|
Area Tested
|
Locale
|
Description of Test
|
TEST NAME
|
DEFAULT SCORES
(local, net, with bayes, with bayes+net)
|
MORE INFO
(additional wiki docs)
|
|
body
|
|
Generic Test for Unsolicited Bulk Email
|
GTUBE
|
1000.000
|
Wiki
|
|
body
|
|
Incorporates a tracking ID number
|
TRACKER_ID
|
2.699 2.696 2.000 2.003
|
Wiki
|
|
body
|
|
Weird repeated double-quotation marks
|
WEIRD_QUOTING
|
2.799 2.796 1.428 1.396
|
Wiki
|
|
body
|
|
Body contains a ROT13-encoded email address
|
EMAIL_ROT13
|
1.600 1.680 1.850 2.000
|
Wiki
|
|
body
|
|
HTML and text parts are different
|
MPART_ALT_DIFF
|
2.498 1.143 1.456 0.739
|
Wiki
|
|
body
|
|
HTML and text parts are different
|
MPART_ALT_DIFF_COUNT
|
2.899 1.882 1.500 1.110
|
Wiki
|
|
body
|
|
Message body has 80-90% blank lines
|
BLANK_LINES_80_90
|
1
|
Wiki
|
|
body
|
|
eval:tvd_vertical_words('0','10')
|
TVD_SPACE_RATIO
|
2.899 2.899 2.307 2.219
|
Wiki
|
|
body
|
|
eval:check_ma_non_text()
|
MULTIPART_ALT_NON_TEXT
|
2.699 2.696 2.699 2.696
|
Wiki
|
|
body
|
|
Character set indicates a foreign language
|
CHARSET_FARAWAY
|
3.200
|
Wiki
|
|
rawbody
|
|
Extra blank lines in base64 encoding
|
MIME_BASE64_BLANKS
|
0.221 0.001 0.016 0.041
|
Wiki
|
|
rawbody
|
|
Message text disguised using base64 encoding
|
MIME_BASE64_TEXT
|
2.701 2.796 1.709 1.753
|
Wiki
|
|
body
|
|
Missing blank line between MIME header and body
|
MISSING_MIME_HB_SEP
|
2.599 2.699 2.205 2.119
|
Wiki
|
|
body
|
|
Multipart message mostly text/html MIME
|
MIME_HTML_MOSTLY
|
0.001
|
Wiki
|
|
body
|
|
Message only has text/html MIME parts
|
MIME_HTML_ONLY
|
2.299 1.672 1.925 1.457
|
Wiki
|
|
rawbody
|
|
Quoted-printable line longer than 76 chars
|
MIME_QP_LONG_LINE
|
2.499 1.819 1.500 1.396
|
Wiki
|
|
body
|
|
MIME character set is an unknown ISO charset
|
MIME_BAD_ISO_CHARSET
|
3.363 2.831 2.768 0.346
|
Wiki
|
|
body
|
|
IP to HTTPS link found in HTML
|
HTTPS_IP_MISMATCH
|
2.697 2.896 2.899 2.897
|
Wiki
|
|
body
|
|
Message contained a URI which was truncated
|
URI_TRUNCATED
|
0.001
|
Wiki
|
|
header
|
|
Passed through trusted hosts only via SMTP
|
ALL_TRUSTED
|
-1.360 -1.440 -1.665 -1.800
|
Wiki
|
|
header
|
|
Informational: message was not relayed via SMTP
|
NO_RELAYS
|
-0.001
|
Wiki
|
|
header
|
|
NJABL: sender is confirmed open relay
|
RCVD_IN_NJABL_RELAY
|
0 1.841 0 2.696
|
Wiki
|
|
header
|
|
NJABL: sender is confirmed spam source
|
RCVD_IN_NJABL_SPAM
|
0 3.096 0 2.072
|
Wiki
|
|
header
|
|
NJABL: sent through multi-stage open relay
|
RCVD_IN_NJABL_MULTI
|
1
|
Wiki
|
|
header
|
|
NJABL: sender is an open formmail
|
RCVD_IN_NJABL_CGI
|
1
|
Wiki
|
|
header
|
|
NJABL: sender is an open proxy
|
RCVD_IN_NJABL_PROXY
|
0 1.693 0 1.643
|
Wiki
|
|
header
|
|
SORBS: sender is open HTTP proxy server
|
RCVD_IN_SORBS_HTTP
|
0 0.001 0 0.001
|
Wiki
|
|
header
|
|
SORBS: sender is open SOCKS proxy server
|
RCVD_IN_SORBS_SOCKS
|
0 0.182 0 0.801
|
Wiki
|
|
header
|
|
SORBS: sender is open proxy server
|
RCVD_IN_SORBS_MISC
|
0 0.001 0 0.353
|
Wiki
|
|
header
|
|
SORBS: sender is open SMTP relay
|
RCVD_IN_SORBS_SMTP
|
1
|
Wiki
|
|
header
|
|
SORBS: sender is a abuseable web server
|
RCVD_IN_SORBS_WEB
|
0 1.117 0 0.619
|
Wiki
|
|
header
|
|
SORBS: sender demands to never be tested
|
RCVD_IN_SORBS_BLOCK
|
1
|
Wiki
|
|
header
|
|
SORBS: sender is on a hijacked network
|
RCVD_IN_SORBS_ZOMBIE
|
1
|
Wiki
|
|
header
|
|
SORBS: sent directly from dynamic IP address
|
RCVD_IN_SORBS_DUL
|
0 1.615 0 0.877
|
Wiki
|
|
header
|
|
Received via a relay in Spamhaus SBL
|
RCVD_IN_SBL
|
0 2.810 0 1.551
|
Wiki
|
|
header
|
|
Received via a relay in Spamhaus XBL
|
RCVD_IN_XBL
|
0 2.896 0 3.033
|
Wiki
|
|
header
|
|
Received via a relay in Spamhaus PBL
|
RCVD_IN_PBL
|
0 0.509 0 0.905
|
Wiki
|
|
header
|
|
Envelope sender in dsn.rfc-ignorant.org
|
DNS_FROM_RFC_DSN
|
0 2.527 0 1.495
|
Wiki
|
|
header
|
|
Envelope sender in bogusmx.rfc-ignorant.org
|
DNS_FROM_RFC_BOGUSMX
|
0 2.125 0 1.482
|
Wiki
|
|
header
|
|
CompleteWhois: sender on bogons IP block
|
RCVD_IN_WHOIS_BOGONS
|
1
|
Wiki
|
|
header
|
|
CompleteWhois: sender on hijacked IP block
|
RCVD_IN_WHOIS_HIJACKED
|
0 1.000 0 1.000
|
Wiki
|
|
header
|
|
CompleteWhois: sender on invalid IP block
|
RCVD_IN_WHOIS_INVALID
|
0 1.199 0 0.400
|
Wiki
|
|
header
|
|
Received via a relay in list.dsbl.org
|
RCVD_IN_DSBL
|
0 0.753 0 0.961
|
Wiki
|
|
header
|
|
Envelope sender listed in dnsbl.ahbl.org
|
DNS_FROM_AHBL_RHSBL
|
0 2.025 0 0.692
|
Wiki
|
|
header
|
|
Envelope sender in blackholes.securitysage.com
|
DNS_FROM_SECURITYSAGE
|
0 0.127 0 0.001
|
Wiki
|
|
header
|
|
Received via a relay in bl.spamcop.net
|
RCVD_IN_BL_SPAMCOP_NET
|
0 2.188 0 1.960
|
Wiki
|
|
header
|
|
Relay in RBL, http://www.mail-abuse.org/rbl/
|
RCVD_IN_MAPS_RBL
|
1
|
Wiki
|
|
header
|
|
Relay in DUL, http://www.mail-abuse.org/dul/
|
RCVD_IN_MAPS_DUL
|
1
|
Wiki
|
|
header
|
|
Relay in RSS, http://www.mail-abuse.org/rss/
|
RCVD_IN_MAPS_RSS
|
1
|
Wiki
|
|
header
|
|
Relay in NML, http://www.mail-abuse.org/nml/
|
RCVD_IN_MAPS_NML
|
1
|
Wiki
|
|
header
|
|
Sender is in Bonded Sender Program (trusted relay)
|
RCVD_IN_BSP_TRUSTED
|
0 -4.3 0 -4.3
|
Wiki
|
|
header
|
|
Sender is in Bonded Sender Program (other relay)
|
RCVD_IN_BSP_OTHER
|
0 -0.1 0 -0.1
|
Wiki
|
|
header
|
|
ISIPP IADB lists as vouched-for sender
|
RCVD_IN_IADB_VOUCHED
|
0 -2.2 0 -2.2
|
Wiki
|
|
header
|
|
Habeas Accredited Confirmed Opt-In or Better
|
HABEAS_ACCREDITED_COI
|
0 -8.0 0 -8.0
|
Wiki
|
|
header
|
|
Habeas Accredited Opt-In or Better
|
HABEAS_ACCREDITED_SOI
|
0 -4.3 0 -4.3
|
Wiki
|
|
header
|
|
Habeas Checked
|
HABEAS_CHECKED
|
0 -0.2 0 -0.2
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'cialis'
|
SUBJECT_DRUG_GAP_C
|
0.001 0.001 0.508 0.003
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'levitra'
|
SUBJECT_DRUG_GAP_L
|
1.047 1.831 2.407 2.515
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'soma'
|
SUBJECT_DRUG_GAP_S
|
1
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'valium'
|
SUBJECT_DRUG_GAP_VA
|
1.876 2.596 1.035 1.014
|
Wiki
|
|
header
|
|
Subject contains a gappy version of 'xanax'
|
SUBJECT_DRUG_GAP_X
|
1.478 2.052 2.298 1.766
|
Wiki
|
|
body
|
