZZY_REFINANCE

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_REMOVE

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_ROLEX

3.399 / 1.038 / 3.399 / 1.964

Wiki

body

Attempt to obfuscate words in spam

FUZZY_SOFTWARE

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_THOUSANDS

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_VIOXX

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_VLIUM

1

Wiki

body

Attempt to obfuscate words in spam

FUZZY_VPILL

0.001 / 0.494 / 0.796 / 1.014

Wiki

body

Attempt to obfuscate words in spam

FUZZY_XPILL

2.202 / 1.752 / 2.799 / 2.799

Wiki

body

Generic Test for Unsolicited Bulk Email

GTUBE

1.000.000

Wiki

body

One hundred percent guaranteed

GUARANTEED_100_PERCENT

2.699 / 2.699 / 2.480 / 2.699

Wiki

body

/\bnext of kin\b/i

HK_SCAM_N2

1

Wiki

body

Somebody has uploaded some new software for you

HS_BODY_UPLOADED_SOFTWARE

1

Wiki

body

Contains a drug and price-like pattern.

HS_DRUG_DOLLAR_1

0.001

Wiki

body

Contains a drug and price-like pattern.

HS_DRUG_DOLLAR_2

0.001

Wiki

body

Contains a drug and price-like pattern.

HS_DRUG_DOLLAR_3

0.001

Wiki

body

Talks about meeting up for sex.

HS_MEETUP_FOR_SEX

1

Wiki

body

Contains VPXL, yet the recommended dose is only 2 tablets.

