Spamassassin: Tests und deren Beschreibung
Wer sich schon einmal näher mit Spamassassin beschäftigt hat wird wissen, dass dieses hilfreiche Werkzeug die durchgeleitete eMail mittels verschiedener Algorithmen bewertet und während der Ausführung der diversen Tests bei passender Konfiguration die als positiv erkannten Spamerkennungs-Treffer durch Schlagworte im Mailheader anzeigt.
Ein Beispiel:
X-Spam-Status: No, score=-1.5 required=8.8 tests=AWL,BAYES_00,
FORGED_RCVD_HELO,HTML_90_100,HTML_IMAGE_RATIO_02,HTML_MESSAGE,
SPF_HELO_PASS autolearn=no version=3.1.1
Die Stichwörter besitzen zwar einigermaßen sprechende Namen, manchmal wäre es aber doch hilfreich, nähere Details über den positiven Treffer zu erhalten.
Hier eine Auflistung der am häufigsten anzutreffenden Schlüsselworte mit Erklärung und Ort der Erkennung:
| Schlüsselwort | Erklärung | Ort |
|---|---|---|
| ACCESSDB | Message would have been caught by accessdb | header |
| ACT_NOW_CAPS | Talks about ‘acting now’ with capitals | body |
| ADDR_FREE | From Address contains FREE | header |
| ADDRESS_IN_SUBJECT | To: address appears in Subject | header |
| ALL_NATURAL | Spam is 100% natural?! | body |
| ALL_TRUSTED | Passed through trusted hosts only via SMTP | header |
| AMATEUR_PORN | Possible porn – Amateur Porn | body |
| AMAZING_STUFF | Amazing Stuff | body |
| AS_SEEN_ON | As seen on national TV! | body |
| AWL | From: address is in the auto white-list | header |
| BAD_CREDIT | Eliminate Bad Credit | body |
| BAD_ENC_HEADER | Message has bad MIME encoding in the header | header |
| BANG_EXERCISE | Talks about exercise with an exclamation! | body |
| BANG_GUAR | Something is emphatically guaranteed | body |
| BANG_MORE | Talks about more with an exclamation! | body |
| BANG_OPRAH | Talks about Oprah with an exclamation! | body |
| BARGAIN_URL | Includes a link to a likely spammer domain | uri |
| BAYES_00 | Bayesian spam probability is 0 to 1% | body |
| BAYES_05 | Bayesian spam probability is 1 to 5% | body |
| BAYES_20 | Bayesian spam probability is 5 to 20% | body |
| BAYES_40 | Bayesian spam probability is 20 to 40% | body |
| BAYES_50 | Bayesian spam probability is 40 to 60% | body |
| BAYES_60 | Bayesian spam probability is 60 to 80% | body |
| BAYES_80 | Bayesian spam probability is 80 to 95% | body |
| BAYES_95 | Bayesian spam probability is 95 to 99% | body |
| BAYES_99 | Bayesian spam probability is 99 to 100% | body |
| BE_BOSS | Be your own boss | body |
| BEST_PORN | Possible porn – Best, Largest, Most Porn | body |
| BILL_1618 | Possible mention of bill 1618 (anti-spam bill) | body |
| BILLION_DOLLARS | Talks about lots of money | body |
| BIZ_TLD | Contains an URL in the BIZ top-level domain | uri |
| BLANK_LINES_70_80 | Message body has 70-80% blank lines | body |
| BLANK_LINES_80_90 | Message body has 80-90% blank lines | body |
| BLANK_LINES_90_100 | Message body has 90-100% blank lines | body |
| BODY_8BITS | Body includes 8 consecutive 8-bit characters | body |
| BODY_ENHANCEMENT | Information on growing body parts | body |
| BODY_ENHANCEMENT2 | Information on getting larger body parts | body |
| CHARSET_FARAWAY | Character set indicates a foreign language | body |
| CHARSET_FARAWAY_HEADER | A foreign language charset used in headers | header |
| CHINA_HEADER | Involves ‘china.com’ | header |
| CLICK_BELOW_CAPS | Asks you to click below (in capital letters) | body |
| CLICK_TO_REMOVE_1 | Click to be removed | body |
| COMPETE | Compete for your business | body |
| CONFIDENTIAL_ORDER | Confidentiality on all orders | body |
| CONSOLIDATE_DEBT | Consolidate debt, credit, or bills | body |
| CUM_SHOT | Possible porn – Cum Shot | body |
| DATE_IN_FUTURE_03_06 | Date: is 3 to 6 hours after Received: date | header |
| DATE_IN_FUTURE_06_12 | Date: is 6 to 12 hours after Received: date | header |
| DATE_IN_FUTURE_12_24 | Date: is 12 to 24 hours after Received: date | header |
| DATE_IN_FUTURE_24_48 | Date: is 24 to 48 hours after Received: date | header |
| DATE_IN_FUTURE_48_96 | Date: is 48 to 96 hours after Received: date | header |
| DATE_IN_FUTURE_96_XX | Date: is 96 hours or more after Received: date | header |
| DATE_IN_PAST_03_06 | Date: is 3 to 6 hours before Received: date | header |
| DATE_IN_PAST_06_12 | Date: is 6 to 12 hours before Received: date | header |
| DATE_IN_PAST_12_24 | Date: is 12 to 24 hours before Received: date | header |
| DATE_IN_PAST_24_48 | Date: is 24 to 48 hours before Received: date | header |
| DATE_IN_PAST_48_96 | Date: is 48 to 96 hours before Received: date | header |
| DATE_IN_PAST_96_XX | Date: is 96 hours or more before Received: date | header |
| DATE_SPAMWARE_Y2K | Date header uses unusual Y2K formatting | header |
| DCC_CHECK | Listed in DCC (http://rhyolite.com/anti-spam/dcc/) | full |
| DEAR_FRIEND | Dear Friend? That’s not very dear! | body |
| DEAR_SOMETHING | Contains ‘Dear (something)’ | body |
| DEEP_DISC_MEDS | Deep discount medications | body |
| DIET_1 | Lose Weight Spam | body |
| DIET_2 | Describes weight loss | body |
| DIET_3 | Describes body fat loss | body |
| DISGUISE_PORN | Attempts to disguise porn words | body |
| DISGUISE_PORN_MUNDANE | Attempts to disguise mundane words used in porn | body |
