FutureQuest Professional Web Hosting Flash Intro FutureQuest Community Message Forums
Activate Today! Home Web Hosting
Services
 Web Hosting
Support
 Web Hosting
Data Center
 Web Hosting
Community
 Web Hosting
About
 Web Hosting
Contact
 Web Hosting
Account Management

SpamAssassin Test & Scoring Chart

FutureQuest SpamAssassin Test & Scoring Chart

This is the current list of tests SpamAssassin performs on email with SpamAssassin Filtering enabled to determine if they're spam or not. (Version 3.2.4 Updated 2008-03-19)

You may also test specific X-Spam-Status headers via the SpamAssassin Status Decoder.
Test Name Area Tested Locale Description Of Test Score
ACT_NOW_CAPSbody--Talks about 'acting now' with capitals0.001
ADVANCE_FEE_2meta--Appears to be advance fee fraud (Nigerian 419)2.049
ADVANCE_FEE_3meta--Appears to be advance fee fraud (Nigerian 419)1.435
ADVANCE_FEE_4meta--Appears to be advance fee fraud (Nigerian 419)1.502
ANY_BOUNCE_MESSAGEmeta--Message is some kind of bounce message0.100
APOSTROPHE_FROMheader--From address contains an apostrophe0.001
AWLheader--From: address is in the auto white-list1.000
AXB_XMID_1212header--Barbera Fingerprint3.899
AXB_XMID_1510header--Brunello Fingerprint4.295
AXB_XMID_OEGOESNULLheader--Amarone Fingerprint4.216
AXB_XR_STULDAPheader--Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/3.196
AXB_XTIDX_CHAINheader--Montepulciano Fingerprint1.000
BAD_CREDITbody--Eliminate Bad Credit0.325
BAD_ENC_HEADERheader--Message has bad MIME encoding in the header2.870
BANG_GUARbody--Something is emphatically guaranteed1.237
BANKING_LAWSbody--Talks about banking laws3.096
BASE64_LENGTH_78_79body--eval:check_base64_length('78','79')3.699
BASE64_LENGTH_79_INFbody--eval:check_base64_length('79')2.763
BILLION_DOLLARSbody--Talks about lots of money0.001
BODY_8BITSbody--Body includes 8 consecutive 8-bit characters1.500
BODY_ENHANCEMENTbody--Information on growing body parts1.608
BODY_ENHANCEMENT2body--Information on getting larger body parts0.714
BOUNCE_MESSAGEmeta--MTA bounce message0.100
CHARSET_FARAWAYbody--Character set indicates a foreign language3.200
CHARSET_FARAWAY_HEADERheader--A foreign language charset used in headers3.200
CORRUPT_FROM_LINE_IN_HDRSmeta--Informational: message is corrupt, with a From line in its headers0.001
CRBOUNCE_MESSAGEmeta--Challenge-response bounce message0.100
CTYPE_001C_Ameta--(0)2.319
CUM_SHOTbody--Possible porn - Cum Shot2.796
CURR_PRICEbody--/\bCurrent Price:/2.659
DATE_IN_FUTURE_03_06header--Date: is 3 to 6 hours after Received: date0.416
DATE_IN_FUTURE_06_12header--Date: is 6 to 12 hours after Received: date3.099
DATE_IN_FUTURE_12_24header--Date: is 12 to 24 hours after Received: date3.299
DATE_IN_FUTURE_24_48header--Date: is 24 to 48 hours after Received: date2.800
DATE_IN_FUTURE_48_96header--Date: is 48 to 96 hours after Received: date3.182
DATE_IN_FUTURE_96_XXheader--Date: is 96 hours or more after Received: date3.899
DATE_IN_PAST_03_06header--Date: is 3 to 6 hours before Received: date1.394
DATE_IN_PAST_06_12header--Date: is 6 to 12 hours before Received: date1.854
DATE_IN_PAST_12_24header--Date: is 12 to 24 hours before Received: date1.770
DATE_IN_PAST_24_48header--Date: is 24 to 48 hours before Received: date1.627
DATE_IN_PAST_96_XXheader--Date: is 96 hours or more before Received: date2.320
DATE_SPAMWARE_Y2Kheader--Date header uses unusual Y2K formatting1.031
DCC_CHECKfull--Listed in DCC (http://rhyolite.com/anti-spam/dcc/)1.370
DC_GIF_UNO_LARGOmeta--Message contains a single large inline gif3.787
DC_IMAGE_SPAM_HTMLmeta--Possible Image-only spam0.001
DC_IMAGE_SPAM_TEXTmeta--Possible Image-only spam with little text0.001
DC_PNG_UNO_LARGOmeta--Message contains a single large inline gif2.092
DEAR_FRIENDbody--Dear Friend? That's not very dear!2.696
DEAR_SOMETHINGbody--Contains 'Dear (something)'2.234
DEAR_WINNERbody--/\bdear.{1,20}winner/i3.196
DIET_1body--Lose Weight Spam0.336
DIGEST_MULTIPLEmeta--Message hits more than one network digest check0.001
DKIM_POLICY_SIGNALLheader--Domain Keys Identified Mail: policy says domain signs all mails0.001
DKIM_POLICY_TESTINGheader--Domain Keys Identified Mail: policy says domain is testing DK0.001
DKIM_SIGNEDheader--Domain Keys Identified Mail: message has a signature0.001
DK_POLICY_SIGNALLheader--Domain Keys: policy says domain signs all mails0.001
DK_POLICY_TESTINGheader--Domain Keys: policy says domain is testing DK0.001
DK_SIGNEDheader--Domain Keys: message has a signature0.001
DNS_FROM_AHBL_RHSBLheader--Envelope sender listed in dnsbl.ahbl.org2.025
DNS_FROM_DOBheader--Sender from new domain (Day Old Bread)0.341
DNS_FROM_OPENWHOISheader--Envelope sender listed in bl.open-whois.org.2.431
DNS_FROM_RFC_BOGUSMXheader--Envelope sender in bogusmx.rfc-ignorant.org2.125
DNS_FROM_RFC_DSNheader--Envelope sender in dsn.rfc-ignorant.org2.527
DOS_PROVISION4body--Provision for income taxes1.000
DOS_REPORT_FIN_INCbody--Report of financial income1.000
DOS_STOCK_BATmeta--Probable pump and dump stock spam3.383
DOS_STOCK_CDYV_GENERICbody--Pump and dump stock spam1.000
DOS_STOCK_INCOME_STATEMENTmeta--Pump and dump stock income statement spam1.000