|
Talks about price per dose
|
DRUG_DOSAGE
|
2.514 0.128 1.621 1.623
|
Wiki
|
|
body
|
|
Mentions an E.D. drug
|
DRUG_ED_CAPS
|
0.329 1.540 2.417 0.322
|
Wiki
|
|
body
|
|
Talks about an E.D. drug using its chemical name
|
DRUG_ED_SILD
|
0.001 0.001 1.026 1.185
|
Wiki
|
|
body
|
|
Mentions Generic Viagra
|
DRUG_ED_GENERIC
|
3.286 3.314 2.001 1.558
|
Wiki
|
|
body
|
|
Fast Viagra Delivery
|
DRUG_ED_ONLINE
|
1
|
Wiki
|
|
body
|
|
Online Pharmacy
|
ONLINE_PHARMACY
|
2.701 1.484 0.057 0.001
|
Wiki
|
|
body
|
|
No prescription needed
|
NO_PRESCRIPTION
|
2.573 2.757 2.944 2.619
|
Wiki
|
|
body
|
|
Attempts to disguise the word 'viagra'
|
VIA_GAP_GRA
|
2.203 1.053 2.004 0.133
|
Wiki
|
|
body
|
|
Two or more drugs crammed together into one word
|
DRUGS_SMEAR1
|
1
|
Wiki
|
|
header
|
|
Delivered to trusted network by a host with no rDNS
|
RDNS_NONE
|
0.1
|
Wiki
|
|
header
|
|
Relay HELO'd with suspicious hostname (mail.com)
|
FAKE_HELO_MAIL_COM_DOM
|
3.199 3.196 2.812 3.199
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (IP addr 1)
|
HELO_DYNAMIC_IPADDR
|
4.399 2.935 2.643 2.426
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (DHCP)
|
HELO_DYNAMIC_DHCP
|
2.298 1.520 1.536 1.398
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (HCC)
|
HELO_DYNAMIC_HCC
|
4.299 4.295 4.299 4.295
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Rogers)
|
HELO_DYNAMIC_ROGERS
|
1
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (T-Dialin)
|
HELO_DYNAMIC_DIALIN
|
3.999 3.995 3.999 3.384
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Hex IP)
|
HELO_DYNAMIC_HEXIP
|
3.099 3.099 3.100 2.204
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Split IP)
|
HELO_DYNAMIC_SPLIT_IP
|
4.199 4.199 4.199 3.493
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (IP addr 2)
|
HELO_DYNAMIC_IPADDR2
|
4.399 4.395 4.400 4.395
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Chello.nl)
|
HELO_DYNAMIC_CHELLO_NL
|
3.600 3.599 3.599 3.595
|
Wiki
|
|
header
|
|
Relay HELO'd using suspicious hostname (Home.nl)
|
HELO_DYNAMIC_HOME_NL
|
3.499 3.496 3.499 3.463
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: msn.com
|
FAKE_HELO_MSN
|
1
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: mail.com
|
FAKE_HELO_MAIL_COM
|
1.755 0.220 2.600 1.317
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: email.com
|
FAKE_HELO_EMAIL_COM
|
1
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: excite.com
|
FAKE_HELO_EXCITE
|
2.599 2.552 2.599 2.598
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: lycos.com
|
FAKE_HELO_LYCOS
|
2.459 2.432 2.497 2.599
|
Wiki
|
|
header
|
|
Host HELO did not match rDNS: yahoo.ca
|
FAKE_HELO_YAHOO_CA
|
1
|
Wiki
|
|
header
|
|
Partial message
|
FRAGMENTED_MESSAGE
|
2.5
|
Wiki
|
|
header
|
|
From: contains empty name
|
FROM_BLANK_NAME
|
2.215 2.212 2.100 0.760
|
Wiki
|
|
header
|
|
From: starts with many numbers
|
FROM_STARTS_WITH_NUMS
|
2.302 0.723 1.232 1.499
|
Wiki
|
|
header
|
|
From address is "at something-offers"
|
FROM_OFFERS
|
2.601 1.145 2.699 0.001
|
Wiki
|
|
header
|
|
From: has no local-part before @ sign
|
FROM_NO_USER
|
2.199 0.499 2.081 1.483
|
Wiki
|
|
header
|
|
Subject has exclamation mark and question mark
|
PLING_QUERY
|
2.160 1.333 1.400 1.390
|
Wiki
|
|
header
|
|
Spam tool Message-Id: (caps variant)
|
MSGID_SPAM_CAPS
|
4.199 4.195 4.199 4.195
|
Wiki
|
|
header
|
|
Spam tool Message-Id: (letters variant)
|
MSGID_SPAM_LETTERS
|
2.861 1.637 0.866 1.188
|
Wiki
|
|
header
|
|
Message-ID has ALLCAPS@yahoo.com
|
MSGID_YAHOO_CAPS
|
1.197 0.448 2.921 3.107
|
Wiki
|
|
header
|
|
Message-ID is unusually short
|
MSGID_SHORT
|
0.200 0.232 0.690 1.078
|
Wiki
|
|
header
|
|
Message-ID contains multiple '@' characters
|
MSGID_MULTIPLE_AT
|
1.221 1.211 1.571 1.449
|
Wiki
|
|
header
|
|
Date header uses unusual Y2K formatting
|
DATE_SPAMWARE_Y2K
|
2.057 1.031 2.912 2.883
|
Wiki
|
|
header
|
|
Invalid Date: header (not RFC 2822)
|
INVALID_DATE
|
2.303 1.651 1.329 1.245
|
Wiki
|
|
header
|
|
Invalid Date: header (timezone does not exist)
|
INVALID_DATE_TZ_ABSURD
|
0.197 0.243 2.284 2.191
|
Wiki
|
|
header
|
|
Invalid date in header (wrong CST timezone)
|
INVALID_TZ_CST
|
1.704 0.862 1.583 2.079
|
Wiki
|
|
header
|
|
Invalid date in header (wrong EST timezone)
|
INVALID_TZ_EST
|
2.601 2.065 2.265 2.696
|
Wiki
|
|
header
|
|
Subject contains an English UCE tag
|
ENGLISH_UCE_SUBJECT
|
1
|
Wiki
|
|
header
|
|
Subject contains a Japanese UCE tag
|
JAPANESE_UCE_SUBJECT
|
1
|
Wiki
|
|
header
|
|
Subject: contains Korean unsolicited email tag
|
KOREAN_UCE_SUBJECT
|
3.099 1.111 2.114 2.962
|
Wiki
|
|
header
|
|
Contains forged hostname for a DSL IP in Brazil
|
FORGED_TELESP_RCVD
|
1
|
Wiki
|
|
header
|
|
Character set doesn't exist
|
NONEXISTENT_CHARSET
|
1
|
Wiki
|
|
header
|
|
Missing Message-Id: header
|
MISSING_MID
|
0.001
|
Wiki
|
|
header
|
|
Missing Date: header
|
MISSING_DATE
|
0.001
|
Wiki
|
|
header
|
|
Subject: contains G.a.p.p.y-T.e.x.t
|
GAPPY_SUBJECT
|
2.104 2.001 0.941 1.020
|
Wiki
|
|
header
|
|
Message has Prevent-NonDelivery-Report header
|
PREVENT_NONDELIVERY
|
1.515 1.640 1.737 1.600
|
Wiki
|
|
header
|
|
Message has X-IP header
|
X_IP
|
2.840 1.943 2.744 3.177
|
Wiki
|
|
header
|
|
Subject contains "As Seen"
|
SUBJ_AS_SEEN
|
1
|
Wiki
|
|
header
|
|
Subject starts with dollar amount
|
SUBJ_DOLLARS
|
2.399 0.842 1.501 1.421
|
Wiki
|
|
header
|
|
Subject contains "Your Bills" or similar
|
SUBJ_YOUR_DEBT
|
2.899 2.896 2.576 2.622
|
Wiki
|
|
header
|
|
Subject contains "Your Family"
|
SUBJ_YOUR_FAMILY
|
2.799 2.647 2.000 1.043
|
Wiki
|
|
header
|
|
Received contains a faked HELO hostname
|
RCVD_FAKE_HELO_DOTCOM
|
2.789 2.775 2.899 2.592
|
Wiki
|
|
header
|
|
Subject talks about losing pounds
|
SUBJECT_DIET
|
2.527 1.621 2.084 1.466
|
Wiki
|
|
header
|
|
Header has extraneous Content-type:...type= entry
|
EXTRA_MPART_TYPE
|
1.0
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary
|
MIME_BOUND_DD_DIGITS
|
3.869 4.199 3.386 1.466
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary
|
MIME_BOUND_DIGITS_15
|
2.899 2.896 2.899 2.896
|
Wiki
|
|
header
|
|
Spam tool pattern in MIME boundary
|
