[Qmail] SpamAssassin rule configuration (score assignment)

Reference: https://wiki.apache.org/spamassassin/WritingRules

Perl regex syntax reference: https://www.tutorialspoint.com/perl/perl_regular_expressions.htm

:: SpamAssassin rule configuration (score assignment).

Original reference: http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

When SpamAssassin is used to block spam, each message is given a score,
and that score decides whether the message is treated as spam.

The score settings go in local.cf.
To apply SpamAssassin to the mail you send yourself, install a spam milter.
Searching will turn up plenty of material on the options below.

Reference: https://www.mailenable.com/forum/viewtopic.php?t=26046

[root@ns1 ~]# vi /etc/mail/spamassassin/local.cf

# SpamAssassin config file for version 3.x
# NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
# See http://www.yrex.com/spam/spamconfig25.php for earlier versions
# Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)
# How many hits before a message is considered spam.
required_score 10
# Change the subject of suspected spam
rewrite_header subject [SPAM]
# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Enable or disable network checks
skip_rbl_checks 1
use_razor2 1
use_dcc 1
use_pyzor 1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# – korean
ok_languages all
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales all
whitelist_from *@xinet.kr *@nate.com *@naver.com
blacklist_from *@hosanna.net *@blankrome.com

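Making good use of whitelist_from and blacklist_from above lets you allow or reject mail from specific senders.

Explanation of the options above

report_safe : Whether to hide the original message when it is judged to be spam. If you are worried about any attack that could hit you the moment you read a message, set this to 1. I set it to 0, however.

required_score : The score at or above which a message is suspected of being spam. This is a subjective choice for the server administrator. I think simply using 5 is fine.

use_bayes : Whether to use the trained Bayesian classifier. Naturally, set it to 1.

bayes_auto_learn : The auto-learning setting. For mail that is definitely spam, the tokens it is broken into are learned continuously. Automatically, of course.

bayes_path : Where the learned token files are stored. By default they are stored separately per user, but setting this allows central management. The value is a prefix: two files are created with _toks and _seen appended to it.

bayes_file_mode : The file permissions. Something like 666 will do.

skip_rbl_checks : Uses RBL check results in the score. These checks end up doing quite a lot of the work. Note that the option is a skip flag: 1 disables the RBL checks and 0 runs them.

use_razor2 : Whether to use the shared blacklist system run by Vipul’s Razor. I did not use it. It requires a separate installation.

use_dcc : Short for Distributed Checksum Clearinghouse. Its home page says it is exceptionally effective at reducing spam. Use it if you judge it necessary.

use_pyzor : Seems to play a role similar to Razor2. I have not used it, so I do not know the details. The home page is here.

ok_languages : Set the languages that matter to you. For Korea, enter ko. If you exchange a lot of mail with English-speaking regions, add en as well.

ok_locales : Plays the same role as the option above.

score : Lets you force a specific score for a particular rule.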
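How required_score, whitelist_from, blacklist_from and score interact, as an added example that is not part of the original post and is not SpamAssassin's own code. It is a simplified Python model that also shows what happens when two address patterns are written without a space between them (`*@nate.com*@naver.com`); the sample configs, the rule hits and the function names are constructed for illustration.

```python
import re

# Default scores SpamAssassin 3.x gives the rules that whitelist_from and
# blacklist_from trigger.
LIST_SCORES = {"USER_IN_WHITELIST": -100.0, "USER_IN_BLACKLIST": 100.0}

# A few rule scores copied from the chart on this page.
CHART_SCORES = {"BAYES_99": 6.0, "DEAR_FRIEND": 2.683,
                "MISSING_DATE": 2.739, "HTML_MESSAGE": 0.001}

# Constructed sample config: the last two whitelist patterns run together.
RUN_TOGETHER = """\
required_score 10
whitelist_from *@xinet.kr *@nate.com*@naver.com
blacklist_from *@hosanna.net *@blankrome.com
"""
# The same config with the patterns separated by whitespace.
SEPARATED = RUN_TOGETHER.replace("*@nate.com*@naver.com", "*@nate.com *@naver.com")


def glob_to_regex(pattern):
    """Translate an address glob ('*' = any run, '?' = one character)."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE)


def parse_local_cf(text):
    """Read the handful of local.cf options this example models."""
    conf = {"required_score": 5.0, "whitelist": [], "blacklist": [], "scores": {}}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        key, args = fields[0], fields[1:]
        if key == "required_score":
            conf["required_score"] = float(args[0])
        elif key == "whitelist_from":
            conf["whitelist"].extend(args)
        elif key == "blacklist_from":
            conf["blacklist"].extend(args)
        elif key == "score" and len(args) >= 2:
            conf["scores"][args[0]] = float(args[1])  # first score value only
    return conf


def suspicious_globs(conf):
    """Patterns without exactly one '@' are probably two entries fused together."""
    return [p for p in conf["whitelist"] + conf["blacklist"] if p.count("@") != 1]


def classify(sender, hits, conf):
    """Return (total, is_spam, rules) for a From address and a list of rule hits."""
    scores = {**CHART_SCORES, **LIST_SCORES, **conf["scores"]}
    rules = list(hits)
    if any(glob_to_regex(p).fullmatch(sender) for p in conf["whitelist"]):
        rules.append("USER_IN_WHITELIST")
    if any(glob_to_regex(p).fullmatch(sender) for p in conf["blacklist"]):
        rules.append("USER_IN_BLACKLIST")
    total = round(sum(scores[r] for r in rules), 3)
    return total, total >= conf["required_score"], rules


if __name__ == "__main__":
    hits = ["BAYES_99", "DEAR_FRIEND", "MISSING_DATE", "HTML_MESSAGE"]  # constructed
    for name, text in (("run together", RUN_TOGETHER), ("separated", SEPARATED)):
        conf = parse_local_cf(text)
        print(name, suspicious_globs(conf), classify("user@naver.com", hits, conf))
    # A constructed "score" override lowers one rule and changes the verdict.
    conf = parse_local_cf(SEPARATED + "score BAYES_99 3.0\n")
    print("override", classify("stranger@example.org", hits, conf))
```

Because whitelist_from trusts the From address, which a sender can forge, the SpamAssassin documentation recommends whitelist_auth or whitelist_from_rcvd for entries that carry a -100 score.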

Test & Scoring Chart

https://www.futurequest.net/docs/SA/

Test Name / Area Tested / Description Of Test / Score (Bayes off, RBLs off)
ACT_NOW_CAPS body Talks about ‘acting now’ with capitals 0.100
AC_BR_BONANZA rawbody Too many newlines in a row… spammy template 0.001
AC_DIV_BONANZA rawbody Too many divs in a row… spammy template 0.001
AC_FROM_MANY_DOTS meta Multiple periods in From user name 3.000
AC_HTML_NONSENSE_TAGS rawbody Many consecutive multi-letter HTML tags, likely nonsense/spam 1.000
AC_SPAMMY_URI_PATTERNS1 meta link combos match highly spammy template 1.000
AC_SPAMMY_URI_PATTERNS10 meta link combos match highly spammy template 1.000
AC_SPAMMY_URI_PATTERNS11 meta link combos match highly spammy template 1.000
AC_SPAMMY_URI_PATTERNS12 meta link combos match highly spammy template 1.000
AC_SPAMMY_URI_PATTERNS2 meta link combos match highly spammy template 1.000
AC_SPAMMY_URI_PATTERNS3 meta link combos match highly spammy template 1.000
AC_SPAMMY_URI_PATTERNS4 meta link combos match highly spammy template 1.000
AC_SPAMMY_URI_PATTERNS8 meta link combos match highly spammy template 1.000
AC_SPAMMY_URI_PATTERNS9 meta link combos match highly spammy template 1.000
ADMAIL meta “admail” and variants 1.000
ADVANCE_FEE_2_NEW_FORM meta Advance Fee fraud and a form 1.000
ADVANCE_FEE_2_NEW_MONEY meta Advance Fee fraud and lots of money 1.999
ADVANCE_FEE_3_NEW meta Appears to be advance fee fraud (Nigerian 419) 2.600
ADVANCE_FEE_3_NEW_FORM meta Advance Fee fraud and a form 1.000
ADVANCE_FEE_3_NEW_MONEY meta Advance Fee fraud and lots of money 2.699
ADVANCE_FEE_4_NEW meta Appears to be advance fee fraud (Nigerian 419) 2.699
ADVANCE_FEE_4_NEW_MONEY meta Advance Fee fraud and lots of money 2.799
ADVANCE_FEE_5_NEW_FRM_MNY meta Advance Fee fraud form and lots of money 0.001
AD_PREFS body Advertising preferences 0.250
ALIBABA_IMG_NOT_RCVD_ALI meta Alibaba hosted image but message not from Alibaba 2.499
ALL_TRUSTED header Passed through trusted hosts only via SMTP -1.000
AMAZON_IMG_NOT_RCVD_AMZN meta Amazon hosted image but message not from Amazon 2.201
ANY_BOUNCE_MESSAGE meta Message is some kind of bounce message 0.100
APOSTROPHE_FROM header From address contains an apostrophe 0.148
APP_DEVELOPMENT_FREEM meta App development pitch, freemail or CHN replyto 1.000
APP_DEVELOPMENT_NORDNS meta App development pitch, no rDNS 1.000
AWL header Adjusted score from AWL reputation of From: address 1.000
AXB_XMAILER_MIMEOLE_OL_024C2 meta Yet another X header trait 3.899
AXB_XMAILER_MIMEOLE_OL_1ECD5 meta Yet another X header trait 0.001
BAD_CREDIT body Eliminate Bad Credit 0.100
BAD_ENC_HEADER header Message has bad MIME encoding in the header 0.001
BANG_GUAR body Something is emphatically guaranteed 1.000
BANKING_LAWS body Talks about banking laws 2.399
BASE64_LENGTH_78_79 body No description provided 0.100
BASE64_LENGTH_79_INF body base64 encoded email part uses line length greater than 79 characters 1.379
BAYES_00 body Bayes spam probability is 0 to 1% -3.000
BAYES_05 body Bayes spam probability is 1 to 5% -0.500
BAYES_20 body Bayes spam probability is 5 to 20% -0.001
BAYES_40 body Bayes spam probability is 20 to 40% -0.001
BAYES_50 body Bayes spam probability is 40 to 60% 2.000
BAYES_60 body Bayes spam probability is 60 to 80% 3.000
BAYES_80 body Bayes spam probability is 80 to 95% 4.000
BAYES_95 body Bayes spam probability is 95 to 99% 5.000
BAYES_99 body Bayes spam probability is 99 to 100% 6.000
BAYES_999 body Bayes spam probability is 99.9 to 100% 7.000
BILLION_DOLLARS body Talks about lots of money 0.001
BITCOIN_BOMB meta BitCoin + bomb 1.000
BITCOIN_DEADLINE meta BitCoin with a deadline 2.999
BITCOIN_EXTORT_01 meta Extortion spam, pay via BitCoin 3.160
BITCOIN_MALWARE meta BitCoin + malware bragging 0.121
BITCOIN_PAY_ME meta Pay me via BitCoin 1.000
BITCOIN_SPAM_01 meta BitCoin spam pattern 01 1.000
BITCOIN_SPAM_02 meta BitCoin spam pattern 02 2.500
BITCOIN_SPAM_03 meta BitCoin spam pattern 03 1.000
BITCOIN_SPAM_04 meta BitCoin spam pattern 04 1.000
BITCOIN_SPAM_05 meta BitCoin spam pattern 05 0.001
BITCOIN_SPAM_06 meta BitCoin spam pattern 06 1.000
BITCOIN_SPAM_07 meta BitCoin spam pattern 07 3.499
BITCOIN_SPAM_08 meta BitCoin spam pattern 08 1.867
BITCOIN_SPAM_09 meta BitCoin spam pattern 09 1.499
BITCOIN_SPAM_10 meta BitCoin spam pattern 10 1.000
BITCOIN_SPAM_11 meta BitCoin spam pattern 11 1.000
BITCOIN_SPAM_12 meta BitCoin spam pattern 12 1.000
BITCOIN_SPF_ONLYALL meta Bitcoin from a domain specifically set to pass +all SPF 0.001
BODY_8BITS body Body includes 8 consecutive 8-bit characters 1.500
BODY_EMPTY meta No body text in message 1.999
BODY_ENHANCEMENT body Information on growing body parts 0.927
BODY_ENHANCEMENT2 body Information on getting larger body parts 0.100
BODY_SINGLE_URI meta Message body is only a URI 2.499
BODY_SINGLE_WORD meta Message body is only one word (no spaces) 1.101
BODY_URI_ONLY meta Message body is only a URI in one line of text or for an image 0.999
BOGUS_MIME_VERSION meta Mime version header is bogus 1.000
BOGUS_MSM_HDRS meta Apparently bogus Microsoft email headers 0.895
BOMB_FREEM meta Bomb + freemail 1.000
BOMB_MONEY meta Bomb + money: bomb threat? 1.000
BOUNCE_MESSAGE meta MTA bounce message 0.100
BTC_ORG meta Bitcoin wallet ID + unusual header 1.000
BUG6152_INVALID_DATE_TZ_ABSURD header No description provided 0.100
BULK_RE_SUSP_NTLD meta Precedence bulk and RE: from a suspicious TLD 1.000
CANT_SEE_AD meta You really want to see our spam. 1.000
CHALLENGE_RESPONSE meta Challenge-Response message for mail you sent 0.100
CHARSET_FARAWAY body Character set indicates a foreign language 3.200
CHARSET_FARAWAY_HEADER header A foreign language charset used in headers 3.200
CK_HELO_DYNAMIC_SPLIT_IP header Relay HELO’d using suspicious hostname (Split IP) 1.499
CK_HELO_GENERIC header Relay used name indicative of a Dynamic Pool or Generic rPTR 0.250
CN_B2B_SPAMMER body Chinese company introducing itself 1.000
COMMENT_GIBBERISH meta Nonsense in long HTML comment 1.000
COMPENSATION meta “Compensation” 1.000
CRBOUNCE_MESSAGE meta Challenge-Response bounce message 0.100
CTYPE_001C_B header No description provided 0.001
CTYPE_NULL meta Malformed Content-Type header 1.000
CURR_PRICE body No description provided 0.001
DATE_IN_FUTURE_03_06 header Date: is 3 to 6 hours after Received: date 3.399
DATE_IN_FUTURE_06_12 header Date: is 6 to 12 hours after Received: date 2.899
DATE_IN_FUTURE_12_24 header Date: is 12 to 24 hours after Received: date 2.603
DATE_IN_FUTURE_24_48 header Date: is 24 to 48 hours after Received: date 2.598
DATE_IN_FUTURE_48_96 header Date: is 48 to 96 hours after Received: date 2.384
DATE_IN_FUTURE_96_Q header Date: is 4 days to 4 months after Received: date 2.453
DATE_IN_PAST_03_06 header Date: is 3 to 6 hours before Received: date 2.399
DATE_IN_PAST_06_12 header Date: is 6 to 12 hours before Received: date 1.699
DATE_IN_PAST_12_24 header Date: is 12 to 24 hours before Received: date 0.001
DATE_IN_PAST_24_48 header Date: is 24 to 48 hours before Received: date 1.109
DATE_IN_PAST_96_XX header Date: is 96 hours or more before Received: date 2.600
DAY_I_EARNED meta Work-at-home spam 1.000
DCC_CHECK full Detected as bulk mail by DCC (dcc-servers.net) 0.000
DCC_REPUT_00_12 full DCC reputation between 0 and 12 % (mostly ham) 0.000
DCC_REPUT_13_19 full DCC reputation between 13 and 19 % 0.000
DCC_REPUT_70_89 full DCC reputation between 70 and 89 % 0.000
DCC_REPUT_90_94 full DCC reputation between 90 and 94 % 0.000
DCC_REPUT_95_98 full DCC reputation between 95 and 98 % (mostly spam) 0.000
DCC_REPUT_99_100 full DCC reputation between 99 % or higher (spam) 0.000
DC_GIF_UNO_LARGO meta Message contains a single large gif image 0.001
DC_IMAGE_SPAM_HTML meta Possible Image-only spam 0.100
DC_IMAGE_SPAM_TEXT meta Possible Image-only spam with little text 0.100
DC_PNG_UNO_LARGO meta Message contains a single large png image 0.001
DEAR_BENEFICIARY body Dear Beneficiary: 1.140
DEAR_FRIEND body Dear Friend? That’s not very dear! 2.683
DEAR_SOMETHING body Contains ‘Dear (something)’ 1.999
DEAR_WINNER body Spam with generic salutation of “dear winner” 3.099
DIET_1 body Lose Weight Spam 0.714
DIGEST_MULTIPLE meta Message hits more than one network digest check 0.000
DKIMDOMAIN_IN_DWL ??? No description provided 0.000
DKIMDOMAIN_IN_DWL_UNKNOWN ??? No description provided 0.000
DKIMWL_BL meta DKIMwl.org – Blacklisted sender 0.001
DKIMWL_BLOCKED meta ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. 0.001
DKIMWL_WL_HIGH meta DKIMwl.org – Whitelisted High sender 0.001
DKIMWL_WL_MED meta DKIMwl.org – Medium sender 0.001
DKIMWL_WL_MEDHI meta DKIMwl.org – Medium-high sender 0.001
DKIM_ADSP_ALL header No valid author signature, domain signs all mail 0.000
DKIM_ADSP_CUSTOM_HIGH header No valid author signature, adsp_override is CUSTOM_HIGH 0.001
DKIM_ADSP_CUSTOM_LOW header No valid author signature, adsp_override is CUSTOM_LOW 0.001
DKIM_ADSP_CUSTOM_MED header No valid author signature, adsp_override is CUSTOM_MED 0.001
DKIM_ADSP_DISCARD header No valid author signature, domain signs all mail and suggests discarding the rest 0.000
DKIM_ADSP_NXDOMAIN header No valid author signature and domain not in DNS 0.000
DKIM_INVALID meta DKIM or DK signature exists, but is not valid 0.100
DKIM_SIGNED full Message has a DKIM or DK signature, not necessarily valid 0.100
DKIM_VALID full Message has at least one valid DKIM or DK signature -0.100
DKIM_VALID_AU full Message has a valid DKIM or DK signature from author’s domain -0.100
DKIM_VALID_EF full Message has a valid DKIM or DK signature from envelope-from domain -0.100
DOS_OE_TO_MX meta Delivered direct to MX with OE headers 2.602
DOS_OE_TO_MX_IMAGE meta Direct to MX with OE headers and an image 2.886
DOS_OUTLOOK_TO_MX meta Delivered direct to MX with Outlook headers 2.636
DOS_RCVD_IP_TWICE_C header Received from the same IP twice in a row (only one external relay; empty or IP helo) 2.599
DOS_STOCK_BAT meta Probable pump and dump stock spam 0.001
DRUGS_ANXIETY meta Refers to an anxiety control drug 0.100
DRUGS_DIET meta Refers to a diet drug 2.660
DRUGS_ERECTILE meta Refers to an erectile drug 1.778
DRUGS_ERECTILE_OBFU meta Obfuscated reference to an erectile drug 1.324
DRUGS_ERECTILE_SHORT_SHORTNER meta Short erectile drugs advert with T_URL_SHORTENER 1.499
DRUGS_MANYKINDS meta Refers to at least four kinds of drugs 2.001
DRUGS_MUSCLE meta Refers to a muscle relaxant 0.001
DRUGS_SMEAR1 body Two or more drugs crammed together into one word 3.300
DRUGS_STOCK_MIMEOLE ??? No description provided 2.699
DRUG_ED_CAPS body Mentions an E.D. drug 2.799
DRUG_ED_ONLINE body Fast Viagra Delivery 0.696
DRUG_ED_SILD body Talks about an E.D. drug using its chemical name 0.001
DX_TEXT_02 body “change your message stat” 1.000
DX_TEXT_03 body “XXX Media Group” 2.109
DYN_RDNS_AND_INLINE_IMAGE meta Contains image, and was sent by dynamic rDNS 1.345
DYN_RDNS_SHORT_HELO_HTML meta Sent by dynamic rDNS, short HELO, and HTML 0.001
DYN_RDNS_SHORT_HELO_IMAGE meta Short HELO string, dynamic rDNS, inline image 1.825
EBAY_IMG_NOT_RCVD_EBAY meta E-bay hosted image but message not from E-bay 0.980
EMPTY_MESSAGE meta Message appears to have no textual parts and no Subject: text 2.195
EM_ROLEX body Message puts emphasis on the watch manufacturer 0.595
ENCRYPTED_MESSAGE meta Message is encrypted, not likely to be spam -1.000
END_FUTURE_EMAILS meta Spammy unsubscribe 2.098
ENGLISH_UCE_SUBJECT header Subject contains an English UCE tag 0.953
ENV_AND_HDR_SPF_MATCH meta Env and Hdr From used in default SPF WL Match -0.500
EXCUSE_24 body Claims you wanted this ad 1.000
EXCUSE_4 body Claims you can be removed from the list 2.399
EXCUSE_REMOVE body Talks about how to be removed from mailings 2.907
FAKE_REPLY_A1 meta No description provided 3.199
FAKE_REPLY_B meta No description provided 1.272
FAKE_REPLY_C meta No description provided 0.688
FBI_MONEY meta The FBI wants to give you lots of money? 1.000
FBI_SPOOF meta Claims to be FBI, but not from FBI domain 1.000
FILL_THIS_FORM meta Fill in a form with personal information 0.001
FILL_THIS_FORM_FRAUD_PHISH ??? No description provided 1.195
FILL_THIS_FORM_LOAN ??? No description provided 2.092
FILL_THIS_FORM_LONG meta Fill in a form with personal information 2.000
FIN_FREE body Freedom of a financial nature 0.100
FORGED_GMAIL_RCVD header ‘From’ gmail.com does not match ‘Received’ headers 1.000
FORGED_HOTMAIL_RCVD2 header hotmail.com ‘From’ address, but no ‘Received:’ 0.001
FORGED_MSGID_EXCITE meta Message-ID is forged, (excite.com) 2.399
FORGED_MSGID_YAHOO meta Message-ID is forged, (yahoo.com) 0.100
FORGED_MUA_EUDORA meta Forged mail pretending to be from Eudora 2.828
FORGED_MUA_IMS meta Forged mail pretending to be from IMS 2.399
FORGED_MUA_MOZILLA meta Forged mail pretending to be from Mozilla 2.399
FORGED_MUA_OIMO meta Forged mail pretending to be from MS Outlook IMO 2.600
FORGED_MUA_OUTLOOK meta Forged mail pretending to be from MS Outlook 3.999
FORGED_MUA_THEBAT_BOUN meta Mail pretending to be from The Bat! (boundary) 3.046
FORGED_OUTLOOK_HTML meta Outlook can’t send HTML message only 0.001
FORGED_OUTLOOK_TAGS meta Outlook can’t send HTML in this format 0.003
FORGED_RELAY_MUA_TO_MX header No description provided 3.799
FORGED_SPF_HELO meta No description provided 0.001
FORGED_TELESP_RCVD header Contains forged hostname for a DSL IP in Brazil 2.499
FORGED_YAHOO_RCVD header ‘From’ yahoo.com does not match ‘Received’ headers 2.397
FORM_FRAUD meta Fill a form and a fraud phrase 0.999
FORM_FRAUD_3 meta Fill a form and several fraud phrases 1.000
FORM_FRAUD_5 meta Fill a form and many fraud phrases 2.999
FORM_LOW_CONTRAST meta Fill in a form with hidden text 1.000
FOUND_YOU meta I found you… 1.000
FREEMAIL_ENVFROM_END_DIGIT header Envelope-from freemail username ends in digit 0.250
FREEMAIL_FORGED_FROMDOMAIN meta 2nd level domains in From and EnvelopeFrom freemail headers are different 0.249
FREEMAIL_FORGED_REPLYTO meta Freemail in Reply-To, but not From 1.199
FREEMAIL_FROM header Sender email is commonly abused enduser mail provider 0.001
FREEMAIL_REPLY meta From and body contain different freemails 1.000
FREEMAIL_REPLYTO meta Reply-To/From or Reply-To/body contain different freemails 1.000
FREEMAIL_REPLYTO_END_DIGIT header Reply-To freemail username ends in digit 0.250
FREEM_FRNUM_UNICD_EMPTY meta Numeric freemail From address, unicode From name and Subject, empty body 1.000
FREE_QUOTE_INSTANT body Free express or no-obligation quote 2.700
FRNAME_IN_MSG_XPRIO_NO_SUB meta From name in message + X-Priority + short or no subject 1.000
FROMSPACE header Idiosyncratic “From” header format 2.601
FROM_2_EMAILS_SHORT meta Short body and From looks like 2 different emails 1.999
FROM_ADDR_WS meta Malformed From address 2.661
FROM_BANK_NOAUTH meta From Bank domain but no SPF or DKIM 0.001
FROM_BLANK_NAME header From: contains empty name 2.099
FROM_DOMAIN_NOVOWEL header From: domain has series of non-vowel letters 0.500
FROM_EXCESS_BASE64 meta From: base64 encoded unnecessarily 0.001
FROM_FMBLA_NDBLOCKED meta ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. 0.001
FROM_FMBLA_NEWDOM meta From domain was registered in last 7 days 0.001
FROM_FMBLA_NEWDOM14 meta From domain was registered in last 7-14 days 0.001
FROM_FMBLA_NEWDOM28 meta From domain was registered in last 14-28 days 0.001
FROM_GOV_DKIM_AU meta From Government address and DKIM signed 0.001
FROM_GOV_REPLYTO_FREEMAIL meta From Government domain but ReplyTo is FREEMAIL 0.001
FROM_GOV_SPOOF meta From Government domain but matches SPOOFED 0.001
FROM_ILLEGAL_CHARS header From: has too many raw illegal characters 2.192
FROM_IN_TO_AND_SUBJ meta From address is in To and Subject 1.000
FROM_LOCAL_DIGITS header From: localpart has long digit sequence 0.001
FROM_LOCAL_HEX header From: localpart has long hexadecimal sequence 0.000
FROM_LOCAL_NOVOWEL header From: localpart has series of non-vowel letters 0.500
FROM_MISSPACED meta From: missing whitespace 0.200
FROM_MISSP_DYNIP meta From misspaced + dynamic rDNS 2.444
FROM_MISSP_EH_MATCH meta From misspaced, matches envelope 1.999
FROM_MISSP_FREEMAIL meta From misspaced + freemail provider 3.299
FROM_MISSP_MSFT meta From misspaced + supposed Microsoft tool 0.713
FROM_MISSP_REPLYTO meta From misspaced, has Reply-To 0.503
FROM_MISSP_SPF_FAIL meta No description provided 0.001
FROM_MISSP_TO_UNDISC meta From misspaced, To undisclosed 0.001
FROM_MISSP_USER meta From misspaced, from “User” 0.622
FROM_MISSP_XPRIO meta Misspaced FROM + X-Priority 0.001
FROM_NEWDOM_BTC meta Newdomain with Bitcoin ID 0.001
FROM_NO_USER header From: has no local-part before @ sign 0.001
FROM_NTLD_LINKBAIT meta From abused NTLD with little more than a URI 1.999
FROM_NTLD_REPLY_FREEMAIL meta From abused NTLD and Reply-To is FREEMAIL 1.999
FROM_NUMBERO_NEWDOMAIN meta Fingerprint and new domain 0.001
FROM_NUMERIC_TLD header From: address has numeric TLD 1.000
FROM_OFFERS header From address is “at something-offers” 1.000
FROM_PAYPAL_SPOOF meta From PayPal domain but matches SPOOFED 0.001
FROM_STARTS_WITH_NUMS header From: starts with several numbers 2.801
FROM_SUSPICIOUS_NTLD meta From abused NTLD 0.500
FROM_SUSPICIOUS_NTLD_FP meta From abused NTLD 1.999
FROM_UNBAL1 header From with unbalanced angle brackets, ‘>’ missing 1.099
FROM_WORDY meta From address looks like a sentence 2.499
FROM_WORDY_SHORT meta From address looks like a sentence + short message 1.000
FROM_WSP_TRAIL header Trailing whitespace before ‘>’ in From header field 1.000
FSL_BULK_SIG meta Bulk signature with no Unsubscribe 0.001
FSL_CTYPE_WIN1251 header Content-Type only seen in 419 spam 1.063
FSL_FAKE_HOTMAIL_RVCD header No description provided 2.631
FSL_HELO_BARE_IP_1 meta No description provided 2.598
FSL_HELO_DEVICE header No description provided 0.100
FSL_HELO_NON_FQDN_1 header No description provided 2.361
FSL_INTERIA_ABUSE uri No description provided 3.899
FSL_NEW_HELO_USER meta Spam’s using Helo and User 1.999
FSL_THIS_IS_ADV body This is an advertisement 2.999
FUZZY_ANDROID body Obfuscated “android” 1.000
FUZZY_BITCOIN body Obfuscated “Bitcoin” 1.000
FUZZY_BROWSER body Obfuscated “browser” 1.000
FUZZY_BTC_WALLET meta Heavily obfuscated “bitcoin wallet” 1.000
FUZZY_CLICK_HERE body Obfuscated “click here” 1.498
FUZZY_CPILL body Attempt to obfuscate words in spam 0.001
FUZZY_CREDIT body Attempt to obfuscate words in spam 1.699
FUZZY_DR_OZ meta Obfuscated Doctor Oz 1.000
FUZZY_IMPORTANT body Obfuscated “important” 1.000
FUZZY_MILLION body Attempt to obfuscate words in spam 0.100
FUZZY_MONERO meta Obfuscated “Monero” 1.000
FUZZY_PHARMACY body Attempt to obfuscate words in spam 2.960
FUZZY_PHENT body Attempt to obfuscate words in spam 2.799
FUZZY_PRICES body Attempt to obfuscate words in spam 1.821
FUZZY_PRIVACY body Obfuscated “privacy” 1.000
FUZZY_PROMOTION body Obfuscated “promotion” 1.000
FUZZY_SAVINGS body Obfuscated “savings” 1.000
FUZZY_SECURITY body Obfuscated “security” 1.000
FUZZY_UNSUBSCRIBE body Obfuscated “unsubscribe” 1.000
FUZZY_VPILL body Attempt to obfuscate words in spam 0.001
FUZZY_WALLET body Obfuscated “Wallet” 1.000
FUZZY_XPILL body Attempt to obfuscate words in spam 0.100
GAPPY_SALES_LEADS_FREEM meta Obfuscated marketing text, freemail or CHN replyto 1.000
GAPPY_SUBJECT meta Subject: contains G.a.p.p.y-T.e.x.t 0.100
GB_BITCOIN_CP meta Localized Bitcoin scam 2.360
GB_BITCOIN_NH meta Localized Bitcoin scam 1.341
GB_FORGED_MUA_POSTFIX meta Forged Postfix mua headers 1.000
GB_FREEMAIL_DISPTO meta Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails 0.499
GB_FREEMAIL_DISPTO_NOTFREEM meta Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail 0.500
GB_GOOGLE_OBFU uri Obfuscate url through Google redirect 0.750
GB_LINKED_IMG_NOT_RCVD_LINK meta Linkedin hosted image but message not from Linkedin 1.000
GMD_PDF_EMPTY_BODY body Attached PDF with empty message body 0.250
GMD_PDF_ENCRYPTED body Attached PDF is encrypted 0.600
GMD_PDF_HORIZ body Contains pdf 100-240 (high) x 450-800 (wide) 0.250
GMD_PDF_SQUARE body Contains pdf 180-360 (high) x 180-360 (wide) 0.500
GMD_PDF_VERT body Contains pdf 450-800 (high) x 100-240 (wide) 0.900
GMD_PRODUCER_EASYPDF body PDF producer was BCL easyPDF 0.250
GMD_PRODUCER_GPL body PDF producer was GPL Ghostscript 0.250
GMD_PRODUCER_POWERPDF body PDF producer was PowerPDF 0.250
GOOGLE_DOCS_PHISH meta Possible phishing via a Google Docs form 1.000
GOOGLE_DOCS_PHISH_MANY meta Phishing via a Google Docs form 1.000
GOOGLE_DRIVE_REPLY_BAD_NTLD meta From Google Drive and Reply-To is from a suspicious TLD 1.000
GOOG_MALWARE_DNLD meta File download via Google – Malware? 1.000
GOOG_REDIR_HTML_ONLY meta Google redirect to obscure spamvertised website + HTML only 1.999
GOOG_REDIR_SHORT meta Google redirect to obscure spamvertised website + short message 1.000
GTUBE body Generic Test for Unsolicited Bulk Email 1000.000
GUARANTEED_100_PERCENT body One hundred percent guaranteed 2.699
HDRS_LCASE meta Odd capitalization of message header 0.099
HDRS_LCASE_IMGONLY meta Odd capitalization of message headers + image-only HTML 0.099
HDRS_MISSP meta Misspaced headers 1.000
HDR_ORDER_FTSDMCXX_DIRECT meta Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX 1.999
HDR_ORDER_FTSDMCXX_NORDNS meta Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS 3.055
HEADER_FROM_DIFFERENT_DOMAINS header From and EnvelopeFrom 2nd level mail domains are different 0.249
HEADER_HOST_IN_BLACKLIST ??? No description provided 100.000
HEADER_HOST_IN_WHITELIST ??? No description provided -100.000
HEADER_SPAM header Bulk email fingerprint (header-based) found 2.499
HELO_DYNAMIC_CHELLO_NL header Relay HELO’d using suspicious hostname (Chello.nl) 2.412
HELO_DYNAMIC_DHCP meta Relay HELO’d using suspicious hostname (DHCP) 2.602
HELO_DYNAMIC_DIALIN header Relay HELO’d using suspicious hostname (T-Dialin) 2.629
HELO_DYNAMIC_HCC meta Relay HELO’d using suspicious hostname (HCC) 4.299
HELO_DYNAMIC_HEXIP header Relay HELO’d using suspicious hostname (Hex IP) 2.321
HELO_DYNAMIC_HOME_NL header Relay HELO’d using suspicious hostname (Home.nl) 2.385
HELO_DYNAMIC_IPADDR meta Relay HELO’d using suspicious hostname (IP addr 1) 2.633
HELO_DYNAMIC_IPADDR2 meta Relay HELO’d using suspicious hostname (IP addr 2) 2.815
HELO_DYNAMIC_SPLIT_IP header Relay HELO’d using suspicious hostname (Split IP) 3.031
HELO_LH_HOME ??? No description provided 0.001
HELO_LOCALHOST header No description provided 2.639
HELO_MISC_IP meta Looking for more Dynamic IP Relays 0.250
HELO_NO_DOMAIN meta Relay reports its domain incorrectly 0.001
HELO_OEM header No description provided 2.899
HELO_STATIC_HOST meta Relay HELO’d using static hostname -0.001
HEXHASH_WORD meta Multiple instances of word + hexadecimal hash 2.598
HIDE_WIN_STATUS rawbody Javascript to hide URLs in browser 0.001
HK_LOTTO meta No description provided 0.999
HK_NAME_DRUGS header From name contains drugs 4.299
HK_NAME_MR_MRS meta No description provided 1.000
HK_RANDOM_ENVFROM header Envelope sender username looks random 2.638
HK_RANDOM_FROM header From username looks random 1.000
HK_RANDOM_REPLYTO header Reply-To username looks random 0.941
HK_RCVD_IP_MULTICAST header No description provided 0.338
HK_SCAM meta No description provided 1.999
HOSTED_IMG_DIRECT_MX meta Image hosted at large ecomm site, message direct-to-mx 2.048
HOSTED_IMG_DQ_UNSUB meta Image hosted at large ecomm site, IP addr unsub link 1.000
HOSTED_IMG_FREEM meta Image hosted at large ecomm site or redirected, freemail from or reply-to 2.288
HOSTED_IMG_MULTI meta Multiple images hosted at different large ecomm sites or redirected 2.559
HTML_CHARSET_FARAWAY meta A foreign language charset used in HTML markup 0.500
HTML_COMMENT_SAVED_URL body HTML message is a saved web page 0.198
HTML_EMBEDS body HTML with embedded plugin object 0.001
HTML_ENTITY_ASCII meta Obfuscated ASCII 1.000
HTML_ENTITY_ASCII_TINY meta Obfuscated ASCII + tiny fonts 1.000
HTML_EXTRA_CLOSE body HTML contains far too many close tags 0.001
HTML_FONT_FACE_BAD body HTML font face is not a word 0.001
HTML_FONT_LOW_CONTRAST body HTML font color similar or identical to background 0.713
HTML_FONT_SIZE_HUGE body HTML font size is huge 0.001
HTML_FONT_SIZE_LARGE body HTML font size is large 0.001
HTML_IMAGE_ONLY_04 body HTML: images with 0-400 bytes of words 1.680
HTML_IMAGE_ONLY_08 body HTML: images with 400-800 bytes of words 0.585
HTML_IMAGE_ONLY_12 body HTML: images with 800-1200 bytes of words 1.381
HTML_IMAGE_ONLY_16 body HTML: images with 1200-1600 bytes of words 1.969
HTML_IMAGE_ONLY_20 body HTML: images with 1600-2000 bytes of words 2.109
HTML_IMAGE_ONLY_24 body HTML: images with 2000-2400 bytes of words 2.799
HTML_IMAGE_ONLY_28 body HTML: images with 2400-2800 bytes of words 2.799
HTML_IMAGE_ONLY_32 body HTML: images with 2800-3200 bytes of words 2.196
HTML_IMAGE_RATIO_02 body HTML has a low ratio of text to image area 0.001
HTML_IMAGE_RATIO_04 body HTML has a low ratio of text to image area 0.001
HTML_IMAGE_RATIO_06 body HTML has a low ratio of text to image area 0.001
HTML_IMAGE_RATIO_08 body HTML has a low ratio of text to image area 0.001
HTML_MESSAGE body HTML included in message 0.001
HTML_MIME_NO_HTML_TAG meta HTML-only message, but there is no HTML tag 0.001
HTML_NONELEMENT_30_40 body 30% to 40% of HTML elements are non-standard 0.000
HTML_OBFUSCATE_05_10 body Message is 5% to 10% HTML obfuscation 0.601
HTML_OBFUSCATE_10_20 body Message is 10% to 20% HTML obfuscation 0.174
HTML_OBFUSCATE_20_30 body Message is 20% to 30% HTML obfuscation 2.499
HTML_OBFUSCATE_90_100 body Message is 90% to 100% HTML obfuscation 2.000
HTML_OFF_PAGE meta HTML element rendered well off the displayed page 2.999
HTML_SHORT_CENTER meta HTML is very short with CENTER tag 3.799
HTML_SHORT_LINK_IMG_1 meta HTML is very short with a linked image 2.215
HTML_SHORT_LINK_IMG_2 meta HTML is very short with a linked image 1.419
HTML_SHORT_LINK_IMG_3 meta HTML is very short with a linked image 0.691
HTML_SHRT_CMNT_OBFU_MANY meta Obfuscation with many short HTML comments 1.000
HTML_SINGLET_MANY meta Many single-letter HTML format blocks 2.499
HTML_TAG_BALANCE_BODY body HTML has unbalanced “body” tags 0.100
HTML_TAG_BALANCE_HEAD body HTML has unbalanced “head” tags 0.520
HTML_TEXT_INVISIBLE_FONT meta HTML hidden text 1.000
HTML_TEXT_INVISIBLE_STYLE meta HTML hidden text + other spam signs 0.001
HTML_TITLE_SUBJ_DIFF meta No description provided 1.149
HTTPS_HTTP_MISMATCH body No description provided 0.100
HTTP_ESCAPED_HOST uri Uses %-escapes inside a URL’s hostname 0.100
HTTP_EXCESSIVE_ESCAPES uri Completely unnecessary %-escapes inside a URL 0.001
IMG_ONLY_FM_DOM_INFO meta HTML image-only message from .info domain 2.197
IMPOTENCE body Impotence cure 1.539
INVALID_DATE header Invalid Date: header (not RFC 2822) 1.701
INVALID_DATE_TZ_ABSURD header Invalid Date: header (timezone does not exist) 0.262
INVALID_MSGID meta Message-Id is not valid, according to RFC 2822 2.602
INVESTMENT_ADVICE body Message mentions investment advice 0.100
IP_LINK_PLUS uri Dotted-decimal IP address followed by CGI 0.001
JOIN_MILLIONS body Join Millions of Americans 0.100
KB_DATE_CONTAINS_TAB meta No description provided 3.800
KB_FAKED_THE_BAT meta No description provided 2.432
KB_FORGED_MOZ4 header Mozilla 4 uses X-Mailer 3.999
KB_RATWARE_MSGID meta No description provided 4.099
KB_RATWARE_OUTLOOK_MID header No description provided 4.400
KHOP_FAKE_EBAY meta Sender falsely claims to be from eBay 0.001
KHOP_HELO_FCRDNS meta Relay HELO differs from its IP’s reverse DNS 0.400
LIST_PARTIAL_SHORT_MSG meta Incomplete mailing list headers + short message 2.499
LIST_PRTL_PUMPDUMP meta Incomplete List-* headers and stock pump-and-dump 1.000
LIST_PRTL_SAME_USER meta Incomplete List-* headers and from+to user the same 0.001
LITECOIN_EXTORT_01 meta Extortion spam, pay via BitCoin 0.001
LIVEFILESTORE uri No description provided 0.100
LOCALPART_IN_SUBJECT header Local part of To: address appears in Subject 0.001
LONGWORDS meta Long string of long words 2.199
LONG_HEX_URI meta Very long purely hexadecimal URI 2.999
LONG_IMG_URI meta Image URI with very long path component – web bug? 0.503
LONG_TERM_PRICE body No description provided 0.001
LOTS_OF_MONEY meta Huge… sums of money 0.001
LOTTERY_1 meta No description provided 0.001
LOTTERY_PH_004470 meta No description provided 0.100
LOW_PRICE body Lowest Price 0.100
LUCRATIVE meta Make lots of money! 1.000
L_SPAM_TOOL_13 header No description provided 0.539
MAILING_LIST_MULTI meta Multiple indicators imply a widely-seen list manager 1.000
MALE_ENHANCE body Message talks about enhancing men 3.100
MALF_HTML_B64 meta Malformatted base64-encoded HTML content 2.206
MALWARE_NORDNS meta Malware bragging + no rDNS 1.015
MALWARE_PASSWORD meta Malware bragging + “password” 2.858
MANY_HDRS_LCASE meta Odd capitalization of multiple message headers 0.099
MANY_SPAN_IN_TEXT meta Many <SPAN> tags embedded within text 1.000
MARKETING_PARTNERS body Claims you registered with a partner 0.553
MAY_BE_FORGED meta Relay IP’s reverse DNS does not resolve to IP 1.499
MICROSOFT_EXECUTABLE body Message includes Microsoft executable program 0.100
MILLION_HUNDRED body Million “One to Nine” Hundred 0.001
MIMEOLE_DIRECT_TO_MX meta MIMEOLE + direct-to-MX 1.999
MIMEPART_LIMIT_EXCEEDED body Message has too many MIME parts 0.001
MIME_BASE64_TEXT rawbody Message text disguised using base64 encoding 0.001
MIME_BOUND_DD_DIGITS header Spam tool pattern in MIME boundary 3.016
MIME_BOUND_DIGITS_15 header Spam tool pattern in MIME boundary 0.100
MIME_CHARSET_FARAWAY meta MIME character set indicates foreign language 2.450
MIME_HEADER_CTYPE_ONLY meta ‘Content-Type’ found without required MIME headers 0.100
MIME_HTML_MOSTLY body Multipart message mostly text/html MIME 0.100
MIME_HTML_ONLY body Message only has text/html MIME parts 0.100
MIME_HTML_ONLY_MULTI meta Multipart message only has text/html MIME parts 0.000
MIME_NO_TEXT meta No (properly identified) text body parts 1.000
MIME_PHP_NO_TEXT meta No text body parts, X-Mailer: PHP 2.800
MIME_QP_LONG_LINE rawbody Quoted-printable line longer than 76 chars 0.001
MIME_SUSPECT_NAME body MIME filename does not match content 0.100
MISSING_DATE meta Missing Date: header 2.739
MISSING_FROM meta Missing From: header 1.000
MISSING_HEADERS header Missing To: header 0.915
MISSING_MID meta Missing Message-Id: header 0.552
MISSING_MIMEOLE meta Message has X-MSMail-Priority, but no X-MimeOLE 0.392
MISSING_MIME_HB_SEP body Missing blank line between MIME header and body 0.001
MISSING_SUBJECT meta Missing Subject: header 0.001
MIXED_ES meta Too many es are not es 2.599
MONERO_EXTORT_01 meta Extortion spam, pay via Monero cryptocurrency 1.000
MONEY_ATM_CARD meta Lots of money on an ATM card 1.122
MONEY_BACK body Money back guarantee 2.910
MONEY_FORM_SHORT meta Lots of money if you fill out a short form 2.500
MONEY_FRAUD_3 meta Lots of money and several fraud phrases 2.799
MONEY_FRAUD_5 meta Lots of money and many fraud phrases 2.189
MONEY_FRAUD_8 meta Lots of money and very many fraud phrases 3.199
MONEY_FROM_41 meta Lots of money from Africa 1.999
MONEY_FROM_MISSP meta Lots of money and misspaced From 1.999
MORE_SEX body Talks about a bigger drive for sex 2.799
MPART_ALT_DIFF body HTML and text parts are different 2.246
MPART_ALT_DIFF_COUNT body HTML and text parts are different 2.799
MSGID_FROM_MTA_HEADER meta Message-Id was added by a relay 0.401
MSGID_MULTIPLE_AT header Message-ID contains multiple ‘@’ characters 1.000
MSGID_OUTLOOK_INVALID header Message-Id is fake (in Outlook Express format) 3.899
MSGID_RANDY meta Message-Id has pattern used in spam 2.196
MSGID_SHORT header Message-ID is unusually short 0.001
MSGID_SPAM_CAPS header Spam tool Message-Id: (caps variant) 2.366
MSGID_YAHOO_CAPS header Message-ID has ALLCAPS@yahoo.com 0.797
MSM_PRIO_REPTO meta MSMail priority header + Reply-to + short subject 1.000
MSOE_MID_WRONG_CASE meta No description provided 0.993
NEWEGG_IMG_NOT_RCVD_NEGG meta Newegg hosted image but message not from Newegg 1.000
NML_ADSP_CUSTOM_HIGH meta ADSP custom_high hit, and not from a mailing list 0.000
NML_ADSP_CUSTOM_LOW meta ADSP custom_low hit, and not from a mailing list 0.000
NML_ADSP_CUSTOM_MED meta ADSP custom_med hit, and not from a mailing list 0.000
NORDNS_LOW_CONTRAST meta No rDNS + hidden text 1.883
NORMAL_HTTP_TO_IP uri URI host has a public dotted-decimal IPv4 address 0.159
NO_DNS_FOR_FROM header Envelope sender has no MX or A DNS records 0.000
NO_FM_NAME_IP_HOSTN meta No From name + hostname using IP address 0.101
NO_HEADERS_MESSAGE meta Message appears to be missing most RFC-822 headers 0.001
NO_MEDICAL body No Medical Exams 2.199
NO_PRESCRIPTION body No prescription needed 1.915
NO_RDNS_DOTCOM_HELO header Host HELO’d as a big ISP, but had no rDNS 3.100
NO_RECEIVED meta Informational: message has no Received headers -0.001
NO_RELAYS header Informational: message was not relayed via SMTP -0.001
NSL_RCVD_FROM_USER header Received from User 2.601
NSL_RCVD_HELO_USER header Received from HELO User 0.167
NULL_IN_BODY full Message has NUL (ASCII 0) byte in message 0.511
NUMBEREND_LINKBAIT meta Domain ends in a large number and very short body with link 0.999
NUMBERONLY_BITCOIN_EXP meta Domain ends in a large number and very short body with link 0.318
NUMERIC_HTTP_ADDR uri Uses a numeric IP address in URL 0.000
OBFUSCATING_COMMENT meta HTML comments which obfuscate text 0.000
OBFU_BITCOIN meta Obfuscated BitCoin references 2.999
OBFU_JVSCR_ESC rawbody Injects content using obfuscated javascript 1.000
OBFU_TEXT_ATTACH mimeheader Text attachment with non-text MIME type 1.000
ONE_TIME body One Time Rip Off 1.840
ONLINE_MKTG_CNSLT body No description provided 2.899
ONLINE_PHARMACY body Online Pharmacy 0.843
OOOBOUNCE_MESSAGE meta Out Of Office bounce message 0.100
PART_CID_STOCK meta Has a spammy image attachment (by Content-ID) 0.001
PART_CID_STOCK_LESS meta Has a spammy image attachment (by Content-ID, more specific) 0.000
PDS_BTC_ID meta FP reduced Bitcoin ID 0.499
PDS_BTC_MSGID meta Bitcoin ID with T_MSGID_NOFQDN2 1.000
PDS_DBL_URL_TNB_RUNON meta Double-url and To no arrows, from runon 1.796
PDS_FRNOM_TODOM_NAKED_TO meta Naked to From name equals to Domain 1.499
PDS_FROM_2_EMAILS meta No description provided 2.401
PDS_FROM_NAME_TO_DOMAIN meta From:name looks like To:domain 1.000
PDS_HELO_SPF_FAIL meta High profile HELO that fails SPF 0.001
PDS_HP_HELO_NORDNS meta High profile HELO with no sender rDNS 0.847
PDS_LTC_AHACKER meta Litecoin Hacker 2.999
PDS_LTC_CP meta Localized Bitcoin scam 2.999
PDS_LTC_HUSH meta LTC, it is between us 1.287
PDS_NAKED_TO_NUMERO meta Naked-to, numberonly domain 1.999
PDS_PHPEXP_BOT meta PHP exploit bot sender 1.500
PDS_PHPE_URISHORTENER meta URI Shortener with PHP eval 1.999
PDS_PHP_EVAL meta PHP header shows eval’d code 1.499
PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE meta Forged replyto and __PDS_TONAME_EQ_TOLOCAL 1.999
PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE meta To: name matches everything in local email – LCASE headers 1.999
PDS_TONAME_EQ_TOLOCAL_SHORT meta Short body with To: name matches everything in local email 1.999
PDS_TONAME_EQ_TOLOCAL_VSHORT meta Very short body and From looks like 2 different emails 1.000
PDS_TO_EQ_FROM_NAME meta From: name same as To: address 0.001
PDS_X_PHP_WP_EXP meta X-PHP-Script shows sent from a WordPress PHP script where you would not expect one 1.499
PERCENT_RANDOM meta Message has a random macro in it 2.999
PHOTO_EDITING_DIRECT meta Image editing service, direct to MX 1.000
PHOTO_EDITING_FREEM meta Image editing service, freemail or CHN replyto 1.000
PHP_NOVER_MUA meta Mail from PHP with no version number 1.000
PHP_ORIG_SCRIPT meta Sent by bot & other signs 2.499
PHP_SCRIPT_MUA meta Sent by PHP script, no version number 1.000
PLING_QUERY meta Subject has exclamation mark and question mark 0.100
PP_MIME_FAKE_ASCII_TEXT body MIME text/plain claims to be ASCII but isn’t 1.000
PP_TOO_MUCH_UNICODE02 body Is text/plain but has many unicode escapes 0.500
PP_TOO_MUCH_UNICODE05 body Is text/plain but has many unicode escapes 1.000
PRICES_ARE_AFFORDABLE body Message says that prices aren’t too expensive 0.794
PUMPDUMP meta Pump-and-dump stock scam phrase 1.000
PUMPDUMP_MULTI meta Pump-and-dump stock scam phrases 1.000
PUMPDUMP_TIP meta Pump-and-dump stock tip 1.000
PYZOR_CHECK full Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/) 0.000
RAND_HEADER_MANY meta Many random gibberish message headers 1.000
RATWARE_EFROM header Bulk email fingerprint (envfrom) found 0.100
RATWARE_EGROUPS header Bulk email fingerprint (eGroups) found 1.898
RATWARE_MPOP_WEBMAIL header Bulk email fingerprint (mPOP Web-Mail) 1.153
RATWARE_MS_HASH meta Bulk email fingerprint (msgid ms hash) found 2.036
RATWARE_NAME_ID meta Bulk email fingerprint (msgid from) found 3.099
RATWARE_NO_RDNS meta Suspicious MsgID and MIME boundary + no rDNS 2.645
RATWARE_OUTLOOK_NONAME meta Bulk email fingerprint (Outlook no name) found 2.964
RATWARE_ZERO_TZ meta Bulk email fingerprint (+0000) found 2.392
RAZOR2_CF_RANGE_51_100 full Razor2 gives confidence level above 50% 0.000
RAZOR2_CHECK full Listed in Razor2 (http://razor.sf.net/) 0.000
RCVD_DBL_DQ header Malformatted message header 1.000
RCVD_DOUBLE_IP_LOOSE meta Received: by and from look like IP addresses 1.150
RCVD_DOUBLE_IP_SPAM meta Bulk email fingerprint (double IP) found 2.411
RCVD_FAKE_HELO_DOTCOM header Received contains a faked HELO hostname 2.799
RCVD_HELO_IP_MISMATCH header Received: HELO and IP do not match, but should 1.680
RCVD_ILLEGAL_IP header Received: contains illegal IP address 1.300
RCVD_IN_BL_SPAMCOP_NET header Received via a relay in bl.spamcop.net 0.000
RCVD_IN_DNSWL_BLOCKED header ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. 0.000
RCVD_IN_DNSWL_HI header Sender listed at https://www.dnswl.org/, high trust 0.000
RCVD_IN_DNSWL_LOW header Sender listed at https://www.dnswl.org/, low trust 0.000
RCVD_IN_DNSWL_MED header Sender listed at https://www.dnswl.org/, medium trust 0.000
RCVD_IN_DNSWL_NONE header Sender listed at https://www.dnswl.org/, no trust 0.000
RCVD_IN_IADB_DK header IADB: Sender publishes Domain Keys record 0.000
RCVD_IN_IADB_DOPTIN header IADB: All mailing list mail is confirmed opt-in 0.000
RCVD_IN_IADB_DOPTIN_LT50 header IADB: Confirmed opt-in used less than 50% of the time 0.000
RCVD_IN_IADB_LISTED header Participates in the IADB system 0.000
RCVD_IN_IADB_MI_CPR_MAT header IADB: Sends no material under Michigan’s CPR 0.000
RCVD_IN_IADB_ML_DOPTIN header IADB: Mailing list email only, confirmed opt-in 0.000
RCVD_IN_IADB_OPTIN header IADB: All mailing list mail is opt-in 0.000
RCVD_IN_IADB_OPTIN_GT50 header IADB: Opt-in used more than 50% of the time 0.000
RCVD_IN_IADB_RDNS header IADB: Sender has reverse DNS record 0.000
RCVD_IN_IADB_SENDERID header IADB: Sender publishes Sender ID record 0.000
RCVD_IN_IADB_SPF header IADB: Sender publishes SPF record 0.000
RCVD_IN_IADB_UT_CPR_MAT header IADB: Sends no material under Utah’s CPR 0.000
RCVD_IN_IADB_VOUCHED header ISIPP IADB lists as vouched-for sender 0.000
RCVD_IN_MSPIKE_BL meta Mailspike blacklisted 0.010
RCVD_IN_MSPIKE_H2 header Average reputation (+2) 0.001
RCVD_IN_MSPIKE_H3 header Good reputation (+3) -0.010
RCVD_IN_MSPIKE_H4 header Very Good reputation (+4) -0.010
RCVD_IN_MSPIKE_H5 header Excellent reputation (+5) -1.000
RCVD_IN_MSPIKE_L2 header Suspicious reputation (-2) 1.000
RCVD_IN_MSPIKE_L3 header Low reputation (-3) 0.900
RCVD_IN_MSPIKE_L4 header Bad reputation (-4) 1.700
RCVD_IN_MSPIKE_L5 header Very bad reputation (-5) 2.500
RCVD_IN_MSPIKE_WL meta Mailspike good senders -0.010
RCVD_IN_MSPIKE_ZBI meta No description provided 2.700
RCVD_IN_PBL header Received via a relay in Spamhaus PBL 0.000
RCVD_IN_PSBL header Received via a relay in PSBL 0.000
RCVD_IN_RP_CERTIFIED header Sender in ReturnPath Certified – Contact cert-sa@returnpath.net 0.000
RCVD_IN_RP_RNBL header Relay in RNBL, https://senderscore.org/blacklistlookup/ 0.000
RCVD_IN_RP_SAFE header Sender in ReturnPath Safe – Contact safe-sa@returnpath.net 0.000
RCVD_IN_SBL header Received via a relay in Spamhaus SBL 0.000
RCVD_IN_SBL_CSS header Received via a relay in Spamhaus SBL-CSS 0.000
RCVD_IN_SORBS_DUL header SORBS: sent directly from dynamic IP address 0.000
RCVD_IN_SORBS_HTTP header SORBS: sender is open HTTP proxy server 0.000
RCVD_IN_SORBS_SOCKS header SORBS: sender is open SOCKS proxy server 0.000
RCVD_IN_SORBS_WEB header SORBS: sender is an abusable web server 0.000
RCVD_IN_XBL header Received via a relay in Spamhaus XBL 0.000
RCVD_IN_ZEN_BLOCKED header ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ 0.000
RCVD_IN_ZEN_BLOCKED_OPENDNS header ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ 0.000
RCVD_NUMERIC_HELO ??? No description provided 0.001
RDNS_DYNAMIC meta Delivered to internal network by host with dynamic-looking rDNS 2.639
RDNS_LOCALHOST header Sender’s public rDNS is “localhost” 3.700
RDNS_NONE meta Delivered to internal network by a host with no rDNS 2.399
RDNS_NUM_TLD_ATCHNX meta Relay rDNS has numeric TLD + suspicious attachment 2.640
RDNS_NUM_TLD_XM meta Relay rDNS has numeric TLD + suspicious headers 3.000
REMOVE_BEFORE_LINK body Removal phrase right before a link 0.100
REPLICA_WATCH body Message talks about a replica watch 3.487
REPLYTO_WITHOUT_TO_CC meta No description provided 2.399
REPTO_QUOTE_YAHOO meta Yahoo! doesn’t do quoting like this 0.001
RP_MATCHES_RCVD ??? No description provided -0.001
SB_GIF_AND_NO_URIS meta No description provided 2.199
SEO_SUSP_NTLD meta SEO offer from suspicious TLD 1.000
SERGIO_SUBJECT_PORN014 header F*** garbled subject 3.099
SERGIO_SUBJECT_VIAGRA01 header Viagra garbled subject 2.823
SHOPIFY_IMG_NOT_RCVD_SFY meta Shopify hosted image but message not from Shopify 2.499
SHORTENER_SHORT_IMG meta Short HTML + image + URL shortener 0.133
SHORT_HELO_AND_INLINE_IMAGE meta Short HELO string, with inline image 0.100
SHORT_IMG_SUSP_NTLD meta Short HTML + image + suspicious TLD 1.000
SHORT_SHORTNER meta Short body with little more than a link to a shortener 1.999
SHORT_TERM_PRICE body No description provided 0.001
SINGLETS_LOW_CONTRAST meta Single-letter formatted HTML + hidden text 1.377
SORTED_RECIPS header Recipient list is sorted by address 1.801
SPAMMY_XMAILER meta X-Mailer string is common in spam and not in ham 2.650
SPF_FAIL header SPF: sender does not match SPF record (fail) 0.000
SPF_HELO_FAIL header SPF: HELO does not match SPF record (fail) 0.000
SPF_HELO_NEUTRAL header SPF: HELO does not match SPF record (neutral) 0.000
SPF_HELO_NONE header SPF: HELO does not publish an SPF Record 0.001
SPF_HELO_PASS header SPF: HELO matches SPF record -0.001
SPF_HELO_SOFTFAIL header SPF: HELO does not match SPF record (softfail) 0.000
SPF_NEUTRAL header SPF: sender does not match SPF record (neutral) 0.000
SPF_NONE header SPF: sender does not publish an SPF Record 0.001
SPF_PASS header SPF: sender matches SPF record -0.001
SPF_SOFTFAIL header SPF: sender does not match SPF record (softfail) 0.000
SPOOFED_FREEMAIL meta No description provided 0.001
SPOOFED_FREEMAIL_NO_RDNS meta From SPOOFED_FREEMAIL and no rDNS 1.500
SPOOFED_FREEM_REPTO meta Forged freemail sender with freemail reply-to 0.001
SPOOFED_FREEM_REPTO_CHN meta Forged freemail sender with Chinese freemail reply-to 0.001
SPOOFED_FREEM_REPTO_RUS meta Forged freemail sender with Russian freemail reply-to 0.001
SPOOF_COM2COM uri URI contains “.com” in middle and end 0.001
SPOOF_COM2OTH uri URI contains “.com” in middle 0.001
STATIC_XPRIO_OLE meta Static RDNS + X-Priority + MIMEOLE 1.999
STOCK_IMG_CTYPE meta Stock spam image part, with distinctive Content-Type header 0.001
STOCK_IMG_HDR_FROM meta Stock spam image part, with distinctive From line 0.001
STOCK_IMG_HTML meta Stock spam image part, with distinctive HTML 0.000
STOCK_IMG_OUTLOOK meta Stock spam image part, with Outlook-like features 0.001
STOCK_LOW_CONTRAST meta Stocks + hidden text 1.392
STOCK_TIP meta Stock tips 1.000
STOX_REPLY_TYPE header No description provided 1.898
STOX_REPLY_TYPE_WITHOUT_QUOTES meta No description provided 3.099
STYLE_GIBBERISH ??? No description provided 0.100
SUBJECT_DIET header Subject talks about losing pounds 1.927
SUBJECT_DRUG_GAP_C header Subject contains a gappy version of ‘cialis’ 2.108
SUBJECT_DRUG_GAP_L header Subject contains a gappy version of ‘levitra’ 2.799
SUBJECT_FUZZY_CHEAP header Attempt to obfuscate words in Subject: 0.641
SUBJECT_IN_BLACKLIST header Subject: contains string in the user’s black-list 100.000
SUBJECT_IN_WHITELIST header Subject: contains string in the user’s white-list -100.000
SUBJECT_NEEDS_ENCODING meta Subject is encoded but does not specify the encoding 0.498
SUBJ_ALL_CAPS header Subject is all capitals 0.500
SUBJ_AS_SEEN header Subject contains “As Seen” 2.711
SUBJ_BRKN_WORDNUMS meta Subject contains odd word breaks and numbers 1.000
SUBJ_BUY header Subject line starts with Buy or Buying 0.594
SUBJ_DOLLARS header Subject starts with dollar amount 0.100
SUBJ_ILLEGAL_CHARS meta Subject: has too many raw illegal characters 0.620
SUBJ_OBFU_PUNCT_FEW meta Possible punctuation-obfuscated Subject: header 0.749
SUBJ_OBFU_PUNCT_MANY meta Punctuation-obfuscated Subject: header 1.749
SUBJ_UNNEEDED_HTML meta Unneeded HTML formatting in Subject: 1.000
SUBJ_YOUR_FAMILY header Subject contains “Your Family” 2.910
SURBL_BLOCKED body ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. 1.000
SUSPICIOUS_RECIPS header Similar addresses in recipient list 2.499
SUSPNTLD_EXPIRATION_EXTORT meta Susp NTLD with an expiration notice and lotsa money 2.000
SYSADMIN meta Supposedly from your IT department 1.000
TBIRD_SUSP_MIME_BDRY meta Unlikely Thunderbird MIME boundary 2.400
TEQF_USR_IMAGE meta To and from user nearly same + image 1.000
TEQF_USR_MSGID_HEX meta To and from user nearly same + unusual message ID 1.000
TEQF_USR_MSGID_MALF meta To and from user nearly same + malformed message ID 1.000
THEBAT_UNREG header No description provided 2.599
THIS_AD meta “This ad” and variants 1.940
THIS_IS_ADV_SUSP_NTLD meta This is an advertisement from a suspicious TLD 1.000
TONOM_EQ_TOLOC_SHRT_PSHRTNER meta Short subject with potential shortener and To:name eq To:local 1.499
TONOM_EQ_TOLOC_SHRT_SHRTNER meta Short email with shortener and To:name eq To:local 1.499
TO_EQ_FM_DIRECT_MX meta To == From and direct-to-MX 1.588
TO_EQ_FM_DOM_HTML_IMG meta To domain == From domain and HTML image link 0.001
TO_EQ_FM_DOM_HTML_ONLY meta To domain == From domain and HTML only 0.001
TO_EQ_FM_DOM_SPF_FAIL meta To domain == From domain and external SPF failed 0.001
TO_EQ_FM_HTML_ONLY meta To == From and HTML only 0.001
TO_EQ_FM_SPF_FAIL meta To == From and external SPF failed 0.001
TO_IN_SUBJ meta To address is in Subject 0.100
TO_MALFORMED header To: has a malformed address 0.100
TO_NAME_SUBJ_NO_RDNS meta Recipient username in subject + no rDNS 2.602
TO_NO_BRKTS_DYNIP meta To: lacks brackets and dynamic rDNS 1.961
TO_NO_BRKTS_FROM_MSSP meta Multiple header formatting problems 2.499
TO_NO_BRKTS_HTML_IMG meta To: lacks brackets and HTML and one image 1.999
TO_NO_BRKTS_HTML_ONLY meta To: lacks brackets and HTML only 1.999
TO_NO_BRKTS_MSFT meta To: lacks brackets and supposed Microsoft tool 2.499
TO_NO_BRKTS_NORDNS_HTML meta To: lacks brackets and no rDNS and HTML only 1.496
TO_NO_BRKTS_PCNT meta To: lacks brackets + percentage 2.499
TRACKER_ID body Incorporates a tracking ID number 0.100
TT_MSGID_TRUNC header Scora: Message-Id ends after left-bracket + digits 0.748
TVD_APPROVED body Body states that the recipient has been approved 1.000
TVD_FINGER_02 header No description provided 0.001
TVD_FW_GRAPHIC_NAME_LONG mimeheader Long image attachment name 0.001
TVD_FW_GRAPHIC_NAME_MID mimeheader Medium sized image attachment name 0.600
TVD_INCREASE_SIZE body Advertising for penis enlargement 1.529
TVD_IP_OCT uri No description provided 2.348
TVD_PH_BODY_ACCOUNTS_PRE meta The body matches phrases such as “accounts suspended”, “account credited”, “account verification” 0.001
TVD_PH_REC body Message includes a phrase commonly used in phishing mails 0.100
TVD_PH_SEC body Message includes a phrase commonly used in phishing mails 0.100
TVD_QUAL_MEDS body The body matches phrases such as “quality meds” or “quality medication” 2.697
TVD_RCVD_IP header Message was received from an IP address 0.001
TVD_RCVD_IP4 header Message was received from an IPv4 address 0.001
TVD_RCVD_SPACE_BRACKET header No description provided 0.001
TVD_SPACE_ENCODED meta Space ratio & encoded subject 1.500
TVD_SPACE_RATIO meta No description provided 0.001
TVD_SPACE_RATIO_MINFP meta Space ratio 1.500
TVD_SUBJ_ACC_NUM header Subject has spammy looking monetary reference 0.100
TVD_SUBJ_WIPE_DEBT header Spam advertising a way to eliminate debt 2.599
TVD_VISIT_PHARMA body Body mentions online pharmacy 1.957
TW_GIBBERISH_MANY meta Lots of gibberish text to spoof pattern matching filters 1.000
TXREP header Score normalizing based on sender’s reputation 1.000
T_ACH_CANCELLED_EXE meta “ACH cancelled” probable malware 0.100
T_ANY_PILL_PRICE meta Prices for pills 0.100
T_CDISP_SZ_MANY mimeheader Suspicious MIME header 0.100
T_DATE_IN_FUTURE_Q_PLUS header Date: is over 4 months after Received: date 0.100
T_DOC_ATTACH_NO_EXT meta Document attachment with suspicious name 0.100
T_DOS_OUTLOOK_TO_MX_IMAGE meta Direct to MX with Outlook headers and an image 0.100
T_DOS_ZIP_HARDCORE mimeheader hardcore.zip file attached; quite certainly a virus 0.100
T_EMRCP body “Excess Maximum Return Capital Profit” scam 0.100
T_FILL_THIS_FORM_FRAUD_PHISH meta Answer suspicious question(s) 0.100
T_FILL_THIS_FORM_LOAN meta Answer loan question(s) 0.100
T_FILL_THIS_FORM_SHORT meta Fill in a short form with personal information 0.100
T_FORGED_TBIRD_IMG_SIZE meta Likely forged Thunderbird image spam 0.100
T_FREEMAIL_DOC_PDF meta MS document or PDF attachment, from freemail 0.100
T_FREEMAIL_DOC_PDF_BCC meta MS document or PDF attachment, from freemail, all recipients hidden 0.100
T_FREEMAIL_RVW_ATTCH meta Please review attached document, from freemail 0.100
T_FROMNAME_EQUALS_TO meta From:name matches To: 0.100
T_FROMNAME_SPOOFED_EMAIL meta From:name looks like a spoofed email 0.100
T_FUZZY_OPTOUT body Obfuscated opt-out text 0.100
T_GB_FREEM_FROM_NOT_REPLY meta From: and Reply-To: have different freemail domains 0.100
T_GB_FROMNAME_SPOOFED_EMAIL_IP meta From:name looks like a spoofed email from a spoofed ip 0.100
T_HTML_ATTACH meta HTML attachment to bypass scanning? 0.100
T_HTML_TAG_BALANCE_CENTER meta Malformatted HTML 0.100
T_ISO_ATTACH meta ISO attachment – possible malware delivery 0.100
T_KAM_HTML_FONT_INVALID body Test for Invalidly Named or Formatted Colors in HTML 0.100
T_LARGE_PCT_AFTER_MANY meta Many large percentages after… 0.100
T_LOTTO_AGENT meta Claims Agent 0.100
T_LOTTO_AGENT_FM header Claims Agent 0.100
T_LOTTO_AGENT_RPLY meta Claims Agent 0.100
T_LOTTO_URI uri Claims Department URL 0.100
T_MALW_ATTACH meta Attachment filename suspicious, probable malware exploit 0.100
T_MANY_PILL_PRICE meta Prices for many pills 0.100
T_MIME_MALF meta Malformed MIME: headers in body 0.100
T_MONEY_PERCENT meta X% of a lot of money for you 0.100
T_OBFU_ATTACH_MISSP meta Obfuscated attachment type and misspaced From 0.100
T_OBFU_DOC_ATTACH mimeheader MS Document attachment with generic MIME type 0.100
T_OBFU_GIF_ATTACH mimeheader GIF attachment with generic MIME type 0.100
T_OBFU_HTML_ATTACH mimeheader HTML attachment with non-text MIME type 0.100
T_OBFU_HTML_ATT_MALW meta HTML attachment with incorrect MIME type – possible malware 0.100
T_OBFU_JPG_ATTACH mimeheader JPG attachment with generic MIME type 0.100
T_OBFU_PDF_ATTACH mimeheader PDF attachment with generic MIME type 0.100
T_OFFER_ONLY_AMERICA meta Offer only available to US 0.100
T_PDS_BTC_AHACKER meta Bitcoin Hacker 0.100
T_PDS_BTC_HACKER meta Bitcoin Hacker 0.100
T_PDS_BTC_NTLD meta Bitcoin suspect NTLD 0.100
T_PDS_LTC_HACKER meta Litecoin Hacker 0.100
T_REMOTE_IMAGE meta Message contains an external image 0.100
T_SENT_TO_EMAIL_ADDR meta Email was sent to email address 0.100
T_SHARE_50_50 meta Share the money 50/50 0.100
T_SPF_HELO_PERMERROR header SPF: test of HELO record failed (permerror) 0.100
T_SPF_HELO_TEMPERROR header SPF: test of HELO record failed (temperror) 0.100
T_SPF_PERMERROR header SPF: test of record failed (permerror) 0.100
T_SPF_TEMPERROR header SPF: test of record failed (temperror) 0.100
T_WON_MONEY_ATTACH meta You won lots of money! See attachment. 0.100
T_WON_NBDY_ATTACH meta You won lots of money! See attachment. 0.100
T_ZW_OBFU_BITCOIN meta Obfuscated text + bitcoin ID – possible extortion 0.100
T_ZW_OBFU_FREEM meta Obfuscated text + freemail 0.100
T_ZW_OBFU_FROMTOSUBJ meta Obfuscated text + from in to and subject 0.100
UC_GIBBERISH_OBFU meta Multiple instances of “word VERYLONGGIBBERISH word” 1.000
UNCLAIMED_MONEY body People just leave money laying around 2.699
UNCLOSED_BRACKET header Headers contain an unclosed bracket 2.699
UNICODE_OBFU_ASC meta Obfuscating text with unicode 2.500
UNICODE_OBFU_ZW meta Obfuscating text with hidden characters 1.000
UNPARSEABLE_RELAY meta Informational: message has unparseable relay lines 0.001
UNRESOLVED_TEMPLATE header Headers contain an unresolved template 3.035
UNWANTED_LANGUAGE_BODY body Message written in an undesired language 2.800
UPGRADE_MAILBOX meta Upgrade your mailbox! (phishing?) 1.272
UPPERCASE_50_75 meta message body is 50-75% uppercase 0.001
UPPERCASE_75_100 meta message body is 75-100% uppercase 1.480
URG_BIZ body Contains urgent matter 1.750
URIBL_ABUSE_SURBL body Contains an URL listed in the ABUSE SURBL blocklist 0.000
URIBL_CR_SURBL body Contains an URL listed in the CR SURBL blocklist 0.000
URIBL_CSS body Contains an URL’s NS IP listed in the Spamhaus CSS blocklist 0.000
URIBL_CSS_A body Contains URL’s A record listed in the Spamhaus CSS blocklist 0.000
URIBL_DBL_ABUSE_BOTCC body Contains an abused botnet C&C URL listed in the Spamhaus DBL blocklist 0.000
URIBL_DBL_ABUSE_MALW body Contains an abused malware URL listed in the Spamhaus DBL blocklist 0.000
URIBL_DBL_ABUSE_PHISH body Contains an abused phishing URL listed in the Spamhaus DBL blocklist 0.000
URIBL_DBL_ABUSE_REDIR body Contains an abused redirector URL listed in the Spamhaus DBL blocklist 0.000
URIBL_DBL_ABUSE_SPAM body Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist 0.000
URIBL_DBL_BLOCKED body ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ 0.000
URIBL_DBL_BLOCKED_OPENDNS body ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ 0.000
URIBL_DBL_BOTNETCC body Contains a botnet C&C URL listed in the Spamhaus DBL blocklist 0.000
URIBL_DBL_ERROR body Error: queried the Spamhaus DBL blocklist for an IP 0.000
URIBL_DBL_MALWARE body Contains a malware URL listed in the Spamhaus DBL blocklist 0.000
URIBL_DBL_PHISH body Contains a Phishing URL listed in the Spamhaus DBL blocklist 0.000
URIBL_DBL_SPAM body Contains a spam URL listed in the Spamhaus DBL blocklist 0.000
URIBL_MW_SURBL body Contains a URL listed in the MW SURBL blocklist 0.000
URIBL_PH_SURBL body Contains an URL listed in the PH SURBL blocklist 0.000
URIBL_RHS_DOB body Contains an URI of a new domain (Day Old Bread) 0.000
URIBL_SBL body Contains an URL’s NS IP listed in the Spamhaus SBL blocklist 0.000
URIBL_SBL_A body Contains URL’s A record listed in the Spamhaus SBL blocklist 0.000
URIBL_WS_SURBL body Contains an URL listed in the WS SURBL blocklist 0.000
URIBL_ZEN_BLOCKED body ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ 0.000
URIBL_ZEN_BLOCKED_OPENDNS body ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ 0.000
URI_DATA meta “data:” URI – possible malware or phish 1.000
URI_DQ_UNSUB meta IP-address unsubscribe URI 1.000
URI_GOOGLE_PROXY meta Accessing a blacklisted URI or obscuring source of phish via Google proxy? 2.399
URI_HEX uri URI hostname has long hexadecimal sequence 0.100
URI_HEX_IP meta URI with hex-encoded IP-address host 1.000
URI_HOST_IN_BLACKLIST body Host or Domain is listed in the user’s URI black-list 100.000
URI_HOST_IN_WHITELIST body Host or Domain is listed in the user’s URI white-list -100.000
URI_IMG_WP_REDIR meta Image via WordPress “accelerator” proxy 1.000
URI_NOVOWEL uri URI hostname has long non-vowel sequence 0.500
URI_NO_WWW_BIZ_CGI uri CGI in .biz TLD other than third-level “www” 1.000
URI_NO_WWW_INFO_CGI uri CGI in .info TLD other than third-level “www” 1.000
URI_ONLY_MSGID_MALF meta URI only + malformed message ID 1.803
URI_OPTOUT_3LD uri Opt-out URI, suspicious hostname 1.000
URI_OPTOUT_USME uri Opt-out URI, unusual TLD 1.000
URI_PHISH meta Phishing using web form 2.252
URI_PHP_REDIR meta PHP redirect to different URL (link obfuscation) 3.499
URI_TRUNCATED body Message contained a URI which was truncated 0.001
URI_TRY_3LD uri “Try it” URI, suspicious hostname 1.791
URI_TRY_USME meta “Try it” URI, unusual TLD 1.000
URI_WPADMIN meta WordPress login/admin URI, possible phishing 1.000
URI_WP_DIRINDEX meta URI for compromised WordPress site, possible malware 1.538
URI_WP_HACKED meta URI for compromised WordPress site, possible malware 3.499
URI_WP_HACKED_2 meta URI for compromised WordPress site, possible malware 2.499
USB_DRIVES meta Trying to sell custom USB flash drives 1.000
USER_IN_ALL_SPAM_TO header User is listed in ‘all_spam_to’ -100.000
USER_IN_BLACKLIST header From: address is in the user’s black-list 100.000
USER_IN_BLACKLIST_TO header User is listed in ‘blacklist_to’ 10.000
USER_IN_DEF_DKIM_WL header From: address is in the default DKIM white-list -7.500
USER_IN_DEF_SPF_WL header From: address is in the default SPF white-list -7.500
USER_IN_DEF_WHITELIST header From: address is in the default white-list -15.000
USER_IN_DKIM_WHITELIST header From: address is in the user’s DKIM whitelist -100.000
USER_IN_MORE_SPAM_TO header User is listed in ‘more_spam_to’ -20.000
USER_IN_SPF_WHITELIST header From: address is in the user’s SPF whitelist -100.000
USER_IN_WHITELIST header From: address is in the user’s white-list -100.000
USER_IN_WHITELIST_TO header User is listed in ‘whitelist_to’ -6.000
VBOUNCE_MESSAGE meta Virus-scanner bounce message 0.100
VPS_NO_NTLD meta vps[0-9] domain at a suspicious TLD 1.000
WALMART_IMG_NOT_RCVD_WAL meta Walmart hosted image but message not from Walmart 1.000
WEIRD_PORT uri Uses non-standard port number for HTTP 0.001
WEIRD_QUOTING body Weird repeated double-quotation marks 0.001
XM_PHPMAILER_FORGED meta Apparently forged header 1.000
XPRIO meta Has X-Priority header 2.250
XPRIO_SHORT_SUBJ meta Has X-Priority header + short subject 2.500
XPRIO_URL_SHORTNER meta X-Priority header and short URL 0.340
X_IP header Message has X-IP header 0.001
X_MAILER_CME_6543_MSN header No description provided 2.886
YOU_INHERIT meta Discussing your inheritance 0.001
__DC_GIF_MULTI_LARGO meta Message has 2+ inline gif covering lots of area 1.000
__DC_IMG_HTML_RATIO rawbody Low rawbody to pixel area ratio 1.000
__DC_IMG_TEXT_RATIO body Low body to pixel area ratio 1.000
__DC_PNG_MULTI_LARGO meta Message has 2+ png images covering lots of area 1.000
__DKIM_DEPENDABLE full A validation failure not attributable to truncation 1.000
__FORGED_TBIRD_IMG meta Possibly forged Thunderbird image spam 1.000
__FROM_41_FREEMAIL meta Sent from Africa + freemail provider 1.000
__GB_BITCOIN_CP_DE meta German Bitcoin scam 1.000
__GB_BITCOIN_CP_EN meta English Bitcoin scam 1.000
__GB_BITCOIN_CP_ES meta Spanish Bitcoin scam 1.000
__GB_BITCOIN_CP_FR meta French Bitcoin scam 1.000
__GB_BITCOIN_CP_IT meta Italian Bitcoin scam 1.000
__GB_BITCOIN_CP_NL meta Dutch Bitcoin scam 1.000
__GB_BITCOIN_CP_SE meta Swedish Bitcoin scam 1.000
__HAS_HREF rawbody Has an anchor tag with a href attribute in non-quoted line 1.000
__HAS_HREF_ONECASE rawbody Has an anchor tag with a href attribute in non-quoted line with consistent case 1.000
__HAS_IMG_SRC rawbody Has an img tag on a non-quoted line 1.000
__HAS_IMG_SRC_ONECASE rawbody Has an img tag on a non-quoted line with consistent case 1.000
__KAM_BODY_LENGTH_LT_1024 body The length of the body of the email is less than 1024 bytes. 1.000
__KAM_BODY_LENGTH_LT_128 body The length of the body of the email is less than 128 bytes. 1.000
__KAM_BODY_LENGTH_LT_256 body The length of the body of the email is less than 256 bytes. 1.000
__KAM_BODY_LENGTH_LT_512 body The length of the body of the email is less than 512 bytes. 1.000
__MIME_BASE64 rawbody Includes a base64 attachment 1.000
__MIME_QP rawbody Includes a quoted-printable attachment 1.000
__ML_TURNS_SP_TO_TAB header A mailing list changing a space to a TAB 1.000
__NSL_ORIG_FROM_41 header Originates from 41.0.0.0/8 1.000
__NSL_RCVD_FROM_41 header Received from 41.0.0.0/8 1.000
__RCVD_IN_MSPIKE_Z header Spam wave participant 1.000
__RCVD_IN_SORBS header SORBS: sender is listed in SORBS 1.000
__RCVD_IN_ZEN header Received via a relay in Spamhaus Zen 1.000
__RDNS_DYNAMIC_ADELPHIA header Relay HELO’d using suspicious hostname (Adelphia) 1.000
__RDNS_DYNAMIC_ATTBI header Relay HELO’d using suspicious hostname (ATTBI.com) 1.000
__RDNS_DYNAMIC_CHELLO_NL header Relay HELO’d using suspicious hostname (Chello.nl) 1.000
__RDNS_DYNAMIC_CHELLO_NO header Relay HELO’d using suspicious hostname (Chello.no) 1.000
__RDNS_DYNAMIC_COMCAST header Relay HELO’d using suspicious hostname (Comcast) 1.000
__RDNS_DYNAMIC_DHCP header Relay HELO’d using suspicious hostname (DHCP) 1.000
__RDNS_DYNAMIC_DIALIN header Relay HELO’d using suspicious hostname (T-Dialin) 1.000
__RDNS_DYNAMIC_HCC header Relay HELO’d using suspicious hostname (HCC) 1.000
__RDNS_DYNAMIC_HEXIP header Relay HELO’d using suspicious hostname (Hex IP) 1.000
__RDNS_DYNAMIC_IPADDR header Relay HELO’d using suspicious hostname (IP addr 1) 1.000
__RDNS_DYNAMIC_NTL header Relay HELO’d using suspicious hostname (NTL) 1.000
__RDNS_DYNAMIC_OOL header Relay HELO’d using suspicious hostname (OptOnline) 1.000
__RDNS_DYNAMIC_ROGERS header Relay HELO’d using suspicious hostname (Rogers) 1.000
__RDNS_DYNAMIC_RR2 header Relay HELO’d using suspicious hostname (RR 2) 1.000
__RDNS_DYNAMIC_SPLIT_IP header Relay HELO’d using suspicious hostname (Split IP) 1.000
__RDNS_DYNAMIC_TELIA header Relay HELO’d using suspicious hostname (Telia) 1.000
__RDNS_DYNAMIC_VELOX header Relay HELO’d using suspicious hostname (Veloxzone) 1.000
__RDNS_DYNAMIC_VTR header Relay HELO’d using suspicious hostname (VTR) 1.000
__RDNS_DYNAMIC_YAHOOBB header Relay HELO’d using suspicious hostname (YahooBB) 1.000
__TO_EQ_FROM meta To: same as From: 1.000
__TO_EQ_FROM_DOM meta To: domain same as From: domain 1.000
__TO_EQ_FROM_USR meta To: username same as From: username 1.000
__TO_EQ_FROM_USR_NN meta To: username same as From: username sans trailing nums 1.000
__VIA_ML meta Mail from a mailing list 1.000
__VIA_RESIGNER meta Mail through a popular signing remailer 1.000

 

whitelist_from : Specify trusted mail addresses here. Mail from very important business partners, or from the same server, does not need to be scored.
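The following is an added example, not part of the original post or of SpamAssassin itself. It models how scores from the listing above add up against required_score and what a whitelist_from match does to the total. The function names are hypothetical, the -100 whitelist score is assumed to be the SpamAssassin 3.x default for USER_IN_WHITELIST, and the globs are taken from the local.cf earlier on this page.

```python
from fnmatch import fnmatchcase

# Rows copied from the listing above: name, rule type, description, score.
LISTING = """\
XPRIO_URL_SHORTNER meta X-Priority header and short URL 0.340
X_MAILER_CME_6543_MSN header No description provided 2.886
YOU_INHERIT meta Discussing your inheritance 0.001
__RCVD_IN_ZEN header Received via a relay in Spamhaus Zen 1.000
__TO_EQ_FROM meta To: same as From: 1.000
"""
# Globs from the whitelist_from line in this page's local.cf. The second entry
# has no space between its two addresses, so it is read as a single pattern.
WHITELIST = ["*@xinet.kr", "*@nate.com*@naver.com"]
USER_IN_WHITELIST = -100.0  # assumed: SpamAssassin 3.x default for a whitelist hit


def parse_listing(text):
    """Return {name: (rule_type, description, score)} for each listing row."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # too short to be a rule row
        try:
            score = float(parts[-1])
        except ValueError:
            continue  # last column is not a score
        rules[parts[0]] = (parts[1], " ".join(parts[2:-1]), score)
    return rules


def total_score(hits, rules, sender=None, whitelist=WHITELIST):
    """Sum the scores of the rules that hit, the way the final score is built."""
    # Names starting with "__" are sub-rules: they only feed meta rules and
    # are ignored for scoring, whatever score the listing shows for them.
    total = sum(rules[name][2] for name in hits if not name.startswith("__"))
    if sender and any(fnmatchcase(sender.lower(), g.lower()) for g in whitelist):
        total += USER_IN_WHITELIST
    return round(total, 3)


def is_spam(score, required_score=10):
    """required_score 10 is the value set in this page's local.cf."""
    return score >= required_score
```

With all five sample rules hitting, the total is 3.227; counting the `__` rows too would give 5.227 and cross a required_score of 5. A sender at nate.com gets no whitelist credit from the merged pattern, while a sender at xinet.kr drops to -96.773.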

The following SPF settings mean that SPF results are trusted and that points are subtracted from the score on that basis.