DOS_YOUR_PLACEmeta--Russian dating spam2.596
DRUGS_ANXIETYmeta--Refers to an anxiety control drug1.331
DRUGS_ANXIETY_ERECmeta--Refers to both an erectile and an anxiety drug0.001
DRUGS_ANXIETY_OBFUmeta--Obfuscated reference to an anxiety control drug0.001
DRUGS_DIETmeta--Refers to a diet drug0.001
DRUGS_ERECTILEmeta--Refers to an erectile drug0.646
DRUGS_ERECTILE_OBFUmeta--Obfuscated reference to an erectile drug2.113
DRUGS_HDIAheader--Subject =~ /\bhoodia\b/i2.501
DRUGS_MANYKINDSmeta--Refers to at least four kinds of drugs0.001
DRUGS_MUSCLEmeta--Refers to a muscle relaxant0.001
DRUGS_SLEEP_ERECmeta--Refers to both an erectile and a sleep aid drug1.952
DRUGS_STOCK_MIMEOLEmeta--Stock-spam forged headers found (5510)2.852
DRUG_DOSAGEbody--Talks about price per dose0.128
DRUG_ED_CAPSbody--Mentions an E.D. drug1.540
DRUG_ED_GENERICbody--Mentions Generic Viagra3.314
DRUG_ED_SILDbody--Talks about an E.D. drug using its chemical name0.001
DYN_RDNS_AND_INLINE_IMAGEmeta--Contains image, and was sent by dynamic rDNS0.001
DYN_RDNS_SHORT_HELO_HTMLmeta--Sent by dynamic rDNS, short HELO, and HTML0.287
DYN_RDNS_SHORT_HELO_IMAGEmeta--Short HELO string, dynamic rDNS, inline image0.001
EMAIL_ROT13body--Body contains a ROT13-encoded email address1.680
EMPTY_MESSAGEmeta--Message appears to have no textual parts and no Subject: text0.607
EXCUSE_24body--Claims you wanted this ad2.599
EXCUSE_4body--Claims you can be removed from the list1.934
EXCUSE_REMOVEbody--Talks about how to be removed from mailings1.477
EXTRA_MPART_TYPEheader--Header has extraneous Content-type:...type= entry1.000
FAKE_HELO_EXCITEheader--Host HELO did not match rDNS: excite.com2.552
FAKE_HELO_LYCOSheader--Host HELO did not match rDNS: lycos.com2.432
FAKE_HELO_MAIL_COMheader--Host HELO did not match rDNS: mail.com0.220
FAKE_HELO_MAIL_COM_DOMheader--Relay HELO'd with suspicious hostname (mail.com)3.196
FAKE_OUTBLAZE_RCVDheader--Received header contains faked 'mr.outblaze.com'3.496
FAKE_REPLY_Cmeta--(__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)2.197
FB_ADD_INCHESbody--Add / Gain inches2.999
FB_ALMOST_SEXbody--It's almost sex, but not!3.096
FB_ANA_TRIMbody--Broken AnaTrim phrase.3.995
FB_ANUIbody--Phrase: A_U_N_I1.618
FB_C0MPANYbody--Phrase: C0mpany2.106
FB_CAN_LONGERbody--Phrase: can last longer1.309
FB_CIALIS_LEO3body--Uses a mis-spelled version of cialis.2.815
FB_DOUBLE_0WORDSbody--Looks like double 0 words3.595
FB_EMAIL_HIERbody--Phrase: email hier1.203
FB_EXTRA_INCHESbody--Phrase: extra inches3.096
FB_FHARMACYbody--Phrase: Farmacy3.695
FB_GAPPY_ADDRESSbody--Too much spacing in Address3.399
FB_GET_MEDSbody--Looks like trying to sell meds1.097
FB_GVRbody--Looks like generic viagra0.001
FB_HEY_BRO_COMMAbody--Phrase hey bro,2.783
FB_HG_H_CAPbody--Phrase: HGH0.887
FB_HOMELOANbody--Phrase $x home loan2.014
FB_IMPRESS_GIRLbody--Phrase: impress ... girl1.757
FB_INCREASE_YOURbody--Phrase: Increase your energy3.396
FB_INDEPEND_RWDbody--Phrase: independent reward3.599
FB_LETTERS_21Bbody--Special people leave special signs!3.999
FB_LOWER_PAYMbody--Phrase: lower your monthly payments2.996
FB_MED1CATbody--Phrase: Med1cat1.000
FB_MEDS_PERCENTbody--Talks about meds and %1.000
FB_MORE_SIZEbody--Phrase: more size1.422
FB_NOT_PHONE_NUM1body--Looks like a fake phone number (1)2.599
FB_NOT_PHONE_NUM3body--Looks like a fake phone number (3)2.596
FB_NOT_SCHOOLbody--Looks like school but it's not!2.312
FB_NO_SCRIP_NEEDEDbody--Phrase: no prescription needed.2.458
FB_NUMYObody--Speaks of teenager.2.397
FB_ODD_SPACED_MONEYbody--Looks like money but has odd spacing.2.723
FB_P1LLbody--Phrase: p1ll1.088
FB_PIPEDOLLARbody--Phrase: Dollar, with pipes or 0's.2.430
FB_QUALITY_REPLICAbody--Phrase: quality replica3.899
FB_REF_CODE_SPACEbody--Refcode with spacing3.599
FB_REPLIC_CAPbody--Phrase: REPLICA3.995
FB_RE_FIbody--Looks like refi.2.696
FB_SOFTTABSbody--Phrase: Softabs4.281
FB_SPACED_PHN_3Bbody--Phone number with -- spacing. (B)2.896
FB_SPACEY_ZIPbody--Looks like a s p a c e d zipcode.1.785
FB_SSEXbody--Phrase: ssex2.001
FB_STOCK_EXPLODEbody--Looks like stocks exploding.2.696
FB_TO_STOP_DISTRObody--Phrase: to stop further distribution3.096
FB_ULTRA_ALLUREbody--Phrase: Ultra Allure2.841
FB_UNLOCK_YOUR_Gbody--Phrase: lock to your girlfriend2.696
FB_UNRESOLV_PROVbody--Pattern Replacement PROV_D1.132
FB_WORD1_END_DOLLARbody--Looks like a word ending with a $1.000
FB_YOURSELF_MASTERbody--Phrase: yourself master1.248
FB_YOUR_REFIbody--Phrase: Your refi3.306
FH_BAD_OEV1441header--Bad X-Mailer version2.393
FH_DATE_IS_19XXheader--The date is not 19xx.1.970
FH_DATE_PAST_20XXheader--The date is grossly in the future.3.384
FH_FAKE_RCVD_LINEheader--RCVD line looks faked (A)2.215
FH_FROMEML_NOTLDheader--E-mail address doesn't have TLD (.com, etc.)2.196
FH_FROM_CASHheader--From name has "cash"2.996
FH_FROM_GIVEAWAYheader--From name is giveaway.2.796
FH_FROM_HOODIAheader--From has Hoodia!!?2.696
FH_HAS_XAIMCheader--Has X-AIMC-AUTH header2.699
FH_HELO_ALMOST_IPheader--Helo is almost an IP addr.3.727
FH_HELO_ENDS_DOTheader--Helo ends with a dot.3.020
FH_HELO_EQ_610HEXheader--Helo is 6-10 hex chr's.4.099
FH_HELO_EQ_CHARTERheader--Helo is d-d-d-d charter.com1.258
