Skip to end of metadata
Go to start of metadata

MBINE의 스팸 필터링이 기본적으로 수행하는 룰과 그 점수입니다.

TEST NAMEDESCRIPTION OF TESTDEFAULT SCORES
GTUBEGeneric Test for Unsolicited Bulk Email1000
TRACKER_IDIncorporates a tracking ID number2.026 1.102 1.750 1.306
WEIRD_QUOTINGWeird repeated double-quotation marks0.001 0.001 0.001 0.001
EMAIL_ROT13Body contains a ROT13-encoded email address1
MPART_ALT_DIFFHTML and text parts are different2.246 0.724 0.595 0.790
MPART_ALT_DIFF_COUNTHTML and text parts are different2.799 1.483 1.199 1.112
BLANK_LINES_80_90Message body has 80-90% blank lines1
MULTIPART_ALT_NON_TEXTeval:check_ma_non_text()1
CHARSET_FARAWAYCharacter set indicates a foreign language3.2
MIME_BASE64_BLANKSExtra blank lines in base64 encoding0.001 0.001 0.001 0.001
MIME_BASE64_TEXTMessage text disguised using base64 encoding0.001 0.001 0.001 1.741
MISSING_MIME_HB_SEPMissing blank line between MIME header and body0.001 0.001 0.001 0.001
MIME_HTML_MOSTLYMultipart message mostly text/html MIME0.354 0.001 0.725 0.428
MIME_HTML_ONLYMessage only has text/html MIME parts2.199 1.105 1.199 0.723
MIME_QP_LONG_LINEQuoted-printable line longer than 76 chars0.001
MIME_BAD_ISO_CHARSETMIME character set is an unknown ISO charset1
HTTPS_IP_MISMATCHIP to HTTPS link found in HTML1
URI_TRUNCATEDMessage contained a URI which was truncated0.001
ALL_TRUSTEDPassed through trusted hosts only via SMTP-1
NO_RELAYSInformational: message was not relayed via SMTP-0.001
RCVD_IN_NJABL_RELAYNJABL: sender is confirmed open relay0 1.881 0 2.499
RCVD_IN_NJABL_SPAMNJABL: sender is confirmed spam source0 1.466 0 1.249
RCVD_IN_NJABL_MULTINJABL: sent through multi-stage open relay1
RCVD_IN_NJABL_CGINJABL: sender is an open formmail1
RCVD_IN_NJABL_PROXYNJABL: sender is an open proxy0 0.208 0 2.224
RCVD_IN_SORBS_HTTPSORBS: sender is open HTTP proxy server0 2.499 0 0.001
RCVD_IN_SORBS_SOCKSSORBS: sender is open SOCKS proxy server0 2.443 0 1.927
RCVD_IN_SORBS_MISCSORBS: sender is open proxy server1
RCVD_IN_SORBS_SMTPSORBS: sender is open SMTP relay1
RCVD_IN_SORBS_WEBSORBS: sender is an abusable web server0 0.614 0 0.770
RCVD_IN_SORBS_BLOCKSORBS: sender demands to never be tested1
RCVD_IN_SORBS_ZOMBIESORBS: sender is on a hijacked network1
RCVD_IN_SORBS_DULSORBS: sent directly from dynamic IP address0 0.001 0 0.001
RCVD_IN_SBLReceived via a relay in Spamhaus SBL0 2.596 0 0.141
RCVD_IN_XBLReceived via a relay in Spamhaus XBL0 0.724 0 0.375
RCVD_IN_PBLReceived via a relay in Spamhaus PBL0 3.558 0 3.335
DNS_FROM_RFC_DSNEnvelope sender in dsn.rfc-ignorant.org0 0.001 0 0.001
DNS_FROM_RFC_BOGUSMXEnvelope sender in bogusmx.rfc-ignorant.org0 1.464 0 1.668
DNS_FROM_AHBL_RHSBLEnvelope sender listed in dnsbl.ahbl.org0 2.438 0 2.699
RCVD_IN_BL_SPAMCOP_NETReceived via a relay in bl.spamcop.net0 1.246 0 1.347
RCVD_IN_MAPS_RBLRelay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html1
RCVD_IN_MAPS_DULRelay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html1
RCVD_IN_MAPS_RSSRelay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html1
RCVD_IN_MAPS_OPSRelay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html1
RCVD_IN_MAPS_NMLRelay in NML, http://www.mail-abuse.com/enduserinfo_nml.html1
RCVD_IN_IADB_VOUCHEDISIPP IADB lists as vouched-for sender0 -2.2 0 -2.2
SUBJECT_DRUG_GAP_CSubject contains a gappy version of 'cialis'2.108 0.989 1.348 2.140
SUBJECT_DRUG_GAP_LSubject contains a gappy version of 'levitra'2.799 2.304 1.402 1.561
SUBJECT_DRUG_GAP_SSubject contains a gappy version of 'soma'1
SUBJECT_DRUG_GAP_VASubject contains a gappy version of 'valium'1
SUBJECT_DRUG_GAP_XSubject contains a gappy version of 'xanax'1
DRUG_DOSAGETalks about price per dose1
DRUG_ED_CAPSMentions an E.D. drug2.799 1.023 2.516 0.936
DRUG_ED_SILDTalks about an E.D. drug using its chemical name0.001 0.170 0.113 1.794
DRUG_ED_GENERICMentions Generic Viagra1
DRUG_ED_ONLINEFast Viagra Delivery0.696 1.152 1.221 0.608
ONLINE_PHARMACYOnline Pharmacy0.843 2.371 0.008 0.650
NO_PRESCRIPTIONNo prescription needed1.915 1.102 2.280 2.399
VIA_GAP_GRAAttempts to disguise the word 'viagra'1
DRUGS_SMEAR1Two or more drugs crammed together into one word3.300 2.051 3.148 0.235
FAKE_HELO_MAIL_COM_DOMRelay HELO'd with suspicious hostname (mail.com)1.887 0.152 1.370 2.136
HELO_DYNAMIC_ROGERSRelay HELO'd using suspicious hostname (Rogers)1
HELO_DYNAMIC_DIALINRelay HELO'd using suspicious hostname (T-Dialin)2.629 3.233 2.186 1.366
HELO_DYNAMIC_HEXIPRelay HELO'd using suspicious hostname (Hex IP)2.321 0.511 1.773 1.789
HELO_DYNAMIC_SPLIT_IPRelay HELO'd using suspicious hostname (Split IP)3.031 2.893 4.225 3.482
HELO_DYNAMIC_IPADDR2Relay HELO'd using suspicious hostname (IP addr 2)2.815 3.888 3.728 3.607
HELO_DYNAMIC_CHELLO_NLRelay HELO'd using suspicious hostname (Chello.nl)2.412 1.918 2.019 2.428
HELO_DYNAMIC_HOME_NLRelay HELO'd using suspicious hostname (Home.nl)2.385 1.530 1.024 1.459
FREEMAIL_FROMSender email is freemail0.001
FREEMAIL_ENVFROM_END_DIGITEnvelope-from freemail username ends in digit2.602 2.223 1.770 1.553
FREEMAIL_REPLYTO_END_DIGITReply-To freemail username ends in digit1.221 0.980 1.179 1.151
FRAGMENTED_MESSAGEPartial message1
FROM_BLANK_NAMEFrom: contains empty name2.099 2.099 2.099 0.723
FROM_STARTS_WITH_NUMSFrom: starts with many numbers2.801 0.553 1.201 0.738
FROM_OFFERSFrom address is "at something-offers"2.699 2.699 2.510 2.699
FROM_NO_USERFrom: has no local-part before @ sign0.001 2.599 0.019 0.798
MSGID_SPAM_CAPSSpam tool Message-Id: (caps variant)2.366 1.997 3.099 3.099
MSGID_SPAM_LETTERSSpam tool Message-Id: (letters variant)1
MSGID_YAHOO_CAPSMessage-ID has ALLCAPS@yahoo.com0.797 1.413 2.278 1.411
MSGID_SHORTMessage-ID is unusually short0.001 0.337 0.001 0.001
MSGID_MULTIPLE_ATMessage-ID contains multiple '@' characters0.001
DATE_SPAMWARE_Y2KDate header uses unusual Y2K formatting1
