
3 7, 2008
This list of antispam filters or rules corresponds to the powerful and popular SpamAssassin software, but most antispam programs use exactly the same rules. It shows the messages that antispam programs return, the area in which each rule is applied, its description, and the level or spam points assigned to it.
| TEST AREA | DESCRIPTION | NAME | SPAM POINTS (local, net, with bayes, with bayes+net) | LOCALE |
|---|---|---|---|---|
| body | Generic Test for Unsolicited Bulk | GTUBE | 1000.000 | |
| body | Incorporates a tracking ID number | TRACKER_ID | 2.000 1.295 2.292 1.032 | |
| body | Weird repeated double-quotation marks | WEIRD_QUOTING | 1.120 1.200 1.295 1.341 | |
| rawbody | Extra blank lines in base64 encoding | MIME_BASE64_BLANKS | 0 0 0.184 0.224 | |
| rawbody | base64 attachment does not have a file name | MIME_BASE64_NO_NAME | 0 0 0 0.224 | |
| rawbody | Message text disguised using base64 encoding | MIME_BASE64_TEXT | 2.048 1.522 2.749 1.885 | |
| rawbody | MIME section missing boundary | MIME_MISSING_BOUNDARY | 1 | |
| body | Missing blank line between MIME header and body | MISSING_MIME_HB_SEP | 1 | |
| body | Multipart message mostly text/html MIME | MIME_HTML_MOSTLY | 1.703 0.699 2.309 1.102 | |
| body | Message only has text/html MIME parts | MIME_HTML_ONLY | 0.414 0.001 0.389 0.001 | |
| rawbody | Quoted-printable line longer than 76 chars | MIME_QP_LONG_LINE | 0.159 0 0.234 0 | |
| body | HTML and text parts are different | MPART_ALT_DIFF | 0.425 0.137 1.142 0 | |
| body | HTML and text parts are different | MPART_ALT_DIFF_COUNT | 1.649 0 1.607 0.708 | |
| body | MIME character set is an unknown ISO charset | MIME_BAD_ISO_CHARSET | 3.360 3.360 3.885 4.185 | |
| body | Character set indicates a foreign language | CHARSET_FARAWAY | 3.200 | |
| body | Body contains a ROT13-encoded email address | EMAIL_ROT13 | 1.600 1.680 1.850 2.000 | |
| body | Message body has 70-80% blank lines | BLANK_LINES_70_80 | 1.499 1.236 1.757 1.805 | |
| body | Message body has 80-90% blank lines | BLANK_LINES_80_90 | 0.272 0.107 0.810 0 | |
| body | Message body has 90-100% blank lines | BLANK_LINES_90_100 | 1 | |
| body | Message body has many words used only once | UNIQUE_WORDS | 2.066 1.336 2.543 2.347 | |
| body | Message body mentions many internet domains | DOMAIN_RATIO | 0 0 0.184 0 | |
| body | IP to HTTPS link found in HTML | HTTPS_IP_MISMATCH | 1.920 1.920 2.220 2.400 | |
| rawbody | Message looks to contain HTML-interrupted text | INTERRUPTUS | 1.154 0.533 1.106 0.182 | |
| body | eval:check_ma_non_text() | MULTIPART_ALT_NON_TEXT | 1 | |
| header | Passed through trusted hosts only via SMTP | ALL_TRUSTED | -1.360 -1.440 -1.665 -1.800 | |
| header | Informational: message was not relayed via SMTP | NO_RELAYS | -0.001 | |
| header | NJABL: sender is confirmed open relay | RCVD_IN_NJABL_RELAY | 1 | |
| header | NJABL: dialup sender did non-local SMTP | RCVD_IN_NJABL_DUL | 0 1.713 0 1.946 | |