| DK_POLICY_SIGNALL | Domain Keys: policy says domain signs all mails | header |
| DK_POLICY_SIGNSOME | Domain Keys: policy says domain signs some mails | header |
| DK_POLICY_TESTING | Domain Keys: policy says domain is testing DK | header |
| DK_SIGNED | Domain Keys: message has an unverified signature | header |
| DK_VERIFIED | Domain Keys: signature passes verification | header |
| DNS_FROM_AHBL_RHSBL | From: sender listed in dnsbl.ahbl.org | header |
| DNS_FROM_RFC_ABUSE | Envelope sender in abuse.rfc-ignorant.org | header |
| DNS_FROM_RFC_BOGUSMX | Envelope sender in bogusmx.rfc-ignorant.org | header |
| DNS_FROM_RFC_DSN | Envelope sender in dsn.rfc-ignorant.org | header |
| DNS_FROM_RFC_POST | Envelope sender in postmaster.rfc-ignorant.org | header |
| DNS_FROM_RFC_WHOIS | Envelope sender in whois.rfc-ignorant.org | header |
| DNS_FROM_SECURITYSAGE | Envelope sender in blackholes.securitysage.com | header |
| DOMAIN_4U2 | Domain name containing a "4u" variant | uri |
| DOMAIN_RATIO | Message body mentions many internet domains | body |
| DRUG_DOSAGE | Talks about price per dose | body |
| DRUG_ED_CAPS | Mentions an E.D. drug | body |
| DRUG_ED_COMBO | Viagra and other drugs | body |
| DRUG_ED_GENERIC | Mentions Generic Viagra | body |
| DRUG_ED_ONLINE | Fast Viagra Delivery | body |
| DRUG_ED_SILD | Talks about an E.D. drug using its chemical name | body |
| DRUGS_SMEAR1 | Two or more drugs crammed together into one word | body |
| EARN_PER_WEEK | Contains ‘earn (dollar) something per week’ | body |
| EM_ROLEX | Message puts emphasis on the watch manufacturer | body |
| EMAIL_ROT13 | Body contains a ROT13-encoded email address | body |
| ENGLISH_UCE_SUBJECT | Subject contains an English UCE tag | header |
| ENTITY_DEC_ALPHANUM | HTML contains needlessly encoded characters | rawbody |
| EXCUSE_10 | "if you do not wish to receive any more" | body |
| EXCUSE_12 | Nobody’s perfect | body |
| EXCUSE_23 | Claims you have provided permission | body |
| EXCUSE_24 | Claims you wanted this ad | body |
| EXCUSE_4 | Claims you can be removed from the list | body |
| EXCUSE_6 | Claims you can be removed from the list | body |
| EXCUSE_REMOVE | Talks about how to be removed from mailings | body |
| EXTRA_CASH | Offers Extra Cash | body |
| EXTRA_MPART_TYPE | Header has extraneous Content-type:…type= entry | header |
| FAKE_HELO_EMAIL_COM | Host HELO did not match rDNS: email.com | header |
| FAKE_HELO_EUDORAMAIL | Host HELO did not match rDNS: eudoramail.com | header |
| FAKE_HELO_EXCITE | Host HELO did not match rDNS: excite.com | header |
| FAKE_HELO_LYCOS | Host HELO did not match rDNS: lycos.com | header |
| FAKE_HELO_MAIL_COM | Host HELO did not match rDNS: mail.com | header |
| FAKE_HELO_MAIL_COM_DOM | Relay HELO’d with suspicious hostname (mail.com) | header |
| FAKE_HELO_MSN | Host HELO did not match rDNS: msn.com | header |
| FAKE_HELO_YAHOO_CA | Host HELO did not match rDNS: yahoo.ca | header |
| FAKE_OUTBLAZE_RCVD | Received header contains faked ‘mr.outblaze.com’ | header |
| FAKED_UNDISC_RECIPS | Faked To "Undisclosed-Recipients" | header |
| FIN_FREE | Freedom of a financial nature | body |
| FORGED_AOL_RCVD | Received forged, contains fake AOL relays | header |
| FORGED_EUDORAMAIL_RCVD | Forged eudoramail.com ‘Received:’ header found | header |
| FORGED_GW05_RCVD | Forged ‘by gw05′ ‘Received:’ header found | header |
| FORGED_HOTMAIL_RCVD | Forged hotmail.com ‘Received:’ header found | header |
| FORGED_HOTMAIL_RCVD2 | hotmail.com ‘From’ address, but no ‘Received:’ | header |
| FORGED_JUNO_RCVD | ‘From’ juno.com does not match ‘Received’ headers | header |
| FORGED_RCVD_HELO | Received: contains a forged HELO | header |
| FORGED_TELESP_RCVD | Contains forged hostname for a DSL IP in Brazil | header |
| FORGED_YAHOO_RCVD | ‘From’ yahoo.com does not match ‘Received’ headers |
header |
| FORWARD_LOOKING | Stock Disclaimer Statement | body |
| FRAGMENTED_MESSAGE | Partial message | header |
| FREE_ACCESS | Contains ‘free access’ with capitals | body |
| FREE_PORN | Possible porn – Free Porn | body |
| FREE_PREVIEW | Free Preview | body |
| FREE_QUOTE_INSTANT | Free express or no-obligation quote | body |
| FREE_SAMPLE | Contains ‘free sample’ with capitals | body |
| FROM_ALL_NUMS | From numeric address (except US/Canada phones) | header |
| FROM_AND_TO_SAME | From and To are the same, but not exactly | header |
| FROM_BLANK_NAME | From: contains empty name | header |
| FROM_DOMAIN_NOVOWEL | From: domain has series of non-vowel letters | header |
| FROM_ENDS_IN_NUMS | From: ends in many numbers | header |
| FROM_HAS_MIXED_NUMS | From: contains numbers mixed in with letters | header |
| FROM_HAS_ULINE_NUMS | From: contains an underline and numbers/letters | header |
| FROM_ILLEGAL_CHARS | From: has too many raw illegal characters | header |
| FROM_LOCAL_DIGITS | From: localpart has long digit sequence | header |
| FROM_LOCAL_HEX | From: localpart has long hexadecimal sequence | header |
| FROM_LOCAL_NOVOWEL | From: localpart has series of non-vowel letters | header |
| FROM_NO_LOWER | From address has no lower-case characters | header |
| FROM_NO_USER | From: has no local-part before @ sign | header |
| FROM_NONSENDING_DOMAIN | Message is from domain that never sends email | header |
