Rule |
Description | |
|---|---|---|
| DC_IMAGE001_GIF | Contains image named image001.gif | |
| DC_GIF_264_127 | Found 264x127 pixel gif, possible pillz | |
| DC_IMG_HTML_RATIO | Low rawbody to pixel area ratio | |
| DC_IMG_TEXT_RATIO | Low body to pixel area ratio | |
| DC_GIF_UNO_LARGO | Message contains a single large inline gif | |
| DC_GIF_MULTI_LARGO | Message has 2+ inline gif covering lots of area | |
| DC_PNG_UNO_LARGO | Message contains a single large inline gif | |
| DC_PNG_MULTI_LARGO | Message has 2+ inline png covering lots of area | |
| DC_IMAGE_SPAM_TEXT | Possible Image-only spam with little text | |
| DC_IMAGE_SPAM_HTML | Possible Image-only spam | |
| SERRA_STOCK | Stock Scams 1 | |
| SERRA_STOCK2 | Stock Alert misspelled | |
| SERRA_STOCK3 | Stock momentum. | |
| SERRA_STOCK4 | Penny Stocks Alert. | |
| SERRA_STOCK5 | STR ONG BUY misspelling | |
| SERRA_STOCK6 | Fellow Investor | |
| SERRA_STOCK7 | Ticker | |
| SERRA_STOCK8 | WATCH THIS STOCK GO HIGHER | |
| SERRA_STOCK9 | Favorite Pick | |
| SERRA_STOCK10 | This is a paid advertisement | |
| SERRA_STOCK11 | IMMEDIATE BUY | |
| SERRA_STOCK12 | IN VESTORS WATCH OUT | |
| SERRA_STOCK13 | IN VESTORS WATCH OUT | |
| SERRA_STOCK14 | HIS ONE IS SET TO POST HUGE GAINS | |
| SERRA_STOCK15 | st0ck | |
| SERRA_STOCK16 | atonoffshore\\.com | |
| SERRA_STOCK17 | GO CYHD NOW | |
| SERRA_STOCK18 | Tex-Homa | |
| SERRA_STOCK19 | TXHE\\.PK | |
| SERRA_STOCK20 | PINK SHEETS | |
| SERRA_STOCK21 | GAINING MOMENTUM | |
| SERRA_STOCK22 | Reference price | |
| SERRA_STOCK23 | Essential letter\\. You should to read\\. | |
| SERRA_STOCK24 | Serious letter\\. You should to read\\. | |
| SERRA_STOCK25 | Texhoma | |
| SERRA_STOCK26 | Essential letter\\. You should to read\\. | |
| SERRA_STOCK27 | Essential letter\\. You should to read\\. | |
| SERRA_STOCK28 | note. You must to read | |
| SERRA_STOCK29 | AUNI | |
| SERRA_STOCK30 | P-R-O-F-I-T | |
| SERRA_STOCK31 | EGLY | |
| SERRA_STOCK32 | third quarter numbers to be out soon | |
| SERRA_STOCK33 | Call your broker now | |
| SERRA_STOCK34 | Insiders accumulating | |
| SERRA_STOCK35 | EGLY is the great deal | |
| SERRA_STOCK36 | T E R X.OB | |
| SERRA_STOCK37 | T E R X.OB | |
| SERRA_STOCK38 | R R E F | |
| SERRA_STOCK39 | Big investors are in the game already | |
| SERRA_STOCK40 | Company: Red Reef Labratories | |
| SERRA_STOCK41 | Buy Low & Sell High | |
| SERRA_STOCK42 | Stocks Quotes in attachement | |
| SERRA_FINANCE | Asking me to refinance | |
| SERRA_FINANCE2 | We were able to view your credit report | |
| SERRA_FINANCE3 | Recommendation: S T R 0 N G - B U Y !! | |
| SERRA_FINANCE4 | Recommendation: S T R 0 N G - B U Y !! | |
| SERRA_FINANCE5 | INVEST ORS WATCH OU | |
| SERRA_FINANCE6 | INVEST ORS WATCH OU | |
| SERRA_FINANCE7 | CENTRAL BANK OF NIGERIA | |
| SERRA_FINANCE8 | refinance | |
| SERRA_FINANCE9 | rock-bottom rate | |
| SERRA_FINANCE10 | Approval process will only take | |
| SERRA_FINANCE11 | Lender Focus Group | |
| SERRA_FINANCE12 | triple in a matter of days | |
| SERRA_FINANCE13 | The time to get in is now | |
| SERRA_FINANCE14 | ePassporte Information | |
| SERRA_FINANCE15 | AUNI | |
| SERRA_FINANCE16 | The big announcement | |
| SERRA_FINANCE17 | Watch AUNI soar | |
| SERRA_FINANCE18 | The earning opportunities | |
| SERRA_FINANCE19 | The earning opportunities | |
| SERRA_FINANCE20 | The promotion will be continued till the end of this week | |
| SERRA_FINANCE21 | make the price Explode | |
| SERRA_FINANCE22 | It will SOAR up next days | |
| SERRA_FINANCE23 | big traders are turning to | |
| SERRA_FINANCE24 | quadrupling of share price | |
| SERRA_FINANCE25 | MARKETWIRE | |
| SERRA_FINANCE26 | ePassporte Information | |
| SERRA_FINANCE27 | Symbol: | |
| SERRA_FINANCE28 | We can see this going well over | |
| SERRA_FINANCE29 | will be releasing big news tomorrow | |
| SERRA_FINANCE30 | We suggest you to buy today | |
| SERRA_FINANCE31 | this great stock opportunity | |
| SERRA_FINANCE32 | Rocket stock pick | |
| SERRA_FINANCE33 | Quantum Energy INC | |
| SERRA_FINANCE34 | up through the roof | |
| SERRA_FINANCE35 | up through the roof | |
| SERRA_FINANCE36 | ock your refinance | |
| SERRA_FINANCE37 | grayson1115031220 | |
| SERRA_FINANCE38 | within 24 hours | |
| SERRA_FINANCE39 | 312.683.5160 | |
| SERRA_FINANCE40 | DebtFree Immediately | |
| SERRA_FINANCE41 | fully Eradicate all of my | |
| SERRA_FINANCE42 | Loan Approval Department | |
| SERRA_FINANCE43 | Your loan has been approved. | |
| SERRA_HARDNESS | increased hardness | |
| SERRA_HARDNESS2 | Impress your girl | |
| SERRA_HARDNESS3 | erectoin | |
| SERRA_HARDNESS5 | C1al1s S0ft | |
| SERRA_HARDNESS6 | wantd to share this w\\/you | |
| SERRA_HARDNESS7 | bettyeropolncom | |
| SERRA_HARDNESS8 | Make your wife happy! | |
| SERRA_PHIT | back into sh ape | |
| SERRA_PHIT2 | obesity kiIIs | |
| SERRA_PHIT5 | thin-ner | |
| SERRA_PHIT6 | thin-ner | |
| SERRA_PHIT7 | nat+ural | |
| SERRA_PHIT8 | Ana*trim | |
| SERRA_PHIT10 | 0be\\/sity | |
| SERRA_PHIT11 | www\\.cotanos\\.com | |
| SERRA_MEDS1 | Your meds refill expires soon | |
| SERRA_MEDS2 | refill | |
| SERRA_MEDS3 | get medications | |
| SERRA_MEDS4 | Please do not hesitate as quanities are limited | |
| SERRA_MEDS5 | Weight Loss Breakthrough | |
| SERRA_MEDS6 | Weight Loss Breakthrough | |
| SERRA_MEDS7 | we lcome to the best pharmacyh | |
| SERRA_MEDS8 | Visit our new online pharmacy store | |
| SERRA_MEDS9 | pi lls | |
| SERRA_MEDS10 | get licensed medications | |
| SERRA_MEDS11 | dawproperty | |
| SERRA_MEDS12 | And get medications that you need instantly | |
| SERRA_WATCHADD | replicas in watch ads | |
| SERRA_WATCHADD2 | replicas in watch ads | |
| SERRA_SITES1 | www\\.singlesdogs\\.com | |
| SERRA_DEGREE | masters degree | |
| SERRA_DEGREE2 | Learn in your own home | |
| SERRA_DEGREE3 | home degree program | |
| SERRA_DEGREE4 | fully qualified degree | |
| SERRA_DEGREE4 | Internet Admissions Office | |
| SERRA_DEGREE5 | Evil phone number | |
| SERRA_DEGREE6 | Special Enrollment | |
| SERRA_DEGREE7 | Attention Potential Candidate | |
| SERRA_DEGREE8 | This Special Enrollment Ends Soon | |
| SERRA_DEGREE9 | 1 (310) 281 - 6248 | |
| SERRA_DEGREE10 | DIPLOOMA | |
| SERRA_DEGREE11 | Internet Admissions Office | |
| SERRA_DEGREE11 | Education awarded on life and past work experience | |
| SERRA_PHAT | South Africa\'s Kalahari Desert | |
| SERRA_PHAT2 | weigt formula | |
| SERRA_PHAT3 | adict | |
| SERRA_PHAT4 | Unhappy with the way you look | |
| SERRA_PHAT5 | Hoodia | |
| SERRA_PHAT6 | Oprah | |
| SERRA_PHAT7 | The newest and most exciting fat loss product available | |