| header | NJABL: sender is confirmed spam source | RCVD_IN_NJABL_SPAM | 0 1.905 0 2.775 | |
| header | NJABL: sent through multi-stage open relay | RCVD_IN_NJABL_MULTI | 1 | |
| header | NJABL: sender is an open formmail | RCVD_IN_NJABL_CGI | 1 | |
| header | NJABL: sender is an open proxy | RCVD_IN_NJABL_PROXY | 0 0.327 0 0.721 | |
| header | SORBS: sender is open HTTP proxy server | RCVD_IN_SORBS_HTTP | 1 | |
| header | SORBS: sender is open SOCKS proxy server | RCVD_IN_SORBS_SOCKS | 0 1.823 0 2.159 | |
| header | SORBS: sender is open proxy server | RCVD_IN_SORBS_MISC | 1 | |
| header | SORBS: sender is open SMTP relay | RCVD_IN_SORBS_SMTP | 0 0 0 0.201 | |
| header | SORBS: sender is a abuseable web server | RCVD_IN_SORBS_WEB | 0 1.236 0 1.456 | |
| header | SORBS: sender demands to never be tested | RCVD_IN_SORBS_BLOCK | 1 | |
| header | SORBS: sender is on a hijacked network | RCVD_IN_SORBS_ZOMBIE | 0 0.240 0 0.258 | |
| header | SORBS: sent directly from dynamic IP address | RCVD_IN_SORBS_DUL | 0 1.988 0 2.046 | |
| header | Received via a relay in Spamhaus SBL | RCVD_IN_SBL | 0 2.712 0 3.160 | |
| header | Received via a relay in Spamhaus XBL | RCVD_IN_XBL | 0 3.114 0 3.897 | |
| header | Envelope sender in dsn.rfc-ignorant.org | DNS_FROM_RFC_DSN | 0 2.872 0 2.597 | |
| header | Envelope sender in postmaster.rfc-ignorant.org | DNS_FROM_RFC_POST | 0 1.440 0 1.708 | |
| header | Envelope sender in abuse.rfc-ignorant.org | DNS_FROM_RFC_ABUSE | 0 0.479 0 0.200 | |
| header | Envelope sender in whois.rfc-ignorant.org | DNS_FROM_RFC_WHOIS | 0 0.879 0 1.447 | |
| header | Envelope sender in bogusmx.rfc-ignorant.org | DNS_FROM_RFC_BOGUSMX | 0 2.034 0 1.945 | |
| header | CompleteWhois: sender on bogons IP block | RCVD_IN_WHOIS_BOGONS | 0 1.811 0 2.430 | |
| header | CompleteWhois: sender on hijacked IP block | RCVD_IN_WHOIS_HIJACKED | 0 1.0 0 1.0 | |
| header | CompleteWhois: sender on invalid IP block | RCVD_IN_WHOIS_INVALID | 0 2.151 0 2.234 | |
| header | Received via a relay in list.dsbl.org | RCVD_IN_DSBL | 0 1.801 0 2.600 | |
| header | From: sender listed in dnsbl.ahbl.org | DNS_FROM_AHBL_RHSBL | 0 0.306 0 0.231 | |
| header | Envelope sender in blackholes.securitysage.com | DNS_FROM_SECURITYSAGE | 0 2.001 0 1.513 | |
| header | Received via a relay in bl.spamcop.net | RCVD_IN_BL_SPAMCOP_NET | 0 1.332 0 1.558 | |
| header | Relay in RBL, http://www.mail-abuse.org/rbl/ | RCVD_IN_MAPS_RBL | 1 | |
| header | Relay in DUL, http://www.mail-abuse.org/dul/ | RCVD_IN_MAPS_DUL | 1 | |
| header | Relay in RSS, http://www.mail-abuse.org/rss/ | RCVD_IN_MAPS_RSS | 1 | |
| header | Relay in NML, http://www.mail-abuse.org/nml/ | RCVD_IN_MAPS_NML | 1 | |
| header | Sender is in Bonded Sender Program (trusted relay) | RCVD_IN_BSP_TRUSTED | 0 -4.3 0 -4.3 | |
| header | Sender is in Bonded Sender Program (other relay) | RCVD_IN_BSP_OTHER | 0 -0.1 0 -0.1 | |
| header | ISIPP IADB lists as vouched-for sender | RCVD_IN_IADB_VOUCHED | 0 -1.825 0 -2.200 | |