| FROM_OFFERS | From address is "at something-offers" | header |
| FROM_STARTS_WITH_NUMS | From: starts with many numbers | header |
| FRONTPAGE | Frontpage used to create the message | rawbody |
| FULL_REFUND | Offers a full refund | body |
| FUZZY_AFFORDABLE | Attempt to obfuscate words in spam | body |
| FUZZY_AMBIEN | Attempt to obfuscate words in spam | body |
| FUZZY_BILLION | Attempt to obfuscate words in spam | body |
| FUZZY_CELEBREX | Attempt to obfuscate words in spam | body |
| FUZZY_CPILL | Attempt to obfuscate words in spam | body |
| FUZZY_CREDIT | Attempt to obfuscate words in spam | body |
| FUZZY_ERECT | Attempt to obfuscate words in spam | body |
| FUZZY_FOLLOW | Attempt to obfuscate words in spam | body |
| FUZZY_GUARANTEE | Attempt to obfuscate words in spam | body |
| FUZZY_MEDICATION | Attempt to obfuscate words in spam | body |
| FUZZY_MILF | Attempt to obfuscate words in spam | body |
| FUZZY_MILLION | Attempt to obfuscate words in spam | body |
| FUZZY_MONEY | Attempt to obfuscate words in spam | body |
| FUZZY_MORTGAGE | Attempt to obfuscate words in spam | body |
| FUZZY_OBLIGATION | Attempt to obfuscate words in spam | body |
| FUZZY_OFFERS | Attempt to obfuscate words in spam | body |
| FUZZY_PHARMACY | Attempt to obfuscate words in spam | body |
| FUZZY_PHENT | Attempt to obfuscate words in spam | body |
| FUZZY_PLEASE | Attempt to obfuscate words in spam | body |
| FUZZY_PRESCRIPT | Attempt to obfuscate words in spam | body |
| FUZZY_PRICES | Attempt to obfuscate words in spam | body |
| FUZZY_REFINANCE | Attempt to obfuscate words in spam | body |
| FUZZY_REMOVE | Attempt to obfuscate words in spam | body |
| FUZZY_ROLEX | Attempt to obfuscate words in spam | body |
| FUZZY_SOFTWARE | Attempt to obfuscate words in spam | body |
| FUZZY_THOUSANDS | Attempt to obfuscate words in spam | body |
| FUZZY_TRAMADOL | Attempt to obfuscate words in spam | body |
| FUZZY_VICODIN | Attempt to obfuscate words in spam | body |
| FUZZY_VIOXX | Attempt to obfuscate words in spam | body |
| FUZZY_VLIUM | Attempt to obfuscate words in spam | body |
| FUZZY_VPILL | Attempt to obfuscate words in spam | body |
| FUZZY_XPILL | Attempt to obfuscate words in spam | body |
| GAPPY_SUBJECT | Subject: contains G.a.p.p.y-T.e.x.t | header |
| GET_PAID | Get Paid | body |
| GTUBE | Generic Test for Unsolicited Bulk Email | body |
| GUARANTEED_100_PERCENT | One hundred percent guaranteed | body |
| GUARANTEED_STUFF | Guaranteed Stuff | body |
| HABEAS_ACCREDITED_COI | Habeas Accredited Confirmed Opt-In or Better | header |
| HABEAS_ACCREDITED_SOI | Habeas Accredited Opt-In or Better | header |
| HABEAS_CHECKED | Habeas Checked | header |
| HAIR_LOSS | Cures Baldness | body |
| HARDCORE_PORN | Possible porn – Hardcore Porn | body |
| HASHCASH_20 | Contains valid Hashcash token (20 bits) | header |
| HASHCASH_21 | Contains valid Hashcash token (21 bits) | header |
| HASHCASH_22 | Contains valid Hashcash token (22 bits) | header |
| HASHCASH_23 | Contains valid Hashcash token (23 bits) | header |
| HASHCASH_24 | Contains valid Hashcash token (24 bits) | header |
| HASHCASH_25 | Contains valid Hashcash token (25 bits) | header |
| HASHCASH_2SPEND | Hashcash token already spent in another mail | header |
| HASHCASH_HIGH | Contains valid Hashcash token (>25 bits) | header |
| HDR_ORDER_MTSRIX | Headers are in order found in spam (MTSRIX) | header |
| HDR_ORDER_TRIMRS | Headers are in order found in spam (TRIMRS) | header |
| HEAD_ILLEGAL_CHARS | Headers have too many raw illegal characters | header |
| HEAD_LONG | Message headers are very long | header |
| HEADER_COUNT_CTYPE | Multiple Content-Type headers found | header |
| HEADER_SPAM | Bulk email fingerprint (header-based) found | header |
| HELO_DYNAMIC_ADELPHIA | Relay HELO’d using suspicious hostname (Adelphia) | header |
| HELO_DYNAMIC_ATTBI | Relay HELO’d using suspicious hostname (ATTBI.com) | header |
| HELO_DYNAMIC_CHELLO_NL | Relay HELO’d using suspicious hostname (Chello.nl) | header |
| HELO_DYNAMIC_CHELLO_NO | Relay HELO’d using suspicious hostname (Chello.no) |
header |
| HELO_DYNAMIC_COMCAST | Relay HELO’d using suspicious hostname (Comcast) | header |
| HELO_DYNAMIC_DHCP | Relay HELO’d using suspicious hostname (DHCP) | header |
| HELO_DYNAMIC_DIALIN | Relay HELO’d using suspicious hostname (T-Dialin) | header |
| HELO_DYNAMIC_HCC | Relay HELO’d using suspicious hostname (HCC) | header |
| HELO_DYNAMIC_HEXIP | Relay HELO’d using suspicious hostname (Hex IP) | header |
| HELO_DYNAMIC_HOME_NL | Relay HELO’d using suspicious hostname (Home.nl) | header |
| HELO_DYNAMIC_IPADDR | Relay HELO’d using suspicious hostname (IP addr 1) | header |
| HELO_DYNAMIC_IPADDR2 | Relay HELO’d using suspicious hostname (IP addr 2) | header |
| HELO_DYNAMIC_NTL | Relay HELO’d using suspicious hostname (NTL) | header |
| HELO_DYNAMIC_OOL | Relay HELO’d using suspicious hostname (OptOnline) |
header |
| HELO_DYNAMIC_ROGERS | Relay HELO’d using suspicious hostname (Rogers) | header |
| HELO_DYNAMIC_RR2 | Relay HELO’d using suspicious hostname (RR 2) | header |
| HELO_DYNAMIC_SPLIT_IP | Relay HELO’d using suspicious hostname (Split IP) | header |
| HELO_DYNAMIC_TELIA | Relay HELO’d using suspicious hostname (Telia) | header |
