Spamassassin Explanation
from Internet
| Test | Description |
|---|---|
| ACCESSDB | Message would have been caught by accessdb |
| ACT_NOW_CAPS | Talks about 'acting now' with capitals |
| ADDRESS_IN_SUBJECT | To: address appears in Subject |
| ADDR_FREE | From Address contains FREE |
| ADDR_NUMS_AT_BIGSITE | Has an address with lots of numbers at a big ISP |
| ADVANCE_FEE_1 | Appears to be advance fee fraud (Nigerian 419) |
| ADVANCE_FEE_2 | Appears to be advance fee fraud (Nigerian 419) |
| ADVANCE_FEE_3 | Appears to be advance fee fraud (Nigerian 419) |
| ADVANCE_FEE_4 | Appears to be advance fee fraud (Nigerian 419) |
| ALL_NATURAL | Spam is 100% natural?! |
| ALL_TRUSTED | Passed through trusted hosts only via SMTP |
| AMATEUR_PORN | Possible porn - Amateur Porn |
| AMAZING_STUFF | Amazing Stuff |
| AS_SEEN_ON | As seen on national TV! |
| AWL | From: address is in the auto white-list |
| BAD_CREDIT | Eliminate Bad Credit |
| BAD_ENC_HEADER | Message has bad MIME encoding in the header |
| BANG_EXERCISE | Talks about exercise with an exclamation! |
| BANG_GUAR | Something is emphatically guaranteed |
| BANG_MORE | Talks about more with an exclamation! |
| BANG_OPRAH | Talks about Oprah with an exclamation! |
| BARGAIN_URL | Includes a link to a likely spammer domain |
| BAYES_00 | Bayesian spam probability is 0 to 1% |
| BAYES_05 | Bayesian spam probability is 1 to 5% |
| BAYES_20 | Bayesian spam probability is 5 to 20% |
| BAYES_40 | Bayesian spam probability is 20 to 40% |
| BAYES_50 | Bayesian spam probability is 40 to 60% |
| BAYES_60 | Bayesian spam probability is 60 to 80% |
| BAYES_80 | Bayesian spam probability is 80 to 95% |
| BAYES_95 | Bayesian spam probability is 95 to 99% |
| BAYES_99 | Bayesian spam probability is 99 to 100% |
| BEST_PORN | Possible porn - Best, Largest, Most Porn |
| BE_BOSS | Be your own boss |
| BILLION_DOLLARS | Talks about lots of money |
| BILL_1618 | Possible mention of bill 1618 (anti-spam bill) |
| BIZ_TLD | Contains an URL in the BIZ top-level domain |
| BLANK_LINES_70_80 | Message body has 70-80% blank lines |
| BLANK_LINES_80_90 | Message body has 80-90% blank lines |
| BLANK_LINES_90_100 | Message body has 90-100% blank lines |
| BODY_8BITS | Body includes 8 consecutive 8-bit characters |
| BODY_ENHANCEMENT | Information on growing body parts |
| BODY_ENHANCEMENT2 | Information on getting larger body parts |
| CHARSET_FARAWAY | Character set indicates a foreign language |
| CHARSET_FARAWAY_HEADER | A foreign language charset used in headers |
| CHINA_HEADER | Involves 'china.com' |
| CLICK_BELOW_CAPS | Asks you to click below (in capital letters) |
| CLICK_TO_REMOVE_1 | Click to be removed |
| COMPETE | Compete for your business |
| CONFIDENTIAL_ORDER | Confidentiality on all orders |
| CONFIRMED_FORGED | Received headers are forged |
| CONSOLIDATE_DEBT | Consolidate debt, credit, or bills |
| CUM_SHOT | Possible porn - Cum Shot |
| DATE_IN_FUTURE_03_06 | Date: is 3 to 6 hours after Received: date |
| DATE_IN_FUTURE_06_12 | Date: is 6 to 12 hours after Received: date |
| DATE_IN_FUTURE_12_24 | Date: is 12 to 24 hours after Received: date |
| DATE_IN_FUTURE_24_48 | Date: is 24 to 48 hours after Received: date |
| DATE_IN_FUTURE_48_96 | Date: is 48 to 96 hours after Received: date |
| DATE_IN_FUTURE_96_XX | Date: is 96 hours or more after Received: date |
| DATE_IN_PAST_03_06 | Date: is 3 to 6 hours before Received: date |
| DATE_IN_PAST_06_12 | Date: is 6 to 12 hours before Received: date |
| DATE_IN_PAST_12_24 | Date: is 12 to 24 hours before Received: date |
| DATE_IN_PAST_24_48 | Date: is 24 to 48 hours before Received: date |
| DATE_IN_PAST_48_96 | Date: is 48 to 96 hours before Received: date |
| DATE_IN_PAST_96_XX | Date: is 96 hours or more before Received: date |
| DATE_SPAMWARE_Y2K | Date header uses unusual Y2K formatting |
| DAV_NON_HOTMAIL | Message sent using DAV, but not via Hotmail |
| DCC_CHECK | Listed in DCC (http://rhyolite.com/anti-spam/dcc/) |
| DEAR_FRIEND | Dear Friend? That's not very dear! |
| DEAR_SOMETHING | Contains 'Dear (something)' |
| DEEP_DISC_MEDS | Deep discount medications |
| DIET_1 | Lose Weight Spam |
| DIET_2 | Describes weight loss |
| DIET_3 | Describes body fat loss |
| DIGEST_MULTIPLE | Message hits more than one network digest check |
| DISGUISE_PORN | Attempts to disguise porn words |
| DISGUISE_PORN_MUNDANE | Attempts to disguise mundane words used in porn |
| DKIM_POLICY_SIGNALL | Domain Keys Identified Mail: policy says domain signs all mails |
| DKIM_POLICY_SIGNSOME | Domain Keys Identified Mail: policy says domain signs some mails |
| DKIM_POLICY_TESTING | Domain Keys Identified Mail: policy says domain is testing DK |
| DKIM_SIGNED | Domain Keys Identified Mail: message has a signature |
| DKIM_VERIFIED | Domain Keys Identified Mail: signature passes verification |
| DK_POLICY_SIGNALL | Domain Keys: policy says domain signs all mails |
| DK_POLICY_SIGNSOME | Domain Keys: policy says domain signs some mails |
| DK_POLICY_TESTING | Domain Keys: policy says domain is testing DK |
| DK_SIGNED | Domain Keys: message has an unverified signature |
| DK_VERIFIED | Domain Keys: signature passes verification |
| DNS_FROM_AHBL_RHSBL | From: sender listed in dnsbl.ahbl.org |
| DNS_FROM_RFC_ABUSE | Envelope sender in abuse.rfc-ignorant.org |
| DNS_FROM_RFC_BOGUSMX | Envelope sender in bogusmx.rfc-ignorant.org |
| DNS_FROM_RFC_DSN | Envelope sender in dsn.rfc-ignorant.org |
| DNS_FROM_RFC_POST | Envelope sender in postmaster.rfc-ignorant.org |