| SERRA_PHAT8 | Have a look at what people say | |
| SERRA_EVIL_SUBJECT1 | Re: Fr\\.iendship | |
| SERRA_SCAM_NAME | Mohammad Messkoob | |
| SERRA_SCAM_NAME2 | Yukos Oil Company | |
| SERRA_GAMBLE1 | See you soon on our tables | |
| SERRA_HTML_MOSTLY | Multipart message mostly text/html MIME | |
| SERRA_HTML_ONLY | Message only has text/html MIME parts | |
| SERRA_HTML_MOSTLY | Message only has text/html MIME parts | |
| INLINE_IMAGE | Inline Images | |
| SERRA_GIF_STOX1 | Inline Gif with little HTML | |
| SERRA_GIF_STOX2 | Inline Gif with little HTML | |
| SERRA_GIF_STOX3 | Inline Gif with little HTML | |
| ADVANCE_FEE_1 | Appears to be advance fee fraud (Nigerian 419) | |
| ADVANCE_FEE_2 | Appears to be advance fee fraud (Nigerian 419) | |
| ADVANCE_FEE_3 | Appears to be advance fee fraud (Nigerian 419) | |
| ADVANCE_FEE_4 | Appears to be advance fee fraud (Nigerian 419) | |
| GTUBE | Generic Test for Unsolicited Bulk Email | |
| TRACKER_ID | Incorporates a tracking ID number | |
| WEIRD_QUOTING | Weird repeated double-quotation marks | |
| __MIME_BASE64 | Includes a base64 attachment | |
| __MIME_QP | Includes a quoted-printable attachment | |
| MIME_BASE64_BLANKS | Extra blank lines in base64 encoding | |
| MIME_BASE64_NO_NAME | base64 attachment does not have a file name | |
| MIME_BASE64_TEXT | Message text disguised using base64 encoding | |
| MIME_MISSING_BOUNDARY | MIME section missing boundary | |
| MISSING_MIME_HB_SEP | Missing blank line between MIME header and body | |
| MIME_HTML_MOSTLY | Multipart message mostly text/html MIME | |
| MIME_HTML_ONLY | Message only has text/html MIME parts | |
| MIME_HTML_ONLY_MULTI | Multipart message only has text/html MIME parts | |
| MIME_QP_LONG_LINE | Quoted-printable line longer than 76 chars | |
| MIME_CHARSET_FARAWAY | MIME character set indicates foreign language | |
| MPART_ALT_DIFF | HTML and text parts are different | |
| MPART_ALT_DIFF_COUNT | HTML and text parts are different | |
| MIME_BAD_ISO_CHARSET | MIME character set is an unknown ISO charset | |
| CHARSET_FARAWAY | Character set indicates a foreign language | |
| EMAIL_ROT13 | Body contains a ROT13-encoded email address | |
| BLANK_LINES_70_80 | Message body has 70-80% blank lines | |
| BLANK_LINES_80_90 | Message body has 80-90% blank lines | |
| BLANK_LINES_90_100 | Message body has 90-100% blank lines | |
| UNIQUE_WORDS | Message body has many words used only once | |
| DOMAIN_RATIO | Message body mentions many internet domains | |
| LONGWORDS | Long string of long words | |
| HTTPS_IP_MISMATCH | IP to HTTPS link found in HTML | |
| INTERRUPTUS | Message looks to contain HTML-interrupted text | |
| ALL_TRUSTED | Passed through trusted hosts only via SMTP | |
| NO_RELAYS | Informational: message was not relayed via SMTP | |
| NO_RECEIVED | Informational: message has no Received headers | |
| __RCVD_IN_NJABL | Received via a relay in combined.njabl.org | |
| RCVD_IN_NJABL_RELAY | NJABL: sender is confirmed open relay | |
| RCVD_IN_NJABL_DUL | NJABL: dialup sender did non-local SMTP | |
| RCVD_IN_NJABL_SPAM | NJABL: sender is confirmed spam source | |
| RCVD_IN_NJABL_MULTI | NJABL: sent through multi-stage open relay | |
| RCVD_IN_NJABL_CGI | NJABL: sender is an open formmail | |
| RCVD_IN_NJABL_PROXY | NJABL: sender is an open proxy | |
| __RCVD_IN_SORBS | SORBS: sender is listed in SORBS | |
| RCVD_IN_SORBS_HTTP | SORBS: sender is open HTTP proxy server | |
| RCVD_IN_SORBS_SOCKS | SORBS: sender is open SOCKS proxy server | |
| RCVD_IN_SORBS_MISC | SORBS: sender is open proxy server | |
| RCVD_IN_SORBS_SMTP | SORBS: sender is open SMTP relay | |
| RCVD_IN_SORBS_WEB | SORBS: sender is a abuseable web server | |
| RCVD_IN_SORBS_BLOCK | SORBS: sender demands to never be tested | |
| RCVD_IN_SORBS_ZOMBIE | SORBS: sender is on a hijacked network | |
| RCVD_IN_SORBS_DUL | SORBS: sent directly from dynamic IP address | |
| __RCVD_IN_SBL_XBL | Received via a relay in Spamhaus SBL+XBL | |
| RCVD_IN_SBL | Received via a relay in Spamhaus SBL | |
| RCVD_IN_XBL | Received via a relay in Spamhaus XBL | |
| DNS_FROM_RFC_DSN | Envelope sender in dsn.rfc-ignorant.org | |
| DNS_FROM_RFC_POST | Envelope sender in postmaster.rfc-ignorant.org | |
| DNS_FROM_RFC_ABUSE | Envelope sender in abuse.rfc-ignorant.org | |
| DNS_FROM_RFC_WHOIS | Envelope sender in whois.rfc-ignorant.org | |
| DNS_FROM_RFC_BOGUSMX | Envelope sender in bogusmx.rfc-ignorant.org | |
| RCVD_IN_WHOIS_BOGONS | CompleteWhois: sender on bogons IP block | |
| RCVD_IN_WHOIS_HIJACKED | CompleteWhois: sender on hijacked IP block | |
| RCVD_IN_WHOIS_INVALID | CompleteWhois: sender on invalid IP block | |
| RCVD_IN_DSBL | Received via a relay in list.dsbl.org | |
| DNS_FROM_AHBL_RHSBL | From: sender listed in dnsbl.ahbl.org | |
| DNS_FROM_SECURITYSAGE | Envelope sender in blackholes.securitysage.com | |
| RCVD_IN_BL_SPAMCOP_NET | Received via a relay in bl.spamcop.net | |
| RCVD_IN_MAPS_RBL | Relay in RBL, http://www.mail-abuse.org/rbl/ | |
| RCVD_IN_MAPS_DUL | Relay in DUL, http://www.mail-abuse.org/dul/ | |
| RCVD_IN_MAPS_RSS | Relay in RSS, http://www.mail-abuse.org/rss/ | |
| RCVD_IN_MAPS_NML | Relay in NML, http://www.mail-abuse.org/nml/ | |
| RCVD_IN_BSP_TRUSTED | Sender is in Bonded Sender Program (trusted relay) | |
| RCVD_IN_BSP_OTHER | Sender is in Bonded Sender Program (other relay) | |
| RCVD_IN_IADB_VOUCHED | ISIPP IADB lists as vouched-for sender | |
| HABEAS_ACCREDITED_COI | Habeas Accredited Confirmed Opt-In or Better | |
| HABEAS_ACCREDITED_SOI | Habeas Accredited Opt-In or Better | |
| HABEAS_CHECKED | Habeas Checked | |
| SUBJECT_DRUG_GAP_C | Subject contains a gappy version of \'cialis\' | |
| SUBJECT_DRUG_GAP_L | Subject contains a gappy version of \'levitra\' | |
| SUBJECT_DRUG_GAP_P | Subject contains a gappy version of \'phentermine\' | |
| SUBJECT_DRUG_GAP_S | Subject contains a gappy version of \'soma\' | |
| SUBJECT_DRUG_GAP_VA | Subject contains a gappy version of \'valium\' | |
| SUBJECT_DRUG_GAP_VIC | Subject contains a gappy version of \'vicodin\' | |
| SUBJECT_DRUG_GAP_X | Subject contains a gappy version of \'xanax\' | |
| DRUG_DOSAGE | Talks about price per dose | |
| DRUG_ED_CAPS | Mentions an E.D. drug | |
| DRUG_ED_COMBO | Viagra and other drugs | |
| DRUG_ED_SILD | Talks about an E.D. drug using its chemical name | |
| DRUG_ED_GENERIC | Mentions Generic Viagra | |
| DRUG_ED_ONLINE | Fast Viagra Delivery | |
| DEEP_DISC_MEDS | Deep discount medications | |
| ONLINE_PHARMACY | Online Pharmacy | |
| NO_PRESCRIPTION | No prescription needed | |
| VIA_GAP_GRA | Attempts to disguise the word \'viagra\' | |
