| Schlüsselwort
| Typ
|
| ACCESSDB | Message would have been caught by accessdb
|
| ACT_NOW_CAPS | Talks about 'acting now' with capitals
|
| ADDRESS_IN_SUBJECT | To: address appears in Subject
|
| ADDR_FREE | From Address contains FREE
|
| ADDR_NUMS_AT_BIGSITE | Has an address with lots of numbers at a big ISP
|
| ADVANCE_FEE_1 | Appears to be advance fee fraud (Nigerian 419)
|
| ADVANCE_FEE_2 | Appears to be advance fee fraud (Nigerian 419)
|
| ADVANCE_FEE_3 | Appears to be advance fee fraud (Nigerian 419)
|
| ADVANCE_FEE_4 | Appears to be advance fee fraud (Nigerian 419)
|
| ALL_NATURAL | Spam is 100% natural?!
|
| ALL_TRUSTED | Passed through trusted hosts only via SMTP
|
| AMATEUR_PORN | Possible porn - Amateur Porn
|
| AMAZING_STUFF | Amazing Stuff
|
| AS_SEEN_ON | As seen on national TV!
|
| AWL | From: address is in the auto white-list
|
| BAD_CREDIT | Eliminate Bad Credit
|
| BAD_ENC_HEADER | Message has bad MIME encoding in the header
|
| BANG_EXERCISE | Talks about exercise with an exclamation!
|
| BANG_GUAR | Something is emphatically guaranteed
|
| BANG_MORE | Talks about more with an exclamation!
|
| BANG_OPRAH | Talks about Oprah with an exclamation!
|
| BARGAIN_URL | Includes a link to a likely spammer domain
|
| BAYES_00 | Bayesian spam probability is 0 to 1%
|
| BAYES_05 | Bayesian spam probability is 1 to 5%
|
| BAYES_20 | Bayesian spam probability is 5 to 20%
|
| BAYES_40 | Bayesian spam probability is 20 to 40%
|
| BAYES_50 | Bayesian spam probability is 40 to 60%
|
| BAYES_60 | Bayesian spam probability is 60 to 80%
|
| BAYES_80 | Bayesian spam probability is 80 to 95%
|
| BAYES_95 | Bayesian spam probability is 95 to 99%
|
| BAYES_99 | Bayesian spam probability is 99 to 100%
|
| BEST_PORN | Possible porn - Best, Largest, Most Porn
|
| BE_BOSS | Be your own boss
|
| BILLION_DOLLARS | Talks about lots of money
|
| BILL_1618 | Possible mention of bill 1618 (anti-spam bill)
|
| BIZ_TLD | Contains an URL in the BIZ top-level domain
|
| BLANK_LINES_70_80 | Message body has 70-80% blank lines
|
| BLANK_LINES_80_90 | Message body has 80-90% blank lines
|
| BLANK_LINES_90_100 | Message body has 90-100% blank lines
|
| BODY_8BITS | Body includes 8 consecutive 8-bit characters
|
| BODY_ENHANCEMENT | Information on growing body parts
|
| BODY_ENHANCEMENT2 | Information on getting larger body parts
|
| CHARSET_FARAWAY | Character set indicates a foreign language
|
| CHARSET_FARAWAY_HEADER | A foreign language charset used in headers
|
| CHINA_HEADER | Involves 'china.com'
|
| CLICK_BELOW_CAPS | Asks you to click below (in capital letters)
|
| CLICK_TO_REMOVE_1 | Click to be removed
|
| COMPETE | Compete for your business
|
| CONFIDENTIAL_ORDER | Confidentiality on all orders
|
| CONFIRMED_FORGED | Received headers are forged
|
| CONSOLIDATE_DEBT | Consolidate debt, credit, or bills
|
| CUM_SHOT | Possible porn - Cum Shot
|
| DATE_IN_FUTURE_03_06 | Date: is 3 to 6 hours after Received: date
|
| DATE_IN_FUTURE_06_12 | Date: is 6 to 12 hours after Received: date
|
| DATE_IN_FUTURE_12_24 | Date: is 12 to 24 hours after Received: date
|
| DATE_IN_FUTURE_24_48 | Date: is 24 to 48 hours after Received: date
|
| DATE_IN_FUTURE_48_96 | Date: is 48 to 96 hours after Received: date
|
| DATE_IN_FUTURE_96_XX | Date: is 96 hours or more after Received: date
|
| DATE_IN_PAST_03_06 | Date: is 3 to 6 hours before Received: date
|
| DATE_IN_PAST_06_12 | Date: is 6 to 12 hours before Received: date
|
| DATE_IN_PAST_12_24 | Date: is 12 to 24 hours before Received: date
|
| DATE_IN_PAST_24_48 | Date: is 24 to 48 hours before Received: date
|
| DATE_IN_PAST_48_96 | Date: is 48 to 96 hours before Received: date
|
| DATE_IN_PAST_96_XX | Date: is 96 hours or more before Received: date
|
| DATE_SPAMWARE_Y2K | Date header uses unusual Y2K formatting
|
| DAV_NON_HOTMAIL | Message sent using DAV, but not via Hotmail
|
| DCC_CHECK | Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
|
| DEAR_FRIEND | Dear Friend? That's not very dear!