| DNS_FROM_RFC_WHOIS | Envelope sender in whois.rfc-ignorant.org |
| DNS_FROM_SECURITYSAGE | Envelope sender in blackholes.securitysage.com |
| DOMAIN_4U2 | Domain name containing a "4u" variant |
| DOMAIN_RATIO | Message body mentions many internet domains |
| DRUGS_ANXIETY | Refers to an anxiety control drug |
| DRUGS_ANXIETY_EREC | Refers to both an erectile and an anxiety drug |
| DRUGS_ANXIETY_OBFU | Obfuscated reference to an anxiety control drug |
| DRUGS_DIET | Refers to a diet drug |
| DRUGS_DIET_OBFU | Obfuscated reference to a diet drug |
| DRUGS_ERECTILE | Refers to an erectile drug |
| DRUGS_ERECTILE_OBFU | Obfuscated reference to an erectile drug |
| DRUGS_MANYKINDS | Refers to at least four kinds of drugs |
| DRUGS_MUSCLE | Refers to a muscle relaxant |
| DRUGS_PAIN | Refers to a pain relief drug |
| DRUGS_PAIN_OBFU | Obfuscated reference to a pain relief drug |
| DRUGS_SLEEP | Refers to a sleep aid drug |
| DRUGS_SLEEP_EREC | Refers to both an erectile and a sleep aid drug |
| DRUGS_SMEAR1 | Two or more drugs crammed together into one word |
| DRUG_DOSAGE | Talks about price per dose |
| DRUG_ED_CAPS | Mentions an E.D. drug |
| DRUG_ED_COMBO | Viagra and other drugs |
| DRUG_ED_GENERIC | Mentions Generic Viagra |
| DRUG_ED_ONLINE | Fast Viagra Delivery |
| DRUG_ED_SILD | Talks about an E.D. drug using its chemical name |
| EARN_PER_WEEK | Contains 'earn $something per week' |
| EMAIL_ROT13 | Body contains a ROT13-encoded email address |
| EMPTY_MESSAGE | Message appears to have no textual parts and no Subject: text |
| EM_ROLEX | Message puts emphasis on the watch manufacturer |
| ENGLISH_UCE_SUBJECT | Subject contains an English UCE tag |
| ENTITY_DEC_ALPHANUM | HTML contains needlessly encoded characters |
| ENV_AND_HDR_DKIM_MATCH | Env and Hdr From used in default DKIM WL Match |
| ENV_AND_HDR_DK_MATCH | Env and Hdr From used in default DK WL Match |
| ENV_AND_HDR_SPF_MATCH | Env and Hdr From used in default SPF WL Match |
| EXCUSE_10 | "if you do not wish to receive any more" |
| EXCUSE_12 | Nobody's perfect |
| EXCUSE_23 | Claims you have provided permission |
| EXCUSE_24 | Claims you wanted this ad |
| EXCUSE_4 | Claims you can be removed from the list |
| EXCUSE_6 | Claims you can be removed from the list |
| EXCUSE_REMOVE | Talks about how to be removed from mailings |
| EXTRA_CASH | Offers Extra Cash |
| EXTRA_MPART_TYPE | Header has extraneous Content-type:...type= entry |
| FAKED_UNDISC_RECIPS | Faked To "Undisclosed-Recipients" |
| FAKE_HELO_EMAIL_COM | Host HELO did not match rDNS: email.com |
| FAKE_HELO_EUDORAMAIL | Host HELO did not match rDNS: eudoramail.com |
| FAKE_HELO_EXCITE | Host HELO did not match rDNS: excite.com |
| FAKE_HELO_LYCOS | Host HELO did not match rDNS: lycos.com |
| FAKE_HELO_MAIL_COM | Host HELO did not match rDNS: mail.com |
| FAKE_HELO_MAIL_COM_DOM | Relay HELO'd with suspicious hostname (mail.com) |
| FAKE_HELO_MSN | Host HELO did not match rDNS: msn.com |
| FAKE_HELO_YAHOO_CA | Host HELO did not match rDNS: yahoo.ca |
| FAKE_OUTBLAZE_RCVD | Received header contains faked 'mr.outblaze.com' |
| FIN_FREE | Freedom of a financial nature |
| FORGED_AOL_RCVD | Received forged, contains fake AOL relays |
| FORGED_AOL_TAGS | AOL mailers can't send HTML in this format |
| FORGED_EUDORAMAIL_RCVD | Forged eudoramail.com 'Received:' header found |
| FORGED_GW05_RCVD | Forged 'by gw05' 'Received:' header found |
| FORGED_HOTMAIL_RCVD | Forged hotmail.com 'Received:' header found |
| FORGED_HOTMAIL_RCVD2 | hotmail.com 'From' address, but no 'Received:' |
| FORGED_IMS_HTML | IMS can't send HTML message only |
| FORGED_IMS_TAGS | IMS mailers can't send HTML in this format |
| FORGED_JUNO_RCVD | 'From' juno.com does not match 'Received' headers |
| FORGED_MSGID_AOL | Message-ID is forged, (aol.com) |
| FORGED_MSGID_EXCITE | Message-ID is forged, (excite.com) |
| FORGED_MSGID_HOTMAIL | Message-ID is forged, (hotmail.com) |
| FORGED_MSGID_MSN | Message-ID is forged, (msn.com) |
| FORGED_MSGID_YAHOO | Message-ID is forged, (yahoo.com) |
| FORGED_MUA_AOL_FROM | Forged mail pretending to be from AOL (by From) |
| FORGED_MUA_EUDORA | Forged mail pretending to be from Eudora |
| FORGED_MUA_IMS | Forged mail pretending to be from IMS |
| FORGED_MUA_MOZILLA | Forged mail pretending to be from Mozilla |
| FORGED_MUA_OIMO | Forged mail pretending to be from MS Outlook IMO |
| FORGED_MUA_OUTLOOK | Forged mail pretending to be from MS Outlook |
| FORGED_MUA_THEBAT_BOUN | Mail pretending to be from The Bat! (boundary) |
| FORGED_MUA_THEBAT_CS | Mail pretending to be from The Bat! (charset) |
| FORGED_OUTLOOK_HTML | Outlook can't send HTML message only |
| FORGED_OUTLOOK_TAGS | Outlook can't send HTML in this format |
| FORGED_QUALCOMM_TAGS | QUALCOMM mailers can't send HTML in this format |
| FORGED_RCVD_HELO | Received: contains a forged HELO |
| FORGED_TELESP_RCVD | Contains forged hostname for a DSL IP in Brazil |
| FORGED_THEBAT_HTML | The Bat! can't send HTML message only |
| FORGED_YAHOO_RCVD | 'From' yahoo.com does not match 'Received' headers |
| FORWARD_LOOKING | Stock Disclaimer Statement |
| FRAGMENTED_MESSAGE | Partial message |
| FREE_ACCESS | Contains 'free access' with capitals |
| FREE_PORN | Possible porn - Free Porn |
| FREE_PREVIEW | Free Preview |
| FREE_QUOTE_INSTANT | Free express or no-obligation quote |
| FREE_SAMPLE | Contains 'free sample' with capitals |
| FROM_ALL_NUMS | From numeric address (except US/Canada phones) |
| FROM_AND_TO_SAME | From and To are the same, but not exactly |
