Skip to content

Test Name Area Tested Locale Description Of Test Score
ACT_NOW_CAPSbody--Talks about 'acting now' with capitals0.001
ADVANCE_FEE_2meta--Appears to be advance fee fraud (Nigerian 419)2.049
ADVANCE_FEE_3meta--Appears to be advance fee fraud (Nigerian 419)1.435
ADVANCE_FEE_4meta--Appears to be advance fee fraud (Nigerian 419)1.502
ANY_BOUNCE_MESSAGEmeta--Message is some kind of bounce message0.100
APOSTROPHE_FROMheader--From address contains an apostrophe0.001
AWLheader--From: address is in the auto white-list1.000
AXB_XMID_1212header--Barbera Fingerprint3.899
AXB_XMID_1510header--Brunello Fingerprint4.295
AXB_XMID_OEGOESNULLheader--Amarone Fingerprint4.216
AXB_XR_STULDAPheader--Received =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/3.196
AXB_XTIDX_CHAINheader--Montepulciano Fingerprint1.000
BAD_CREDITbody--Eliminate Bad Credit0.325
BAD_ENC_HEADERheader--Message has bad MIME encoding in the header2.870
BANG_GUARbody--Something is emphatically guaranteed1.237
BANKING_LAWSbody--Talks about banking laws3.096
BASE64_LENGTH_78_79body--eval:check_base64_length('78','79')3.699
BASE64_LENGTH_79_INFbody--eval:check_base64_length('79')2.763
BILLION_DOLLARSbody--Talks about lots of money0.001
BODY_8BITSbody--Body includes 8 consecutive 8-bit characters1.500
BODY_ENHANCEMENTbody--Information on growing body parts1.608
BODY_ENHANCEMENT2body--Information on getting larger body parts0.714
BOUNCE_MESSAGEmeta--MTA bounce message0.100
CHARSET_FARAWAYbody--Character set indicates a foreign language3.200
CHARSET_FARAWAY_HEADERheader--A foreign language charset used in headers3.200
CORRUPT_FROM_LINE_IN_HDRSmeta--Informational: message is corrupt, with a From line in its headers0.001
CRBOUNCE_MESSAGEmeta--Challenge-response bounce message0.100
CTYPE_001C_Ameta--(0)2.319
CUM_SHOTbody--Possible porn - Cum Shot2.796
CURR_PRICEbody--/\bCurrent Price:/2.659
DATE_IN_FUTURE_03_06header--Date: is 3 to 6 hours after Received: date0.416
DATE_IN_FUTURE_06_12header--Date: is 6 to 12 hours after Received: date3.099
DATE_IN_FUTURE_12_24header--Date: is 12 to 24 hours after Received: date3.299
DATE_IN_FUTURE_24_48header--Date: is 24 to 48 hours after Received: date2.800
DATE_IN_FUTURE_48_96header--Date: is 48 to 96 hours after Received: date3.182
DATE_IN_FUTURE_96_XXheader--Date: is 96 hours or more after Received: date3.899
DATE_IN_PAST_03_06header--Date: is 3 to 6 hours before Received: date1.394
DATE_IN_PAST_06_12header--Date: is 6 to 12 hours before Received: date1.854
DATE_IN_PAST_12_24header--Date: is 12 to 24 hours before Received: date1.770
DATE_IN_PAST_24_48header--Date: is 24 to 48 hours before Received: date1.627
DATE_IN_PAST_96_XXheader--Date: is 96 hours or more before Received: date2.320
DATE_SPAMWARE_Y2Kheader--Date header uses unusual Y2K formatting1.031
DCC_CHECKfull--Listed in DCC (http://rhyolite.com/anti-spam/dcc/)1.370
DC_GIF_UNO_LARGOmeta--Message contains a single large inline gif3.787
DC_IMAGE_SPAM_HTMLmeta--Possible Image-only spam0.001
DC_IMAGE_SPAM_TEXTmeta--Possible Image-only spam with little text0.001
DC_PNG_UNO_LARGOmeta--Message contains a single large inline gif2.092
DEAR_FRIENDbody--Dear Friend? That's not very dear!2.696
DEAR_SOMETHINGbody--Contains 'Dear (something)'2.234
DEAR_WINNERbody--/\bdear.{1,20}winner/i3.196
DIET_1body--Lose Weight Spam0.336
DIGEST_MULTIPLEmeta--Message hits more than one network digest check0.001
DKIM_POLICY_SIGNALLheader--Domain Keys Identified Mail: policy says domain signs all mails0.001
DKIM_POLICY_TESTINGheader--Domain Keys Identified Mail: policy says domain is testing DK0.001
DKIM_SIGNEDheader--Domain Keys Identified Mail: message has a signature0.001
DK_POLICY_SIGNALLheader--Domain Keys: policy says domain signs all mails0.001
DK_POLICY_TESTINGheader--Domain Keys: policy says domain is testing DK0.001
DK_SIGNEDheader--Domain Keys: message has a signature0.001
DNS_FROM_AHBL_RHSBLheader--Envelope sender listed in dnsbl.ahbl.org2.025
DNS_FROM_DOBheader--Sender from new domain (Day Old Bread)0.341
DNS_FROM_OPENWHOISheader--Envelope sender listed in bl.open-whois.org.2.431
DNS_FROM_RFC_BOGUSMXheader--Envelope sender in bogusmx.rfc-ignorant.org2.125
DNS_FROM_RFC_DSNheader--Envelope sender in dsn.rfc-ignorant.org2.527
DOS_PROVISION4body--Provision for income taxes1.000
DOS_REPORT_FIN_INCbody--Report of financial income1.000
DOS_STOCK_BATmeta--Probable pump and dump stock spam3.383
DOS_STOCK_CDYV_GENERICbody--Pump and dump stock spam1.000
DOS_STOCK_INCOME_STATEMENTmeta--Pump and dump stock income statement spam1.000
DOS_YOUR_PLACEmeta--Russian dating spam2.596
DRUGS_ANXIETYmeta--Refers to an anxiety control drug1.331
DRUGS_ANXIETY_ERECmeta--Refers to both an erectile and an anxiety drug0.001
DRUGS_ANXIETY_OBFUmeta--Obfuscated reference to an anxiety control drug0.001
DRUGS_DIETmeta--Refers to a diet drug0.001
DRUGS_ERECTILEmeta--Refers to an erectile drug0.646
DRUGS_ERECTILE_OBFUmeta--Obfuscated reference to an erectile drug2.113
DRUGS_HDIAheader--Subject =~ /\bhoodia\b/i2.501
DRUGS_MANYKINDSmeta--Refers to at least four kinds of drugs0.001
DRUGS_MUSCLEmeta--Refers to a muscle relaxant0.001
DRUGS_SLEEP_ERECmeta--Refers to both an erectile and a sleep aid drug1.952
DRUGS_STOCK_MIMEOLEmeta--Stock-spam forged headers found (5510)2.852
DRUG_DOSAGEbody--Talks about price per dose0.128
DRUG_ED_CAPSbody--Mentions an E.D. drug1.540