| HELO_DYNAMIC_VELOX | Relay HELO’d using suspicious hostname (Veloxzone) | header |
| HELO_DYNAMIC_VTR | Relay HELO’d using suspicious hostname (VTR) | header |
| HELO_DYNAMIC_YAHOOBB | Relay HELO’d using suspicious hostname (YahooBB) | header |
| HIDDEN_CHARGES | Talks about Hidden Charges | body |
| HIDE_WIN_STATUS | Javascript to hide URLs in browser | rawbody |
| HIGH_CODEPAGE_URI | /^https?:\/\/[^\/]*\&\#(?:\d{4,}| [3456789]\d\d);/i | uri |
| HOT_NASTY | Possible porn – Hot, Nasty, Wild, Young | body |
| HTML_00_10 | Message is 0% to 10% HTML | body |
| HTML_10_20 | Message is 10% to 20% HTML | body |
| HTML_20_30 | Message is 20% to 30% HTML | body |
| HTML_30_40 | Message is 30% to 40% HTML | body |
| HTML_40_50 | Message is 40% to 50% HTML | body |
| HTML_50_60 | Message is 50% to 60% HTML | body |
| HTML_60_70 | Message is 60% to 70% HTML | body |
| HTML_70_80 | Message is 70% to 80% HTML | body |
| HTML_80_90 | Message is 80% to 90% HTML | body |
| HTML_90_100 | Message is 90% to 100% HTML | body |
| HTML_ATTR_BAD | HTML has many bad attributes in tags | body |
| HTML_ATTR_UNIQUE | HTML appears to have random attributes in tags | body |
| HTML_BACKHAIR_2 | HTML tags used to obfuscate words | body |
| HTML_BACKHAIR_4 | HTML tags used to obfuscate words | body |
| HTML_BACKHAIR_8 | HTML tags used to obfuscate words | body |
| HTML_BADTAG_00_10 | HTML message is 0% to 10% bad tags | body |
| HTML_BADTAG_10_20 | HTML message is 10% to 20% bad tags | body |
| HTML_BADTAG_20_30 | HTML message is 20% to 30% bad tags | body |
| HTML_BADTAG_30_40 | HTML message is 30% to 40% bad tags | body |
| HTML_BADTAG_40_50 | HTML message is 40% to 50% bad tags | body |
| HTML_BADTAG_50_60 | HTML message is 50% to 60% bad tags | body |
| HTML_BADTAG_60_70 | HTML message is 60% to 70% bad tags | body |
| HTML_BADTAG_70_80 | HTML message is 70% to 80% bad tags | body |
| HTML_BADTAG_80_90 | HTML message is 80% to 90% bad tags | body |
| HTML_BADTAG_90_100 | HTML message is 90% to 100% bad tags | body |
| HTML_COMMENT_SAVED_URL | HTML message is a saved web page | body |
| HTML_COMMENT_SHORT | HTML comment is very short | body |
| HTML_EHTML2 | HTML has doubled end HTML tag | rawbody |
| HTML_EMBEDS | HTML with embedded plugin object | body |
| HTML_EVENT_UNSAFE | HTML contains unsafe auto-executing code | body |
| HTML_EXTRA_CLOSE | HTML contains far too many close tags | body |
| HTML_FONT_BIG | HTML tag for a big font size | body |
| HTML_FONT_FACE_BAD | HTML font face is not a word | body |
| HTML_FONT_FACE_CAPS | HTML font face has excess capital characters | body |
| HTML_FONT_INVISIBLE | HTML font color is same as background | body |
| HTML_FONT_LOW_CONTRAST | HTML font color similar to background | body |
| HTML_FONT_SIZE_HUGE | HTML font size is huge | body |
| HTML_FONT_SIZE_LARGE | HTML font size is large | body |
| HTML_FONT_SIZE_NONE | HTML font size is negative | body |
| HTML_FONT_SIZE_TINY | HTML font size is tiny | body |
| HTML_FONT_TINY | HTML tag for a tiny font size | body |
| HTML_FORMACTION_MAILTO | HTML includes a form which sends mail | body |
| HTML_IMAGE_ONLY_04 | HTML: images with 0-400 bytes of words | body |
| HTML_IMAGE_ONLY_08 | HTML: images with 400-800 bytes of words | body |
| HTML_IMAGE_ONLY_12 | HTML: images with 800-1200 bytes of words | body |
| HTML_IMAGE_ONLY_16 | HTML: images with 1200-1600 bytes of words | body |
| HTML_IMAGE_ONLY_20 | HTML: images with 1600-2000 bytes of words | body |
| HTML_IMAGE_ONLY_24 | HTML: images with 2000-2400 bytes of words | body |
| HTML_IMAGE_ONLY_28 | HTML: images with 2400-2800 bytes of words | body |
| HTML_IMAGE_ONLY_32 | HTML: images with 2800-3200 bytes of words | body |
| HTML_IMAGE_RATIO_02 | HTML has a low ratio of text to image area | body |
| HTML_IMAGE_RATIO_04 | HTML has a low ratio of text to image area | body |
| HTML_IMAGE_RATIO_06 | HTML has a low ratio of text to image area | body |
| HTML_IMAGE_RATIO_08 | HTML has a low ratio of text to image area | body |
| HTML_LINK_IMAGE_BUG | HTML link plus image plus web bug | body |
| HTML_LINK_OPT_OUT | HTML link text says "opt out" or similar | body |
| HTML_LINK_PUSH_HERE | HTML link text says "push here" or similar | body |
| HTML_MESSAGE | HTML included in message | body |
| HTML_NONELEMENT_00_10 | 0% to 10% of HTML elements are non-standard | body |
| HTML_NONELEMENT_10_20 | 10% to 20% of HTML elements are non-standard | body |
| HTML_NONELEMENT_20_30 | 20% to 30% of HTML elements are non-standard | body |
| HTML_NONELEMENT_30_40 | 30% to 40% of HTML elements are non-standard | body |
| HTML_NONELEMENT_40_50 | 40% to 50% of HTML elements are non-standard | body |
| HTML_NONELEMENT_50_60 | 50% to 60% of HTML elements are non-standard | body |
| HTML_NONELEMENT_60_70 | 60% to 70% of HTML elements are non-standard | body |
| HTML_NONELEMENT_70_80 | 70% to 80% of HTML elements are non-standard | body |
| HTML_NONELEMENT_80_90 | 80% to 90% of HTML elements are non-standard | body |
| HTML_NONELEMENT_90_100 | 90% to 100% of HTML elements are non-standard | body |
| HTML_OBFUSCATE_05_10 | Message is 5% to 10% HTML obfuscation | body |
| HTML_OBFUSCATE_10_20 | Message is 10% to 20% HTML obfuscation | body |