|
| DEAR_SOMETHING | Contains 'Dear (something)'
|
| DEEP_DISC_MEDS | Deep discount medications
|
| DIET_1 | Lose Weight Spam
|
| DIET_2 | Describes weight loss
|
| DIET_3 | Describes body fat loss
|
| DIGEST_MULTIPLE | Message hits more than one network digest check
|
| DISGUISE_PORN | Attempts to disguise porn words
|
| DISGUISE_PORN_MUNDANE | Attempts to disguise mundane words used in porn
|
| DKIM_POLICY_SIGNALL | Domain Keys Identified Mail: policy says domain signs all mails
|
| DKIM_POLICY_SIGNSOME | Domain Keys Identified Mail: policy says domain signs some mails
|
| DKIM_POLICY_TESTING | Domain Keys Identified Mail: policy says domain is testing DK
|
| DKIM_SIGNED | Domain Keys Identified Mail: message has a signature
|
| DKIM_VERIFIED | Domain Keys Identified Mail: signature passes verification
|
| DK_POLICY_SIGNALL | Domain Keys: policy says domain signs all mails
|
| DK_POLICY_SIGNSOME | Domain Keys: policy says domain signs some mails
|
| DK_POLICY_TESTING | Domain Keys: policy says domain is testing DK
|
| DK_SIGNED | Domain Keys: message has an unverified signature
|
| DK_VERIFIED | Domain Keys: signature passes verification
|
| DNS_FROM_AHBL_RHSBL | From: sender listed in dnsbl.ahbl.org
|
| DNS_FROM_RFC_ABUSE | Envelope sender in abuse.rfc-ignorant.org
|
| DNS_FROM_RFC_BOGUSMX | Envelope sender in bogusmx.rfc-ignorant.org
|
| DNS_FROM_RFC_DSN | Envelope sender in dsn.rfc-ignorant.org
|
| DNS_FROM_RFC_POST | Envelope sender in postmaster.rfc-ignorant.org
|
| DNS_FROM_RFC_WHOIS | Envelope sender in whois.rfc-ignorant.org
|
| DNS_FROM_SECURITYSAGE | Envelope sender in blackholes.securitysage.com
|
| DOMAIN_4U2 | Domain name containing a "4u" variant
|
| DOMAIN_RATIO | Message body mentions many internet domains
|
| DRUGS_ANXIETY | Refers to an anxiety control drug
|
| DRUGS_ANXIETY_EREC | Refers to both an erectile and an anxiety drug
|
| DRUGS_ANXIETY_OBFU | Obfuscated reference to an anxiety control drug
|
| DRUGS_DIET | Refers to a diet drug
|
| DRUGS_DIET_OBFU | Obfuscated reference to a diet drug
|
| DRUGS_ERECTILE | Refers to an erectile drug
|
| DRUGS_ERECTILE_OBFU | Obfuscated reference to an erectile drug
|
| DRUGS_MANYKINDS | Refers to at least four kinds of drugs
|
| DRUGS_MUSCLE | Refers to a muscle relaxant
|
| DRUGS_PAIN | Refers to a pain relief drug
|
| DRUGS_PAIN_OBFU | Obfuscated reference to a pain relief drug
|
| DRUGS_SLEEP | Refers to a sleep aid drug
|
| DRUGS_SLEEP_EREC | Refers to both an erectile and a sleep aid drug
|
| DRUGS_SMEAR1 | Two or more drugs crammed together into one word
|
| DRUG_DOSAGE | Talks about price per dose
|
| DRUG_ED_CAPS | Mentions an E.D. drug
|
| DRUG_ED_COMBO | Viagra and other drugs
|
| DRUG_ED_GENERIC | Mentions Generic Viagra
|
| DRUG_ED_ONLINE | Fast Viagra Delivery
|
| DRUG_ED_SILD | Talks about an E.D. drug using its chemical name
|
| EARN_PER_WEEK | Contains 'earn $something per week'
|
| EMAIL_ROT13 | Body contains a ROT13-encoded email address
|
| EMPTY_MESSAGE | Message appears to have no textual parts and no Subject: text
|
| EM_ROLEX | Message puts emphasis on the watch manufacturer
|
| ENGLISH_UCE_SUBJECT | Subject contains an English UCE tag
|
| ENTITY_DEC_ALPHANUM | HTML contains needlessly encoded characters
|
| ENV_AND_HDR_DKIM_MATCH | Env and Hdr From used in default DKIM WL Match
|
| ENV_AND_HDR_DK_MATCH | Env and Hdr From used in default DK WL Match
|
| ENV_AND_HDR_SPF_MATCH | Env and Hdr From used in default SPF WL Match
|
| EXCUSE_10 | "if you do not wish to receive any more"
|
| EXCUSE_12 | Nobody's perfect
|
| EXCUSE_23 | Claims you have provided permission
|
| EXCUSE_24 | Claims you wanted this ad
|
| EXCUSE_4 | Claims you can be removed from the list
|
| EXCUSE_6 | Claims you can be removed from the list
|
| EXCUSE_REMOVE | Talks about how to be removed from mailings
|
| EXTRA_CASH | Offers Extra Cash
|
| EXTRA_MPART_TYPE | Header has extraneous Content-type:...type= entry
|
| FAKED_UNDISC_RECIPS | Faked To "Undisclosed-Recipients"
|
| FAKE_HELO_EMAIL_COM | Host HELO did not match rDNS: email.com
|
| FAKE_HELO_EUDORAMAIL | Host HELO did not match rDNS: eudoramail.com
|
| FAKE_HELO_EXCITE | Host HELO did not match rDNS: excite.com
|
| FAKE_HELO_LYCOS | Host HELO did not match rDNS: lycos.com
|
| FAKE_HELO_MAIL_COM | Host HELO did not match rDNS: mail.com
|
| FAKE_HELO_MAIL_COM_DOM | Relay HELO'd with suspicious hostname (mail.com)
|
| FAKE_HELO_MSN | Host HELO did not match rDNS: msn.com
|
| FAKE_HELO_YAHOO_CA | Host HELO did not match rDNS: yahoo.ca
|
| FAKE_OUTBLAZE_RCVD | Received header contains faked 'mr.outblaze.com'
|
| FIN_FREE | Freedom of a financial nature
|
| FORGED_AOL_RCVD | Received forged, contains fake AOL relays
|
| FORGED_AOL_TAGS | AOL mailers can't send HTML in this format
|
| FORGED_EUDORAMAIL_RCVD | Forged eudoramail.com 'Received:' header found
|
| FORGED_GW05_RCVD | Forged 'by gw05' 'Received:' header found
|
| FORGED_HOTMAIL_RCVD | Forged hotmail.com 'Received:' header found
|
| FORGED_HOTMAIL_RCVD2 | hotmail.com 'From' address, but no 'Received:'
|
| FORGED_IMS_HTML | IMS can't send HTML message only
|
| FORGED_IMS_TAGS | IMS mailers can't send HTML in this format
|
| FORGED_JUNO_RCVD | 'From' juno.com does not match 'Received' headers
|
| FORGED_MSGID_AOL | Message-ID is forged, (aol.com)
|
| FORGED_MSGID_EXCITE | Message-ID is forged, (excite.com)
|
| FORGED_MSGID_HOTMAIL | Message-ID is forged, (hotmail.com)
|
| FORGED_MSGID_MSN | Message-ID is forged, (msn.com)
|
| FORGED_MSGID_YAHOO | Message-ID is forged, (yahoo.com)
|
| FORGED_MUA_AOL_FROM | Forged mail pretending to be from AOL (by From)
|
| FORGED_MUA_EUDORA | Forged mail pretending to be from Eudora
|
| FORGED_MUA_IMS | Forged mail pretending to be from IMS