HS_VPXL

3.211 / 1.399 / 2.696 / 1.948

Wiki

body

HTML message is 40% to 50% bad tags

HTML_BADTAG_40_50

1

Wiki

body

HTML message is 50% to 60% bad tags

HTML_BADTAG_50_60

1

Wiki

body

HTML message is 60% to 70% bad tags

HTML_BADTAG_60_70

1

Wiki

body

HTML message is 90% to 100% bad tags

HTML_BADTAG_90_100

1

Wiki

body

HTML message is a saved web page

HTML_COMMENT_SAVED_URL

0.198 / 0.357 / 0.899 / 1.391

Wiki

body

HTML comment is very short

HTML_COMMENT_SHORT

1

Wiki

body

HTML with embedded plugin object

HTML_EMBEDS

0.001 / 0.001 / 1.171 / 1.799

Wiki

body

HTML contains far too many close tags

HTML_EXTRA_CLOSE

0.001

Wiki

body

HTML font face is not a word

HTML_FONT_FACE_BAD

0.001 / 0.289 / 0.286 / 0.981

Wiki

body

HTML font color similar to background

HTML_FONT_LOW_CONTRAST

0.713 / 0.001 / 0.786 / 0.001

Wiki

body

HTML font size is huge

HTML_FONT_SIZE_HUGE

0.001

Wiki

body

HTML font size is large

HTML_FONT_SIZE_LARGE

0.001

Wiki

body

HTML includes a form which sends mail

HTML_FORMACTION_MAILTO

1

Wiki

body

Message has HTML IFRAME tag with SRC URI

HTML_IFRAME_SRC

1

Wiki

body

HTML: images with 0-400 bytes of words

HTML_IMAGE_ONLY_04

1.680 / 0.342 / 1.799 / 1.172

Wiki

body

HTML: images with 400-800 bytes of words

HTML_IMAGE_ONLY_08

0.585 / 1.781 / 1.845 / 1.651

Wiki

body

HTML: images with 800-1200 bytes of words

HTML_IMAGE_ONLY_12

1.381 / 1.629 / 1.400 / 2.059

Wiki

body

HTML: images with 1200-1600 bytes of words

HTML_IMAGE_ONLY_16

1.969 / 1.048 / 1.199 / 1.092

Wiki

body

HTML: images with 1600-2000 bytes of words

HTML_IMAGE_ONLY_20

2.109 / 0.700 / 1.300 / 1.546

Wiki

body

HTML: images with 2000-2400 bytes of words

HTML_IMAGE_ONLY_24

2.799 / 1.282 / 1.328 / 1.618

Wiki

body

HTML: images with 2400-2800 bytes of words

HTML_IMAGE_ONLY_28

2.799 / 0.726 / 1.512 / 1.404

Wiki

body

HTML: images with 2800-3200 bytes of words

HTML_IMAGE_ONLY_32

2.196 / 0.001 / 1.172 / 0.001

Wiki

body

HTML has a low ratio of text to image area

HTML_IMAGE_RATIO_02

2.199 / 0.805 / 1.200 / 0.437

Wiki

body

HTML has a low ratio of text to image area

HTML_IMAGE_RATIO_04

2.089 / 0.610 / 0.607 / 0.556

Wiki

body

HTML has a low ratio of text to image area

HTML_IMAGE_RATIO_06

0.001 / 0.001 / 0.001 / 0.001

Wiki

body

HTML has a low ratio of text to image area

HTML_IMAGE_RATIO_08

0.001 / 0.001 / 0.001 / 0.001

Wiki

body

HTML included in message

HTML_MESSAGE

0.001

Wiki

body

30% to 40% of HTML elements are non-standard

HTML_NONELEMENT_30_40

0.000 / 0.001 / 0.308 / 0.001

Wiki

body

40% to 50% of HTML elements are non-standard

HTML_NONELEMENT_40_50

1

Wiki

body

60% to 70% of HTML elements are non-standard

HTML_NONELEMENT_60_70

1

Wiki

body

80% to 90% of HTML elements are non-standard

HTML_NONELEMENT_80_90

1

Wiki

body

Message is 5% to 10% HTML obfuscation

HTML_OBFUSCATE_05_10

0.601 / 0.001 / 0.718 / 0.260

Wiki

body

Message is 10% to 20% HTML obfuscation

HTML_OBFUSCATE_10_20

0.174 / 1.162 / 0.588 / 0.093

Wiki

body

Message is 20% to 30% HTML obfuscation

HTML_OBFUSCATE_20_30

2.499 / 2.441 / 1.449 / 1.999

Wiki

body

Message is 30% to 40% HTML obfuscation

HTML_OBFUSCATE_30_40

1

Wiki

body

Message is 50% to 60% HTML obfuscation

HTML_OBFUSCATE_50_60

1

Wiki

body

Message is 70% to 80% HTML obfuscation

HTML_OBFUSCATE_70_80

1

Wiki

body

Message is 90% to 100% HTML obfuscation

HTML_OBFUSCATE_90_100

1

Wiki

body

HTML has unbalanced "body" tags

HTML_TAG_BALANCE_BODY

1.247 / 0.712 / 0.628 / 1.157

Wiki

body

HTML has unbalanced "head" tags

HTML_TAG_BALANCE_HEAD

0.520 / 0.000 / 0.600 / 0.817

Wiki

body

HTML has "bgsound" tag

HTML_TAG_EXIST_BGSOUND

1

Wiki

body

eval:check_https_http_mismatch('1','10')

HTTPS_HTTP_MISMATCH

0.557 / 0.000 / 1.778 / 1.989

Wiki

body

IP to HTTPS link found in HTML

HTTPS_IP_MISMATCH

1

Wiki

body

Impotence cure

IMPOTENCE

1.539 / 2.144 / 3.028 / 1.374

Wiki

body

Message mentions investment advice

INVESTMENT_ADVICE

0.200 / 2.160 / 2.199 / 2.199

Wiki

body

Join Millions of Americans

JOIN_MILLIONS

0.700 / 0.128 / 1.549 / 1.026

Wiki

body

Possible porn - Live Porn

LIVE_PORN

1

Wiki

body

/long\W+term\W+(target| projected)(\W+price)?/i

LONG_TERM_PRICE

0.001

Wiki

body

A loop hole in the banking laws?

LOOPHOLE_1

1

Wiki

body

Claims Agent

LOTTO_AGENT

1

Wiki

body

Lowest Price

LOW_PRICE

0.161 / 0.600 / 0.001 / 1.464

Wiki

body

Message talks about enhancing men

MALE_ENHANCE

3.100 / 3.099 / 3.099 / 0.851

Wiki

body

Claims you registered with a partner

MARKETING_PARTNERS

0.553 / 0.235 / 0.689 / 0.001

Wiki

body

Message includes Microsoft executable program

MICROSOFT_EXECUTABLE

0.1

Wiki

body

Talks about millions of dollars

MILLION_USD

3.799 / 2.477 / 3.221 / 3.247

Wiki

body

MIME character set is an unknown ISO charset

MIME_BAD_ISO_CHARSET

1

Wiki

body

Multipart message mostly text/html MIME

MIME_HTML_MOSTLY

0.354 / 0.001 / 0.725 / 0.428

Wiki

body

Message only has text/html MIME parts

MIME_HTML_ONLY

2.199 / 1.105 / 1.199 / 0.723

Wiki

body

MIME filename does not match content

MIME_SUSPECT_NAME

0.1

Wiki

body

Missing blank line between MIME header and body

MISSING_MIME_HB_SEP

0.001 / 0.001 / 0.001 / 0.001

Wiki

body

Money back guarantee

MONEY_BACK

2.910 / 2.486 / 0.601 / 1.232

Wiki

body

Talks about a bigger drive for sex

MORE_SEX

2.799 / 2.765 / 2.568 / 1.413

Wiki

body

HTML and text parts are different

MPART_ALT_DIFF

2.246 / 0.724 / 0.595 / 0.790

Wiki

body

HTML and text parts are different

MPART_ALT_DIFF_COUNT

2.799 / 1.483 / 1.199 / 1.112

Wiki

body

eval:check_ma_non_text()

MULTIPART_ALT_NON_TEXT

1

Wiki

body

Talks about a million North American dollars

NA_DOLLARS

3.599

Wiki

body

No Medical Exams

NO_MEDICAL

2.199 / 1.254 / 2.199 / 1.773

Wiki

body

No prescription needed

NO_PRESCRIPTION

1.915 / 1.102 / 2.280 / 2.399

Wiki

body

Not registered investment advisor

NOT_ADVISOR

1

Wiki

body

Message seems to contain rot13ed address

OBSCURED_EMAIL

1

Wiki

body

One Time Rip Off

ONE_TIME

1.840 / 1.175 / 1.830 / 0.714

Wiki

body

Online Pharmacy

ONLINE_PHARMACY

0.843 / 2.371 / 0.008 / 0.650

Wiki

body

'Prestigious Non-Accredited Universities'