| HTML_OBFUSCATE_20_30 | Message is 20% to 30% HTML obfuscation | body |
| HTML_OBFUSCATE_30_40 | Message is 30% to 40% HTML obfuscation | body |
| HTML_OBFUSCATE_40_50 | Message is 40% to 50% HTML obfuscation | body |
| HTML_OBFUSCATE_50_60 | Message is 50% to 60% HTML obfuscation | body |
| HTML_OBFUSCATE_60_70 | Message is 60% to 70% HTML obfuscation | body |
| HTML_OBFUSCATE_70_80 | Message is 70% to 80% HTML obfuscation | body |
| HTML_OBFUSCATE_80_90 | Message is 80% to 90% HTML obfuscation | body |
| HTML_OBFUSCATE_90_100 | Message is 90% to 100% HTML obfuscation | body |
| HTML_SHORT_LENGTH | HTML is extremely short | body |
| HTML_SHOUTING3 | HTML has very strong "shouting" markup | body |
| HTML_SHOUTING4 | HTML has very strong "shouting" markup | body |
| HTML_SHOUTING5 | HTML has very strong "shouting" markup | body |
| HTML_SHOUTING6 | HTML has very strong "shouting" markup | body |
| HTML_SHOUTING7 | HTML has very strong "shouting" markup | body |
| HTML_TAG_BALANCE_BODY | HTML has unbalanced "body" tags | body |
| HTML_TAG_BALANCE_HEAD | HTML has unbalanced "head" tags | body |
| HTML_TAG_EXIST_BGSOUND | HTML has "bgsound" tag | body |
| HTML_TAG_EXIST_MARQUEE | HTML has "marquee" tag | body |
| HTML_TAG_EXIST_TBODY | HTML has "tbody" tag | body |
| HTML_TEXT_AFTER_BODY | HTML contains text after BODY close tag | body |
| HTML_TEXT_AFTER_HTML | HTML contains text after HTML close tag | body |
| HTML_TINY_FONT | body contains 1 or 0-point font | rawbody |
| HTML_TITLE_EMPTY | HTML title contains no text | body |
| HTML_TITLE_UNTITLED | HTML title contains "Untitled" | body |
| HTML_WEB_BUGS | Image tag intended to identify you | body |
| HTTP_77 | Contains an URL-encoded hostname (HTTP77) | uri |
| HTTP_CTRL_CHARS_HOST | Uses control sequences inside a URL hostname | uri |
| HTTP_ESCAPED_HOST | Uses %-escapes inside a URL’s hostname | uri |
| HTTP_EXCESSIVE_ESCAPES | Completely unnecessary %-escapes inside a URL | uri |
| HTTPS_IP_MISMATCH | IP to HTTPS link found in HTML | body |
| IMPOTENCE | Impotence cure | body |
| INFO_TLD | Contains an URL in the INFO top-level domain | uri |
| INTERRUPTUS | Message looks to contain HTML-interrupted text | rawbody |
| INVALID_DATE | Invalid Date: header (not RFC 2822) | header |
| INVALID_DATE_TZ_ABSURD | Invalid Date: header (timezone does not exist) | header |
| INVALID_TZ_CST | Invalid date in header (wrong CST timezone) | header |
| INVALID_TZ_EST | Invalid date in header (wrong EST timezone) | header |
| INVALID_TZ_GMT | Invalid date in header (wrong GMT/UTC timezone) | header |
| INVESTMENT_ADVICE | Message mentions investment advice | body |
| INVESTMENT_EXPERT | Message mentions investment expert | body |
| IP_LINK_PLUS | Dotted-decimal IP address followed by CGI | uri |
| JAPANESE_UCE_SUBJECT | Subject contains a Japanese UCE tag | header |
| JOIN_MILLIONS | Join Millions of Americans | body |
| KOREAN_UCE_SUBJECT | Subject: contains Korean unsolicited email tag | header |
| LIVE_PORN | Possible porn – Live Porn | body |
| LOCALPART_IN_SUBJECT | Local part of To: address appears in Subject | header |
| LOTS_OF_STUFF | Thousands or millions of pictures, movies, etc. | body |
| LOW_PRICE | Lowest Price | body |
| MAILTO_SUBJ_REMOVE | mailto URI includes removal text | rawbody |
| MAILTO_TO_REMOVE | Includes a ‘remove’ email address | uri |
| MAILTO_TO_SPAM_ADDR | Includes a link to a likely spammer email | uri |
| MALE_ENHANCE | Message talks about enhancing men | body |
| MARKETING_PARTNERS | Claims you registered with a partner | body |
| MEET_SINGLES | Meet Singles | body |
| MICRO_CAP_WARNING | SEC-mandated penny-stock warning | body |
| MICROSOFT_EXECUTABLE | Message includes Microsoft executable program | body |
| MILLION_USD | Talks about millions of dollars | body |
| MIME_BAD_ISO_CHARSET | MIME character set is an unknown ISO charset | body |
| MIME_BASE64_BLANKS | Extra blank lines in base64 encoding | rawbody |
| MIME_BASE64_NO_NAME | base64 attachment does not have a file name | rawbody |
| MIME_BASE64_TEXT | Message text disguised using base64 encoding | rawbody |
| MIME_BOUND_DD_DIGITS | Spam tool pattern in MIME boundary | header |
| MIME_BOUND_DIGITS_15 | Spam tool pattern in MIME boundary | header |
| MIME_BOUND_DIGITS_7 | Spam tool pattern in MIME boundary | header |
| MIME_BOUND_MANY_HEX | Spam tool pattern in MIME boundary | header |
| MIME_BOUND_RKFINDY | Spam tool pattern in MIME boundary (rfkindy) | header |
| MIME_HTML_MOSTLY | Multipart message mostly text/html MIME | body |
| MIME_HTML_ONLY | Message only has text/html MIME parts | body |
| MIME_MISSING_BOUNDARY | MIME section missing boundary | rawbody |
| MIME_QP_LONG_LINE | Quoted-printable line longer than 76 chars | rawbody |
| MIME_SUSPECT_NAME | MIME filename does not match content | body |
| MISSING_DATE | Missing Date: header | header |
| MISSING_HB_SEP | Missing blank line between message header and body | header |
| MISSING_HEADERS | Missing To: header | header |
| MISSING_MIME_HB_SEP | Missing blank line between MIME header and body | body |
| ML_MARKETING | Multi Level Marketing mentioned | body |
| MONEY_BACK | Money back guarantee | body |
| MORE_SEX | Talks about a bigger drive for sex | body |
| MORTGAGE_BEST | Information on mortgages | body |