MIME_BOUND_MANY_HEX
|
0.001 0.001 1.472 0.803
|
Wiki
|
|
header
|
|
To: has a malformed address
|
TO_MALFORMED
|
0.001 0.001 0.001 1.170
|
Wiki
|
|
header
|
|
Received line contains spam-sign (lowercase smtp)
|
WITH_LC_SMTP
|
1
|
Wiki
|
|
header
|
|
Subject line starts with Buy or Buying
|
SUBJ_BUY
|
2.702 0.900 0.999 0.001
|
Wiki
|
|
header
|
|
Received headers forged (AM/PM)
|
RCVD_AM_PM
|
1.529 1.688 2.833 0.545
|
Wiki
|
|
header
|
|
Received header contains faked 'mr.outblaze.com'
|
FAKE_OUTBLAZE_RCVD
|
3.499 3.496 3.304 2.271
|
Wiki
|
|
header
|
|
Headers contain an unclosed bracket
|
UNCLOSED_BRACKET
|
2.687 2.083 1.580 2.206
|
Wiki
|
|
header
|
|
From: domain has series of non-vowel letters
|
FROM_DOMAIN_NOVOWEL
|
3.000 3.099 2.999 2.592
|
Wiki
|
|
header
|
|
From: localpart has series of non-vowel letters
|
FROM_LOCAL_NOVOWEL
|
3.199 3.196 3.199 3.196
|
Wiki
|
|
header
|
|
From: localpart has long hexadecimal sequence
|
FROM_LOCAL_HEX
|
2.602 2.733 1.432 1.399
|
Wiki
|
|
header
|
|
From: localpart has long digit sequence
|
FROM_LOCAL_DIGITS
|
0.001
|
Wiki
|
|
header
|
|
Cc: after X-Priority: (bulk email fingerprint)
|
X_PRIORITY_CC
|
2.599 1.492 2.599 2.596
|
Wiki
|
|
header
|
|
Message has bad MIME encoding in the header
|
BAD_ENC_HEADER
|
3.499 2.870 1.947 1.810
|
Wiki
|
|
header
|
|
A foreign language charset used in headers
|
CHARSET_FARAWAY_HEADER
|
3.200
|
Wiki
|
|
header
|
|
Subject: has too many raw illegal characters
|
SUBJ_ILLEGAL_CHARS
|
1.173 1.527 1.954 1.586
|
Wiki
|
|
header
|
|
From: has too many raw illegal characters
|
FROM_ILLEGAL_CHARS
|
2.922 3.999 3.999 3.995
|
Wiki
|
|
header
|
|
Headers have too many raw illegal characters
|
HEAD_ILLEGAL_CHARS
|
3.799 3.729 3.799 3.622
|
Wiki
|
|
header
|
|
hotmail.com 'From' address, but no 'Received:'
|
FORGED_HOTMAIL_RCVD2
|
1.947 1.117 1.498 1.502
|
Wiki
|
|
header
|
|
'From' yahoo.com does not match 'Received' headers
|
FORGED_YAHOO_RCVD
|
2.299 1.408 1.889 2.297
|
Wiki
|
|
header
|
|
Recipient list is sorted by address
|
SORTED_RECIPS
|
2.925 1.800 1.972 1.125
|
Wiki
|
|
header
|
|
Similar addresses in recipient list
|
SUSPICIOUS_RECIPS
|
3.199 3.196 2.299 2.912
|
Wiki
|
|
header
|
|
Missing To: header
|
MISSING_HEADERS
|
1.899 1.581 1.500 1.292
|
Wiki
|
|
header
|
|
Received: says mail sent around the world (HELO)
|
ROUND_THE_WORLD_LOCAL
|
2.699 2.696 2.700 2.696
|
Wiki
|
|
header
|
|
Date: is 3 to 6 hours before Received: date
|
DATE_IN_PAST_03_06
|
2.299 1.394 1.306 0.044
|
Wiki
|
|
header
|
|
Date: is 6 to 12 hours before Received: date
|
DATE_IN_PAST_06_12
|
2.504 1.854 1.499 1.069
|
Wiki
|
|
header
|
|
Date: is 12 to 24 hours before Received: date
|
DATE_IN_PAST_12_24
|
2.499 1.770 1.503 0.992
|
Wiki
|
|
header
|
|
Date: is 24 to 48 hours before Received: date
|
DATE_IN_PAST_24_48
|
2.300 1.627 1.498 1.219
|
Wiki
|
|
header
|
|
Date: is 96 hours or more before Received: date
|
DATE_IN_PAST_96_XX
|
2.952 2.320 1.800 1.690
|
Wiki
|
|
header
|
|
Date: is 3 to 6 hours after Received: date
|
DATE_IN_FUTURE_03_06
|
2.303 0.416 1.461 0.274
|
Wiki
|
|
header
|
|
Date: is 6 to 12 hours after Received: date
|
DATE_IN_FUTURE_06_12
|
3.099 3.099 2.136 1.897
|
Wiki
|
|
header
|
|
Date: is 12 to 24 hours after Received: date
|
DATE_IN_FUTURE_12_24
|
3.300 3.299 3.000 2.189
|
Wiki
|
|
header
|
|
Date: is 24 to 48 hours after Received: date
|
DATE_IN_FUTURE_24_48
|
3.599 2.800 3.599 3.196
|
Wiki
|
|
header
|
|
Date: is 48 to 96 hours after Received: date
|
DATE_IN_FUTURE_48_96
|
3.199 3.182 3.199 3.199
|
Wiki
|
|
header
|
|
Date: is 96 hours or more after Received: date
|
DATE_IN_FUTURE_96_XX
|
3.899 3.899 2.598 1.439
|
Wiki
|
|
header
|
|
Headers contain an unresolved template
|
UNRESOLVED_TEMPLATE
|
2.801 3.325 3.499 3.132
|
Wiki
|
|
header
|
|
Subject is all capitals
|
SUBJ_ALL_CAPS
|
2.299 1.806 1.926 2.077
|
Wiki
|
|
header
|
|
Local part of To: address appears in Subject
|
LOCALPART_IN_SUBJECT
|
2.499 2.497 1.641 2.020
|
Wiki
|
|
header
|
|
Message-Id is fake (in Outlook Express format)
|
MSGID_OUTLOOK_INVALID
|
2.899 2.896 2.899 2.899
|
Wiki
|
|
header
|
|
Multiple Content-Type headers found
|
HEADER_COUNT_CTYPE
|
2.699 0.671 2.390 3.026
|
Wiki
|
|
header
|
|
Message headers are very long
|
HEAD_LONG
|
2.5
|
Wiki
|
|
header
|
|
Missing blank line between message header and body
|
MISSING_HB_SEP
|
2.5
|
Wiki
|
|
header
|
|
Informational: message has unparseable relay lines
|
UNPARSEABLE_RELAY
|
0.001
|
Wiki
|
|
header
|
|
Received: HELO and IP do not match, but should
|
RCVD_HELO_IP_MISMATCH
|
2.401 2.320 2.627 2.837
|
Wiki
|
|
header
|
|
Received: contains an IP address used for HELO
|
RCVD_NUMERIC_HELO
|
2.599 2.599 2.272 2.067
|
Wiki
|
|
header
|
|
Received: contains illegal IP address
|
RCVD_ILLEGAL_IP
|
3.199 3.196 2.902 1.908
|
Wiki
|
|
header
|
|
Host HELO'd as a big ISP, but had no rDNS
|
NO_RDNS_DOTCOM_HELO
|
2.411 0.799 0.000 0.001
|
Wiki
|
|
rawbody
|
|
Javascript to hide URLs in browser
|
HIDE_WIN_STATUS
|
2.499 2.213 2.499 2.499
|
Wiki
|
|
body
|
|
HTML included in message
|
HTML_MESSAGE
|
0.001
|
Wiki
|
|
body
|
|
HTML comment is very short
|
HTML_COMMENT_SHORT
|
0.001 0.001 0.032 0.727
|
Wiki
|
|
body
|
|
HTML message is a saved web page
|
HTML_COMMENT_SAVED_URL
|
1.677 1.820 0.492 0.114
|
Wiki
|
|
body
|
|
HTML with embedded plugin object
|
HTML_EMBEDS
|
1.083 0.440 0.001 0.056
|
Wiki
|
|
body
|
|
HTML contains far too many close tags
|
HTML_EXTRA_CLOSE
|
1.041 1.089 2.502 2.809
|
Wiki
|
|
body
|
|
HTML font size is large
|
HTML_FONT_SIZE_LARGE
|
0.147 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
HTML font size is huge
|
HTML_FONT_SIZE_HUGE
|
0.804 0.389 0.001 0.057
|
Wiki
|
|
body
|
|
HTML font color similar to background
|
HTML_FONT_LOW_CONTRAST
|
0.131 0.543 0.663 0.124
|
Wiki
|
|
body
|
|
HTML font face is not a word
|
HTML_FONT_FACE_BAD
|
0.923 0.606 0.650 0.884
|
Wiki
|
|
body
|
|
HTML includes a form which sends mail
|
HTML_FORMACTION_MAILTO
|
1
|
Wiki
|
|
body
|
|
HTML: images with 0-400 bytes of words
|
HTML_IMAGE_ONLY_04
|
2.502 1.462 1.875 2.041
|
Wiki
|
|
body
|
|
HTML: images with 400-800 bytes of words
|
HTML_IMAGE_ONLY_08