FH_HELO_EQ_D_D_D_Dheader--Helo is d-d-d-d0.498
FH_HOST_EQ_DYNAMICIPheader--Host is dynamicip3.097
FH_HOST_EQ_PACBELL_Dheader--Host is pacbell.net dsl0.893
FH_HOST_EQ_VERIZON_Pheader--Host is pool-.+verizon.net1.105
FH_MSGID_000000header--Special MSGID4.299
FH_MSGID_01C67header--Special MSGID0.495
FH_MSGID_01C70XXXheader--MESSAGE ID seen often!!!3.895
FH_MSGID_REPLACEheader--Broken Replace Template2.079
FH_MSGID_XXBLAHheader--Common sign in msg-id's 12/21/20064.495
FH_MSGID_XXXheader--Message-Id = @xxx3.196
FH_RE_NEW_DDDheader--Subject is Re: new \d\d\d1.209
FH_XMAIL_REPLACEheader--Broken Replace Template2.142
FH_XMAIL_RND_833header--Special X-Mailer Version1.000
FIN_FREEbody--Freedom of a financial nature2.599
FM_DOESNT_SAY_STOCKmeta--It's a stock spam but doesn't say stock4.295
FM_FAKE_53COM_SPOOFmeta--Spoof mail from 53.com?3.096
FM_FAKE_HELO_VERIZONmeta--Looks like a fake verizon.net helo.2.573
FM_FRM_RN_L_BRACKmeta--From name has > but not <3.096
FM_LIKE_STOCKSmeta--It looks like a duck, it's a duck!2.940
FM_LUX_GIFTS_REDUCEDmeta--Luxury Gifts with dd%2.486
FM_MANY_DRUG_WORDSmeta--Lot's of almost drug words1.161
FM_MORTGAGE4PLUSmeta--Looks like a mortgage spam (4+)1.000
FM_MORTGAGE5PLUSmeta--Looks like a mortgage spam (5+)3.099
FM_MULTI_LUX_GIFTSmeta--Talks about variety of luxury gifts2.494
FM_PHN_NODNSmeta--Phone spacing + no dns2.538
FM_RATSIGN_1106meta--Fingerprint seen in lots of spam. 11/20060.250
FM_RE_HELLO_SPAMmeta--Re: Hello / hi2.798
FM_ROLEX_ADSmeta--Looks like Rolex spams.3.999
FM_SCHOOLINGmeta--Meta Combo Phrase for Schooling (2)2.386
FM_SCHOOL_DIPLOMAmeta--Meta for Schooling + Diploma.0.776
FM_SCHOOL_TYPESmeta--Meta Combo Phrase for Schooling3.096
FM_SEX_HELODDDDmeta--Sex words + helo = dddd2.332
FM_VIAGRA_SPAM1114meta--Signs of a Viagra spam 11/14/20062.191
FM_XMAIL_F_OUTheader--Looks like Fake Outlook?4.199
FORGED_HOTMAIL_RCVD2header--hotmail.com 'From' address, but no 'Received:'1.117
FORGED_IMS_HTMLmeta--IMS can't send HTML message only2.050
FORGED_IMS_TAGSmeta--IMS mailers can't send HTML in this format1.579
FORGED_MSGID_AOLmeta--Message-ID is forged, (aol.com)0.001
FORGED_MSGID_HOTMAILmeta--Message-ID is forged, (hotmail.com)2.706
FORGED_MSGID_MSNmeta--Message-ID is forged, (msn.com)1.222
FORGED_MSGID_YAHOOmeta--Message-ID is forged, (yahoo.com)3.211
FORGED_MUA_EUDORAmeta--Forged mail pretending to be from Eudora1.665
FORGED_MUA_IMSmeta--Forged mail pretending to be from IMS2.033
FORGED_MUA_MOZILLAmeta--Forged mail pretending to be from Mozilla2.696
FORGED_MUA_OIMOmeta--Forged mail pretending to be from MS Outlook IMO3.595
FORGED_MUA_OUTLOOKmeta--Forged mail pretending to be from MS Outlook4.199
FORGED_MUA_THEBAT_BOUNmeta--Mail pretending to be from The Bat! (boundary)1.019
FORGED_MUA_THEBAT_CSmeta--Mail pretending to be from The Bat! (charset)0.854
FORGED_OUTLOOK_HTMLmeta--Outlook can't send HTML message only0.001
FORGED_OUTLOOK_TAGSmeta--Outlook can't send HTML in this format0.001
FORGED_QUALCOMM_TAGSmeta--QUALCOMM mailers can't send HTML in this format3.127
FORGED_THEBAT_HTMLmeta--The Bat! can't send HTML message only2.407
FORGED_YAHOO_RCVDheader--'From' yahoo.com does not match 'Received' headers1.408
FRAGMENTED_MESSAGEheader--Partial message2.500
FREE_QUOTE_INSTANTbody--Free express or no-obligation quote2.499
FROM_BLANK_NAMEheader--From: contains empty name2.212
FROM_DOMAIN_NOVOWELheader--From: domain has series of non-vowel letters3.099
FROM_EXCESS_BASE64meta--From: base64 encoded unnecessarily1.984
FROM_ILLEGAL_CHARSheader--From: has too many raw illegal characters3.999
FROM_LOCAL_DIGITSheader--From: localpart has long digit sequence0.001
FROM_LOCAL_HEXheader--From: localpart has long hexadecimal sequence2.733
FROM_LOCAL_NOVOWELheader--From: localpart has series of non-vowel letters3.196
FROM_NO_USERheader--From: has no local-part before @ sign0.499
FROM_OFFERSheader--From address is "at something-offers"1.145
FROM_STARTS_WITH_NUMSheader--From: starts with many numbers0.723
FRT_BIGGERMEM1body--ReplaceTags: Bigger / Larger, Penis / Member0.001
FRT_DISCOUNTbody--ReplaceTags: Discount2.996
FRT_DOLLARbody--ReplaceTags: Dollar2.596
FRT_GUARANTEE1body--ReplaceTags: Guarantee (1)2.819
FRT_LEVITRAbody--ReplaceTags: Levitra0.745
FRT_MEETINGbody--ReplaceTags: Meeting2.699
FRT_OFFER2body--ReplaceTags: Offer (2)1.590
FRT_OPPORTUN1body--ReplaceTags: Oppertun (1)1.000
FRT_OPPORTUN2body--ReplaceTags: Oppertun (2)2.699
FRT_PENIS1body--ReplaceTags: Penis3.074
FRT_PRICEbody--ReplaceTags: Price2.531
FRT_REFINANCE1body--ReplaceTags: Refinance (1)2.727
FRT_ROLEXbody--ReplaceTags: Rolex3.096
FRT_SEXUALbody--ReplaceTags: Sexual3.196
FRT_STRONG1body--ReplaceTags: Strong (1)2.919
FRT_STRONG2body--ReplaceTags: Strong (2)0.001
FRT_SYMBOLbody--ReplaceTags: Symbol3.561
FRT_TODAY2body--ReplaceTags: Today (2)2.460
FRT_VALIUM1body--ReplaceTags: Valium3.049
FRT_VALIUM2body--ReplaceTags: Valium (2)1.933
FRT_WEIGHT2body--ReplaceTags: Weight (2)2.930
FRT_XANAX1body--ReplaceTags: Xanax (1)3.799
FRT_XANAX2body--ReplaceTags: Xanax (2)0.001
FR_3TAG_3TAGrawbody--Looks like 3 <e> small tags.0.998
FR_ALMOST_VIAG2rawbody--Almost looks like viagra.2.376