| header | Habeas Accredited Confirmed Opt-In or Better | HABEAS_ACCREDITED_COI | 0 -8.0 0 -8.0 | |
| header | Habeas Accredited Opt-In or Better | HABEAS_ACCREDITED_SOI | 0 -4.3 0 -4.3 | |
| header | Habeas Checked | HABEAS_CHECKED | 0 -0.2 0 -0.2 | |
| header | Subject contains a gappy version of ‘cialis’ | SUBJECT_DRUG_GAP_C | 2.880 1.035 3.140 0.614 | |
| header | Subject contains a gappy version of ‘levitra’ | SUBJECT_DRUG_GAP_L | 1.840 1.840 2.118 2.300 | |
| header | Subject contains a gappy version of ‘phentermine’ | SUBJECT_DRUG_GAP_P | 0.542 0.563 0.834 0.699 | |
| header | Subject contains a gappy version of ‘soma’ | SUBJECT_DRUG_GAP_S | 1.729 0.378 2.498 1.581 | |
| header | Subject contains a gappy version of ‘valium’ | SUBJECT_DRUG_GAP_VA | 2.437 2.442 2.743 2.619 | |
| header | Subject contains a gappy version of ‘vicodin’ | SUBJECT_DRUG_GAP_VIC | 2.720 2.720 3.145 2.656 | |
| header | Subject contains a gappy version of ‘xanax’ | SUBJECT_DRUG_GAP_X | 2.262 2.334 2.447 2.401 | |
| body | Talks about price per dose | DRUG_DOSAGE | 2.337 1.592 2.745 2.242 | |
| body | Mentions an E.D. drug | DRUG_ED_CAPS | 0.547 0.352 1.011 0.501 | |
| body | Viagra and other drugs | DRUG_ED_COMBO | 1.280 1.280 1.353 1.375 | |
| body | Talks about an E.D. drug using its chemical name | DRUG_ED_SILD | 1.440 0 1.594 0 | |
| body | Mentions Generic Viagra | DRUG_ED_GENERIC | 2.140 1.814 2.461 1.807 | |
| body | Fast Viagra Delivery | DRUG_ED_ONLINE | 2.160 2.160 2.498 2.700 | |
| body | Deep discount medications | DEEP_DISC_MEDS | 1.440 1.132 1.665 1.177 | |
| body | Online Pharmacy | ONLINE_PHARMACY | 2.720 2.102 3.145 2.043 | |
| body | No prescription needed | NO_PRESCRIPTION | 3.200 2.888 3.700 3.887 | |
| body | Attempts to disguise the word ‘viagra’ | VIA_GAP_GRA | 2.480 2.419 2.867 2.529 | |
| body | Two or more drugs crammed together into one word | DRUGS_SMEAR1 | 1.310 1.372 1.576 1.337 | |
| header | Host HELO did not match rDNS: msn.com | FAKE_HELO_MSN | 2.080 2.060 2.358 2.509 | |
| header | Host HELO did not match rDNS: mail.com | FAKE_HELO_MAIL_COM | 1.920 1.920 2.220 2.369 | |
| header | Host HELO did not match rDNS: email.com | FAKE_HELO_EMAIL_COM | 1.440 1.440 1.665 1.335 | |
| header | Host HELO did not match rDNS: eudoramail.com | FAKE_HELO_EUDORAMAIL | 1.360 1.440 1.665 1.705 | |
| header | Host HELO did not match rDNS: excite.com | FAKE_HELO_EXCITE | 1 | |
| header | Host HELO did not match rDNS: lycos.com | FAKE_HELO_LYCOS | 1 | |
| header | Host HELO did not match rDNS: yahoo.ca | FAKE_HELO_YAHOO_CA | 1.186 1.353 1.466 1.599 | |
| header | Relay HELO’d with suspicious hostname (mail.com) | FAKE_HELO_MAIL_COM_DOM | 2.160 2.160 2.498 2.700 | |
| header | Relay HELO’d using suspicious hostname (IP addr 1) | HELO_DYNAMIC_IPADDR | 3.360 3.360 3.885 4.200 | |
| header | Relay HELO’d using suspicious hostname (DHCP) | HELO_DYNAMIC_DHCP | 3.280 2.664 3.792 3.066 | |