|
2.554 2.432 2.045 1.787
|
Wiki
|
|
body
|
|
HTML: images with 800-1200 bytes of words
|
HTML_IMAGE_ONLY_12
|
2.552 2.245 2.779 2.460
|
Wiki
|
|
body
|
|
HTML: images with 1200-1600 bytes of words
|
HTML_IMAGE_ONLY_16
|
2.646 2.498 2.078 1.526
|
Wiki
|
|
body
|
|
HTML: images with 1600-2000 bytes of words
|
HTML_IMAGE_ONLY_20
|
2.401 1.808 1.500 1.546
|
Wiki
|
|
body
|
|
HTML: images with 2000-2400 bytes of words
|
HTML_IMAGE_ONLY_24
|
2.400 2.207 1.501 1.552
|
Wiki
|
|
body
|
|
HTML: images with 2400-2800 bytes of words
|
HTML_IMAGE_ONLY_28
|
2.500 1.519 2.115 1.561
|
Wiki
|
|
body
|
|
HTML: images with 2800-3200 bytes of words
|
HTML_IMAGE_ONLY_32
|
2.353 1.318 2.004 1.778
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_02
|
1.518 0.550 0.573 0.383
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_04
|
1.561 0.170 0.863 0.172
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_06
|
0.401 0.001 0.501 0.001
|
Wiki
|
|
body
|
|
HTML has a low ratio of text to image area
|
HTML_IMAGE_RATIO_08
|
0.203 0.001 0.179 0.001
|
Wiki
|
|
body
|
|
Message is 5% to 10% HTML obfuscation
|
HTML_OBFUSCATE_05_10
|
0.638 0.572 0.000 0.001
|
Wiki
|
|
body
|
|
Message is 10% to 20% HTML obfuscation
|
HTML_OBFUSCATE_10_20
|
2.600 3.196 2.487 2.601
|
Wiki
|
|
body
|
|
Message is 20% to 30% HTML obfuscation
|
HTML_OBFUSCATE_20_30
|
3.199 2.747 3.199 3.196
|
Wiki
|
|
body
|
|
Message is 30% to 40% HTML obfuscation
|
HTML_OBFUSCATE_30_40
|
2.599 2.599 2.214 1.362
|
Wiki
|
|
body
|
|
Message is 50% to 60% HTML obfuscation
|
HTML_OBFUSCATE_50_60
|
1
|
Wiki
|
|
body
|
|
Message is 70% to 80% HTML obfuscation
|
HTML_OBFUSCATE_70_80
|
1
|
Wiki
|
|
body
|
|
Message is 90% to 100% HTML obfuscation
|
HTML_OBFUSCATE_90_100
|
1
|
Wiki
|
|
body
|
|
HTML has unbalanced "body" tags
|
HTML_TAG_BALANCE_BODY
|
1.253 0.807 1.082 1.263
|
Wiki
|
|
body
|
|
HTML has unbalanced "head" tags
|
HTML_TAG_BALANCE_HEAD
|
2.498 1.370 0.533 1.334
|
Wiki
|
|
body
|
|
HTML has "bgsound" tag
|
HTML_TAG_EXIST_BGSOUND
|
1
|
Wiki
|
|
body
|
|
HTML message is 40% to 50% bad tags
|
HTML_BADTAG_40_50
|
1
|
Wiki
|
|
body
|
|
HTML message is 50% to 60% bad tags
|
HTML_BADTAG_50_60
|
1
|
Wiki
|
|
body
|
|
HTML message is 60% to 70% bad tags
|
HTML_BADTAG_60_70
|
1
|
Wiki
|
|
body
|
|
HTML message is 90% to 100% bad tags
|
HTML_BADTAG_90_100
|
1
|
Wiki
|
|
body
|
|
30% to 40% of HTML elements are non-standard
|
HTML_NONELEMENT_30_40
|
1.024 1.775 0.074 0.001
|
Wiki
|
|
body
|
|
40% to 50% of HTML elements are non-standard
|
HTML_NONELEMENT_40_50
|
0.322 0.001 1.707 0.944
|
Wiki
|
|
body
|
|
60% to 70% of HTML elements are non-standard
|
HTML_NONELEMENT_60_70
|
1
|
Wiki
|
|
body
|
|
80% to 90% of HTML elements are non-standard
|
HTML_NONELEMENT_80_90
|
1
|
Wiki
|
|
body
|
|
Message has HTML IFRAME tag with SRC URI
|
HTML_IFRAME_SRC
|
0.001 0.001 0.000 0.043
|
Wiki
|
|
header
|
|
Envelope sender has no MX or A DNS records
|
NO_DNS_FOR_FROM
|
0 1.407 0 1.496
|
Wiki
|
|
header
|
|
Received: says mail sent around the world (DNS)
|
ROUND_THE_WORLD
|
1
|
Wiki
|
|
body
|
|
Removal phrase right before a link
|
REMOVE_BEFORE_LINK
|
0.001 0.001 0.010 0.001
|
Wiki
|
|
body
|
|
One hundred percent guaranteed
|
GUARANTEED_100_PERCENT
|
0.571 0.965 0.001 0.012
|
Wiki
|
|
body
|
|
Dear Friend? That's not very dear!
|
DEAR_FRIEND
|
2.649 2.696 2.699 2.699
|
Wiki
|
|
body
|
|
Contains 'Dear (something)'
|
DEAR_SOMETHING
|
2.799 2.234 1.721 1.605
|
Wiki
|
|
body
|
|
Talks about lots of money
|
BILLION_DOLLARS
|
2.658 0.001 1.603 1.875
|
Wiki
|
|
body
|
|
Claims you can be removed from the list
|
EXCUSE_4
|
1.999 1.934 0.001 1.336
|
Wiki
|
|
body
|
|
Claims you wanted this ad
|
EXCUSE_24
|
2.599 2.599 2.600 2.596
|
Wiki
|
|
body
|
|
Talks about how to be removed from mailings
|
EXCUSE_REMOVE
|
2.999 1.477 2.999 0.001
|
Wiki
|
|
body
|
|
Tells you about a strong buy
|
STRONG_BUY
|
3.599 2.478 2.623 2.488
|
Wiki
|
|
body
|
|
Offers a alert about a stock
|
STOCK_ALERT
|
2.899 2.889 2.899 2.897
|
Wiki
|
|
body
|
|
Not registered investment advisor
|
NOT_ADVISOR
|
1
|
Wiki
|
|
body
|
|
'Prestigious Non-Accredited Universities'
|
PREST_NON_ACCREDITED
|
1
|
Wiki
|
|
body
|
|
Information on growing body parts
|
BODY_ENHANCEMENT
|
1.799 1.608 1.499 0.309
|
Wiki
|
|
body
|
|
Information on getting larger body parts
|
BODY_ENHANCEMENT2
|
1.659 0.714 0.122 0.001
|
Wiki
|
|
body
|
|
Impotence cure
|
IMPOTENCE
|
2.608 1.678 2.862 1.886
|
Wiki
|
|
body
|
|
Talks about a million North American dollars
|
NA_DOLLARS
|
2.385 1.129 1.506 1.329
|
Wiki
|
|
body
|
|
Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN)
|
US_DOLLARS_3
|
2.342 1.165 1.046 0.630
|
Wiki
|
|
body
|
|
Talks about millions of dollars
|
MILLION_USD
|
2.391 1.777 1.501 1.528
|
Wiki
|
|
body
|
|
Contains urgent matter
|
URG_BIZ
|
2.384 0.667 1.511 1.585
|
Wiki
|
|
body
|
|
Money back guarantee
|
MONEY_BACK
|
0.939 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
Free express or no-obligation quote
|
FREE_QUOTE_INSTANT
|
2.500 2.499 1.499 1.496
|
Wiki
|
|
body
|
|
Eliminate Bad Credit
|
BAD_CREDIT
|
2.602 0.325 1.500 0.001
|
Wiki
|
|
body
|
|
Home refinancing
|
REFINANCE_YOUR_HOME
|
2.699 0.001 2.699 2.039
|
Wiki
|
|
body
|
|
Home refinancing
|
REFINANCE_NOW
|
2.393 0.169 1.933 0.556
|
Wiki
|
|
body
|
|
No Medical Exams
|
NO_MEDICAL
|
1
|
Wiki
|
|
body
|
|
Lose Weight Spam
|
DIET_1
|
2.472 0.336 1.442 0.083
|
Wiki
|
|
body
|
|
Freedom of a financial nature
|
FIN_FREE
|
2.599 2.599 2.599 2.596
|
Wiki
|
|
body
|
|
Stock Disclaimer Statement
|
FORWARD_LOOKING
|
1
|
Wiki
|
|
body
|
|
One Time Rip Off
|
ONE_TIME
|
1
|
Wiki
|
|
body
|
|
Join Millions of Americans
|
JOIN_MILLIONS
|
1.398 1.807 2.912 1.777
|
Wiki
|
|
body
|
|
Claims you registered with a partner
|
MARKETING_PARTNERS
|
2.599 2.355 1.614 1.295
|
Wiki
|
|
body
|
|
Lowest Price
|
LOW_PRICE
|
1.903 1.159 0.743 0.001
|
Wiki
|
|
body
|
|
People just leave money laying around
|
UNCLAIMED_MONEY
|
3.099 2.985 2.943 3.096
|
Wiki
|
|
body
|
|
Message seems to contain rot13ed address
|
OBSCURED_EMAIL
|
1.899 0.012 0.000 0.001
|
Wiki
|
|
body
|
|
Talks about Oprah with an exclamation!