INVALID_DATEInvalid Date: header (not RFC 2822)1.701 0.432 1.200 1.096
INVALID_DATE_TZ_ABSURDInvalid Date: header (timezone does not exist)0.262 0.632 0.706 0.491
INVALID_TZ_CSTInvalid date in header (wrong CST timezone)1
INVALID_TZ_ESTInvalid date in header (wrong EST timezone)1
ENGLISH_UCE_SUBJECTSubject contains an English UCE tag0.953 1.542 2.569 2.899
JAPANESE_UCE_SUBJECTSubject contains a Japanese UCE tag1
KOREAN_UCE_SUBJECTSubject: contains Korean unsolicited email tag1
FORGED_TELESP_RCVDContains forged hostname for a DSL IP in Brazil2.499 2.499 2.499 1.841
NONEXISTENT_CHARSETCharacter set doesn't exist1
PREVENT_NONDELIVERYMessage has Prevent-NonDelivery-Report header1
X_IPMessage has X-IP header0.001 0.001 0.001 0.001
SUBJ_AS_SEENSubject contains "As Seen"2.711 3.099 3.099 1.461
SUBJ_DOLLARSSubject starts with dollar amount0.600 0.001 0.601 1.800
SUBJ_YOUR_DEBTSubject contains "Your Bills" or similar3.299 3.045 1.199 0.987
SUBJ_YOUR_FAMILYSubject contains "Your Family"2.910 2.999 2.999 2.999
RCVD_FAKE_HELO_DOTCOMReceived contains a faked HELO hostname2.799 2.389 2.605 1.189
SUBJECT_DIETSubject talks about losing pounds1.927 1.563 0.817 1.466
EXTRA_MPART_TYPEHeader has extraneous Content-type:...type= entry1
MIME_BOUND_DD_DIGITSSpam tool pattern in MIME boundary3.016 0.349 2.417 1.373
MIME_BOUND_DIGITS_15Spam tool pattern in MIME boundary0.432 1.225 1.241 0.798
MIME_BOUND_MANY_HEXSpam tool pattern in MIME boundary1
TO_MALFORMEDTo: has a malformed address0.892 1.247 2.099 2.099
WITH_LC_SMTPReceived line contains spam-sign (lowercase smtp)1
SUBJ_BUYSubject line starts with Buy or Buying0.594 1.498 0.001 0.639
RCVD_AM_PMReceived headers forged (AM/PM)1
FAKE_OUTBLAZE_RCVDReceived header contains faked 'mr.outblaze.com'1
UNCLOSED_BRACKETHeaders contain an unclosed bracket2.699 1.329 1.425 1.496
FROM_DOMAIN_NOVOWELFrom: domain has series of non-vowel letters0.5
FROM_LOCAL_NOVOWELFrom: localpart has series of non-vowel letters0.5
FROM_LOCAL_HEXFrom: localpart has long hexadecimal sequence0.000 0.331 0.001 0.006
FROM_LOCAL_DIGITSFrom: localpart has long digit sequence0.001
X_PRIORITY_CCCc: after X-Priority: (bulk email fingerprint)1
BAD_ENC_HEADERMessage has bad MIME encoding in the header3.099 1.716 1.805 1.988
RCVD_ILLEGAL_IPReceived: contains illegal IP address3.399
CHARSET_FARAWAY_HEADERA foreign language charset used in headers3.2
FROM_ILLEGAL_CHARSFrom: has too many raw illegal characters2.192 2.059 0.240 0.036
HEAD_ILLEGAL_CHARSHeaders have too many raw illegal characters1
FORGED_HOTMAIL_RCVD2hotmail.com 'From' address, but no 'Received:'0.001 1.187 0.698 0.874
FORGED_YAHOO_RCVD'From' yahoo.com does not match 'Received' headers2.397 1.022 2.599 1.630
SORTED_RECIPSRecipient list is sorted by address1.801 2.474 1.791 2.499
SUSPICIOUS_RECIPSSimilar addresses in recipient list2.499 2.497 2.139 2.510
MISSING_HEADERSMissing To: header0.915 1.207 1.204 1.021
DATE_IN_PAST_03_06Date: is 3 to 6 hours before Received: date2.399 1.076 1.200 1.592
DATE_IN_PAST_06_12Date: is 6 to 12 hours before Received: date1.699 1.103 1.274 1.543
DATE_IN_PAST_12_24Date: is 12 to 24 hours before Received: date0.001 0.804 1.190 1.049
DATE_IN_PAST_24_48Date: is 24 to 48 hours before Received: date1.109 0.485 0.624 1.340
DATE_IN_PAST_96_XXDate: is 96 hours or more before Received: date2.600 2.070 1.233 3.405
DATE_IN_FUTURE_03_06Date: is 3 to 6 hours after Received: date3.399 2.426 2.997 3.027
DATE_IN_FUTURE_06_12Date: is 6 to 12 hours after Received: date2.899 0.001 2.222 1.947
DATE_IN_FUTURE_12_24Date: is 12 to 24 hours after Received: date2.603 2.489 3.199 3.199
DATE_IN_FUTURE_24_48Date: is 24 to 48 hours after Received: date2.598 1.248 0.001 2.048
DATE_IN_FUTURE_48_96Date: is 48 to 96 hours after Received: date2.384 0.813 1.078 2.181
DATE_IN_FUTURE_96_XXDate: is 96 hours or more after Received: date2.614 3.028 2.851 3.087
UNRESOLVED_TEMPLATEHeaders contain an unresolved template3.035 0.716 2.424 1.252
SUBJ_ALL_CAPSSubject is all capitals0.518 1.625 1.197 1.506
LOCALPART_IN_SUBJECTLocal part of To: address appears in Subject0.001 0.730 1.199 1.107
MSGID_OUTLOOK_INVALIDMessage-Id is fake (in Outlook Express format)3.899
HEADER_COUNT_CTYPEMultiple Content-Type headers found1
HEAD_LONGMessage headers are very long1
MISSING_HB_SEPMissing blank line between message header and body1
UNPARSEABLE_RELAYInformational: message has unparseable relay lines0.001
RCVD_HELO_IP_MISMATCHReceived: HELO and IP do not match, but should1.680 1.186 2.362 2.368
RCVD_NUMERIC_HELOReceived: contains an IP address used for HELO0.001 0.865 0.001 1.164
NO_RDNS_DOTCOM_HELOHost HELO'd as a big ISP, but had no rDNS3.100 0.433 3.099 0.823
HIDE_WIN_STATUSJavascript to hide URLs in browser0.001 1.353 0.754 1.380
HTML_MESSAGEHTML included in message0.001
HTML_COMMENT_SHORTHTML comment is very short1
HTML_COMMENT_SAVED_URLHTML message is a saved web page0.198 0.357 0.899 1.391
HTML_EMBEDSHTML with embedded plugin object0.001 0.001 1.171 1.799
HTML_EXTRA_CLOSEHTML contains far too many close tags0.001
HTML_FONT_SIZE_LARGEHTML font size is large0.001
HTML_FONT_SIZE_HUGEHTML font size is huge0.001
HTML_FONT_LOW_CONTRASTHTML font color similar to background0.713 0.001 0.786 0.001
HTML_FONT_FACE_BADHTML font face is not a word0.001 0.289 0.286 0.981
HTML_FORMACTION_MAILTOHTML includes a form which sends mail1
HTML_IMAGE_ONLY_04HTML: images with 0-400 bytes of words1.680 0.342 1.799 1.172
HTML_IMAGE_ONLY_08HTML: images with 400-800 bytes of words0.585 1.781 1.845 1.651
HTML_IMAGE_ONLY_12HTML: images with 800-1200 bytes of words1.381 1.629 1.400 2.059
HTML_IMAGE_ONLY_16HTML: images with 1200-1600 bytes of words1.969 1.048 1.199 1.092
HTML_IMAGE_ONLY_20HTML: images with 1600-2000 bytes of words2.109 0.700 1.300 1.546