DRUG_ED_GENERICbody--Mentions Generic Viagra3.314
DRUG_ED_SILDbody--Talks about an E.D. drug using its chemical name0.001
DYN_RDNS_AND_INLINE_IMAGEmeta--Contains image, and was sent by dynamic rDNS0.001
DYN_RDNS_SHORT_HELO_HTMLmeta--Sent by dynamic rDNS, short HELO, and HTML0.287
DYN_RDNS_SHORT_HELO_IMAGEmeta--Short HELO string, dynamic rDNS, inline image0.001
EMAIL_ROT13body--Body contains a ROT13-encoded email address1.680
EMPTY_MESSAGEmeta--Message appears to have no textual parts and no Subject: text0.607
EXCUSE_24body--Claims you wanted this ad2.599
EXCUSE_4body--Claims you can be removed from the list1.934
EXCUSE_REMOVEbody--Talks about how to be removed from mailings1.477
EXTRA_MPART_TYPEheader--Header has extraneous Content-type:...type= entry1.000
FAKE_HELO_EXCITEheader--Host HELO did not match rDNS: excite.com2.552
FAKE_HELO_LYCOSheader--Host HELO did not match rDNS: lycos.com2.432
FAKE_HELO_MAIL_COMheader--Host HELO did not match rDNS: mail.com0.220
FAKE_HELO_MAIL_COM_DOMheader--Relay HELO'd with suspicious hostname (mail.com)3.196
FAKE_OUTBLAZE_RCVDheader--Received header contains faked 'mr.outblaze.com'3.496
FAKE_REPLY_Cmeta--(__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)2.197
FB_ADD_INCHESbody--Add / Gain inches2.999
FB_ALMOST_SEXbody--It's almost sex, but not!3.096
FB_ANA_TRIMbody--Broken AnaTrim phrase.3.995
FB_ANUIbody--Phrase: A_U_N_I1.618
FB_C0MPANYbody--Phrase: C0mpany2.106
FB_CAN_LONGERbody--Phrase: can last longer1.309
FB_CIALIS_LEO3body--Uses a mis-spelled version of cialis.2.815
FB_DOUBLE_0WORDSbody--Looks like double 0 words3.595
FB_EMAIL_HIERbody--Phrase: email hier1.203
FB_EXTRA_INCHESbody--Phrase: extra inches3.096
FB_FHARMACYbody--Phrase: Farmacy3.695
FB_GAPPY_ADDRESSbody--Too much spacing in Address3.399
FB_GET_MEDSbody--Looks like trying to sell meds1.097
FB_GVRbody--Looks like generic viagra0.001
FB_HEY_BRO_COMMAbody--Phrase hey bro,2.783
FB_HG_H_CAPbody--Phrase: HGH0.887
FB_HOMELOANbody--Phrase $x home loan2.014
FB_IMPRESS_GIRLbody--Phrase: impress ... girl1.757
FB_INCREASE_YOURbody--Phrase: Increase your energy3.396
FB_INDEPEND_RWDbody--Phrase: independent reward3.599
FB_LETTERS_21Bbody--Special people leave special signs!3.999
FB_LOWER_PAYMbody--Phrase: lower your monthly payments2.996
FB_MED1CATbody--Phrase: Med1cat1.000
FB_MEDS_PERCENTbody--Talks about meds and %1.000
FB_MORE_SIZEbody--Phrase: more size1.422
FB_NOT_PHONE_NUM1body--Looks like a fake phone number (1)2.599
FB_NOT_PHONE_NUM3body--Looks like a fake phone number (3)2.596
FB_NOT_SCHOOLbody--Looks like school but it's not!2.312
FB_NO_SCRIP_NEEDEDbody--Phrase: no prescription needed.2.458
FB_NUMYObody--Speaks of teenager.2.397
FB_ODD_SPACED_MONEYbody--Looks like money but has odd spacing.2.723
FB_P1LLbody--Phrase: p1ll1.088
FB_PIPEDOLLARbody--Phrase: Dollar, with pipes or 0's.2.430
FB_QUALITY_REPLICAbody--Phrase: quality replica3.899
FB_REF_CODE_SPACEbody--Refcode with spacing3.599
FB_REPLIC_CAPbody--Phrase: REPLICA3.995
FB_RE_FIbody--Looks like refi.2.696
FB_SOFTTABSbody--Phrase: Softabs4.281
FB_SPACED_PHN_3Bbody--Phone number with -- spacing. (B)2.896
FB_SPACEY_ZIPbody--Looks like a s p a c e d zipcode.1.785
FB_SSEXbody--Phrase: ssex2.001
FB_STOCK_EXPLODEbody--Looks like stocks exploding.2.696
FB_TO_STOP_DISTRObody--Phrase: to stop further distribution3.096
FB_ULTRA_ALLUREbody--Phrase: Ultra Allure2.841
FB_UNLOCK_YOUR_Gbody--Phrase: lock to your girlfriend2.696
FB_UNRESOLV_PROVbody--Pattern Replacement PROV_D1.132
FB_WORD1_END_DOLLARbody--Looks like a word ending with a $1.000
FB_YOURSELF_MASTERbody--Phrase: yourself master1.248
FB_YOUR_REFIbody--Phrase: Your refi3.306
FH_BAD_OEV1441header--Bad X-Mailer version2.393
FH_DATE_IS_19XXheader--The date is not 19xx.1.970
FH_DATE_PAST_20XXheader--The date is grossly in the future.3.384
FH_FAKE_RCVD_LINEheader--RCVD line looks faked (A)2.215
FH_FROMEML_NOTLDheader--E-mail address doesn't have TLD (.com, etc.)2.196
FH_FROM_CASHheader--From name has "cash"2.996
FH_FROM_GIVEAWAYheader--From name is giveaway.2.796
FH_FROM_HOODIAheader--From has Hoodia!!?2.696
FH_HAS_XAIMCheader--Has X-AIMC-AUTH header2.699
FH_HELO_ALMOST_IPheader--Helo is almost an IP addr.3.727
FH_HELO_ENDS_DOTheader--Helo ends with a dot.3.020
FH_HELO_EQ_610HEXheader--Helo is 6-10 hex chr's.4.099
FH_HELO_EQ_CHARTERheader--Helo is d-d-d-d charter.com1.258
FH_HELO_EQ_D_D_D_Dheader--Helo is d-d-d-d0.498
FH_HOST_EQ_DYNAMICIPheader--Host is dynamicip3.097
FH_HOST_EQ_PACBELL_Dheader--Host is pacbell.net dsl0.893
FH_HOST_EQ_VERIZON_Pheader--Host is pool-.+verizon.net1.105
FH_MSGID_000000header--Special MSGID4.299
FH_MSGID_01C67header--Special MSGID0.495
FH_MSGID_01C70XXXheader--MESSAGE ID seen often!!!3.895
FH_MSGID_REPLACEheader--Broken Replace Template2.079
FH_MSGID_XXBLAHheader--Common sign in msg-id's 12/21/20064.495
FH_MSGID_XXXheader--Message-Id = @xxx3.196
FH_RE_NEW_DDDheader--Subject is Re: new \d\d\d1.209
FH_XMAIL_REPLACEheader--Broken Replace Template2.142
FH_XMAIL_RND_833header--Special X-Mailer Version1.000
FIN_FREEbody--Freedom of a financial nature2.599
FM_DOESNT_SAY_STOCKmeta--It's a stock spam but doesn't say stock4.295
FM_FAKE_53COM_SPOOFmeta--Spoof mail from 53.com?3.096
FM_FAKE_HELO_VERIZONmeta--Looks like a fake verizon.net helo.2.573
FM_FRM_RN_L_BRACKmeta--From name has > but not <3.096