FR_MIDERrawbody--Sign often seen in spams1.706
FS_AT_NO_COSTheader--Subject says "At No Cost"2.596
FS_CHEAP_CAPheader--Phrase: Cheap in Caps in Subject.0.001
FS_DOLLAR_BONUSheader--Subject talks about money bonus!2.696
FS_EJACULAheader--Phrase: ejaculation in subject.2.996
FS_ERECTIONheader--Phrase: erection in subject.2.020
FS_LARGE_PERCENT2header--Larger than 100% in subj.1.037
FS_LOWER_YOURheader--Phrase: lower your1.000
FS_LOW_RATESheader--Subject says low rates1.763
FS_NEW_SOFT_UPLOADheader--Subj starts with New software uploaded1.154
FS_NEW_XXXheader--Subject looks like Fharmacy spams.0.616
FS_NO_SCRIPheader--Subject almost says No prescription2.422
FS_OBFU_PRMCYheader--what could this word be?0.722
FS_PHARMASUB2header--Looks like Phramacy subject.3.895
FS_RAMRODheader--Subject says Ramrod2.820
FS_REPLICAheader--Subject says "replica"1.179
FS_REPLICAWATCHheader--Subject says Replica watch3.799
FS_START_DOYOU2header--Subject starts with Do you dream,have,want,love, etc.3.099
FS_START_LOSEheader--Subject starts with Lose2.596
FS_TEEN_BADheader--Subject says something bad about teens2.596
FS_TIP_DDDheader--Phrase: subject = tip ddd0.021
FS_WEIGHT_LOSSheader--Subject says Weight Loss1.000
FS_WILL_HELPheader--Subject says will help3.299
FUZZY_AMBIENbody--Attempt to obfuscate words in spam0.962
FUZZY_CPILLbody--Attempt to obfuscate words in spam0.001
FUZZY_CREDITbody--Attempt to obfuscate words in spam0.522
FUZZY_ERECTbody--Attempt to obfuscate words in spam0.708
FUZZY_GUARANTEEbody--Attempt to obfuscate words in spam0.962
FUZZY_MEDICATIONbody--Attempt to obfuscate words in spam0.001
FUZZY_MERIDIAbody--/<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i0.778
FUZZY_MILLIONbody--Attempt to obfuscate words in spam2.325
FUZZY_MONEYbody--Attempt to obfuscate words in spam2.796
FUZZY_MORTGAGEbody--Attempt to obfuscate words in spam3.296
FUZZY_OBLIGATIONbody--Attempt to obfuscate words in spam2.796
FUZZY_OFFERSbody--Attempt to obfuscate words in spam1.032
FUZZY_PHARMACYbody--Attempt to obfuscate words in spam2.999
FUZZY_PRESCRIPTbody--Attempt to obfuscate words in spam2.644
FUZZY_PRICESbody--Attempt to obfuscate words in spam2.458
FUZZY_REFINANCEbody--Attempt to obfuscate words in spam0.001
FUZZY_SOFTWAREbody--Attempt to obfuscate words in spam2.860
FUZZY_VLIUMbody--Attempt to obfuscate words in spam0.001
FUZZY_VPILLbody--Attempt to obfuscate words in spam0.001
FUZZY_XPILLbody--Attempt to obfuscate words in spam3.314
FU_COMMON_SUBS2uri--Sub-dir seen often in spam (2).2.057
FU_ENDS_NUMS_DOTS_CLKuri--Ends with clk/d+.d+.d+3.196
FU_END_ETuri--ET Phone Home?3.599
FU_HOODIAuri--URL has hoodia in it.1.484
FU_LONG_QUERY3uri--URL has a long file name with .aspx extension.0.001
FU_MIDERuri--URL has /gal/2.024
FU_UKGEOCITIESuri--URL with [a-z]{2}.geocities.com3.296
FU_URI_TRACKER_Turi--URI style tracker (T)3.895
GAPPY_SUBJECTheader--Subject: contains G.a.p.p.y-T.e.x.t2.001
GEO_QUERY_STRINGuri--/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i2.696
GTUBEbody--Generic Test for Unsolicited Bulk Email1000.000
GUARANTEED_100_PERCENTbody--One hundred percent guaranteed0.965
HASHCASH_2SPENDheader--Hashcash token already spent in another mail0.100
HDR_ORDER_FTSDMCXX_001Cmeta--Header order similar to spam (FTSDMCXX/MID variant)1.937
HDR_ORDER_FTSDMCXX_BATmeta--Header order similar to spam (FTSDMCXX/boundary variant)2.739
HEADER_COUNT_CTYPEheader--Multiple Content-Type headers found0.671
HEADER_COUNT_SUBJECTheader--Multiple Subject headers found3.099
HEADER_SPAMheader--Bulk email fingerprint (header-based) found3.396
HEAD_ILLEGAL_CHARSheader--Headers have too many raw illegal characters3.729
HEAD_LONGheader--Message headers are very long2.500
HELO_DYNAMIC_CHELLO_NLheader--Relay HELO'd using suspicious hostname (Chello.nl)3.599
HELO_DYNAMIC_DHCPheader--Relay HELO'd using suspicious hostname (DHCP)1.520
HELO_DYNAMIC_DIALINheader--Relay HELO'd using suspicious hostname (T-Dialin)3.995
HELO_DYNAMIC_HCCheader--Relay HELO'd using suspicious hostname (HCC)4.295
HELO_DYNAMIC_HEXIPheader--Relay HELO'd using suspicious hostname (Hex IP)3.099
HELO_DYNAMIC_HOME_NLheader--Relay HELO'd using suspicious hostname (Home.nl)3.496
HELO_DYNAMIC_IPADDRheader--Relay HELO'd using suspicious hostname (IP addr 1)2.935
HELO_DYNAMIC_IPADDR2header--Relay HELO'd using suspicious hostname (IP addr 2)4.395
HELO_DYNAMIC_SPLIT_IPheader--Relay HELO'd using suspicious hostname (Split IP)4.199
HELO_FRIENDheader--X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=friend /i0.001
HELO_LH_HOMEheader--X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i3.169
HELO_LH_LDheader--X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost\.localdomain /i0.792
HELO_LOCALHOSTheader--X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i4.499
HELO_OEMheader--X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=(?:pc|oem\S*) /i3.296
HG_HORMONEmeta--Talks about hormones for human growth2.292
HIDE_WIN_STATUSrawbody--Javascript to hide URLs in browser2.213
HIGH_CODEPAGE_URIuri--/^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i2.500
HS_BODY_UPLOADED_SOFTWAREbody--Somebody has uploaded some new software for you1.992