| DRUGS_ERECTILE | Refers to an erectile drug | |
| DRUGS_ERECTILE_OBFU | Obfuscated reference to an erectile drug | |
| DRUGS_DIET | Refers to a diet drug | |
| DRUGS_DIET_OBFU | Obfuscated reference to a diet drug | |
| DRUGS_PAIN | Refers to a pain relief drug | |
| DRUGS_PAIN_OBFU | Obfuscated reference to a pain relief drug | |
| DRUGS_SLEEP | Refers to a sleep aid drug | |
| DRUGS_MUSCLE | Refers to a muscle relaxant | |
| DRUGS_ANXIETY | Refers to an anxiety control drug | |
| DRUGS_ANXIETY_OBFU | Obfuscated reference to an anxiety control drug | |
| DRUGS_SMEAR1 | Two or more drugs crammed together into one word | |
| DRUGS_ANXIETY_EREC | Refers to both an erectile and an anxiety drug | |
| DRUGS_SLEEP_EREC | Refers to both an erectile and a sleep aid drug | |
| DRUGS_MANYKINDS | Refers to at least four kinds of drugs | |
| FAKE_HELO_MSN | Host HELO did not match rDNS: msn.com | |
| FAKE_HELO_MAIL_COM | Host HELO did not match rDNS: mail.com | |
| FAKE_HELO_EMAIL_COM | Host HELO did not match rDNS: email.com | |
| FAKE_HELO_EUDORAMAIL | Host HELO did not match rDNS: eudoramail.com | |
| FAKE_HELO_EXCITE | Host HELO did not match rDNS: excite.com | |
| FAKE_HELO_LYCOS | Host HELO did not match rDNS: lycos.com | |
| FAKE_HELO_YAHOO_CA | Host HELO did not match rDNS: yahoo.ca | |
| FAKE_HELO_MAIL_COM_DOM | Relay HELO\'d with suspicious hostname (mail.com) | |
| HELO_DYNAMIC_IPADDR | Relay HELO\'d using suspicious hostname (IP addr 1) | |
| HELO_DYNAMIC_DHCP | Relay HELO\'d using suspicious hostname (DHCP) | |
| HELO_DYNAMIC_HCC | Relay HELO\'d using suspicious hostname (HCC) | |
| HELO_DYNAMIC_ATTBI | Relay HELO\'d using suspicious hostname (ATTBI.com) | |
| HELO_DYNAMIC_ROGERS | Relay HELO\'d using suspicious hostname (Rogers) | |
| HELO_DYNAMIC_ADELPHIA | Relay HELO\'d using suspicious hostname (Adelphia) | |
| HELO_DYNAMIC_DIALIN | Relay HELO\'d using suspicious hostname (T-Dialin) | |
| HELO_DYNAMIC_HEXIP | Relay HELO\'d using suspicious hostname (Hex IP) | |
| HELO_DYNAMIC_SPLIT_IP | Relay HELO\'d using suspicious hostname (Split IP) | |
| HELO_DYNAMIC_YAHOOBB | Relay HELO\'d using suspicious hostname (YahooBB) | |
| HELO_DYNAMIC_OOL | Relay HELO\'d using suspicious hostname (OptOnline) | |
| HELO_DYNAMIC_IPADDR2 | Relay HELO\'d using suspicious hostname (IP addr 2) | |
| HELO_DYNAMIC_RR2 | Relay HELO\'d using suspicious hostname (RR 2) | |
| HELO_DYNAMIC_COMCAST | Relay HELO\'d using suspicious hostname (Comcast) | |
| HELO_DYNAMIC_TELIA | Relay HELO\'d using suspicious hostname (Telia) | |
| HELO_DYNAMIC_VTR | Relay HELO\'d using suspicious hostname (VTR) | |
| HELO_DYNAMIC_CHELLO_NO | Relay HELO\'d using suspicious hostname (Chello.no) | |
| HELO_DYNAMIC_CHELLO_NL | Relay HELO\'d using suspicious hostname (Chello.nl) | |
| HELO_DYNAMIC_VELOX | Relay HELO\'d using suspicious hostname (Veloxzone) | |
| HELO_DYNAMIC_NTL | Relay HELO\'d using suspicious hostname (NTL) | |
| HELO_DYNAMIC_HOME_NL | Relay HELO\'d using suspicious hostname (Home.nl) | |
| HEAD_LONG | Message headers are very long | |
| FRAGMENTED_MESSAGE | Partial message | |
| MISSING_HB_SEP | Missing blank line between message header and body | |
| UNPARSEABLE_RELAY | Informational: message has unparseable relay lines | |
| NO_REAL_NAME | From: does not include a real name | |
| FROM_BLANK_NAME | From: contains empty name | |
| FROM_ENDS_IN_NUMS | From: ends in many numbers | |
| FROM_STARTS_WITH_NUMS | From: starts with many numbers | |
| FROM_HAS_MIXED_NUMS | From: contains numbers mixed in with letters | |
| FROM_HAS_ULINE_NUMS | From: contains an underline and numbers/letters | |
| FROM_ALL_NUMS | From numeric address (except US/Canada phones) | |
| ADDR_NUMS_AT_BIGSITE | Has an address with lots of numbers at a big ISP | |
| FROM_OFFERS | From address is \"at something-offers\" | |
| FROM_NO_USER | From: has no local-part before @ sign | |
| TO_NO_USER | To: has no local-part before @ sign | |
| TO_EMPTY | To: is empty | |
| REPLY_TO_EMPTY | Reply-To: is empty | |
| TO_ADDRESS_EQ_REAL | To: repeats address as real name | |
| UNDISC_RECIPS | Valid-looking To \"undisclosed-recipients\" | |
| FAKED_UNDISC_RECIPS | Faked To \"Undisclosed-Recipients\" | |
| PLING_QUERY | Subject has exclamation mark and question mark | |
| SUBJ_HAS_UNIQ_ID | Subject contains a unique ID | |
| SUBJ_HAS_SPACES | Subject contains lots of white space | |
| SUBJ_ALL_CAPS | Subject is all capitals | |
| MSGID_SPAM_99X9XX99 | Spam tool Message-Id: (99x9xx99 variant) | |
| MSGID_SPAM_ALPHA_NUM | Spam tool Message-Id: (alpha-numeric variant) | |
| MSGID_SPAM_CAPS | Spam tool Message-Id: (caps variant) | |
| MSGID_SPAM_LETTERS | Spam tool Message-Id: (letters variant) | |
| MSGID_SPAM_ZEROES | Spam tool Message-Id: (12-zeroes variant) | |
| MSGID_NO_HOST | Message-Id has no hostname | |
| MSGID_OUTLOOK_INVALID | Message-Id is fake (in Outlook Express format) | |
| MSGID_DOLLARS | Message-Id has pattern used in spam | |
| MSGID_RANDY | Message-Id has pattern used in spam | |
| MSGID_YAHOO_CAPS | Message-ID has ALLCAPS@yahoo.com | |
| FORGED_MSGID_AOL | Message-ID is forged, (aol.com) | |
| FORGED_MSGID_EXCITE | Message-ID is forged, (excite.com) | |
| FORGED_MSGID_HOTMAIL | Message-ID is forged, (hotmail.com) | |
| FORGED_MSGID_MSN | Message-ID is forged, (msn.com) | |
| FORGED_MSGID_YAHOO | Message-ID is forged, (yahoo.com) | |
| MSGID_FROM_MTA_HEADER | Message-Id was added by a relay | |
| MSGID_FROM_MTA_ID | Message-Id for external message added locally | |
| MSGID_FROM_MTA_HOTMAIL | Message-Id was added by a hotmail.com relay | |
| MSGID_LONG | Message-ID is unusually long | |
| MSGID_SHORT | Message-ID is unusually short | |
| MSGID_MULTIPLE_AT | Message-ID contains multiple \'@\' characters | |
| DATE_SPAMWARE_Y2K | Date header uses unusual Y2K formatting | |
| INVALID_DATE | Invalid Date: header (not RFC 2822) | |
| INVALID_DATE_TZ_ABSURD | Invalid Date: header (timezone does not exist) | |
| INVALID_TZ_CST | Invalid date in header (wrong CST timezone) | |
| INVALID_TZ_EST | Invalid date in header (wrong EST timezone) | |
| INVALID_TZ_GMT | Invalid date in header (wrong GMT/UTC timezone) | |
| DATE_IN_PAST_03_06 | Date: is 3 to 6 hours before Received: date | |
| DATE_IN_PAST_06_12 | Date: is 6 to 12 hours before Received: date | |
| DATE_IN_PAST_12_24 | Date: is 12 to 24 hours before Received: date | |
| DATE_IN_PAST_24_48 | Date: is 24 to 48 hours before Received: date | |
| DATE_IN_PAST_48_96 | Date: is 48 to 96 hours before Received: date | |
| DATE_IN_PAST_96_XX | Date: is 96 hours or more before Received: date | |