| FROM_BLANK_NAME | From: contains empty name |
| FROM_DOMAIN_NOVOWEL | From: domain has series of non-vowel letters |
| FROM_ENDS_IN_NUMS | From: ends in many numbers |
| FROM_EXCESS_BASE64 | From: base64 encoded unnecessarily |
| FROM_EXCESS_QP | From: quoted-printable encoded unnecessarily |
| FROM_HAS_MIXED_NUMS | From: contains numbers mixed in with letters |
| FROM_HAS_ULINE_NUMS | From: contains an underline and numbers/letters |
| FROM_ILLEGAL_CHARS | From: has too many raw illegal characters |
| FROM_LOCAL_DIGITS | From: localpart has long digit sequence |
| FROM_LOCAL_HEX | From: localpart has long hexadecimal sequence |
| FROM_LOCAL_NOVOWEL | From: localpart has series of non-vowel letters |
| FROM_NONSENDING_DOMAIN | Message is from domain that never sends email |
| FROM_NO_LOWER | From address has no lower-case characters |
| FROM_NO_USER | From: has no local-part before @ sign |
| FROM_OFFERS | From address is "at something-offers" |
| FROM_STARTS_WITH_NUMS | From: starts with many numbers |
| FRONTPAGE | Frontpage used to create the message |
| FULL_REFUND | Offers a full refund |
| FUZZY_AFFORDABLE | Attempt to obfuscate words in spam |
| FUZZY_AMBIEN | Attempt to obfuscate words in spam |
| FUZZY_BILLION | Attempt to obfuscate words in spam |
| FUZZY_CELEBREX | Attempt to obfuscate words in spam |
| FUZZY_CPILL | Attempt to obfuscate words in spam |
| FUZZY_CREDIT | Attempt to obfuscate words in spam |
| FUZZY_ERECT | Attempt to obfuscate words in spam |
| FUZZY_FOLLOW | Attempt to obfuscate words in spam |
| FUZZY_GUARANTEE | Attempt to obfuscate words in spam |
| FUZZY_MEDICATION | Attempt to obfuscate words in spam |
| FUZZY_MILF | Attempt to obfuscate words in spam |
| FUZZY_MILLION | Attempt to obfuscate words in spam |
| FUZZY_MONEY | Attempt to obfuscate words in spam |
| FUZZY_MORTGAGE | Attempt to obfuscate words in spam |
| FUZZY_OBLIGATION | Attempt to obfuscate words in spam |
| FUZZY_OFFERS | Attempt to obfuscate words in spam |
| FUZZY_PHARMACY | Attempt to obfuscate words in spam |
| FUZZY_PHENT | Attempt to obfuscate words in spam |
| FUZZY_PLEASE | Attempt to obfuscate words in spam |
| FUZZY_PRESCRIPT | Attempt to obfuscate words in spam |
| FUZZY_PRICES | Attempt to obfuscate words in spam |
| FUZZY_REFINANCE | Attempt to obfuscate words in spam |
| FUZZY_REMOVE | Attempt to obfuscate words in spam |
| FUZZY_ROLEX | Attempt to obfuscate words in spam |
| FUZZY_SOFTWARE | Attempt to obfuscate words in spam |
| FUZZY_THOUSANDS | Attempt to obfuscate words in spam |
| FUZZY_TRAMADOL | Attempt to obfuscate words in spam |
| FUZZY_VICODIN | Attempt to obfuscate words in spam |
| FUZZY_VIOXX | Attempt to obfuscate words in spam |
| FUZZY_VLIUM | Attempt to obfuscate words in spam |
| FUZZY_VPILL | Attempt to obfuscate words in spam |
| FUZZY_XPILL | Attempt to obfuscate words in spam |
| GAPPY_SUBJECT | Subject: contains G.a.p.p.y-T.e.x.t |
| GET_PAID | Get Paid |
| GTUBE | Generic Test for Unsolicited Bulk Email |
| GUARANTEED_100_PERCENT | One hundred percent guaranteed |
| GUARANTEED_STUFF | Guaranteed Stuff |
| HABEAS_ACCREDITED_COI | Habeas Accredited Confirmed Opt-In or Better |
| HABEAS_ACCREDITED_SOI | Habeas Accredited Opt-In or Better |
| HABEAS_CHECKED | Habeas Checked |
| HAIR_LOSS | Cures Baldness |
| HARDCORE_PORN | Possible porn - Hardcore Porn |
| HASHCASH_20 | Contains valid Hashcash token (20 bits) |
| HASHCASH_21 | Contains valid Hashcash token (21 bits) |
| HASHCASH_22 | Contains valid Hashcash token (22 bits) |
| HASHCASH_23 | Contains valid Hashcash token (23 bits) |
| HASHCASH_24 | Contains valid Hashcash token (24 bits) |
| HASHCASH_25 | Contains valid Hashcash token (25 bits) |
| HASHCASH_2SPEND | Hashcash token already spent in another mail |
| HASHCASH_HIGH | Contains valid Hashcash token (>25 bits) |
| HDR_ORDER_MTSRIX | Headers are in order found in spam (MTSRIX) |
| HDR_ORDER_TRIMRS | Headers are in order found in spam (TRIMRS) |
| HEADER_COUNT_CTYPE | Multiple Content-Type headers found |
| HEADER_SPAM | Bulk email fingerprint (header-based) found |
| HEAD_ILLEGAL_CHARS | Headers have too many raw illegal characters |
| HEAD_LONG | Message headers are very long |
| HELO_DYNAMIC_ADELPHIA | Relay HELO'd using suspicious hostname (Adelphia) |
| HELO_DYNAMIC_ATTBI | Relay HELO'd using suspicious hostname (ATTBI.com) |
| HELO_DYNAMIC_CHELLO_NL | Relay HELO'd using suspicious hostname (Chello.nl) |
| HELO_DYNAMIC_CHELLO_NO | Relay HELO'd using suspicious hostname (Chello.no) |
| HELO_DYNAMIC_COMCAST | Relay HELO'd using suspicious hostname (Comcast) |
| HELO_DYNAMIC_DHCP | Relay HELO'd using suspicious hostname (DHCP) |
| HELO_DYNAMIC_DIALIN | Relay HELO'd using suspicious hostname (T-Dialin) |
| HELO_DYNAMIC_HCC | Relay HELO'd using suspicious hostname (HCC) |
| HELO_DYNAMIC_HEXIP | Relay HELO'd using suspicious hostname (Hex IP) |
| HELO_DYNAMIC_HOME_NL | Relay HELO'd using suspicious hostname (Home.nl) |
| HELO_DYNAMIC_IPADDR | Relay HELO'd using suspicious hostname (IP addr 1) |
| HELO_DYNAMIC_IPADDR2 | Relay HELO'd using suspicious hostname (IP addr 2) |
| HELO_DYNAMIC_NTL | Relay HELO'd using suspicious hostname (NTL) |
| HELO_DYNAMIC_OOL | Relay HELO'd using suspicious hostname (OptOnline) |
| HELO_DYNAMIC_ROGERS | Relay HELO'd using suspicious hostname (Rogers) |
| HELO_DYNAMIC_RR2 | Relay HELO'd using suspicious hostname (RR 2) |
| HELO_DYNAMIC_SPLIT_IP | Relay HELO'd using suspicious hostname (Split IP) |
| HELO_DYNAMIC_TELIA | Relay HELO'd using suspicious hostname (Telia) |