HS_DRUG_DOLLAR_1body--Contains a drug and price-like pattern.1.350
HS_DRUG_DOLLAR_2body--Contains a drug and price-like pattern.1.119
HS_DRUG_DOLLAR_3body--Contains a drug and price-like pattern.1.901
HS_DRUG_DOLLAR_MANYmeta--Contains several drug and dollar-like patterns.0.688
HS_FORGED_OE_FWmeta--Outlook does not prefix forwards with "FW:"2.796
HS_INDEX_PARAMuri--Link contains a common tracker pattern.0.001
HS_SUBJ_NEW_SOFTWAREheader--Subject starts with 'New software uploaded by'0.253
HTML_CHARSET_FARAWAYmeta--A foreign language charset used in HTML markup0.500
HTML_COMMENT_SAVED_URLbody--HTML message is a saved web page1.820
HTML_COMMENT_SHORTbody--HTML comment is very short0.001
HTML_EMBEDSbody--HTML with embedded plugin object0.440
HTML_EXTRA_CLOSEbody--HTML contains far too many close tags1.089
HTML_FONT_FACE_BADbody--HTML font face is not a word0.606
HTML_FONT_LOW_CONTRASTbody--HTML font color similar to background0.543
HTML_FONT_SIZE_HUGEbody--HTML font size is huge0.389
HTML_FONT_SIZE_LARGEbody--HTML font size is large0.001
HTML_IFRAME_SRCbody--Message has HTML IFRAME tag with SRC URI0.001
HTML_IMAGE_ONLY_04body--HTML: images with 0-400 bytes of words1.462
HTML_IMAGE_ONLY_08body--HTML: images with 400-800 bytes of words2.432
HTML_IMAGE_ONLY_12body--HTML: images with 800-1200 bytes of words2.245
HTML_IMAGE_ONLY_16body--HTML: images with 1200-1600 bytes of words2.498
HTML_IMAGE_ONLY_20body--HTML: images with 1600-2000 bytes of words1.808
HTML_IMAGE_ONLY_24body--HTML: images with 2000-2400 bytes of words2.207
HTML_IMAGE_ONLY_28body--HTML: images with 2400-2800 bytes of words1.519
HTML_IMAGE_ONLY_32body--HTML: images with 2800-3200 bytes of words1.318
HTML_IMAGE_RATIO_02body--HTML has a low ratio of text to image area0.550
HTML_IMAGE_RATIO_04body--HTML has a low ratio of text to image area0.170
HTML_IMAGE_RATIO_06body--HTML has a low ratio of text to image area0.001
HTML_IMAGE_RATIO_08body--HTML has a low ratio of text to image area0.001
HTML_MESSAGEbody--HTML included in message0.001
HTML_MIME_NO_HTML_TAGmeta--HTML-only message, but there is no HTML tag1.052
HTML_MISSING_CTYPEmeta--Message is HTML without HTML Content-Type2.380
HTML_NONELEMENT_30_40body--30% to 40% of HTML elements are non-standard1.775
HTML_NONELEMENT_40_50body--40% to 50% of HTML elements are non-standard0.001
HTML_OBFUSCATE_05_10body--Message is 5% to 10% HTML obfuscation0.572
HTML_OBFUSCATE_10_20body--Message is 10% to 20% HTML obfuscation3.196
HTML_OBFUSCATE_20_30body--Message is 20% to 30% HTML obfuscation2.747
HTML_OBFUSCATE_30_40body--Message is 30% to 40% HTML obfuscation2.599
HTML_SHORT_CENTERmeta--HTML is very short with CENTER tag0.001
HTML_SHORT_LINK_IMG_1meta--HTML is very short with a linked image1.078
HTML_SHORT_LINK_IMG_2meta--HTML is very short with a linked image0.239
HTML_SHORT_LINK_IMG_3meta--HTML is very short with a linked image0.556
HTML_TAG_BALANCE_BODYbody--HTML has unbalanced "body" tags0.807
HTML_TAG_BALANCE_HEADbody--HTML has unbalanced "head" tags1.370
HTML_TITLE_SUBJ_DIFFmeta--__HTML_TITLE_SUBJ_DIFF && !__MIME_ATTACHMENT0.805
HTTPS_IP_MISMATCHbody--IP to HTTPS link found in HTML2.896
HTTP_77uri--Contains an URL-encoded hostname (HTTP77)0.001
HTTP_ESCAPED_HOSTuri--Uses %-escapes inside a URL's hostname0.001
HTTP_EXCESSIVE_ESCAPESuri--Completely unnecessary %-escapes inside a URL0.964
IMPOTENCEbody--Impotence cure1.678
INVALID_DATEheader--Invalid Date: header (not RFC 2822)1.651
INVALID_DATE_TZ_ABSURDheader--Invalid Date: header (timezone does not exist)0.243
INVALID_MSGIDmeta--Message-Id is not valid, according to RFC 28222.603
INVALID_TZ_CSTheader--Invalid date in header (wrong CST timezone)0.862
INVALID_TZ_ESTheader--Invalid date in header (wrong EST timezone)2.065
INVESTMENT_ADVICEbody--Message mentions investment advice0.001
IP_LINK_PLUSuri--Dotted-decimal IP address followed by CGI0.001
JM_RCVD_QMAILV1header--Received =~ /by \S+ \(Qmailv1\) with ESMTP/3.995
JM_TORA_XMmeta--(__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)3.096
JOIN_MILLIONSbody--Join Millions of Americans1.807
KAM_LOTTO1meta--Likely to be a e-Lotto Scam Email1.569
KAM_LOTTO2meta--Highly Likely to be a e-Lotto Scam Email1.190
KAM_LOTTO3meta--Almost certain to be a e-Lotto Scam Email1.000
KAM_STOCKOTCmeta--(0)2.328
KAM_STOCKTIP15meta--(0)0.001
KOREAN_UCE_SUBJECTheader--Subject: contains Korean unsolicited email tag1.111
LOCALPART_IN_SUBJECTheader--Local part of To: address appears in Subject2.497
LONGWORDSmeta--Long string of long words3.196
LONG_TERM_PRICEbody--/long\W+term\W+(target|projected)(\W+price)?/i0.212
LOOPHOLE_1body--A loop hole in the banking laws?2.474
LOTTERY_1meta--(__DBLCLAIM && __CASHPRZ)3.196
LOW_PRICEbody--Lowest Price1.159
L_SPAM_TOOL_13header--Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/4.499
MALE_ENHANCEbody--Message talks about enhancing men2.596
MARKETING_PARTNERSbody--Claims you registered with a partner2.355
MICROSOFT_EXECUTABLEbody--Message includes Microsoft executable program0.100
MID_DEGREESheader--Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/4.195
MILLION_USDbody--Talks about millions of dollars1.777