FM_LIKE_STOCKSmeta--It looks like a duck, it's a duck!2.940
FM_LUX_GIFTS_REDUCEDmeta--Luxury Gifts with dd%2.486
FM_MANY_DRUG_WORDSmeta--Lot's of almost drug words1.161
FM_MORTGAGE4PLUSmeta--Looks like a mortgage spam (4+)1.000
FM_MORTGAGE5PLUSmeta--Looks like a mortgage spam (5+)3.099
FM_MULTI_LUX_GIFTSmeta--Talks about variety of luxury gifts2.494
FM_PHN_NODNSmeta--Phone spacing + no dns2.538
FM_RATSIGN_1106meta--Fingerprint seen in lots of spam. 11/20060.250
FM_RE_HELLO_SPAMmeta--Re: Hello / hi2.798
FM_ROLEX_ADSmeta--Looks like Rolex spams.3.999
FM_SCHOOLINGmeta--Meta Combo Phrase for Schooling (2)2.386
FM_SCHOOL_DIPLOMAmeta--Meta for Schooling + Diploma.0.776
FM_SCHOOL_TYPESmeta--Meta Combo Phrase for Schooling3.096
FM_SEX_HELODDDDmeta--Sex words + helo = dddd2.332
FM_VIAGRA_SPAM1114meta--Signs of a Viagra spam 11/14/20062.191
FM_XMAIL_F_OUTheader--Looks like Fake Outlook?4.199
FORGED_HOTMAIL_RCVD2header--hotmail.com 'From' address, but no 'Received:'1.117
FORGED_IMS_HTMLmeta--IMS can't send HTML message only2.050
FORGED_IMS_TAGSmeta--IMS mailers can't send HTML in this format1.579
FORGED_MSGID_AOLmeta--Message-ID is forged, (aol.com)0.001
FORGED_MSGID_HOTMAILmeta--Message-ID is forged, (hotmail.com)2.706
FORGED_MSGID_MSNmeta--Message-ID is forged, (msn.com)1.222
FORGED_MSGID_YAHOOmeta--Message-ID is forged, (yahoo.com)3.211
FORGED_MUA_EUDORAmeta--Forged mail pretending to be from Eudora1.665
FORGED_MUA_IMSmeta--Forged mail pretending to be from IMS2.033
FORGED_MUA_MOZILLAmeta--Forged mail pretending to be from Mozilla2.696
FORGED_MUA_OIMOmeta--Forged mail pretending to be from MS Outlook IMO3.595
FORGED_MUA_OUTLOOKmeta--Forged mail pretending to be from MS Outlook4.199
FORGED_MUA_THEBAT_BOUNmeta--Mail pretending to be from The Bat! (boundary)1.019
FORGED_MUA_THEBAT_CSmeta--Mail pretending to be from The Bat! (charset)0.854
FORGED_OUTLOOK_HTMLmeta--Outlook can't send HTML message only0.001
FORGED_OUTLOOK_TAGSmeta--Outlook can't send HTML in this format0.001
FORGED_QUALCOMM_TAGSmeta--QUALCOMM mailers can't send HTML in this format3.127
FORGED_THEBAT_HTMLmeta--The Bat! can't send HTML message only2.407
FORGED_YAHOO_RCVDheader--'From' yahoo.com does not match 'Received' headers1.408
FRAGMENTED_MESSAGEheader--Partial message2.500
FREE_QUOTE_INSTANTbody--Free express or no-obligation quote2.499
FROM_BLANK_NAMEheader--From: contains empty name2.212
FROM_DOMAIN_NOVOWELheader--From: domain has series of non-vowel letters3.099
FROM_EXCESS_BASE64meta--From: base64 encoded unnecessarily1.984
FROM_ILLEGAL_CHARSheader--From: has too many raw illegal characters3.999
FROM_LOCAL_DIGITSheader--From: localpart has long digit sequence0.001
FROM_LOCAL_HEXheader--From: localpart has long hexadecimal sequence2.733
FROM_LOCAL_NOVOWELheader--From: localpart has series of non-vowel letters3.196
FROM_NO_USERheader--From: has no local-part before @ sign0.499
FROM_OFFERSheader--From address is "at something-offers"1.145
FROM_STARTS_WITH_NUMSheader--From: starts with many numbers0.723
FRT_BIGGERMEM1body--ReplaceTags: Bigger / Larger, Penis / Member0.001
FRT_DISCOUNTbody--ReplaceTags: Discount2.996
FRT_DOLLARbody--ReplaceTags: Dollar2.596
FRT_GUARANTEE1body--ReplaceTags: Guarantee (1)2.819
FRT_LEVITRAbody--ReplaceTags: Levitra0.745
FRT_MEETINGbody--ReplaceTags: Meeting2.699
FRT_OFFER2body--ReplaceTags: Offer (2)1.590
FRT_OPPORTUN1body--ReplaceTags: Oppertun (1)1.000
FRT_OPPORTUN2body--ReplaceTags: Oppertun (2)2.699
FRT_PENIS1body--ReplaceTags: Penis3.074
FRT_PRICEbody--ReplaceTags: Price2.531
FRT_REFINANCE1body--ReplaceTags: Refinance (1)2.727
FRT_ROLEXbody--ReplaceTags: Rolex3.096
FRT_SEXUALbody--ReplaceTags: Sexual3.196
FRT_STRONG1body--ReplaceTags: Strong (1)2.919
FRT_STRONG2body--ReplaceTags: Strong (2)0.001
FRT_SYMBOLbody--ReplaceTags: Symbol3.561
FRT_TODAY2body--ReplaceTags: Today (2)2.460
FRT_VALIUM1body--ReplaceTags: Valium3.049
FRT_VALIUM2body--ReplaceTags: Valium (2)1.933
FRT_WEIGHT2body--ReplaceTags: Weight (2)2.930
FRT_XANAX1body--ReplaceTags: Xanax (1)3.799
FRT_XANAX2body--ReplaceTags: Xanax (2)0.001
FR_3TAG_3TAGrawbody--Looks like 3 <e> small tags.0.998
FR_ALMOST_VIAG2rawbody--Almost looks like viagra.2.376
FR_MIDERrawbody--Sign often seen in spams1.706
FS_AT_NO_COSTheader--Subject says "At No Cost"2.596
FS_CHEAP_CAPheader--Phrase: Cheap in Caps in Subject.0.001
FS_DOLLAR_BONUSheader--Subject talks about money bonus!2.696
FS_EJACULAheader--Phrase: ejaculation in subject.2.996
FS_ERECTIONheader--Phrase: erection in subject.2.020
FS_LARGE_PERCENT2header--Larger than 100% in subj.1.037
FS_LOWER_YOURheader--Phrase: lower your1.000
FS_LOW_RATESheader--Subject says low rates1.763
FS_NEW_SOFT_UPLOADheader--Subj starts with New software uploaded1.154
FS_NEW_XXXheader--Subject looks like Fharmacy spams.0.616
FS_NO_SCRIPheader--Subject almost says No prescription2.422
FS_OBFU_PRMCYheader--what could this word be?0.722
FS_PHARMASUB2header--Looks like Phramacy subject.3.895
FS_RAMRODheader--Subject says Ramrod2.820
FS_REPLICAheader--Subject says "replica"1.179
FS_REPLICAWATCHheader--Subject says Replica watch3.799
FS_START_DOYOU2header--Subject starts with Do you dream,have,want,love, etc.3.099
FS_START_LOSEheader--Subject starts with Lose2.596
FS_TEEN_BADheader--Subject says something bad about teens2.596
FS_TIP_DDDheader--Phrase: subject = tip ddd0.021
FS_WEIGHT_LOSSheader--Subject says Weight Loss1.000