| MORTGAGE_PITCH | Looks like mortgage pitch | body |
| MORTGAGE_RATES | Information on mortgage rates | body |
| MPART_ALT_DIFF | HTML and text parts are different | body |
| MPART_ALT_DIFF_COUNT | HTML and text parts are different | body |
| MSGID_FROM_MTA_HOTMAIL | Message-Id was added by a hotmail.com relay | header |
| MSGID_FROM_MTA_ID | Message-Id for external message added locally | header |
| MSGID_LONG | Message-ID is unusually long | header |
| MSGID_MULTIPLE_AT | Message-ID contains multiple ‘@’ characters | header |
| MSGID_NO_HOST | Message-Id has no hostname | header |
| MSGID_OUTLOOK_INVALID | Message-Id is fake (in Outlook Express format) | header |
| MSGID_RATWARE1 | Bulk email fingerprint found | header |
| MSGID_SHORT | Message-ID is unusually short | header |
| MSGID_SPAM_99X9XX99 | Spam tool Message-Id: (99x9xx99 variant) | header |
| MSGID_SPAM_ALPHA_NUM | Spam tool Message-Id: (alpha-numeric variant) | header |
| MSGID_SPAM_CAPS | Spam tool Message-Id: (caps variant) | header |
| MSGID_SPAM_LETTERS | Spam tool Message-Id: (letters variant) | header |
| MSGID_SPAM_ZEROES | Spam tool Message-Id: (12-zeroes variant) | header |
| MSGID_YAHOO_CAPS | Message-ID has ALLCAPS@yahoo.com | header |
| NA_DOLLARS | Talks about a million North American dollars | body |
| NASTY_GIRLS | Possible porn – Nasty Girls | body |
| NO_COST | No such thing as a free lunch (3) | body |
| NO_DNS_FOR_FROM | Envelope sender has no MX or A DNS records | header |
| NO_FORMS | No Claim Forms | body |
| NO_MEDICAL | No Medical Exams | body |
| NO_OBLIGATION | There is no obligation | body |
| NO_PRESCRIPTION | No prescription needed | body |
| NO_RDNS_DOTCOM_HELO | Host HELO’d as a big ISP, but had no rDNS | header |
| NO_REAL_NAME | From: does not include a real name | header |
| NO_RELAYS | Informational: message was not relayed via SMTP | header |
| NONEXISTENT_CHARSET | Character set doesn’t exist | header |
| NORMAL_HTTP_TO_IP | Uses a dotted-decimal IP address in URL | uri |
| NOT_ADVISOR | Not registered investment advisor | body |
| NUMERIC_HTTP_ADDR | Uses a numeric IP address in URL | uri |
| OBSCURED_EMAIL | Message seems to contain rot13ed address | body |
| OFFSHORE_SCAM | Off Shore Scams | body |
| ONE_TIME | One Time Rip Off | body |
| ONLINE_PHARMACY | Online Pharmacy | body |
| OPTING_OUT_CAPS | Talks about opting out (capitalized version) | body |
| ORG_MIME_TOOLS | Organization is MIME-tools | header |
| PLING_QUERY | Subject has exclamation mark and question mark | header |
| PORN_15 | Possible porn – various types of feline | body |
| PORN_16 | Possible porn – nasty, dirty, little etc. | body |
| PORN_URL_MISC | URL uses words/phrases which indicate porn (misc) | uri |
| PORN_URL_SEX | URL uses words/phrases which indicate porn (sex) | uri |
| PORN_URL_SLUT | URL uses words/phrases which indicate porn (slut) | uri |
| PREST_NON_ACCREDITED | ‘Prestigious Non-Accredited Universities’ | body |
| PREVENT_NONDELIVERY | Message has Prevent-NonDelivery-Report header | header |
| PRICES_ARE_AFFORDABLE | Message says that prices aren’t too expensive | body |
| PYZOR_CHECK | Listed in Pyzor (http://pyzor.sf.net/) | full |
| QUALIFY_FOR_THIS | Qualify for this special… | body |
| RATWARE_BOUND_PIECE | Bulk email fingerprint (piece boundary) found | header |
| RATWARE_EFROM | Bulk email fingerprint (envfrom) found | header |
| RATWARE_EGROUPS | Bulk email fingerprint (eGroups) found | header |
| RATWARE_GECKO_BUILD | Bulk email fingerprint (Gecko faked) found | header |
| RATWARE_HASH_2 | Bulk email fingerprint (hash 2) found | header |
| RATWARE_HASH_2_V2 | Bulk email fingerprint (hash 2 v2) found | header |
| RATWARE_HASH_DASH | Contains a hashbuster in Send-Safe format | rawbody |
| RATWARE_JPFREE | Bulk email fingerprint (jpfree) found | header |
| RATWARE_MOZ_MALFORMED | Bulk email fingerprint (Mozilla malformed) found | header |
| RATWARE_MPOP_WEBMAIL | Bulk email fingerprint (mPOP Web-Mail) | header |
| RATWARE_NETIP | Bulk email fingerprint (netIP) found | header |
| RATWARE_OE_MALFORMED | X-Mailer has malformed Outlook Express version | header |
| RATWARE_RCVD_AT | Bulk email fingerprint (Received @) found | header |
| RATWARE_RCVD_LC_ESMTP | Bulk email fingerprint (‘esmtp’ Received) found | header |
| RATWARE_RCVD_PF | Bulk email fingerprint (Received PF) found | header |
| RATWARE_STORM_URI | Bulk email fingerprint (StormPost) found | uri |
| RAZOR2_CF_RANGE_51_100 | Razor2 gives confidence level above 50% | full |
| RAZOR2_CF_RANGE_E4_51_100 | Razor2 gives engine 4 confidence level above 50% | full |
| RAZOR2_CF_RANGE_E8_51_100 | Razor2 gives engine 8 confidence level above 50% | full |
| RAZOR2_CHECK | Listed in Razor2 (http://razor.sf.net/) | full |
| RCVD_AM_PM | Received headers forged (AM/PM) | header |
| RCVD_BONUS_SPC_DATE | Bulk email fingerprint (bonus space) found | header |
| RCVD_BY_IP | Received by mail server with no name | header |
| RCVD_FAKE_HELO_DOTCOM | Received contains a faked HELO hostname | header |
| RCVD_HELO_IP_MISMATCH | Received: HELO and IP do not match, but should | header |
| RCVD_ILLEGAL_IP | Received: contains illegal IP address | header |
| RCVD_IN_BL_SPAMCOP_NET | Received via a relay in bl.spamcop.net | header |