| DATE_IN_FUTURE_03_06 | Date: is 3 to 6 hours after Received: date | |
| DATE_IN_FUTURE_06_12 | Date: is 6 to 12 hours after Received: date | |
| DATE_IN_FUTURE_12_24 | Date: is 12 to 24 hours after Received: date | |
| DATE_IN_FUTURE_24_48 | Date: is 24 to 48 hours after Received: date | |
| DATE_IN_FUTURE_48_96 | Date: is 48 to 96 hours after Received: date | |
| DATE_IN_FUTURE_96_XX | Date: is 96 hours or more after Received: date | |
| UNRESOLVED_TEMPLATE | Headers contain an unresolved template | |
| SUBJ_ILLEGAL_CHARS | Subject: has too many raw illegal characters | |
| FROM_ILLEGAL_CHARS | From: has too many raw illegal characters | |
| HEAD_ILLEGAL_CHARS | Headers have too many raw illegal characters | |
| SUBJECT_EXCESS_QP | Subject: quoted-printable encoded unnecessarily | |
| SUBJECT_EXCESS_BASE64 | Subject: base64 encoded encoded unnecessarily | |
| FROM_EXCESS_QP | From: quoted-printable encoded unnecessarily | |
| FROM_EXCESS_BASE64 | From: base64 encoded unnecessarily | |
| SUBJECT_ENCODED_TWICE | Subject: MIME encoded twice | |
| ENGLISH_UCE_SUBJECT | Subject contains an English UCE tag | |
| JAPANESE_UCE_SUBJECT | Subject contains a Japanese UCE tag | |
| KOREAN_UCE_SUBJECT | Subject: contains Korean unsolicited email tag | |
| FROM_AND_TO_SAME | From and To are the same, but not exactly | |
| FORGED_RCVD_HELO | Received: contains a forged HELO | |
| RCVD_HELO_IP_MISMATCH | Received: HELO and IP do not match, but should | |
| RCVD_NUMERIC_HELO | Received: contains an IP address used for HELO | |
| RCVD_ILLEGAL_IP | Received: contains illegal IP address | |
| RCVD_BY_IP | Received by mail server with no name | |
| RCVD_DOUBLE_IP_SPAM | Bulk email fingerprint (double IP) found | |
| RCVD_DOUBLE_IP_LOOSE | Received: by and from look like IP addresses | |
| FORGED_AOL_RCVD | Received forged, contains fake AOL relays | |
| FORGED_TELESP_RCVD | Contains forged hostname for a DSL IP in Brazil | |
| FORGED_HOTMAIL_RCVD | Forged hotmail.com \'Received:\' header found | |
| FORGED_HOTMAIL_RCVD2 | hotmail.com \'From\' address, but no \'Received:\' | |
| FORGED_EUDORAMAIL_RCVD | Forged eudoramail.com \'Received:\' header found | |
| FORGED_YAHOO_RCVD | \'From\' yahoo.com does not match \'Received\' headers | |
| FORGED_JUNO_RCVD | \'From\' juno.com does not match \'Received\' headers | |
| FORGED_GW05_RCVD | Forged \'by gw05\' \'Received:\' header found | |
| CONFIRMED_FORGED | Received headers are forged | |
| MULTI_FORGED | Received headers indicate multiple forgeries | |
| NONEXISTENT_CHARSET | Character set doesn\'t exist | |
| CHARSET_FARAWAY_HEADER | A foreign language charset used in headers | |
| X_PRIORITY_HIGH | Sent with \'X-Priority\' set to high | |
| X_MSMAIL_PRIORITY_HIGH | Sent with \'X-Msmail-Priority\' set to high | |
| ROUND_THE_WORLD_LOCAL | Received: says mail sent around the world (HELO) | |
| MISSING_DATE | Missing Date: header | |
| MISSING_HEADERS | Missing To: header | |
| MISSING_SUBJECT | Missing Subject: header | |
| SUSPICIOUS_RECIPS | Similar addresses in recipient list | |
| SORTED_RECIPS | Recipient list is sorted by address | |
| GAPPY_SUBJECT | Subject: contains G.a.p.p.y-T.e.x.t | |
| PREVENT_NONDELIVERY | Message has Prevent-NonDelivery-Report header | |
| X_IP | Message has X-IP header | |
| X_LIBRARY | Message has X-Library header | |
| X_MESSAGE_FLAG_ODD | Message has X-Message-flag header (odd case) | |
| MISSING_MIMEOLE | Message has X-MSMail-Priority, but no X-MimeOLE | |
| PRIORITY_NO_NAME | Message has priority, but no user agent name | |
| SUBJ_AS_SEEN | Subject contains \"As Seen\" | |
| SUBJ_DOLLARS | Subject starts with dollar amount | |
| SUBJ_FOR_ONLY | Subject contains \"For Only\" | |
| SUBJ_FREE_CAP | Subject contains \"FREE\" in CAPS | |
| SUB_FREE_OFFER | Subject starts with \"Free\" | |
| SUBJ_GUARANTEED | Subject GUARANTEED | |
| SUB_HELLO | Subject starts with \"Hello\" | |
| SUBJ_LIFE_INSURANCE | Subject includes \"life insurance\" | |
| SUBJ_YOUR_DEBT | Subject contains \"Your Bills\" or similar | |
| SUBJ_YOUR_FAMILY | Subject contains \"Your Family\" | |
| SUBJ_YOUR_OWN | Subject contains \"Your Own\" | |
| RCVD_FAKE_HELO_DOTCOM | Received contains a faked HELO hostname | |
| ADDRESS_IN_SUBJECT | To: address appears in Subject | |
| LOCALPART_IN_SUBJECT | Local part of To: address appears in Subject | |
| SUBJECT_DIET | Subject talks about losing pounds | |
| EXTRA_MPART_TYPE | Header has extraneous Content-type:...type= entry | |
| TO_RECIP_MARKER | To header contains \'recipient\' marker | |
| MIME_BOUND_DD_DIGITS | Spam tool pattern in MIME boundary | |
| MIME_BOUND_DIGITS_7 | Spam tool pattern in MIME boundary | |
| MIME_BOUND_DIGITS_15 | Spam tool pattern in MIME boundary | |
| MIME_BOUND_MANY_HEX | Spam tool pattern in MIME boundary | |
| MIME_BOUND_NEXTPART | Spam tool pattern in MIME boundary | |
| MIME_BOUND_RKFINDY | Spam tool pattern in MIME boundary (rfkindy) | |
| TO_MALFORMED | To: has a malformed address | |
| ADDR_FREE | From Address contains FREE | |
| TO_TXT | Sent to a text file | |
| CHINA_HEADER | Involves \'china.com\' | |
| MIME_HEADER_CTYPE_ONLY | \'Content-Type\' found without required MIME headers | |
| WITH_LC_SMTP | Received line contains spam-sign (lowercase smtp) | |
| FROM_NO_LOWER | From address has no lower-case characters | |
| SUBJ_BUY | Subject line starts with Buy or Buying | |
| RCVD_AM_PM | Received headers forged (AM/PM) | |
| HEADER_COUNT_CTYPE | Multiple Content-Type headers found | |
| NO_RDNS_DOTCOM_HELO | Host HELO\'d as a big ISP, but had no rDNS | |
| X_ORIG_IP_NOT_IPV4 | X-Originating-IP doesn\'t look like IPv4 address | |
| X_AUTH_WARN_FAKED | X-Authentication-Warning header looks faked | |
| FAKE_OUTBLAZE_RCVD | Received header contains faked \'mr.outblaze.com\' | |
| FROM_NONSENDING_DOMAIN | Message is from domain that never sends email | |
| SUBJ_2_NUM_PARENS | Subject contains common spam sign (2 numbers) | |
| UNCLOSED_BRACKET | Headers contain an unclosed bracket | |
| ORG_MIME_TOOLS | Organization is MIME-tools | |
| X_MIME_AUTOCONVERTED | Message has X-MIME-Autoconverted \"Yes\" header | |
| DAV_NON_HOTMAIL | Message sent using DAV, but not via Hotmail | |
| FROM_DOMAIN_NOVOWEL | From: domain has series of non-vowel letters | |
| FROM_LOCAL_NOVOWEL | From: localpart has series of non-vowel letters | |
| SUBJECT_NOVOWEL | Subject: has long non-vowel letter sequence | |
| FROM_LOCAL_HEX | From: localpart has long hexadecimal sequence | |
| FROM_LOCAL_DIGITS | From: localpart has long digit sequence | |
| X_MAILER_SPAM | X-Mailer: header is bulk email fingerprint | |