FS_WILL_HELPheader--Subject says will help3.299
FUZZY_AMBIENbody--Attempt to obfuscate words in spam0.962
FUZZY_CPILLbody--Attempt to obfuscate words in spam0.001
FUZZY_CREDITbody--Attempt to obfuscate words in spam0.522
FUZZY_ERECTbody--Attempt to obfuscate words in spam0.708
FUZZY_GUARANTEEbody--Attempt to obfuscate words in spam0.962
FUZZY_MEDICATIONbody--Attempt to obfuscate words in spam0.001
FUZZY_MERIDIAbody--/<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i0.778
FUZZY_MILLIONbody--Attempt to obfuscate words in spam2.325
FUZZY_MONEYbody--Attempt to obfuscate words in spam2.796
FUZZY_MORTGAGEbody--Attempt to obfuscate words in spam3.296
FUZZY_OBLIGATIONbody--Attempt to obfuscate words in spam2.796
FUZZY_OFFERSbody--Attempt to obfuscate words in spam1.032
FUZZY_PHARMACYbody--Attempt to obfuscate words in spam2.999
FUZZY_PRESCRIPTbody--Attempt to obfuscate words in spam2.644
FUZZY_PRICESbody--Attempt to obfuscate words in spam2.458
FUZZY_REFINANCEbody--Attempt to obfuscate words in spam0.001
FUZZY_SOFTWAREbody--Attempt to obfuscate words in spam2.860
FUZZY_VLIUMbody--Attempt to obfuscate words in spam0.001
FUZZY_VPILLbody--Attempt to obfuscate words in spam0.001
FUZZY_XPILLbody--Attempt to obfuscate words in spam3.314
FU_COMMON_SUBS2uri--Sub-dir seen often in spam (2).2.057
FU_ENDS_NUMS_DOTS_CLKuri--Ends with clk/d+.d+.d+3.196
FU_END_ETuri--ET Phone Home?3.599
FU_HOODIAuri--URL has hoodia in it.1.484
FU_LONG_QUERY3uri--URL has a long file name with .aspx extension.0.001
FU_MIDERuri--URL has /gal/2.024
FU_UKGEOCITIESuri--URL with [a-z]{2}.geocities.com3.296
FU_URI_TRACKER_Turi--URI style tracker (T)3.895
GAPPY_SUBJECTheader--Subject: contains G.a.p.p.y-T.e.x.t2.001
GEO_QUERY_STRINGuri--/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i2.696
GTUBEbody--Generic Test for Unsolicited Bulk Email1000.000
GUARANTEED_100_PERCENTbody--One hundred percent guaranteed0.965
HASHCASH_2SPENDheader--Hashcash token already spent in another mail0.100
HDR_ORDER_FTSDMCXX_001Cmeta--Header order similar to spam (FTSDMCXX/MID variant)1.937
HDR_ORDER_FTSDMCXX_BATmeta--Header order similar to spam (FTSDMCXX/boundary variant)2.739
HEADER_COUNT_CTYPEheader--Multiple Content-Type headers found0.671
HEADER_COUNT_SUBJECTheader--Multiple Subject headers found3.099
HEADER_SPAMheader--Bulk email fingerprint (header-based) found3.396
HEAD_ILLEGAL_CHARSheader--Headers have too many raw illegal characters3.729
HEAD_LONGheader--Message headers are very long2.500
HELO_DYNAMIC_CHELLO_NLheader--Relay HELO'd using suspicious hostname (Chello.nl)3.599
HELO_DYNAMIC_DHCPheader--Relay HELO'd using suspicious hostname (DHCP)1.520
HELO_DYNAMIC_DIALINheader--Relay HELO'd using suspicious hostname (T-Dialin)3.995
HELO_DYNAMIC_HCCheader--Relay HELO'd using suspicious hostname (HCC)4.295
HELO_DYNAMIC_HEXIPheader--Relay HELO'd using suspicious hostname (Hex IP)3.099
HELO_DYNAMIC_HOME_NLheader--Relay HELO'd using suspicious hostname (Home.nl)3.496
HELO_DYNAMIC_IPADDRheader--Relay HELO'd using suspicious hostname (IP addr 1)2.935
HELO_DYNAMIC_IPADDR2header--Relay HELO'd using suspicious hostname (IP addr 2)4.395
HELO_DYNAMIC_SPLIT_IPheader--Relay HELO'd using suspicious hostname (Split IP)4.199
HELO_FRIENDheader--X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=friend /i0.001
HELO_LH_HOMEheader--X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i3.169
HELO_LH_LDheader--X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost\.localdomain /i0.792
HELO_LOCALHOSTheader--X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=localhost /i4.499
HELO_OEMheader--X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=(?:pc|oem\S*) /i3.296
HG_HORMONEmeta--Talks about hormones for human growth2.292
HIDE_WIN_STATUSrawbody--Javascript to hide URLs in browser2.213
HIGH_CODEPAGE_URIuri--/^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i2.500
HS_BODY_UPLOADED_SOFTWAREbody--Somebody has uploaded some new software for you1.992
HS_DRUG_DOLLAR_1body--Contains a drug and price-like pattern.1.350
HS_DRUG_DOLLAR_2body--Contains a drug and price-like pattern.1.119
HS_DRUG_DOLLAR_3body--Contains a drug and price-like pattern.1.901
HS_DRUG_DOLLAR_MANYmeta--Contains several drug and dollar-like patterns.0.688
HS_FORGED_OE_FWmeta--Outlook does not prefix forwards with "FW:"2.796
HS_INDEX_PARAMuri--Link contains a common tracker pattern.0.001
HS_SUBJ_NEW_SOFTWAREheader--Subject starts with 'New software uploaded by'0.253
HTML_CHARSET_FARAWAYmeta--A foreign language charset used in HTML markup0.500
HTML_COMMENT_SAVED_URLbody--HTML message is a saved web page1.820
HTML_COMMENT_SHORTbody--HTML comment is very short0.001
HTML_EMBEDSbody--HTML with embedded plugin object0.440
HTML_EXTRA_CLOSEbody--HTML contains far too many close tags1.089
HTML_FONT_FACE_BADbody--HTML font face is not a word0.606
HTML_FONT_LOW_CONTRASTbody--HTML font color similar to background0.543
HTML_FONT_SIZE_HUGEbody--HTML font size is huge0.389
HTML_FONT_SIZE_LARGEbody--HTML font size is large0.001
HTML_IFRAME_SRCbody--Message has HTML IFRAME tag with SRC URI0.001
HTML_IMAGE_ONLY_04body--HTML: images with 0-400 bytes of words1.462
HTML_IMAGE_ONLY_08body--HTML: images with 400-800 bytes of words2.432
HTML_IMAGE_ONLY_12body--HTML: images with 800-1200 bytes of words2.245
HTML_IMAGE_ONLY_16body--HTML: images with 1200-1600 bytes of words2.498
