Reference: https://wiki.apache.org/spamassassin/WritingRules
body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 0.1
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule
Perl regex syntax reference: https://www.tutorialspoint.com/perl/perl_regular_expressions.htm
Original documentation: http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
When blocking spam with SpamAssassin, every message is given a score, and whether it is spam is decided by comparing that score with a threshold.
The threshold is set in local.cf.
To run SpamAssassin over the mail you send yourself, install a spam milter.
Searching for the options below will turn up plenty of information.
Reference: https://www.mailenable.com/forum/viewtopic.php?t=26046
[root@ns1 ~]# vi /etc/mail/spamassassin/local.cf
# SpamAssassin config file for version 3.x
# NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
# See http://www.yrex.com/spam/spamconfig25.php for earlier versions
# Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)
# How many hits before a message is considered spam.
required_score 10
# Change the subject of suspected spam
rewrite_header subject [SPAM]
# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Enable or disable network checks
skip_rbl_checks 1
use_razor2 1
use_dcc 1
use_pyzor 1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - korean
ok_languages all
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales all
whitelist_from *@xinet.kr *@nate.com *@naver.com
blacklist_from *@hosanna.net *@blankrome.com
Used well, whitelist_from and blacklist_from above let you allow or reject mail from specific senders.
Explanation of the options above
report_safe : Whether to hide the original message when it is judged to be spam. If you are worried about any attack that could fire the moment the mail is opened, set it to 1. However, set it to 0.
required_score : The score at or above which a message is suspected to be spam. This is up to the server administrator's judgement; simply using 5 is fine.
use_bayes : Whether to use the trained Bayesian classifier. Naturally, set it to 1.
bayes_auto_learn : Auto-learning. For messages that are definitely spam, the tokens produced by analysis are continuously fed back into training, automatically.
bayes_path : Where the trained token files are stored. By default they are stored per user, but setting this allows central management. The value is a prefix; two files are created with _toks and _seen appended to it.
bayes_file_mode : Permissions for those files. 666 is about right.
skip_rbl_checks : Use RBL check results in scoring. They do a lot of the work.
use_razor2 : Whether to use the shared blacklist system run by Vipul's Razor. I didn't use it; it needs a separate install.
use_dcc : Short for Distributed Checksum Clearinghouse. Its homepage claims it is exceptionally effective at reducing spam. Use it if you think you need it.
use_pyzor : Seems to play a role similar to Razor2. I haven't used it, so I can't say more. Its homepage is here
ok_languages : Set the languages you actually use. For Korea, write ko. If you exchange a lot of mail with English speakers, add en as well.
ok_locales : Same role as above.
score : Lets you force a specific score for a particular rule.
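As an added example (not the page's own code and not SpamAssassin's), the three-line rule at the top of the post and the scoring options above combined into one small Python model: it parses a constructed local.cf fragment and scores a message using required_score, whitelist_from/blacklist_from, local body rules and score overrides. It assumes Python's re accepts the simple Perl patterns used, evaluates only body rules against the From: address and body text, and gives the sender lists the +/-100 weight that SpamAssassin's USER_IN_WHITELIST/USER_IN_BLACKLIST rules carry.

```python
import fnmatch
import re

# Constructed sample local.cf fragment (written for this example, not the page's own file):
# it repeats the demonstration rule from the top of the post, adds a second rule, and
# shows a score override for a stock rule. Comment lines begin with '#'.
SAMPLE_LOCAL_CF = r"""
# Threshold at or above which a message is tagged as spam
required_score 5

# whitelist_from / blacklist_from take shell-style globs on the sender address
whitelist_from *@xinet.kr *@nate.com *@naver.com
blacklist_from *@hosanna.net

# A rule is three lines: the test itself, its score, and a description
body LOCAL_DEMONSTRATION_RULE /test/
score LOCAL_DEMONSTRATION_RULE 0.1
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

body LOCAL_MONEY_RULE /\$\d{3,}/i
score LOCAL_MONEY_RULE 2.5
describe LOCAL_MONEY_RULE Mentions a dollar amount of three or more digits

# 'score' can also override the stock score of a built-in rule
score BAYES_99 4.0
"""

# Stock scores copied from the scoring chart on this page (Bayes off / RBLs off column)
STOCK_SCORES = {"BAYES_99": 6.0, "DATE_IN_FUTURE_03_06": 3.399, "GTUBE": 1000.0}

# Rule areas that appear in the chart; only 'body' rules are evaluated by this toy scorer
RULE_AREAS = {"body", "rawbody", "header", "uri", "full"}

PERL_LITERAL = re.compile(r"^/(.*)/([a-z]*)$")
PERL_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def parse_perl_regex(text):
    """Turn a Perl-style /pattern/flags literal into a compiled Python regex."""
    m = PERL_LITERAL.match(text.strip())
    if not m:
        raise ValueError("not a /pattern/flags literal: %r" % text)
    pattern, flags = m.groups()
    bits = 0
    for ch in flags:
        bits |= PERL_FLAGS[ch]  # an unsupported flag raises KeyError on purpose
    return re.compile(pattern, bits)


def _split2(s):
    """Split 'key rest' on the first run of whitespace; rest may be empty."""
    parts = s.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


class LocalCf:
    """The subset of local.cf this example understands."""

    def __init__(self):
        self.required_score = 5.0  # SpamAssassin's own default
        self.whitelist = []
        self.blacklist = []
        self.rules = {}     # rule name -> (area, compiled regex)
        self.scores = {}    # rule name -> score
        self.describe = {}  # rule name -> description


def parse_local_cf(text):
    cfg = LocalCf()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, rest = _split2(line)
        if key == "required_score":
            cfg.required_score = float(rest)
        elif key == "whitelist_from":
            cfg.whitelist.extend(rest.split())
        elif key == "blacklist_from":
            cfg.blacklist.extend(rest.split())
        elif key in RULE_AREAS:
            name, regex = _split2(rest)
            cfg.rules[name] = (key, parse_perl_regex(regex))
        elif key == "score":
            name, value = _split2(rest)
            cfg.scores[name] = float(value.split()[0])  # SA allows four scores; use the first
        elif key == "describe":
            name, desc = _split2(rest)
            cfg.describe[name] = desc
        # use_bayes, report_safe, ok_languages, ... do not affect scoring here
    return cfg


def _matches_any(addr, globs):
    return any(fnmatch.fnmatchcase(addr.lower(), g.lower()) for g in globs)


def score_message(cfg, from_addr, body, engine_hits=()):
    """Return (total, hits) for a message. engine_hits are names of stock rules that
    other parts of SpamAssassin (Bayes, header checks) reported as firing."""
    hits = {}
    # Sender lists: modelled with the +/-100 that USER_IN_WHITELIST/USER_IN_BLACKLIST carry
    if _matches_any(from_addr, cfg.whitelist):
        hits["USER_IN_WHITELIST"] = -100.0
    if _matches_any(from_addr, cfg.blacklist):
        hits["USER_IN_BLACKLIST"] = 100.0
    # Local body rules; a rule with no 'score' line counts 1.0, as in SpamAssassin
    for name, (area, regex) in cfg.rules.items():
        if area == "body" and regex.search(body):
            hits[name] = cfg.scores.get(name, 1.0)
    # Stock rules: a local 'score' line overrides the stock value
    for name in engine_hits:
        hits[name] = cfg.scores.get(name, STOCK_SCORES.get(name, 1.0))
    return round(sum(hits.values()), 3), hits


def is_spam(cfg, from_addr, body, engine_hits=()):
    """Apply required_score: (is_spam, total, hits)."""
    total, hits = score_message(cfg, from_addr, body, engine_hits)
    return total >= cfg.required_score, total, hits
```

A whitelisted sender still has every rule evaluated; the -100 simply swamps the total, which is why a whitelist entry for a whole provider domain such as *@naver.com lets any spam from that provider through.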
Test & Scoring Chart
https://www.futurequest.net/docs/SA/
Test Name | Area Tested | Description Of Test | Score (Bayes off, RBLs off) |
ACT_NOW_CAPS | body | Talks about ‘acting now’ with capitals | 0.100 |
AC_BR_BONANZA | rawbody | Too many newlines in a row… spammy template | 0.001 |
AC_DIV_BONANZA | rawbody | Too many divs in a row… spammy template | 0.001 |
AC_FROM_MANY_DOTS | meta | Multiple periods in From user name | 3.000 |
AC_HTML_NONSENSE_TAGS | rawbody | Many consecutive multi-letter HTML tags, likely nonsense/spam | 1.000 |
AC_SPAMMY_URI_PATTERNS1 | meta | link combos match highly spammy template | 1.000 |
AC_SPAMMY_URI_PATTERNS10 | meta | link combos match highly spammy template | 1.000 |
AC_SPAMMY_URI_PATTERNS11 | meta | link combos match highly spammy template | 1.000 |
AC_SPAMMY_URI_PATTERNS12 | meta | link combos match highly spammy template | 1.000 |
AC_SPAMMY_URI_PATTERNS2 | meta | link combos match highly spammy template | 1.000 |
AC_SPAMMY_URI_PATTERNS3 | meta | link combos match highly spammy template | 1.000 |
AC_SPAMMY_URI_PATTERNS4 | meta | link combos match highly spammy template | 1.000 |
AC_SPAMMY_URI_PATTERNS8 | meta | link combos match highly spammy template | 1.000 |
AC_SPAMMY_URI_PATTERNS9 | meta | link combos match highly spammy template | 1.000 |
ADMAIL | meta | “admail” and variants | 1.000 |
ADVANCE_FEE_2_NEW_FORM | meta | Advance Fee fraud and a form | 1.000 |
ADVANCE_FEE_2_NEW_MONEY | meta | Advance Fee fraud and lots of money | 1.999 |
ADVANCE_FEE_3_NEW | meta | Appears to be advance fee fraud (Nigerian 419) | 2.600 |
ADVANCE_FEE_3_NEW_FORM | meta | Advance Fee fraud and a form | 1.000 |
ADVANCE_FEE_3_NEW_MONEY | meta | Advance Fee fraud and lots of money | 2.699 |
ADVANCE_FEE_4_NEW | meta | Appears to be advance fee fraud (Nigerian 419) | 2.699 |
ADVANCE_FEE_4_NEW_MONEY | meta | Advance Fee fraud and lots of money | 2.799 |
ADVANCE_FEE_5_NEW_FRM_MNY | meta | Advance Fee fraud form and lots of money | 0.001 |
AD_PREFS | body | Advertising preferences | 0.250 |
ALIBABA_IMG_NOT_RCVD_ALI | meta | Alibaba hosted image but message not from Alibaba | 2.499 |
ALL_TRUSTED | header | Passed through trusted hosts only via SMTP | -1.000 |
AMAZON_IMG_NOT_RCVD_AMZN | meta | Amazon hosted image but message not from Amazon | 2.201 |
ANY_BOUNCE_MESSAGE | meta | Message is some kind of bounce message | 0.100 |
APOSTROPHE_FROM | header | From address contains an apostrophe | 0.148 |
APP_DEVELOPMENT_FREEM | meta | App development pitch, freemail or CHN replyto | 1.000 |
APP_DEVELOPMENT_NORDNS | meta | App development pitch, no rDNS | 1.000 |
AWL | header | Adjusted score from AWL reputation of From: address | 1.000 |
AXB_XMAILER_MIMEOLE_OL_024C2 | meta | Yet another X header trait | 3.899 |
AXB_XMAILER_MIMEOLE_OL_1ECD5 | meta | Yet another X header trait | 0.001 |
BAD_CREDIT | body | Eliminate Bad Credit | 0.100 |
BAD_ENC_HEADER | header | Message has bad MIME encoding in the header | 0.001 |
BANG_GUAR | body | Something is emphatically guaranteed | 1.000 |
BANKING_LAWS | body | Talks about banking laws | 2.399 |
BASE64_LENGTH_78_79 | body | No description provided | 0.100 |
BASE64_LENGTH_79_INF | body | base64 encoded email part uses line length greater than 79 characters | 1.379 |
BAYES_00 | body | Bayes spam probability is 0 to 1% | -3.000 |
BAYES_05 | body | Bayes spam probability is 1 to 5% | -0.500 |
BAYES_20 | body | Bayes spam probability is 5 to 20% | -0.001 |
BAYES_40 | body | Bayes spam probability is 20 to 40% | -0.001 |
BAYES_50 | body | Bayes spam probability is 40 to 60% | 2.000 |
BAYES_60 | body | Bayes spam probability is 60 to 80% | 3.000 |
BAYES_80 | body | Bayes spam probability is 80 to 95% | 4.000 |
BAYES_95 | body | Bayes spam probability is 95 to 99% | 5.000 |
BAYES_99 | body | Bayes spam probability is 99 to 100% | 6.000 |
BAYES_999 | body | Bayes spam probability is 99.9 to 100% | 7.000 |
BILLION_DOLLARS | body | Talks about lots of money | 0.001 |
BITCOIN_BOMB | meta | BitCoin + bomb | 1.000 |
BITCOIN_DEADLINE | meta | BitCoin with a deadline | 2.999 |
BITCOIN_EXTORT_01 | meta | Extortion spam, pay via BitCoin | 3.160 |
BITCOIN_MALWARE | meta | BitCoin + malware bragging | 0.121 |
BITCOIN_PAY_ME | meta | Pay me via BitCoin | 1.000 |
BITCOIN_SPAM_01 | meta | BitCoin spam pattern 01 | 1.000 |
BITCOIN_SPAM_02 | meta | BitCoin spam pattern 02 | 2.500 |
BITCOIN_SPAM_03 | meta | BitCoin spam pattern 03 | 1.000 |
BITCOIN_SPAM_04 | meta | BitCoin spam pattern 04 | 1.000 |
BITCOIN_SPAM_05 | meta | BitCoin spam pattern 05 | 0.001 |
BITCOIN_SPAM_06 | meta | BitCoin spam pattern 06 | 1.000 |
BITCOIN_SPAM_07 | meta | BitCoin spam pattern 07 | 3.499 |
BITCOIN_SPAM_08 | meta | BitCoin spam pattern 08 | 1.867 |
BITCOIN_SPAM_09 | meta | BitCoin spam pattern 09 | 1.499 |
BITCOIN_SPAM_10 | meta | BitCoin spam pattern 10 | 1.000 |
BITCOIN_SPAM_11 | meta | BitCoin spam pattern 11 | 1.000 |
BITCOIN_SPAM_12 | meta | BitCoin spam pattern 12 | 1.000 |
BITCOIN_SPF_ONLYALL | meta | Bitcoin from a domain specifically set to pass +all SPF | 0.001 |
BODY_8BITS | body | Body includes 8 consecutive 8-bit characters | 1.500 |
BODY_EMPTY | meta | No body text in message | 1.999 |
BODY_ENHANCEMENT | body | Information on growing body parts | 0.927 |
BODY_ENHANCEMENT2 | body | Information on getting larger body parts | 0.100 |
BODY_SINGLE_URI | meta | Message body is only a URI | 2.499 |
BODY_SINGLE_WORD | meta | Message body is only one word (no spaces) | 1.101 |
BODY_URI_ONLY | meta | Message body is only a URI in one line of text or for an image | 0.999 |
BOGUS_MIME_VERSION | meta | Mime version header is bogus | 1.000 |
BOGUS_MSM_HDRS | meta | Apparently bogus Microsoft email headers | 0.895 |
BOMB_FREEM | meta | Bomb + freemail | 1.000 |
BOMB_MONEY | meta | Bomb + money: bomb threat? | 1.000 |
BOUNCE_MESSAGE | meta | MTA bounce message | 0.100 |
BTC_ORG | meta | Bitcoin wallet ID + unusual header | 1.000 |
BUG6152_INVALID_DATE_TZ_ABSURD | header | No description provided | 0.100 |
BULK_RE_SUSP_NTLD | meta | Precedence bulk and RE: from a suspicious TLD | 1.000 |
CANT_SEE_AD | meta | You really want to see our spam. | 1.000 |
CHALLENGE_RESPONSE | meta | Challenge-Response message for mail you sent | 0.100 |
CHARSET_FARAWAY | body | Character set indicates a foreign language | 3.200 |
CHARSET_FARAWAY_HEADER | header | A foreign language charset used in headers | 3.200 |
CK_HELO_DYNAMIC_SPLIT_IP | header | Relay HELO’d using suspicious hostname (Split IP) | 1.499 |
CK_HELO_GENERIC | header | Relay used name indicative of a Dynamic Pool or Generic rPTR | 0.250 |
CN_B2B_SPAMMER | body | Chinese company introducing itself | 1.000 |
COMMENT_GIBBERISH | meta | Nonsense in long HTML comment | 1.000 |
COMPENSATION | meta | “Compensation” | 1.000 |
CRBOUNCE_MESSAGE | meta | Challenge-Response bounce message | 0.100 |
CTYPE_001C_B | header | No description provided | 0.001 |
CTYPE_NULL | meta | Malformed Content-Type header | 1.000 |
CURR_PRICE | body | No description provided | 0.001 |
DATE_IN_FUTURE_03_06 | header | Date: is 3 to 6 hours after Received: date | 3.399 |
DATE_IN_FUTURE_06_12 | header | Date: is 6 to 12 hours after Received: date | 2.899 |
DATE_IN_FUTURE_12_24 | header | Date: is 12 to 24 hours after Received: date | 2.603 |
DATE_IN_FUTURE_24_48 | header | Date: is 24 to 48 hours after Received: date | 2.598 |
DATE_IN_FUTURE_48_96 | header | Date: is 48 to 96 hours after Received: date | 2.384 |
DATE_IN_FUTURE_96_Q | header | Date: is 4 days to 4 months after Received: date | 2.453 |
DATE_IN_PAST_03_06 | header | Date: is 3 to 6 hours before Received: date | 2.399 |
DATE_IN_PAST_06_12 | header | Date: is 6 to 12 hours before Received: date | 1.699 |
DATE_IN_PAST_12_24 | header | Date: is 12 to 24 hours before Received: date | 0.001 |
DATE_IN_PAST_24_48 | header | Date: is 24 to 48 hours before Received: date | 1.109 |
DATE_IN_PAST_96_XX | header | Date: is 96 hours or more before Received: date | 2.600 |
DAY_I_EARNED | meta | Work-at-home spam | 1.000 |
DCC_CHECK | full | Detected as bulk mail by DCC (dcc-servers.net) | 0.000 |
DCC_REPUT_00_12 | full | DCC reputation between 0 and 12 % (mostly ham) | 0.000 |
DCC_REPUT_13_19 | full | DCC reputation between 13 and 19 % | 0.000 |
DCC_REPUT_70_89 | full | DCC reputation between 70 and 89 % | 0.000 |
DCC_REPUT_90_94 | full | DCC reputation between 90 and 94 % | 0.000 |
DCC_REPUT_95_98 | full | DCC reputation between 95 and 98 % (mostly spam) | 0.000 |
DCC_REPUT_99_100 | full | DCC reputation between 99 % or higher (spam) | 0.000 |
DC_GIF_UNO_LARGO | meta | Message contains a single large gif image | 0.001 |
DC_IMAGE_SPAM_HTML | meta | Possible Image-only spam | 0.100 |
DC_IMAGE_SPAM_TEXT | meta | Possible Image-only spam with little text | 0.100 |
DC_PNG_UNO_LARGO | meta | Message contains a single large png image | 0.001 |
DEAR_BENEFICIARY | body | Dear Beneficiary: | 1.140 |
DEAR_FRIEND | body | Dear Friend? That’s not very dear! | 2.683 |
DEAR_SOMETHING | body | Contains ‘Dear (something)’ | 1.999 |
DEAR_WINNER | body | Spam with generic salutation of “dear winner” | 3.099 |
DIET_1 | body | Lose Weight Spam | 0.714 |
DIGEST_MULTIPLE | meta | Message hits more than one network digest check | 0.000 |
DKIMDOMAIN_IN_DWL | ??? | No description provided | 0.000 |
DKIMDOMAIN_IN_DWL_UNKNOWN | ??? | No description provided | 0.000 |
DKIMWL_BL | meta | DKIMwl.org – Blacklisted sender | 0.001 |
DKIMWL_BLOCKED | meta | ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. | 0.001 |
DKIMWL_WL_HIGH | meta | DKIMwl.org – Whitelisted High sender | 0.001 |
DKIMWL_WL_MED | meta | DKIMwl.org – Medium sender | 0.001 |
DKIMWL_WL_MEDHI | meta | DKIMwl.org – Medium-high sender | 0.001 |
DKIM_ADSP_ALL | header | No valid author signature, domain signs all mail | 0.000 |
DKIM_ADSP_CUSTOM_HIGH | header | No valid author signature, adsp_override is CUSTOM_HIGH | 0.001 |
DKIM_ADSP_CUSTOM_LOW | header | No valid author signature, adsp_override is CUSTOM_LOW | 0.001 |
DKIM_ADSP_CUSTOM_MED | header | No valid author signature, adsp_override is CUSTOM_MED | 0.001 |
DKIM_ADSP_DISCARD | header | No valid author signature, domain signs all mail and suggests discarding the rest | 0.000 |
DKIM_ADSP_NXDOMAIN | header | No valid author signature and domain not in DNS | 0.000 |
DKIM_INVALID | meta | DKIM or DK signature exists, but is not valid | 0.100 |
DKIM_SIGNED | full | Message has a DKIM or DK signature, not necessarily valid | 0.100 |
DKIM_VALID | full | Message has at least one valid DKIM or DK signature | -0.100 |
DKIM_VALID_AU | full | Message has a valid DKIM or DK signature from author’s domain | -0.100 |
DKIM_VALID_EF | full | Message has a valid DKIM or DK signature from envelope-from domain | -0.100 |
DOS_OE_TO_MX | meta | Delivered direct to MX with OE headers | 2.602 |
DOS_OE_TO_MX_IMAGE | meta | Direct to MX with OE headers and an image | 2.886 |
DOS_OUTLOOK_TO_MX | meta | Delivered direct to MX with Outlook headers | 2.636 |
DOS_RCVD_IP_TWICE_C | header | Received from the same IP twice in a row (only one external relay; empty or IP helo) | 2.599 |
DOS_STOCK_BAT | meta | Probable pump and dump stock spam | 0.001 |
DRUGS_ANXIETY | meta | Refers to an anxiety control drug | 0.100 |
DRUGS_DIET | meta | Refers to a diet drug | 2.660 |
DRUGS_ERECTILE | meta | Refers to an erectile drug | 1.778 |
DRUGS_ERECTILE_OBFU | meta | Obfuscated reference to an erectile drug | 1.324 |
DRUGS_ERECTILE_SHORT_SHORTNER | meta | Short erectile drugs advert with T_URL_SHORTENER | 1.499 |
DRUGS_MANYKINDS | meta | Refers to at least four kinds of drugs | 2.001 |
DRUGS_MUSCLE | meta | Refers to a muscle relaxant | 0.001 |
DRUGS_SMEAR1 | body | Two or more drugs crammed together into one word | 3.300 |
DRUGS_STOCK_MIMEOLE | ??? | No description provided | 2.699 |
DRUG_ED_CAPS | body | Mentions an E.D. drug | 2.799 |
DRUG_ED_ONLINE | body | Fast Viagra Delivery | 0.696 |
DRUG_ED_SILD | body | Talks about an E.D. drug using its chemical name | 0.001 |
DX_TEXT_02 | body | “change your message stat” | 1.000 |
DX_TEXT_03 | body | “XXX Media Group” | 2.109 |
DYN_RDNS_AND_INLINE_IMAGE | meta | Contains image, and was sent by dynamic rDNS | 1.345 |
DYN_RDNS_SHORT_HELO_HTML | meta | Sent by dynamic rDNS, short HELO, and HTML | 0.001 |
DYN_RDNS_SHORT_HELO_IMAGE | meta | Short HELO string, dynamic rDNS, inline image | 1.825 |
EBAY_IMG_NOT_RCVD_EBAY | meta | E-bay hosted image but message not from E-bay | 0.980 |
EMPTY_MESSAGE | meta | Message appears to have no textual parts and no Subject: text | 2.195 |
EM_ROLEX | body | Message puts emphasis on the watch manufacturer | 0.595 |
ENCRYPTED_MESSAGE | meta | Message is encrypted, not likely to be spam | -1.000 |
END_FUTURE_EMAILS | meta | Spammy unsubscribe | 2.098 |
ENGLISH_UCE_SUBJECT | header | Subject contains an English UCE tag | 0.953 |
ENV_AND_HDR_SPF_MATCH | meta | Env and Hdr From used in default SPF WL Match | -0.500 |
EXCUSE_24 | body | Claims you wanted this ad | 1.000 |
EXCUSE_4 | body | Claims you can be removed from the list | 2.399 |
EXCUSE_REMOVE | body | Talks about how to be removed from mailings | 2.907 |
FAKE_REPLY_A1 | meta | No description provided | 3.199 |
FAKE_REPLY_B | meta | No description provided | 1.272 |
FAKE_REPLY_C | meta | No description provided | 0.688 |
FBI_MONEY | meta | The FBI wants to give you lots of money? | 1.000 |
FBI_SPOOF | meta | Claims to be FBI, but not from FBI domain | 1.000 |
FILL_THIS_FORM | meta | Fill in a form with personal information | 0.001 |
FILL_THIS_FORM_FRAUD_PHISH | ??? | No description provided | 1.195 |
FILL_THIS_FORM_LOAN | ??? | No description provided | 2.092 |
FILL_THIS_FORM_LONG | meta | Fill in a form with personal information | 2.000 |
FIN_FREE | body | Freedom of a financial nature | 0.100 |
FORGED_GMAIL_RCVD | header | ‘From’ gmail.com does not match ‘Received’ headers | 1.000 |
FORGED_HOTMAIL_RCVD2 | header | hotmail.com ‘From’ address, but no ‘Received:’ | 0.001 |
FORGED_MSGID_EXCITE | meta | Message-ID is forged, (excite.com) | 2.399 |
FORGED_MSGID_YAHOO | meta | Message-ID is forged, (yahoo.com) | 0.100 |
FORGED_MUA_EUDORA | meta | Forged mail pretending to be from Eudora | 2.828 |
FORGED_MUA_IMS | meta | Forged mail pretending to be from IMS | 2.399 |
FORGED_MUA_MOZILLA | meta | Forged mail pretending to be from Mozilla | 2.399 |
FORGED_MUA_OIMO | meta | Forged mail pretending to be from MS Outlook IMO | 2.600 |
FORGED_MUA_OUTLOOK | meta | Forged mail pretending to be from MS Outlook | 3.999 |
FORGED_MUA_THEBAT_BOUN | meta | Mail pretending to be from The Bat! (boundary) | 3.046 |
FORGED_OUTLOOK_HTML | meta | Outlook can’t send HTML message only | 0.001 |
FORGED_OUTLOOK_TAGS | meta | Outlook can’t send HTML in this format | 0.003 |
FORGED_RELAY_MUA_TO_MX | header | No description provided | 3.799 |
FORGED_SPF_HELO | meta | No description provided | 0.001 |
FORGED_TELESP_RCVD | header | Contains forged hostname for a DSL IP in Brazil | 2.499 |
FORGED_YAHOO_RCVD | header | ‘From’ yahoo.com does not match ‘Received’ headers | 2.397 |
FORM_FRAUD | meta | Fill a form and a fraud phrase | 0.999 |
FORM_FRAUD_3 | meta | Fill a form and several fraud phrases | 1.000 |
FORM_FRAUD_5 | meta | Fill a form and many fraud phrases | 2.999 |
FORM_LOW_CONTRAST | meta | Fill in a form with hidden text | 1.000 |
FOUND_YOU | meta | I found you… | 1.000 |
FREEMAIL_ENVFROM_END_DIGIT | header | Envelope-from freemail username ends in digit | 0.250 |
FREEMAIL_FORGED_FROMDOMAIN | meta | 2nd level domains in From and EnvelopeFrom freemail headers are different | 0.249 |
FREEMAIL_FORGED_REPLYTO | meta | Freemail in Reply-To, but not From | 1.199 |
FREEMAIL_FROM | header | Sender email is commonly abused enduser mail provider | 0.001 |
FREEMAIL_REPLY | meta | From and body contain different freemails | 1.000 |
FREEMAIL_REPLYTO | meta | Reply-To/From or Reply-To/body contain different freemails | 1.000 |
FREEMAIL_REPLYTO_END_DIGIT | header | Reply-To freemail username ends in digit | 0.250 |
FREEM_FRNUM_UNICD_EMPTY | meta | Numeric freemail From address, unicode From name and Subject, empty body | 1.000 |
FREE_QUOTE_INSTANT | body | Free express or no-obligation quote | 2.700 |
FRNAME_IN_MSG_XPRIO_NO_SUB | meta | From name in message + X-Priority + short or no subject | 1.000 |
FROMSPACE | header | Idiosyncratic “From” header format | 2.601 |
FROM_2_EMAILS_SHORT | meta | Short body and From looks like 2 different emails | 1.999 |
FROM_ADDR_WS | meta | Malformed From address | 2.661 |
FROM_BANK_NOAUTH | meta | From Bank domain but no SPF or DKIM | 0.001 |
FROM_BLANK_NAME | header | From: contains empty name | 2.099 |
FROM_DOMAIN_NOVOWEL | header | From: domain has series of non-vowel letters | 0.500 |
FROM_EXCESS_BASE64 | meta | From: base64 encoded unnecessarily | 0.001 |
FROM_FMBLA_NDBLOCKED | meta | ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. | 0.001 |
FROM_FMBLA_NEWDOM | meta | From domain was registered in last 7 days | 0.001 |
FROM_FMBLA_NEWDOM14 | meta | From domain was registered in last 7-14 days | 0.001 |
FROM_FMBLA_NEWDOM28 | meta | From domain was registered in last 14-28 days | 0.001 |
FROM_GOV_DKIM_AU | meta | From Government address and DKIM signed | 0.001 |
FROM_GOV_REPLYTO_FREEMAIL | meta | From Government domain but ReplyTo is FREEMAIL | 0.001 |
FROM_GOV_SPOOF | meta | From Government domain but matches SPOOFED | 0.001 |
FROM_ILLEGAL_CHARS | header | From: has too many raw illegal characters | 2.192 |
FROM_IN_TO_AND_SUBJ | meta | From address is in To and Subject | 1.000 |
FROM_LOCAL_DIGITS | header | From: localpart has long digit sequence | 0.001 |
FROM_LOCAL_HEX | header | From: localpart has long hexadecimal sequence | 0.000 |
FROM_LOCAL_NOVOWEL | header | From: localpart has series of non-vowel letters | 0.500 |
FROM_MISSPACED | meta | From: missing whitespace | 0.200 |
FROM_MISSP_DYNIP | meta | From misspaced + dynamic rDNS | 2.444 |
FROM_MISSP_EH_MATCH | meta | From misspaced, matches envelope | 1.999 |
FROM_MISSP_FREEMAIL | meta | From misspaced + freemail provider | 3.299 |
FROM_MISSP_MSFT | meta | From misspaced + supposed Microsoft tool | 0.713 |
FROM_MISSP_REPLYTO | meta | From misspaced, has Reply-To | 0.503 |
FROM_MISSP_SPF_FAIL | meta | No description provided | 0.001 |
FROM_MISSP_TO_UNDISC | meta | From misspaced, To undisclosed | 0.001 |
FROM_MISSP_USER | meta | From misspaced, from “User” | 0.622 |
FROM_MISSP_XPRIO | meta | Misspaced FROM + X-Priority | 0.001 |
FROM_NEWDOM_BTC | meta | Newdomain with Bitcoin ID | 0.001 |
FROM_NO_USER | header | From: has no local-part before @ sign | 0.001 |
FROM_NTLD_LINKBAIT | meta | From abused NTLD with little more than a URI | 1.999 |
FROM_NTLD_REPLY_FREEMAIL | meta | From abused NTLD and Reply-To is FREEMAIL | 1.999 |
FROM_NUMBERO_NEWDOMAIN | meta | Fingerprint and new domain | 0.001 |
FROM_NUMERIC_TLD | header | From: address has numeric TLD | 1.000 |
FROM_OFFERS | header | From address is “at something-offers” | 1.000 |
FROM_PAYPAL_SPOOF | meta | From PayPal domain but matches SPOOFED | 0.001 |
FROM_STARTS_WITH_NUMS | header | From: starts with several numbers | 2.801 |
FROM_SUSPICIOUS_NTLD | meta | From abused NTLD | 0.500 |
FROM_SUSPICIOUS_NTLD_FP | meta | From abused NTLD | 1.999 |
FROM_UNBAL1 | header | From with unbalanced angle brackets, ‘>’ missing | 1.099 |
FROM_WORDY | meta | From address looks like a sentence | 2.499 |
FROM_WORDY_SHORT | meta | From address looks like a sentence + short message | 1.000 |
FROM_WSP_TRAIL | header | Trailing whitespace before ‘>’ in From header field | 1.000 |
FSL_BULK_SIG | meta | Bulk signature with no Unsubscribe | 0.001 |
FSL_CTYPE_WIN1251 | header | Content-Type only seen in 419 spam | 1.063 |
FSL_FAKE_HOTMAIL_RVCD | header | No description provided | 2.631 |
FSL_HELO_BARE_IP_1 | meta | No description provided | 2.598 |
FSL_HELO_DEVICE | header | No description provided | 0.100 |
FSL_HELO_NON_FQDN_1 | header | No description provided | 2.361 |
FSL_INTERIA_ABUSE | uri | No description provided | 3.899 |
FSL_NEW_HELO_USER | meta | Spam’s using Helo and User | 1.999 |
FSL_THIS_IS_ADV | body | This is an advertisement | 2.999 |
FUZZY_ANDROID | body | Obfuscated “android” | 1.000 |
FUZZY_BITCOIN | body | Obfuscated “Bitcoin” | 1.000 |
FUZZY_BROWSER | body | Obfuscated “browser” | 1.000 |
FUZZY_BTC_WALLET | meta | Heavily obfuscated “bitcoin wallet” | 1.000 |
FUZZY_CLICK_HERE | body | Obfuscated “click here” | 1.498 |
FUZZY_CPILL | body | Attempt to obfuscate words in spam | 0.001 |
FUZZY_CREDIT | body | Attempt to obfuscate words in spam | 1.699 |
FUZZY_DR_OZ | meta | Obfuscated Doctor Oz | 1.000 |
FUZZY_IMPORTANT | body | Obfuscated “important” | 1.000 |
FUZZY_MILLION | body | Attempt to obfuscate words in spam | 0.100 |
FUZZY_MONERO | meta | Obfuscated “Monero” | 1.000 |
FUZZY_PHARMACY | body | Attempt to obfuscate words in spam | 2.960 |
FUZZY_PHENT | body | Attempt to obfuscate words in spam | 2.799 |
FUZZY_PRICES | body | Attempt to obfuscate words in spam | 1.821 |
FUZZY_PRIVACY | body | Obfuscated “privacy” | 1.000 |
FUZZY_PROMOTION | body | Obfuscated “promotion” | 1.000 |
FUZZY_SAVINGS | body | Obfuscated “savings” | 1.000 |
FUZZY_SECURITY | body | Obfuscated “security” | 1.000 |
FUZZY_UNSUBSCRIBE | body | Obfuscated “unsubscribe” | 1.000 |
FUZZY_VPILL | body | Attempt to obfuscate words in spam | 0.001 |
FUZZY_WALLET | body | Obfuscated “Wallet” | 1.000 |
FUZZY_XPILL | body | Attempt to obfuscate words in spam | 0.100 |
GAPPY_SALES_LEADS_FREEM | meta | Obfuscated marketing text, freemail or CHN replyto | 1.000 |
GAPPY_SUBJECT | meta | Subject: contains G.a.p.p.y-T.e.x.t | 0.100 |
GB_BITCOIN_CP | meta | Localized Bitcoin scam | 2.360 |
GB_BITCOIN_NH | meta | Localized Bitcoin scam | 1.341 |
GB_FORGED_MUA_POSTFIX | meta | Forged Postfix mua headers | 1.000 |
GB_FREEMAIL_DISPTO | meta | Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails | 0.499 |
GB_FREEMAIL_DISPTO_NOTFREEM | meta | Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail | 0.500 |
GB_GOOGLE_OBFU | uri | Obfuscate url through Google redirect | 0.750 |
GB_LINKED_IMG_NOT_RCVD_LINK | meta | Linkedin hosted image but message not from Linkedin | 1.000 |
GMD_PDF_EMPTY_BODY | body | Attached PDF with empty message body | 0.250 |
GMD_PDF_ENCRYPTED | body | Attached PDF is encrypted | 0.600 |
GMD_PDF_HORIZ | body | Contains pdf 100-240 (high) x 450-800 (wide) | 0.250 |
GMD_PDF_SQUARE | body | Contains pdf 180-360 (high) x 180-360 (wide) | 0.500 |
GMD_PDF_VERT | body | Contains pdf 450-800 (high) x 100-240 (wide) | 0.900 |
GMD_PRODUCER_EASYPDF | body | PDF producer was BCL easyPDF | 0.250 |
GMD_PRODUCER_GPL | body | PDF producer was GPL Ghostscript | 0.250 |
GMD_PRODUCER_POWERPDF | body | PDF producer was PowerPDF | 0.250 |
GOOGLE_DOCS_PHISH | meta | Possible phishing via a Google Docs form | 1.000 |
GOOGLE_DOCS_PHISH_MANY | meta | Phishing via a Google Docs form | 1.000 |
GOOGLE_DRIVE_REPLY_BAD_NTLD | meta | From Google Drive and Reply-To is from a suspicious TLD | 1.000 |
GOOG_MALWARE_DNLD | meta | File download via Google – Malware? | 1.000 |
GOOG_REDIR_HTML_ONLY | meta | Google redirect to obscure spamvertised website + HTML only | 1.999 |
GOOG_REDIR_SHORT | meta | Google redirect to obscure spamvertised website + short message | 1.000 |
GTUBE | body | Generic Test for Unsolicited Bulk Email | 1000.000 |
GUARANTEED_100_PERCENT | body | One hundred percent guaranteed | 2.699 |
HDRS_LCASE | meta | Odd capitalization of message header | 0.099 |
HDRS_LCASE_IMGONLY | meta | Odd capitalization of message headers + image-only HTML | 0.099 |
HDRS_MISSP | meta | Misspaced headers | 1.000 |
HDR_ORDER_FTSDMCXX_DIRECT | meta | Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX | 1.999 |
HDR_ORDER_FTSDMCXX_NORDNS | meta | Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS | 3.055 |
HEADER_FROM_DIFFERENT_DOMAINS | header | From and EnvelopeFrom 2nd level mail domains are different | 0.249 |
HEADER_HOST_IN_BLACKLIST | ??? | No description provided | 100.000 |
HEADER_HOST_IN_WHITELIST | ??? | No description provided | -100.000 |
HEADER_SPAM | header | Bulk email fingerprint (header-based) found | 2.499 |
HELO_DYNAMIC_CHELLO_NL | header | Relay HELO’d using suspicious hostname (Chello.nl) | 2.412 |
HELO_DYNAMIC_DHCP | meta | Relay HELO’d using suspicious hostname (DHCP) | 2.602 |
HELO_DYNAMIC_DIALIN | header | Relay HELO’d using suspicious hostname (T-Dialin) | 2.629 |
HELO_DYNAMIC_HCC | meta | Relay HELO’d using suspicious hostname (HCC) | 4.299 |
HELO_DYNAMIC_HEXIP | header | Relay HELO’d using suspicious hostname (Hex IP) | 2.321 |
HELO_DYNAMIC_HOME_NL | header | Relay HELO’d using suspicious hostname (Home.nl) | 2.385 |
HELO_DYNAMIC_IPADDR | meta | Relay HELO’d using suspicious hostname (IP addr 1) | 2.633 |
HELO_DYNAMIC_IPADDR2 | meta | Relay HELO’d using suspicious hostname (IP addr 2) | 2.815 |
HELO_DYNAMIC_SPLIT_IP | header | Relay HELO’d using suspicious hostname (Split IP) | 3.031 |
HELO_LH_HOME | ??? | No description provided | 0.001 |
HELO_LOCALHOST | header | No description provided | 2.639 |
HELO_MISC_IP | meta | Looking for more Dynamic IP Relays | 0.250 |
HELO_NO_DOMAIN | meta | Relay reports its domain incorrectly | 0.001 |
HELO_OEM | header | No description provided | 2.899 |
HELO_STATIC_HOST | meta | Relay HELO’d using static hostname | -0.001 |
HEXHASH_WORD | meta | Multiple instances of word + hexadecimal hash | 2.598 |
HIDE_WIN_STATUS | rawbody | Javascript to hide URLs in browser | 0.001 |
HK_LOTTO | meta | No description provided | 0.999 |
HK_NAME_DRUGS | header | From name contains drugs | 4.299 |
HK_NAME_MR_MRS | meta | No description provided | 1.000 |
HK_RANDOM_ENVFROM | header | Envelope sender username looks random | 2.638 |
HK_RANDOM_FROM | header | From username looks random | 1.000 |
HK_RANDOM_REPLYTO | header | Reply-To username looks random | 0.941 |
HK_RCVD_IP_MULTICAST | header | No description provided | 0.338 |
HK_SCAM | meta | No description provided | 1.999 |
HOSTED_IMG_DIRECT_MX | meta | Image hosted at large ecomm site, message direct-to-mx | 2.048 |
HOSTED_IMG_DQ_UNSUB | meta | Image hosted at large ecomm site, IP addr unsub link | 1.000 |
HOSTED_IMG_FREEM | meta | Image hosted at large ecomm site or redirected, freemail from or reply-to | 2.288 |
HOSTED_IMG_MULTI | meta | Multiple images hosted at different large ecomm sites or redirected | 2.559 |
HTML_CHARSET_FARAWAY | meta | A foreign language charset used in HTML markup | 0.500 |
HTML_COMMENT_SAVED_URL | body | HTML message is a saved web page | 0.198 |
HTML_EMBEDS | body | HTML with embedded plugin object | 0.001 |
HTML_ENTITY_ASCII | meta | Obfuscated ASCII | 1.000 |
HTML_ENTITY_ASCII_TINY | meta | Obfuscated ASCII + tiny fonts | 1.000 |
HTML_EXTRA_CLOSE | body | HTML contains far too many close tags | 0.001 |
HTML_FONT_FACE_BAD | body | HTML font face is not a word | 0.001 |
HTML_FONT_LOW_CONTRAST | body | HTML font color similar or identical to background | 0.713 |
HTML_FONT_SIZE_HUGE | body | HTML font size is huge | 0.001 |
HTML_FONT_SIZE_LARGE | body | HTML font size is large | 0.001 |
HTML_IMAGE_ONLY_04 | body | HTML: images with 0-400 bytes of words | 1.680 |
HTML_IMAGE_ONLY_08 | body | HTML: images with 400-800 bytes of words | 0.585 |
HTML_IMAGE_ONLY_12 | body | HTML: images with 800-1200 bytes of words | 1.381 |
HTML_IMAGE_ONLY_16 | body | HTML: images with 1200-1600 bytes of words | 1.969 |
HTML_IMAGE_ONLY_20 | body | HTML: images with 1600-2000 bytes of words | 2.109 |
HTML_IMAGE_ONLY_24 | body | HTML: images with 2000-2400 bytes of words | 2.799 |
HTML_IMAGE_ONLY_28 | body | HTML: images with 2400-2800 bytes of words | 2.799 |
HTML_IMAGE_ONLY_32 | body | HTML: images with 2800-3200 bytes of words | 2.196 |
HTML_IMAGE_RATIO_02 | body | HTML has a low ratio of text to image area | 0.001 |
HTML_IMAGE_RATIO_04 | body | HTML has a low ratio of text to image area | 0.001 |
HTML_IMAGE_RATIO_06 | body | HTML has a low ratio of text to image area | 0.001 |
HTML_IMAGE_RATIO_08 | body | HTML has a low ratio of text to image area | 0.001 |
HTML_MESSAGE | body | HTML included in message | 0.001 |
HTML_MIME_NO_HTML_TAG | meta | HTML-only message, but there is no HTML tag | 0.001 |
HTML_NONELEMENT_30_40 | body | 30% to 40% of HTML elements are non-standard | 0.000 |
HTML_OBFUSCATE_05_10 | body | Message is 5% to 10% HTML obfuscation | 0.601 |
HTML_OBFUSCATE_10_20 | body | Message is 10% to 20% HTML obfuscation | 0.174 |
HTML_OBFUSCATE_20_30 | body | Message is 20% to 30% HTML obfuscation | 2.499 |
HTML_OBFUSCATE_90_100 | body | Message is 90% to 100% HTML obfuscation | 2.000 |
HTML_OFF_PAGE | meta | HTML element rendered well off the displayed page | 2.999 |
HTML_SHORT_CENTER | meta | HTML is very short with CENTER tag | 3.799 |
HTML_SHORT_LINK_IMG_1 | meta | HTML is very short with a linked image | 2.215 |
HTML_SHORT_LINK_IMG_2 | meta | HTML is very short with a linked image | 1.419 |
HTML_SHORT_LINK_IMG_3 | meta | HTML is very short with a linked image | 0.691 |
HTML_SHRT_CMNT_OBFU_MANY | meta | Obfuscation with many short HTML comments | 1.000 |
HTML_SINGLET_MANY | meta | Many single-letter HTML format blocks | 2.499 |
HTML_TAG_BALANCE_BODY | body | HTML has unbalanced “body” tags | 0.100 |
HTML_TAG_BALANCE_HEAD | body | HTML has unbalanced “head” tags | 0.520 |
HTML_TEXT_INVISIBLE_FONT | meta | HTML hidden text | 1.000 |
HTML_TEXT_INVISIBLE_STYLE | meta | HTML hidden text + other spam signs | 0.001 |
HTML_TITLE_SUBJ_DIFF | meta | No description provided | 1.149 |
HTTPS_HTTP_MISMATCH | body | No description provided | 0.100 |
HTTP_ESCAPED_HOST | uri | Uses %-escapes inside a URL’s hostname | 0.100 |
HTTP_EXCESSIVE_ESCAPES | uri | Completely unnecessary %-escapes inside a URL | 0.001 |
IMG_ONLY_FM_DOM_INFO | meta | HTML image-only message from .info domain | 2.197 |
IMPOTENCE | body | Impotence cure | 1.539 |
INVALID_DATE | header | Invalid Date: header (not RFC 2822) | 1.701 |
INVALID_DATE_TZ_ABSURD | header | Invalid Date: header (timezone does not exist) | 0.262 |
INVALID_MSGID | meta | Message-Id is not valid, according to RFC 2822 | 2.602 |
INVESTMENT_ADVICE | body | Message mentions investment advice | 0.100 |
IP_LINK_PLUS | uri | Dotted-decimal IP address followed by CGI | 0.001 |
JOIN_MILLIONS | body | Join Millions of Americans | 0.100 |
KB_DATE_CONTAINS_TAB | meta | No description provided | 3.800 |
KB_FAKED_THE_BAT | meta | No description provided | 2.432 |
KB_FORGED_MOZ4 | header | Mozilla 4 uses X-Mailer | 3.999 |
KB_RATWARE_MSGID | meta | No description provided | 4.099 |
KB_RATWARE_OUTLOOK_MID | header | No description provided | 4.400 |
KHOP_FAKE_EBAY | meta | Sender falsely claims to be from eBay | 0.001 |
KHOP_HELO_FCRDNS | meta | Relay HELO differs from its IP’s reverse DNS | 0.400 |
LIST_PARTIAL_SHORT_MSG | meta | Incomplete mailing list headers + short message | 2.499 |
LIST_PRTL_PUMPDUMP | meta | Incomplete List-* headers and stock pump-and-dump | 1.000 |
LIST_PRTL_SAME_USER | meta | Incomplete List-* headers and from+to user the same | 0.001 |
LITECOIN_EXTORT_01 | meta | Extortion spam, pay via BitCoin | 0.001 |
LIVEFILESTORE | uri | No description provided | 0.100 |
LOCALPART_IN_SUBJECT | header | Local part of To: address appears in Subject | 0.001 |
LONGWORDS | meta | Long string of long words | 2.199 |
LONG_HEX_URI | meta | Very long purely hexadecimal URI | 2.999 |
LONG_IMG_URI | meta | Image URI with very long path component – web bug? | 0.503 |
LONG_TERM_PRICE | body | No description provided | 0.001 |
LOTS_OF_MONEY | meta | Huge… sums of money | 0.001 |
LOTTERY_1 | meta | No description provided | 0.001 |
LOTTERY_PH_004470 | meta | No description provided | 0.100 |
LOW_PRICE | body | Lowest Price | 0.100 |
LUCRATIVE | meta | Make lots of money! | 1.000 |
L_SPAM_TOOL_13 | header | No description provided | 0.539 |
MAILING_LIST_MULTI | meta | Multiple indicators imply a widely-seen list manager | 1.000 |
MALE_ENHANCE | body | Message talks about enhancing men | 3.100 |
MALF_HTML_B64 | meta | Malformatted base64-encoded HTML content | 2.206 |
MALWARE_NORDNS | meta | Malware bragging + no rDNS | 1.015 |
MALWARE_PASSWORD | meta | Malware bragging + “password” | 2.858 |
MANY_HDRS_LCASE | meta | Odd capitalization of multiple message headers | 0.099 |
MANY_SPAN_IN_TEXT | meta | Many <SPAN> tags embedded within text | 1.000 |
MARKETING_PARTNERS | body | Claims you registered with a partner | 0.553 |
MAY_BE_FORGED | meta | Relay IP’s reverse DNS does not resolve to IP | 1.499 |
MICROSOFT_EXECUTABLE | body | Message includes Microsoft executable program | 0.100 |
MILLION_HUNDRED | body | Million “One to Nine” Hundred | 0.001 |
MIMEOLE_DIRECT_TO_MX | meta | MIMEOLE + direct-to-MX | 1.999 |
MIMEPART_LIMIT_EXCEEDED | body | Message has too many MIME parts | 0.001 |
MIME_BASE64_TEXT | rawbody | Message text disguised using base64 encoding | 0.001 |
MIME_BOUND_DD_DIGITS | header | Spam tool pattern in MIME boundary | 3.016 |
MIME_BOUND_DIGITS_15 | header | Spam tool pattern in MIME boundary | 0.100 |
MIME_CHARSET_FARAWAY | meta | MIME character set indicates foreign language | 2.450 |
MIME_HEADER_CTYPE_ONLY | meta | ‘Content-Type’ found without required MIME headers | 0.100 |
MIME_HTML_MOSTLY | body | Multipart message mostly text/html MIME | 0.100 |
MIME_HTML_ONLY | body | Message only has text/html MIME parts | 0.100 |
MIME_HTML_ONLY_MULTI | meta | Multipart message only has text/html MIME parts | 0.000 |
MIME_NO_TEXT | meta | No (properly identified) text body parts | 1.000 |
MIME_PHP_NO_TEXT | meta | No text body parts, X-Mailer: PHP | 2.800 |
MIME_QP_LONG_LINE | rawbody | Quoted-printable line longer than 76 chars | 0.001 |
MIME_SUSPECT_NAME | body | MIME filename does not match content | 0.100 |
MISSING_DATE | meta | Missing Date: header | 2.739 |
MISSING_FROM | meta | Missing From: header | 1.000 |
MISSING_HEADERS | header | Missing To: header | 0.915 |
MISSING_MID | meta | Missing Message-Id: header | 0.552 |
MISSING_MIMEOLE | meta | Message has X-MSMail-Priority, but no X-MimeOLE | 0.392 |
MISSING_MIME_HB_SEP | body | Missing blank line between MIME header and body | 0.001 |
MISSING_SUBJECT | meta | Missing Subject: header | 0.001 |
MIXED_ES | meta | Too many es are not es | 2.599 |
MONERO_EXTORT_01 | meta | Extortion spam, pay via Monero cryptocurrency | 1.000 |
MONEY_ATM_CARD | meta | Lots of money on an ATM card | 1.122 |
MONEY_BACK | body | Money back guarantee | 2.910 |
MONEY_FORM_SHORT | meta | Lots of money if you fill out a short form | 2.500 |
MONEY_FRAUD_3 | meta | Lots of money and several fraud phrases | 2.799 |
MONEY_FRAUD_5 | meta | Lots of money and many fraud phrases | 2.189 |
MONEY_FRAUD_8 | meta | Lots of money and very many fraud phrases | 3.199 |
MONEY_FROM_41 | meta | Lots of money from Africa | 1.999 |
MONEY_FROM_MISSP | meta | Lots of money and misspaced From | 1.999 |
MORE_SEX | body | Talks about a bigger drive for sex | 2.799 |
MPART_ALT_DIFF | body | HTML and text parts are different | 2.246 |
MPART_ALT_DIFF_COUNT | body | HTML and text parts are different | 2.799 |
MSGID_FROM_MTA_HEADER | meta | Message-Id was added by a relay | 0.401 |
MSGID_MULTIPLE_AT | header | Message-ID contains multiple ‘@’ characters | 1.000 |
MSGID_OUTLOOK_INVALID | header | Message-Id is fake (in Outlook Express format) | 3.899 |
MSGID_RANDY | meta | Message-Id has pattern used in spam | 2.196 |
MSGID_SHORT | header | Message-ID is unusually short | 0.001 |
MSGID_SPAM_CAPS | header | Spam tool Message-Id: (caps variant) | 2.366 |
MSGID_YAHOO_CAPS | header | Message-ID has ALLCAPS@yahoo.com | 0.797 |
MSM_PRIO_REPTO | meta | MSMail priority header + Reply-to + short subject | 1.000 |
MSOE_MID_WRONG_CASE | meta | No description provided | 0.993 |
NEWEGG_IMG_NOT_RCVD_NEGG | meta | Newegg hosted image but message not from Newegg | 1.000 |
NML_ADSP_CUSTOM_HIGH | meta | ADSP custom_high hit, and not from a mailing list | 0.000 |
NML_ADSP_CUSTOM_LOW | meta | ADSP custom_low hit, and not from a mailing list | 0.000 |
NML_ADSP_CUSTOM_MED | meta | ADSP custom_med hit, and not from a mailing list | 0.000 |
NORDNS_LOW_CONTRAST | meta | No rDNS + hidden text | 1.883 |
NORMAL_HTTP_TO_IP | uri | URI host has a public dotted-decimal IPv4 address | 0.159 |
NO_DNS_FOR_FROM | header | Envelope sender has no MX or A DNS records | 0.000 |
NO_FM_NAME_IP_HOSTN | meta | No From name + hostname using IP address | 0.101 |
NO_HEADERS_MESSAGE | meta | Message appears to be missing most RFC-822 headers | 0.001 |
NO_MEDICAL | body | No Medical Exams | 2.199 |
NO_PRESCRIPTION | body | No prescription needed | 1.915 |
NO_RDNS_DOTCOM_HELO | header | Host HELO’d as a big ISP, but had no rDNS | 3.100 |
NO_RECEIVED | meta | Informational: message has no Received headers | -0.001 |
NO_RELAYS | header | Informational: message was not relayed via SMTP | -0.001 |
NSL_RCVD_FROM_USER | header | Received from User | 2.601 |
NSL_RCVD_HELO_USER | header | Received from HELO User | 0.167 |
NULL_IN_BODY | full | Message has NUL (ASCII 0) byte in message | 0.511 |
NUMBEREND_LINKBAIT | meta | Domain ends in a large number and very short body with link | 0.999 |
NUMBERONLY_BITCOIN_EXP | meta | Domain ends in a large number and very short body with link | 0.318 |
NUMERIC_HTTP_ADDR | uri | Uses a numeric IP address in URL | 0.000 |
OBFUSCATING_COMMENT | meta | HTML comments which obfuscate text | 0.000 |
OBFU_BITCOIN | meta | Obfuscated BitCoin references | 2.999 |
OBFU_JVSCR_ESC | rawbody | Injects content using obfuscated javascript | 1.000 |
OBFU_TEXT_ATTACH | mimeheader | Text attachment with non-text MIME type | 1.000 |
ONE_TIME | body | One Time Rip Off | 1.840 |
ONLINE_MKTG_CNSLT | body | No description provided | 2.899 |
ONLINE_PHARMACY | body | Online Pharmacy | 0.843 |
OOOBOUNCE_MESSAGE | meta | Out Of Office bounce message | 0.100 |
PART_CID_STOCK | meta | Has a spammy image attachment (by Content-ID) | 0.001 |
PART_CID_STOCK_LESS | meta | Has a spammy image attachment (by Content-ID, more specific) | 0.000 |
PDS_BTC_ID | meta | FP reduced Bitcoin ID | 0.499 |
PDS_BTC_MSGID | meta | Bitcoin ID with T_MSGID_NOFQDN2 | 1.000 |
PDS_DBL_URL_TNB_RUNON | meta | Double-url and To no arrows, from runon | 1.796 |
PDS_FRNOM_TODOM_NAKED_TO | meta | Naked to From name equals to Domain | 1.499 |
PDS_FROM_2_EMAILS | meta | No description provided | 2.401 |
PDS_FROM_NAME_TO_DOMAIN | meta | From:name looks like To:domain | 1.000 |
PDS_HELO_SPF_FAIL | meta | High profile HELO that fails SPF | 0.001 |
PDS_HP_HELO_NORDNS | meta | High profile HELO with no sender rDNS | 0.847 |
PDS_LTC_AHACKER | meta | Litecoin Hacker | 2.999 |
PDS_LTC_CP | meta | Localized Bitcoin scam | 2.999 |
PDS_LTC_HUSH | meta | LTC, it is between us | 1.287 |
PDS_NAKED_TO_NUMERO | meta | Naked-to, numberonly domain | 1.999 |
PDS_PHPEXP_BOT | meta | PHP exploit bot sender | 1.500 |
PDS_PHPE_URISHORTENER | meta | URI Shortener with PHP eval | 1.999 |
PDS_PHP_EVAL | meta | PHP header shows eval’d code | 1.499 |
PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE | meta | Forged replyto and __PDS_TONAME_EQ_TOLOCAL | 1.999 |
PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE | meta | To: name matches everything in local email – LCASE headers | 1.999 |
PDS_TONAME_EQ_TOLOCAL_SHORT | meta | Short body with To: name matches everything in local email | 1.999 |
PDS_TONAME_EQ_TOLOCAL_VSHORT | meta | Very short body and From looks like 2 different emails | 1.000 |
PDS_TO_EQ_FROM_NAME | meta | From: name same as To: address | 0.001 |
PDS_X_PHP_WP_EXP | meta | X-PHP-Script shows sent from a WordPress PHP script where you would not expect one | 1.499 |
PERCENT_RANDOM | meta | Message has a random macro in it | 2.999 |
PHOTO_EDITING_DIRECT | meta | Image editing service, direct to MX | 1.000 |
PHOTO_EDITING_FREEM | meta | Image editing service, freemail or CHN replyto | 1.000 |
PHP_NOVER_MUA | meta | Mail from PHP with no version number | 1.000 |
PHP_ORIG_SCRIPT | meta | Sent by bot & other signs | 2.499 |
PHP_SCRIPT_MUA | meta | Sent by PHP script, no version number | 1.000 |
PLING_QUERY | meta | Subject has exclamation mark and question mark | 0.100 |
PP_MIME_FAKE_ASCII_TEXT | body | MIME text/plain claims to be ASCII but isn’t | 1.000 |
PP_TOO_MUCH_UNICODE02 | body | Is text/plain but has many unicode escapes | 0.500 |
PP_TOO_MUCH_UNICODE05 | body | Is text/plain but has many unicode escapes | 1.000 |
PRICES_ARE_AFFORDABLE | body | Message says that prices aren’t too expensive | 0.794 |
PUMPDUMP | meta | Pump-and-dump stock scam phrase | 1.000 |
PUMPDUMP_MULTI | meta | Pump-and-dump stock scam phrases | 1.000 |
PUMPDUMP_TIP | meta | Pump-and-dump stock tip | 1.000 |
PYZOR_CHECK | full | Listed in Pyzor (https://pyzor.readthedocs.io/en/latest/) | 0.000 |
RAND_HEADER_MANY | meta | Many random gibberish message headers | 1.000 |
RATWARE_EFROM | header | Bulk email fingerprint (envfrom) found | 0.100 |
RATWARE_EGROUPS | header | Bulk email fingerprint (eGroups) found | 1.898 |
RATWARE_MPOP_WEBMAIL | header | Bulk email fingerprint (mPOP Web-Mail) | 1.153 |
RATWARE_MS_HASH | meta | Bulk email fingerprint (msgid ms hash) found | 2.036 |
RATWARE_NAME_ID | meta | Bulk email fingerprint (msgid from) found | 3.099 |
RATWARE_NO_RDNS | meta | Suspicious MsgID and MIME boundary + no rDNS | 2.645 |
RATWARE_OUTLOOK_NONAME | meta | Bulk email fingerprint (Outlook no name) found | 2.964 |
RATWARE_ZERO_TZ | meta | Bulk email fingerprint (+0000) found | 2.392 |
RAZOR2_CF_RANGE_51_100 | full | Razor2 gives confidence level above 50% | 0.000 |
RAZOR2_CHECK | full | Listed in Razor2 (http://razor.sf.net/) | 0.000 |
RCVD_DBL_DQ | header | Malformatted message header | 1.000 |
RCVD_DOUBLE_IP_LOOSE | meta | Received: by and from look like IP addresses | 1.150 |
RCVD_DOUBLE_IP_SPAM | meta | Bulk email fingerprint (double IP) found | 2.411 |
RCVD_FAKE_HELO_DOTCOM | header | Received contains a faked HELO hostname | 2.799 |
RCVD_HELO_IP_MISMATCH | header | Received: HELO and IP do not match, but should | 1.680 |
RCVD_ILLEGAL_IP | header | Received: contains illegal IP address | 1.300 |
RCVD_IN_BL_SPAMCOP_NET | header | Received via a relay in bl.spamcop.net | 0.000 |
RCVD_IN_DNSWL_BLOCKED | header | ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. | 0.000 |
RCVD_IN_DNSWL_HI | header | Sender listed at https://www.dnswl.org/, high trust | 0.000 |
RCVD_IN_DNSWL_LOW | header | Sender listed at https://www.dnswl.org/, low trust | 0.000 |
RCVD_IN_DNSWL_MED | header | Sender listed at https://www.dnswl.org/, medium trust | 0.000 |
RCVD_IN_DNSWL_NONE | header | Sender listed at https://www.dnswl.org/, no trust | 0.000 |
RCVD_IN_IADB_DK | header | IADB: Sender publishes Domain Keys record | 0.000 |
RCVD_IN_IADB_DOPTIN | header | IADB: All mailing list mail is confirmed opt-in | 0.000 |
RCVD_IN_IADB_DOPTIN_LT50 | header | IADB: Confirmed opt-in used less than 50% of the time | 0.000 |
RCVD_IN_IADB_LISTED | header | Participates in the IADB system | 0.000 |
RCVD_IN_IADB_MI_CPR_MAT | header | IADB: Sends no material under Michigan’s CPR | 0.000 |
RCVD_IN_IADB_ML_DOPTIN | header | IADB: Mailing list email only, confirmed opt-in | 0.000 |
RCVD_IN_IADB_OPTIN | header | IADB: All mailing list mail is opt-in | 0.000 |
RCVD_IN_IADB_OPTIN_GT50 | header | IADB: Opt-in used more than 50% of the time | 0.000 |
RCVD_IN_IADB_RDNS | header | IADB: Sender has reverse DNS record | 0.000 |
RCVD_IN_IADB_SENDERID | header | IADB: Sender publishes Sender ID record | 0.000 |
RCVD_IN_IADB_SPF | header | IADB: Sender publishes SPF record | 0.000 |
RCVD_IN_IADB_UT_CPR_MAT | header | IADB: Sends no material under Utah’s CPR | 0.000 |
RCVD_IN_IADB_VOUCHED | header | ISIPP IADB lists as vouched-for sender | 0.000 |
RCVD_IN_MSPIKE_BL | meta | Mailspike blacklisted | 0.010 |
RCVD_IN_MSPIKE_H2 | header | Average reputation (+2) | 0.001 |
RCVD_IN_MSPIKE_H3 | header | Good reputation (+3) | -0.010 |
RCVD_IN_MSPIKE_H4 | header | Very Good reputation (+4) | -0.010 |
RCVD_IN_MSPIKE_H5 | header | Excellent reputation (+5) | -1.000 |
RCVD_IN_MSPIKE_L2 | header | Suspicious reputation (-2) | 1.000 |
RCVD_IN_MSPIKE_L3 | header | Low reputation (-3) | 0.900 |
RCVD_IN_MSPIKE_L4 | header | Bad reputation (-4) | 1.700 |
RCVD_IN_MSPIKE_L5 | header | Very bad reputation (-5) | 2.500 |
RCVD_IN_MSPIKE_WL | meta | Mailspike good senders | -0.010 |
RCVD_IN_MSPIKE_ZBI | meta | No description provided | 2.700 |
RCVD_IN_PBL | header | Received via a relay in Spamhaus PBL | 0.000 |
RCVD_IN_PSBL | header | Received via a relay in PSBL | 0.000 |
RCVD_IN_RP_CERTIFIED | header | Sender in ReturnPath Certified – Contact cert-sa@returnpath.net | 0.000 |
RCVD_IN_RP_RNBL | header | Relay in RNBL, https://senderscore.org/blacklistlookup/ | 0.000 |
RCVD_IN_RP_SAFE | header | Sender in ReturnPath Safe – Contact safe-sa@returnpath.net | 0.000 |
RCVD_IN_SBL | header | Received via a relay in Spamhaus SBL | 0.000 |
RCVD_IN_SBL_CSS | header | Received via a relay in Spamhaus SBL-CSS | 0.000 |
RCVD_IN_SORBS_DUL | header | SORBS: sent directly from dynamic IP address | 0.000 |
RCVD_IN_SORBS_HTTP | header | SORBS: sender is open HTTP proxy server | 0.000 |
RCVD_IN_SORBS_SOCKS | header | SORBS: sender is open SOCKS proxy server | 0.000 |
RCVD_IN_SORBS_WEB | header | SORBS: sender is an abusable web server | 0.000 |
RCVD_IN_XBL | header | Received via a relay in Spamhaus XBL | 0.000 |
RCVD_IN_ZEN_BLOCKED | header | ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ | 0.000 |
RCVD_IN_ZEN_BLOCKED_OPENDNS | header | ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ | 0.000 |
RCVD_NUMERIC_HELO | ??? | No description provided | 0.001 |
RDNS_DYNAMIC | meta | Delivered to internal network by host with dynamic-looking rDNS | 2.639 |
RDNS_LOCALHOST | header | Sender’s public rDNS is “localhost” | 3.700 |
RDNS_NONE | meta | Delivered to internal network by a host with no rDNS | 2.399 |
RDNS_NUM_TLD_ATCHNX | meta | Relay rDNS has numeric TLD + suspicious attachment | 2.640 |
RDNS_NUM_TLD_XM | meta | Relay rDNS has numeric TLD + suspicious headers | 3.000 |
REMOVE_BEFORE_LINK | body | Removal phrase right before a link | 0.100 |
REPLICA_WATCH | body | Message talks about a replica watch | 3.487 |
REPLYTO_WITHOUT_TO_CC | meta | No description provided | 2.399 |
REPTO_QUOTE_YAHOO | meta | Yahoo! doesn’t do quoting like this | 0.001 |
RP_MATCHES_RCVD | ??? | No description provided | -0.001 |
SB_GIF_AND_NO_URIS | meta | No description provided | 2.199 |
SEO_SUSP_NTLD | meta | SEO offer from suspicious TLD | 1.000 |
SERGIO_SUBJECT_PORN014 | header | F\*\*\* garbled subject | 3.099 |
SERGIO_SUBJECT_VIAGRA01 | header | Viagra garbled subject | 2.823 |
SHOPIFY_IMG_NOT_RCVD_SFY | meta | Shopify hosted image but message not from Shopify | 2.499 |
SHORTENER_SHORT_IMG | meta | Short HTML + image + URL shortener | 0.133 |
SHORT_HELO_AND_INLINE_IMAGE | meta | Short HELO string, with inline image | 0.100 |
SHORT_IMG_SUSP_NTLD | meta | Short HTML + image + suspicious TLD | 1.000 |
SHORT_SHORTNER | meta | Short body with little more than a link to a shortener | 1.999 |
SHORT_TERM_PRICE | body | No description provided | 0.001 |
SINGLETS_LOW_CONTRAST | meta | Single-letter formatted HTML + hidden text | 1.377 |
SORTED_RECIPS | header | Recipient list is sorted by address | 1.801 |
SPAMMY_XMAILER | meta | X-Mailer string is common in spam and not in ham | 2.650 |
SPF_FAIL | header | SPF: sender does not match SPF record (fail) | 0.000 |
SPF_HELO_FAIL | header | SPF: HELO does not match SPF record (fail) | 0.000 |
SPF_HELO_NEUTRAL | header | SPF: HELO does not match SPF record (neutral) | 0.000 |
SPF_HELO_NONE | header | SPF: HELO does not publish an SPF Record | 0.001 |
SPF_HELO_PASS | header | SPF: HELO matches SPF record | -0.001 |
SPF_HELO_SOFTFAIL | header | SPF: HELO does not match SPF record (softfail) | 0.000 |
SPF_NEUTRAL | header | SPF: sender does not match SPF record (neutral) | 0.000 |
SPF_NONE | header | SPF: sender does not publish an SPF Record | 0.001 |
SPF_PASS | header | SPF: sender matches SPF record | -0.001 |
SPF_SOFTFAIL | header | SPF: sender does not match SPF record (softfail) | 0.000 |
SPOOFED_FREEMAIL | meta | No description provided | 0.001 |
SPOOFED_FREEMAIL_NO_RDNS | meta | From SPOOFED_FREEMAIL and no rDNS | 1.500 |
SPOOFED_FREEM_REPTO | meta | Forged freemail sender with freemail reply-to | 0.001 |
SPOOFED_FREEM_REPTO_CHN | meta | Forged freemail sender with Chinese freemail reply-to | 0.001 |
SPOOFED_FREEM_REPTO_RUS | meta | Forged freemail sender with Russian freemail reply-to | 0.001 |
SPOOF_COM2COM | uri | URI contains “.com” in middle and end | 0.001 |
SPOOF_COM2OTH | uri | URI contains “.com” in middle | 0.001 |
STATIC_XPRIO_OLE | meta | Static RDNS + X-Priority + MIMEOLE | 1.999 |
STOCK_IMG_CTYPE | meta | Stock spam image part, with distinctive Content-Type header | 0.001 |
STOCK_IMG_HDR_FROM | meta | Stock spam image part, with distinctive From line | 0.001 |
STOCK_IMG_HTML | meta | Stock spam image part, with distinctive HTML | 0.000 |
STOCK_IMG_OUTLOOK | meta | Stock spam image part, with Outlook-like features | 0.001 |
STOCK_LOW_CONTRAST | meta | Stocks + hidden text | 1.392 |
STOCK_TIP | meta | Stock tips | 1.000 |
STOX_REPLY_TYPE | header | No description provided | 1.898 |
STOX_REPLY_TYPE_WITHOUT_QUOTES | meta | No description provided | 3.099 |
STYLE_GIBBERISH | ??? | No description provided | 0.100 |
SUBJECT_DIET | header | Subject talks about losing pounds | 1.927 |
SUBJECT_DRUG_GAP_C | header | Subject contains a gappy version of ‘cialis’ | 2.108 |
SUBJECT_DRUG_GAP_L | header | Subject contains a gappy version of ‘levitra’ | 2.799 |
SUBJECT_FUZZY_CHEAP | header | Attempt to obfuscate words in Subject: | 0.641 |
SUBJECT_IN_BLACKLIST | header | Subject: contains string in the user’s black-list | 100.000 |
SUBJECT_IN_WHITELIST | header | Subject: contains string in the user’s white-list | -100.000 |
SUBJECT_NEEDS_ENCODING | meta | Subject is encoded but does not specify the encoding | 0.498 |
SUBJ_ALL_CAPS | header | Subject is all capitals | 0.500 |
SUBJ_AS_SEEN | header | Subject contains “As Seen” | 2.711 |
SUBJ_BRKN_WORDNUMS | meta | Subject contains odd word breaks and numbers | 1.000 |
SUBJ_BUY | header | Subject line starts with Buy or Buying | 0.594 |
SUBJ_DOLLARS | header | Subject starts with dollar amount | 0.100 |
SUBJ_ILLEGAL_CHARS | meta | Subject: has too many raw illegal characters | 0.620 |
SUBJ_OBFU_PUNCT_FEW | meta | Possible punctuation-obfuscated Subject: header | 0.749 |
SUBJ_OBFU_PUNCT_MANY | meta | Punctuation-obfuscated Subject: header | 1.749 |
SUBJ_UNNEEDED_HTML | meta | Unneeded HTML formatting in Subject: | 1.000 |
SUBJ_YOUR_FAMILY | header | Subject contains “Your Family” | 2.910 |
SURBL_BLOCKED | body | ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. | 1.000 |
SUSPICIOUS_RECIPS | header | Similar addresses in recipient list | 2.499 |
SUSPNTLD_EXPIRATION_EXTORT | meta | Susp NTLD with an expiration notice and lotsa money | 2.000 |
SYSADMIN | meta | Supposedly from your IT department | 1.000 |
TBIRD_SUSP_MIME_BDRY | meta | Unlikely Thunderbird MIME boundary | 2.400 |
TEQF_USR_IMAGE | meta | To and from user nearly same + image | 1.000 |
TEQF_USR_MSGID_HEX | meta | To and from user nearly same + unusual message ID | 1.000 |
TEQF_USR_MSGID_MALF | meta | To and from user nearly same + malformed message ID | 1.000 |
THEBAT_UNREG | header | No description provided | 2.599 |
THIS_AD | meta | “This ad” and variants | 1.940 |
THIS_IS_ADV_SUSP_NTLD | meta | This is an advertisement from a suspicious TLD | 1.000 |
TONOM_EQ_TOLOC_SHRT_PSHRTNER | meta | Short subject with potential shortener and To:name eq To:local | 1.499 |
TONOM_EQ_TOLOC_SHRT_SHRTNER | meta | Short email with shortener and To:name eq To:local | 1.499 |
TO_EQ_FM_DIRECT_MX | meta | To == From and direct-to-MX | 1.588 |
TO_EQ_FM_DOM_HTML_IMG | meta | To domain == From domain and HTML image link | 0.001 |
TO_EQ_FM_DOM_HTML_ONLY | meta | To domain == From domain and HTML only | 0.001 |
TO_EQ_FM_DOM_SPF_FAIL | meta | To domain == From domain and external SPF failed | 0.001 |
TO_EQ_FM_HTML_ONLY | meta | To == From and HTML only | 0.001 |
TO_EQ_FM_SPF_FAIL | meta | To == From and external SPF failed | 0.001 |
TO_IN_SUBJ | meta | To address is in Subject | 0.100 |
TO_MALFORMED | header | To: has a malformed address | 0.100 |
TO_NAME_SUBJ_NO_RDNS | meta | Recipient username in subject + no rDNS | 2.602 |
TO_NO_BRKTS_DYNIP | meta | To: lacks brackets and dynamic rDNS | 1.961 |
TO_NO_BRKTS_FROM_MSSP | meta | Multiple header formatting problems | 2.499 |
TO_NO_BRKTS_HTML_IMG | meta | To: lacks brackets and HTML and one image | 1.999 |
TO_NO_BRKTS_HTML_ONLY | meta | To: lacks brackets and HTML only | 1.999 |
TO_NO_BRKTS_MSFT | meta | To: lacks brackets and supposed Microsoft tool | 2.499 |
TO_NO_BRKTS_NORDNS_HTML | meta | To: lacks brackets and no rDNS and HTML only | 1.496 |
TO_NO_BRKTS_PCNT | meta | To: lacks brackets + percentage | 2.499 |
TRACKER_ID | body | Incorporates a tracking ID number | 0.100 |
TT_MSGID_TRUNC | header | Scora: Message-Id ends after left-bracket + digits | 0.748 |
TVD_APPROVED | body | Body states that the recipient has been approved | 1.000 |
TVD_FINGER_02 | header | No description provided | 0.001 |
TVD_FW_GRAPHIC_NAME_LONG | mimeheader | Long image attachment name | 0.001 |
TVD_FW_GRAPHIC_NAME_MID | mimeheader | Medium sized image attachment name | 0.600 |
TVD_INCREASE_SIZE | body | Advertising for penis enlargement | 1.529 |
TVD_IP_OCT | uri | No description provided | 2.348 |
TVD_PH_BODY_ACCOUNTS_PRE | meta | The body matches phrases such as “accounts suspended”, “account credited”, “account verification” | 0.001 |
TVD_PH_REC | body | Message includes a phrase commonly used in phishing mails | 0.100 |
TVD_PH_SEC | body | Message includes a phrase commonly used in phishing mails | 0.100 |
TVD_QUAL_MEDS | body | The body matches phrases such as “quality meds” or “quality medication” | 2.697 |
TVD_RCVD_IP | header | Message was received from an IP address | 0.001 |
TVD_RCVD_IP4 | header | Message was received from an IPv4 address | 0.001 |
TVD_RCVD_SPACE_BRACKET | header | No description provided | 0.001 |
TVD_SPACE_ENCODED | meta | Space ratio & encoded subject | 1.500 |
TVD_SPACE_RATIO | meta | No description provided | 0.001 |
TVD_SPACE_RATIO_MINFP | meta | Space ratio | 1.500 |
TVD_SUBJ_ACC_NUM | header | Subject has spammy looking monetary reference | 0.100 |
TVD_SUBJ_WIPE_DEBT | header | Spam advertising a way to eliminate debt | 2.599 |
TVD_VISIT_PHARMA | body | Body mentions online pharmacy | 1.957 |
TW_GIBBERISH_MANY | meta | Lots of gibberish text to spoof pattern matching filters | 1.000 |
TXREP | header | Score normalizing based on sender’s reputation | 1.000 |
T_ACH_CANCELLED_EXE | meta | “ACH cancelled” probable malware | 0.100 |
T_ANY_PILL_PRICE | meta | Prices for pills | 0.100 |
T_CDISP_SZ_MANY | mimeheader | Suspicious MIME header | 0.100 |
T_DATE_IN_FUTURE_Q_PLUS | header | Date: is over 4 months after Received: date | 0.100 |
T_DOC_ATTACH_NO_EXT | meta | Document attachment with suspicious name | 0.100 |
T_DOS_OUTLOOK_TO_MX_IMAGE | meta | Direct to MX with Outlook headers and an image | 0.100 |
T_DOS_ZIP_HARDCORE | mimeheader | hardcore.zip file attached; quite certainly a virus | 0.100 |
T_EMRCP | body | “Excess Maximum Return Capital Profit” scam | 0.100 |
T_FILL_THIS_FORM_FRAUD_PHISH | meta | Answer suspicious question(s) | 0.100 |
T_FILL_THIS_FORM_LOAN | meta | Answer loan question(s) | 0.100 |
T_FILL_THIS_FORM_SHORT | meta | Fill in a short form with personal information | 0.100 |
T_FORGED_TBIRD_IMG_SIZE | meta | Likely forged Thunderbird image spam | 0.100 |
T_FREEMAIL_DOC_PDF | meta | MS document or PDF attachment, from freemail | 0.100 |
T_FREEMAIL_DOC_PDF_BCC | meta | MS document or PDF attachment, from freemail, all recipients hidden | 0.100 |
T_FREEMAIL_RVW_ATTCH | meta | Please review attached document, from freemail | 0.100 |
T_FROMNAME_EQUALS_TO | meta | From:name matches To: | 0.100 |
T_FROMNAME_SPOOFED_EMAIL | meta | From:name looks like a spoofed email | 0.100 |
T_FUZZY_OPTOUT | body | Obfuscated opt-out text | 0.100 |
T_GB_FREEM_FROM_NOT_REPLY | meta | From: and Reply-To: have different freemail domains | 0.100 |
T_GB_FROMNAME_SPOOFED_EMAIL_IP | meta | From:name looks like a spoofed email from a spoofed ip | 0.100 |
T_HTML_ATTACH | meta | HTML attachment to bypass scanning? | 0.100 |
T_HTML_TAG_BALANCE_CENTER | meta | Malformatted HTML | 0.100 |
T_ISO_ATTACH | meta | ISO attachment – possible malware delivery | 0.100 |
T_KAM_HTML_FONT_INVALID | body | Test for Invalidly Named or Formatted Colors in HTML | 0.100 |
T_LARGE_PCT_AFTER_MANY | meta | Many large percentages after… | 0.100 |
T_LOTTO_AGENT | meta | Claims Agent | 0.100 |
T_LOTTO_AGENT_FM | header | Claims Agent | 0.100 |
T_LOTTO_AGENT_RPLY | meta | Claims Agent | 0.100 |
T_LOTTO_URI | uri | Claims Department URL | 0.100 |
T_MALW_ATTACH | meta | Attachment filename suspicious, probable malware exploit | 0.100 |
T_MANY_PILL_PRICE | meta | Prices for many pills | 0.100 |
T_MIME_MALF | meta | Malformed MIME: headers in body | 0.100 |
T_MONEY_PERCENT | meta | X% of a lot of money for you | 0.100 |
T_OBFU_ATTACH_MISSP | meta | Obfuscated attachment type and misspaced From | 0.100 |
T_OBFU_DOC_ATTACH | mimeheader | MS Document attachment with generic MIME type | 0.100 |
T_OBFU_GIF_ATTACH | mimeheader | GIF attachment with generic MIME type | 0.100 |
T_OBFU_HTML_ATTACH | mimeheader | HTML attachment with non-text MIME type | 0.100 |
T_OBFU_HTML_ATT_MALW | meta | HTML attachment with incorrect MIME type – possible malware | 0.100 |
T_OBFU_JPG_ATTACH | mimeheader | JPG attachment with generic MIME type | 0.100 |
T_OBFU_PDF_ATTACH | mimeheader | PDF attachment with generic MIME type | 0.100 |
T_OFFER_ONLY_AMERICA | meta | Offer only available to US | 0.100 |
T_PDS_BTC_AHACKER | meta | Bitcoin Hacker | 0.100 |
T_PDS_BTC_HACKER | meta | Bitcoin Hacker | 0.100 |
T_PDS_BTC_NTLD | meta | Bitcoin suspect NTLD | 0.100 |
T_PDS_LTC_HACKER | meta | Litecoin Hacker | 0.100 |
T_REMOTE_IMAGE | meta | Message contains an external image | 0.100 |
T_SENT_TO_EMAIL_ADDR | meta | Email was sent to email address | 0.100 |
T_SHARE_50_50 | meta | Share the money 50/50 | 0.100 |
T_SPF_HELO_PERMERROR | header | SPF: test of HELO record failed (permerror) | 0.100 |
T_SPF_HELO_TEMPERROR | header | SPF: test of HELO record failed (temperror) | 0.100 |
T_SPF_PERMERROR | header | SPF: test of record failed (permerror) | 0.100 |
T_SPF_TEMPERROR | header | SPF: test of record failed (temperror) | 0.100 |
T_WON_MONEY_ATTACH | meta | You won lots of money! See attachment. | 0.100 |
T_WON_NBDY_ATTACH | meta | You won lots of money! See attachment. | 0.100 |
T_ZW_OBFU_BITCOIN | meta | Obfuscated text + bitcoin ID – possible extortion | 0.100 |
T_ZW_OBFU_FREEM | meta | Obfuscated text + freemail | 0.100 |
T_ZW_OBFU_FROMTOSUBJ | meta | Obfuscated text + from in to and subject | 0.100 |
UC_GIBBERISH_OBFU | meta | Multiple instances of “word VERYLONGGIBBERISH word” | 1.000 |
UNCLAIMED_MONEY | body | People just leave money laying around | 2.699 |
UNCLOSED_BRACKET | header | Headers contain an unclosed bracket | 2.699 |
UNICODE_OBFU_ASC | meta | Obfuscating text with unicode | 2.500 |
UNICODE_OBFU_ZW | meta | Obfuscating text with hidden characters | 1.000 |
UNPARSEABLE_RELAY | meta | Informational: message has unparseable relay lines | 0.001 |
UNRESOLVED_TEMPLATE | header | Headers contain an unresolved template | 3.035 |
UNWANTED_LANGUAGE_BODY | body | Message written in an undesired language | 2.800 |
UPGRADE_MAILBOX | meta | Upgrade your mailbox! (phishing?) | 1.272 |
UPPERCASE_50_75 | meta | message body is 50-75% uppercase | 0.001 |
UPPERCASE_75_100 | meta | message body is 75-100% uppercase | 1.480 |
URG_BIZ | body | Contains urgent matter | 1.750 |
URIBL_ABUSE_SURBL | body | Contains an URL listed in the ABUSE SURBL blocklist | 0.000 |
URIBL_CR_SURBL | body | Contains an URL listed in the CR SURBL blocklist | 0.000 |
URIBL_CSS | body | Contains an URL’s NS IP listed in the Spamhaus CSS blocklist | 0.000 |
URIBL_CSS_A | body | Contains URL’s A record listed in the Spamhaus CSS blocklist | 0.000 |
URIBL_DBL_ABUSE_BOTCC | body | Contains an abused botnet C&C URL listed in the Spamhaus DBL blocklist | 0.000 |
URIBL_DBL_ABUSE_MALW | body | Contains an abused malware URL listed in the Spamhaus DBL blocklist | 0.000 |
URIBL_DBL_ABUSE_PHISH | body | Contains an abused phishing URL listed in the Spamhaus DBL blocklist | 0.000 |
URIBL_DBL_ABUSE_REDIR | body | Contains an abused redirector URL listed in the Spamhaus DBL blocklist | 0.000 |
URIBL_DBL_ABUSE_SPAM | body | Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist | 0.000 |
URIBL_DBL_BLOCKED | body | ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ | 0.000 |
URIBL_DBL_BLOCKED_OPENDNS | body | ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ | 0.000 |
URIBL_DBL_BOTNETCC | body | Contains a botnet C&C URL listed in the Spamhaus DBL blocklist | 0.000 |
URIBL_DBL_ERROR | body | Error: queried the Spamhaus DBL blocklist for an IP | 0.000 |
URIBL_DBL_MALWARE | body | Contains a malware URL listed in the Spamhaus DBL blocklist | 0.000 |
URIBL_DBL_PHISH | body | Contains a Phishing URL listed in the Spamhaus DBL blocklist | 0.000 |
URIBL_DBL_SPAM | body | Contains a spam URL listed in the Spamhaus DBL blocklist | 0.000 |
URIBL_MW_SURBL | body | Contains a URL listed in the MW SURBL blocklist | 0.000 |
URIBL_PH_SURBL | body | Contains an URL listed in the PH SURBL blocklist | 0.000 |
URIBL_RHS_DOB | body | Contains an URI of a new domain (Day Old Bread) | 0.000 |
URIBL_SBL | body | Contains an URL’s NS IP listed in the Spamhaus SBL blocklist | 0.000 |
URIBL_SBL_A | body | Contains URL’s A record listed in the Spamhaus SBL blocklist | 0.000 |
URIBL_WS_SURBL | body | Contains an URL listed in the WS SURBL blocklist | 0.000 |
URIBL_ZEN_BLOCKED | body | ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/ | 0.000 |
URIBL_ZEN_BLOCKED_OPENDNS | body | ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ | 0.000 |
URI_DATA | meta | “data:” URI – possible malware or phish | 1.000 |
URI_DQ_UNSUB | meta | IP-address unsubscribe URI | 1.000 |
URI_GOOGLE_PROXY | meta | Accessing a blacklisted URI or obscuring source of phish via Google proxy? | 2.399 |
URI_HEX | uri | URI hostname has long hexadecimal sequence | 0.100 |
URI_HEX_IP | meta | URI with hex-encoded IP-address host | 1.000 |
URI_HOST_IN_BLACKLIST | body | Host or Domain is listed in the user’s URI black-list | 100.000 |
URI_HOST_IN_WHITELIST | body | Host or Domain is listed in the user’s URI white-list | -100.000 |
URI_IMG_WP_REDIR | meta | Image via WordPress “accelerator” proxy | 1.000 |
URI_NOVOWEL | uri | URI hostname has long non-vowel sequence | 0.500 |
URI_NO_WWW_BIZ_CGI | uri | CGI in .biz TLD other than third-level “www” | 1.000 |
URI_NO_WWW_INFO_CGI | uri | CGI in .info TLD other than third-level “www” | 1.000 |
URI_ONLY_MSGID_MALF | meta | URI only + malformed message ID | 1.803 |
URI_OPTOUT_3LD | uri | Opt-out URI, suspicious hostname | 1.000 |
URI_OPTOUT_USME | uri | Opt-out URI, unusual TLD | 1.000 |
URI_PHISH | meta | Phishing using web form | 2.252 |
URI_PHP_REDIR | meta | PHP redirect to different URL (link obfuscation) | 3.499 |
URI_TRUNCATED | body | Message contained a URI which was truncated | 0.001 |
URI_TRY_3LD | uri | “Try it” URI, suspicious hostname | 1.791 |
URI_TRY_USME | meta | “Try it” URI, unusual TLD | 1.000 |
URI_WPADMIN | meta | WordPress login/admin URI, possible phishing | 1.000 |
URI_WP_DIRINDEX | meta | URI for compromised WordPress site, possible malware | 1.538 |
URI_WP_HACKED | meta | URI for compromised WordPress site, possible malware | 3.499 |
URI_WP_HACKED_2 | meta | URI for compromised WordPress site, possible malware | 2.499 |
USB_DRIVES | meta | Trying to sell custom USB flash drives | 1.000 |
USER_IN_ALL_SPAM_TO | header | User is listed in ‘all_spam_to’ | -100.000 |
USER_IN_BLACKLIST | header | From: address is in the user’s black-list | 100.000 |
USER_IN_BLACKLIST_TO | header | User is listed in ‘blacklist_to’ | 10.000 |
USER_IN_DEF_DKIM_WL | header | From: address is in the default DKIM white-list | -7.500 |
USER_IN_DEF_SPF_WL | header | From: address is in the default SPF white-list | -7.500 |
USER_IN_DEF_WHITELIST | header | From: address is in the default white-list | -15.000 |
USER_IN_DKIM_WHITELIST | header | From: address is in the user’s DKIM whitelist | -100.000 |
USER_IN_MORE_SPAM_TO | header | User is listed in ‘more_spam_to’ | -20.000 |
USER_IN_SPF_WHITELIST | header | From: address is in the user’s SPF whitelist | -100.000 |
USER_IN_WHITELIST | header | From: address is in the user’s white-list | -100.000 |
USER_IN_WHITELIST_TO | header | User is listed in ‘whitelist_to’ | -6.000 |
VBOUNCE_MESSAGE | meta | Virus-scanner bounce message | 0.100 |
VPS_NO_NTLD | meta | vps[0-9] domain at a suspicious TLD | 1.000 |
WALMART_IMG_NOT_RCVD_WAL | meta | Walmart hosted image but message not from Walmart | 1.000 |
WEIRD_PORT | uri | Uses non-standard port number for HTTP | 0.001 |
WEIRD_QUOTING | body | Weird repeated double-quotation marks | 0.001 |
XM_PHPMAILER_FORGED | meta | Apparently forged header | 1.000 |
XPRIO | meta | Has X-Priority header | 2.250 |
XPRIO_SHORT_SUBJ | meta | Has X-Priority header + short subject | 2.500 |
XPRIO_URL_SHORTNER | meta | X-Priority header and short URL | 0.340 |
X_IP | header | Message has X-IP header | 0.001 |
X_MAILER_CME_6543_MSN | header | No description provided | 2.886 |
YOU_INHERIT | meta | Discussing your inheritance | 0.001 |
__DC_GIF_MULTI_LARGO | meta | Message has 2+ inline gif covering lots of area | 1.000 |
__DC_IMG_HTML_RATIO | rawbody | Low rawbody to pixel area ratio | 1.000 |
__DC_IMG_TEXT_RATIO | body | Low body to pixel area ratio | 1.000 |
__DC_PNG_MULTI_LARGO | meta | Message has 2+ png images covering lots of area | 1.000 |
__DKIM_DEPENDABLE | full | A validation failure not attributable to truncation | 1.000 |
__FORGED_TBIRD_IMG | meta | Possibly forged Thunderbird image spam | 1.000 |
__FROM_41_FREEMAIL | meta | Sent from Africa + freemail provider | 1.000 |
__GB_BITCOIN_CP_DE | meta | German Bitcoin scam | 1.000 |
__GB_BITCOIN_CP_EN | meta | English Bitcoin scam | 1.000 |
__GB_BITCOIN_CP_ES | meta | Spanish Bitcoin scam | 1.000 |
__GB_BITCOIN_CP_FR | meta | French Bitcoin scam | 1.000 |
__GB_BITCOIN_CP_IT | meta | Italian Bitcoin scam | 1.000 |
__GB_BITCOIN_CP_NL | meta | Dutch Bitcoin scam | 1.000 |
__GB_BITCOIN_CP_SE | meta | Swedish Bitcoin scam | 1.000 |
__HAS_HREF | rawbody | Has an anchor tag with a href attribute in non-quoted line | 1.000 |
__HAS_HREF_ONECASE | rawbody | Has an anchor tag with a href attribute in non-quoted line with consistent case | 1.000 |
__HAS_IMG_SRC | rawbody | Has an img tag on a non-quoted line | 1.000 |
__HAS_IMG_SRC_ONECASE | rawbody | Has an img tag on a non-quoted line with consistent case | 1.000 |
__KAM_BODY_LENGTH_LT_1024 | body | The length of the body of the email is less than 1024 bytes. | 1.000 |
__KAM_BODY_LENGTH_LT_128 | body | The length of the body of the email is less than 128 bytes. | 1.000 |
__KAM_BODY_LENGTH_LT_256 | body | The length of the body of the email is less than 256 bytes. | 1.000 |
__KAM_BODY_LENGTH_LT_512 | body | The length of the body of the email is less than 512 bytes. | 1.000 |
__MIME_BASE64 | rawbody | Includes a base64 attachment | 1.000 |
__MIME_QP | rawbody | Includes a quoted-printable attachment | 1.000 |
__ML_TURNS_SP_TO_TAB | header | A mailing list changing a space to a TAB | 1.000 |
__NSL_ORIG_FROM_41 | header | Originates from 41.0.0.0/8 | 1.000 |
__NSL_RCVD_FROM_41 | header | Received from 41.0.0.0/8 | 1.000 |
__RCVD_IN_MSPIKE_Z | header | Spam wave participant | 1.000 |
__RCVD_IN_SORBS | header | SORBS: sender is listed in SORBS | 1.000 |
__RCVD_IN_ZEN | header | Received via a relay in Spamhaus Zen | 1.000 |
__RDNS_DYNAMIC_ADELPHIA | header | Relay HELO’d using suspicious hostname (Adelphia) | 1.000 |
__RDNS_DYNAMIC_ATTBI | header | Relay HELO’d using suspicious hostname (ATTBI.com) | 1.000 |
__RDNS_DYNAMIC_CHELLO_NL | header | Relay HELO’d using suspicious hostname (Chello.nl) | 1.000 |
__RDNS_DYNAMIC_CHELLO_NO | header | Relay HELO’d using suspicious hostname (Chello.no) | 1.000 |
__RDNS_DYNAMIC_COMCAST | header | Relay HELO’d using suspicious hostname (Comcast) | 1.000 |
__RDNS_DYNAMIC_DHCP | header | Relay HELO’d using suspicious hostname (DHCP) | 1.000 |
__RDNS_DYNAMIC_DIALIN | header | Relay HELO’d using suspicious hostname (T-Dialin) | 1.000 |
__RDNS_DYNAMIC_HCC | header | Relay HELO’d using suspicious hostname (HCC) | 1.000 |
__RDNS_DYNAMIC_HEXIP | header | Relay HELO’d using suspicious hostname (Hex IP) | 1.000 |
__RDNS_DYNAMIC_IPADDR | header | Relay HELO’d using suspicious hostname (IP addr 1) | 1.000 |
__RDNS_DYNAMIC_NTL | header | Relay HELO’d using suspicious hostname (NTL) | 1.000 |
__RDNS_DYNAMIC_OOL | header | Relay HELO’d using suspicious hostname (OptOnline) | 1.000 |
__RDNS_DYNAMIC_ROGERS | header | Relay HELO’d using suspicious hostname (Rogers) | 1.000 |
__RDNS_DYNAMIC_RR2 | header | Relay HELO’d using suspicious hostname (RR 2) | 1.000 |
__RDNS_DYNAMIC_SPLIT_IP | header | Relay HELO’d using suspicious hostname (Split IP) | 1.000 |
__RDNS_DYNAMIC_TELIA | header | Relay HELO’d using suspicious hostname (Telia) | 1.000 |
__RDNS_DYNAMIC_VELOX | header | Relay HELO’d using suspicious hostname (Veloxzone) | 1.000 |
__RDNS_DYNAMIC_VTR | header | Relay HELO’d using suspicious hostname (VTR) | 1.000 |
__RDNS_DYNAMIC_YAHOOBB | header | Relay HELO’d using suspicious hostname (YahooBB) | 1.000 |
__TO_EQ_FROM | meta | To: same as From: | 1.000 |
__TO_EQ_FROM_DOM | meta | To: domain same as From: domain | 1.000 |
__TO_EQ_FROM_USR | meta | To: username same as From: username | 1.000 |
__TO_EQ_FROM_USR_NN | meta | To: username same as From: username sans trailing nums | 1.000 |
__VIA_ML | meta | Mail from a mailing list | 1.000 |
__VIA_RESIGNER | meta | Mail through a popular signing remailer | 1.000 |
whitelist_from : Specify mail addresses you can trust. Mail from a very important business partner or from the same server does not need to be scored at all.
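As an added example (not from the original page), the local.cf fragment below shows how the rule names and scores in the table above are used in practice: re-scoring listed rules, building a local meta rule from them, and adding a whitelist_from entry. The rule name LOCAL_PHISH_URGENT and its score are assumptions chosen for illustration; the addresses are placeholders; every other rule name comes from the table.

```conf
# Added example (not from the original page): local.cf fragment that
# adjusts scores of rules from the table above and adds a local meta rule.
# LOCAL_PHISH_URGENT, its score and the addresses are assumptions.

# Re-score existing rules. A single value applies to every scoreset;
# 0 disables a rule (it still runs but contributes nothing to the total).
score URI_PHISH        3.0
score XPRIO            1.0
score WEIRD_PORT       0

# Local meta rule combining table rules. Rules whose names begin with "__"
# (e.g. __TO_EQ_FROM) are subrules with no score of their own and exist
# only to be referenced inside meta expressions such as this one.
meta     LOCAL_PHISH_URGENT  (URI_PHISH && URG_BIZ && __TO_EQ_FROM)
describe LOCAL_PHISH_URGENT  Web-form phishing with urgent wording and To: equal to From:
score    LOCAL_PHISH_URGENT  2.0

# Sender allow-list: fires USER_IN_WHITELIST (-100.000 in the table), which
# outweighs any positive score the message collects. whitelist_from matches
# only the From: header, which is not authenticated, so keep entries narrow;
# whitelist_from_spf and whitelist_from_dkim are the authenticated variants.
whitelist_from  partner@example.com
whitelist_from  *@example.org
```

After editing local.cf, check the syntax with `spamassassin --lint` before restarting spamd; a malformed rule line is reported there rather than silently ignored.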
The following SPF settings mean that the SPF verdict is trusted and the score is reduced (a negative score is applied).