| TO_CC_NONE | No To: or Cc: header | |
| X_PRIORITY_CC | Cc: after X-Priority: (bulk email fingerprint) | |
| SUBJ_CONSONANTS | Subject contains consecutive consonants in \"word\" | |
| BAD_ENC_HEADER | Message has bad MIME encoding in the header | |
| HTML_MESSAGE | HTML included in message | |
| HTML_00_10 | Message is 0% to 10% HTML | |
| HTML_10_20 | Message is 10% to 20% HTML | |
| HTML_20_30 | Message is 20% to 30% HTML | |
| HTML_30_40 | Message is 30% to 40% HTML | |
| HTML_40_50 | Message is 40% to 50% HTML | |
| HTML_50_60 | Message is 50% to 60% HTML | |
| HTML_60_70 | Message is 60% to 70% HTML | |
| HTML_70_80 | Message is 70% to 80% HTML | |
| HTML_80_90 | Message is 80% to 90% HTML | |
| HTML_90_100 | Message is 90% to 100% HTML | |
| HTML_SHOUTING3 | HTML has very strong \"shouting\" markup | |
| HTML_SHOUTING4 | HTML has very strong \"shouting\" markup | |
| HTML_SHOUTING5 | HTML has very strong \"shouting\" markup | |
| HTML_SHOUTING6 | HTML has very strong \"shouting\" markup | |
| HTML_SHOUTING7 | HTML has very strong \"shouting\" markup | |
| HTML_TEXT_AFTER_HTML | HTML contains text after HTML close tag | |
| HTML_TEXT_AFTER_BODY | HTML contains text after BODY close tag | |
| HTML_COMMENT_SHORT | HTML comment is very short | |
| HTML_COMMENT_SAVED_URL | HTML message is a saved web page | |
| HTML_EMBEDS | HTML with embedded plugin object | |
| HTML_EVENT_UNSAFE | HTML contains unsafe auto-executing code | |
| HTML_EXTRA_CLOSE | HTML contains far too many close tags | |
| HTML_FONT_SIZE_TINY | HTML font size is tiny | |
| HTML_FONT_SIZE_NONE | HTML font size is negative | |
| HTML_FONT_SIZE_LARGE | HTML font size is large | |
| HTML_FONT_SIZE_HUGE | HTML font size is huge | |
| HTML_FONT_BIG | HTML tag for a big font size | |
| HTML_FONT_TINY | HTML tag for a tiny font size | |
| HTML_FONT_INVISIBLE | HTML font color is same as background | |
| HTML_FONT_LOW_CONTRAST | HTML font color similar to background | |
| HTML_FONT_FACE_BAD | HTML font face is not a word | |
| HTML_FONT_FACE_CAPS | HTML font face has excess capital characters | |
| HTML_FORMACTION_MAILTO | HTML includes a form which sends mail | |
| HTML_IMAGE_ONLY_04 | HTML: images with 0-400 bytes of words | |
| HTML_IMAGE_ONLY_08 | HTML: images with 400-800 bytes of words | |
| HTML_IMAGE_ONLY_12 | HTML: images with 800-1200 bytes of words | |
| HTML_IMAGE_ONLY_16 | HTML: images with 1200-1600 bytes of words | |
| HTML_IMAGE_ONLY_20 | HTML: images with 1600-2000 bytes of words | |
| HTML_IMAGE_ONLY_24 | HTML: images with 2000-2400 bytes of words | |
| HTML_IMAGE_ONLY_28 | HTML: images with 2400-2800 bytes of words | |
| HTML_IMAGE_ONLY_32 | HTML: images with 2800-3200 bytes of words | |
| HTML_IMAGE_RATIO_02 | HTML has a low ratio of text to image area | |
| HTML_IMAGE_RATIO_04 | HTML has a low ratio of text to image area | |
| HTML_IMAGE_RATIO_06 | HTML has a low ratio of text to image area | |
| HTML_IMAGE_RATIO_08 | HTML has a low ratio of text to image area | |
| HTML_LINK_PUSH_HERE | HTML link text says \"push here\" or similar | |
| HTML_LINK_OPT_OUT | HTML link text says \"opt out\" or similar | |
| HTML_OBFUSCATE_05_10 | Message is 5% to 10% HTML obfuscation | |
| HTML_OBFUSCATE_10_20 | Message is 10% to 20% HTML obfuscation | |
| HTML_OBFUSCATE_20_30 | Message is 20% to 30% HTML obfuscation | |
| HTML_OBFUSCATE_30_40 | Message is 30% to 40% HTML obfuscation | |
| HTML_OBFUSCATE_40_50 | Message is 40% to 50% HTML obfuscation | |
| HTML_OBFUSCATE_50_60 | Message is 50% to 60% HTML obfuscation | |
| HTML_OBFUSCATE_60_70 | Message is 60% to 70% HTML obfuscation | |
| HTML_OBFUSCATE_70_80 | Message is 70% to 80% HTML obfuscation | |
| HTML_OBFUSCATE_80_90 | Message is 80% to 90% HTML obfuscation | |
| HTML_OBFUSCATE_90_100 | Message is 90% to 100% HTML obfuscation | |
| HTML_BACKHAIR_2 | HTML tags used to obfuscate words | |
| HTML_BACKHAIR_4 | HTML tags used to obfuscate words | |
| HTML_BACKHAIR_8 | HTML tags used to obfuscate words | |
| HTML_ATTR_BAD | HTML has many bad attributes in tags | |
| HTML_ATTR_UNIQUE | HTML appears to have random attributes in tags | |
| HTML_TAG_BALANCE_BODY | HTML has unbalanced \"body\" tags | |
| HTML_TAG_BALANCE_HEAD | HTML has unbalanced \"head\" tags | |
| HTML_TAG_EXIST_BGSOUND | HTML has \"bgsound\" tag | |
| HTML_TAG_EXIST_MARQUEE | HTML has \"marquee\" tag | |
| HTML_TAG_EXIST_TBODY | HTML has \"tbody\" tag | |
| HTML_BADTAG_00_10 | HTML message is 0% to 10% bad tags | |
| HTML_BADTAG_10_20 | HTML message is 10% to 20% bad tags | |
| HTML_BADTAG_20_30 | HTML message is 20% to 30% bad tags | |
| HTML_BADTAG_30_40 | HTML message is 30% to 40% bad tags | |
| HTML_BADTAG_40_50 | HTML message is 40% to 50% bad tags | |
| HTML_BADTAG_50_60 | HTML message is 50% to 60% bad tags | |
| HTML_BADTAG_60_70 | HTML message is 60% to 70% bad tags | |
| HTML_BADTAG_70_80 | HTML message is 70% to 80% bad tags | |
| HTML_BADTAG_80_90 | HTML message is 80% to 90% bad tags | |
| HTML_BADTAG_90_100 | HTML message is 90% to 100% bad tags | |
| HTML_NONELEMENT_00_10 | 0% to 10% of HTML elements are non-standard | |
| HTML_NONELEMENT_10_20 | 10% to 20% of HTML elements are non-standard | |
| HTML_NONELEMENT_20_30 | 20% to 30% of HTML elements are non-standard | |
| HTML_NONELEMENT_30_40 | 30% to 40% of HTML elements are non-standard | |
| HTML_NONELEMENT_40_50 | 40% to 50% of HTML elements are non-standard | |
| HTML_NONELEMENT_50_60 | 50% to 60% of HTML elements are non-standard | |
| HTML_NONELEMENT_60_70 | 60% to 70% of HTML elements are non-standard | |
| HTML_NONELEMENT_70_80 | 70% to 80% of HTML elements are non-standard | |
| HTML_NONELEMENT_80_90 | 80% to 90% of HTML elements are non-standard | |
| HTML_NONELEMENT_90_100 | 90% to 100% of HTML elements are non-standard | |
| HTML_SHORT_LINK_IMG_1 | HTML is very short with a linked image | |
| HTML_SHORT_LINK_IMG_2 | HTML is very short with a linked image | |
| HTML_SHORT_LINK_IMG_3 | HTML is very short with a linked image | |
| HTML_SHORT_LENGTH | HTML is extremely short | |
| HTML_SHORT_COMMENT | HTML is very short with HTML comments | |
| HTML_SHORT_CENTER | HTML is very short with CENTER tag | |
| HTML_TITLE_EMPTY | HTML title contains no text | |
| HTML_TITLE_LONG | HTML title is very long | |
| HTML_TITLE_UNTITLED | HTML title contains \"Untitled\" | |
| HTML_CHARSET_FARAWAY | A foreign language charset used in HTML markup | |
| HTML_MIME_NO_HTML_TAG | HTML-only message, but there is no HTML tag | |
| HTML_MISSING_CTYPE | Message is HTML without HTML Content-Type | |
| HIDE_WIN_STATUS | Javascript to hide URLs in browser | |