HTML_IMAGE_ONLY_20body--HTML: images with 1600-2000 bytes of words1.808
HTML_IMAGE_ONLY_24body--HTML: images with 2000-2400 bytes of words2.207
HTML_IMAGE_ONLY_28body--HTML: images with 2400-2800 bytes of words1.519
HTML_IMAGE_ONLY_32body--HTML: images with 2800-3200 bytes of words1.318
HTML_IMAGE_RATIO_02body--HTML has a low ratio of text to image area0.550
HTML_IMAGE_RATIO_04body--HTML has a low ratio of text to image area0.170
HTML_IMAGE_RATIO_06body--HTML has a low ratio of text to image area0.001
HTML_IMAGE_RATIO_08body--HTML has a low ratio of text to image area0.001
HTML_MESSAGEbody--HTML included in message0.001
HTML_MIME_NO_HTML_TAGmeta--HTML-only message, but there is no HTML tag1.052
HTML_MISSING_CTYPEmeta--Message is HTML without HTML Content-Type2.380
HTML_NONELEMENT_30_40body--30% to 40% of HTML elements are non-standard1.775
HTML_NONELEMENT_40_50body--40% to 50% of HTML elements are non-standard0.001
HTML_OBFUSCATE_05_10body--Message is 5% to 10% HTML obfuscation0.572
HTML_OBFUSCATE_10_20body--Message is 10% to 20% HTML obfuscation3.196
HTML_OBFUSCATE_20_30body--Message is 20% to 30% HTML obfuscation2.747
HTML_OBFUSCATE_30_40body--Message is 30% to 40% HTML obfuscation2.599
HTML_SHORT_CENTERmeta--HTML is very short with CENTER tag0.001
HTML_SHORT_LINK_IMG_1meta--HTML is very short with a linked image1.078
HTML_SHORT_LINK_IMG_2meta--HTML is very short with a linked image0.239
HTML_SHORT_LINK_IMG_3meta--HTML is very short with a linked image0.556
HTML_TAG_BALANCE_BODYbody--HTML has unbalanced "body" tags0.807
HTML_TAG_BALANCE_HEADbody--HTML has unbalanced "head" tags1.370
HTML_TITLE_SUBJ_DIFFmeta--__HTML_TITLE_SUBJ_DIFF && !__MIME_ATTACHMENT0.805
HTTPS_IP_MISMATCHbody--IP to HTTPS link found in HTML2.896
HTTP_77uri--Contains an URL-encoded hostname (HTTP77)0.001
HTTP_ESCAPED_HOSTuri--Uses %-escapes inside a URL's hostname0.001
HTTP_EXCESSIVE_ESCAPESuri--Completely unnecessary %-escapes inside a URL0.964
IMPOTENCEbody--Impotence cure1.678
INVALID_DATEheader--Invalid Date: header (not RFC 2822)1.651
INVALID_DATE_TZ_ABSURDheader--Invalid Date: header (timezone does not exist)0.243
INVALID_MSGIDmeta--Message-Id is not valid, according to RFC 28222.603
INVALID_TZ_CSTheader--Invalid date in header (wrong CST timezone)0.862
INVALID_TZ_ESTheader--Invalid date in header (wrong EST timezone)2.065
INVESTMENT_ADVICEbody--Message mentions investment advice0.001
IP_LINK_PLUSuri--Dotted-decimal IP address followed by CGI0.001
JM_RCVD_QMAILV1header--Received =~ /by \S+ \(Qmailv1\) with ESMTP/3.995
JM_TORA_XMmeta--(__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)3.096
JOIN_MILLIONSbody--Join Millions of Americans1.807
KAM_LOTTO1meta--Likely to be a e-Lotto Scam Email1.569
KAM_LOTTO2meta--Highly Likely to be a e-Lotto Scam Email1.190
KAM_LOTTO3meta--Almost certain to be a e-Lotto Scam Email1.000
KAM_STOCKOTCmeta--(0)2.328
KAM_STOCKTIP15meta--(0)0.001
KOREAN_UCE_SUBJECTheader--Subject: contains Korean unsolicited email tag1.111
LOCALPART_IN_SUBJECTheader--Local part of To: address appears in Subject2.497
LONGWORDSmeta--Long string of long words3.196
LONG_TERM_PRICEbody--/long\W+term\W+(target|projected)(\W+price)?/i0.212
LOOPHOLE_1body--A loop hole in the banking laws?2.474
LOTTERY_1meta--(__DBLCLAIM && __CASHPRZ)3.196
LOW_PRICEbody--Lowest Price1.159
L_SPAM_TOOL_13header--Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/4.499
MALE_ENHANCEbody--Message talks about enhancing men2.596
MARKETING_PARTNERSbody--Claims you registered with a partner2.355
MICROSOFT_EXECUTABLEbody--Message includes Microsoft executable program0.100
MID_DEGREESheader--Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/4.195
MILLION_USDbody--Talks about millions of dollars1.777
MIME_BAD_ISO_CHARSETbody--MIME character set is an unknown ISO charset2.831
MIME_BASE64_BLANKSrawbody--Extra blank lines in base64 encoding0.001
MIME_BASE64_TEXTrawbody--Message text disguised using base64 encoding2.796
MIME_BOUND_DD_DIGITSheader--Spam tool pattern in MIME boundary4.199
MIME_BOUND_DIGITS_15header--Spam tool pattern in MIME boundary2.896
MIME_BOUND_EQ_RELheader--Content-Type =~ /boundary="=====================_\d+==\.REL"/s0.845
MIME_BOUND_MANY_HEXheader--Spam tool pattern in MIME boundary0.001
MIME_CHARSET_FARAWAYmeta--MIME character set indicates foreign language2.450
MIME_HEADER_CTYPE_ONLYmeta--'Content-Type' found without required MIME headers0.856
MIME_HTML_MOSTLYbody--Multipart message mostly text/html MIME0.001
MIME_HTML_ONLYbody--Message only has text/html MIME parts1.672
MIME_HTML_ONLY_MULTImeta--Multipart message only has text/html MIME parts0.001
MIME_QP_LONG_LINErawbody--Quoted-printable line longer than 76 chars1.819
MIME_SUSPECT_NAMEbody--MIME filename does not match content0.100
MISSING_DATEheader--Missing Date: header0.001
MISSING_HB_SEPheader--Missing blank line between message header and body2.500
MISSING_HEADERSheader--Missing To: header1.581
MISSING_MIDheader--Missing Message-Id: header0.001
MISSING_MIMEOLEmeta--Message has X-MSMail-Priority, but no X-MimeOLE0.001
MISSING_MIME_HB_SEPbody--Missing blank line between MIME header and body2.699
MISSING_SUBJECTmeta--Missing Subject: header1.285
MONEY_BACKbody--Money back guarantee0.001
MORE_SEXbody--Talks about a bigger drive for sex2.321
MPART_ALT_DIFFbody--HTML and text parts are different1.143