|
BANG_OPRAH
|
1
|
Wiki
|
|
body
|
|
Talks about 'acting now' with capitals
|
ACT_NOW_CAPS
|
0.948 0.001 1.259 0.792
|
Wiki
|
|
body
|
|
Talks about a bigger drive for sex
|
MORE_SEX
|
3.699 2.321 1.631 1.183
|
Wiki
|
|
body
|
|
Something is emphatically guaranteed
|
BANG_GUAR
|
2.002 1.237 1.500 0.939
|
Wiki
|
|
body
|
|
Message mentions investment advice
|
INVESTMENT_ADVICE
|
0.001 0.001 0.421 0.042
|
Wiki
|
|
body
|
|
Message talks about enhancing men
|
MALE_ENHANCE
|
2.600 2.596 2.599 2.596
|
Wiki
|
|
body
|
|
Message says that prices aren't too expensive
|
PRICES_ARE_AFFORDABLE
|
2.195 0.001 2.444 0.001
|
Wiki
|
|
body
|
|
Message talks about a replica watch
|
REPLICA_WATCH
|
3.399 3.396 3.399 3.396
|
Wiki
|
|
body
|
|
Message puts emphasis on the watch manufacturer
|
EM_ROLEX
|
1
|
Wiki
|
|
body
|
|
Possible porn - Free Porn
|
FREE_PORN
|
1
|
Wiki
|
|
body
|
|
Possible porn - Cum Shot
|
CUM_SHOT
|
2.799 2.796 2.632 2.799
|
Wiki
|
|
body
|
|
Possible porn - Live Porn
|
LIVE_PORN
|
1
|
Wiki
|
|
header
|
|
Subject indicates sexually-explicit content
|
SUBJECT_SEXUAL
|
2.900 0.116 1.499 0.001
|
Wiki
|
|
header
|
|
Bulk email fingerprint (eGroups) found
|
RATWARE_EGROUPS
|
2.673 2.379 3.181 2.001
|
Wiki
|
|
header
|
|
X-Mailer has malformed Outlook Express version
|
RATWARE_OE_MALFORMED
|
0.581 2.095 2.624 2.927
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Mozilla malformed) found
|
RATWARE_MOZ_MALFORMED
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (mPOP Web-Mail)
|
RATWARE_MPOP_WEBMAIL
|
1
|
Wiki
|
|
rawbody
|
|
Contains a hashbuster in Send-Safe format
|
RATWARE_HASH_DASH
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Gecko faked) found
|
RATWARE_GECKO_BUILD
|
1
|
Wiki
|
|
header
|
|
Bulk email fingerprint (X-Message-Info) found
|
X_MESSAGE_INFO
|
3.499 3.496 3.330 1.597
|
Wiki
|
|
header
|
|
Bulk email fingerprint (header-based) found
|
HEADER_SPAM
|
3.399 3.396 3.399 3.396
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Received PF) found
|
RATWARE_RCVD_PF
|
3.899 3.895 3.900 3.847
|
Wiki
|
|
header
|
|
Bulk email fingerprint (Received @) found
|
RATWARE_RCVD_AT
|
1.918 0.650 1.741 0.213
|
Wiki
|
|
header
|
|
Bulk email fingerprint (envfrom) found
|
RATWARE_EFROM
|
3.799 3.795 3.799 1.529
|
Wiki
|
|
uri
|
|
/^https?:\/\/[^\/]*\&\#(?:\d{4,}| [3456789]\d\d);/i
|
HIGH_CODEPAGE_URI
|
2.5
|
Wiki
|
|
uri
|
|
Uses a numeric IP address in URL
|
NUMERIC_HTTP_ADDR
|
0.919 0.001 0.312 0.001
|
Wiki
|
|
uri
|
|
Uses %-escapes inside a URL's hostname
|
HTTP_ESCAPED_HOST
|
0.001 0.001 0.071 0.134
|
Wiki
|
|
uri
|
|
Completely unnecessary %-escapes inside a URL
|
HTTP_EXCESSIVE_ESCAPES
|
2.701 0.964 1.500 0.001
|
Wiki
|
|
uri
|
|
Dotted-decimal IP address followed by CGI
|
IP_LINK_PLUS
|
0.000 0.001 0.001 0.001
|
Wiki
|
|
uri
|
|
Uses non-standard port number for HTTP
|
WEIRD_PORT
|
1.599 1.499 1.089 0.001
|
Wiki
|
|
uri
|
|
Has Yahoo Redirect URI
|
YAHOO_RD_REDIR
|
0.001 0.000 3.000 0.000
|
Wiki
|
|
uri
|
|
Has Yahoo Redirect URI
|
YAHOO_DRS_REDIR
|
1.007 0.313 1.189 1.103
|
Wiki
|
|
uri
|
|
Contains an URL-encoded hostname (HTTP77)
|
HTTP_77
|
3.199 0.001 3.199 1.414
|
Wiki
|
|
uri
|
|
URI contains ".com" in middle
|
SPOOF_COM2OTH
|
2.840 0.848 1.996 2.044
|
Wiki
|
|
uri
|
|
URI contains ".com" in middle and end
|
SPOOF_COM2COM
|
0.001 0.341 2.051 2.272
|
Wiki
|
|
uri
|
|
URI contains ".net" or ".org", then ".com"
|
SPOOF_NET2COM
|
2.899 2.896 2.037 1.586
|
Wiki
|
|
uri
|
|
URI hostname has long hexadecimal sequence
|
URI_HEX
|
1.777 1.316 1.395 0.368
|
Wiki
|
|
uri
|
|
URI hostname has long non-vowel sequence
|
URI_NOVOWEL
|
2.899 2.543 1.764 1.620
|
Wiki
|
|
uri
|
|
URI contains suspicious unsubscribe link
|
URI_UNSUBSCRIBE
|
2.794 3.092 1.538 2.737
|
Wiki
|
|
uri
|
|
CGI in .info TLD other than third-level "www"
|
URI_NO_WWW_INFO_CGI
|
2.720 0.601 3.138 1.043
|
Wiki
|
|
uri
|
|
CGI in .biz TLD other than third-level "www"
|
URI_NO_WWW_BIZ_CGI
|
1
|
Wiki
|
|
uri
|
|
Uses a dotted-decimal IP address in URL
|
NORMAL_HTTP_TO_IP
|
0.101 0.001 0.001 0.001
|
Wiki
|
|
body
|
|
Bayesian spam probability is 0 to 1%
|
BAYES_00
|
0 0 -2.312 -2.599
|
Wiki
|
|
body
|
|
Bayesian spam probability is 1 to 5%
|
BAYES_05
|
0 0 -1.110 -1.110
|
Wiki
|
|
body
|
|
Bayesian spam probability is 5 to 20%
|
BAYES_20
|
0 0 -0.740 -0.740
|
Wiki
|
|
body
|
|
Bayesian spam probability is 20 to 40%
|
BAYES_40
|
0 0 -0.185 -0.185
|
Wiki
|
|
body
|
|
Bayesian spam probability is 40 to 60%
|
BAYES_50
|
0 0 0.001 0.001
|
Wiki
|
|
body
|
|
Bayesian spam probability is 60 to 80%
|
BAYES_60
|
0 0 1.0 1.0
|
Wiki
|
|
body
|
|
Bayesian spam probability is 80 to 95%
|
BAYES_80
|
0 0 2.0 2.0
|
Wiki
|
|
body
|
|
Bayesian spam probability is 95 to 99%
|
BAYES_95
|
0 0 3.0 3.0
|
Wiki
|
|
body
|
|
Bayesian spam probability is 99 to 100%
|
BAYES_99
|
0 0 3.5 3.5
|
Wiki
|
|
header
|
|
Message would have been caught by accessdb
|
ACCESSDB
|
1
|
Wiki
|
|
body
|
|
Message includes Microsoft executable program
|
MICROSOFT_EXECUTABLE
|
0.100
|
Wiki
|
|
body
|
|
MIME filename does not match content
|
MIME_SUSPECT_NAME
|
0.100
|
Wiki
|
|
full
|
|
Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
|
DCC_CHECK
|
0 1.37 0 2.17
|
Wiki
|
|
header
|
|
Domain Keys Identified Mail: message has a signature
|
DKIM_SIGNED
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys Identified Mail: signature passes verification
|
DKIM_VERIFIED
|
-0.001
|
Wiki
|
|
header
|
|
Domain Keys Identified Mail: policy says domain is testing DK
|
DKIM_POLICY_TESTING
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys Identified Mail: policy says domain signs some mails
|
DKIM_POLICY_SIGNSOME
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys Identified Mail: policy says domain signs all mails
|
DKIM_POLICY_SIGNALL
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys: message has a signature
|
DK_SIGNED
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys: signature passes verification