| OBFUSCATING_COMMENT | HTML comments which obfuscate text | |
| JS_FROMCHARCODE | Document is built from a Javascript charcode array | |
| ENTITY_DEC_ALPHANUM | HTML contains needlessly encoded characters | |
| HTML_EHTML2 | HTML has doubled end HTML tag | |
| HTML_TINY_FONT | body contains 1 or 0-point font | |
| MANY_EXCLAMATIONS | Subject has many exclamations | |
| UPPERCASE_25_50 | message body is 25-50% uppercase | |
| UPPERCASE_50_75 | message body is 50-75% uppercase | |
| UPPERCASE_75_100 | message body is 75-100% uppercase | |
| PLING_PLING | Subject has lots of exclamation marks | |
| INVALID_MSGID | Message-Id is not valid, according to RFC 2822 | |
| FORGED_MUA_MOZILLA | Forged mail pretending to be from Mozilla | |
| PERCENT_RANDOM | Message has a random macro in it | |
| EMPTY_MESSAGE | Message appears to have no textual parts and no Subject: text | |
| DIGEST_MULTIPLE | Message hits more than one network digest check | |
| NO_DNS_FOR_FROM | Envelope sender has no MX or A DNS records | |
| ROUND_THE_WORLD | Received: says mail sent around the world (DNS) | |
| REMOVE_POSTAL | Send real mail to be unsubscribed | |
| REMOVE_BEFORE_LINK | Removal phrase right before a link | |
| CLICK_BELOW_CAPS | Asks you to click below (in capital letters) | |
| CLICK_TO_REMOVE_1 | Click to be removed | |
| SENT_IN_COMPLIANCE | Claims compliance with spam regulations | |
| BILL_1618 | Possible mention of bill 1618 (anti-spam bill) | |
| FULL_REFUND | Offers a full refund | |
| NO_COST | No such thing as a free lunch (3) | |
| GUARANTEED_100_PERCENT | One hundred percent guaranteed | |
| DEAR_FRIEND | Dear Friend? That\'s not very dear! | |
| DEAR_SOMETHING | Contains \'Dear (something)\' | |
| BILLION_DOLLARS | Talks about lots of money | |
| OPTING_OUT_CAPS | Talks about opting out (capitalized version) | |
| EXCUSE_4 | Claims you can be removed from the list | |
| EXCUSE_6 | Claims you can be removed from the list | |
| EXCUSE_10 | \"if you do not wish to receive any more\" | |
| EXCUSE_12 | Nobody\'s perfect | |
| EXCUSE_23 | Claims you have provided permission | |
| EXCUSE_24 | Claims you wanted this ad | |
| EXCUSE_REMOVE | Talks about how to be removed from mailings | |
| STRONG_BUY | Tells you about a strong buy | |
| WE_HONOR_ALL | Claims to honor removal requests | |
| STOCK_ALERT | Offers a alert about a stock | |
| MICRO_CAP_WARNING | SEC-mandated penny-stock warning | |
| NOT_ADVISOR | Not registered investment advisor | |
| SOME_BREAKTHROUGH | Describes some sort of breakthrough | |
| PREST_NON_ACCREDITED | \'Prestigious Non-Accredited Universities\' | |
| BODY_ENHANCEMENT | Information on growing body parts | |
| BODY_ENHANCEMENT2 | Information on getting larger body parts | |
| IMPOTENCE | Impotence cure | |
| MORTGAGE_BEST | Information on mortgages | |
| MORTGAGE_PITCH | Looks like mortgage pitch | |
| MORTGAGE_RATES | Information on mortgage rates | |
| MAILTO_SUBJ_REMOVE | mailto URI includes removal text | |
| NA_DOLLARS | Talks about a million North American dollars | |
| US_DOLLARS_3 | Mentions millions of $ ($NN,NNN,NNN.NN) | |
| MILLION_USD | Talks about millions of dollars | |
| FRONTPAGE | Frontpage used to create the message | |
| RESISTANCE_IS_FUTILE | Resistance to this spam is futile | |
| URG_BIZ | Contains urgent matter | |
| EARN_PER_WEEK | Contains \'earn $something per week\' | |
| ALL_NATURAL | Spam is 100% natural?! | |
| MONEY_BACK | Money back guarantee | |
| NO_OBLIGATION | There is no obligation | |
| RISK_FREE | Risk free. Suuurreeee.... | |
| AS_SEEN_ON | As seen on national TV! | |
| OFFSHORE_SCAM | Off Shore Scams | |
| WHY_PAY_MORE | Why Pay More? | |
| RECEIVE_OFFER | Receive a special offer | |
| FREE_QUOTE_INSTANT | Free express or no-obligation quote | |
| BAD_CREDIT | Eliminate Bad Credit | |
| CONSOLIDATE_DEBT | Consolidate debt, credit, or bills | |
| REFINANCE_YOUR_HOME | Home refinancing | |
| REFINANCE_NOW | Home refinancing | |
| NO_MEDICAL | No Medical Exams | |
| NO_FORMS | No Claim Forms | |
| WHY_WAIT | What are you waiting for | |
| YOU_CAN_SEARCH | You can search for anyone | |
| GUARANTEED_STUFF | Guaranteed Stuff | |
| AMAZING_STUFF | Amazing Stuff | |
| DIET_1 | Lose Weight Spam | |
| DIET_2 | Describes weight loss | |
| DIET_3 | Describes body fat loss | |
| REVERSE_AGING | Reverses Aging | |
| HAIR_LOSS | Cures Baldness | |
| WRINKLES | Removes Wrinkles | |
| WHILE_YOU_SLEEP | While you Sleep | |
| HIDDEN_CHARGES | Talks about Hidden Charges | |
| FIN_FREE | Freedom of a financial nature | |
| FORWARD_LOOKING | Stock Disclaimer Statement | |
| SATIS_GUAR | Mail guarantees satisfaction | |
| HG_HORMONE | Talks about hormones for human growth | |
| EXTRA_CASH | Offers Extra Cash | |
| GET_PAID | Get Paid | |
| ONE_TIME | One Time Rip Off | |
| COMPETE | Compete for your business | |
| MEET_SINGLES | Meet Singles | |
| JOIN_MILLIONS | Join Millions of Americans | |
| BE_BOSS | Be your own boss | |
| ML_MARKETING | Multi Level Marketing mentioned | |
| CONFIDENTIAL_ORDER | Confidentiality on all orders | |
| SAVE_THOUSANDS | Save big money | |
| MARKETING_PARTNERS | Claims you registered with a partner | |
| FREE_PREVIEW | Free Preview | |
| FREE_ACCESS | Contains \'free access\' with capitals | |
| FREE_SAMPLE | Contains \'free sample\' with capitals | |
| LOW_PRICE | Lowest Price | |
| UNCLAIMED_MONEY | People just leave money laying around | |
| OBSCURED_EMAIL | Message seems to contain rot13ed address | |
| BANG_EXERCISE | Talks about exercise with an exclamation! | |
| BANG_MORE | Talks about more with an exclamation! | |
| BANG_OPRAH | Talks about Oprah with an exclamation! | |
| ACT_NOW_CAPS | Talks about \'acting now\' with capitals | |
| MORE_SEX | Talks about a bigger drive for sex | |
| BANG_GUAR | Something is emphatically guaranteed | |
| SEE_FOR_YOURSELF | See for yourself | |
| RUDE_HTML | Spammer message says you need an HTML mailer | |
| INVESTMENT_ADVICE | Message mentions investment advice | |
| INVESTMENT_EXPERT | Message mentions investment expert | |
| QUALIFY_FOR_THIS | Qualify for this special... | |
| MALE_ENHANCE | Message talks about enhancing men | |
| PRICES_ARE_AFFORDABLE | Message says that prices aren\'t too expensive | |
| REPLICA_WATCH | Message talks about a replica watch | |
| EM_ROLEX | Message puts emphasis on the watch manufacturer | |
| FREE_PORN | Possible porn - Free Porn | |
| CUM_SHOT | Possible porn - Cum Shot | |
| LIVE_PORN | Possible porn - Live Porn | |
| HARDCORE_PORN | Possible porn - Hardcore Porn | |
| HOT_NASTY | Possible porn - Hot, Nasty, Wild, Young | |
| BEST_PORN | Possible porn - Best, Largest, Most Porn | |