MPART_ALT_DIFF_COUNTbody--HTML and text parts are different1.882
MSGID_DOLLARS_RANDOMmeta--__MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK3.296
MSGID_FROM_MTA_HEADERmeta--Message-Id was added by a relay1.495
MSGID_MULTIPLE_ATheader--Message-ID contains multiple '@' characters1.211
MSGID_OUTLOOK_INVALIDheader--Message-Id is fake (in Outlook Express format)2.896
MSGID_RANDYmeta--Message-Id has pattern used in spam0.001
MSGID_SHORTheader--Message-ID is unusually short0.232
MSGID_SPAM_CAPSheader--Spam tool Message-Id: (caps variant)4.195
MSGID_SPAM_LETTERSheader--Spam tool Message-Id: (letters variant)1.637
MSGID_YAHOO_CAPSheader--Message-ID has ALLCAPS@yahoo.com0.448
MSOE_MID_WRONG_CASEmeta--(__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)0.699
MULTIPART_ALT_NON_TEXTbody--eval:check_ma_non_text()2.696
NA_DOLLARSbody--Talks about a million North American dollars1.129
NORMAL_HTTP_TO_IPuri--Uses a dotted-decimal IP address in URL0.001
NO_DNS_FOR_FROMheader--Envelope sender has no MX or A DNS records1.407
NO_HEADERS_MESSAGEmeta--Message appears to be missing most RFC-822 headers0.001
NO_PRESCRIPTIONbody--No prescription needed2.757
NO_RDNS_DOTCOM_HELOheader--Host HELO'd as a big ISP, but had no rDNS0.799
NULL_IN_BODYfull--Message has NUL (ASCII 0) byte in message1.489
NUMERIC_HTTP_ADDRuri--Uses a numeric IP address in URL0.001
OBFUSCATING_COMMENTmeta--HTML comments which obfuscate text0.230
OBSCURED_EMAILbody--Message seems to contain rot13ed address0.012
ONLINE_PHARMACYbody--Online Pharmacy1.484
OUTLOOK_3416header--Claims to be sent by an unusual build of Outlook (3416)1.695
PART_CID_STOCKmeta--Has a spammy image attachment (by Content-ID)1.231
PART_CID_STOCK_LESSmeta--Has a spammy image attachment (by Content-ID, more specific)0.001
PERCENT_RANDOMmeta--Message has a random macro in it3.196
PLING_QUERYheader--Subject has exclamation mark and question mark1.333
PREVENT_NONDELIVERYheader--Message has Prevent-NonDelivery-Report header1.640
PRICES_ARE_AFFORDABLEbody--Message says that prices aren't too expensive0.001
PYZOR_CHECKfull--Listed in Pyzor (http://pyzor.sf.net/)2.834
RATWARE_EFROMheader--Bulk email fingerprint (envfrom) found3.795
RATWARE_EGROUPSheader--Bulk email fingerprint (eGroups) found2.379
RATWARE_MS_HASHmeta--Bulk email fingerprint (msgid ms hash) found2.779
RATWARE_OE_MALFORMEDheader--X-Mailer has malformed Outlook Express version2.095
RATWARE_OUTLOOK_NONAMEmeta--Bulk email fingerprint (Outlook no name) found0.001
RATWARE_RCVD_ATheader--Bulk email fingerprint (Received @) found0.650
RATWARE_RCVD_PFheader--Bulk email fingerprint (Received PF) found3.895
RAZOR2_CF_RANGE_51_100full--Razor2 gives confidence level above 50%0.500
RAZOR2_CF_RANGE_E4_51_100full--Razor2 gives engine 4 confidence level above 50%1.500
RAZOR2_CF_RANGE_E8_51_100full--Razor2 gives engine 8 confidence level above 50%1.500
RAZOR2_CHECKfull--Listed in Razor2 (http://razor.sf.net/)0.500
RCVD_AM_PMheader--Received headers forged (AM/PM)1.688
RCVD_BAD_IDheader--Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*:<=>?\@\[\]^\`{|}~]|;\S)/2.088
RCVD_DOUBLE_IP_LOOSEmeta--Received: by and from look like IP addresses0.001
RCVD_DOUBLE_IP_SPAMmeta--Bulk email fingerprint (double IP) found3.895
RCVD_FAKE_HELO_DOTCOMheader--Received contains a faked HELO hostname2.775
RCVD_FORGED_WROTEheader--Forged 'Received' header found ('wrote:' spam)4.479
RCVD_FORGED_WROTE2header--Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s2.736
RCVD_HELO_IP_MISMATCHheader--Received: HELO and IP do not match, but should2.320
RCVD_ILLEGAL_IPheader--Received: contains illegal IP address3.196
RCVD_IN_BL_SPAMCOP_NETheader--Received via a relay in bl.spamcop.net2.188
RCVD_IN_DOBheader--Received via relay in new domain (Day Old Bread)0.835
RCVD_IN_DSBLheader--Received via a relay in list.dsbl.org0.753
RCVD_IN_NJABL_PROXYheader--NJABL: sender is an open proxy1.693
RCVD_IN_NJABL_RELAYheader--NJABL: sender is confirmed open relay1.841
RCVD_IN_NJABL_SPAMheader--NJABL: sender is confirmed spam source3.096
RCVD_IN_PBLheader--Received via a relay in Spamhaus PBL0.509
RCVD_IN_SBLheader--Received via a relay in Spamhaus SBL2.810
RCVD_IN_SORBS_DULheader--SORBS: sent directly from dynamic IP address1.615
RCVD_IN_SORBS_HTTPheader--SORBS: sender is open HTTP proxy server0.001
RCVD_IN_SORBS_MISCheader--SORBS: sender is open proxy server0.001
RCVD_IN_SORBS_SOCKSheader--SORBS: sender is open SOCKS proxy server0.182
RCVD_IN_SORBS_WEBheader--SORBS: sender is a abuseable web server1.117
RCVD_IN_XBLheader--Received via a relay in Spamhaus XBL2.896
RCVD_MAIL_COMheader--Forged Received header (contains post.com or mail.com)1.452
RCVD_NUMERIC_HELOheader--Received: contains an IP address used for HELO2.599
RDNS_DYNAMICmeta--Delivered to trusted network by host with dynamic-looking rDNS0.100
RDNS_NONEmeta--Delivered to trusted network by a host with no rDNS0.100
REFINANCE_NOWbody--Home refinancing0.169
REFINANCE_YOUR_HOMEbody--Home refinancing0.001
REMOVE_BEFORE_LINKbody--Removal phrase right before a link0.001
REPLICA_WATCHbody--Message talks about a replica watch3.396
REPTO_OVERQUOTE_THEBATmeta--The Bat! doesn't do quoting like this3.499
REPTO_QUOTE_AOLmeta--AOL doesn't do quoting like this1.595
REPTO_QUOTE_IMSmeta--IMS doesn't do quoting like this0.314
REPTO_QUOTE_MSNmeta--MSN doesn't do quoting like this2.689