|
DK_VERIFIED
|
-0.001
|
Wiki
|
|
header
|
|
Domain Keys: policy says domain is testing DK
|
DK_POLICY_TESTING
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys: policy says domain signs some mails
|
DK_POLICY_SIGNSOME
|
0.001
|
Wiki
|
|
header
|
|
Domain Keys: policy says domain signs all mails
|
DK_POLICY_SIGNALL
|
0.001
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (20 bits)
|
HASHCASH_20
|
-0.500
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (21 bits)
|
HASHCASH_21
|
-0.700
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (22 bits)
|
HASHCASH_22
|
-1.000
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (23 bits)
|
HASHCASH_23
|
-2.000
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (24 bits)
|
HASHCASH_24
|
-3.000
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (25 bits)
|
HASHCASH_25
|
-4.000
|
Wiki
|
|
header
|
|
Contains valid Hashcash token (>25 bits)
|
HASHCASH_HIGH
|
-5.000
|
Wiki
|
|
header
|
|
Hashcash token already spent in another mail
|
HASHCASH_2SPEND
|
0.100
|
Wiki
|
|
full
|
|
Listed in Pyzor (http://pyzor.sf.net/)
|
PYZOR_CHECK
|
0 2.834 0 3.700
|
Wiki
|
|
full
|
|
Listed in Razor2 (http://razor.sf.net/)
|
RAZOR2_CHECK
|
0 0.5 0 0.5
|
Wiki
|
|
full
|
|
Razor2 gives confidence level above 50%
|
RAZOR2_CF_RANGE_51_100
|
0 0.5 0 0.5
|
Wiki
|
|
full
|
|
Razor2 gives engine 4 confidence level above 50%
|
RAZOR2_CF_RANGE_E4_51_100
|
0 1.5 0 1.5
|
Wiki
|
|
full
|
|
Razor2 gives engine 8 confidence level above 50%
|
RAZOR2_CF_RANGE_E8_51_100
|
0 1.5 0 1.5
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_MEDS
|
3.800 2.812 3.799 3.799
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_CHEAP
|
1
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_PENIS
|
3.099 1.308 3.100 3.096
|
Wiki
|
|
header
|
|
Attempt to obfuscate words in Subject:
|
SUBJECT_FUZZY_TION
|
1.100 0.410 0.749 0.156
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_AFFORDABLE
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_AMBIEN
|
1.520 0.962 0.195 1.026
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_BILLION
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_CPILL
|
0.001
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_CREDIT
|
1.696 0.522 0.740 1.238
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_ERECT
|
2.529 0.708 1.736 0.804
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_GUARANTEE
|
2.496 0.962 2.899 1.252
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MEDICATION
|
0.307 0.001 2.637 2.717
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MILLION
|
2.173 2.325 1.797 2.529
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MONEY
|
2.799 2.796 2.799 2.799
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_MORTGAGE
|
3.299 3.296 3.036 1.880
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_OBLIGATION
|
2.799 2.796 2.799 2.469
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_OFFERS
|
3.299 1.032 2.199 1.246
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PHARMACY
|
2.999 2.999 2.090 1.704
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PHENT
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PRESCRIPT
|
2.699 2.644 1.704 1.604
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_PRICES
|
2.801 2.458 1.665 1.304
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_REFINANCE
|
2.102 0.001 0.505 0.001
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_REMOVE
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_ROLEX
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_SOFTWARE
|
2.797 2.860 3.169 3.471
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_THOUSANDS
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VLIUM
|
0.001
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VIOXX
|
1
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_VPILL
|
1.004 0.001 0.480 0.687
|
Wiki
|
|
body
|
|
Attempt to obfuscate words in spam
|
FUZZY_XPILL
|
3.399 3.314 1.549 1.746
|
Wiki
|
|
header
|
|
SPF: sender matches SPF record
|
SPF_PASS
|
-0.001
|
Wiki
|
|
header
|
|
SPF: sender does not match SPF record (neutral)
|
SPF_NEUTRAL
|
2.199 1.210 0.756 0.686
|
Wiki
|
|
header
|
|
SPF: sender does not match SPF record (fail)
|
SPF_FAIL
|
2.600 0.992 1.669 0.693
|
Wiki
|
|
header
|
|
SPF: sender does not match SPF record (softfail)
|
SPF_SOFTFAIL
|
2.301 0.654 0.698 0.596
|
Wiki
|
|
header
|
|
SPF: HELO matches SPF record
|
SPF_HELO_PASS
|
-0.001
|
Wiki
|
|
header
|
|
SPF: HELO does not match SPF record (neutral)
|
SPF_HELO_NEUTRAL
|
2.231 2.000 0.744 0.576
|
Wiki
|
|
header
|
|
SPF: HELO does not match SPF record (fail)
|
SPF_HELO_FAIL
|
2.298 0.365 0.540 0.001
|
Wiki
|
|
header
|
|
SPF: HELO does not match SPF record (softfail)
|
SPF_HELO_SOFTFAIL
|
2.599 1.533 1.427 0.841
|
Wiki
|
|
body
|
|
Message written in an undesired language
|
UNWANTED_LANGUAGE_BODY
|
2.800
|
Wiki
|
|
body
|
|
Body includes 8 consecutive 8-bit characters
|
BODY_8BITS
|
1.500
|
Wiki
|
|
body
|
|
Contains an URL listed in the SBL blocklist
|
URIBL_SBL
|
0 2.468 0 1.499
|
Wiki
|
|
body
|
|
Contains an URL listed in the SC SURBL blocklist
|
URIBL_SC_SURBL
|
0 2.523 0 0.474
|
Wiki
|
|
body
|
|
Contains an URL listed in the WS SURBL blocklist
|
URIBL_WS_SURBL
|
0 2.100 0 1.500
|
Wiki
|
|
body
|
|
Contains an URL listed in the PH SURBL blocklist
|
URIBL_PH_SURBL
|
0 2.035 0 1.787
|
Wiki
|
|
body
|
|
Contains an URL listed in the OB SURBL blocklist
|
URIBL_OB_SURBL
|
0 2.132 0 1.500
|
Wiki
|
|
body
|
|
Contains an URL listed in the AB SURBL blocklist
|
URIBL_AB_SURBL
|
0 1.613 0 1.860
|
Wiki
|
|
body
|
|
Contains an URL listed in the JP SURBL blocklist
|
URIBL_JP_SURBL
|
0 2.857 0 1.501
|
Wiki
|
|
body
|
|
Contains an URL listed in the URIBL blacklist
|
URIBL_BLACK
|
0 1.961 0 1.955
|
Wiki
|
|
body
|
|
Contains an URL listed in the URIBL greylist
|
URIBL_GREY
|
0.25
|
Wiki
|
|
body
|
|
Contains an URL listed in the URIBL redlist