| HELO_DYNAMIC_VELOX | Relay HELO'd using suspicious hostname (Veloxzone) |
| HELO_DYNAMIC_VTR | Relay HELO'd using suspicious hostname (VTR) |
| HELO_DYNAMIC_YAHOOBB | Relay HELO'd using suspicious hostname (YahooBB) |
| HG_HORMONE | Talks about hormones for human growth |
| HIDDEN_CHARGES | Talks about Hidden Charges |
| HIDE_WIN_STATUS | Javascript to hide URLs in browser |
| HOT_NASTY | Possible porn - Hot, Nasty, Wild, Young |
| HTML_00_10 | Message is 0% to 10% HTML |
| HTML_10_20 | Message is 10% to 20% HTML |
| HTML_20_30 | Message is 20% to 30% HTML |
| HTML_30_40 | Message is 30% to 40% HTML |
| HTML_40_50 | Message is 40% to 50% HTML |
| HTML_50_60 | Message is 50% to 60% HTML |
| HTML_60_70 | Message is 60% to 70% HTML |
| HTML_70_80 | Message is 70% to 80% HTML |
| HTML_80_90 | Message is 80% to 90% HTML |
| HTML_90_100 | Message is 90% to 100% HTML |
| HTML_ATTR_BAD | HTML has many bad attributes in tags |
| HTML_ATTR_UNIQUE | HTML appears to have random attributes in tags |
| HTML_BACKHAIR_2 | HTML tags used to obfuscate words |
| HTML_BACKHAIR_4 | HTML tags used to obfuscate words |
| HTML_BACKHAIR_8 | HTML tags used to obfuscate words |
| HTML_BADTAG_00_10 | HTML message is 0% to 10% bad tags |
| HTML_BADTAG_10_20 | HTML message is 10% to 20% bad tags |
| HTML_BADTAG_20_30 | HTML message is 20% to 30% bad tags |
| HTML_BADTAG_30_40 | HTML message is 30% to 40% bad tags |
| HTML_BADTAG_40_50 | HTML message is 40% to 50% bad tags |
| HTML_BADTAG_50_60 | HTML message is 50% to 60% bad tags |
| HTML_BADTAG_60_70 | HTML message is 60% to 70% bad tags |
| HTML_BADTAG_70_80 | HTML message is 70% to 80% bad tags |
| HTML_BADTAG_80_90 | HTML message is 80% to 90% bad tags |
| HTML_BADTAG_90_100 | HTML message is 90% to 100% bad tags |
| HTML_CHARSET_FARAWAY | A foreign language charset used in HTML markup |
| HTML_COMMENT_SAVED_URL | HTML message is a saved web page |
| HTML_COMMENT_SHORT | HTML comment is very short |
| HTML_EHTML2 | HTML has doubled end HTML tag |
| HTML_EMBEDS | HTML with embedded plugin object |
| HTML_EVENT_UNSAFE | HTML contains unsafe auto-executing code |
| HTML_EXTRA_CLOSE | HTML contains far too many close tags |
| HTML_FONT_BIG | HTML tag for a big font size |
| HTML_FONT_FACE_BAD | HTML font face is not a word |
| HTML_FONT_FACE_CAPS | HTML font face has excess capital characters |
| HTML_FONT_INVISIBLE | HTML font color is same as background |
| HTML_FONT_LOW_CONTRAST | HTML font color similar to background |
| HTML_FONT_SIZE_HUGE | HTML font size is huge |
| HTML_FONT_SIZE_LARGE | HTML font size is large |
| HTML_FONT_SIZE_NONE | HTML font size is negative |
| HTML_FONT_SIZE_TINY | HTML font size is tiny |
| HTML_FONT_TINY | HTML tag for a tiny font size |
| HTML_FORMACTION_MAILTO | HTML includes a form which sends mail |
| HTML_IMAGE_ONLY_04 | HTML: images with 0-400 bytes of words |
| HTML_IMAGE_ONLY_08 | HTML: images with 400-800 bytes of words |
| HTML_IMAGE_ONLY_12 | HTML: images with 800-1200 bytes of words |
| HTML_IMAGE_ONLY_16 | HTML: images with 1200-1600 bytes of words |
| HTML_IMAGE_ONLY_20 | HTML: images with 1600-2000 bytes of words |
| HTML_IMAGE_ONLY_24 | HTML: images with 2000-2400 bytes of words |
| HTML_IMAGE_ONLY_28 | HTML: images with 2400-2800 bytes of words |
| HTML_IMAGE_ONLY_32 | HTML: images with 2800-3200 bytes of words |
| HTML_IMAGE_RATIO_02 | HTML has a low ratio of text to image area |
| HTML_IMAGE_RATIO_04 | HTML has a low ratio of text to image area |
| HTML_IMAGE_RATIO_06 | HTML has a low ratio of text to image area |
| HTML_IMAGE_RATIO_08 | HTML has a low ratio of text to image area |
| HTML_LINK_OPT_OUT | HTML link text says "opt out" or similar |
| HTML_LINK_PUSH_HERE | HTML link text says "push here" or similar |
| HTML_MESSAGE | HTML included in message |
| HTML_MIME_NO_HTML_TAG | HTML-only message, but there is no HTML tag |
| HTML_MISSING_CTYPE | Message is HTML without HTML Content-Type |
| HTML_NONELEMENT_00_10 | 0% to 10% of HTML elements are non-standard |
| HTML_NONELEMENT_10_20 | 10% to 20% of HTML elements are non-standard |
| HTML_NONELEMENT_20_30 | 20% to 30% of HTML elements are non-standard |
| HTML_NONELEMENT_30_40 | 30% to 40% of HTML elements are non-standard |
| HTML_NONELEMENT_40_50 | 40% to 50% of HTML elements are non-standard |
| HTML_NONELEMENT_50_60 | 50% to 60% of HTML elements are non-standard |
| HTML_NONELEMENT_60_70 | 60% to 70% of HTML elements are non-standard |
| HTML_NONELEMENT_70_80 | 70% to 80% of HTML elements are non-standard |
| HTML_NONELEMENT_80_90 | 80% to 90% of HTML elements are non-standard |
| HTML_NONELEMENT_90_100 | 90% to 100% of HTML elements are non-standard |
| HTML_OBFUSCATE_05_10 | Message is 5% to 10% HTML obfuscation |
| HTML_OBFUSCATE_10_20 | Message is 10% to 20% HTML obfuscation |
| HTML_OBFUSCATE_20_30 | Message is 20% to 30% HTML obfuscation |
| HTML_OBFUSCATE_30_40 | Message is 30% to 40% HTML obfuscation |
| HTML_OBFUSCATE_40_50 | Message is 40% to 50% HTML obfuscation |
| HTML_OBFUSCATE_50_60 | Message is 50% to 60% HTML obfuscation |
| HTML_OBFUSCATE_60_70 | Message is 60% to 70% HTML obfuscation |
| HTML_OBFUSCATE_70_80 | Message is 70% to 80% HTML obfuscation |
| HTML_OBFUSCATE_80_90 | Message is 80% to 90% HTML obfuscation |
| HTML_OBFUSCATE_90_100 | Message is 90% to 100% HTML obfuscation |
| HTML_SHORT_CENTER | HTML is very short with CENTER tag |
| HTML_SHORT_COMMENT | HTML is very short with HTML comments |
| HTML_SHORT_LENGTH | HTML is extremely short |