|
| FORGED_MUA_MOZILLA | Forged mail pretending to be from Mozilla
|
| FORGED_MUA_OIMO | Forged mail pretending to be from MS Outlook IMO
|
| FORGED_MUA_OUTLOOK | Forged mail pretending to be from MS Outlook
|
| FORGED_MUA_THEBAT_BOUN | Mail pretending to be from The Bat! (boundary)
|
| FORGED_MUA_THEBAT_CS | Mail pretending to be from The Bat! (charset)
|
| FORGED_OUTLOOK_HTML | Outlook can't send HTML message only
|
| FORGED_OUTLOOK_TAGS | Outlook can't send HTML in this format
|
| FORGED_QUALCOMM_TAGS | QUALCOMM mailers can't send HTML in this format
|
| FORGED_RCVD_HELO | Received: contains a forged HELO
|
| FORGED_TELESP_RCVD | Contains forged hostname for a DSL IP in Brazil
|
| FORGED_THEBAT_HTML | The Bat! can't send HTML message only
|
| FORGED_YAHOO_RCVD | 'From' yahoo.com does not match 'Received' headers
|
| FORWARD_LOOKING | Stock Disclaimer Statement
|
| FRAGMENTED_MESSAGE | Partial message
|
| FREE_ACCESS | Contains 'free access' with capitals
|
| FREE_PORN | Possible porn - Free Porn
|
| FREE_PREVIEW | Free Preview
|
| FREE_QUOTE_INSTANT | Free express or no-obligation quote
|
| FREE_SAMPLE | Contains 'free sample' with capitals
|
| FROM_ALL_NUMS | From numeric address (except US/Canada phones)
|
| FROM_AND_TO_SAME | From and To are the same, but not exactly
|
| FROM_BLANK_NAME | From: contains empty name
|
| FROM_DOMAIN_NOVOWEL | From: domain has series of non-vowel letters
|
| FROM_ENDS_IN_NUMS | From: ends in many numbers
|
| FROM_EXCESS_BASE64 | From: base64 encoded unnecessarily
|
| FROM_EXCESS_QP | From: quoted-printable encoded unnecessarily
|
| FROM_HAS_MIXED_NUMS | From: contains numbers mixed in with letters
|
| FROM_HAS_ULINE_NUMS | From: contains an underline and numbers/letters
|
| FROM_ILLEGAL_CHARS | From: has too many raw illegal characters
|
| FROM_LOCAL_DIGITS | From: localpart has long digit sequence
|
| FROM_LOCAL_HEX | From: localpart has long hexadecimal sequence
|
| FROM_LOCAL_NOVOWEL | From: localpart has series of non-vowel letters
|
| FROM_NONSENDING_DOMAIN | Message is from domain that never sends email
|
| FROM_NO_LOWER | From address has no lower-case characters
|
| FROM_NO_USER | From: has no local-part before @ sign
|
| FROM_OFFERS | From address is "at something-offers"
|
| FROM_STARTS_WITH_NUMS | From: starts with many numbers
|
| FRONTPAGE | Frontpage used to create the message
|
| FULL_REFUND | Offers a full refund
|
| FUZZY_AFFORDABLE | Attempt to obfuscate words in spam
|
| FUZZY_AMBIEN | Attempt to obfuscate words in spam
|
| FUZZY_BILLION | Attempt to obfuscate words in spam
|
| FUZZY_CELEBREX | Attempt to obfuscate words in spam
|
| FUZZY_CPILL | Attempt to obfuscate words in spam
|
| FUZZY_CREDIT | Attempt to obfuscate words in spam
|
| FUZZY_ERECT | Attempt to obfuscate words in spam
|
| FUZZY_FOLLOW | Attempt to obfuscate words in spam
|
| FUZZY_GUARANTEE | Attempt to obfuscate words in spam
|
| FUZZY_MEDICATION | Attempt to obfuscate words in spam
|
| FUZZY_MILF | Attempt to obfuscate words in spam
|
| FUZZY_MILLION | Attempt to obfuscate words in spam
|
| FUZZY_MONEY | Attempt to obfuscate words in spam
|
| FUZZY_MORTGAGE | Attempt to obfuscate words in spam
|
| FUZZY_OBLIGATION | Attempt to obfuscate words in spam
|
| FUZZY_OFFERS | Attempt to obfuscate words in spam
|
| FUZZY_PHARMACY | Attempt to obfuscate words in spam
|
| FUZZY_PHENT | Attempt to obfuscate words in spam
|
| FUZZY_PLEASE | Attempt to obfuscate words in spam
|
| FUZZY_PRESCRIPT | Attempt to obfuscate words in spam
|
| FUZZY_PRICES | Attempt to obfuscate words in spam
|
| FUZZY_REFINANCE | Attempt to obfuscate words in spam
|
| FUZZY_REMOVE | Attempt to obfuscate words in spam
|
| FUZZY_ROLEX | Attempt to obfuscate words in spam
|
| FUZZY_SOFTWARE | Attempt to obfuscate words in spam
|
| FUZZY_THOUSANDS | Attempt to obfuscate words in spam
|
| FUZZY_TRAMADOL | Attempt to obfuscate words in spam
|
| FUZZY_VICODIN | Attempt to obfuscate words in spam
|
| FUZZY_VIOXX | Attempt to obfuscate words in spam
|
| FUZZY_VLIUM | Attempt to obfuscate words in spam
|
| FUZZY_VPILL | Attempt to obfuscate words in spam
|
| FUZZY_XPILL | Attempt to obfuscate words in spam
|
| GAPPY_SUBJECT | Subject: contains G.a.p.p.y-T.e.x.t
|
| GET_PAID | Get Paid
|
| GTUBE | Generic Test for Unsolicited Bulk Email
|
| GUARANTEED_100_PERCENT | One hundred percent guaranteed
|
| GUARANTEED_STUFF | Guaranteed Stuff
|
| HABEAS_ACCREDITED_COI | Habeas Accredited Confirmed Opt-In or Better
|
| HABEAS_ACCREDITED_SOI | Habeas Accredited Opt-In or Better
|
| HABEAS_CHECKED | Habeas Checked
|
| HAIR_LOSS | Cures Baldness
|
| HARDCORE_PORN | Possible porn - Hardcore Porn
|
| HASHCASH_20 | Contains valid Hashcash token (20 bits)
|
| HASHCASH_21 | Contains valid Hashcash token (21 bits)
|
| HASHCASH_22 | Contains valid Hashcash token (22 bits)
|
| HASHCASH_23 | Contains valid Hashcash token (23 bits)
|
| HASHCASH_24 | Contains valid Hashcash token (24 bits)
|
| HASHCASH_25 | Contains valid Hashcash token (25 bits)
|
| HASHCASH_2SPEND | Hashcash token already spent in another mail
|
| HASHCASH_HIGH | Contains valid Hashcash token (>25 bits)
|
| HDR_ORDER_MTSRIX | Headers are in order found in spam (MTSRIX)
|
| HDR_ORDER_TRIMRS | Headers are in order found in spam (TRIMRS)
|
| HEADER_COUNT_CTYPE | Multiple Content-Type headers found
|
| HEADER_SPAM | Bulk email fingerprint (header-based) found
|
| HEAD_ILLEGAL_CHARS | Headers have too many raw illegal characters
|
| HEAD_LONG | Message headers are very long
|
| HELO_DYNAMIC_ADELPHIA | Relay HELO'd using suspicious hostname (Adelphia)
|
| HELO_DYNAMIC_ATTBI | Relay HELO'd using suspicious hostname (ATTBI.com)
|