HTML_IMAGE_ONLY_24HTML: images with 2000-2400 bytes of words2.799 1.282 1.328 1.618
HTML_IMAGE_ONLY_28HTML: images with 2400-2800 bytes of words2.799 0.726 1.512 1.404
HTML_IMAGE_ONLY_32HTML: images with 2800-3200 bytes of words2.196 0.001 1.172 0.001
HTML_IMAGE_RATIO_02HTML has a low ratio of text to image area2.199 0.805 1.200 0.437
HTML_IMAGE_RATIO_04HTML has a low ratio of text to image area2.089 0.610 0.607 0.556
HTML_IMAGE_RATIO_06HTML has a low ratio of text to image area0.001 0.001 0.001 0.001
HTML_IMAGE_RATIO_08HTML has a low ratio of text to image area0.001 0.001 0.001 0.001
HTML_OBFUSCATE_05_10Message is 5% to 10% HTML obfuscation0.601 0.001 0.718 0.260
HTML_OBFUSCATE_10_20Message is 10% to 20% HTML obfuscation0.174 1.162 0.588 0.093
HTML_OBFUSCATE_20_30Message is 20% to 30% HTML obfuscation2.499 2.441 1.449 1.999
HTML_OBFUSCATE_30_40Message is 30% to 40% HTML obfuscation1
HTML_OBFUSCATE_50_60Message is 50% to 60% HTML obfuscation1
HTML_OBFUSCATE_70_80Message is 70% to 80% HTML obfuscation1
HTML_OBFUSCATE_90_100Message is 90% to 100% HTML obfuscation1
HTML_TAG_BALANCE_BODYHTML has unbalanced "body" tags1.247 0.712 0.628 1.157
HTML_TAG_BALANCE_HEADHTML has unbalanced "head" tags0.520 0.000 0.600 0.817
HTML_TAG_EXIST_BGSOUNDHTML has "bgsound" tag1
HTML_BADTAG_40_50HTML message is 40% to 50% bad tags1
HTML_BADTAG_50_60HTML message is 50% to 60% bad tags1
HTML_BADTAG_60_70HTML message is 60% to 70% bad tags1
HTML_BADTAG_90_100HTML message is 90% to 100% bad tags1
HTML_NONELEMENT_30_4030% to 40% of HTML elements are non-standard0.000 0.001 0.308 0.001
HTML_NONELEMENT_40_5040% to 50% of HTML elements are non-standard1
HTML_NONELEMENT_60_7060% to 70% of HTML elements are non-standard1
HTML_NONELEMENT_80_9080% to 90% of HTML elements are non-standard1
HTML_IFRAME_SRCMessage has HTML IFRAME tag with SRC URI1
NO_DNS_FOR_FROMEnvelope sender has no MX or A DNS records0 0.379 0 0.001
REMOVE_BEFORE_LINKRemoval phrase right before a link0.406 1.587 1.799 1.800
GUARANTEED_100_PERCENTOne hundred percent guaranteed2.699 2.699 2.480 2.699
DEAR_FRIENDDear Friend? That's not very dear!2.683 2.604 1.801 2.577
DEAR_SOMETHINGContains 'Dear (something)'1.999 1.731 1.787 1.973
BILLION_DOLLARSTalks about lots of money0.001 1.451 1.229 1.638
EXCUSE_4Claims you can be removed from the list2.399 1.687 2.399 1.325
EXCUSE_24Claims you wanted this ad2.799
EXCUSE_REMOVETalks about how to be removed from mailings2.907 2.992 3.299 3.299
STRONG_BUYTells you about a strong buy1
STOCK_ALERTOffers a alert about a stock1
NOT_ADVISORNot registered investment advisor1
PREST_NON_ACCREDITED'Prestigious Non-Accredited Universities'1
BODY_ENHANCEMENTInformation on growing body parts0.927 1.611 0.974 0.001
BODY_ENHANCEMENT2Information on getting larger body parts1.691 1.507 1.865 1.541
IMPOTENCEImpotence cure1.539 2.144 3.028 1.374
NA_DOLLARSTalks about a million North American dollars3.599
US_DOLLARS_3Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN)2.599 2.523 1.780 1.754
MILLION_USDTalks about millions of dollars3.799 2.477 3.221 3.247
URG_BIZContains urgent matter1.750 0.941 0.568 0.573
MONEY_BACKMoney back guarantee2.910 2.486 0.601 1.232
FREE_QUOTE_INSTANTFree express or no-obligation quote2.700 2.699 2.699 1.297
BAD_CREDITEliminate Bad Credit2.799 1.658 1.279 2.415
REFINANCE_YOUR_HOMEHome refinancing1
REFINANCE_NOWHome refinancing1
NO_MEDICALNo Medical Exams2.199 1.254 2.199 1.773
DIET_1Lose Weight Spam0.714 0.000 0.399 0.001
FIN_FREEFreedom of a financial nature2.699 2.289 2.699 2.700
FORWARD_LOOKINGStock Disclaimer Statement1
ONE_TIMEOne Time Rip Off1.840 1.175 1.830 0.714
JOIN_MILLIONSJoin Millions of Americans0.700 0.128 1.549 1.026
MARKETING_PARTNERSClaims you registered with a partner0.553 0.235 0.689 0.001
LOW_PRICELowest Price0.161 0.600 0.001 1.464
UNCLAIMED_MONEYPeople just leave money laying around2.699 2.699 2.699 2.427
OBSCURED_EMAILMessage seems to contain rot13ed address1
BANG_OPRAHTalks about Oprah with an exclamation!1
ACT_NOW_CAPSTalks about 'acting now' with capitals1.404 2.399 0.925 2.211
MORE_SEXTalks about a bigger drive for sex2.799 2.765 2.568 1.413
BANG_GUARSomething is emphatically guaranteed2.202 2.377 1.690 2.704
INVESTMENT_ADVICEMessage mentions investment advice0.200 2.160 2.199 2.199
MALE_ENHANCEMessage talks about enhancing men3.100 3.099 3.099 0.851
PRICES_ARE_AFFORDABLEMessage says that prices aren't too expensive0.794 0.851 1.112 0.551
REPLICA_WATCHMessage talks about a replica watch3.487 3.164 4.074 3.775
EM_ROLEXMessage puts emphasis on the watch manufacturer0.595 1.309 2.068 0.618
FREE_PORNPossible porn - Free Porn1
CUM_SHOTPossible porn - Cum Shot1
LIVE_PORNPossible porn - Live Porn1
SUBJECT_SEXUALSubject indicates sexually-explicit content1
RATWARE_EGROUPSBulk email fingerprint (eGroups) found1.898 1.258 1.406 1.621
RATWARE_OE_MALFORMEDX-Mailer has malformed Outlook Express version1
RATWARE_MOZ_MALFORMEDBulk email fingerprint (Mozilla malformed) found1
RATWARE_MPOP_WEBMAILBulk email fingerprint (mPOP Web-Mail)1.153 1.338 1.229 1.999
RATWARE_HASH_DASHContains a hashbuster in Send-Safe format1
RATWARE_GECKO_BUILDBulk email fingerprint (Gecko faked) found1
X_MESSAGE_INFOBulk email fingerprint (X-Message-Info) found1
HEADER_SPAMBulk email fingerprint (header-based) found2.499 2.499 1.994 0.585
RATWARE_RCVD_PFBulk email fingerprint (Received PF) found1
RATWARE_RCVD_ATBulk email fingerprint (Received @) found1
RATWARE_EFROMBulk email fingerprint (envfrom) found2.999
HIGH_CODEPAGE_URI/^https?:\/\/[^\/]*\&\#(?:\d{4,}| [3456789]\d\d);/i1
NUMERIC_HTTP_ADDRUses a numeric IP address in URL0.000 0.001 0.001 1.242
HTTP_ESCAPED_HOSTUses %-escapes inside a URL's hostname0.807 1.621 0.483 1.125
HTTP_EXCESSIVE_ESCAPESCompletely unnecessary %-escapes inside a URL0.001 1.516 0.000 1.572