| HTML_SHORT_LINK_IMG_1 | HTML is very short with a linked image |
| HTML_SHORT_LINK_IMG_2 | HTML is very short with a linked image |
| HTML_SHORT_LINK_IMG_3 | HTML is very short with a linked image |
| HTML_SHOUTING3 | HTML has very strong "shouting" markup |
| HTML_SHOUTING4 | HTML has very strong "shouting" markup |
| HTML_SHOUTING5 | HTML has very strong "shouting" markup |
| HTML_SHOUTING6 | HTML has very strong "shouting" markup |
| HTML_SHOUTING7 | HTML has very strong "shouting" markup |
| HTML_TAG_BALANCE_BODY | HTML has unbalanced "body" tags |
| HTML_TAG_BALANCE_HEAD | HTML has unbalanced "head" tags |
| HTML_TAG_EXIST_BGSOUND | HTML has "bgsound" tag |
| HTML_TAG_EXIST_MARQUEE | HTML has "marquee" tag |
| HTML_TAG_EXIST_TBODY | HTML has "tbody" tag |
| HTML_TEXT_AFTER_BODY | HTML contains text after BODY close tag |
| HTML_TEXT_AFTER_HTML | HTML contains text after HTML close tag |
| HTML_TINY_FONT | body contains 1 or 0-point font |
| HTML_TITLE_EMPTY | HTML title contains no text |
| HTML_TITLE_LONG | HTML title is very long |
| HTML_TITLE_UNTITLED | HTML title contains "Untitled" |
| HTTPS_IP_MISMATCH | IP to HTTPS link found in HTML |
| HTTP_77 | Contains an URL-encoded hostname (HTTP77) |
| HTTP_CTRL_CHARS_HOST | Uses control sequences inside a URL hostname |
| HTTP_ESCAPED_HOST | Uses %-escapes inside a URL's hostname |
| HTTP_EXCESSIVE_ESCAPES | Completely unnecessary %-escapes inside a URL |
| IMPOTENCE | Impotence cure |
| INFO_TLD | Contains an URL in the INFO top-level domain |
| INTERRUPTUS | Message looks to contain HTML-interrupted text |
| INVALID_DATE | Invalid Date: header (not RFC 2822) |
| INVALID_DATE_TZ_ABSURD | Invalid Date: header (timezone does not exist) |
| INVALID_MSGID | Message-Id is not valid, according to RFC 2822 |
| INVALID_TZ_CST | Invalid date in header (wrong CST timezone) |
| INVALID_TZ_EST | Invalid date in header (wrong EST timezone) |
| INVALID_TZ_GMT | Invalid date in header (wrong GMT/UTC timezone) |
| INVESTMENT_ADVICE | Message mentions investment advice |
| INVESTMENT_EXPERT | Message mentions investment expert |
| IP_LINK_PLUS | Dotted-decimal IP address followed by CGI |
| JAPANESE_UCE_SUBJECT | Subject contains a Japanese UCE tag |
| JOIN_MILLIONS | Join Millions of Americans |
| JS_FROMCHARCODE | Document is built from a Javascript charcode array |
| KOREAN_UCE_SUBJECT | Subject: contains Korean unsolicited email tag |
| LIVE_PORN | Possible porn - Live Porn |
| LOCALPART_IN_SUBJECT | Local part of To: address appears in Subject |
| LONGWORDS | Long string of long words |
| LOTS_OF_STUFF | Thousands or millions of pictures, movies, etc. |
| LOW_PRICE | Lowest Price |
| MAILTO_SUBJ_REMOVE | mailto URI includes removal text |
| MAILTO_TO_REMOVE | Includes a 'remove' email address |
| MAILTO_TO_SPAM_ADDR | Includes a link to a likely spammer email |
| MALE_ENHANCE | Message talks about enhancing men |
| MANY_EXCLAMATIONS | Subject has many exclamations |
| MARKETING_PARTNERS | Claims you registered with a partner |
| MEET_SINGLES | Meet Singles |
| MICROSOFT_EXECUTABLE | Message includes Microsoft executable program |
| MICRO_CAP_WARNING | SEC-mandated penny-stock warning |
| MILLION_USD | Talks about millions of dollars |
| MIME_BAD_ISO_CHARSET | MIME character set is an unknown ISO charset |
| MIME_BASE64_BLANKS | Extra blank lines in base64 encoding |
| MIME_BASE64_NO_NAME | base64 attachment does not have a file name |
| MIME_BASE64_TEXT | Message text disguised using base64 encoding |
| MIME_BOUND_DD_DIGITS | Spam tool pattern in MIME boundary |
| MIME_BOUND_DIGITS_15 | Spam tool pattern in MIME boundary |
| MIME_BOUND_DIGITS_7 | Spam tool pattern in MIME boundary |
| MIME_BOUND_MANY_HEX | Spam tool pattern in MIME boundary |
| MIME_BOUND_NEXTPART | Spam tool pattern in MIME boundary |
| MIME_BOUND_RKFINDY | Spam tool pattern in MIME boundary (rfkindy) |
| MIME_CHARSET_FARAWAY | MIME character set indicates foreign language |
| MIME_HEADER_CTYPE_ONLY | 'Content-Type' found without required MIME headers |
| MIME_HTML_MOSTLY | Multipart message mostly text/html MIME |
| MIME_HTML_ONLY | Message only has text/html MIME parts |
| MIME_HTML_ONLY_MULTI | Multipart message only has text/html MIME parts |
| MIME_MISSING_BOUNDARY | MIME section missing boundary |
| MIME_QP_LONG_LINE | Quoted-printable line longer than 76 chars |
| MIME_SUSPECT_NAME | MIME filename does not match content |
| MISSING_DATE | Missing Date: header |
| MISSING_HB_SEP | Missing blank line between message header and body |
| MISSING_HEADERS | Missing To: header |
| MISSING_MIMEOLE | Message has X-MSMail-Priority, but no X-MimeOLE |
| MISSING_MIME_HB_SEP | Missing blank line between MIME header and body |
| MISSING_SUBJECT | Missing Subject: header |
| ML_MARKETING | Multi Level Marketing mentioned |
| MONEY_BACK | Money back guarantee |
| MORE_SEX | Talks about a bigger drive for sex |
| MORTGAGE_BEST | Information on mortgages |
| MORTGAGE_PITCH | Looks like mortgage pitch |
| MORTGAGE_RATES | Information on mortgage rates |
| MPART_ALT_DIFF | HTML and text parts are different |
| MPART_ALT_DIFF_COUNT | HTML and text parts are different |
| MSGID_DOLLARS | Message-Id has pattern used in spam |
| MSGID_FROM_MTA_HEADER | Message-Id was added by a relay |
| MSGID_FROM_MTA_HOTMAIL | Message-Id was added by a hotmail.com relay |
| MSGID_FROM_MTA_ID | Message-Id for external message added locally |
| MSGID_LONG | Message-ID is unusually long |
| MSGID_MULTIPLE_AT | Message-ID contains multiple '@' characters |
| MSGID_NO_HOST | Message-Id has no hostname |