PREST_NON_ACCREDITED

1

Wiki

body

Message says that prices aren't too expensive

PRICES_ARE_AFFORDABLE

0.794 / 0.851 / 1.112 / 0.551

Wiki

body

Home refinancing

REFINANCE_NOW

1

Wiki

body

Home refinancing

REFINANCE_YOUR_HOME

1

Wiki

body

Removal phrase right before a link

REMOVE_BEFORE_LINK

0.406 / 1.587 / 1.799 / 1.800

Wiki

body

Message talks about a replica watch

REPLICA_WATCH

3.487 / 3.164 / 4.074 / 3.775

Wiki

body

Email.Spam.Gen3177.Sanesecurity.08051611

SANE_04e8bf28eb445199a7f11b943c44d209

1.712 / 3.185 / 2.654 / 1.337

Wiki

body

Email.Spam.Gen3234.Sanesecurity.08052309

SANE_1c4f3286fa4aed6424ced88bfaf8b09c

3.199 / 2.040 / 3.199 / 1.502

Wiki

body

Email.Spam.Sanesecurity.Url_2496

SANE_2b173a7fb7518c75ac8a2d294d773fd8

2.976 / 1.117 / 1.951 / 0.942

Wiki

body

Email.Spam.Gen158.Sanesecurity.07012700

SANE_3b92eda751c992f230f215fb7eb36844

0.001 / 0.626 / 0.585 / 3.040

Wiki

body

Email.Spam.Gen1941.Sanesecurity.07112519

SANE_4ef8302546bf270a19baf98508afacc4

2.231 / 3.464 / 2.266 / 3.543

Wiki

body

Email.Spam.Gen2507.Sanesecurity.08021303

SANE_7429530a7398f43f1f1b795f9420714e

3.999 / 1.655 / 2.776 / 1.479

Wiki

body

Email.Malware.Sanesecurity.07011300

SANE_91eb43f705d25c804374a746d7519660

3.099 / 2.803 / 2.746 / 1.572

Wiki

body

Email.Spam.Sanesecurity.Url_2499

SANE_d0d2b0f6373bf91253d66dd74c594b87

3.799 / 2.040 / 2.710 / 1.494

Wiki

body

/short\W+term\W+(target|projected)(\W+price)?/i

SHORT_TERM_PRICE

0.001

Wiki

body

Offers a alert about a stock

STOCK_ALERT

1

Wiki

body

Tells you about a strong buy

STRONG_BUY

1

Wiki

body

Incorporates a tracking ID number

TRACKER_ID

2.026 / 1.102 / 1.750 / 1.306

Wiki

body

/\bact of (?:193|nineteen thirty)/i

TVD_ACT_193

1

Wiki

body

/you.{1,2}re .{0,20}approved/i

TVD_APPROVED

2.356 / 2.599 / 2.599 / 2.090

Wiki

body

/^dear homeowner/i

TVD_DEAR_HOMEOWNER

1

Wiki

body

/<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i

TVD_FUZZY_DEGREE

1

Wiki

body

/(?!finance)<F><I><N><A><N><C><E>/i

TVD_FUZZY_FINANCE

1

Wiki

body

/<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i

TVD_FUZZY_FIXED_RATE

1

Wiki

body

/<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i

TVD_FUZZY_MICROCAP

1

Wiki

body

/<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i

TVD_FUZZY_PHARMACEUTICAL

1

Wiki

body

/<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i

TVD_FUZZY_SYMBOL

1

Wiki

body

/\bsize of .{1,20}(?:penis|dick|manhood)/i

TVD_INCREASE_SIZE

1.529 / 0.601 / 1.055 / 0.001

Wiki

body

/\blink to save\b/i

TVD_LINK_SAVE

1

Wiki

body

/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i

TVD_PH_BODY_ACCOUNTS_PRE

1.201 / 1.527 / 1.327 / 2.393

Wiki

body

Message has a phrase standard for phishing mails

TVD_PH_REC

3.127 / 2.026 / 3.266 / 1.784

Wiki

body

Message has a phrase standard for phishing mails

TVD_PH_SEC

0.291 / 1.498 / 0.869 / 1.764

Wiki

body

/\bquality med(?:ication)?s\b/i

TVD_QUAL_MEDS

2.697 / 2.397 / 2.799 / 2.483

Wiki

body

/\bSection (?:27A|21B)/i

TVD_SECTION

1

Wiki

body

m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i

TVD_SILLY_URI_OBFU

1

Wiki

body

eval:check_stock_info('2')

TVD_STOCK1

1

Wiki

body

/Online Ph.rmacy/i

TVD_VISIT_PHARMA

1.957 / 1.196 / 0.417 / 1.406

Wiki

body

People just leave money laying around

UNCLAIMED_MONEY

2.699 / 2.699 / 2.699 / 2.427

Wiki

body

Message written in an undesired language

UNWANTED_LANGUAGE_BODY

2.800

Wiki

body

Contains urgent matter

URG_BIZ

1.750 / 0.941 / 0.568 / 0.573

Wiki

body

Obfuscated URI

URI_OBFU_WWW

3.099 / 3.099 / 2.306 / 2.475

Wiki

body

Message contained a URI which was truncated

URI_TRUNCATED

0.001

Wiki

body

Contains an URL listed in the AB SURBL blocklist

URIBL_AB_SURBL

0 / 4.499 / 0 / 4.499

Wiki

body

Contains an URL listed in the URIBL blacklist

URIBL_BLACK

0 / 1.775 / 0 / 1.725

Wiki

body

Contains an URL listed in the URIBL greylist

URIBL_GREY

0 / 1.084 / 0 / 0.424

Wiki

body

Contains an URL listed in the JP SURBL blocklist

URIBL_JP_SURBL

0 / 1.948 / 0 / 1.250

Wiki

body

Contains an URL listed in the OB SURBL blocklist

URIBL_OB_SURBL

0 / 0.785 / 0 / 0.122

Wiki

body

Contains an URL listed in the PH SURBL blocklist

URIBL_PH_SURBL

0 / 0.001 / 0 / 0.610

Wiki

body

Contains an URL listed in the URIBL redlist

URIBL_RED

0.001

Wiki

body

Contains an URI of a new domain (Day Old Bread)