IP_LINK_PLUSDotted-decimal IP address followed by CGI0.001 0.001 0.246 0.012
WEIRD_PORTUses non-standard port number for HTTP0.001 0.001 0.097 0.001
YAHOO_RD_REDIRHas Yahoo Redirect URI1
YAHOO_DRS_REDIRHas Yahoo Redirect URI1
HTTP_77Contains an URL-encoded hostname (HTTP77)1
SPOOF_COM2OTHURI contains ".com" in middle2.999 2.999 2.877 2.723
SPOOF_COM2COMURI contains ".com" in middle and end0.001 1.632 1.952 2.048
SPOOF_NET2COMURI contains ".net" or ".org", then ".com"1
URI_HEXURI hostname has long hexadecimal sequence2.800 1.313 1.206 1.122
URI_NOVOWELURI hostname has long non-vowel sequence0.5
URI_UNSUBSCRIBEURI contains suspicious unsubscribe link1
URI_NO_WWW_INFO_CGICGI in .info TLD other than third-level "www"2.299 2.299 0.292 2.071
URI_NO_WWW_BIZ_CGICGI in .biz TLD other than third-level "www"2.399 2.399 2.400 2.399
NORMAL_HTTP_TO_IPUses a dotted-decimal IP address in URL0.159 0.001 0.795 0.001
BAYES_00Bayes spam probability is 0 to 1%0 0 -1.5 -1.9
BAYES_05Bayes spam probability is 1 to 5%0 0 -0.3 -0.5
BAYES_20Bayes spam probability is 5 to 20%0 0 -0.001 -0.001
BAYES_40Bayes spam probability is 20 to 40%0 0 -0.001 -0.001
BAYES_50Bayes spam probability is 40 to 60%0 0 2.0 0.8
BAYES_60Bayes spam probability is 60 to 80%0 0 2.5 1.5
BAYES_80Bayes spam probability is 80 to 95%0 0 2.7 2.0
BAYES_95Bayes spam probability is 95 to 99%0 0 3.2 3.0
BAYES_99Bayes spam probability is 99 to 100%0 0 3.8 3.5
ACCESSDBMessage would have been caught by accessdb1
MICROSOFT_EXECUTABLEMessage includes Microsoft executable program0.1
MIME_SUSPECT_NAMEMIME filename does not match content0.1
DCC_CHECKListed in DCC (http://rhyolite.com/anti-spam/dcc/)0 1.1 0 1.1
DCC_REPUT_00_12DCC reputation between 0 and 12 % (mostly ham)0 -0.8 0 -0.4
DCC_REPUT_13_19eval:check_dcc_reputation_range(13,19)0 -0.1 0 -0.1
DCC_REPUT_70_89DCC reputation between 70 and 89 %0 0.1 0 0.1
DCC_REPUT_90_94DCC reputation between 90 and 94 %0 0.4 0 0.6
DCC_REPUT_95_98DCC reputation between 95 and 98 % (mostly spam)0 0.7 0 1.0
DCC_REPUT_99_100DCC reputation between 99 % or higher (spam)0 1.2 0 1.4
DKIM_SIGNEDMessage has a DKIM or DK signature, not necessarily valid0.1
DKIM_VALIDMessage has at least one valid DKIM or DK signature-0.1
DKIM_VALID_AUMessage has a valid DKIM or DK signature from author's domain-0.1
DKIM_ADSP_NXDOMAINNo valid author signature and domain not in DNS0 0.8 0 0.9
DKIM_ADSP_DISCARDNo valid author signature, domain signs all mail and suggests discarding the rest0 1.8 0 1.8
DKIM_ADSP_ALLNo valid author signature, domain signs all mail0 1.1 0 0.8
DKIM_ADSP_CUSTOM_LOWNo valid author signature, adsp_override is CUSTOM_LOW0.001
DKIM_ADSP_CUSTOM_MEDNo valid author signature, adsp_override is CUSTOM_MED0.001
DKIM_ADSP_CUSTOM_HIGHNo valid author signature, adsp_override is CUSTOM_HIGH0.001
DKIM_VERIFIEDeval:check_dkim_valid()1
DKIM_POLICY_TESTINGeval:check_dkim_testing()1
DKIM_POLICY_SIGNSOMEeval:check_dkim_signsome()1
DKIM_POLICY_SIGNALLeval:check_dkim_signall()1
HASHCASH_20Contains valid Hashcash token (20 bits)-0.5
HASHCASH_21Contains valid Hashcash token (21 bits)-0.7
HASHCASH_22Contains valid Hashcash token (22 bits)-1
HASHCASH_23Contains valid Hashcash token (23 bits)-2
HASHCASH_24Contains valid Hashcash token (24 bits)-3
HASHCASH_25Contains valid Hashcash token (25 bits)-4
HASHCASH_HIGHContains valid Hashcash token (>25 bits)-5
HASHCASH_2SPENDHashcash token already spent in another mail0.1
PYZOR_CHECKListed in Pyzor (http://pyzor.sf.net/)0 1.985 0 1.392
RAZOR2_CHECKListed in Razor2 (http://razor.sf.net/)0 1.729 0 0.922
RAZOR2_CF_RANGE_51_100Razor2 gives confidence level above 50%0 0.365 0 0.500
RAZOR2_CF_RANGE_E4_51_100Razor2 gives engine 4 confidence level above 50%0 0.467 0 0.642
RAZOR2_CF_RANGE_E8_51_100Razor2 gives engine 8 confidence level above 50%0 2.430 0 1.886
SUBJECT_FUZZY_MEDSAttempt to obfuscate words in Subject:1
SUBJECT_FUZZY_CHEAPAttempt to obfuscate words in Subject:0.641 1.831 0.833 0.001
SUBJECT_FUZZY_PENISAttempt to obfuscate words in Subject:1
SUBJECT_FUZZY_TIONAttempt to obfuscate words in Subject:1
FUZZY_AFFORDABLEAttempt to obfuscate words in spam1
FUZZY_AMBIENAttempt to obfuscate words in spam2.199 1.851 0.925 0.552
FUZZY_BILLIONAttempt to obfuscate words in spam1
FUZZY_CPILLAttempt to obfuscate words in spam0.001 0.001 0.001 0.001
FUZZY_CREDITAttempt to obfuscate words in spam1.699 1.413 0.601 1.678
FUZZY_ERECTAttempt to obfuscate words in spam2.356 1.306 2.360 1.859
FUZZY_GUARANTEEAttempt to obfuscate words in spam1
FUZZY_MEDICATIONAttempt to obfuscate words in spam1
FUZZY_MILLIONAttempt to obfuscate words in spam2.599 2.599 1.659 2.505
FUZZY_MONEYAttempt to obfuscate words in spam1
FUZZY_MORTGAGEAttempt to obfuscate words in spam1
FUZZY_OBLIGATIONAttempt to obfuscate words in spam1
FUZZY_OFFERSAttempt to obfuscate words in spam1
FUZZY_PHARMACYAttempt to obfuscate words in spam2.960 3.299 1.967 1.353
FUZZY_PHENTAttempt to obfuscate words in spam2.799 1.647 1.540 2.662
FUZZY_PRESCRIPTAttempt to obfuscate words in spam1
FUZZY_PRICESAttempt to obfuscate words in spam1.821 0.720 2.210 2.311
FUZZY_REFINANCEAttempt to obfuscate words in spam1
FUZZY_REMOVEAttempt to obfuscate words in spam1
FUZZY_ROLEXAttempt to obfuscate words in spam3.399 1.038 3.399 1.964
FUZZY_SOFTWAREAttempt to obfuscate words in spam1
FUZZY_THOUSANDSAttempt to obfuscate words in spam1
FUZZY_VLIUMAttempt to obfuscate words in spam1
FUZZY_VIOXXAttempt to obfuscate words in spam1
FUZZY_VPILLAttempt to obfuscate words in spam0.001 0.494 0.796 1.014
FUZZY_XPILLAttempt to obfuscate words in spam2.202 1.752 2.799 2.799
SPF_PASSSPF: sender matches SPF record-0.001
SPF_NEUTRALSPF: sender does not match SPF record (neutral)0 0.652 0 0.779
SPF_FAILSPF: sender does not match SPF record (fail)0 0.919 0 0.001
SPF_SOFTFAILSPF: sender does not match SPF record (softfail)0 0.972 0 0.665