| MSGID_OUTLOOK_INVALID | Message-Id is fake (in Outlook Express format) |
| MSGID_RANDY | Message-Id has pattern used in spam |
| MSGID_RATWARE1 | Bulk email fingerprint found |
| MSGID_SHORT | Message-ID is unusually short |
| MSGID_SPAM_99X9XX99 | Spam tool Message-Id: (99x9xx99 variant) |
| MSGID_SPAM_ALPHA_NUM | Spam tool Message-Id: (alpha-numeric variant) |
| MSGID_SPAM_CAPS | Spam tool Message-Id: (caps variant) |
| MSGID_SPAM_LETTERS | Spam tool Message-Id: (letters variant) |
| MSGID_SPAM_ZEROES | Spam tool Message-Id: (12-zeroes variant) |
| MSGID_YAHOO_CAPS | Message-ID has ALLCAPS@yahoo.com |
| MULTI_FORGED | Received headers indicate multiple forgeries |
| NASTY_GIRLS | Possible porn - Nasty Girls |
| NA_DOLLARS | Talks about a million North American dollars |
| NONEXISTENT_CHARSET | Character set doesn't exist |
| NORMAL_HTTP_TO_IP | Uses a dotted-decimal IP address in URL |
| NOT_ADVISOR | Not registered investment advisor |
| NO_COST | No such thing as a free lunch (3) |
| NO_DNS_FOR_FROM | Envelope sender has no MX or A DNS records |
| NO_FORMS | No Claim Forms |
| NO_MEDICAL | No Medical Exams |
| NO_OBLIGATION | There is no obligation |
| NO_PRESCRIPTION | No prescription needed |
| NO_RDNS_DOTCOM_HELO | Host HELO'd as a big ISP, but had no rDNS |
| NO_REAL_NAME | From: does not include a real name |
| NO_RECEIVED | Informational: message has no Received headers |
| NO_RELAYS | Informational: message was not relayed via SMTP |
| NUMERIC_HTTP_ADDR | Uses a numeric IP address in URL |
| OBFUSCATING_COMMENT | HTML comments which obfuscate text |
| OBSCURED_EMAIL | Message seems to contain rot13ed address |
| OFFSHORE_SCAM | Off Shore Scams |
| ONE_TIME | One Time Rip Off |
| ONLINE_PHARMACY | Online Pharmacy |
| OPTING_OUT_CAPS | Talks about opting out (capitalized version) |
| ORG_MIME_TOOLS | Organization is MIME-tools |
| PERCENT_RANDOM | Message has a random macro in it |
| PLING_PLING | Subject has lots of exclamation marks |
| PLING_QUERY | Subject has exclamation mark and question mark |
| PORN_15 | Possible porn - various types of feline |
| PORN_16 | Possible porn - nasty, dirty, little etc. |
| PORN_URL_MISC | URL uses words/phrases which indicate porn (misc) |
| PORN_URL_SEX | URL uses words/phrases which indicate porn (sex) |
| PORN_URL_SLUT | URL uses words/phrases which indicate porn (slut) |
| PREST_NON_ACCREDITED | 'Prestigious Non-Accredited Universities' |
| PREVENT_NONDELIVERY | Message has Prevent-NonDelivery-Report header |
| PRICES_ARE_AFFORDABLE | Message says that prices aren't too expensive |
| PRIORITY_NO_NAME | Message has priority, but no user agent name |
| PYZOR_CHECK | Listed in Pyzor (http://pyzor.sf.net/) |
| QUALIFY_FOR_THIS | Qualify for this special... |
| RATWARE_BOUND_PIECE | Bulk email fingerprint (piece boundary) found |
| RATWARE_EFROM | Bulk email fingerprint (envfrom) found |
| RATWARE_EGROUPS | Bulk email fingerprint (eGroups) found |
| RATWARE_GECKO_BUILD | Bulk email fingerprint (Gecko faked) found |
| RATWARE_HASH_2 | Bulk email fingerprint (hash 2) found |
| RATWARE_HASH_2_V2 | Bulk email fingerprint (hash 2 v2) found |
| RATWARE_HASH_DASH | Contains a hashbuster in Send-Safe format |
| RATWARE_JPFREE | Bulk email fingerprint (jpfree) found |
| RATWARE_MOZ_MALFORMED | Bulk email fingerprint (Mozilla malformed) found |
| RATWARE_MPOP_WEBMAIL | Bulk email fingerprint (mPOP Web-Mail) |
| RATWARE_MS_HASH | Bulk email fingerprint (msgid ms hash) found |
| RATWARE_NAME_ID | Bulk email fingerprint (msgid from) found |
| RATWARE_NETIP | Bulk email fingerprint (netIP) found |
| RATWARE_OE_MALFORMED | X-Mailer has malformed Outlook Express version |
| RATWARE_OUTLOOK_NONAME | Bulk email fingerprint (Outlook no name) found |
| RATWARE_RCVD_AT | Bulk email fingerprint (Received @) found |
| RATWARE_RCVD_LC_ESMTP | Bulk email fingerprint ('esmtp' Received) found |
| RATWARE_RCVD_PF | Bulk email fingerprint (Received PF) found |
| RATWARE_STORM_URI | Bulk email fingerprint (StormPost) found |
| RATWARE_ZERO_TZ | Bulk email fingerprint (+0000) found |
| RAZOR2_CF_RANGE_51_100 | Razor2 gives confidence level above 50% |
| RAZOR2_CF_RANGE_E4_51_100 | Razor2 gives engine 4 confidence level above 50% |
| RAZOR2_CF_RANGE_E8_51_100 | Razor2 gives engine 8 confidence level above 50% |
| RAZOR2_CHECK | Listed in Razor2 (http://razor.sf.net/) |
| RCVD_AM_PM | Received headers forged (AM/PM) |
| RCVD_BONUS_SPC_DATE | Bulk email fingerprint (bonus space) found |
| RCVD_BY_IP | Received by mail server with no name |
| RCVD_DOUBLE_IP_LOOSE | Received: by and from look like IP addresses |
| RCVD_DOUBLE_IP_SPAM | Bulk email fingerprint (double IP) found |
| RCVD_FAKE_HELO_DOTCOM | Received contains a faked HELO hostname |
| RCVD_HELO_IP_MISMATCH | Received: HELO and IP do not match, but should |
| RCVD_ILLEGAL_IP | Received: contains illegal IP address |
| RCVD_IN_BL_SPAMCOP_NET | Received via a relay in bl.spamcop.net |
| RCVD_IN_BSP_OTHER | Sender is in Bonded Sender Program (other relay) |
| RCVD_IN_BSP_TRUSTED | Sender is in Bonded Sender Program (trusted relay) |
| RCVD_IN_DSBL | Received via a relay in list.dsbl.org |
| RCVD_IN_IADB_VOUCHED | ISIPP IADB lists as vouched-for sender |
| RCVD_IN_MAPS_DUL | Relay in DUL, http://www.mail-abuse.org/dul/ |
| RCVD_IN_MAPS_NML | Relay in NML, http://www.mail-abuse.org/nml/ |
| RCVD_IN_MAPS_RBL | Relay in RBL, http://www.mail-abuse.org/rbl/ |
| RCVD_IN_MAPS_RSS | Relay in RSS, http://www.mail-abuse.org/rss/ |