URIBL_RHS_DOB

0 / 0.276 / 0 / 1.514

Wiki

body

Contains an URL listed in the SBL blocklist

URIBL_SBL

0 / 0.644 / 0 / 1.623

Wiki

body

Contains an URL listed in the SC SURBL blocklist

URIBL_SC_SURBL

0 / 0.001 / 0 / 0.568

Wiki

body

Contains an URL listed in the WS SURBL blocklist

URIBL_WS_SURBL

0 / 1.659 / 0 / 1.608

Wiki

body

Mentions millions of $ ($NN,NNN,NNN.NN)

US_DOLLARS_3

2.599 / 2.523 / 1.780 / 1.754

Wiki

body

Attempts to disguise the word 'viagra'

VIA_GAP_GRA

1

Wiki

body

Weird repeated double-quotation marks

WEIRD_QUOTING

0.001 / 0.001 / 0.001 / 0.001

Wiki

full

Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

DCC_CHECK

0 / 1.1 / 0 / 1.1

Wiki

full

DCC reputation between 0 and 12 % (mostly ham)

DCC_REPUT_00_12

0 / -0.8 / 0 / -0.4

Wiki

full

eval:check_dcc_reputation_range(13,19)

DCC_REPUT_13_19

0 / -0.1 / 0 / -0.1

Wiki

full

DCC reputation between 70 and 89 %

DCC_REPUT_70_89

0 / 0.1 / 0 / 0.1

Wiki

full

DCC reputation between 90 and 94 %

DCC_REPUT_90_94

0 / 0.4 / 0 / 0.6

Wiki

full

DCC reputation between 95 and 98 % (mostly spam)

DCC_REPUT_95_98

0 / 0.7 / 0 / 1.0

Wiki

full

DCC reputation between 99 % or higher (spam)

DCC_REPUT_99_100

0 / 1.2 / 0 / 1.4

Wiki

full

Message has a DKIM or DK signature, not necessarily valid

DKIM_SIGNED

0.1

Wiki

full

Message has at least one valid DKIM or DK signature

DKIM_VALID

-0.1

Wiki

full

Message has a valid DKIM or DK signature from author's domain

DKIM_VALID_AU

-0.1

Wiki

full

eval:check_dkim_valid()

DKIM_VERIFIED

1

Wiki

full

Message has NUL (ASCII 0) byte in message

NULL_IN_BODY

0.511 / 0.498 / 2.056 / 1.596

Wiki

full

Listed in Pyzor (http://pyzor.sf.net/)

PYZOR_CHECK

0 / 1.985 / 0 / 1.392

Wiki

full

Razor2 gives confidence level above 50%

RAZOR2_CF_RANGE_51_100

0 / 0.365 / 0 / 0.500

Wiki

full

Razor2 gives engine 4 confidence level above 50%

RAZOR2_CF_RANGE_E4_51_100

0 / 0.467 / 0 / 0.642

Wiki

full

Razor2 gives engine 8 confidence level above 50%

RAZOR2_CF_RANGE_E8_51_100

0 / 2.430 / 0 / 1.886

Wiki

full

Listed in Razor2 (http://razor.sf.net/)

