Jairo Blanco


Antispam filter rules and tests

This list of antispam filters or rules corresponds to the powerful and popular SpamAssassin software, but most antispam programs use exactly the same rules. It shows the messages that antispam programs return, the area in which each rule is applied, its description, and the spam level or points assigned to it.

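Columns: TEST AREA, LOCALE, DESCRIPTION, NAME, SPAM POINTS (local, net, with bayes, with bayes+net). The locale column is empty for every rule listed here. A row with a single value uses that score in all four configurations.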
body Generic Test for Unsolicited Bulk Email GTUBE 1000.000
body Incorporates a tracking ID number TRACKER_ID 2.000 1.295 2.292 1.032
body Weird repeated double-quotation marks WEIRD_QUOTING 1.120 1.200 1.295 1.341
rawbody Extra blank lines in base64 encoding MIME_BASE64_BLANKS 0 0 0.184 0.224
rawbody base64 attachment does not have a file name MIME_BASE64_NO_NAME 0 0 0 0.224
rawbody Message text disguised using base64 encoding MIME_BASE64_TEXT 2.048 1.522 2.749 1.885
rawbody MIME section missing boundary MIME_MISSING_BOUNDARY 1
body Missing blank line between MIME header and body MISSING_MIME_HB_SEP 1
body Multipart message mostly text/html MIME MIME_HTML_MOSTLY 1.703 0.699 2.309 1.102
body Message only has text/html MIME parts MIME_HTML_ONLY 0.414 0.001 0.389 0.001
rawbody Quoted-printable line longer than 76 chars MIME_QP_LONG_LINE 0.159 0 0.234 0
body HTML and text parts are different MPART_ALT_DIFF 0.425 0.137 1.142 0
body HTML and text parts are different MPART_ALT_DIFF_COUNT 1.649 0 1.607 0.708
body MIME character set is an unknown ISO charset MIME_BAD_ISO_CHARSET 3.360 3.360 3.885 4.185
body Character set indicates a foreign language CHARSET_FARAWAY 3.200
body Body contains a ROT13-encoded email address EMAIL_ROT13 1.600 1.680 1.850 2.000
body Message body has 70-80% blank lines BLANK_LINES_70_80 1.499 1.236 1.757 1.805
body Message body has 80-90% blank lines BLANK_LINES_80_90 0.272 0.107 0.810 0
body Message body has 90-100% blank lines BLANK_LINES_90_100 1
body Message body has many words used only once UNIQUE_WORDS 2.066 1.336 2.543 2.347
body Message body mentions many internet domains DOMAIN_RATIO 0 0 0.184 0
body IP to HTTPS link found in HTML HTTPS_IP_MISMATCH 1.920 1.920 2.220 2.400
rawbody Message looks to contain HTML-interrupted text INTERRUPTUS 1.154 0.533 1.106 0.182
body eval:check_ma_non_text() MULTIPART_ALT_NON_TEXT 1
header Passed through trusted hosts only via SMTP ALL_TRUSTED -1.360 -1.440 -1.665 -1.800
header Informational: message was not relayed via SMTP NO_RELAYS -0.001
header NJABL: sender is confirmed open relay RCVD_IN_NJABL_RELAY 1
header NJABL: dialup sender did non-local SMTP RCVD_IN_NJABL_DUL 0 1.713 0 1.946
header NJABL: sender is confirmed spam source RCVD_IN_NJABL_SPAM 0 1.905 0 2.775
header NJABL: sent through multi-stage open relay RCVD_IN_NJABL_MULTI 1
header NJABL: sender is an open formmail RCVD_IN_NJABL_CGI 1
header NJABL: sender is an open proxy RCVD_IN_NJABL_PROXY 0 0.327 0 0.721
header SORBS: sender is open HTTP proxy server RCVD_IN_SORBS_HTTP 1
header SORBS: sender is open SOCKS proxy server RCVD_IN_SORBS_SOCKS 0 1.823 0 2.159
header SORBS: sender is open proxy server RCVD_IN_SORBS_MISC 1
header SORBS: sender is open SMTP relay RCVD_IN_SORBS_SMTP 0 0 0 0.201
header SORBS: sender is a abuseable web server RCVD_IN_SORBS_WEB 0 1.236 0 1.456
header SORBS: sender demands to never be tested RCVD_IN_SORBS_BLOCK 1
header SORBS: sender is on a hijacked network RCVD_IN_SORBS_ZOMBIE 0 0.240 0 0.258
header SORBS: sent directly from dynamic IP address RCVD_IN_SORBS_DUL 0 1.988 0 2.046
header Received via a relay in Spamhaus SBL RCVD_IN_SBL 0 2.712 0 3.160
header Received via a relay in Spamhaus XBL RCVD_IN_XBL 0 3.114 0 3.897
header Envelope sender in dsn.rfc-ignorant.org DNS_FROM_RFC_DSN 0 2.872 0 2.597
header Envelope sender in postmaster.rfc-ignorant.org DNS_FROM_RFC_POST 0 1.440 0 1.708
header Envelope sender in abuse.rfc-ignorant.org DNS_FROM_RFC_ABUSE 0 0.479 0 0.200
header Envelope sender in whois.rfc-ignorant.org DNS_FROM_RFC_WHOIS 0 0.879 0 1.447
header Envelope sender in bogusmx.rfc-ignorant.org DNS_FROM_RFC_BOGUSMX 0 2.034 0 1.945
header CompleteWhois: sender on bogons IP block RCVD_IN_WHOIS_BOGONS 0 1.811 0 2.430
header CompleteWhois: sender on hijacked IP block RCVD_IN_WHOIS_HIJACKED 0 1.0 0 1.0
header CompleteWhois: sender on invalid IP block RCVD_IN_WHOIS_INVALID 0 2.151 0 2.234
header Received via a relay in list.dsbl.org RCVD_IN_DSBL 0 1.801 0 2.600
header From: sender listed in dnsbl.ahbl.org DNS_FROM_AHBL_RHSBL 0 0.306 0 0.231
header Envelope sender in blackholes.securitysage.com DNS_FROM_SECURITYSAGE 0 2.001 0 1.513
header Received via a relay in bl.spamcop.net RCVD_IN_BL_SPAMCOP_NET 0 1.332 0 1.558
header Relay in RBL, http://www.mail-abuse.org/rbl/ RCVD_IN_MAPS_RBL 1
header Relay in DUL, http://www.mail-abuse.org/dul/ RCVD_IN_MAPS_DUL 1
header Relay in RSS, http://www.mail-abuse.org/rss/ RCVD_IN_MAPS_RSS 1
header Relay in NML, http://www.mail-abuse.org/nml/ RCVD_IN_MAPS_NML 1
header Sender is in Bonded Sender Program (trusted relay) RCVD_IN_BSP_TRUSTED 0 -4.3 0 -4.3
header Sender is in Bonded Sender Program (other relay) RCVD_IN_BSP_OTHER 0 -0.1 0 -0.1
header ISIPP IADB lists as vouched-for sender RCVD_IN_IADB_VOUCHED 0 -1.825 0 -2.200
header Habeas Accredited Confirmed Opt-In or Better HABEAS_ACCREDITED_COI 0 -8.0 0 -8.0
header Habeas Accredited Opt-In or Better HABEAS_ACCREDITED_SOI 0 -4.3 0 -4.3
header Habeas Checked HABEAS_CHECKED 0 -0.2 0 -0.2
header Subject contains a gappy version of ‘cialis’ SUBJECT_DRUG_GAP_C 2.880 1.035 3.140 0.614
header Subject contains a gappy version of ‘levitra’ SUBJECT_DRUG_GAP_L 1.840 1.840 2.118 2.300
header Subject contains a gappy version of ‘phentermine’ SUBJECT_DRUG_GAP_P 0.542 0.563 0.834 0.699
header Subject contains a gappy version of ‘soma’ SUBJECT_DRUG_GAP_S 1.729 0.378 2.498 1.581
header Subject contains a gappy version of ‘valium’ SUBJECT_DRUG_GAP_VA 2.437 2.442 2.743 2.619
header Subject contains a gappy version of ‘vicodin’ SUBJECT_DRUG_GAP_VIC 2.720 2.720 3.145 2.656
header Subject contains a gappy version of ‘xanax’ SUBJECT_DRUG_GAP_X 2.262 2.334 2.447 2.401
body Talks about price per dose DRUG_DOSAGE 2.337 1.592 2.745 2.242
body Mentions an E.D. drug DRUG_ED_CAPS 0.547 0.352 1.011 0.501
body Viagra and other drugs DRUG_ED_COMBO 1.280 1.280 1.353 1.375
body Talks about an E.D. drug using its chemical name DRUG_ED_SILD 1.440 0 1.594 0
body Mentions Generic Viagra DRUG_ED_GENERIC 2.140 1.814 2.461 1.807
body Fast Viagra Delivery DRUG_ED_ONLINE 2.160 2.160 2.498 2.700
body Deep discount medications DEEP_DISC_MEDS 1.440 1.132 1.665 1.177
body Online Pharmacy ONLINE_PHARMACY 2.720 2.102 3.145 2.043
body No prescription needed NO_PRESCRIPTION 3.200 2.888 3.700 3.887
body Attempts to disguise the word ‘viagra’ VIA_GAP_GRA 2.480 2.419 2.867 2.529
body Two or more drugs crammed together into one word DRUGS_SMEAR1 1.310 1.372 1.576 1.337
header Host HELO did not match rDNS: msn.com FAKE_HELO_MSN 2.080 2.060 2.358 2.509
header Host HELO did not match rDNS: mail.com FAKE_HELO_MAIL_COM 1.920 1.920 2.220 2.369
header Host HELO did not match rDNS: email.com FAKE_HELO_EMAIL_COM 1.440 1.440 1.665 1.335
header Host HELO did not match rDNS: eudoramail.com FAKE_HELO_EUDORAMAIL 1.360 1.440 1.665 1.705
header Host HELO did not match rDNS: excite.com FAKE_HELO_EXCITE 1
header Host HELO did not match rDNS: lycos.com FAKE_HELO_LYCOS 1
header Host HELO did not match rDNS: yahoo.ca FAKE_HELO_YAHOO_CA 1.186 1.353 1.466 1.599
header Relay HELO’d with suspicious hostname (mail.com) FAKE_HELO_MAIL_COM_DOM 2.160 2.160 2.498 2.700
header Relay HELO’d using suspicious hostname (IP addr 1) HELO_DYNAMIC_IPADDR 3.360 3.360 3.885 4.200
header Relay HELO’d using suspicious hostname (DHCP) HELO_DYNAMIC_DHCP 3.280 2.664 3.792 3.066
header Relay HELO’d using suspicious hostname (HCC) HELO_DYNAMIC_HCC 3.280 3.280 3.792 4.100
header Relay HELO’d using suspicious hostname (ATTBI.com) HELO_DYNAMIC_ATTBI 2.400 2.400 2.775 2.692
header Relay HELO’d using suspicious hostname (Rogers) HELO_DYNAMIC_ROGERS 1.840 1.203 2.127 1.580
header Relay HELO’d using suspicious hostname (Adelphia) HELO_DYNAMIC_ADELPHIA 1.680 1.680 1.942 1.787
header Relay HELO’d using suspicious hostname (T-Dialin) HELO_DYNAMIC_DIALIN 2.080 2.080 2.405 2.600
header Relay HELO’d using suspicious hostname (Hex IP) HELO_DYNAMIC_HEXIP 1.280 1.280 1.480 1.600
header Relay HELO’d using suspicious hostname (Split IP) HELO_DYNAMIC_SPLIT_IP 2.880 2.880 3.330 2.191
header Relay HELO’d using suspicious hostname (YahooBB) HELO_DYNAMIC_YAHOOBB 2.240 2.240 2.590 2.800
header Relay HELO’d using suspicious hostname (OptOnline) HELO_DYNAMIC_OOL 1.840 1.839 2.127 2.012
header Relay HELO’d using suspicious hostname (IP addr 2) HELO_DYNAMIC_IPADDR2 3.280 3.213 3.792 3.818
header Relay HELO’d using suspicious hostname (RR 2) HELO_DYNAMIC_RR2 1.440 1.440 1.665 1.605
header Relay HELO’d using suspicious hostname (Comcast) HELO_DYNAMIC_COMCAST 2.800 2.800 3.237 3.500
header Relay HELO’d using suspicious hostname (Telia) HELO_DYNAMIC_TELIA 1
header Relay HELO’d using suspicious hostname (VTR) HELO_DYNAMIC_VTR 1.440 1.492 1.757 1.287
header Relay HELO’d using suspicious hostname (Chello.no) HELO_DYNAMIC_CHELLO_NO 1
header Relay HELO’d using suspicious hostname (Chello.nl) HELO_DYNAMIC_CHELLO_NL 1.624 0 2.035 0.170
header Relay HELO’d using suspicious hostname (Veloxzone) HELO_DYNAMIC_VELOX 1
header Relay HELO’d using suspicious hostname (NTL) HELO_DYNAMIC_NTL 1.360 1.360 1.573 1.481
header Relay HELO’d using suspicious hostname (Home.nl) HELO_DYNAMIC_HOME_NL 1.600 1.600 1.850 2.000
header Message headers are very long HEAD_LONG 2.5
header Partial message FRAGMENTED_MESSAGE 2.5
header Missing blank line between message header and body MISSING_HB_SEP 2.5
header Informational: message has unparseable relay lines UNPARSEABLE_RELAY 0.001
header From: does not include a real name NO_REAL_NAME 0 0.550 0 0.961
header From: contains empty name FROM_BLANK_NAME 1.659 1.467 0.936 1.534
header From: ends in many numbers FROM_ENDS_IN_NUMS 1.880 2.160 2.405 2.530
header From: starts with many numbers FROM_STARTS_WITH_NUMS 1.337 0.283 1.829 0.724
header From: contains numbers mixed in with letters FROM_HAS_MIXED_NUMS 1.760 1.510 2.127 2.155
header From: contains an underline and numbers/letters FROM_HAS_ULINE_NUMS 0.744 0.217 0.310 0.291
header From numeric address (except US/Canada phones) FROM_ALL_NUMS 1.972 1.920 2.312 2.500
header From address is “at something-offers” FROM_OFFERS 1.680 1.641 1.865 1.960
header From: has no local-part before @ sign FROM_NO_USER 1
header To: has no local-part before @ sign TO_NO_USER 1
header To: is empty TO_EMPTY 0 0 0.115 0.268
header Reply-To: is empty REPLY_TO_EMPTY 0.449 0.640 0.512 0.600
header To: repeats address as real name TO_ADDRESS_EQ_REAL 1
header Valid-looking To “undisclosed-recipients” UNDISC_RECIPS 0.960 0.883 0.712 0.841
header Faked To “Undisclosed-Recipients” FAKED_UNDISC_RECIPS 1
header Subject has exclamation mark and question mark PLING_QUERY 0 0.326 0.623 0.514
header Subject contains a unique ID SUBJ_HAS_UNIQ_ID 0.895 0 1.387 0.190
header Subject contains lots of white space SUBJ_HAS_SPACES 1.758 0.651 2.306 0.870
header Subject is all capitals SUBJ_ALL_CAPS 1.049 1.166 0.459 0.997
header Spam tool Message-Id: (99x9xx99 variant) MSGID_SPAM_99X9XX99 1
header Spam tool Message-Id: (alpha-numeric variant) MSGID_SPAM_ALPHA_NUM 1.920 1.920 2.220 2.255
header Spam tool Message-Id: (caps variant) MSGID_SPAM_CAPS 3.520 3.520 4.070 4.400
header Spam tool Message-Id: (letters variant) MSGID_SPAM_LETTERS 2.400 2.349 2.867 3.021
header Spam tool Message-Id: (12-zeroes variant) MSGID_SPAM_ZEROES 1.222 1.360 1.264 1.607
header Message-Id has no hostname MSGID_NO_HOST 0.533 0.129 0.787 0.285
header Message-Id is fake (in Outlook Express format) MSGID_OUTLOOK_INVALID 2.080 2.027 2.405 2.600
header Message-ID has ALLCAPS@yahoo.com MSGID_YAHOO_CAPS 2.466 1.273 2.720 2.399
header Message-Id for external message added locally MSGID_FROM_MTA_ID 1.103 0.927 1.183 1.393
header Message-Id was added by a hotmail.com relay MSGID_FROM_MTA_HOTMAIL 1
header Message-ID is unusually long MSGID_LONG 0.899 0.267 1.188 1.204
header Message-ID is unusually short MSGID_SHORT 2.480 2.465 2.821 3.100
header Message-ID contains multiple ‘@’ characters MSGID_MULTIPLE_AT 2.880 1.375 3.187 1.914
header Date header uses unusual Y2K formatting DATE_SPAMWARE_Y2K 1.859 1.822 1.944 0.745
header Invalid Date: header (not RFC 2822) INVALID_DATE 1.700 1.760 2.005 2.193
header Invalid Date: header (timezone does not exist) INVALID_DATE_TZ_ABSURD 1.360 1.346 1.573 1.700
header Invalid date in header (wrong CST timezone) INVALID_TZ_CST 2.043 0.153 2.419 0.867
header Invalid date in header (wrong EST timezone) INVALID_TZ_EST 2.720 0.737 3.145 1.883
header Invalid date in header (wrong GMT/UTC timezone) INVALID_TZ_GMT 1.928 1.111 2.163 1.042
header Date: is 3 to 6 hours before Received: date DATE_IN_PAST_03_06 0.736 0 1.122 0.478
header Date: is 6 to 12 hours before Received: date DATE_IN_PAST_06_12 0.846 0.746 0.926 0.827
header Date: is 12 to 24 hours before Received: date DATE_IN_PAST_12_24 0.960 0.881 1.036 1.247
header Date: is 24 to 48 hours before Received: date DATE_IN_PAST_24_48 0.801 0.805 0.976 0.880
header Date: is 48 to 96 hours before Received: date DATE_IN_PAST_48_96 0.383 0.501 0.400 0.379
header Date: is 96 hours or more before Received: date DATE_IN_PAST_96_XX 1.752 1.572 2.101 2.020
header Date: is 3 to 6 hours after Received: date DATE_IN_FUTURE_03_06 2.061 2.007 2.275 1.961
header Date: is 6 to 12 hours after Received: date DATE_IN_FUTURE_06_12 1.680 1.498 1.883 1.668
header Date: is 12 to 24 hours after Received: date DATE_IN_FUTURE_12_24 2.320 2.316 2.775 2.767
header Date: is 24 to 48 hours after Received: date DATE_IN_FUTURE_24_48 2.080 2.080 2.498 2.688
header Date: is 48 to 96 hours after Received: date DATE_IN_FUTURE_48_96 1.680 1.680 1.942 2.100
header Date: is 96 hours or more after Received: date DATE_IN_FUTURE_96_XX 1.920 1.888 2.276 2.403
header Headers contain an unresolved template UNRESOLVED_TEMPLATE 1.520 0.687 1.923 1.324
header Subject: has too many raw illegal characters SUBJ_ILLEGAL_CHARS 3.360 3.360 3.978 4.279
header From: has too many raw illegal characters FROM_ILLEGAL_CHARS 3.280 3.280 3.792 4.100
header Headers have too many raw illegal characters HEAD_ILLEGAL_CHARS 1.652 1.519 1.796 1.606
header Subject: MIME encoded twice SUBJECT_ENCODED_TWICE 0.888 1.543 1.293 1.723
header Subject contains an English UCE tag ENGLISH_UCE_SUBJECT 1.415 0.250 1.850 0.740
header Subject contains a Japanese UCE tag JAPANESE_UCE_SUBJECT 1.280 1.360 1.480 1.700
header Subject: contains Korean unsolicited email tag KOREAN_UCE_SUBJECT 2.480 2.480 2.867 3.100
header From and To are the same, but not exactly FROM_AND_TO_SAME 1
header Received: contains a forged HELO FORGED_RCVD_HELO 0 0 0 0.135
header Received: HELO and IP do not match, but should RCVD_HELO_IP_MISMATCH 3.200 3.200 3.700 4.000
header Received: contains an IP address used for HELO RCVD_NUMERIC_HELO 1.440 1.253 1.665 1.500
header Received: contains illegal IP address RCVD_ILLEGAL_IP 1.585 0.234 1.813 0.288
header Received by mail server with no name RCVD_BY_IP 0.280 0 0 0
header Received forged, contains fake AOL relays FORGED_AOL_RCVD 0.001
header Contains forged hostname for a DSL IP in Brazil FORGED_TELESP_RCVD 1.280 0 1.470 0
header Forged hotmail.com ‘Received:’ header found FORGED_HOTMAIL_RCVD 2.402 2.152 2.820 2.255
header hotmail.com ‘From’ address, but no ‘Received:’ FORGED_HOTMAIL_RCVD2 1.653 0.549 2.127 1.162
header Forged eudoramail.com ‘Received:’ header found FORGED_EUDORAMAIL_RCVD 1.130 0.528 1.454 0.217
header ‘From’ yahoo.com does not match ‘Received’ headers FORGED_YAHOO_RCVD 1.506 0.928 1.794 1.849
header ‘From’ juno.com does not match ‘Received’ headers FORGED_JUNO_RCVD 1.693 1.478 1.787 1.914
header Forged ‘by gw05’ ‘Received:’ header found FORGED_GW05_RCVD 0.001
header Character set doesn’t exist NONEXISTENT_CHARSET 1.280 1.280 1.480 1.506
header A foreign language charset used in headers CHARSET_FARAWAY_HEADER 3.200
header Sent with ‘X-Priority’ set to high X_PRIORITY_HIGH 0 0.122 0 0.433
header Sent with ‘X-Msmail-Priority’ set to high X_MSMAIL_PRIORITY_HIGH 1
header Received: says mail sent around the world (HELO) ROUND_THE_WORLD_LOCAL 1.840 1.429 2.127 1.659
header Missing Date: header MISSING_DATE 1
header Missing To: header MISSING_HEADERS 0 0.189 0 0
header Similar addresses in recipient list SUSPICIOUS_RECIPS 2.240 0.849 2.267 1.757
header Recipient list is sorted by address SORTED_RECIPS 2.800 1.530 3.237 1.960
header Subject: contains G.a.p.p.y-T.e.x.t GAPPY_SUBJECT 1.600 1.625 1.785 1.995
header Message has Prevent-NonDelivery-Report header PREVENT_NONDELIVERY 1.515 1.640 1.737 1.600
header Message has X-IP header X_IP 2.803 1.848 3.286 2.305
header Message has X-Library header X_LIBRARY 1.920 1.920 2.220 2.400
header Message has X-Message-flag header (odd case) X_MESSAGE_FLAG_ODD 2.080 2.080 2.405 2.600
header Subject contains “As Seen” SUBJ_AS_SEEN 1.511 0 1.757 0
header Subject starts with dollar amount SUBJ_DOLLARS 0.650 0.381 0.636 0.301
header Subject contains “For Only” SUBJ_FOR_ONLY 1.104 0.316 1.268 0.415
header Subject contains “FREE” in CAPS SUBJ_FREE_CAP 1
header Subject starts with “Free” SUB_FREE_OFFER 0.286 0 0 0
header Subject GUARANTEED SUBJ_GUARANTEED 1.360 1.421 1.623 1.785
header Subject starts with “Hello” SUB_HELLO 1.840 1.760 2.027 2.141
header Subject includes “life insurance” SUBJ_LIFE_INSURANCE 1.520 1.520 1.757 1.900
header Subject contains “Your Bills” or similar SUBJ_YOUR_DEBT 1.405 0.577 1.757 1.106
header Subject contains “Your Family” SUBJ_YOUR_FAMILY 1.600 0.338 1.850 1.157
header Subject contains “Your Own” SUBJ_YOUR_OWN 1.023 0.127 0.865 0.811
header Received contains a faked HELO hostname RCVD_FAKE_HELO_DOTCOM 2.160 1.652 2.590 2.281
header To: address appears in Subject ADDRESS_IN_SUBJECT 1.053 0 0.919 0.533
header Local part of To: address appears in Subject LOCALPART_IN_SUBJECT 1.559 1.561 1.757 1.900
header Subject talks about losing pounds SUBJECT_DIET 1.812 0.623 2.127 1.330
header Header has extraneous Content-type:…type= entry EXTRA_MPART_TYPE 0.847 0.815 0.733 1.091
header To header contains ‘recipient’ marker TO_RECIP_MARKER 1.044 1.033 1.168 1.038
header Spam tool pattern in MIME boundary MIME_BOUND_DD_DIGITS 3.600 3.600 4.162 4.500
header Spam tool pattern in MIME boundary MIME_BOUND_DIGITS_7 1
header Spam tool pattern in MIME boundary MIME_BOUND_DIGITS_15 2.400 2.400 2.775 2.949
header Spam tool pattern in MIME boundary MIME_BOUND_MANY_HEX 2.160 2.144 2.498 2.700
header Spam tool pattern in MIME boundary (rfkindy) MIME_BOUND_RKFINDY 2.160 2.160 2.498 2.700
header To: has a malformed address TO_MALFORMED 1
header From Address contains FREE ADDR_FREE 0.469 0 1.118 0.205
header Sent to a text file TO_TXT 1.360 1.360 1.573 1.492
header Involves ‘china.com’ CHINA_HEADER 1.440 1.440 1.665 1.800
header Received line contains spam-sign (lowercase smtp) WITH_LC_SMTP 1.440 1.440 1.665 1.621
header From address has no lower-case characters FROM_NO_LOWER 0.365 0.201 0.534 0.141
header Subject line starts with Buy or Buying SUBJ_BUY 1.311 0.116 0.701 0.255
header Received headers forged (AM/PM) RCVD_AM_PM 1.760 1.726 2.035 1.662
header Multiple Content-Type headers found HEADER_COUNT_CTYPE 1.336 1.440 1.665 1.800
header Host HELO’d as a big ISP, but had no rDNS NO_RDNS_DOTCOM_HELO 0.356 0 0 0
header X-Originating-IP doesn’t look like IPv4 address X_ORIG_IP_NOT_IPV4 1
header X-Authentication-Warning header looks faked X_AUTH_WARN_FAKED 0 0 0.189 0.206
header Received header contains faked ‘mr.outblaze.com’ FAKE_OUTBLAZE_RCVD 2.480 2.480 2.867 3.100
header Message is from domain that never sends email FROM_NONSENDING_DOMAIN 1.280 1.254 1.480 1.336
header Subject contains common spam sign (2 numbers) SUBJ_2_NUM_PARENS 0.952 1.074 1.026 1.206
header Headers contain an unclosed bracket UNCLOSED_BRACKET 2.480 2.480 2.867 2.900
header Organization is MIME-tools ORG_MIME_TOOLS 1.760 1.760 2.035 1.920
header Message has X-MIME-Autoconverted “Yes” header X_MIME_AUTOCONVERTED 2.080 2.080 2.405 2.236
header From: domain has series of non-vowel letters FROM_DOMAIN_NOVOWEL 1.582 1.592 1.903 2.100
header From: localpart has series of non-vowel letters FROM_LOCAL_NOVOWEL 2.480 2.331 2.867 2.861
header Subject: has long non-vowel letter sequence SUBJECT_NOVOWEL 0 0.131 0.327 0.155
header From: localpart has long hexadecimal sequence FROM_LOCAL_HEX 2.000 1.343 2.240 1.305
header From: localpart has long digit sequence FROM_LOCAL_DIGITS 1
header X-Mailer: header is bulk email fingerprint X_MAILER_SPAM 1.840 0.720 1.879 1.365