REPTO_QUOTE_QUALCOMMmeta--Qualcomm/Eudora doesn't do quoting like this0.415
REPTO_QUOTE_YAHOOmeta--Yahoo! doesn't do quoting like this0.729
ROUND_THE_WORLD_LOCALheader--Received: says mail sent around the world (HELO)2.696
SB_GIF_AND_NO_URISmeta--(__GIF_ATTACH&&!__HAS_ANY_URI& &!__HAS_ANY_EMAIL)1.257
SHORT_HELO_AND_INLINE_IMAGEmeta--Short HELO string, with inline image0.702
SHORT_TERM_PRICEbody--/short\W+term\W+(target|projected)(\W+price)?/i1.950
SORTED_RECIPSheader--Recipient list is sorted by address1.800
SPAMMY_XMAILERmeta--X-Mailer string is common in spam and not in ham2.333
SPF_FAILheader--SPF: sender does not match SPF record (fail)0.992
SPF_HELO_FAILheader--SPF: HELO does not match SPF record (fail)0.365
SPF_HELO_NEUTRALheader--SPF: HELO does not match SPF record (neutral)2.000
SPF_HELO_SOFTFAILheader--SPF: HELO does not match SPF record (softfail)1.533
SPF_NEUTRALheader--SPF: sender does not match SPF record (neutral)1.210
SPF_SOFTFAILheader--SPF: sender does not match SPF record (softfail)0.654
SPOOF_COM2COMuri--URI contains ".com" in middle and end0.341
SPOOF_COM2OTHuri--URI contains ".com" in middle0.848
SPOOF_NET2COMuri--URI contains ".net" or ".org", then ".com"2.896
STOCK_ALERTbody--Offers a alert about a stock2.889
STOCK_IMG_CTYPEmeta--Stock spam image part, with distinctive Content-Type header0.001
STOCK_IMG_HDR_FROMmeta--Stock spam image part, with distinctive From line0.001
STOCK_IMG_HTMLmeta--Stock spam image part, with distinctive HTML0.001
STOCK_IMG_OUTLOOKmeta--Stock spam image part, with Outlook-like features0.001
STOCK_PRICESmeta--(SHORT_TERM_PRICE && LONG_TERM_PRICE)0.184
STOX_AND_PRICEmeta--CURR_PRICE && STOX_REPLY_TYPE2.373
STOX_REPLY_TYPEheader--Content-Type =~ /text\/plain; .* reply-type=original/0.001
STRONG_BUYbody--Tells you about a strong buy2.478
SUBJECT_DIETheader--Subject talks about losing pounds1.621
SUBJECT_DRUG_GAP_Cheader--Subject contains a gappy version of 'cialis'0.001
SUBJECT_DRUG_GAP_Lheader--Subject contains a gappy version of 'levitra'1.831
SUBJECT_DRUG_GAP_VAheader--Subject contains a gappy version of 'valium'2.596
SUBJECT_DRUG_GAP_Xheader--Subject contains a gappy version of 'xanax'2.052
SUBJECT_FUZZY_MEDSheader--Attempt to obfuscate words in Subject:2.812
SUBJECT_FUZZY_PENISheader--Attempt to obfuscate words in Subject:1.308
SUBJECT_FUZZY_TIONheader--Attempt to obfuscate words in Subject:0.410
SUBJECT_FUZZY_VPILLmeta--Attempt to obfuscate words in Subject:3.299
SUBJECT_IN_BLACKLISTheader--Subject: contains string in the user's black-list100.000
SUBJECT_NEEDS_ENCODINGmeta--(!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME1.277
SUBJECT_SEXUALheader--Subject indicates sexually-explicit content0.116
SUBJ_ALL_CAPSheader--Subject is all capitals1.806
SUBJ_BUYheader--Subject line starts with Buy or Buying0.900
SUBJ_DOLLARSheader--Subject starts with dollar amount0.842
SUBJ_ILLEGAL_CHARSheader--Subject: has too many raw illegal characters1.527
SUBJ_RE_NUMmeta--Subject is faking 'The Bat!' responses2.667
SUBJ_YOUR_DEBTheader--Subject contains "Your Bills" or similar2.896
SUBJ_YOUR_FAMILYheader--Subject contains "Your Family"2.647
SUSPICIOUS_RECIPSheader--Similar addresses in recipient list3.196
TEMPLATE_203_RCVDheader--Received =~ /from 192.168.0.\d+ \(203-219-/1.000
TO_MALFORMEDheader--To: has a malformed address0.001
TRACKER_IDbody--Incorporates a tracking ID number2.696
TT_MSGID_TRUNCheader--Scora: Message-Id ends after left-bracket + digits1.874
TT_OBSCURED_VALIUMmeta--Scora: obscured "VALIUM" in subject0.462
TT_OBSCURED_VIAGRAmeta--Scora: obscured "VIAGRA" in subject2.154
TVD_ACT_193body--/\bact of (?:193|nineteen thirty)/i3.420
TVD_APPROVEDbody--/you.{1,2}re .{0,20}approved/i2.558
TVD_APP_LOANbody--/approved .{0,20}loan/i1.000
TVD_DEAR_HOMEOWNERbody--/^dear homeowner/i2.599
TVD_EB_PHISHmeta--__FROM_EBAY && NORMAL_HTTP_TO_IP2.996
TVD_ENVFROM_APOSTheader--EnvelopeFrom =~ /\'/3.307
TVD_FINGER_02header--Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i2.720
TVD_FLOAT_GENERALrawbody--/\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i1.114
TVD_FUZZY_SYMBOLbody--/<inter W2><post P2>(?!symbol)<S><Y><M><B><O><L>/i1.435
TVD_PH_RECbody--Message has a phrase standard for phishing mails2.996
TVD_PH_SUBJ_ACCOUNTS_POSTheader--Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure| verify|restore| flagged|limited|unusual| report|notif(?:y|ication)| suspen(?:d|ded|sion)| confirm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/i2.996
TVD_PH_SUBJ_METAmeta--__TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST1.000
TVD_PH_SUBJ_URGENTheader--Subject =~ /^urgent(?:[\s\W]*$|.{1,40}(?:alert|response |assistance|proposal|reply| warning|noti(?:ce|fication)| greeting|matter))/i2.102
TVD_PP_PHISHmeta--__FROM_PAYPAL && NORMAL_HTTP_TO_IP3.099
TVD_QUAL_MEDSbody--/\bquality med(?:ication)?s\b/i4.123
TVD_RATWARE_CBheader--Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i2.914
TVD_RATWARE_MSGID_02header--Message-ID =~ /^[^<]*<[a-z]+\@/1.688
TVD_RCVD_IPheader--Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/1.617
TVD_RCVD_IP4header--Received =~ /^from\s+(?:\d+\.){3}\d+\s/3.344
TVD_RCVD_SINGLEheader--Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/0.303
TVD_SECTIONbody--/\bSection (?:27A|21B)/i3.317
TVD_SPACED_SUBJECT_WORD3header--Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/3.599