|
URIBL_RED
|
0.001
|
Wiki
|
|
header
|
|
From: address is in the auto white-list
|
AWL
|
1
|
Wiki
|
|
header
|
|
From: address is in the user's black-list
|
USER_IN_BLACKLIST
|
100.000
|
Wiki
|
|
header
|
|
From: address is in the user's white-list
|
USER_IN_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default white-list
|
USER_IN_DEF_WHITELIST
|
-15.000
|
Wiki
|
|
header
|
|
User is listed in 'blacklist_to'
|
USER_IN_BLACKLIST_TO
|
10.000
|
Wiki
|
|
header
|
|
User is listed in 'whitelist_to'
|
USER_IN_WHITELIST_TO
|
-6.000
|
Wiki
|
|
header
|
|
User is listed in 'more_spam_to'
|
USER_IN_MORE_SPAM_TO
|
-20.000
|
Wiki
|
|
header
|
|
User is listed in 'all_spam_to'
|
USER_IN_ALL_SPAM_TO
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the user's DK whitelist
|
USER_IN_DK_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default DK white-list
|
USER_IN_DEF_DK_WL
|
-7.500
|
Wiki
|
|
header
|
|
From: address is in the user's DKIM whitelist
|
USER_IN_DKIM_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default DKIM white-list
|
USER_IN_DEF_DKIM_WL
|
-7.500
|
Wiki
|
|
header
|
|
From: address is in the user's SPF whitelist
|
USER_IN_SPF_WHITELIST
|
-100.000
|
Wiki
|
|
header
|
|
From: address is in the default SPF white-list
|
USER_IN_DEF_SPF_WL
|
-7.500
|
Wiki
|
|
header
|
|
Subject: contains string in the user's white-list
|
SUBJECT_IN_WHITELIST
|
-100
|
Wiki
|
|
header
|
|
Subject: contains string in the user's black-list
|
SUBJECT_IN_BLACKLIST
|
100
|
Wiki
|
|
header
|
|
From address contains an apostrophe
|
APOSTROPHE_FROM
|
0.002 0.001 1.597 0.001
|
Wiki
|
|
header
|
|
Message-Id =~ /^<[0-9]{12}\.[0-9]{12}\@/
|
AXB_XMID_1212
|
3.899 3.899 3.899 3.496
|
Wiki
|
|
header
|
|
Message-Id =~ /<[0-9A-F]{15}\.[0-9A-F]{10}\@/
|
AXB_XMID_1510
|
4.299 4.295 3.893 3.015
|
Wiki
|
|
header
|
|
Message-ID =~ /^<[0-9-a-f]{12}\(dollar) [0-9-a-f]{8}\(dollar) [0]{8}\@/
|
AXB_XMID_OEGOESNULL
|
4.291 4.216 1.083 2.034
|
Wiki
|
|
header
|
|
Received =~ /\([123456790]{1,2}\.[0-9]{1,2}\.[0-9]{1}\/[0-9]{1,2}\.[0-9]{2}\.[0-9]{1}\)/
|
AXB_XM_SENDMAIL_NOT
|
1
|
Wiki
|
|
header
|
|
Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/
|
AXB_XR_STULDAP
|
3.199 3.196 3.199 3.004
|
Wiki
|
|
header
|
|
Thread-Index =~ /(?:\*| \<\>| \)| \()/
|
AXB_XTIDX_CHAIN
|
1
|
Wiki
|
|
body
|
|
Talks about banking laws
|
BANKING_LAWS
|
3.099 3.096 2.900 2.002
|
Wiki
|
|
body
|
|
eval:check_base64_length('78','79')
|
BASE64_LENGTH_78_79
|
3.699 3.699 3.133 2.783
|
Wiki
|
|
body
|
|
eval:check_base64_length('79')
|
BASE64_LENGTH_79_INF
|
3.900 2.763 2.962 1.496
|
Wiki
|
|
body
|
|
/^\xEF\xBB\xBFMessage-ID:/
|
BROKEN_RATWARE_BOM
|
2.699 2.267 2.440 2.473
|
Wiki
|
|
header
|
|
Content-Type =~
/multipart.{0,200}boundary=\"----=_NextPart_000_0001_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
|
CTYPE_001C_A
|
2.299 2.319 1.500 1.498
|
Wiki
|
|
header
|
|
Content-Type =~
/multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
|
CTYPE_001C_B
|
1
|
Wiki
|
|
body
|
|
/\bCurrent Price:/
|
CURR_PRICE
|
4.161 2.659 1.412 1.588
|
Wiki
|
|
body
|
|
/\bdear.{1,20}winner/i
|
DEAR_WINNER
|
3.199 3.196 3.199 3.197
|
Wiki
|
|
full
|
|
/<DIV align=3Dcenter><A href=3D=\n/
|
DIV_CENTER_A_HREF
|
3.799 3.795 3.799 2.590
|
Wiki
|
|
header
|
|
Sender from new domain (Day Old Bread)
|
DNS_FROM_DOB
|
0 0.341 0 0.732
|
Wiki
|
|
header
|
|
Envelope sender listed in bl.open-whois.org.
|
DNS_FROM_OPENWHOIS
|
0 2.431 0 1.130
|
Wiki
|
|
body
|
|
Provision for income taxes
|
DOS_PROVISION4
|
1.5
|
Wiki
|
|
body
|
|
Report of financial income
|
DOS_REPORT_FIN_INC
|
0.5
|
Wiki
|
|
body
|
|
Pump and dump stock spam
|
DOS_STOCK_CDYV_GENERIC
|
2.5
|
Wiki
|
|
uri
|
|
Found an asterisk in a URI
|
DOS_URI_ASTERISK
|
1
|
Wiki
|
|
header
|
|
Subject =~ /\bhoodia\b/i
|
DRUGS_HDIA
|
2.529 2.501 2.483 2.697
|
Wiki
|
|
body
|
|
Add / Gain inches
|
FB_ADD_INCHES
|
2.999 2.999 2.620 2.131
|
Wiki
|
|
body
|
|
It's almost sex, but not!
|
FB_ALMOST_SEX
|
3.099 3.096 2.841 2.110
|
Wiki
|
|
body
|
|
Broken AnaTrim phrase.
|
FB_ANA_TRIM
|
3.999 3.995 3.797 3.764
|
Wiki
|
|
body
|
|
Phrase: A_U_N_I
|
FB_ANUI
|
0.431 1.618 2.634 0.823
|
Wiki
|
|
body
|
|
Phrase: [BM]Illi0n
|
FB_BILLI0N
|
1
|
Wiki
|
|
body
|
|
Phrase: C0mpany
|
FB_C0MPANY
|
2.799 2.106 2.799 2.455
|
Wiki
|
|
body
|
|
Phrase: can last longer
|
FB_CAN_LONGER
|
1.403 1.309 0.474 0.442
|
Wiki
|
|
body
|
|
Uses a mis-spelled version of cialis.
|
FB_CIALIS_LEO3
|
2.628 2.815 3.001 1.441
|
Wiki
|
|
body
|
|
Looks like double 0 words
|
FB_DOUBLE_0WORDS
|
3.599 3.595 3.599 3.533
|
Wiki
|
|
body
|
|
Phrase: email hier
|
FB_EMAIL_HIER
|
0.342 1.203 2.941 2.189
|
Wiki
|
|
body
|
|
Phrase: extra inches
|
FB_EXTRA_INCHES
|
1.234 3.096 2.081 2.442
|
Wiki
|
|
body
|
|
Looks like numbers with O's insted of 0's
|
FB_FAKE_NUMBERS
|
1
|
Wiki
|
|
body
|
|
Looks like fake numbers (4)
|
FB_FAKE_NUMS4
|
1
|
Wiki
|
|
body
|
|
Phrase: Farmacy
|
FB_FHARMACY
|
3.699 3.695 2.819 3.576
|
Wiki
|
|
body
|
|
Phrase: forward look with 0's
|
FB_FORWARD_LOOK
|
0.000 0.000 3.000 1.000
|
Wiki
|
|
body
|
|
Too much spacing in Address
|
FB_GAPPY_ADDRESS
|
3.399 3.399 3.399 2.674
|
Wiki
|
|
body
|
|
Looks like trying to sell meds
|
FB_GET_MEDS
|
3.599 1.097 1.501 0.803
|
Wiki
|
|
body
|
|
Looks like generic viagra
|
FB_GVR
|
0.469 0.001 0.001 0.127
|
Wiki
|
|
body
|
|
Phrase hey bro,
|
FB_HEY_BRO_COMMA
|
3.099 2.783 3.099 2.331
|
Wiki
|
|
body
|
|
Phrase: HGH
|
FB_HG_H_CAP
|
1.885 0.887 0.007 0.274
|
Wiki
|
|
body
|
|
Phrase (dollar) x home loan
|
FB_HOMELOAN
|
2.487 2.014 2.003 0.710
|
Wiki
|
|
body
|
|
Phrase: impress ... girl
|
FB_IMPRESS_GIRL
|
2.197 1.757 1.964 2.581
|
Wiki
|
|
body
|
|
Phrase: Increase your energy
|
FB_INCREASE_YOUR
|
3.399 3.396 3.399 3.396
|
Wiki
|
|
body
|
|
Phrase: independent reward
|
FB_INDEPEND_RWD
|
3.599 3.599 3.600 3.595
|
Wiki
|
|
body
|
|
Phrase: L0an
|
FB_L0AN
|
1
|
Wiki
|
|
body
|
|
Special people leave special signs!