| HELO_DYNAMIC_CHELLO_NL | Relay HELO'd using suspicious hostname (Chello.nl)
|
| HELO_DYNAMIC_CHELLO_NO | Relay HELO'd using suspicious hostname (Chello.no)
|
| HELO_DYNAMIC_COMCAST | Relay HELO'd using suspicious hostname (Comcast)
|
| HELO_DYNAMIC_DHCP | Relay HELO'd using suspicious hostname (DHCP)
|
| HELO_DYNAMIC_DIALIN | Relay HELO'd using suspicious hostname (T-Dialin)
|
| HELO_DYNAMIC_HCC | Relay HELO'd using suspicious hostname (HCC)
|
| HELO_DYNAMIC_HEXIP | Relay HELO'd using suspicious hostname (Hex IP)
|
| HELO_DYNAMIC_HOME_NL | Relay HELO'd using suspicious hostname (Home.nl)
|
| HELO_DYNAMIC_IPADDR | Relay HELO'd using suspicious hostname (IP addr 1)
|
| HELO_DYNAMIC_IPADDR2 | Relay HELO'd using suspicious hostname (IP addr 2)
|
| HELO_DYNAMIC_NTL | Relay HELO'd using suspicious hostname (NTL)
|
| HELO_DYNAMIC_OOL | Relay HELO'd using suspicious hostname (OptOnline)
|
| HELO_DYNAMIC_ROGERS | Relay HELO'd using suspicious hostname (Rogers)
|
| HELO_DYNAMIC_RR2 | Relay HELO'd using suspicious hostname (RR 2)
|
| HELO_DYNAMIC_SPLIT_IP | Relay HELO'd using suspicious hostname (Split IP)
|
| HELO_DYNAMIC_TELIA | Relay HELO'd using suspicious hostname (Telia)
|
| HELO_DYNAMIC_VELOX | Relay HELO'd using suspicious hostname (Veloxzone)
|
| HELO_DYNAMIC_VTR | Relay HELO'd using suspicious hostname (VTR)
|
| HELO_DYNAMIC_YAHOOBB | Relay HELO'd using suspicious hostname (YahooBB)
|
| HG_HORMONE | Talks about hormones for human growth
|
| HIDDEN_CHARGES | Talks about Hidden Charges
|
| HIDE_WIN_STATUS | Javascript to hide URLs in browser
|
| HOT_NASTY | Possible porn - Hot, Nasty, Wild, Young
|
| HTML_00_10 | Message is 0% to 10% HTML
|
| HTML_10_20 | Message is 10% to 20% HTML
|
| HTML_20_30 | Message is 20% to 30% HTML
|
| HTML_30_40 | Message is 30% to 40% HTML
|
| HTML_40_50 | Message is 40% to 50% HTML
|
| HTML_50_60 | Message is 50% to 60% HTML
|
| HTML_60_70 | Message is 60% to 70% HTML
|
| HTML_70_80 | Message is 70% to 80% HTML
|
| HTML_80_90 | Message is 80% to 90% HTML
|
| HTML_90_100 | Message is 90% to 100% HTML
|
| HTML_ATTR_BAD | HTML has many bad attributes in tags
|
| HTML_ATTR_UNIQUE | HTML appears to have random attributes in tags
|
| HTML_BACKHAIR_2 | HTML tags used to obfuscate words
|
| HTML_BACKHAIR_4 | HTML tags used to obfuscate words
|
| HTML_BACKHAIR_8 | HTML tags used to obfuscate words
|
| HTML_BADTAG_00_10 | HTML message is 0% to 10% bad tags
|
| HTML_BADTAG_10_20 | HTML message is 10% to 20% bad tags
|
| HTML_BADTAG_20_30 | HTML message is 20% to 30% bad tags
|
| HTML_BADTAG_30_40 | HTML message is 30% to 40% bad tags
|
| HTML_BADTAG_40_50 | HTML message is 40% to 50% bad tags
|
| HTML_BADTAG_50_60 | HTML message is 50% to 60% bad tags
|
| HTML_BADTAG_60_70 | HTML message is 60% to 70% bad tags
|
| HTML_BADTAG_70_80 | HTML message is 70% to 80% bad tags
|
| HTML_BADTAG_80_90 | HTML message is 80% to 90% bad tags
|
| HTML_BADTAG_90_100 | HTML message is 90% to 100% bad tags
|
| HTML_CHARSET_FARAWAY | A foreign language charset used in HTML markup
|
| HTML_COMMENT_SAVED_URL | HTML message is a saved web page
|
| HTML_COMMENT_SHORT | HTML comment is very short
|
| HTML_EHTML2 | HTML has doubled end HTML tag
|
| HTML_EMBEDS | HTML with embedded plugin object
|
| HTML_EVENT_UNSAFE | HTML contains unsafe auto-executing code
|
| HTML_EXTRA_CLOSE | HTML contains far too many close tags
|
| HTML_FONT_BIG | HTML tag for a big font size
|
| HTML_FONT_FACE_BAD | HTML font face is not a word
|
| HTML_FONT_FACE_CAPS | HTML font face has excess capital characters
|
| HTML_FONT_INVISIBLE | HTML font color is same as background
|
| HTML_FONT_LOW_CONTRAST | HTML font color similar to background
|
| HTML_FONT_SIZE_HUGE | HTML font size is huge
|
| HTML_FONT_SIZE_LARGE | HTML font size is large
|
| HTML_FONT_SIZE_NONE | HTML font size is negative
|
| HTML_FONT_SIZE_TINY | HTML font size is tiny
|
| HTML_FONT_TINY | HTML tag for a tiny font size
|
| HTML_FORMACTION_MAILTO | HTML includes a form which sends mail
|
| HTML_IMAGE_ONLY_04 | HTML: images with 0-400 bytes of words
|
| HTML_IMAGE_ONLY_08 | HTML: images with 400-800 bytes of words
|
| HTML_IMAGE_ONLY_12 | HTML: images with 800-1200 bytes of words
|
| HTML_IMAGE_ONLY_16 | HTML: images with 1200-1600 bytes of words
|
| HTML_IMAGE_ONLY_20 | HTML: images with 1600-2000 bytes of words
|
| HTML_IMAGE_ONLY_24 | HTML: images with 2000-2400 bytes of words
|
| HTML_IMAGE_ONLY_28 | HTML: images with 2400-2800 bytes of words
|
| HTML_IMAGE_ONLY_32 | HTML: images with 2800-3200 bytes of words
|
| HTML_IMAGE_RATIO_02 | HTML has a low ratio of text to image area
|
| HTML_IMAGE_RATIO_04 | HTML has a low ratio of text to image area
|
| HTML_IMAGE_RATIO_06 | HTML has a low ratio of text to image area
|
| HTML_IMAGE_RATIO_08 | HTML has a low ratio of text to image area
|
| HTML_LINK_OPT_OUT | HTML link text says "opt out" or similar
|
| HTML_LINK_PUSH_HERE | HTML link text says "push here" or similar
|
| HTML_MESSAGE | HTML included in message
|
| HTML_MIME_NO_HTML_TAG | HTML-only message, but there is no HTML tag
|
| HTML_MISSING_CTYPE | Message is HTML without HTML Content-Type
|
| HTML_NONELEMENT_00_10 | 0% to 10% of HTML elements are non-standard
|
| HTML_NONELEMENT_10_20 | 10% to 20% of HTML elements are non-standard
|
| HTML_NONELEMENT_20_30 | 20% to 30% of HTML elements are non-standard
|
| HTML_NONELEMENT_30_40 | 30% to 40% of HTML elements are non-standard
|
| HTML_NONELEMENT_40_50 | 40% to 50% of HTML elements are non-standard
|
| HTML_NONELEMENT_50_60 | 50% to 60% of HTML elements are non-standard
|
| HTML_NONELEMENT_60_70 | 60% to 70% of HTML elements are non-standard
|
| HTML_NONELEMENT_70_80 | 70% to 80% of HTML elements are non-standard
|
| HTML_NONELEMENT_80_90 | 80% to 90% of HTML elements are non-standard