RAZOR2_CHECK

0 / 1.729 / 0 / 0.922

Wiki

header

Message would have been caught by accessdb

ACCESSDB

1

Wiki

header

Passed through trusted hosts only via SMTP

ALL_TRUSTED

-1.000

Wiki

header

From address contains an apostrophe

APOSTROPHE_FROM

0.148 / 0.786 / 0.651 / 0.545

Wiki

header

From: address is in the auto white-list

AWL

1

Wiki

header

HELO from home - untrusted

AXB_HELO_HOME_UN

1

Wiki

header

Nebbiolo fingerprint

AXB_XM_SENDMAIL_NOT

1

Wiki

header

Barbera Fingerprint

AXB_XMID_1212

1

Wiki

header

Brunello Fingerprint

AXB_XMID_1510

1

Wiki

header

Amarone Fingerprint

AXB_XMID_OEGOESNULL

1

Wiki

header

Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/

AXB_XR_STULDAP

1

Wiki

header

Message has bad MIME encoding in the header

BAD_ENC_HEADER

3.099 / 1.716 / 1.805 / 1.988

Wiki

header

Date =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}/

BUG6152_INVALID_DATE_TZ_ABSURD

1.802 / 1.448 / 0.024 / 0.766

Wiki

header

A foreign language charset used in headers

CHARSET_FARAWAY_HEADER

3.200

Wiki

header

Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/

CTYPE_001C_B

0.001 / 0.001 / 0.001 / 0.001

Wiki

header

Date: is 3 to 6 hours after Received: date

DATE_IN_FUTURE_03_06

3.399 / 2.426 / 2.997 / 3.027

Wiki

header

Date: is 6 to 12 hours after Received: date

DATE_IN_FUTURE_06_12

2.899 / 0.001 / 2.222 / 1.947

Wiki

header

Date: is 12 to 24 hours after Received: date

DATE_IN_FUTURE_12_24

2.603 / 2.489 / 3.199 / 3.199

Wiki

header

Date: is 24 to 48 hours after Received: date

DATE_IN_FUTURE_24_48

2.598 / 1.248 / 0.001 / 2.048

Wiki

header

Date: is 48 to 96 hours after Received: date

DATE_IN_FUTURE_48_96

2.384 / 0.813 / 1.078 / 2.181

Wiki

header

Date: is 96 hours or more after Received: date

DATE_IN_FUTURE_96_XX

2.614 / 3.028 / 2.851 / 3.087

Wiki

header

Date: is 3 to 6 hours before Received: date

DATE_IN_PAST_03_06

2.399 / 1.076 / 1.200 / 1.592

Wiki

header

Date: is 6 to 12 hours before Received: date

DATE_IN_PAST_06_12

1.699 / 1.103 / 1.274 / 1.543

Wiki

header

Date: is 12 to 24 hours before Received: date

DATE_IN_PAST_12_24

0.001 / 0.804 / 1.190 / 1.049

Wiki

header

Date: is 24 to 48 hours before Received: date

DATE_IN_PAST_24_48

1.109 / 0.485 / 0.624 / 1.340

Wiki

header

Date: is 96 hours or more before Received: date

DATE_IN_PAST_96_XX

2.600 / 2.070 / 1.233 / 3.405

Wiki

header

Date header uses unusual Y2K formatting

DATE_SPAMWARE_Y2K

1

Wiki

header

No valid author signature, domain signs all mail

DKIM_ADSP_ALL

0 / 1.1 / 0 / 0.8

Wiki

header

No valid author signature, adsp_override is CUSTOM_HIGH

DKIM_ADSP_CUSTOM_HIGH

0.001

Wiki

header

No valid author signature, adsp_override is CUSTOM_LOW

DKIM_ADSP_CUSTOM_LOW

0.001

Wiki

header

No valid author signature, adsp_override is CUSTOM_MED

DKIM_ADSP_CUSTOM_MED

0.001

Wiki

header

No valid author signature, domain signs all mail and suggests discarding the rest

DKIM_ADSP_DISCARD

0 / 1.8 / 0 / 1.8

Wiki

header

No valid author signature and domain not in DNS

DKIM_ADSP_NXDOMAIN

0 / 0.8 / 0 / 0.9

Wiki

header

eval:check_dkim_signall()

DKIM_POLICY_SIGNALL

1

Wiki

header

eval:check_dkim_signsome()

DKIM_POLICY_SIGNSOME

1

Wiki

header

eval:check_dkim_testing()

DKIM_POLICY_TESTING

1

Wiki

header

Envelope sender listed in dnsbl.ahbl.org

DNS_FROM_AHBL_RHSBL

0 / 2.438 / 0 / 2.699

Wiki

header

Envelope sender in bogusmx.rfc-ignorant.org

DNS_FROM_RFC_BOGUSMX

0 / 1.464 / 0 / 1.668

Wiki

header

Envelope sender in dsn.rfc-ignorant.org

DNS_FROM_RFC_DSN

0 / 0.001 / 0 / 0.001

Wiki

header

X-mailer pattern common to anal porn site spam

DOS_ANAL_SPAM_MAILER

1

Wiki

header

Received from the same IP twice in a row (only one external relay; empty or IP helo)

DOS_RCVD_IP_TWICE_C

2.599 / 2.060 / 3.292 / 0.096

Wiki

header

Subject =~ /\bhoodia\b/i

DRUGS_HDIA

1

Wiki

header

Subject contains an English UCE tag

ENGLISH_UCE_SUBJECT

0.953 / 1.542 / 2.569 / 2.899

Wiki

header

Header has extraneous Content-type:...type= entry

EXTRA_MPART_TYPE

1.0

Wiki

header

Relay HELO'd with suspicious hostname (mail.com)

FAKE_HELO_MAIL_COM_DOM

1.887 / 0.152 / 1.370 / 2.136

Wiki

header

Received header contains faked 'mr.outblaze.com'

FAKE_OUTBLAZE_RCVD

1

Wiki

header

Bad X-Mailer version

FH_BAD_OEV1441

1

Wiki

header

The date is not 19xx.

FH_DATE_IS_19XX

0.000 / 1.598 / 2.373 / 0.277

Wiki

header

RCVD line looks faked (A)

FH_FAKE_RCVD_LINE

2.167 / 1.431 / 2.525 / 1.778

Wiki

header

RCVD line looks faked (B)

FH_FAKE_RCVD_LINE_B

4.000 / 3.372 / 3.999 / 3.999

Wiki

header

From name has "cash"

FH_FROM_CASH

2.599 / 2.436 / 2.599 / 1.739

Wiki

header

From name says Get

FH_FROM_GET_NAME

2.699

Wiki

header

From name is giveaway.

FH_FROM_GIVEAWAY

2.599 / 1.817 / 1.810 / 1.655

Wiki

header

From has Hoodia!!?

FH_FROM_HOODIA

1

Wiki

header

E-mail address doesn't have TLD (.com, etc.)