| header | Relay HELO’d using suspicious hostname (HCC) | HELO_DYNAMIC_HCC | 3.280 3.280 3.792 4.100 | |
| header | Relay HELO’d using suspicious hostname (ATTBI.com) | HELO_DYNAMIC_ATTBI | 2.400 2.400 2.775 2.692 | |
| header | Relay HELO’d using suspicious hostname (Rogers) | HELO_DYNAMIC_ROGERS | 1.840 1.203 2.127 1.580 | |
| header | Relay HELO’d using suspicious hostname (Adelphia) | HELO_DYNAMIC_ADELPHIA | 1.680 1.680 1.942 1.787 | |
| header | Relay HELO’d using suspicious hostname (T-Dialin) | HELO_DYNAMIC_DIALIN | 2.080 2.080 2.405 2.600 | |
| header | Relay HELO’d using suspicious hostname (Hex IP) | HELO_DYNAMIC_HEXIP | 1.280 1.280 1.480 1.600 | |
| header | Relay HELO’d using suspicious hostname (Split IP) | HELO_DYNAMIC_SPLIT_IP | 2.880 2.880 3.330 2.191 | |
| header | Relay HELO’d using suspicious hostname (YahooBB) | HELO_DYNAMIC_YAHOOBB | 2.240 2.240 2.590 2.800 | |
| header | Relay HELO’d using suspicious hostname (OptOnline) | HELO_DYNAMIC_OOL | 1.840 1.839 2.127 2.012 | |
| header | Relay HELO’d using suspicious hostname (IP addr 2) | HELO_DYNAMIC_IPADDR2 | 3.280 3.213 3.792 3.818 | |
| header | Relay HELO’d using suspicious hostname (RR 2) | HELO_DYNAMIC_RR2 | 1.440 1.440 1.665 1.605 | |
| header | Relay HELO’d using suspicious hostname (Comcast) | HELO_DYNAMIC_COMCAST | 2.800 2.800 3.237 3.500 | |
| header | Relay HELO’d using suspicious hostname (Telia) | HELO_DYNAMIC_TELIA | 1 | |
| header | Relay HELO’d using suspicious hostname (VTR) | HELO_DYNAMIC_VTR | 1.440 1.492 1.757 1.287 | |
| header | Relay HELO’d using suspicious hostname (Chello.no) | HELO_DYNAMIC_CHELLO_NO | 1 | |
| header | Relay HELO’d using suspicious hostname (Chello.nl) | HELO_DYNAMIC_CHELLO_NL | 1.624 0 2.035 0.170 | |
| header | Relay HELO’d using suspicious hostname (Veloxzone) | HELO_DYNAMIC_VELOX | 1 | |
| header | Relay HELO’d using suspicious hostname (NTL) | HELO_DYNAMIC_NTL | 1.360 1.360 1.573 1.481 | |
| header | Relay HELO’d using suspicious hostname (Home.nl) | HELO_DYNAMIC_HOME_NL | 1.600 1.600 1.850 2.000 | |
| header | Message headers are very long | HEAD_LONG | 2.5 | |
| header | Partial message | FRAGMENTED_MESSAGE | 2.5 | |
| header | Missing blank line between message header and body | MISSING_HB_SEP | 2.5 | |
| header | Informational: message has unparseable relay lines | UNPARSEABLE_RELAY | 0.001 | |
| header | From: does not include a real name | NO_REAL_NAME | 0 0.550 0 0.961 | |
| header | From: contains empty name | FROM_BLANK_NAME | 1.659 1.467 0.936 1.534 | |
| header | From: ends in many numbers | FROM_ENDS_IN_NUMS | 1.880 2.160 2.405 2.530 | |
| header | From: starts with many numbers | FROM_STARTS_WITH_NUMS | 1.337 0.283 1.829 0.724 | |
| header | From: contains numbers mixed in with letters | FROM_HAS_MIXED_NUMS | 1.760 1.510 2.127 2.155 | |
| header | From: contains an underline and numbers/letters | FROM_HAS_ULINE_NUMS | 0.744 0.217 0.310 0.291 | |