|
| HTML_NONELEMENT_90_100 | 90% to 100% of HTML elements are non-standard
|
| HTML_OBFUSCATE_05_10 | Message is 5% to 10% HTML obfuscation
|
| HTML_OBFUSCATE_10_20 | Message is 10% to 20% HTML obfuscation
|
| HTML_OBFUSCATE_20_30 | Message is 20% to 30% HTML obfuscation
|
| HTML_OBFUSCATE_30_40 | Message is 30% to 40% HTML obfuscation
|
| HTML_OBFUSCATE_40_50 | Message is 40% to 50% HTML obfuscation
|
| HTML_OBFUSCATE_50_60 | Message is 50% to 60% HTML obfuscation
|
| HTML_OBFUSCATE_60_70 | Message is 60% to 70% HTML obfuscation
|
| HTML_OBFUSCATE_70_80 | Message is 70% to 80% HTML obfuscation
|
| HTML_OBFUSCATE_80_90 | Message is 80% to 90% HTML obfuscation
|
| HTML_OBFUSCATE_90_100 | Message is 90% to 100% HTML obfuscation
|
| HTML_SHORT_CENTER | HTML is very short with CENTER tag
|
| HTML_SHORT_COMMENT | HTML is very short with HTML comments
|
| HTML_SHORT_LENGTH | HTML is extremely short
|
| HTML_SHORT_LINK_IMG_1 | HTML is very short with a linked image
|
| HTML_SHORT_LINK_IMG_2 | HTML is very short with a linked image
|
| HTML_SHORT_LINK_IMG_3 | HTML is very short with a linked image
|
| HTML_SHOUTING3 | HTML has very strong "shouting" markup
|
| HTML_SHOUTING4 | HTML has very strong "shouting" markup
|
| HTML_SHOUTING5 | HTML has very strong "shouting" markup
|
| HTML_SHOUTING6 | HTML has very strong "shouting" markup
|
| HTML_SHOUTING7 | HTML has very strong "shouting" markup
|
| HTML_TAG_BALANCE_BODY | HTML has unbalanced "body" tags
|
| HTML_TAG_BALANCE_HEAD | HTML has unbalanced "head" tags
|
| HTML_TAG_EXIST_BGSOUND | HTML has "bgsound" tag
|
| HTML_TAG_EXIST_MARQUEE | HTML has "marquee" tag
|
| HTML_TAG_EXIST_TBODY | HTML has "tbody" tag
|
| HTML_TEXT_AFTER_BODY | HTML contains text after BODY close tag
|
| HTML_TEXT_AFTER_HTML | HTML contains text after HTML close tag
|
| HTML_TINY_FONT | body contains 1 or 0-point font
|
| HTML_TITLE_EMPTY | HTML title contains no text
|
| HTML_TITLE_LONG | HTML title is very long
|
| HTML_TITLE_UNTITLED | HTML title contains "Untitled"
|
| HTTPS_IP_MISMATCH | IP to HTTPS link found in HTML
|
| HTTP_77 | Contains an URL-encoded hostname (HTTP77)
|
| HTTP_CTRL_CHARS_HOST | Uses control sequences inside a URL hostname
|
| HTTP_ESCAPED_HOST | Uses %-escapes inside a URL's hostname
|
| HTTP_EXCESSIVE_ESCAPES | Completely unnecessary %-escapes inside a URL
|
| IMPOTENCE | Impotence cure
|
| INFO_TLD | Contains an URL in the INFO top-level domain
|
| INTERRUPTUS | Message looks to contain HTML-interrupted text
|
| INVALID_DATE | Invalid Date: header (not RFC 2822)
|
| INVALID_DATE_TZ_ABSURD | Invalid Date: header (timezone does not exist)
|
| INVALID_MSGID | Message-Id is not valid, according to RFC 2822
|
| INVALID_TZ_CST | Invalid date in header (wrong CST timezone)
|
| INVALID_TZ_EST | Invalid date in header (wrong EST timezone)
|
| INVALID_TZ_GMT | Invalid date in header (wrong GMT/UTC timezone)
|
| INVESTMENT_ADVICE | Message mentions investment advice
|
| INVESTMENT_EXPERT | Message mentions investment expert
|
| IP_LINK_PLUS | Dotted-decimal IP address followed by CGI
|
| JAPANESE_UCE_SUBJECT | Subject contains a Japanese UCE tag
|
| JOIN_MILLIONS | Join Millions of Americans
|
| JS_FROMCHARCODE | Document is built from a Javascript charcode array
|
| KOREAN_UCE_SUBJECT | Subject: contains Korean unsolicited email tag
|
| LIVE_PORN | Possible porn - Live Porn
|
| LOCALPART_IN_SUBJECT | Local part of To: address appears in Subject
|
| LONGWORDS | Long string of long words
|
| LOTS_OF_STUFF | Thousands or millions of pictures, movies, etc.
|
| LOW_PRICE | Lowest Price
|
| MAILTO_SUBJ_REMOVE | mailto URI includes removal text
|
| MAILTO_TO_REMOVE | Includes a 'remove' email address
|
| MAILTO_TO_SPAM_ADDR | Includes a link to a likely spammer email
|
| MALE_ENHANCE | Message talks about enhancing men
|
| MANY_EXCLAMATIONS | Subject has many exclamations
|
| MARKETING_PARTNERS | Claims you registered with a partner
|
| MEET_SINGLES | Meet Singles
|
| MICROSOFT_EXECUTABLE | Message includes Microsoft executable program
|
| MICRO_CAP_WARNING | SEC-mandated penny-stock warning
|
| MILLION_USD | Talks about millions of dollars
|
| MIME_BAD_ISO_CHARSET | MIME character set is an unknown ISO charset
|
| MIME_BASE64_BLANKS | Extra blank lines in base64 encoding
|
| MIME_BASE64_NO_NAME | base64 attachment does not have a file name
|
| MIME_BASE64_TEXT | Message text disguised using base64 encoding
|
| MIME_BOUND_DD_DIGITS | Spam tool pattern in MIME boundary
|
| MIME_BOUND_DIGITS_15 | Spam tool pattern in MIME boundary
|
| MIME_BOUND_DIGITS_7 | Spam tool pattern in MIME boundary
|
| MIME_BOUND_MANY_HEX | Spam tool pattern in MIME boundary
|
| MIME_BOUND_NEXTPART | Spam tool pattern in MIME boundary
|
| MIME_BOUND_RKFINDY | Spam tool pattern in MIME boundary (rfkindy)
|
| MIME_CHARSET_FARAWAY | MIME character set indicates foreign language
|
| MIME_HEADER_CTYPE_ONLY | 'Content-Type' found without required MIME headers
|
| MIME_HTML_MOSTLY | Multipart message mostly text/html MIME
|
| MIME_HTML_ONLY | Message only has text/html MIME parts
|
| MIME_HTML_ONLY_MULTI | Multipart message only has text/html MIME parts
|
| MIME_MISSING_BOUNDARY | MIME section missing boundary
|
| MIME_QP_LONG_LINE | Quoted-printable line longer than 76 chars
|
| MIME_SUSPECT_NAME | MIME filename does not match content
|
| MISSING_DATE | Missing Date: header
|
| MISSING_HB_SEP | Missing blank line between message header and body
|
| MISSING_HEADERS | Missing To: header
|
| MISSING_MIMEOLE | Message has X-MSMail-Priority, but no X-MimeOLE
|
| MISSING_MIME_HB_SEP | Missing blank line between MIME header and body
|
| MISSING_SUBJECT | Missing Subject: header
|