SPF_HELO_PASSSPF: HELO matches SPF record-0.001
SPF_HELO_NEUTRALSPF: HELO does not match SPF record (neutral)0 0.001 0 0.112
SPF_HELO_FAILSPF: HELO does not match SPF record (fail)0 0.001 0 0.001
SPF_HELO_SOFTFAILSPF: HELO does not match SPF record (softfail)0 0.896 0 0.732
UNWANTED_LANGUAGE_BODYMessage written in an undesired language2.8
BODY_8BITSBody includes 8 consecutive 8-bit characters1.5
URIBL_SBLContains an URL listed in the SBL blocklist0 0.644 0 1.623
URIBL_SC_SURBLContains an URL listed in the SC SURBL blocklist0 0.001 0 0.568
URIBL_WS_SURBLContains an URL listed in the WS SURBL blocklist0 1.659 0 1.608
URIBL_PH_SURBLContains an URL listed in the PH SURBL blocklist0 0.001 0 0.610
URIBL_OB_SURBLContains an URL listed in the OB SURBL blocklist0 0.785 0 0.122
URIBL_AB_SURBLContains an URL listed in the AB SURBL blocklist0 4.499 0 4.499
URIBL_JP_SURBLContains an URL listed in the JP SURBL blocklist0 1.948 0 1.250
URIBL_BLACKContains an URL listed in the URIBL blacklist0 1.775 0 1.725
URIBL_GREYContains an URL listed in the URIBL greylist0 1.084 0 0.424
URIBL_REDContains an URL listed in the URIBL redlist0.001
AWLFrom: address is in the auto white-list1
SHORTCIRCUITNot all rules were run, due to a shortcircuited rule1
USER_IN_BLACKLISTFrom: address is in the user's black-list100
USER_IN_WHITELISTFrom: address is in the user's white-list-100
USER_IN_DEF_WHITELISTFrom: address is in the default white-list-15
USER_IN_BLACKLIST_TOUser is listed in 'blacklist_to'10
USER_IN_WHITELIST_TOUser is listed in 'whitelist_to'-6
USER_IN_MORE_SPAM_TOUser is listed in 'more_spam_to'-20
USER_IN_ALL_SPAM_TOUser is listed in 'all_spam_to'-100
USER_IN_DKIM_WHITELISTFrom: address is in the user's DKIM whitelist-100
USER_IN_DEF_DKIM_WLFrom: address is in the default DKIM white-list-7.5
USER_IN_SPF_WHITELISTFrom: address is in the user's SPF whitelist-100
USER_IN_DEF_SPF_WLFrom: address is in the default SPF white-list-7.5
SUBJECT_IN_WHITELISTSubject: contains string in the user's white-list-100
SUBJECT_IN_BLACKLISTSubject: contains string in the user's black-list100
APOSTROPHE_FROMFrom address contains an apostrophe0.148 0.786 0.651 0.545
AXB_HELO_HOME_UNHELO from home - untrusted1
AXB_XMID_1212Barbera Fingerprint1
AXB_XMID_1510Brunello Fingerprint1
AXB_XMID_OEGOESNULLAmarone Fingerprint1
AXB_XM_SENDMAIL_NOTNebbiolo fingerprint1
AXB_XR_STULDAPReceived =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/1
BANKING_LAWSTalks about banking laws2.399 2.004 2.157 1.099
BASE64_LENGTH_78_79eval:check_base64_length('78','79')2.370 2.636 0.762 2.667
BASE64_LENGTH_79_INFeval:check_base64_length('79')1.379 2.019 0.583 1.502
BUG6152_INVALID_DATE_TZ_ABSURDDate =~ /[-+](?!(?:0\d| 1[0-4])(?:[03]0| [14]5))\d{4}/1.802 1.448 0.024 0.766
CTYPE_001C_BContent-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/0.001 0.001 0.001 0.001
CURR_PRICE/\bCurrent Price:/0.001
DEAR_BENEFICIARYDear Beneficiary:1
DEAR_EMAILMessage contains Dear email address1
DEAR_WINNER/\bdear.{1,20}winner/i3.099 3.099 2.309 3.099
DOS_ANAL_SPAM_MAILERX-mailer pattern common to anal porn site spam1
DOS_RCVD_IP_TWICE_CReceived from the same IP twice in a row (only one external relay; empty or IP helo)2.599 2.060 3.292 0.096
DOS_URI_ASTERISKFound an asterisk in a URI1
DRUGS_HDIASubject =~ /\bhoodia\b/i1
FB_ADD_INCHESAdd / Gain inches1
FB_ALMOST_SEXIt's almost sex, but not!1
FB_ANA_TRIMBroken AnaTrim phrase.1
FB_ANUIPhrase: A_U_N_I1
FB_BILLI0NPhrase: [BM]Illi0n1
FB_C0MPANYPhrase: C0mpany1
FB_CAN_LONGERPhrase: can last longer1
FB_CIALIS_LEO3Uses a mis-spelled version of cialis.1.688 3.055 2.465 3.245
FB_DOUBLE_0WORDSLooks like double 0 words1
FB_EMAIL_HIERPhrase: email hier1
FB_EXTRA_INCHESPhrase: extra inches0.289 0.000 2.603 0.001
FB_FAKE_NUMBERSLooks like numbers with O's insted of 0's1
FB_FAKE_NUMS4Looks like fake numbers (4)1
FB_FHARMACYPhrase: Farmacy1
FB_FORWARD_LOOKPhrase: forward look with 0's1
FB_GAPPY_ADDRESSToo much spacing in Address1
FB_GET_MEDSLooks like trying to sell meds2.314 2.027 1.195 0.935
FB_GVRLooks like generic viagra2.340 0.691 2.568 2.301
FB_HEY_BRO_COMMAPhrase hey bro,1
FB_HG_H_CAPPhrase: HGH1
FB_HOMELOANPhrase (dollar) x home loan1
FB_IMPRESS_GIRLPhrase: impress ... girl1
FB_INCREASE_YOURPhrase: Increase your energy2.699 2.700 2.335 2.343
FB_INDEPEND_RWDPhrase: independent reward2.799
FB_L0ANPhrase: L0an1
FB_LETTERS_21BSpecial people leave special signs!1
FB_LOSE_WEIGHT_CAPPhrase: LOSE WEIGHT0.001 0.001 2.187 0.001
FB_LOWER_PAYMPhrase: lower your monthly payments1
FB_MORE_SIZEPhrase: more size1
FB_NOT_PHONE_NUM1Looks like a fake phone number (1)1
FB_NOT_PHONE_NUM3Looks like a fake phone number (3)1
FB_NOT_SCHOOLLooks like school but it's not!1
FB_NO_SCRIP_NEEDEDPhrase: no prescription needed.1.656 1.469 2.133 0.922
FB_NUMYOSpeaks of teenager.1
FB_NUMYO2Speaks of 20+ year old.1
FB_ODD_SPACED_MONEYLooks like money but has odd spacing.1
FB_ONIINEMis-spelled online1
FB_P1LLPhrase: p1ll1
FB_PENIS_GROWTHPhrase: penis growth1
FB_PIPEDOLLARPhrase: Dollar, with pipes or 0's.1
FB_PIPE_ILLIONLooks like illion, but it's not1
FB_PROLONGED_HARDTalks about prolonged hardness1
FB_QUALITY_REPLICAPhrase: quality replica3.313 3.149 2.005 2.308
FB_REF_CODE_SPACERefcode with spacing1
FB_REPLICA_ROLEXPhrase: Replica Rolex1.674 0.710 1.115 3.175
FB_REPLIC_CAPPhrase: REPLICA1
FB_RE_FILooks like refi.1
FB_ROLLER_IS_TPhrase: Roller is th1
FB_ROLXPhrase: rolx1
FB_SAVE_PERSCPhrase: save ... prescription.2.799 0.367 1.864 1.492
FB_SOFTTABSPhrase: Softabs2.887 3.174 3.378 1.584
FB_SPACED_FREEPhrase: F R E E2.499 2.499 2.203 0.395
FB_SPACED_PHN_3BPhone number with -- spacing. (B)0.001
FB_SPACEY_ZIPLooks like a s p a c e d zipcode.1
FB_SPUR_MPhrase: SPUR-M1
FB_SSEXPhrase: ssex1
FB_STOCK_EXPLODELooks like stocks exploding.1
FB_SYMBLOMis-spelled symbol.1