| NASTY_GIRLS | Possible porn - Nasty Girls | |
| AMATEUR_PORN | Possible porn - Amateur Porn | |
| SOMETHING_FOR_ADULTS | Possible porn - Adult Web Sites | |
| PORN_15 | Possible porn - various types of feline | |
| PORN_16 | Possible porn - nasty, dirty, little etc. | |
| LOTS_OF_STUFF | Thousands or millions of pictures, movies, etc. | |
| DISGUISE_PORN | Attempts to disguise porn words | |
| DISGUISE_PORN_MUNDANE | Attempts to disguise mundane words used in porn | |
| PORN_URL_SEX | URL uses words/phrases which indicate porn (sex) | |
| PORN_URL_SLUT | URL uses words/phrases which indicate porn (slut) | |
| PORN_URL_MISC | URL uses words/phrases which indicate porn (misc) | |
| SUBJECT_SEXUAL | Subject indicates sexually-explicit content | |
| RATWARE_EGROUPS | Bulk email fingerprint (eGroups) found | |
| RATWARE_HASH_2 | Bulk email fingerprint (hash 2) found | |
| RATWARE_HASH_2_V2 | Bulk email fingerprint (hash 2 v2) found | |
| RATWARE_JPFREE | Bulk email fingerprint (jpfree) found | |
| RATWARE_STORM_URI | Bulk email fingerprint (StormPost) found | |
| RATWARE_OE_MALFORMED | X-Mailer has malformed Outlook Express version | |
| RATWARE_RCVD_LC_ESMTP | Bulk email fingerprint (\'esmtp\' Received) found | |
| RATWARE_MOZ_MALFORMED | Bulk email fingerprint (Mozilla malformed) found | |
| RATWARE_MPOP_WEBMAIL | Bulk email fingerprint (mPOP Web-Mail) | |
| FORGED_MUA_IMS | Forged mail pretending to be from IMS | |
| FORGED_MUA_OUTLOOK | Forged mail pretending to be from MS Outlook | |
| FORGED_MUA_OIMO | Forged mail pretending to be from MS Outlook IMO | |
| FORGED_MUA_EUDORA | Forged mail pretending to be from Eudora | |
| FORGED_MUA_AOL_FROM | Forged mail pretending to be from AOL (by From) | |
| FORGED_MUA_THEBAT_CS | Mail pretending to be from The Bat! (charset) | |
| FORGED_MUA_THEBAT_BOUN | Mail pretending to be from The Bat! (boundary) | |
| FORGED_OUTLOOK_HTML | Outlook can\'t send HTML message only | |
| FORGED_IMS_HTML | IMS can\'t send HTML message only | |
| FORGED_THEBAT_HTML | The Bat! can\'t send HTML message only | |
| REPTO_OVERQUOTE_THEBAT | The Bat! doesn\'t do quoting like this | |
| REPTO_QUOTE_AOL | AOL doesn\'t do quoting like this | |
| REPTO_QUOTE_IMS | IMS doesn\'t do quoting like this | |
| REPTO_QUOTE_MSN | MSN doesn\'t do quoting like this | |
| REPTO_QUOTE_QUALCOMM | Qualcomm/Eudora doesn\'t do quoting like this | |
| REPTO_QUOTE_YAHOO | Yahoo! doesn\'t do quoting like this | |
| FORGED_QUALCOMM_TAGS | QUALCOMM mailers can\'t send HTML in this format | |
| FORGED_AOL_TAGS | AOL mailers can\'t send HTML in this format | |
| FORGED_IMS_TAGS | IMS mailers can\'t send HTML in this format | |
| FORGED_OUTLOOK_TAGS | Outlook can\'t send HTML in this format | |
| RATWARE_HASH_DASH | Contains a hashbuster in Send-Safe format | |
| RATWARE_NETIP | Bulk email fingerprint (netIP) found | |
| RATWARE_GECKO_BUILD | Bulk email fingerprint (Gecko faked) found | |
| HDR_ORDER_MTSRIX | Headers are in order found in spam (MTSRIX) | |
| HDR_ORDER_TRIMRS | Headers are in order found in spam (TRIMRS) | |
| RATWARE_ZERO_TZ | Bulk email fingerprint (+0000) found | |
| RCVD_BONUS_SPC_DATE | Bulk email fingerprint (bonus space) found | |
| X_MESSAGE_INFO | Bulk email fingerprint (X-Message-Info) found | |
| HEADER_SPAM | Bulk email fingerprint (header-based) found | |
| RATWARE_RCVD_PF | Bulk email fingerprint (Received PF) found | |
| RATWARE_RCVD_AT | Bulk email fingerprint (Received @) found | |
| RATWARE_OUTLOOK_NONAME | Bulk email fingerprint (Outlook no name) found | |
| MSGID_RATWARE1 | Bulk email fingerprint found | |
| RATWARE_BOUND_PIECE | Bulk email fingerprint (piece boundary) found | |
| RATWARE_NAME_ID | Bulk email fingerprint (msgid from) found | |
| RATWARE_MS_HASH | Bulk email fingerprint (msgid ms hash) found | |
| RATWARE_EFROM | Bulk email fingerprint (envfrom) found | |
| NUMERIC_HTTP_ADDR | Uses a numeric IP address in URL | |
| NORMAL_HTTP_TO_IP | Uses a dotted-decimal IP address in URL | |
| HTTP_ESCAPED_HOST | Uses %-escapes inside a URL\'s hostname | |
| HTTP_CTRL_CHARS_HOST | Uses control sequences inside a URL hostname | |
| HTTP_EXCESSIVE_ESCAPES | Completely unnecessary %-escapes inside a URL | |
| IP_LINK_PLUS | Dotted-decimal IP address followed by CGI | |
| REMOVE_PAGE | URL of page called \"remove\" | |
| MAILTO_TO_SPAM_ADDR | Includes a link to a likely spammer email | |
| MAILTO_TO_REMOVE | Includes a \'remove\' email address | |
| WEIRD_PORT | Uses non-standard port number for HTTP | |
| USERPASS | URL contains username and (optional) password | |
| URI_IS_POUND | Filename is just a \'\\#\'; probably a JS trick | |
| BARGAIN_URL | Includes a link to a likely spammer domain | |
| BIZ_TLD | Contains an URL in the BIZ top-level domain | |
| INFO_TLD | Contains an URL in the INFO top-level domain | |
| YAHOO_RD_REDIR | Has Yahoo Redirect URI | |
| YAHOO_DRS_REDIR | Has Yahoo Redirect URI | |
| URI_OFFERS | Message has link to company offers | |
| URI_4YOU | Message has URI 4you | |
| TERRA_ES | Contains URI to a document hosted at \'terra.es\' | |
| HTTP_77 | Contains an URL-encoded hostname (HTTP77) | |
| URI_AFFILIATE | Contains a URI with an affiliate ID code | |
| URI_REDIRECTOR | Message has HTTP redirector URI | |
| SPOOF_COM2OTH | URI contains \".com\" in middle | |
| SPOOF_COM2COM | URI contains \".com\" in middle and end | |
| SPOOF_NET2COM | URI contains \".net\" or \".org\", then \".com\" | |
| SPOOF_OURI | URI has items in odd places | |
| URI_DIGITS | URI hostname has long digit sequence | |
| URI_HEX | URI hostname has long hexadecimal sequence | |
| URI_NOVOWEL | URI hostname has long non-vowel sequence | |
| URI_UNSUBSCRIBE | URI contains suspicious unsubscribe link | |
| URI_UPPER_LOWER | URI contains capitalized hostname parts (\"Abcde\") | |
| URI_NO_WWW_INFO_CGI | CGI in .info TLD other than third-level \"www\" | |
| URI_NO_WWW_BIZ_CGI | CGI in .biz TLD other than third-level \"www\" | |
| URI_NO_WWW_ANY_CGI | CGI with long hostname other fourth-level \"www\" | |
| URI_SCHEME_MIXED_CASE | URI scheme has mixed uppercase and lowercase | |
| DOMAIN_4U2 | Domain name containing a \"4u\" variant | |
| BAYES_00 | Bayesian spam probability is 0 to 1% | |
| BAYES_05 | Bayesian spam probability is 1 to 5% | |
| BAYES_20 | Bayesian spam probability is 5 to 20% | |
| BAYES_40 | Bayesian spam probability is 20 to 40% | |
| BAYES_50 | Bayesian spam probability is 40 to 60% | |
| BAYES_60 | Bayesian spam probability is 60 to 80% | |
| BAYES_80 | Bayesian spam probability is 80 to 95% | |
| BAYES_95 | Bayesian spam probability is 95 to 99% | |