MIME_BAD_ISO_CHARSETbody--MIME character set is an unknown ISO charset2.831
MIME_BASE64_BLANKSrawbody--Extra blank lines in base64 encoding0.001
MIME_BASE64_TEXTrawbody--Message text disguised using base64 encoding2.796
MIME_BOUND_DD_DIGITSheader--Spam tool pattern in MIME boundary4.199
MIME_BOUND_DIGITS_15header--Spam tool pattern in MIME boundary2.896
MIME_BOUND_EQ_RELheader--Content-Type =~ /boundary="=====================_\d+==\.REL"/s0.845
MIME_BOUND_MANY_HEXheader--Spam tool pattern in MIME boundary0.001
MIME_CHARSET_FARAWAYmeta--MIME character set indicates foreign language2.450
MIME_HEADER_CTYPE_ONLYmeta--'Content-Type' found without required MIME headers0.856
MIME_HTML_MOSTLYbody--Multipart message mostly text/html MIME0.001
MIME_HTML_ONLYbody--Message only has text/html MIME parts1.672
MIME_HTML_ONLY_MULTImeta--Multipart message only has text/html MIME parts0.001
MIME_QP_LONG_LINErawbody--Quoted-printable line longer than 76 chars1.819
MIME_SUSPECT_NAMEbody--MIME filename does not match content0.100
MISSING_DATEheader--Missing Date: header0.001
MISSING_HB_SEPheader--Missing blank line between message header and body2.500
MISSING_HEADERSheader--Missing To: header1.581
MISSING_MIDheader--Missing Message-Id: header0.001
MISSING_MIMEOLEmeta--Message has X-MSMail-Priority, but no X-MimeOLE0.001
MISSING_MIME_HB_SEPbody--Missing blank line between MIME header and body2.699
MISSING_SUBJECTmeta--Missing Subject: header1.285
MONEY_BACKbody--Money back guarantee0.001
MORE_SEXbody--Talks about a bigger drive for sex2.321
MPART_ALT_DIFFbody--HTML and text parts are different1.143
MPART_ALT_DIFF_COUNTbody--HTML and text parts are different1.882
MSGID_DOLLARS_RANDOMmeta--__MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK3.296
MSGID_FROM_MTA_HEADERmeta--Message-Id was added by a relay1.495
MSGID_MULTIPLE_ATheader--Message-ID contains multiple '@' characters1.211
MSGID_OUTLOOK_INVALIDheader--Message-Id is fake (in Outlook Express format)2.896
MSGID_RANDYmeta--Message-Id has pattern used in spam0.001
MSGID_SHORTheader--Message-ID is unusually short0.232
MSGID_SPAM_CAPSheader--Spam tool Message-Id: (caps variant)4.195
MSGID_SPAM_LETTERSheader--Spam tool Message-Id: (letters variant)1.637
MSGID_YAHOO_CAPSheader--Message-ID has ALLCAPS@yahoo.com0.448
MSOE_MID_WRONG_CASEmeta--(__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)0.699
MULTIPART_ALT_NON_TEXTbody--eval:check_ma_non_text()2.696
NA_DOLLARSbody--Talks about a million North American dollars1.129
NORMAL_HTTP_TO_IPuri--Uses a dotted-decimal IP address in URL0.001
NO_DNS_FOR_FROMheader--Envelope sender has no MX or A DNS records1.407
NO_HEADERS_MESSAGEmeta--Message appears to be missing most RFC-822 headers0.001
NO_PRESCRIPTIONbody--No prescription needed2.757
NO_RDNS_DOTCOM_HELOheader--Host HELO'd as a big ISP, but had no rDNS0.799
NULL_IN_BODYfull--Message has NUL (ASCII 0) byte in message1.489
NUMERIC_HTTP_ADDRuri--Uses a numeric IP address in URL0.001
OBFUSCATING_COMMENTmeta--HTML comments which obfuscate text0.230
OBSCURED_EMAILbody--Message seems to contain rot13ed address0.012
ONLINE_PHARMACYbody--Online Pharmacy1.484
OUTLOOK_3416header--Claims to be sent by an unusual build of Outlook (3416)1.695
PART_CID_STOCKmeta--Has a spammy image attachment (by Content-ID)1.231
PART_CID_STOCK_LESSmeta--Has a spammy image attachment (by Content-ID, more specific)0.001
PERCENT_RANDOMmeta--Message has a random macro in it3.196
PLING_QUERYheader--Subject has exclamation mark and question mark1.333
PREVENT_NONDELIVERYheader--Message has Prevent-NonDelivery-Report header1.640
PRICES_ARE_AFFORDABLEbody--Message says that prices aren't too expensive0.001
PYZOR_CHECKfull--Listed in Pyzor (http://pyzor.sf.net/)2.834
RATWARE_EFROMheader--Bulk email fingerprint (envfrom) found3.795
RATWARE_EGROUPSheader--Bulk email fingerprint (eGroups) found2.379
RATWARE_MS_HASHmeta--Bulk email fingerprint (msgid ms hash) found2.779
RATWARE_OE_MALFORMEDheader--X-Mailer has malformed Outlook Express version2.095
RATWARE_OUTLOOK_NONAMEmeta--Bulk email fingerprint (Outlook no name) found0.001
RATWARE_RCVD_ATheader--Bulk email fingerprint (Received @) found0.650
RATWARE_RCVD_PFheader--Bulk email fingerprint (Received PF) found3.895
RAZOR2_CF_RANGE_51_100full--Razor2 gives confidence level above 50%0.500
RAZOR2_CF_RANGE_E4_51_100full--Razor2 gives engine 4 confidence level above 50%1.500
RAZOR2_CF_RANGE_E8_51_100full--Razor2 gives engine 8 confidence level above 50%1.500
RAZOR2_CHECKfull--Listed in Razor2 (http://razor.sf.net/)0.500
RCVD_AM_PMheader--Received headers forged (AM/PM)1.688
RCVD_BAD_IDheader--Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*:<=>?\@\[\]^\`{|}~]|;\S)/2.088
RCVD_DOUBLE_IP_LOOSEmeta--Received: by and from look like IP addresses0.001
RCVD_DOUBLE_IP_SPAMmeta--Bulk email fingerprint (double IP) found3.895
RCVD_FAKE_HELO_DOTCOMheader--Received contains a faked HELO hostname2.775
RCVD_FORGED_WROTEheader--Forged 'Received' header found ('wrote:' spam)4.479
RCVD_FORGED_WROTE2header--Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s2.736
RCVD_HELO_IP_MISMATCHheader--Received: HELO and IP do not match, but should2.320