FH_FROMEML_NOTLD

1.708 / 0.180 / 0.975 / 1.082

Wiki

header

Has X-AIMC-AUTH header

FH_HAS_XAIMC

1.602 / 1.899 / 0.561 / 1.899

Wiki

header

Has X-ID

FH_HAS_XID

3.299 / 3.215 / 3.003 / 1.782

Wiki

header

Helo is almost an IP addr.

FH_HELO_ALMOST_IP

3.699 / 3.268 / 3.457 / 0.688

Wiki

header

Helo ends with a dot.

FH_HELO_ENDS_DOT

1

Wiki

header

Helo is 6-10 hex chr's.

FH_HELO_EQ_610HEX

1

Wiki

header

Helo is d-d-d-d charter.com

FH_HELO_EQ_CHARTER

0.607 / 0.286 / 0.093 / 2.683

Wiki

header

Helo is d-d-d-d

FH_HELO_EQ_D_D_D_D

2.361 / 1.117 / 2.815 / 3.177

Wiki

header

Faked helo of gmail-smtp-in

FH_HELO_GMAILSMTP

1

Wiki

header

Host is dynamicip

FH_HOST_EQ_DYNAMICIP

2.632 / 2.454 / 3.299 / 3.298

Wiki

header

Host is pacbell.net dsl

FH_HOST_EQ_PACBELL_D

0.001 / 0.927 / 0.559 / 1.703

Wiki

header

Host is pool-.+verizon.net

FH_HOST_EQ_VERIZON_P

2.681 / 1.237 / 3.671 / 1.323

Wiki

header

HOST dns says "in-addr.arpa"

FH_HOST_IN_ADDRARPA

3.199 / 2.933 / 2.452 / 2.157

Wiki

header

Special MSGID

FH_MSGID_000000

1

Wiki

header

Special MSGID

FH_MSGID_01C67

1

Wiki

header

MESSAGE ID seen often!!!

FH_MSGID_01C70XXX

1

Wiki

header

Broken Replace Template

FH_MSGID_REPLACE

1

Wiki

header

Common sign in msg-id's 12/21/2006

FH_MSGID_XXBLAH

1

Wiki

header

Message-Id = @xxx

FH_MSGID_XXX

2.399 / 1.632 / 2.376 / 1.482

Wiki

header

Subject is Re: new \d\d\d

FH_RE_NEW_DDD

1

Wiki

header

Broken Replace Template

FH_XMAIL_REPLACE

1

Wiki

header

Looks like Fake Outlook?

FM_XMAIL_F_OUT

1

Wiki

header

hotmail.com 'From' address, but no 'Received:'

FORGED_HOTMAIL_RCVD2

0.001 / 1.187 / 0.698 / 0.874

Wiki

header

X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)|)[^\[]+$/

FORGED_RELAY_MUA_TO_MX

1

Wiki

header

Contains forged hostname for a DSL IP in Brazil

FORGED_TELESP_RCVD

2.499 / 2.499 / 2.499 / 1.841

Wiki

header

'From' yahoo.com does not match 'Received' headers

FORGED_YAHOO_RCVD

2.397 / 1.022 / 2.599 / 1.630

Wiki

header

Partial message

FRAGMENTED_MESSAGE

1

Wiki

header

Envelope-from freemail username ends in digit

FREEMAIL_ENVFROM_END_DIGIT

2.602 / 2.223 / 1.770 / 1.553

Wiki

header

Sender email is freemail

FREEMAIL_FROM

0.001

Wiki

header

Reply-To freemail username ends in digit

FREEMAIL_REPLYTO_END_DIGIT

1.221 / 0.980 / 1.179 / 1.151

Wiki

header

From: contains empty name

FROM_BLANK_NAME

2.099 / 2.099 / 2.099 / 0.723

Wiki

header

From: domain has series of non-vowel letters

FROM_DOMAIN_NOVOWEL

0.500

Wiki

header

From: has too many raw illegal characters

FROM_ILLEGAL_CHARS

2.192 / 2.059 / 0.240 / 0.036

Wiki

header

From: localpart has long digit sequence

FROM_LOCAL_DIGITS

0.001

Wiki

header

From: localpart has long hexadecimal sequence

FROM_LOCAL_HEX

0.000 / 0.331 / 0.001 / 0.006

Wiki

header

From: localpart has series of non-vowel letters

FROM_LOCAL_NOVOWEL

0.500

Wiki

header

From: has no local-part before @ sign

FROM_NO_USER

0.001 / 2.599 / 0.019 / 0.798

Wiki

header

From address is "at something-offers"

FROM_OFFERS

2.699 / 2.699 / 2.510 / 2.699

Wiki

header

From: starts with many numbers

FROM_STARTS_WITH_NUMS

2.801 / 0.553 / 1.201 / 0.738

Wiki

header

Subject has "a bigger"

FS_ABIGGER

1.693 / 1.354 / 2.477 / 1.112

Wiki

header

Subject says approve you

FS_APPROVE_YOU

2.499 / 1.272 / 1.942 / 1.873

Wiki

header

Subject says "At No Cost"

FS_AT_NO_COST

2.499

Wiki

header

Phrase: Cheap in Caps in Subject.

FS_CHEAP_CAP

1

Wiki

header

Subject talks about money bonus!

FS_DOLLAR_BONUS

1

Wiki

header

Phrase: ejaculation in subject.

FS_EJACULA

1

Wiki

header

Phrase: erection in subject.