| RCVD_IN_NJABL_CGI | NJABL: sender is an open formmail |
| RCVD_IN_NJABL_DUL | NJABL: dialup sender did non-local SMTP |
| RCVD_IN_NJABL_MULTI | NJABL: sent through multi-stage open relay |
| RCVD_IN_NJABL_PROXY | NJABL: sender is an open proxy |
| RCVD_IN_NJABL_RELAY | NJABL: sender is confirmed open relay |
| RCVD_IN_NJABL_SPAM | NJABL: sender is confirmed spam source |
| RCVD_IN_SBL | Received via a relay in Spamhaus SBL |
| RCVD_IN_SORBS_BLOCK | SORBS: sender demands to never be tested |
| RCVD_IN_SORBS_DUL | SORBS: sent directly from dynamic IP address |
| RCVD_IN_SORBS_HTTP | SORBS: sender is open HTTP proxy server |
| RCVD_IN_SORBS_MISC | SORBS: sender is open proxy server |
| RCVD_IN_SORBS_SMTP | SORBS: sender is open SMTP relay |
| RCVD_IN_SORBS_SOCKS | SORBS: sender is open SOCKS proxy server |
| RCVD_IN_SORBS_WEB | SORBS: sender is a abuseable web server |
| RCVD_IN_SORBS_ZOMBIE | SORBS: sender is on a hijacked network |
| RCVD_IN_WHOIS_BOGONS | CompleteWhois: sender on bogons IP block |
| RCVD_IN_WHOIS_HIJACKED | CompleteWhois: sender on hijacked IP block |
| RCVD_IN_WHOIS_INVALID | CompleteWhois: sender on invalid IP block |
| RCVD_IN_XBL | Received via a relay in Spamhaus XBL |
| RCVD_NUMERIC_HELO | Received: contains an IP address used for HELO |
| RECEIVE_OFFER | Receive a special offer |
| REFINANCE_NOW | Home refinancing |
| REFINANCE_YOUR_HOME | Home refinancing |
| REMOVE_BEFORE_LINK | Removal phrase right before a link |
| REMOVE_PAGE | URL of page called "remove" |
| REMOVE_POSTAL | Send real mail to be unsubscribed |
| REPLICA_WATCH | Message talks about a replica watch |
| REPLY_TO_EMPTY | Reply-To: is empty |
| REPTO_OVERQUOTE_THEBAT | The Bat! doesn't do quoting like this |
| REPTO_QUOTE_AOL | AOL doesn't do quoting like this |
| REPTO_QUOTE_IMS | IMS doesn't do quoting like this |
| REPTO_QUOTE_MSN | MSN doesn't do quoting like this |
| REPTO_QUOTE_QUALCOMM | Qualcomm/Eudora doesn't do quoting like this |
| REPTO_QUOTE_YAHOO | Yahoo! doesn't do quoting like this |
| RESISTANCE_IS_FUTILE | Resistance to this spam is futile |
| REVERSE_AGING | Reverses Aging |
| RISK_FREE | Risk free. Suuurreeee.... |
| ROUND_THE_WORLD | Received: says mail sent around the world (DNS) |
| ROUND_THE_WORLD_LOCAL | Received: says mail sent around the world (HELO) |
| RUDE_HTML | Spammer message says you need an HTML mailer |
| SATIS_GUAR | Mail guarantees satisfaction |
| SAVE_THOUSANDS | Save big money |
| SEE_FOR_YOURSELF | See for yourself |
| SENT_IN_COMPLIANCE | Claims compliance with spam regulations |
| SOMETHING_FOR_ADULTS | Possible porn - Adult Web Sites |
| SOME_BREAKTHROUGH | Describes some sort of breakthrough |
| SORTED_RECIPS | Recipient list is sorted by address |
| SPF_FAIL | SPF: sender does not match SPF record (fail) |
| SPF_HELO_FAIL | SPF: HELO does not match SPF record (fail) |
| SPF_HELO_NEUTRAL | SPF: HELO does not match SPF record (neutral) |
| SPF_HELO_PASS | SPF: HELO matches SPF record |
| SPF_HELO_SOFTFAIL | SPF: HELO does not match SPF record (softfail) |
| SPF_NEUTRAL | SPF: sender does not match SPF record (neutral) |
| SPF_PASS | SPF: sender matches SPF record |
| SPF_SOFTFAIL | SPF: sender does not match SPF record (softfail) |
| SPOOF_COM2COM | URI contains ".com" in middle and end |
| SPOOF_COM2OTH | URI contains ".com" in middle |
| SPOOF_NET2COM | URI contains ".net" or ".org", then ".com" |
| SPOOF_OURI | URI has items in odd places |
| STOCK_ALERT | Offers a alert about a stock |
| STRONG_BUY | Tells you about a strong buy |
| SUBJECT_DIET | Subject talks about losing pounds |
| SUBJECT_DRUG_GAP_C | Subject contains a gappy version of 'cialis' |
| SUBJECT_DRUG_GAP_L | Subject contains a gappy version of 'levitra' |
| SUBJECT_DRUG_GAP_P | Subject contains a gappy version of 'phentermine' |
| SUBJECT_DRUG_GAP_S | Subject contains a gappy version of 'soma' |
| SUBJECT_DRUG_GAP_VA | Subject contains a gappy version of 'valium' |
| SUBJECT_DRUG_GAP_VIC | Subject contains a gappy version of 'vicodin' |
| SUBJECT_DRUG_GAP_X | Subject contains a gappy version of 'xanax' |
| SUBJECT_ENCODED_TWICE | Subject: MIME encoded twice |
| SUBJECT_EXCESS_BASE64 | Subject: base64 encoded encoded unnecessarily |
| SUBJECT_EXCESS_QP | Subject: quoted-printable encoded unnecessarily |
| SUBJECT_FUZZY_CHEAP | Attempt to obfuscate words in Subject: |
| SUBJECT_FUZZY_MEDS | Attempt to obfuscate words in Subject: |
| SUBJECT_FUZZY_PENIS | Attempt to obfuscate words in Subject: |
| SUBJECT_FUZZY_TION | Attempt to obfuscate words in Subject: |
| SUBJECT_IN_BLACKLIST | Subject: contains string in the user's black-list |
| SUBJECT_IN_WHITELIST | Subject: contains string in the user's white-list |
| SUBJECT_NOVOWEL | Subject: has long non-vowel letter sequence |
| SUBJECT_SEXUAL | Subject indicates sexually-explicit content |
| SUBJ_2_NUM_PARENS | Subject contains common spam sign (2 numbers) |
| SUBJ_ALL_CAPS | Subject is all capitals |
| SUBJ_AS_SEEN | Subject contains "As Seen" |
| SUBJ_BUY | Subject line starts with Buy or Buying |
| SUBJ_CONSONANTS | Subject contains consecutive consonants in "word" |
| SUBJ_DOLLARS | Subject starts with dollar amount |
| SUBJ_FOR_ONLY | Subject contains "For Only" |
| SUBJ_FREE_CAP | Subject contains "FREE" in CAPS |
| SUBJ_GUARANTEED | Subject GUARANTEED |
| SUBJ_HAS_SPACES | Subject contains lots of white space |
| SUBJ_HAS_UNIQ_ID | Subject contains a unique ID |
| SUBJ_ILLEGAL_CHARS | Subject: has too many raw illegal characters |
| SUBJ_LIFE_INSURANCE | Subject includes "life insurance" |