| ML_MARKETING | Multi Level Marketing mentioned
|
| MONEY_BACK | Money back guarantee
|
| MORE_SEX | Talks about a bigger drive for sex
|
| MORTGAGE_BEST | Information on mortgages
|
| MORTGAGE_PITCH | Looks like mortgage pitch
|
| MORTGAGE_RATES | Information on mortgage rates
|
| MPART_ALT_DIFF | HTML and text parts are different
|
| MPART_ALT_DIFF_COUNT | HTML and text parts are different
|
| MSGID_DOLLARS | Message-Id has pattern used in spam
|
| MSGID_FROM_MTA_HEADER | Message-Id was added by a relay
|
| MSGID_FROM_MTA_HOTMAIL | Message-Id was added by a hotmail.com relay
|
| MSGID_FROM_MTA_ID | Message-Id for external message added locally
|
| MSGID_LONG | Message-ID is unusually long
|
| MSGID_MULTIPLE_AT | Message-ID contains multiple '@' characters
|
| MSGID_NO_HOST | Message-Id has no hostname
|
| MSGID_OUTLOOK_INVALID | Message-Id is fake (in Outlook Express format)
|
| MSGID_RANDY | Message-Id has pattern used in spam
|
| MSGID_RATWARE1 | Bulk email fingerprint found
|
| MSGID_SHORT | Message-ID is unusually short
|
| MSGID_SPAM_99X9XX99 | Spam tool Message-Id: (99x9xx99 variant)
|
| MSGID_SPAM_ALPHA_NUM | Spam tool Message-Id: (alpha-numeric variant)
|
| MSGID_SPAM_CAPS | Spam tool Message-Id: (caps variant)
|
| MSGID_SPAM_LETTERS | Spam tool Message-Id: (letters variant)
|
| MSGID_SPAM_ZEROES | Spam tool Message-Id: (12-zeroes variant)
|
| MSGID_YAHOO_CAPS | Message-ID has ALLCAPS@yahoo.com
|
| MULTI_FORGED | Received headers indicate multiple forgeries
|
| NASTY_GIRLS | Possible porn - Nasty Girls
|
| NA_DOLLARS | Talks about a million North American dollars
|
| NONEXISTENT_CHARSET | Character set doesn't exist
|
| NORMAL_HTTP_TO_IP | Uses a dotted-decimal IP address in URL
|
| NOT_ADVISOR | Not registered investment advisor
|
| NO_COST | No such thing as a free lunch (3)
|
| NO_DNS_FOR_FROM | Envelope sender has no MX or A DNS records
|
| NO_FORMS | No Claim Forms
|
| NO_MEDICAL | No Medical Exams
|
| NO_OBLIGATION | There is no obligation
|
| NO_PRESCRIPTION | No prescription needed
|
| NO_RDNS_DOTCOM_HELO | Host HELO'd as a big ISP, but had no rDNS
|
| NO_REAL_NAME | From: does not include a real name
|
| NO_RECEIVED | Informational: message has no Received headers
|
| NO_RELAYS | Informational: message was not relayed via SMTP
|
| NUMERIC_HTTP_ADDR | Uses a numeric IP address in URL
|
| OBFUSCATING_COMMENT | HTML comments which obfuscate text
|
| OBSCURED_EMAIL | Message seems to contain rot13ed address
|
| OFFSHORE_SCAM | Off Shore Scams
|
| ONE_TIME | One Time Rip Off
|
| ONLINE_PHARMACY | Online Pharmacy
|
| OPTING_OUT_CAPS | Talks about opting out (capitalized version)
|
| ORG_MIME_TOOLS | Organization is MIME-tools
|
| PERCENT_RANDOM | Message has a random macro in it
|
| PLING_PLING | Subject has lots of exclamation marks
|
| PLING_QUERY | Subject has exclamation mark and question mark
|
| PORN_15 | Possible porn - various types of feline
|
| PORN_16 | Possible porn - nasty, dirty, little etc.
|
| PORN_URL_MISC | URL uses words/phrases which indicate porn (misc)
|
| PORN_URL_SEX | URL uses words/phrases which indicate porn (sex)
|
| PORN_URL_SLUT | URL uses words/phrases which indicate porn (slut)
|
| PREST_NON_ACCREDITED | 'Prestigious Non-Accredited Universities'
|
| PREVENT_NONDELIVERY | Message has Prevent-NonDelivery-Report header
|
| PRICES_ARE_AFFORDABLE | Message says that prices aren't too expensive
|
| PRIORITY_NO_NAME | Message has priority, but no user agent name
|
| PYZOR_CHECK | Listed in Pyzor (http://pyzor.sf.net/)
|
| QUALIFY_FOR_THIS | Qualify for this special...
|
| RATWARE_BOUND_PIECE | Bulk email fingerprint (piece boundary) found
|
| RATWARE_EFROM | Bulk email fingerprint (envfrom) found
|
| RATWARE_EGROUPS | Bulk email fingerprint (eGroups) found
|
| RATWARE_GECKO_BUILD | Bulk email fingerprint (Gecko faked) found
|
| RATWARE_HASH_2 | Bulk email fingerprint (hash 2) found
|
| RATWARE_HASH_2_V2 | Bulk email fingerprint (hash 2 v2) found
|
| RATWARE_HASH_DASH | Contains a hashbuster in Send-Safe format
|
| RATWARE_JPFREE | Bulk email fingerprint (jpfree) found
|
| RATWARE_MOZ_MALFORMED | Bulk email fingerprint (Mozilla malformed) found
|
| RATWARE_MPOP_WEBMAIL | Bulk email fingerprint (mPOP Web-Mail)
|
| RATWARE_MS_HASH | Bulk email fingerprint (msgid ms hash) found
|
| RATWARE_NAME_ID | Bulk email fingerprint (msgid from) found
|
| RATWARE_NETIP | Bulk email fingerprint (netIP) found
|
| RATWARE_OE_MALFORMED | X-Mailer has malformed Outlook Express version
|
| RATWARE_OUTLOOK_NONAME | Bulk email fingerprint (Outlook no name) found
|
| RATWARE_RCVD_AT | Bulk email fingerprint (Received @) found
|
| RATWARE_RCVD_LC_ESMTP | Bulk email fingerprint ('esmtp' Received) found
|
| RATWARE_RCVD_PF | Bulk email fingerprint (Received PF) found
|
| RATWARE_STORM_URI | Bulk email fingerprint (StormPost) found
|
| RATWARE_ZERO_TZ | Bulk email fingerprint (+0000) found
|
| RAZOR2_CF_RANGE_51_100 | Razor2 gives confidence level above 50%
|
| RAZOR2_CF_RANGE_E4_51_100 | Razor2 gives engine 4 confidence level above 50%
|
| RAZOR2_CF_RANGE_E8_51_100 | Razor2 gives engine 8 confidence level above 50%
|
| RAZOR2_CHECK | Listed in Razor2 (http://razor.sf.net/)
|
| RCVD_AM_PM | Received headers forged (AM/PM)
|
| RCVD_BONUS_SPC_DATE | Bulk email fingerprint (bonus space) found
|
| RCVD_BY_IP | Received by mail server with no name
|
| RCVD_DOUBLE_IP_LOOSE | Received: by and from look like IP addresses
|
| RCVD_DOUBLE_IP_SPAM | Bulk email fingerprint (double IP) found
|
| RCVD_FAKE_HELO_DOTCOM | Received contains a faked HELO hostname
|
| RCVD_HELO_IP_MISMATCH | Received: HELO and IP do not match, but should
|
| RCVD_ILLEGAL_IP | Received: contains illegal IP address
|