FS_ERECTION

1

Wiki

header

Phrase: Huge Cock

FS_HUGECOCK

1

Wiki

header

Larger than 100% in subj.

FS_LARGE_PERCENT2

2.645 / 2.699 / 0.001 / 1.960

Wiki

header

Subject says low rates

FS_LOW_RATES

1

Wiki

header

Subj starts with New software uploaded

FS_NEW_SOFT_UPLOAD

1

Wiki

header

Subject looks like Fharmacy spams.

FS_NEW_XXX

1

Wiki

header

Subject almost says No prescription

FS_NO_SCRIP

1

Wiki

header

Subject says Nude

FS_NUDE

2.399 / 1.653 / 1.288 / 1.101

Wiki

header

what could this word be?

FS_OBFU_PRMCY

2.400 / 0.384 / 0.204 / 1.248

Wiki

header

Subject mis-spelled prescription

FS_PERSCRIPTION

1

Wiki

header

Looks like Phramacy subject.

FS_PHARMASUB2

2.980 / 1.345 / 2.956 / 0.549

Wiki

header

Subject says Ramrod

FS_RAMROD

1

Wiki

header

Phrase: re approved

FS_RE_APPROV

1

Wiki

header

Subject says "replica"

FS_REPLICA

1.630 / 3.599 / 2.028 / 3.599

Wiki

header

Subject says Replica watch

FS_REPLICAWATCH

3.237 / 1.715 / 1.733 / 3.015

Wiki

header

Subject starts with Do you dream,have,want,love, etc.

FS_START_DOYOU2

2.799 / 2.799 / 2.799 / 2.800

Wiki

header

Subject starts with Lose

FS_START_LOSE

0.249 / 0.176 / 1.424 / 1.809

Wiki

header

Subject says something bad about teens

FS_TEEN_BAD

1

Wiki

header

Phrase: subject = tip ddd

FS_TIP_DDD

1

Wiki

header

Subject says Weight Loss

FS_WEIGHT_LOSS

1.894 / 1.541 / 2.501 / 2.036

Wiki

header

Subject says will help

FS_WILL_HELP

2.599 / 0.893 / 2.484 / 0.734

Wiki

header

Subject says With ... small

FS_WITH_SMALL

1

Wiki

header

X-Spam-Relays-External =~ /gmail-smtp-in\.l\.google\.com/

FSL_FAKE_GMAIL_RCVD

3.099 / 2.974 / 1.002 / 2.104

Wiki

header

X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/

FSL_FAKE_HOTMAIL_RVCD

2.631 / 1.816 / 2.011 / 2.365

Wiki

header

X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i

FSL_HELO_BARE_IP_1

2.598 / 1.426 / 3.099 / 2.347

Wiki

header

X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i

FSL_HELO_DEVICE

1.682 / 0.001 / 0.884 / 0.806

Wiki

header

X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i

FSL_HELO_NON_FQDN_1

2.361 / 0.001 / 1.783 / 0.001

Wiki

header

X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i

FSL_HELO_SETUP

1

Wiki

header

Contains valid Hashcash token (20 bits)

HASHCASH_20

-0.5

Wiki

header

Contains valid Hashcash token (21 bits)

HASHCASH_21

-0.7

Wiki

header

Contains valid Hashcash token (22 bits)

HASHCASH_22

-1.0

Wiki

header

Contains valid Hashcash token (23 bits)

HASHCASH_23

-2.0

Wiki

header

Contains valid Hashcash token (24 bits)

HASHCASH_24

-3.0

Wiki

header

Contains valid Hashcash token (25 bits)

HASHCASH_25

-4.0

Wiki

header

Hashcash token already spent in another mail

HASHCASH_2SPEND

0.1

Wiki

header

Contains valid Hashcash token (>25 bits)

HASHCASH_HIGH

-5.0

Wiki

header

Misspaced headers

HDRS_MISSP

1

Wiki

header

Headers have too many raw illegal characters

HEAD_ILLEGAL_CHARS

1

Wiki

header

Message headers are very long

HEAD_LONG

1

Wiki

header

Multiple Content-Type headers found

HEADER_COUNT_CTYPE

1

Wiki

header

Multiple Subject headers found

HEADER_COUNT_SUBJECT

1

Wiki

header

Bulk email fingerprint (header-based) found

HEADER_SPAM

2.499 / 2.499 / 1.994 / 0.585

Wiki

header

Relay HELO'd using suspicious hostname (Chello.nl)

HELO_DYNAMIC_CHELLO_NL

2.412 / 1.918 / 2.019 / 2.428

Wiki

header

Relay HELO'd using suspicious hostname (T-Dialin)

HELO_DYNAMIC_DIALIN

2.629 / 3.233 / 2.186 / 1.366

Wiki

header

Relay HELO'd using suspicious hostname (Hex IP)

HELO_DYNAMIC_HEXIP

2.321 / 0.511 / 1.773 / 1.789

Wiki

header

Relay HELO'd using suspicious hostname (Home.nl)

HELO_DYNAMIC_HOME_NL

2.385 / 1.530 / 1.024 / 1.459

Wiki

header

Relay HELO'd using suspicious hostname (IP addr 2)

HELO_DYNAMIC_IPADDR2

2.815 / 3.888 / 3.728 / 3.607

Wiki

header

Relay HELO'd using suspicious hostname (Rogers)