FB_THIS_ADVERTPhrase: this advertiser3.599 3.600 2.999 3.599
FB_THOUS_PERSONALPhrase: thousand personal1
FB_TO_STOP_DISTROPhrase: to stop further distribution3.399
FB_ULTRA_ALLUREPhrase: Ultra Allure2.352 1.074 2.334 0.829
FB_UNLOCK_YOUR_GPhrase: lock to your girlfriend1
FB_UNRESOLV_PROVPattern Replacement PROV_D1
FB_YOURSELF_MASTERPhrase: yourself master1
FB_YOUR_REFIPhrase: Your refi1
FH_BAD_OEV1441Bad X-Mailer version1
FH_DATE_IS_19XXThe date is not 19xx.0.000 1.598 2.373 0.277
FH_FAKE_RCVD_LINERCVD line looks faked (A)2.167 1.431 2.525 1.778
FH_FAKE_RCVD_LINE_BRCVD line looks faked (B)4.000 3.372 3.999 3.999
FH_FROMEML_NOTLDE-mail address doesn't have TLD (.com, etc.)1.708 0.180 0.975 1.082
FH_FROM_CASHFrom name has "cash"2.599 2.436 2.599 1.739
FH_FROM_GET_NAMEFrom name says Get2.699
FH_FROM_GIVEAWAYFrom name is giveaway.2.599 1.817 1.810 1.655
FH_FROM_HOODIAFrom has Hoodia!!?1
FH_HAS_XAIMCHas X-AIMC-AUTH header1.602 1.899 0.561 1.899
FH_HAS_XIDHas X-ID3.299 3.215 3.003 1.782
FH_HELO_ALMOST_IPHelo is almost an IP addr.3.699 3.268 3.457 0.688
FH_HELO_ENDS_DOTHelo ends with a dot.1
FH_HELO_EQ_610HEXHelo is 6-10 hex chr's.1
FH_HELO_EQ_CHARTERHelo is d-d-d-d charter.com0.607 0.286 0.093 2.683
FH_HELO_EQ_D_D_D_DHelo is d-d-d-d2.361 1.117 2.815 3.177
FH_HELO_GMAILSMTPFaked helo of gmail-smtp-in1
FH_HOST_EQ_DYNAMICIPHost is dynamicip2.632 2.454 3.299 3.298
FH_HOST_EQ_PACBELL_DHost is pacbell.net dsl0.001 0.927 0.559 1.703
FH_HOST_EQ_VERIZON_PHost is pool-.+verizon.net2.681 1.237 3.671 1.323
FH_HOST_IN_ADDRARPAHOST dns says "in-addr.arpa"3.199 2.933 2.452 2.157
FH_MSGID_000000Special MSGID1
FH_MSGID_01C67Special MSGID1
FH_MSGID_01C70XXXMESSAGE ID seen often!!!1
FH_MSGID_REPLACEBroken Replace Template1
FH_MSGID_XXBLAHCommon sign in msg-id's 12/21/20061
FH_MSGID_XXXMessage-Id = @xxx2.399 1.632 2.376 1.482
FH_RE_NEW_DDDSubject is Re: new \d\d\d1
FH_XMAIL_REPLACEBroken Replace Template1
FILL_THIS_FORM_LONGFill in a form with personal information3.800 3.476 2.300 3.404
FM_XMAIL_F_OUTLooks like Fake Outlook?1
FORGED_RELAY_MUA_TO_MXX-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10| 127| 169\.254| 172\.(?:1[6-9]| 2[0-9]| 3[01])| 192\.168)\.)| )[^\[]+(dollar) /1
FRT_ADOBE2ReplaceTags: Adobe0.001 1.099 0.221 0.877
FRT_APPROVReplaceTags: Approve2.499
FRT_BIGGERMEM1ReplaceTags: Bigger / Larger, Penis / Member2.523 0.146 2.372 1.758
FRT_DIPLOMAReplaceTags: Diploma0.000 1.548 0.787 1.599
FRT_DISCOUNTReplaceTags: Discount1
FRT_DOLLARReplaceTags: Dollar1
FRT_ESTABLISH2ReplaceTags: Establish (2)1
FRT_FUCK2ReplaceTags: Fuck (2)1
FRT_GUARANTEE1ReplaceTags: Guarantee (1)1
FRT_INVESTORReplaceTags: Investor1
FRT_LEVITRAReplaceTags: Levitra1
FRT_MEETINGReplaceTags: Meeting1
FRT_OFFER2ReplaceTags: Offer (2)1.681 1.109 2.048 0.926
FRT_OPPORTUN2ReplaceTags: Oppertun (2)1
FRT_PENIS1ReplaceTags: Penis2.299 2.293 1.029 0.731
FRT_PHARMACReplaceTags: Pharmac1
FRT_PRICEReplaceTags: Price0.001
FRT_REFINANCE1ReplaceTags: Refinance (1)1
FRT_ROLEXReplaceTags: Rolex2.699 2.183 1.440 2.699
FRT_SEXUALReplaceTags: Sexual1
FRT_SOMAReplaceTags: Soma0.000 3.280 2.099 2.871
FRT_SOMA2ReplaceTags: Soma (2)0.001 0.001 0.001 0.001
FRT_STRONG1ReplaceTags: Strong (1)1
FRT_STRONG2ReplaceTags: Strong (2)1
FRT_SYMBOLReplaceTags: Symbol1
FRT_TODAY2ReplaceTags: Today (2)0.480 0.693 1.988 0.905
FRT_VALIUM1ReplaceTags: Valium1
FRT_VALIUM2ReplaceTags: Valium (2)1
FRT_WEIGHT2ReplaceTags: Weight (2)1
FRT_XANAX1ReplaceTags: Xanax (1)1
FRT_XANAX2ReplaceTags: Xanax (2)1
FR_3TAG_3TAGLooks like 3 <e> small tags.1
FR_ALMOST_VIAG2Almost looks like viagra.2.299 1.594 2.299 1.531
FR_CANTSEETEXTPhrase class="cantseetext"1
FR_MIDERSign often seen in spams1
FR_TITLE_NUMSHTML Title is only numbers2.899 2.695 2.899 2.899
FSL_FAKE_GMAIL_RCVDX-Spam-Relays-External =~ /gmail-smtp-in\.l\.google\.com/3.099 2.974 1.002 2.104
FSL_FAKE_HOTMAIL_RVCDX-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/2.631 1.816 2.011 2.365
FSL_GEO_ABUSE/\/geocities\.com\/\S+(dollar) /2.699 2.699 2.313 2.167
FSL_HELO_BARE_IP_1X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i2.598 1.426 3.099 2.347
FSL_HELO_DEVICEX-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device| speedtouch)\.lan\b/i1.682 0.001 0.884 0.806
FSL_HELO_NON_FQDN_1X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i2.361 0.001 1.783 0.001
FSL_HELO_SETUPX-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i1
FSL_INTERIA_ABUSE/\/\S+\.(?:w| eu| fm)\.interia\.pl/3.899 2.664 3.080 3.106
FSL_LSPACES_ABUSE/cid\-\S+\.spaces\.live\.com/1
FSL_YG_ABUSE/\/groups\.yahoo\.com\/group\/\S+\/message\/1(dollar) /4.199
FS_ABIGGERSubject has "a bigger"1.693 1.354 2.477 1.112
FS_APPROVE_YOUSubject says approve you2.499 1.272 1.942 1.873
FS_AT_NO_COSTSubject says "At No Cost"2.499
FS_CHEAP_CAPPhrase: Cheap in Caps in Subject.1
FS_DOLLAR_BONUSSubject talks about money bonus!1
FS_EJACULAPhrase: ejaculation in subject.1
FS_ERECTIONPhrase: erection in subject.1
FS_HUGECOCKPhrase: Huge Cock1
FS_LARGE_PERCENT2Larger than 100% in subj.2.645 2.699 0.001 1.960
FS_LOW_RATESSubject says low rates1
FS_NEW_SOFT_UPLOADSubj starts with New software uploaded1
FS_NEW_XXXSubject looks like Fharmacy spams.1
FS_NO_SCRIPSubject almost says No prescription1
FS_NUDESubject says Nude2.399 1.653 1.288 1.101
FS_OBFU_PRMCYwhat could this word be?2.400 0.384 0.204 1.248
FS_PERSCRIPTIONSubject mis-spelled prescription1
FS_PHARMASUB2Looks like Phramacy subject.2.980 1.345 2.956 0.549
FS_RAMRODSubject says Ramrod1
FS_REPLICASubject says "replica"1.630 3.599 2.028 3.599
FS_REPLICAWATCHSubject says Replica watch3.237 1.715 1.733 3.015
FS_RE_APPROVPhrase: re approved1
FS_START_DOYOU2Subject starts with Do you dream,have,want,love, etc.2.799 2.799 2.799 2.800
FS_START_LOSESubject starts with Lose0.249 0.176 1.424 1.809