| BAYES_99 | Bayesian spam probability is 99 to 100% | |
| ACCESSDB | Message would have been caught by accessdb | |
| MICROSOFT_EXECUTABLE | Message includes Microsoft executable program | |
| MIME_SUSPECT_NAME | MIME filename does not match content | |
| DCC_CHECK | Listed in DCC (http://rhyolite.com/anti-spam/dcc/) | |
| DKIM_SIGNED | Domain Keys Identified Mail: message has a signature | |
| DKIM_VERIFIED | Domain Keys Identified Mail: signature passes verification | |
| DKIM_POLICY_SIGNSOME | Domain Keys Identified Mail: policy says domain signs some mails | |
| DKIM_POLICY_SIGNALL | Domain Keys Identified Mail: policy says domain signs all mails | |
| DKIM_POLICY_TESTING | Domain Keys Identified Mail: policy says domain is testing DK | |
| DK_SIGNED | Domain Keys: message has an unverified signature | |
| DK_VERIFIED | Domain Keys: signature passes verification | |
| DK_POLICY_SIGNSOME | Domain Keys: policy says domain signs some mails | |
| DK_POLICY_SIGNALL | Domain Keys: policy says domain signs all mails | |
| DK_POLICY_TESTING | Domain Keys: policy says domain is testing DK | |
| HASHCASH_20 | Contains valid Hashcash token (20 bits) | |
| HASHCASH_21 | Contains valid Hashcash token (21 bits) | |
| HASHCASH_22 | Contains valid Hashcash token (22 bits) | |
| HASHCASH_23 | Contains valid Hashcash token (23 bits) | |
| HASHCASH_24 | Contains valid Hashcash token (24 bits) | |
| HASHCASH_25 | Contains valid Hashcash token (25 bits) | |
| HASHCASH_HIGH | Contains valid Hashcash token (>25 bits) | |
| HASHCASH_2SPEND | Hashcash token already spent in another mail | |
| PYZOR_CHECK | Listed in Pyzor (http://pyzor.sf.net/) | |
| RAZOR2_CHECK | Listed in Razor2 (http://razor.sf.net/) | |
| RAZOR2_CF_RANGE_51_100 | Razor2 gives confidence level above 50% | |
| RAZOR2_CF_RANGE_E4_51_100 | Razor2 gives engine 4 confidence level above 50% | |
| RAZOR2_CF_RANGE_E8_51_100 | Razor2 gives engine 8 confidence level above 50% | |
| SUBJECT_FUZZY_MEDS | Attempt to obfuscate words in Subject: | |
| SUBJECT_FUZZY_MEDS | Attempt to obfuscate words in Subject: | |
| SUBJECT_FUZZY_CHEAP | Attempt to obfuscate words in Subject: | |
| SUBJECT_FUZZY_PENIS | Attempt to obfuscate words in Subject: | |
| SUBJECT_FUZZY_TION | Attempt to obfuscate words in Subject: | |
| FUZZY_AFFORDABLE | Attempt to obfuscate words in spam | |
| FUZZY_AMBIEN | Attempt to obfuscate words in spam | |
| FUZZY_BILLION | Attempt to obfuscate words in spam | |
| FUZZY_CELEBREX | Attempt to obfuscate words in spam | |
| FUZZY_CPILL | Attempt to obfuscate words in spam | |
| FUZZY_CREDIT | Attempt to obfuscate words in spam | |
| FUZZY_ERECT | Attempt to obfuscate words in spam | |
| FUZZY_FOLLOW | Attempt to obfuscate words in spam | |
| FUZZY_GUARANTEE | Attempt to obfuscate words in spam | |
| FUZZY_MEDICATION | Attempt to obfuscate words in spam | |
| FUZZY_MILF | Attempt to obfuscate words in spam | |
| FUZZY_MILLION | Attempt to obfuscate words in spam | |
| FUZZY_MONEY | Attempt to obfuscate words in spam | |
| FUZZY_MORTGAGE | Attempt to obfuscate words in spam | |
| FUZZY_OBLIGATION | Attempt to obfuscate words in spam | |
| FUZZY_OFFERS | Attempt to obfuscate words in spam | |
| FUZZY_PHARMACY | Attempt to obfuscate words in spam | |
| FUZZY_PHENT | Attempt to obfuscate words in spam | |
| FUZZY_PLEASE | Attempt to obfuscate words in spam | |
| FUZZY_PRESCRIPT | Attempt to obfuscate words in spam | |
| FUZZY_PRICES | Attempt to obfuscate words in spam | |
| FUZZY_REFINANCE | Attempt to obfuscate words in spam | |
| FUZZY_REMOVE | Attempt to obfuscate words in spam | |
| FUZZY_ROLEX | Attempt to obfuscate words in spam | |
| FUZZY_SOFTWARE | Attempt to obfuscate words in spam | |
| FUZZY_THOUSANDS | Attempt to obfuscate words in spam | |
| FUZZY_TRAMADOL | Attempt to obfuscate words in spam | |
| FUZZY_VLIUM | Attempt to obfuscate words in spam | |
| FUZZY_VICODIN | Attempt to obfuscate words in spam | |
| FUZZY_VIOXX | Attempt to obfuscate words in spam | |
| FUZZY_VPILL | Attempt to obfuscate words in spam | |
| FUZZY_XPILL | Attempt to obfuscate words in spam | |
| SPF_PASS | SPF: sender matches SPF record | |
| SPF_NEUTRAL | SPF: sender does not match SPF record (neutral) | |
| SPF_FAIL | SPF: sender does not match SPF record (fail) | |
| SPF_SOFTFAIL | SPF: sender does not match SPF record (softfail) | |
| SPF_HELO_PASS | SPF: HELO matches SPF record | |
| SPF_HELO_NEUTRAL | SPF: HELO does not match SPF record (neutral) | |
| SPF_HELO_FAIL | SPF: HELO does not match SPF record (fail) | |
| SPF_HELO_SOFTFAIL | SPF: HELO does not match SPF record (softfail) | |
| UNWANTED_LANGUAGE_BODY | Message written in an undesired language | |
| BODY_8BITS | Body includes 8 consecutive 8-bit characters | |
| URIBL_SBL | Contains an URL listed in the SBL blocklist | |
| URIBL_SC_SURBL | Contains an URL listed in the SC SURBL blocklist | |
| URIBL_WS_SURBL | Contains an URL listed in the WS SURBL blocklist | |
| URIBL_PH_SURBL | Contains an URL listed in the PH SURBL blocklist | |
| URIBL_OB_SURBL | Contains an URL listed in the OB SURBL blocklist | |
| URIBL_AB_SURBL | Contains an URL listed in the AB SURBL blocklist | |
| URIBL_JP_SURBL | Contains an URL listed in the JP SURBL blocklist | |
| AWL | From: address is in the auto white-list | |
| USER_IN_BLACKLIST | From: address is in the user\'s black-list | |
| USER_IN_WHITELIST | From: address is in the user\'s white-list | |
| USER_IN_DEF_WHITELIST | From: address is in the default white-list | |
| USER_IN_BLACKLIST_TO | User is listed in \'blacklist_to\' | |
| USER_IN_WHITELIST_TO | User is listed in \'whitelist_to\' | |
| USER_IN_MORE_SPAM_TO | User is listed in \'more_spam_to\' | |
| USER_IN_ALL_SPAM_TO | User is listed in \'all_spam_to\' | |
| USER_IN_DK_WHITELIST | From: address is in the user\'s DK whitelist | |
| USER_IN_DEF_DK_WL | From: address is in the default DK white-list | |
| ENV_AND_HDR_DK_MATCH | Env and Hdr From used in default DK WL Match | |
| USER_IN_DKIM_WHITELIST | From: address is in the user\'s DKIM whitelist | |
| USER_IN_DEF_DKIM_WL | From: address is in the default DKIM white-list | |
| ENV_AND_HDR_DKIM_MATCH | Env and Hdr From used in default DKIM WL Match | |
| USER_IN_SPF_WHITELIST | From: address is in the user\'s SPF whitelist | |
| USER_IN_DEF_SPF_WL | From: address is in the default SPF white-list | |
| ENV_AND_HDR_SPF_MATCH | Env and Hdr From used in default SPF WL Match | |
| SUBJECT_IN_WHITELIST | Subject: contains string in the user\'s white-list | |
| SUBJECT_IN_BLACKLIST | Subject: contains string in the user\'s black-list |