| header | From numeric address (except US/Canada phones) | FROM_ALL_NUMS | 1.972 1.920 2.312 2.500 | |
| header | From address is “at something-offers” | FROM_OFFERS | 1.680 1.641 1.865 1.960 | |
| header | From: has no local-part before @ sign | FROM_NO_USER | 1 | |
| header | To: has no local-part before @ sign | TO_NO_USER | 1 | |
| header | To: is empty | TO_EMPTY | 0 0 0.115 0.268 | |
| header | Reply-To: is empty | REPLY_TO_EMPTY | 0.449 0.640 0.512 0.600 | |
| header | To: repeats address as real name | TO_ADDRESS_EQ_REAL | 1 | |
| header | Valid-looking To “undisclosed-recipients” | UNDISC_RECIPS | 0.960 0.883 0.712 0.841 | |
| header | Faked To “Undisclosed-Recipients” | FAKED_UNDISC_RECIPS | 1 | |
| header | Subject has exclamation mark and question mark | PLING_QUERY | 0 0.326 0.623 0.514 | |
| header | Subject contains a unique ID | SUBJ_HAS_UNIQ_ID | 0.895 0 1.387 0.190 | |
| header | Subject contains lots of white space | SUBJ_HAS_SPACES | 1.758 0.651 2.306 0.870 | |
| header | Subject is all capitals | SUBJ_ALL_CAPS | 1.049 1.166 0.459 0.997 | |
| header | Spam tool Message-Id: (99x9xx99 variant) | MSGID_SPAM_99X9XX99 | 1 | |
| header | Spam tool Message-Id: (alpha-numeric variant) | MSGID_SPAM_ALPHA_NUM | 1.920 1.920 2.220 2.255 | |
| header | Spam tool Message-Id: (caps variant) | MSGID_SPAM_CAPS | 3.520 3.520 4.070 4.400 | |
| header | Spam tool Message-Id: (letters variant) | MSGID_SPAM_LETTERS | 2.400 2.349 2.867 3.021 | |
| header | Spam tool Message-Id: (12-zeroes variant) | MSGID_SPAM_ZEROES | 1.222 1.360 1.264 1.607 | |
| header | Message-Id has no hostname | MSGID_NO_HOST | 0.533 0.129 0.787 0.285 | |
| header | Message-Id is fake (in Outlook Express format) | MSGID_OUTLOOK_INVALID | 2.080 2.027 2.405 2.600 | |
| header | Message-ID has ALLCAPS@yahoo.com | MSGID_YAHOO_CAPS | 2.466 1.273 2.720 2.399 | |
| header | Message-Id for external message added locally | MSGID_FROM_MTA_ID | 1.103 0.927 1.183 1.393 | |
| header | Message-Id was added by a hotmail.com relay | MSGID_FROM_MTA_HOTMAIL | 1 | |
| header | Message-ID is unusually long | MSGID_LONG | 0.899 0.267 1.188 1.204 | |
| header | Message-ID is unusually short | MSGID_SHORT | 2.480 2.465 2.821 3.100 | |
| header | Message-ID contains multiple ‘@’ characters | MSGID_MULTIPLE_AT | 2.880 1.375 3.187 1.914 | |
| header | Date header uses unusual Y2K formatting | DATE_SPAMWARE_Y2K | 1.859 1.822 1.944 0.745 | |
| header | Invalid Date: header (not RFC 2822) | INVALID_DATE | 1.700 1.760 2.005 2.193 | |
| header | Invalid Date: header (timezone does not exist) | INVALID_DATE_TZ_ABSURD | 1.360 1.346 1.573 1.700 | |
| header | Invalid date in header (wrong CST timezone) | INVALID_TZ_CST | 2.043 0.153 2.419 0.867 | |
| header | Invalid date in header (wrong EST timezone) | INVALID_TZ_EST | 2.720 0.737 3.145 1.883 | |
| header | Invalid date in header (wrong GMT/UTC timezone) | INVALID_TZ_GMT | 1.928 1.111 2.163 1.042 | |
| header | Date: is 3 to 6 hours before Received: date | DATE_IN_PAST_03_06 | 0.736 0 1.122 0.478 | |