|
FB_LETTERS_21B
|
3.999 3.999 3.999 3.995
|
Wiki
|
|
body
|
|
Phrase: lower your monthly payments
|
FB_LOWER_PAYM
|
3.000 2.996 2.999 2.996
|
Wiki
|
|
body
|
|
Phrase: Med1cat
|
FB_MED1CAT
|
1
|
Wiki
|
|
body
|
|
Talks about meds and %
|
FB_MEDS_PERCENT
|
1
|
Wiki
|
|
body
|
|
Phrase: more size
|
FB_MORE_SIZE
|
1.166 1.422 2.013 0.397
|
Wiki
|
|
body
|
|
Looks like a fake phone number (1)
|
FB_NOT_PHONE_NUM1
|
2.600 2.599 2.599 2.596
|
Wiki
|
|
body
|
|
Looks like a fake phone number (3)
|
FB_NOT_PHONE_NUM3
|
2.599 2.596 2.599 2.599
|
Wiki
|
|
body
|
|
Looks like school but it's not!
|
FB_NOT_SCHOOL
|
3.099 2.312 1.868 2.961
|
Wiki
|
|
body
|
|
Phrase: no prescription needed.
|
FB_NO_SCRIP_NEEDED
|
3.088 2.458 2.403 3.228
|
Wiki
|
|
body
|
|
Speaks of teenager.
|
FB_NUMYO
|
2.400 2.397 2.399 2.397
|
Wiki
|
|
body
|
|
Speaks of 20+ year old.
|
FB_NUMYO2
|
1
|
Wiki
|
|
body
|
|
Looks like money but has odd spacing.
|
FB_ODD_SPACED_MONEY
|
2.303 2.723 2.697 1.959
|
Wiki
|
|
body
|
|
Mis-spelled online
|
FB_ONIINE
|
1
|
Wiki
|
|
body
|
|
Phrase: p1ll
|
FB_P1LL
|
0.467 1.088 1.552 1.814
|
Wiki
|
|
body
|
|
Phrase: penis growth
|
FB_PENIS_GROWTH
|
1
|
Wiki
|
|
body
|
|
Phrase: Dollar, with pipes or 0's.
|
FB_PIPEDOLLAR
|
2.599 2.430 2.599 2.599
|
Wiki
|
|
body
|
|
Looks like illion, but it's not
|
FB_PIPE_ILLION
|
1
|
Wiki
|
|
body
|
|
Talks about prolonged hardness
|
FB_PROLONGED_HARD
|
1
|
Wiki
|
|
body
|
|
Phrase: quality replica
|
FB_QUALITY_REPLICA
|
3.899 3.899 3.899 2.949
|
Wiki
|
|
body
|
|
Refcode with spacing
|
FB_REF_CODE_SPACE
|
3.599
|
Wiki
|
|
body
|
|
Phrase: REPLICA
|
FB_REPLIC_CAP
|
4.000 3.995 3.567 3.242
|
Wiki
|
|
body
|
|
Looks like refi.
|
FB_RE_FI
|
2.699 2.696 2.699 2.696
|
Wiki
|
|
body
|
|
Phrase: Roller is th
|
FB_ROLLER_IS_T
|
1
|
Wiki
|
|
body
|
|
Phrase: rolx
|
FB_ROLX
|
0.000 0.000 3.000 1.000
|
Wiki
|
|
body
|
|
Phrase: Softabs
|
FB_SOFTTABS
|
4.299 4.281 4.064 3.513
|
Wiki
|
|
body
|
|
Phrase: F R E E
|
FB_SPACED_FREE
|
1
|
Wiki
|
|
body
|
|
Phone number with -- spacing. (B)
|
FB_SPACED_PHN_3B
|
2.899 2.896 2.899 2.896
|
Wiki
|
|
body
|
|
Looks like a s p a c e d zipcode.
|
FB_SPACEY_ZIP
|
2.687 1.785 3.099 1.680
|
Wiki
|
|
body
|
|
Phrase: SPUR-M
|
FB_SPUR_M
|
1
|
Wiki
|
|
body
|
|
Phrase: ssex
|
FB_SSEX
|
2.019 2.001 2.556 2.489
|
Wiki
|
|
body
|
|
Looks like stocks exploding.
|
FB_STOCK_EXPLODE
|
2.699 2.696 1.927 1.833
|
Wiki
|
|
body
|
|
Mis-spelled symbol.
|
FB_SYMBLO
|
1
|
Wiki
|
|
body
|
|
Phrase: this advertiser
|
FB_THIS_ADVERT
|
1
|
Wiki
|
|
body
|
|
Phrase: thousand personal
|
FB_THOUS_PERSONAL
|
0.000 0.000 3.000 1.000
|
Wiki
|
|
body
|
|
Phrase: to stop further distribution
|
FB_TO_STOP_DISTRO
|
3.099 3.096 3.099 3.096
|
Wiki
|
|
body
|
|
Phrase: Ultra Allure
|
FB_ULTRA_ALLURE
|
2.999 2.841 2.374 2.999
|
Wiki
|
|
body
|
|
Phrase: lock to your girlfriend
|
FB_UNLOCK_YOUR_G
|
2.699 2.696 2.618 2.002
|
Wiki
|
|
body
|
|
Pattern Replacement PROV_D
|
FB_UNRESOLV_PROV
|
1.606 1.132 2.429 0.765
|
Wiki
|
|
body
|
|
Looks like a word ending with a (dollar)
|
FB_WORD1_END_DOLLAR
|
1
|
Wiki
|
|
body
|
|
Phrase: yourself master
|
FB_YOURSELF_MASTER
|
0.421 1.248 1.557 2.011
|
Wiki
|
|
body
|
|
Phrase: Your refi
|
FB_YOUR_REFI
|
2.701 3.306 3.300 3.518
|
Wiki
|
|
header
|
|
Bad X-Mailer version
|
FH_BAD_OEV1441
|
0.974 2.393 2.440 2.401
|
Wiki
|
|
header
|
|
The date is not 19xx.
|
FH_DATE_IS_19XX
|
1.947 1.970 2.512 2.199
|
Wiki
|
|
header
|
|
The date is grossly in the future.
|
FH_DATE_PAST_20XX
|
2.075 3.384 3.554 3.188
|
Wiki
|
|
header
|
|
RCVD line looks faked (A)
|
FH_FAKE_RCVD_LINE
|
2.230 2.215 2.670 2.470
|
Wiki
|
|
header
|
|
E-mail address doesn't have TLD (.com, etc.)
|
FH_FROMEML_NOTLD
|
2.699 2.196 2.699 2.696
|
Wiki
|
|
header
|
|
From name has "cash"
|
FH_FROM_CASH
|
2.999 2.996 2.999 2.996
|
Wiki
|
|
header
|
|
From name says Get
|
FH_FROM_GET_NAME
|
1
|
Wiki
|
|
header
|
|
From name is giveaway.
|
FH_FROM_GIVEAWAY
|
2.799 2.796 2.799 1.597
|
Wiki
|
|
header
|
|
From has Hoodia!!?
|
FH_FROM_HOODIA
|
2.699 2.696 2.699 2.696
|
Wiki
|
|
header
|
|
Has X-AIMC-AUTH header
|
FH_HAS_XAIMC
|
2.699 2.699 2.699 2.696
|
Wiki
|
|
header
|
|
Has X-ID
|
FH_HAS_XID
|
2.400 2.399 2.399 2.397
|
Wiki
|
|
header
|
|
Helo is almost an IP addr.
|
FH_HELO_ALMOST_IP
|
3.222 3.727 3.463 3.565
|
Wiki
|
|
header
|
|
Helo ends with a dot.
|
FH_HELO_ENDS_DOT
|
3.599 3.020 1.395 2.308
|
Wiki
|
|
header
|
|
Helo is 6-10 hex chr's.
|
FH_HELO_EQ_610HEX
|
4.099 4.099 4.099 4.095
|
Wiki
|
|
header
|
|
Helo is d-d-d-d charter.com
|
FH_HELO_EQ_CHARTER
|
0.359 1.258 1.495 1.044
|
Wiki
|
|
header
|
|
Helo is d-d-d-d
|
FH_HELO_EQ_D_D_D_D
|
2.399 0.498 0.561 0.001
|
Wiki
|
|
header
|
|
Faked helo of gmail-smtp-in
|
FH_HELO_GMAILSMTP
|
1
|
Wiki
|
|
header
|
|
The host almost looks like an IP addr.
|
FH_HOST_ALMOST_IP
|
4.099 3.791 2.170 1.751
|
Wiki
|
|
header
|
|
Host is dynamicip
|
FH_HOST_EQ_DYNAMICIP
|
0.964 3.097 3.103 4.058
|
Wiki
|
|
header
|
|
Host starts with d-d-d-d
|
FH_HOST_EQ_D_D_D_D
|
2.599 1.992 1.692 1.212
|
Wiki
|
|
header
|
|
Host is d-d-d-d
|