| RCVD_IN_BL_SPAMCOP_NET | Received via a relay in bl.spamcop.net
|
| RCVD_IN_BSP_OTHER | Sender is in Bonded Sender Program (other relay)
|
| RCVD_IN_BSP_TRUSTED | Sender is in Bonded Sender Program (trusted relay)
|
| RCVD_IN_DSBL | Received via a relay in list.dsbl.org
|
| RCVD_IN_IADB_VOUCHED | ISIPP IADB lists as vouched-for sender
|
| RCVD_IN_MAPS_DUL | Relay in DUL, http://www.mail-abuse.org/dul/
|
| RCVD_IN_MAPS_NML | Relay in NML, http://www.mail-abuse.org/nml/
|
| RCVD_IN_MAPS_RBL | Relay in RBL, http://www.mail-abuse.org/rbl/
|
| RCVD_IN_MAPS_RSS | Relay in RSS, http://www.mail-abuse.org/rss/
|
| RCVD_IN_NJABL_CGI | NJABL: sender is an open formmail
|
| RCVD_IN_NJABL_DUL | NJABL: dialup sender did non-local SMTP
|
| RCVD_IN_NJABL_MULTI | NJABL: sent through multi-stage open relay
|
| RCVD_IN_NJABL_PROXY | NJABL: sender is an open proxy
|
| RCVD_IN_NJABL_RELAY | NJABL: sender is confirmed open relay
|
| RCVD_IN_NJABL_SPAM | NJABL: sender is confirmed spam source
|
| RCVD_IN_SBL | Received via a relay in Spamhaus SBL
|
| RCVD_IN_SORBS_BLOCK | SORBS: sender demands to never be tested
|
| RCVD_IN_SORBS_DUL | SORBS: sent directly from dynamic IP address
|
| RCVD_IN_SORBS_HTTP | SORBS: sender is open HTTP proxy server
|
| RCVD_IN_SORBS_MISC | SORBS: sender is open proxy server
|
| RCVD_IN_SORBS_SMTP | SORBS: sender is open SMTP relay
|
| RCVD_IN_SORBS_SOCKS | SORBS: sender is open SOCKS proxy server
|
| RCVD_IN_SORBS_WEB | SORBS: sender is a abuseable web server
|
| RCVD_IN_SORBS_ZOMBIE | SORBS: sender is on a hijacked network
|
| RCVD_IN_WHOIS_BOGONS | CompleteWhois: sender on bogons IP block
|
| RCVD_IN_WHOIS_HIJACKED | CompleteWhois: sender on hijacked IP block
|
| RCVD_IN_WHOIS_INVALID | CompleteWhois: sender on invalid IP block
|
| RCVD_IN_XBL | Received via a relay in Spamhaus XBL
|
| RCVD_NUMERIC_HELO | Received: contains an IP address used for HELO
|
| RECEIVE_OFFER | Receive a special offer
|
| REFINANCE_NOW | Home refinancing
|
| REFINANCE_YOUR_HOME | Home refinancing
|
| REMOVE_BEFORE_LINK | Removal phrase right before a link
|
| REMOVE_PAGE | URL of page called "remove"
|
| REMOVE_POSTAL | Send real mail to be unsubscribed
|
| REPLICA_WATCH | Message talks about a replica watch
|
| REPLY_TO_EMPTY | Reply-To: is empty
|
| REPTO_OVERQUOTE_THEBAT | The Bat! doesn't do quoting like this
|
| REPTO_QUOTE_AOL | AOL doesn't do quoting like this
|
| REPTO_QUOTE_IMS | IMS doesn't do quoting like this
|
| REPTO_QUOTE_MSN | MSN doesn't do quoting like this
|
| REPTO_QUOTE_QUALCOMM | Qualcomm/Eudora doesn't do quoting like this
|
| REPTO_QUOTE_YAHOO | Yahoo! doesn't do quoting like this
|
| RESISTANCE_IS_FUTILE | Resistance to this spam is futile
|
| REVERSE_AGING | Reverses Aging
|
| RISK_FREE | Risk free. Suuurreeee....
|
| ROUND_THE_WORLD | Received: says mail sent around the world (DNS)
|
| ROUND_THE_WORLD_LOCAL | Received: says mail sent around the world (HELO)
|
| RUDE_HTML | Spammer message says you need an HTML mailer
|
| SATIS_GUAR | Mail guarantees satisfaction
|
| SAVE_THOUSANDS | Save big money
|
| SEE_FOR_YOURSELF | See for yourself
|
| SENT_IN_COMPLIANCE | Claims compliance with spam regulations
|
| SOMETHING_FOR_ADULTS | Possible porn - Adult Web Sites
|
| SOME_BREAKTHROUGH | Describes some sort of breakthrough
|
| SORTED_RECIPS | Recipient list is sorted by address
|
| SPF_FAIL | SPF: sender does not match SPF record (fail)
|
| SPF_HELO_FAIL | SPF: HELO does not match SPF record (fail)
|
| SPF_HELO_NEUTRAL | SPF: HELO does not match SPF record (neutral)
|
| SPF_HELO_PASS | SPF: HELO matches SPF record
|
| SPF_HELO_SOFTFAIL | SPF: HELO does not match SPF record (softfail)
|
| SPF_NEUTRAL | SPF: sender does not match SPF record (neutral)
|
| SPF_PASS | SPF: sender matches SPF record
|
| SPF_SOFTFAIL | SPF: sender does not match SPF record (softfail)
|
| SPOOF_COM2COM | URI contains ".com" in middle and end
|
| SPOOF_COM2OTH | URI contains ".com" in middle
|
| SPOOF_NET2COM | URI contains ".net" or ".org", then ".com"
|
| SPOOF_OURI | URI has items in odd places
|
| STOCK_ALERT | Offers a alert about a stock
|
| STRONG_BUY | Tells you about a strong buy
|
| SUBJECT_DIET | Subject talks about losing pounds
|
| SUBJECT_DRUG_GAP_C | Subject contains a gappy version of 'cialis'
|
| SUBJECT_DRUG_GAP_L | Subject contains a gappy version of 'levitra'
|
| SUBJECT_DRUG_GAP_P | Subject contains a gappy version of 'phentermine'
|
| SUBJECT_DRUG_GAP_S | Subject contains a gappy version of 'soma'
|
| SUBJECT_DRUG_GAP_VA | Subject contains a gappy version of 'valium'
|
| SUBJECT_DRUG_GAP_VIC | Subject contains a gappy version of 'vicodin'
|
| SUBJECT_DRUG_GAP_X | Subject contains a gappy version of 'xanax'
|
| SUBJECT_ENCODED_TWICE | Subject: MIME encoded twice
|
| SUBJECT_EXCESS_BASE64 | Subject: base64 encoded encoded unnecessarily
|
| SUBJECT_EXCESS_QP | Subject: quoted-printable encoded unnecessarily
|
| SUBJECT_FUZZY_CHEAP | Attempt to obfuscate words in Subject:
|
| SUBJECT_FUZZY_MEDS | Attempt to obfuscate words in Subject:
|
| SUBJECT_FUZZY_PENIS | Attempt to obfuscate words in Subject:
|
| SUBJECT_FUZZY_TION | Attempt to obfuscate words in Subject:
|
| SUBJECT_IN_BLACKLIST | Subject: contains string in the user's black-list
|
| SUBJECT_IN_WHITELIST | Subject: contains string in the user's white-list
|
| SUBJECT_NOVOWEL | Subject: has long non-vowel letter sequence
|
| SUBJECT_SEXUAL | Subject indicates sexually-explicit content
|
| SUBJ_2_NUM_PARENS | Subject contains common spam sign (2 numbers)
|
| SUBJ_ALL_CAPS | Subject is all capitals
|
| SUBJ_AS_SEEN | Subject contains "As Seen"
|
| SUBJ_BUY | Subject line starts with Buy or Buying
|
| SUBJ_CONSONANTS | Subject contains consecutive consonants in "word"
|