| header | Date: is 6 to 12 hours before Received: date | DATE_IN_PAST_06_12 | 0.846 0.746 0.926 0.827 | |
| header | Date: is 12 to 24 hours before Received: date | DATE_IN_PAST_12_24 | 0.960 0.881 1.036 1.247 | |
| header | Date: is 24 to 48 hours before Received: date | DATE_IN_PAST_24_48 | 0.801 0.805 0.976 0.880 | |
| header | Date: is 48 to 96 hours before Received: date | DATE_IN_PAST_48_96 | 0.383 0.501 0.400 0.379 | |
| header | Date: is 96 hours or more before Received: date | DATE_IN_PAST_96_XX | 1.752 1.572 2.101 2.020 | |
| header | Date: is 3 to 6 hours after Received: date | DATE_IN_FUTURE_03_06 | 2.061 2.007 2.275 1.961 | |
| header | Date: is 6 to 12 hours after Received: date | DATE_IN_FUTURE_06_12 | 1.680 1.498 1.883 1.668 | |
| header | Date: is 12 to 24 hours after Received: date | DATE_IN_FUTURE_12_24 | 2.320 2.316 2.775 2.767 | |
| header | Date: is 24 to 48 hours after Received: date | DATE_IN_FUTURE_24_48 | 2.080 2.080 2.498 2.688 | |
| header | Date: is 48 to 96 hours after Received: date | DATE_IN_FUTURE_48_96 | 1.680 1.680 1.942 2.100 | |
| header | Date: is 96 hours or more after Received: date | DATE_IN_FUTURE_96_XX | 1.920 1.888 2.276 2.403 | |
| header | Headers contain an unresolved template | UNRESOLVED_TEMPLATE | 1.520 0.687 1.923 1.324 | |
| header | Subject: has too many raw illegal characters | SUBJ_ILLEGAL_CHARS | 3.360 3.360 3.978 4.279 | |
| header | From: has too many raw illegal characters | FROM_ILLEGAL_CHARS | 3.280 3.280 3.792 4.100 | |
| header | Headers have too many raw illegal characters | HEAD_ILLEGAL_CHARS | 1.652 1.519 1.796 1.606 | |
| header | Subject: MIME encoded twice | SUBJECT_ENCODED_TWICE | 0.888 1.543 1.293 1.723 | |
| header | Subject contains an English UCE tag | ENGLISH_UCE_SUBJECT | 1.415 0.250 1.850 0.740 | |
| header | Subject contains a Japanese UCE tag | JAPANESE_UCE_SUBJECT | 1.280 1.360 1.480 1.700 | |
| header | Subject: contains Korean unsolicited email tag | KOREAN_UCE_SUBJECT | 2.480 2.480 2.867 3.100 | |
| header | From and To are the same, but not exactly | FROM_AND_TO_SAME | 1 | |
| header | Received: contains a forged HELO | FORGED_RCVD_HELO | 0 0 0 0.135 | |
| header | Received: HELO and IP do not match, but should | RCVD_HELO_IP_MISMATCH | 3.200 3.200 3.700 4.000 | |
| header | Received: contains an IP address used for HELO | RCVD_NUMERIC_HELO | 1.440 1.253 1.665 1.500 | |
| header | Received: contains illegal IP address | RCVD_ILLEGAL_IP | 1.585 0.234 1.813 0.288 | |
| header | Received by mail server with no name | RCVD_BY_IP | 0.280 0 0 0 | |
| header | Received forged, contains fake AOL relays | FORGED_AOL_RCVD | 0.001 | |
| header | Contains forged hostname for a DSL IP in Brazil | FORGED_TELESP_RCVD | 1.280 0 1.470 0 | |
| header | Forged hotmail.com ‘Received:’ header found | FORGED_HOTMAIL_RCVD | 2.402 2.152 2.820 2.255 | |
| header | hotmail.com ‘From’ address, but no ‘Received:’ | FORGED_HOTMAIL_RCVD2 | 1.653 0.549 2.127 1.162 | |