| SUBJ_YOUR_DEBT | Subject contains "Your Bills" or similar |
| SUBJ_YOUR_FAMILY | Subject contains "Your Family" |
| SUBJ_YOUR_OWN | Subject contains "Your Own" |
| SUB_FREE_OFFER | Subject starts with "Free" |
| SUB_HELLO | Subject starts with "Hello" |
| SUSPICIOUS_RECIPS | Similar addresses in recipient list |
| TERRA_ES | Contains URI to a document hosted at 'terra.es' |
| TO_ADDRESS_EQ_REAL | To: repeats address as real name |
| TO_CC_NONE | No To: or Cc: header |
| TO_EMPTY | To: is empty |
| TO_MALFORMED | To: has a malformed address |
| TO_NO_USER | To: has no local-part before @ sign |
| TO_RECIP_MARKER | To header contains 'recipient' marker |
| TO_TXT | Sent to a text file |
| TRACKER_ID | Incorporates a tracking ID number |
| UNCLAIMED_MONEY | People just leave money laying around |
| UNCLOSED_BRACKET | Headers contain an unclosed bracket |
| UNDISC_RECIPS | Valid-looking To "undisclosed-recipients" |
| UNIQUE_WORDS | Message body has many words used only once |
| UNPARSEABLE_RELAY | Informational: message has unparseable relay lines |
| UNRESOLVED_TEMPLATE | Headers contain an unresolved template |
| UNWANTED_LANGUAGE_BODY | Message written in an undesired language |
| UPPERCASE_25_50 | message body is 25-50% uppercase |
| UPPERCASE_50_75 | message body is 50-75% uppercase |
| UPPERCASE_75_100 | message body is 75-100% uppercase |
| URG_BIZ | Contains urgent matter |
| URIBL_AB_SURBL | Contains an URL listed in the AB SURBL blocklist |
| URIBL_JP_SURBL | Contains an URL listed in the JP SURBL blocklist |
| URIBL_OB_SURBL | Contains an URL listed in the OB SURBL blocklist |
| URIBL_PH_SURBL | Contains an URL listed in the PH SURBL blocklist |
| URIBL_SBL | Contains an URL listed in the SBL blocklist |
| URIBL_SC_SURBL | Contains an URL listed in the SC SURBL blocklist |
| URIBL_WS_SURBL | Contains an URL listed in the WS SURBL blocklist |
| URI_4YOU | Message has URI 4you |
| URI_AFFILIATE | Contains a URI with an affiliate ID code |
| URI_DIGITS | URI hostname has long digit sequence |
| URI_HEX | URI hostname has long hexadecimal sequence |
| URI_IS_POUND | Filename is just a '\#'; probably a JS trick |
| URI_NOVOWEL | URI hostname has long non-vowel sequence |
| URI_NO_WWW_ANY_CGI | CGI with long hostname other fourth-level "www" |
| URI_NO_WWW_BIZ_CGI | CGI in .biz TLD other than third-level "www" |
| URI_NO_WWW_INFO_CGI | CGI in .info TLD other than third-level "www" |
| URI_OFFERS | Message has link to company offers |
| URI_REDIRECTOR | Message has HTTP redirector URI |
| URI_SCHEME_MIXED_CASE | URI scheme has mixed uppercase and lowercase |
| URI_UNSUBSCRIBE | URI contains suspicious unsubscribe link |
| URI_UPPER_LOWER | URI contains capitalized hostname parts ("Abcde") |
| USERPASS | URL contains username and (optional) password |
| USER_IN_ALL_SPAM_TO | User is listed in 'all_spam_to' |
| USER_IN_BLACKLIST | From: address is in the user's black-list |
| USER_IN_BLACKLIST_TO | User is listed in 'blacklist_to' |
| USER_IN_DEF_DKIM_WL | From: address is in the default DKIM white-list |
| USER_IN_DEF_DK_WL | From: address is in the default DK white-list |
| USER_IN_DEF_SPF_WL | From: address is in the default SPF white-list |
| USER_IN_DEF_WHITELIST | From: address is in the default white-list |
| USER_IN_DKIM_WHITELIST | From: address is in the user's DKIM whitelist |
| USER_IN_DK_WHITELIST | From: address is in the user's DK whitelist |
| USER_IN_MORE_SPAM_TO | User is listed in 'more_spam_to' |
| USER_IN_SPF_WHITELIST | From: address is in the user's SPF whitelist |
| USER_IN_WHITELIST | From: address is in the user's white-list |
| USER_IN_WHITELIST_TO | User is listed in 'whitelist_to' |
| US_DOLLARS_3 | Mentions millions of $ ($NN,NNN,NNN.NN) |
| VIA_GAP_GRA | Attempts to disguise the word 'viagra' |
| WEIRD_PORT | Uses non-standard port number for HTTP |
| WEIRD_QUOTING | Weird repeated double-quotation marks |
| WE_HONOR_ALL | Claims to honor removal requests |
| WHILE_YOU_SLEEP | While you Sleep |
| WHY_PAY_MORE | Why Pay More? |
| WHY_WAIT | What are you waiting for |
| WITH_LC_SMTP | Received line contains spam-sign (lowercase smtp) |
| WRINKLES | Removes Wrinkles |
| X_AUTH_WARN_FAKED | X-Authentication-Warning header looks faked |
| X_IP | Message has X-IP header |
| X_LIBRARY | Message has X-Library header |
| X_MAILER_SPAM | X-Mailer: header is bulk email fingerprint |
| X_MESSAGE_FLAG_ODD | Message has X-Message-flag header (odd case) |
| X_MESSAGE_INFO | Bulk email fingerprint (X-Message-Info) found |
| X_MIME_AUTOCONVERTED | Message has X-MIME-Autoconverted "Yes" header |
| X_MSMAIL_PRIORITY_HIGH | Sent with 'X-Msmail-Priority' set to high |
| X_ORIG_IP_NOT_IPV4 | X-Originating-IP doesn't look like IPv4 address |
| X_PRIORITY_CC | Cc: after X-Priority: (bulk email fingerprint) |
| X_PRIORITY_HIGH | Sent with 'X-Priority' set to high |
| YAHOO_DRS_REDIR | Has Yahoo Redirect URI |
| YAHOO_RD_REDIR | Has Yahoo Redirect URI |
| YOU_CAN_SEARCH | You can search for anyone |
| __MIME_BASE64 | Includes a base64 attachment |
| __MIME_QP | Includes a quoted-printable attachment |
| __RCVD_IN_NJABL | Received via a relay in combined.njabl.org |
| __RCVD_IN_SBL_XBL | Received via a relay in Spamhaus SBL+XBL |
| __RCVD_IN_SORBS | SORBS: sender is listed in SORBS |
If you are looking for software for sending bulk email, bulk email marketing, newsletter marketing, mailing list management or email tracking, please feel free to trial our effective solution Nesox Email Marketer.
Next - 10 Reasons Not to Spam
Related
None