| RCVD_IN_BSP_OTHER | Sender is in Bonded Sender Program (other relay) | header |
| RCVD_IN_BSP_TRUSTED | Sender is in Bonded Sender Program (trusted relay) | header |
| RCVD_IN_DSBL | Received via a relay in list.dsbl.org | header |
| RCVD_IN_IADB_VOUCHED | ISIPP IADB lists as vouched-for sender | header |
| RCVD_IN_MAPS_DUL | Relay in DUL, http://www.mail-abuse.org/dul/ | header |
| RCVD_IN_MAPS_NML | Relay in NML, http://www.mail-abuse.org/nml/ | header |
| RCVD_IN_MAPS_RBL | Relay in RBL, http://www.mail-abuse.org/rbl/ | header |
| RCVD_IN_MAPS_RSS | Relay in RSS, http://www.mail-abuse.org/rss/ | header |
| RCVD_IN_NJABL_CGI | NJABL: sender is an open formmail | header |
| RCVD_IN_NJABL_DUL | NJABL: dialup sender did non-local SMTP | header |
| RCVD_IN_NJABL_MULTI | NJABL: sent through multi-stage open relay | header |
| RCVD_IN_NJABL_PROXY | NJABL: sender is an open proxy | header |
| RCVD_IN_NJABL_RELAY | NJABL: sender is confirmed open relay | header |
| RCVD_IN_NJABL_SPAM | NJABL: sender is confirmed spam source | header |
| RCVD_IN_SBL | Received via a relay in Spamhaus SBL | header |
| RCVD_IN_SORBS_BLOCK | SORBS: sender demands to never be tested | header |
| RCVD_IN_SORBS_DUL | SORBS: sent directly from dynamic IP address | header |
| RCVD_IN_SORBS_HTTP | SORBS: sender is open HTTP proxy server | header |
| RCVD_IN_SORBS_MISC | SORBS: sender is open proxy server | header |
| RCVD_IN_SORBS_SMTP | SORBS: sender is open SMTP relay | header |
| RCVD_IN_SORBS_SOCKS | SORBS: sender is open SOCKS proxy server | header |
| RCVD_IN_SORBS_WEB | SORBS: sender is a abuseable web server | header |
| RCVD_IN_SORBS_ZOMBIE | SORBS: sender is on a hijacked network | header |
| RCVD_IN_WHOIS_BOGONS | CompleteWhois: sender on bogons IP block | header |
| RCVD_IN_WHOIS_HIJACKED | CompleteWhois: sender on hijacked IP block | header |
| RCVD_IN_WHOIS_INVALID | CompleteWhois: sender on invalid IP block | header |
| RCVD_IN_XBL | Received via a relay in Spamhaus XBL | header |
| RCVD_NUMERIC_HELO | Received: contains an IP address used for HELO | header |
| RECEIVE_OFFER | Receive a special offer | body |
| REFINANCE_NOW | Home refinancing | body |
| REFINANCE_YOUR_HOME | Home refinancing | body |
| REMOVE_BEFORE_LINK | Removal phrase right before a link | body |
| REMOVE_PAGE | URL of page called "remove" | uri |
| REMOVE_POSTAL | Send real mail to be unsubscribed | body |
| REPLICA_WATCH | Message talks about a replica watch | body |
| REPLY_TO_EMPTY | Reply-To: is empty | header |
| RESISTANCE_IS_FUTILE | Resistance to this spam is futile | body |
| REVERSE_AGING | Reverses Aging | body |
| RISK_FREE | Risk free. Suuurreeee…. | body |
| ROUND_THE_WORLD | Received: says mail sent around the world (DNS) | header |
| ROUND_THE_WORLD_LOCAL | Received: says mail sent around the world (HELO) | header |
| SATIS_GUAR | Mail guarantees satisfaction | body |
| SAVE_THOUSANDS | Save big money | body |
| SEE_FOR_YOURSELF | See for yourself | body |
| SENT_IN_COMPLIANCE | Claims compliance with spam regulations | body |
| SOME_BREAKTHROUGH | Describes some sort of breakthrough | body |
| SOMETHING_FOR_ADULTS | Possible porn – Adult Web Sites | body |
| SORTED_RECIPS | Recipient list is sorted by address | header |
| SPF_FAIL | SPF: sender does not match SPF record (fail) | header |
| SPF_HELO_FAIL | SPF: HELO does not match SPF record (fail) | header |
| SPF_HELO_NEUTRAL | SPF: HELO does not match SPF record (neutral) | header |
| SPF_HELO_PASS | SPF: HELO matches SPF record | header |
| SPF_HELO_SOFTFAIL | SPF: HELO does not match SPF record (softfail) | header |
| SPF_NEUTRAL | SPF: sender does not match SPF record (neutral) | header |
| SPF_PASS | SPF: sender matches SPF record | header |
| SPF_SOFTFAIL | SPF: sender does not match SPF record (softfail) | header |
| SPOOF_COM2COM | URI contains ".com" in middle and end | uri |
| SPOOF_COM2OTH | URI contains ".com" in middle | uri |
| SPOOF_NET2COM | URI contains ".net" or ".org", then ".com" | uri |
| SPOOF_OURI | URI has items in odd places | uri |
| STOCK_ALERT | Offers a alert about a stock | body |
| STRONG_BUY | Tells you about a strong buy | body |
| SUB_FREE_OFFER | Subject starts with "Free" | header |
| SUB_HELLO | Subject starts with "Hello" | header |
| SUBJ_2_NUM_PARENS | Subject contains common spam sign (2 numbers) | header |
| SUBJ_ALL_CAPS | Subject is all capitals | header |
| SUBJ_AS_SEEN | Subject contains "As Seen" | header |
| SUBJ_BUY | Subject line starts with Buy or Buying | header |
| SUBJ_CONSONANTS | Subject contains consecutive consonants in "word" | header |
| SUBJ_DOLLARS | Subject starts with dollar amount | header |
| SUBJ_FOR_ONLY | Subject contains "For Only" | header |
| SUBJ_FREE_CAP | Subject contains "FREE" in CAPS | header |
| SUBJ_GUARANTEED | Subject GUARANTEED | header |
| SUBJ_HAS_SPACES | Subject contains lots of white space | header |
| SUBJ_HAS_UNIQ_ID | Subject contains a unique ID | header |
| SUBJ_ILLEGAL_CHARS | Subject: has too many raw illegal characters | header |
| SUBJ_LIFE_INSURANCE | Subject includes "life insurance" | header |
| SUBJ_YOUR_DEBT | Subject contains "Your Bills" or similar | header |
| SUBJ_YOUR_FAMILY | Subject contains "Your Family" | header |