| header | Forged eudoramail.com ‘Received:’ header found | FORGED_EUDORAMAIL_RCVD | 1.130 0.528 1.454 0.217 | |
| header | ‘From’ yahoo.com does not match ‘Received’ headers | FORGED_YAHOO_RCVD | 1.506 0.928 1.794 1.849 | |
| header | ‘From’ juno.com does not match ‘Received’ headers | FORGED_JUNO_RCVD | 1.693 1.478 1.787 1.914 | |
| header | Forged ‘by gw05’ ‘Received:’ header found | FORGED_GW05_RCVD | 0.001 | |
| header | Character set doesn’t exist | NONEXISTENT_CHARSET | 1.280 1.280 1.480 1.506 | |
| header | A foreign language charset used in headers | CHARSET_FARAWAY_HEADER | 3.200 | |
| header | Sent with ‘X-Priority’ set to high | X_PRIORITY_HIGH | 0 0.122 0 0.433 | |
| header | Sent with ‘X-Msmail-Priority’ set to high | X_MSMAIL_PRIORITY_HIGH | 1 | |
| header | Received: says mail sent around the world (HELO) | ROUND_THE_WORLD_LOCAL | 1.840 1.429 2.127 1.659 | |
| header | Missing Date: header | MISSING_DATE | 1 | |
| header | Missing To: header | MISSING_HEADERS | 0 0.189 0 0 | |
| header | Similar addresses in recipient list | SUSPICIOUS_RECIPS | 2.240 0.849 2.267 1.757 | |
| header | Recipient list is sorted by address | SORTED_RECIPS | 2.800 1.530 3.237 1.960 | |
| header | Subject: contains G.a.p.p.y-T.e.x.t | GAPPY_SUBJECT | 1.600 1.625 1.785 1.995 | |
| header | Message has Prevent-NonDelivery-Report header | PREVENT_NONDELIVERY | 1.515 1.640 1.737 1.600 | |
| header | Message has X-IP header | X_IP | 2.803 1.848 3.286 2.305 | |
| header | Message has X-Library header | X_LIBRARY | 1.920 1.920 2.220 2.400 | |
| header | Message has X-Message-flag header (odd case) | X_MESSAGE_FLAG_ODD | 2.080 2.080 2.405 2.600 | |
| header | Subject contains “As Seen” | SUBJ_AS_SEEN | 1.511 0 1.757 0 | |
| header | Subject starts with dollar amount | SUBJ_DOLLARS | 0.650 0.381 0.636 0.301 | |
| header | Subject contains “For Only” | SUBJ_FOR_ONLY | 1.104 0.316 1.268 0.415 | |
| header | Subject contains “FREE” in CAPS | SUBJ_FREE_CAP | 1 | |
| header | Subject starts with “Free” | SUB_FREE_OFFER | 0.286 0 0 0 | |
| header | Subject GUARANTEED | SUBJ_GUARANTEED | 1.360 1.421 1.623 1.785 | |
| header | Subject starts with “Hello” | SUB_HELLO | 1.840 1.760 2.027 2.141 | |
| header | Subject includes “life insurance” | SUBJ_LIFE_INSURANCE | 1.520 1.520 1.757 1.900 | |
| header | Subject contains “Your Bills” or similar | SUBJ_YOUR_DEBT | 1.405 0.577 1.757 1.106 | |
| header | Subject contains “Your Family” | SUBJ_YOUR_FAMILY | 1.600 0.338 1.850 1.157 | |
| header | Subject contains “Your Own” | SUBJ_YOUR_OWN | 1.023 0.127 0.865 0.811 | |
| header | Received contains a faked HELO hostname | RCVD_FAKE_HELO_DOTCOM | 2.160 1.652 2.590 2.281 | |
| header | To: address appears in Subject | ADDRESS_IN_SUBJECT | 1.053 0 0.919 0.533 | |
| header | Local part of To: address appears in Subject | LOCALPART_IN_SUBJECT | 1.559 1.561 1.757 1.900 | |