FS_TEEN_BADSubject says something bad about teens1
FS_TIP_DDDPhrase: subject = tip ddd1
FS_WEIGHT_LOSSSubject says Weight Loss1.894 1.541 2.501 2.036
FS_WILL_HELPSubject says will help2.599 0.893 2.484 0.734
FS_WITH_SMALLSubject says With ... small1
FUZZY_MERIDIA/<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i1
FU_COMMON_SUBS2Sub-dir seen often in spam (2).2.801 2.650 2.823 0.292
FU_ENDS_NUMS_DOTS_CLKEnds with clk/d+.d+.d+1
FU_END_ETET Phone Home?1
FU_HOODIAURL has hoodia in it.1
FU_LONG_QUERY3URL has a long file name with .aspx extension.1
FU_MIDERURL has /gal/1
FU_UKGEOCITIESURL with [a-z]{2}.geocities.com1
FU_URI_TRACKER_TURI style tracker (T)1
GEO_QUERY_STRING/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i1
HDRS_MISSPMisspaced headers1
HEADER_COUNT_SUBJECTMultiple Subject headers found1
HELO_FRIENDX-Spam-Relays-External =~ /^[^\]]+ helo=friend /i1
HELO_LH_HOMEX-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home| lan) /i0.001 2.023 0.537 1.736
HELO_LH_LDX-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i1
HELO_LOCALHOSTX-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i2.639 3.603 2.915 3.828
HELO_OEMX-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc| oem\S*) /i2.899 2.899 1.234 0.270
HK_NAME_DRUGSFrom name contains drugs4.299 0.001 3.077 0.552
HK_NAME_FREEFrom name mentions free stuff1
HK_RANDOM_ENVFROMEnvelope sender username looks random2.638 0.626 1.798 0.001
HK_SCAM_N2/\bnext of kin\b/i1
HS_BOBAX_MID_2Bobax? Message-Id: <0IX000EJXVWDA000@example.com>2.762 2.612 1.243 1.437
HS_BODY_UPLOADED_SOFTWARESomebody has uploaded some new software for you1
HS_DRUG_DOLLAR_1Contains a drug and price-like pattern.0.001
HS_DRUG_DOLLAR_2Contains a drug and price-like pattern.0.001
HS_DRUG_DOLLAR_3Contains a drug and price-like pattern.0.001
HS_GETMEOFFLinks to common unsubscribe script: 'getmeoff.php'1
HS_INDEX_PARAMLink contains a common tracker pattern.1.105 0.023 1.203 0.574
HS_MEETUP_FOR_SEXTalks about meeting up for sex.1
HS_SUBJ_NEW_SOFTWARESubject starts with 'New software uploaded by'1
HS_SUBJ_ONLINE_PHARMACEUTICALSubject contains the phrase 'Online pharmaceutical'1
HS_VPXLContains VPXL, yet the recommended dose is only 2 tablets.3.211 1.399 2.696 1.948
HTTPS_HTTP_MISMATCHeval:check_https_http_mismatch('1','10')0.557 0.000 1.778 1.989
JM_I_FEEL_LUCKY/(?:\&| \?)btnI=ec(?:(dollar) | \&)/1
JM_RCVD_QMAILV1Received =~ /by \S+ \(Qmailv1\) with ESMTP/1
KB_DATE_CONTAINS_TABDate:raw =~ /^\t/3.800 3.799 3.799 2.751
KB_RATWARE_OUTLOOK_08ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) [0-9a-f]{8}\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\./msi1
KB_RATWARE_OUTLOOK_12ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{4})[0-9a-f]{4}\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi1
KB_RATWARE_OUTLOOK_16ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{8})\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi1
KB_RATWARE_OUTLOOK_MIDALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{8})\(dollar) [0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi4.400 4.400 2.503 1.499
LIVEFILESTOREm~livefilestore.com/~3.300 2.570 3.183 0.771
LONG_TERM_PRICE/long\W+term\W+(target| projected)(\W+price)?/i0.001
LOOPHOLE_1A loop hole in the banking laws?1
LOTTO_AGENTClaims Agent1
L_SPAM_TOOL_13Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d(dollar) /0.539 0.485 0.494 1.333
MID_DEGREESMessage-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>(dollar) /1
MIME_BOUND_EQ_RELContent-Type =~ /boundary="=====================_\d+==\.REL"/s1
NULL_IN_BODYMessage has NUL (ASCII 0) byte in message0.511 0.498 2.056 1.596
RCVD_BAD_IDReceived =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\(dollar) \%&'()*:<=>?\@\[\]^\`{| }~]| ;\S)/1
RCVD_FORGED_WROTEForged 'Received' header found ('wrote:' spam)1
RCVD_FORGED_WROTE2Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s1
RCVD_IN_BRBL_LASTEXTeval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')0 1.644 0 1.449
RCVD_IN_CSSReceived via a relay in Spamhaus CSS0 1.0 0 1.0
RCVD_IN_DNSWL_HISender listed at http://www.dnswl.org/, high trust0 -5 0 -5
RCVD_IN_DNSWL_LOWSender listed at http://www.dnswl.org/, low trust0 -0.7 0 -0.7
RCVD_IN_DNSWL_MEDSender listed at http://www.dnswl.org/, medium trust0 -2.3 0 -2.3
RCVD_IN_DNSWL_NONESender listed at http://www.dnswl.org/, low trust0 -0.0001 0 -0.0001
RCVD_IN_IADB_DKIADB: Sender publishes Domain Keys record0 -0.223 0 -0.095
RCVD_IN_IADB_DOPTINIADB: All mailing list mail is confirmed opt-in0 -4 0 -4
RCVD_IN_IADB_DOPTIN_GT50IADB: Confirmed opt-in used more than 50% of the time1
RCVD_IN_IADB_DOPTIN_LT50IADB: Confirmed opt-in used less than 50% of the time0 -0.001 0 -0.001
RCVD_IN_IADB_EDDBIADB: Participates in Email Deliverability Database1
RCVD_IN_IADB_EPIAIADB: Member of Email Processing Industry Alliance1
RCVD_IN_IADB_GOODMAILIADB: Sender has been certified by GoodMail1
RCVD_IN_IADB_LISTEDParticipates in the IADB system0 -0.380 0 -0.001
RCVD_IN_IADB_LOOSEIADB: Adds relationship addrs w/out opt-in1
RCVD_IN_IADB_MI_CPEARIADB: Complies with Michigan's CPEAR law1
RCVD_IN_IADB_MI_CPR_30IADB: Checked lists against Michigan's CPR within 30 days1
RCVD_IN_IADB_MI_CPR_MATIADB: Sends no material under Michigan's CPR0 -0.332 0 -0.000
RCVD_IN_IADB_ML_DOPTINIADB: Mailing list email only, confirmed opt-in0 -6 0 -6
RCVD_IN_IADB_NOCONTROLIADB: Has absolutely no mailing controls in place1
RCVD_IN_IADB_OOOIADB: One-to-one/transactional email only1
RCVD_IN_IADB_OPTINIADB: All mailing list mail is opt-in0 -2.057 0 -1.470
RCVD_IN_IADB_OPTIN_GT50IADB: Opt-in used more than 50% of the time0 -1.208 0 -0.007
RCVD_IN_IADB_OPTIN_LT50IADB: Opt-in used less than 50% of the time1
RCVD_IN_IADB_OPTOUTONLYIADB: Scrapes addresses, pure opt-out only1
RCVD_IN_IADB_RDNSIADB: Sender has reverse DNS record0 -0.167 0 -0.235