| SUBJ_YOUR_OWN | Subject contains "Your Own" | header |
| SUBJECT_DIET | Subject talks about losing pounds | header |
| SUBJECT_DRUG_GAP_C | Subject contains a gappy version of ‘cialis’ | header |
| SUBJECT_DRUG_GAP_L | Subject contains a gappy version of ‘levitra’ | header |
| SUBJECT_DRUG_GAP_P | Subject contains a gappy version of ‘phentermine’ | header |
| SUBJECT_DRUG_GAP_S | Subject contains a gappy version of ‘soma’ | header |
| SUBJECT_DRUG_GAP_VA | Subject contains a gappy version of ‘valium’ | header |
| SUBJECT_DRUG_GAP_VIC | Subject contains a gappy version of ‘vicodin’ | header |
| SUBJECT_DRUG_GAP_X | Subject contains a gappy version of ‘xanax’ | header |
| SUBJECT_SEXUAL | Subject indicates sexually-explicit content | header |
| SUSPICIOUS_RECIPS | Similar addresses in recipient list | header |
| TERRA_ES | Contains URI to a document hosted at ‘terra.es’ | uri |
| TO_ADDRESS_EQ_REAL | To: repeats address as real name | header |
| TO_EMPTY | To: is empty | header |
| TO_MALFORMED | To: has a malformed address | header |
| TO_NO_USER | To: has no local-part before @ sign | header |
| TO_RECIP_MARKER | To header contains ‘recipient’ marker | header |
| TO_TXT | Sent to a text file | header |
| TRACKER_ID | Incorporates a tracking ID number | body |
| UNCLAIMED_MONEY | People just leave money laying around | body |
| UNCLOSED_BRACKET | Headers contain an unclosed bracket | header |
| UNDISC_RECIPS | Valid-looking To "undisclosed-recipients" | header |
| UNIQUE_WORDS | Message body has many words used only once | body |
| UNPARSEABLE_RELAY | Informational: message has unparseable relay lines | header |
| UNRESOLVED_TEMPLATE | Headers contain an unresolved template | header |
| UNWANTED_LANGUAGE_BODY | Message written in an undesired language | body |
| URG_BIZ | Contains urgent matter | body |
| URI_4YOU | Message has URI 4you | uri |
| URI_AFFILIATE | Contains a URI with an affiliate ID code | uri |
| URI_DIGITS | URI hostname has long digit sequence | uri |
| URI_HEX | URI hostname has long hexadecimal sequence | uri |
| URI_UPPER_LOWER | URI contains capitalized hostname parts ("Abcde") | uri |
| URIBL_AB_SURBL | Contains an URL listed in the AB SURBL blocklist | body |
| URIBL_JP_SURBL | Contains an URL listed in the JP SURBL blocklist | body |
| URIBL_OB_SURBL | Contains an URL listed in the OB SURBL blocklist | body |
| URIBL_PH_SURBL | Contains an URL listed in the PH SURBL blocklist | body |
| URIBL_SBL | Contains an URL listed in the SBL blocklist | body |
| URIBL_SC_SURBL | Contains an URL listed in the SC SURBL blocklist | body |
| URIBL_WS_SURBL | Contains an URL listed in the WS SURBL blocklist | body |
| US_DOLLARS_3 | Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN) |
body |
| USER_IN_ALL_SPAM_TO | User is listed in ‘all_spam_to’ | header |
| USER_IN_BLACKLIST | From: address is in the user’s black-list | header |
| USER_IN_BLACKLIST_TO | User is listed in ‘blacklist_to’ | header |
| USER_IN_DEF_SPF_WL | From: address is in the default SPF white-list | header |
| USER_IN_DEF_WHITELIST | From: address is in the default white-list | header |
| USER_IN_MORE_SPAM_TO | User is listed in ‘more_spam_to’ | header |
| USER_IN_SPF_WHITELIST | From: address is in the user’s SPF whitelist | header |
| USER_IN_WHITELIST | From: address is in the user’s white-list | header |
| USER_IN_WHITELIST_TO | User is listed in ‘whitelist_to’ | header |
| USERPASS | URL contains username and (optional) password | uri |
| VIA_GAP_GRA | Attempts to disguise the word ‘viagra’ | body |
| WE_HONOR_ALL | Claims to honor removal requests | body |
| WEIRD_PORT | Uses non-standard port number for HTTP | uri |
| WEIRD_QUOTING | Weird repeated double-quotation marks | body |
| WHILE_YOU_SLEEP | While you Sleep | body |
| WHY_PAY_MORE | Why Pay More? | body |
| WHY_WAIT | What are you waiting for | body |
| WITH_LC_SMTP | Received line contains spam-sign (lowercase smtp) | header |
| WRINKLES | Removes Wrinkles | body |
| X_AUTH_WARN_FAKED | X-Authentication-Warning header looks faked | header |
| X_IP | Message has X-IP header | header |
| X_LIBRARY | Message has X-Library header | header |
| X_MAILER_SPAM | X-Mailer: header is bulk email fingerprint | header |
| X_MESSAGE_FLAG_ODD | Message has X-Message-flag header (odd case) | header |
| X_MESSAGE_INFO | Bulk email fingerprint (X-Message-Info) found | header |
| X_MIME_AUTOCONVERTED | Message has X-MIME-Autoconverted "Yes" header | header |
| X_MSMAIL_PRIORITY_HIGH | Sent with ‘X-Msmail-Priority’ set to high | header |
| X_ORIG_IP_NOT_IPV4 | X-Originating-IP doesn’t look like IPv4 address | header |
| X_PRIORITY_CC | Cc: after X-Priority: (bulk email fingerprint) | header |
| X_PRIORITY_HIGH | Sent with ‘X-Priority’ set to high | header |
| YAHOO_DRS_REDIR | Has Yahoo Redirect URI | uri |
| YAHOO_RD_REDIR | Has Yahoo Redirect URI | uri |
| YOU_CAN_SEARCH | You can search for anyone | body |
Die vollständige Auflistung aller Test der aktuellen Spamassassin-Version und früherer Versionen finden sich bei Spamassassin.
November 24th, 2011 at 18:20
Da geht doch was bei Vidable!Laufend neue News seit Anfang September und da kommt noch mehr. Könnte es sein, dass da mehr dahinter steckt?. Was haltet ihr davon?