RCVD_ILLEGAL_IPheader--Received: contains illegal IP address3.196
RCVD_IN_BL_SPAMCOP_NETheader--Received via a relay in bl.spamcop.net2.188
RCVD_IN_DOBheader--Received via relay in new domain (Day Old Bread)0.835
RCVD_IN_DSBLheader--Received via a relay in list.dsbl.org0.753
RCVD_IN_NJABL_PROXYheader--NJABL: sender is an open proxy1.693
RCVD_IN_NJABL_RELAYheader--NJABL: sender is confirmed open relay1.841
RCVD_IN_NJABL_SPAMheader--NJABL: sender is confirmed spam source3.096
RCVD_IN_PBLheader--Received via a relay in Spamhaus PBL0.509
RCVD_IN_SBLheader--Received via a relay in Spamhaus SBL2.810
RCVD_IN_SORBS_DULheader--SORBS: sent directly from dynamic IP address1.615
RCVD_IN_SORBS_HTTPheader--SORBS: sender is open HTTP proxy server0.001
RCVD_IN_SORBS_MISCheader--SORBS: sender is open proxy server0.001
RCVD_IN_SORBS_SOCKSheader--SORBS: sender is open SOCKS proxy server0.182
RCVD_IN_SORBS_WEBheader--SORBS: sender is a abuseable web server1.117
RCVD_IN_XBLheader--Received via a relay in Spamhaus XBL2.896
RCVD_MAIL_COMheader--Forged Received header (contains post.com or mail.com)1.452
RCVD_NUMERIC_HELOheader--Received: contains an IP address used for HELO2.599
RDNS_DYNAMICmeta--Delivered to trusted network by host with dynamic-looking rDNS0.100
RDNS_NONEmeta--Delivered to trusted network by a host with no rDNS0.100
REFINANCE_NOWbody--Home refinancing0.169
REFINANCE_YOUR_HOMEbody--Home refinancing0.001
REMOVE_BEFORE_LINKbody--Removal phrase right before a link0.001
REPLICA_WATCHbody--Message talks about a replica watch3.396
REPTO_OVERQUOTE_THEBATmeta--The Bat! doesn't do quoting like this3.499
REPTO_QUOTE_AOLmeta--AOL doesn't do quoting like this1.595
REPTO_QUOTE_IMSmeta--IMS doesn't do quoting like this0.314
REPTO_QUOTE_MSNmeta--MSN doesn't do quoting like this2.689
REPTO_QUOTE_QUALCOMMmeta--Qualcomm/Eudora doesn't do quoting like this0.415
REPTO_QUOTE_YAHOOmeta--Yahoo! doesn't do quoting like this0.729
ROUND_THE_WORLD_LOCALheader--Received: says mail sent around the world (HELO)2.696
SB_GIF_AND_NO_URISmeta--(__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)1.257
SHORT_HELO_AND_INLINE_IMAGEmeta--Short HELO string, with inline image0.702
SHORT_TERM_PRICEbody--/short\W+term\W+(target|projected)(\W+price)?/i1.950
SORTED_RECIPSheader--Recipient list is sorted by address1.800
SPAMMY_XMAILERmeta--X-Mailer string is common in spam and not in ham2.333
SPF_FAILheader--SPF: sender does not match SPF record (fail)0.992
SPF_HELO_FAILheader--SPF: HELO does not match SPF record (fail)0.365
SPF_HELO_NEUTRALheader--SPF: HELO does not match SPF record (neutral)2.000
SPF_HELO_SOFTFAILheader--SPF: HELO does not match SPF record (softfail)1.533
SPF_NEUTRALheader--SPF: sender does not match SPF record (neutral)1.210
SPF_SOFTFAILheader--SPF: sender does not match SPF record (softfail)0.654
SPOOF_COM2COMuri--URI contains ".com" in middle and end0.341
SPOOF_COM2OTHuri--URI contains ".com" in middle0.848
SPOOF_NET2COMuri--URI contains ".net" or ".org", then ".com"2.896
STOCK_ALERTbody--Offers a alert about a stock2.889
STOCK_IMG_CTYPEmeta--Stock spam image part, with distinctive Content-Type header0.001
STOCK_IMG_HDR_FROMmeta--Stock spam image part, with distinctive From line0.001
STOCK_IMG_HTMLmeta--Stock spam image part, with distinctive HTML0.001
STOCK_IMG_OUTLOOKmeta--Stock spam image part, with Outlook-like features0.001
STOCK_PRICESmeta--(SHORT_TERM_PRICE && LONG_TERM_PRICE)0.184
STOX_AND_PRICEmeta--CURR_PRICE && STOX_REPLY_TYPE2.373
STOX_REPLY_TYPEheader--Content-Type =~ /text\/plain; .* reply-type=original/0.001
STRONG_BUYbody--Tells you about a strong buy2.478
SUBJECT_DIETheader--Subject talks about losing pounds1.621
SUBJECT_DRUG_GAP_Cheader--Subject contains a gappy version of 'cialis'0.001
SUBJECT_DRUG_GAP_Lheader--Subject contains a gappy version of 'levitra'1.831
SUBJECT_DRUG_GAP_VAheader--Subject contains a gappy version of 'valium'2.596
SUBJECT_DRUG_GAP_Xheader--Subject contains a gappy version of 'xanax'2.052
SUBJECT_FUZZY_MEDSheader--Attempt to obfuscate words in Subject:2.812
SUBJECT_FUZZY_PENISheader--Attempt to obfuscate words in Subject:1.308
SUBJECT_FUZZY_TIONheader--Attempt to obfuscate words in Subject:0.410
SUBJECT_FUZZY_VPILLmeta--Attempt to obfuscate words in Subject:3.299
SUBJECT_IN_BLACKLISTheader--Subject: contains string in the user's black-list100.000
SUBJECT_NEEDS_ENCODINGmeta--(!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME1.277
SUBJECT_SEXUALheader--Subject indicates sexually-explicit content0.116
SUBJ_ALL_CAPSheader--Subject is all capitals1.806
SUBJ_BUYheader--Subject line starts with Buy or Buying0.900
SUBJ_DOLLARSheader--Subject starts with dollar amount0.842
SUBJ_ILLEGAL_CHARSheader--Subject: has too many raw illegal characters1.527
SUBJ_RE_NUMmeta--Subject is faking 'The Bat!' responses2.667
SUBJ_YOUR_DEBTheader--Subject contains "Your Bills" or similar2.896
SUBJ_YOUR_FAMILYheader--Subject contains "Your Family"2.647
SUSPICIOUS_RECIPSheader--Similar addresses in recipient list3.196
TEMPLATE_203_RCVDheader--Received =~ /from 192.168.0.\d+ \(203-219-/1.000
TO_MALFORMEDheader--To: has a malformed address0.001