| header | Subject talks about losing pounds | SUBJECT_DIET | 1.812 0.623 2.127 1.330 | |
| header | Header has extraneous Content-type:…type= entry | EXTRA_MPART_TYPE | 0.847 0.815 0.733 1.091 | |
| header | To header contains ‘recipient’ marker | TO_RECIP_MARKER | 1.044 1.033 1.168 1.038 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_DD_DIGITS | 3.600 3.600 4.162 4.500 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_DIGITS_7 | 1 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_DIGITS_15 | 2.400 2.400 2.775 2.949 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_MANY_HEX | 2.160 2.144 2.498 2.700 | |
| header | Spam tool pattern in MIME boundary (rfkindy) | MIME_BOUND_RKFINDY | 2.160 2.160 2.498 2.700 | |
| header | To: has a malformed address | TO_MALFORMED | 1 | |
| header | From Address contains FREE | ADDR_FREE | 0.469 0 1.118 0.205 | |
| header | Sent to a text file | TO_TXT | 1.360 1.360 1.573 1.492 | |
| header | Involves ‘china.com’ | CHINA_HEADER | 1.440 1.440 1.665 1.800 | |
| header | Received line contains spam-sign (lowercase smtp) | WITH_LC_SMTP | 1.440 1.440 1.665 1.621 | |
| header | From address has no lower-case characters | FROM_NO_LOWER | 0.365 0.201 0.534 0.141 | |
| header | Subject line starts with Buy or Buying | SUBJ_BUY | 1.311 0.116 0.701 0.255 | |
| header | Received headers forged (AM/PM) | RCVD_AM_PM | 1.760 1.726 2.035 1.662 | |
| header | Multiple Content-Type headers found | HEADER_COUNT_CTYPE | 1.336 1.440 1.665 1.800 | |
| header | Host HELO’d as a big ISP, but had no rDNS | NO_RDNS_DOTCOM_HELO | 0.356 0 0 0 | |
| header | X-Originating-IP doesn’t look like IPv4 address | X_ORIG_IP_NOT_IPV4 | 1 | |
| header | X-Authentication-Warning header looks faked | X_AUTH_WARN_FAKED | 0 0 0.189 0.206 | |
| header | Received header contains faked ‘mr.outblaze.com’ | FAKE_OUTBLAZE_RCVD | 2.480 2.480 2.867 3.100 | |
| header | Message is from domain that never sends email | FROM_NONSENDING_DOMAIN | 1.280 1.254 1.480 1.336 | |
| header | Subject contains common spam sign (2 numbers) | SUBJ_2_NUM_PARENS | 0.952 1.074 1.026 1.206 | |
| header | Headers contain an unclosed bracket | UNCLOSED_BRACKET | 2.480 2.480 2.867 2.900 | |
| header | Organization is MIME-tools | ORG_MIME_TOOLS | 1.760 1.760 2.035 1.920 | |
| header | Message has X-MIME-Autoconverted “Yes” header | X_MIME_AUTOCONVERTED | 2.080 2.080 2.405 2.236 | |
| header | From: domain has series of non-vowel letters | FROM_DOMAIN_NOVOWEL | 1.582 1.592 1.903 2.100 | |
| header | From: localpart has series of non-vowel letters | FROM_LOCAL_NOVOWEL | 2.480 2.331 2.867 2.861 | |
| header | Subject: has long non-vowel letter sequence | SUBJECT_NOVOWEL | 0 0.131 0.327 0.155 | |
| header | From: localpart has long hexadecimal sequence | FROM_LOCAL_HEX | 2.000 1.343 2.240 1.305 | |
| header | From: localpart has long digit sequence | FROM_LOCAL_DIGITS | 1 | |
| header | X-Mailer: header is bulk email fingerprint | X_MAILER_SPAM | 1.840 0.720 1.879 1.365 | |