| SUBJ_DOLLARS | Subject starts with dollar amount
|
| SUBJ_FOR_ONLY | Subject contains "For Only"
|
| SUBJ_FREE_CAP | Subject contains "FREE" in CAPS
|
| SUBJ_GUARANTEED | Subject GUARANTEED
|
| SUBJ_HAS_SPACES | Subject contains lots of white space
|
| SUBJ_HAS_UNIQ_ID | Subject contains a unique ID
|
| SUBJ_ILLEGAL_CHARS | Subject: has too many raw illegal characters
|
| SUBJ_LIFE_INSURANCE | Subject includes "life insurance"
|
| SUBJ_YOUR_DEBT | Subject contains "Your Bills" or similar
|
| SUBJ_YOUR_FAMILY | Subject contains "Your Family"
|
| SUBJ_YOUR_OWN | Subject contains "Your Own"
|
| SUB_FREE_OFFER | Subject starts with "Free"
|
| SUB_HELLO | Subject starts with "Hello"
|
| SUSPICIOUS_RECIPS | Similar addresses in recipient list
|
| TERRA_ES | Contains URI to a document hosted at 'terra.es'
|
| TO_ADDRESS_EQ_REAL | To: repeats address as real name
|
| TO_CC_NONE | No To: or Cc: header
|
| TO_EMPTY | To: is empty
|
| TO_MALFORMED | To: has a malformed address
|
| TO_NO_USER | To: has no local-part before @ sign
|
| TO_RECIP_MARKER | To header contains 'recipient' marker
|
| TO_TXT | Sent to a text file
|
| TRACKER_ID | Incorporates a tracking ID number
|
| UNCLAIMED_MONEY | People just leave money laying around
|
| UNCLOSED_BRACKET | Headers contain an unclosed bracket
|
| UNDISC_RECIPS | Valid-looking To "undisclosed-recipients"
|
| UNIQUE_WORDS | Message body has many words used only once
|
| UNPARSEABLE_RELAY | Informational: message has unparseable relay lines
|
| UNRESOLVED_TEMPLATE | Headers contain an unresolved template
|
| UNWANTED_LANGUAGE_BODY | Message written in an undesired language
|
| UPPERCASE_25_50 | message body is 25-50% uppercase
|
| UPPERCASE_50_75 | message body is 50-75% uppercase
|
| UPPERCASE_75_100 | message body is 75-100% uppercase
|
| URG_BIZ | Contains urgent matter
|
| URIBL_AB_SURBL | Contains an URL listed in the AB SURBL blocklist
|
| URIBL_JP_SURBL | Contains an URL listed in the JP SURBL blocklist
|
| URIBL_OB_SURBL | Contains an URL listed in the OB SURBL blocklist
|
| URIBL_PH_SURBL | Contains an URL listed in the PH SURBL blocklist
|
| URIBL_SBL | Contains an URL listed in the SBL blocklist
|
| URIBL_SC_SURBL | Contains an URL listed in the SC SURBL blocklist
|
| URIBL_WS_SURBL | Contains an URL listed in the WS SURBL blocklist
|
| URI_4YOU | Message has URI 4you
|
| URI_AFFILIATE | Contains a URI with an affiliate ID code
|
| URI_DIGITS | URI hostname has long digit sequence
|
| URI_HEX | URI hostname has long hexadecimal sequence
|
| URI_IS_POUND | Filename is just a '\#'; probably a JS trick
|
| URI_NOVOWEL | URI hostname has long non-vowel sequence
|
| URI_NO_WWW_ANY_CGI | CGI with long hostname other fourth-level "www"
|
| URI_NO_WWW_BIZ_CGI | CGI in .biz TLD other than third-level "www"
|
| URI_NO_WWW_INFO_CGI | CGI in .info TLD other than third-level "www"
|
| URI_OFFERS | Message has link to company offers
|
| URI_REDIRECTOR | Message has HTTP redirector URI
|
| URI_SCHEME_MIXED_CASE | URI scheme has mixed uppercase and lowercase
|
| URI_UNSUBSCRIBE | URI contains suspicious unsubscribe link
|
| URI_UPPER_LOWER | URI contains capitalized hostname parts ("Abcde")
|
| USERPASS | URL contains username and (optional) password
|
| USER_IN_ALL_SPAM_TO | User is listed in 'all_spam_to'
|
| USER_IN_BLACKLIST | From: address is in the user's black-list
|
| USER_IN_BLACKLIST_TO | User is listed in 'blacklist_to'
|
| USER_IN_DEF_DKIM_WL | From: address is in the default DKIM white-list
|
| USER_IN_DEF_DK_WL | From: address is in the default DK white-list
|
| USER_IN_DEF_SPF_WL | From: address is in the default SPF white-list
|
| USER_IN_DEF_WHITELIST | From: address is in the default white-list
|
| USER_IN_DKIM_WHITELIST | From: address is in the user's DKIM whitelist
|
| USER_IN_DK_WHITELIST | From: address is in the user's DK whitelist
|
| USER_IN_MORE_SPAM_TO | User is listed in 'more_spam_to'
|
| USER_IN_SPF_WHITELIST | From: address is in the user's SPF whitelist
|
| USER_IN_WHITELIST | From: address is in the user's white-list
|
| USER_IN_WHITELIST_TO | User is listed in 'whitelist_to'
|
| US_DOLLARS_3 | Mentions millions of $ ($NN,NNN,NNN.NN)
|
| VIA_GAP_GRA | Attempts to disguise the word 'viagra'
|
| WEIRD_PORT | Uses non-standard port number for HTTP
|
| WEIRD_QUOTING | Weird repeated double-quotation marks
|
| WE_HONOR_ALL | Claims to honor removal requests
|
| WHILE_YOU_SLEEP | While you Sleep
|
| WHY_PAY_MORE | Why Pay More?
|
| WHY_WAIT | What are you waiting for
|
| WITH_LC_SMTP | Received line contains spam-sign (lowercase smtp)
|
| WRINKLES | Removes Wrinkles
|
| X_AUTH_WARN_FAKED | X-Authentication-Warning header looks faked
|
| X_IP | Message has X-IP header
|
| X_LIBRARY | Message has X-Library header
|
| X_MAILER_SPAM | X-Mailer: header is bulk email fingerprint
|
| X_MESSAGE_FLAG_ODD | Message has X-Message-flag header (odd case)
|
| X_MESSAGE_INFO | Bulk email fingerprint (X-Message-Info) found
|
| X_MIME_AUTOCONVERTED | Message has X-MIME-Autoconverted "Yes" header
|
| X_MSMAIL_PRIORITY_HIGH | Sent with 'X-Msmail-Priority' set to high
|
| X_ORIG_IP_NOT_IPV4 | X-Originating-IP doesn't look like IPv4 address
|
| X_PRIORITY_CC | Cc: after X-Priority: (bulk email fingerprint)
|
| X_PRIORITY_HIGH | Sent with 'X-Priority' set to high
|
| YAHOO_DRS_REDIR | Has Yahoo Redirect URI
|
| YAHOO_RD_REDIR | Has Yahoo Redirect URI
|
| YOU_CAN_SEARCH | You can search for anyone
|
| __MIME_BASE64 | Includes a base64 attachment
|
| __MIME_QP | Includes a quoted-printable attachment
|
| __RCVD_IN_NJABL | Received via a relay in combined.njabl.org
|
| __RCVD_IN_SBL_XBL | Received via a relay in Spamhaus SBL+XBL
|
| __RCVD_IN_SORBS | SORBS: sender is listed in SORBS
|