TRACKER_IDbody--Incorporates a tracking ID number2.696
TT_MSGID_TRUNCheader--Scora: Message-Id ends after left-bracket + digits1.874
TT_OBSCURED_VALIUMmeta--Scora: obscured "VALIUM" in subject0.462
TT_OBSCURED_VIAGRAmeta--Scora: obscured "VIAGRA" in subject2.154
TVD_ACT_193body--/\bact of (?:193|nineteen thirty)/i3.420
TVD_APPROVEDbody--/you.{1,2}re .{0,20}approved/i2.558
TVD_APP_LOANbody--/approved .{0,20}loan/i1.000
TVD_DEAR_HOMEOWNERbody--/^dear homeowner/i2.599
TVD_EB_PHISHmeta--__FROM_EBAY && NORMAL_HTTP_TO_IP2.996
TVD_ENVFROM_APOSTheader--EnvelopeFrom =~ /\'/3.307
TVD_FINGER_02header--Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i2.720
TVD_FLOAT_GENERALrawbody--/\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i1.114
TVD_FUZZY_SYMBOLbody--/<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i1.435
TVD_PH_RECbody--Message has a phrase standard for phishing mails2.996
TVD_PH_SUBJ_ACCOUNTS_POSTheader--Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)|confirm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i2.996
TVD_PH_SUBJ_METAmeta--__TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST1.000
TVD_PH_SUBJ_URGENTheader--Subject =~ /^urgent(?:[\s\W]*$|.{1,40}(?:alert|response|assistance|proposal|reply|warning|noti(?:ce|fication)|greeting|matter))/i2.102
TVD_PP_PHISHmeta--__FROM_PAYPAL && NORMAL_HTTP_TO_IP3.099
TVD_QUAL_MEDSbody--/\bquality med(?:ication)?s\b/i4.123
TVD_RATWARE_CBheader--Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i2.914
TVD_RATWARE_MSGID_02header--Message-ID =~ /^[^<]*<[a-z]+\@/1.688
TVD_RCVD_IPheader--Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/1.617
TVD_RCVD_IP4header--Received =~ /^from\s+(?:\d+\.){3}\d+\s/3.344
TVD_RCVD_SINGLEheader--Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/0.303
TVD_SECTIONbody--/\bSection (?:27A|21B)/i3.317
TVD_SPACED_SUBJECT_WORD3header--Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/3.599
TVD_SPACE_RATIObody--eval:tvd_vertical_words('0','10')2.899
TVD_STOCK1body--eval:check_stock_info('2')3.792
TVD_SUBJ_OWEheader--Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i3.196
TVD_SUBJ_WIPE_DEBTheader--Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i2.896
TVD_VISIT_PHARMAbody--/Online Ph.rmacy/i0.001
TVD_VIS_HIDDENrawbody--/<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i1.908
UNCLAIMED_MONEYbody--People just leave money laying around2.985
UNCLOSED_BRACKETheader--Headers contain an unclosed bracket2.083
UNPARSEABLE_RELAYheader--Informational: message has unparseable relay lines0.001
UNRESOLVED_TEMPLATEheader--Headers contain an unresolved template3.325
UNWANTED_LANGUAGE_BODYbody--Message written in an undesired language2.800
UPPERCASE_50_75meta--message body is 50-75% uppercase0.490
UPPERCASE_75_100meta--message body is 75-100% uppercase1.930
URG_BIZbody--Contains urgent matter0.667
URIBL_AB_SURBLbody--Contains an URL listed in the AB SURBL blocklist1.613
URIBL_BLACKbody--Contains an URL listed in the URIBL blacklist1.961
URIBL_GREYbody--Contains an URL listed in the URIBL greylist0.250
URIBL_JP_SURBLbody--Contains an URL listed in the JP SURBL blocklist2.857
URIBL_OB_SURBLbody--Contains an URL listed in the OB SURBL blocklist2.132
URIBL_PH_SURBLbody--Contains an URL listed in the PH SURBL blocklist2.035
URIBL_REDbody--Contains an URL listed in the URIBL redlist0.001
URIBL_RHS_AHBLbody--Contains an URI listed in rhsbl.ahbl.org.1.000
URIBL_RHS_DOBbody--Contains an URI of a new domain (Day Old Bread)0.901
URIBL_SBLbody--Contains an URL listed in the SBL blocklist2.468
URIBL_SC_SURBLbody--Contains an URL listed in the SC SURBL blocklist2.523
URIBL_WS_SURBLbody--Contains an URL listed in the WS SURBL blocklist2.100
URI_HEXuri--URI hostname has long hexadecimal sequence1.316
URI_NOVOWELuri--URI hostname has long non-vowel sequence2.543
URI_NO_WWW_INFO_CGIuri--CGI in .info TLD other than third-level "www"0.601
URI_TRUNCATEDbody--Message contained a URI which was truncated0.001
URI_UNSUBSCRIBEuri--URI contains suspicious unsubscribe link3.092
USER_IN_BLACKLISTheader--From: address is in the user's black-list100.000
USER_IN_BLACKLIST_TOheader--User is listed in 'blacklist_to'10.000
US_DOLLARS_3body--Mentions millions of $ ($NN,NNN,NNN.NN)1.165
VBOUNCE_MESSAGEmeta--Virus-scanner bounce message0.100
VIA_GAP_GRAbody--Attempts to disguise the word 'viagra'1.053
WEIRD_PORTuri--Uses non-standard port number for HTTP1.499
WEIRD_QUOTINGbody--Weird repeated double-quotation marks2.796
WHOIS_AITPRIVbody--URL registered as an AIT Private Registration3.995
WHOIS_CONTACTPRIVbody--URL registered to contactprivacy.com2.696
WHOIS_DMNBYPROXYbody--Contains URL registered to Domains by Proxy0.260
WHOIS_MONIKER_PRIVbody--URL registered to Moniker Privacy Protection2.596
WHOIS_MYPRIVREGbody--URL registered to myprivateregistration.com0.156
WHOIS_NAMEKINGbody--URL registered to NameKing1.477
WHOIS_NETSOLPRbody--URL registered as a NetSol Private Registration0.001
WHOIS_PRIVACYPOSTbody--Contains URL registered to PrivacyPost0.647
WHOIS_PRIVPROTbody--URL registered to WHOIS Privacy Protection2.801
WHOIS_REGISTERFLYbody--Contains URL registered to RegisterFly3.196
WHOIS_SECUREWHOISbody--C