RCVD_IN_IADB_SENDERIDIADB: Sender publishes Sender ID record0 -0.001 0 -0.001
RCVD_IN_IADB_SPFIADB: Sender publishes SPF record0 -0.001 0 -0.059
RCVD_IN_IADB_UNVERIFIED_1IADB: Accepts unverified sign-ups1
RCVD_IN_IADB_UNVERIFIED_2IADB: Accepts unverified sign-ups, gives chance to opt out1
RCVD_IN_IADB_UT_CPEARIADB: Complies with Utah's CPEAR law1
RCVD_IN_IADB_UT_CPR_30IADB: Checked lists against Utah's CPR within 30 days1
RCVD_IN_IADB_UT_CPR_MATIADB: Sends no material under Utah's CPR0 -0.095 0 -0.001
RCVD_IN_PSBLReceived via a relay in PSBL0 2.700 0 2.700
RCVD_IN_RP_CERTIFIEDSender is in Return Path Certified (trusted relay)0.0 -3.0 0.0 -3.0
RCVD_IN_RP_RNBLRelay in RNBL, https://senderscore.org/blacklistlookup/0 1.284 0 1.310
RCVD_IN_RP_SAFESender is in Return Path Safe (trusted relay)0.0 -2.0 0.0 -2.0
RCVD_MAIL_COMForged Received header (contains post.com or mail.com)1
RDNS_LOCALHOSTSender's public rDNS is "localhost"3.700 0.969 2.345 0.001
SANE_04e8bf28eb445199a7f11b943c44d209Email.Spam.Gen3177.Sanesecurity.080516111.712 3.185 2.654 1.337
SANE_1c4f3286fa4aed6424ced88bfaf8b09cEmail.Spam.Gen3234.Sanesecurity.080523093.199 2.040 3.199 1.502
SANE_2b173a7fb7518c75ac8a2d294d773fd8Email.Spam.Sanesecurity.Url_24962.976 1.117 1.951 0.942
SANE_3b92eda751c992f230f215fb7eb36844Email.Spam.Gen158.Sanesecurity.070127000.001 0.626 0.585 3.040
SANE_4ef8302546bf270a19baf98508afacc4Email.Spam.Gen1941.Sanesecurity.071125192.231 3.464 2.266 3.543
SANE_7429530a7398f43f1f1b795f9420714eEmail.Spam.Gen2507.Sanesecurity.080213033.999 1.655 2.776 1.479
SANE_91eb43f705d25c804374a746d7519660Email.Malware.Sanesecurity.070113003.099 2.803 2.746 1.572
SANE_d0d2b0f6373bf91253d66dd74c594b87Email.Spam.Sanesecurity.Url_24993.799 2.040 2.710 1.494
SHORT_TERM_PRICE/short\W+term\W+(target| projected)(\W+price)?/i0.001
STOX_REPLY_TYPEContent-Type =~ /text\/plain; .* reply-type=original/1.898 0.212 0.141 0.439
TAB_IN_FROMFrom starts with a tab1
THEBAT_UNREGX-Mailer =~ /^The Bat! .{0,20} UNREG(dollar) /2.599 1.843 2.324 1.524
TT_MSGID_TRUNCScora: Message-Id ends after left-bracket + digits0.748 0.023 1.434 1.448
TVD_ACT_193/\bact of (?:193| nineteen thirty)/i1
TVD_APPROVED/you.{1,2}re .{0,20}approved/i2.356 2.599 2.599 2.090
TVD_DEAR_HOMEOWNER/^dear homeowner/i1
TVD_ENVFROM_APOSTEnvelopeFrom =~ /\'/1
TVD_FINGER_02Content-Type =~ /^text\/plain(?:; (?:format=flowed| charset="Windows-1252"| reply-type=original)){3}/i0.001 1.544 1.394 1.215
TVD_FLOAT_GENERAL/\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i1
TVD_FUZZY_DEGREE/<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i1
TVD_FUZZY_FINANCE/(?!finance)<F><I><N><A><N><C><E>/i1
TVD_FUZZY_FIXED_RATE/<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i1
TVD_FUZZY_MICROCAP/<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i1
TVD_FUZZY_PHARMACEUTICAL/<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i1
TVD_FUZZY_SYMBOL/<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i1
TVD_INCREASE_SIZE/\bsize of .{1,20}(?:penis| dick| manhood)/i1.529 0.601 1.055 0.001
TVD_LINK_SAVE/\blink to save\b/i1
TVD_PCT_OFFSubject =~ /(?:Jan| Feb| Mar| Apr| May| Jun| Jul| Aug| Sep| Oct| Nov| Dec)\S* \d+% OFF/1
TVD_PH_BODY_ACCOUNTS_PRE/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*| suspen[a-z]+| notif(?:y| ication)| updated| verifications?| credited)\b/i1.201 1.527 1.327 2.393
TVD_PH_RECMessage has a phrase standard for phishing mails3.127 2.026 3.266 1.784
TVD_PH_SECMessage has a phrase standard for phishing mails0.291 1.498 0.869 1.764
TVD_PH_SUBJ_ACCOUNTS_POSTSubject =~ /\b(?:(?:re-?)?activat[a-z]*| secure| verify| restore| flagged| limited| unusual| update| report| notif(?:y| ication)| suspen(?:d| ded| sion)| co(?:n| m)firm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i2.602 2.607 2.497 3.099
TVD_PH_SUBJ_SEC_MEASURESSubject =~ /\bsecurity (?:[a-z_,-]+ )*?measures?\b/i2.284 1.522 1.675 1.145
TVD_PH_SUBJ_URGENTSubject =~ /^urgent(?:[\s\W]*(dollar) | .{1,40}(?:alert| response| assistance| proposal| reply| warning| noti(?:ce| fication)| greeting| matter))/i1.251 2.326 2.255 2.800
TVD_QUAL_MEDS/\bquality med(?:ication)?s\b/i2.697 2.397 2.799 2.483
TVD_RATWARE_CBContent-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i1
TVD_RATWARE_CB_2Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/1
TVD_RATWARE_MSGID_02Message-ID =~ /^[^<]*<[a-z]+\@/1
TVD_RCVD_IPReceived =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/0.001 0.054 0.001 0.695
TVD_RCVD_IP4Received =~ /^from\s+(?:\d+\.){3}\d+\s/0.159 1.495 0.674 1.596
TVD_RCVD_SINGLEReceived =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/0.242 1.213 0.001 2.172
TVD_RCVD_SPACE_BRACKETReceived =~ /\(\[(?!UNIX:)[^\[\]]*\s/0.001 0.001 0.001 0.001
TVD_SECTION/\bSection (?:27A| 21B)/i1
TVD_SILLY_URI_OBFUm!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s| (dollar) )!i1
TVD_SPACED_SUBJECT_WORD3Subject =~ /^(?:(?:Re| Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+(dollar) /1
TVD_STOCK1eval:check_stock_info('2')1
TVD_SUBJ_ACC_NUMSubject has spammy looking monetary reference0.001 2.199 2.199 2.198
TVD_SUBJ_FINGER_03Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*(dollar) /1
TVD_SUBJ_OWESubject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe| indebted)\s+(?:\w+\s+)+an\s*other/i1
TVD_SUBJ_WIPE_DEBTSubject =~ /(?:wipe out| remove| get (?:rid| out) of| eradicate) .{0,20}(?:owe| debt| obligation)/i2.599 2.291 2.599 1.004
TVD_VISIT_PHARMA/Online Ph.rmacy/i1.957 1.196 0.417 1.406
TVD_VIS_HIDDEN/<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i1
URIBL_RHS_DOBContains an URI of a new domain (Day Old Bread)0 0.276 0 1.514
URI_OBFU_WWWObfuscated URI3.099 3.099 2.306 2.475
X_MAILER_CME_6543_MSNX-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*(dollar) /2.886 2.004 3.002 3.348
  • No labels