HELO_DYNAMIC_ROGERS

1

Wiki

header

Relay HELO'd using suspicious hostname (Split IP)

HELO_DYNAMIC_SPLIT_IP

3.031 / 2.893 / 4.225 / 3.482

Wiki

header

X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i

HELO_FRIEND

1

Wiki

header

X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i

HELO_LH_HOME

0.001 / 2.023 / 0.537 / 1.736

Wiki

header

X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i

HELO_LH_LD

1

Wiki

header

X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i

HELO_LOCALHOST

2.639 / 3.603 / 2.915 / 3.828

Wiki

header

X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i

HELO_OEM

2.899 / 2.899 / 1.234 / 0.270

Wiki

header

From name contains drugs

HK_NAME_DRUGS

4.299 / 0.001 / 3.077 / 0.552

Wiki

header

From name mentions free stuff

HK_NAME_FREE

1

Wiki

header

Envelope sender username looks random

HK_RANDOM_ENVFROM

2.638 / 0.626 / 1.798 / 0.001

Wiki

header

Bobax? Message-Id: <0IX000EJXVWDA000@example.com>

HS_BOBAX_MID_2

2.762 / 2.612 / 1.243 / 1.437

Wiki

header

Subject starts with 'New software uploaded by'

HS_SUBJ_NEW_SOFTWARE

1

Wiki

header

Subject contains the phrase 'Online pharmaceutical'

HS_SUBJ_ONLINE_PHARMACEUTICAL

1

Wiki

header

Invalid Date: header (not RFC 2822)

INVALID_DATE

1.701 / 0.432 / 1.200 / 1.096

Wiki

header

Invalid Date: header (timezone does not exist)

INVALID_DATE_TZ_ABSURD

0.262 / 0.632 / 0.706 / 0.491

Wiki

header

Invalid date in header (wrong CST timezone)

INVALID_TZ_CST

1

Wiki

header

Invalid date in header (wrong EST timezone)

INVALID_TZ_EST

1

Wiki

header

Subject contains a Japanese UCE tag

JAPANESE_UCE_SUBJECT

1

Wiki

header

Received =~ /by \S+ \(Qmailv1\) with ESMTP/

JM_RCVD_QMAILV1

1

Wiki

header

Date:raw =~ /^\t/

KB_DATE_CONTAINS_TAB

3.800 / 3.799 / 3.799 / 2.751

Wiki

header

ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi

KB_RATWARE_OUTLOOK_08

1

Wiki

header

ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi

KB_RATWARE_OUTLOOK_12

1

Wiki

header

ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi

KB_RATWARE_OUTLOOK_16

1

Wiki

header

ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi

KB_RATWARE_OUTLOOK_MID

4.400 / 4.400 / 2.503 / 1.499

Wiki

header

Subject: contains Korean unsolicited email tag

KOREAN_UCE_SUBJECT

1

Wiki

header

Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/

L_SPAM_TOOL_13

0.539 / 0.485 / 0.494 / 1.333

Wiki

header

Local part of To: address appears in Subject

LOCALPART_IN_SUBJECT

0.001 / 0.730 / 1.199 / 1.107

Wiki

header

Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/

MID_DEGREES

1

Wiki

header

Spam tool pattern in MIME boundary

MIME_BOUND_DD_DIGITS

3.016 / 0.349 / 2.417 / 1.373

Wiki

header

Spam tool pattern in MIME boundary

MIME_BOUND_DIGITS_15

0.432 / 1.225 / 1.241 / 0.798

Wiki

header

Content-Type =~ /boundary="=====================_\d+==\.REL"/s

MIME_BOUND_EQ_REL

1

Wiki

header

Spam tool pattern in MIME boundary

MIME_BOUND_MANY_HEX

1

Wiki

header

Missing blank line between message header and body

MISSING_HB_SEP

1

Wiki

header

Missing To: header

MISSING_HEADERS

0.915 / 1.207 / 1.204 / 1.021

Wiki

header

Message-ID contains multiple '@' characters

MSGID_MULTIPLE_AT

0.001

Wiki

header

Message-Id is fake (in Outlook Express format)

MSGID_OUTLOOK_INVALID

3.899

Wiki

header

Message-ID is unusually short

MSGID_SHORT

0.001 / 0.337 / 0.001 / 0.001

Wiki

header

Spam tool Message-Id: (caps variant)

MSGID_SPAM_CAPS

2.366 / 1.997 / 3.099 / 3.099

Wiki

header

Spam tool Message-Id: (letters variant)

MSGID_SPAM_LETTERS

1

Wiki

header

Message-ID has ALLCAPS@yahoo.com

MSGID_YAHOO_CAPS

0.797 / 1.413 / 2.278 / 1.411

Wiki

header

Envelope sender has no MX or A DNS records

NO_DNS_FOR_FROM

0 / 0.379 / 0 / 0.001

Wiki

header

Host HELO'd as a big ISP, but had no rDNS

NO_RDNS_DOTCOM_HELO

3.100 / 0.433 / 3.099 / 0.823

Wiki

header

Informational: message was not relayed via SMTP

NO_RELAYS

-0.001

Wiki

header

Character set doesn't exist

NONEXISTENT_CHARSET

1

Wiki

header

Message has Prevent-NonDelivery-Report header

PREVENT_NONDELIVERY

1

Wiki

header

Bulk email fingerprint (envfrom) found

RATWARE_EFROM

2.999