TVD_SPACE_RATIObody--eval:tvd_vertical_words('0','10')2.899
TVD_STOCK1body--eval:check_stock_info('2')3.792
TVD_SUBJ_OWEheader--Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i3.196
TVD_SUBJ_WIPE_DEBTheader--Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i2.896
TVD_VISIT_PHARMAbody--/Online Ph.rmacy/i0.001
TVD_VIS_HIDDENrawbody--/<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i1.908
UNCLAIMED_MONEYbody--People just leave money laying around2.985
UNCLOSED_BRACKETheader--Headers contain an unclosed bracket2.083
UNPARSEABLE_RELAYheader--Informational: message has unparseable relay lines0.001
UNRESOLVED_TEMPLATEheader--Headers contain an unresolved template3.325
UNWANTED_LANGUAGE_BODYbody--Message written in an undesired language2.800
UPPERCASE_50_75meta--message body is 50-75% uppercase0.490
UPPERCASE_75_100meta--message body is 75-100% uppercase1.930
URG_BIZbody--Contains urgent matter0.667
URIBL_AB_SURBLbody--Contains an URL listed in the AB SURBL blocklist1.613
URIBL_BLACKbody--Contains an URL listed in the URIBL blacklist1.961
URIBL_GREYbody--Contains an URL listed in the URIBL greylist0.250
URIBL_JP_SURBLbody--Contains an URL listed in the JP SURBL blocklist2.857
URIBL_OB_SURBLbody--Contains an URL listed in the OB SURBL blocklist2.132
URIBL_PH_SURBLbody--Contains an URL listed in the PH SURBL blocklist2.035
URIBL_REDbody--Contains an URL listed in the URIBL redlist0.001
URIBL_RHS_AHBLbody--Contains an URI listed in rhsbl.ahbl.org.1.000
URIBL_RHS_DOBbody--Contains an URI of a new domain (Day Old Bread)0.901
URIBL_SBLbody--Contains an URL listed in the SBL blocklist2.468
URIBL_SC_SURBLbody--Contains an URL listed in the SC SURBL blocklist2.523
URIBL_WS_SURBLbody--Contains an URL listed in the WS SURBL blocklist2.100
URI_HEXuri--URI hostname has long hexadecimal sequence1.316
URI_NOVOWELuri--URI hostname has long non-vowel sequence2.543
URI_NO_WWW_INFO_CGIuri--CGI in .info TLD other than third-level "www"0.601
URI_TRUNCATEDbody--Message contained a URI which was truncated0.001
URI_UNSUBSCRIBEuri--URI contains suspicious unsubscribe link3.092
USER_IN_BLACKLISTheader--From: address is in the user's black-list100.000
USER_IN_BLACKLIST_TOheader--User is listed in 'blacklist_to'10.000
US_DOLLARS_3body--Mentions millions of $ ($NN,NNN,NNN.NN)1.165
VBOUNCE_MESSAGEmeta--Virus-scanner bounce message0.100
VIA_GAP_GRAbody--Attempts to disguise the word 'viagra'1.053
WEIRD_PORTuri--Uses non-standard port number for HTTP1.499
WEIRD_QUOTINGbody--Weird repeated double-quotation marks2.796
WHOIS_AITPRIVbody--URL registered as an AIT Private Registration3.995
WHOIS_CONTACTPRIVbody--URL registered to contactprivacy.com2.696
WHOIS_DMNBYPROXYbody--Contains URL registered to Domains by Proxy0.260
WHOIS_MONIKER_PRIVbody--URL registered to Moniker Privacy Protection2.596
WHOIS_MYPRIVREGbody--URL registered to myprivateregistration.com0.156
WHOIS_NAMEKINGbody--URL registered to NameKing1.477
WHOIS_NETSOLPRbody--URL registered as a NetSol Private Registration0.001
WHOIS_PRIVACYPOSTbody--Contains URL registered to PrivacyPost0.647
WHOIS_PRIVPROTbody--URL registered to WHOIS Privacy Protection2.801
WHOIS_REGISTERFLYbody--Contains URL registered to RegisterFly3.196
WHOIS_SECUREWHOISbody--Contains URL registered to SecureWhois2.696
WHOIS_UNLISTEDbody--Contains URL registered to Unlisted-Whois.com2.170
WHOIS_WHOISGUARDbody--URL registered to WhoisGuard3.399
XMAILER_MIMEOLE_OL_015D5meta--(__XM_OL_015D5 && __MO_OL_015D5)0.907
XMAILER_MIMEOLE_OL_07794meta--(__XM_OL_07794 && __MO_OL_07794)1.613
XMAILER_MIMEOLE_OL_09BB4meta--(__XM_OL_09BB4 && __MO_OL_09BB4)0.681
XMAILER_MIMEOLE_OL_1ECD5meta--(__XM_OL_1ECD5 && __MO_OL_1ECD5)2.796
XMAILER_MIMEOLE_OL_20C99meta--(__XM_OL_20C99 && __MO_OL_20C99)1.046
XMAILER_MIMEOLE_OL_22B61meta--(__XM_OL_22B61 && __MO_OL_22B61)3.795
XMAILER_MIMEOLE_OL_25340meta--(__XM_OL_25340 && __MO_OL_25340)3.513
XMAILER_MIMEOLE_OL_32D97meta--(__XM_OL_32D97 && __MO_OL_32D97)2.896
XMAILER_MIMEOLE_OL_3857Fmeta--(__XM_OL_3857F && __MO_OL_3857F)0.509
XMAILER_MIMEOLE_OL_3AC1Dmeta--(__XM_OL_3AC1D && __MO_OL_3AC1D)1.323
XMAILER_MIMEOLE_OL_3D61Dmeta--(__XM_OL_3D61D && __MO_OL_3D61D)1.308
XMAILER_MIMEOLE_OL_465CDmeta--(__XM_OL_465CD && __MO_OL_465CD)3.576
XMAILER_MIMEOLE_OL_4B815meta--(__XM_OL_4B815 && __MO_OL_4B815)0.407
XMAILER_MIMEOLE_OL_4BF4Cmeta--(__XM_OL_4BF4C && __MO_OL_4BF4C)0.438
XMAILER_MIMEOLE_OL_4EEDBmeta--(__XM_OL_4EEDB && __MO_OL_4EEDB)3.595
XMAILER_MIMEOLE_OL_4F240meta--(__XM_OL_4F240 && __MO_OL_4F240)1.850
XMAILER_MIMEOLE_OL_58CB5meta--(__XM_OL_58CB5 && __MO_OL_58CB5)3.599
XMAILER_MIMEOLE_OL_5B79Ameta--(__XM_OL_5B79A && __MO_OL_5B79A)1.453
XMAILER_MIMEOLE_OL_6554Ameta--(__XM_OL_6554A && __MO_OL_6554A)0.934
XMAILER_MIMEOLE_OL_72641meta--(__XM_OL_72641 && __MO_OL_72641)0.746
XMAILER_MIMEOLE_OL_7533Emeta--(__XM_OL_7533E && __MO_OL_7533E)1.113
XMAILER_MIMEOLE_OL_812FFmeta--(__XM_OL_812FF && __MO_OL_812FF)1.847
XMAILER_MIMEOLE_OL_83BF7meta--(__XM_OL_83BF7 && __MO_OL_83BF7)1.209
XMAILER_MIMEOLE_OL_8627Emeta--(__XM_OL_8627E && __MO_OL_8627E)3.895
XMAILER_MIMEOLE_OL_8E893meta--(__XM_OL_8E893 && __MO_OL_8E893)2.896
XMAILER_MIMEOLE_OL_91287meta--(__XM_OL_91287 && __MO_OL_91287)1.577
XMAILER_MIMEOLE_OL_9B90Bmeta--(__XM_OL_9B90B && __MO_OL_9B90B)1.502
XMAILER_MIMEOLE_OL_A50F8meta--(__XM_OL_A50F8 && __MO_OL_A50F8)3.399
XMAILER_MIMEOLE_OL_A842Emeta--(__XM_OL_A842E && __MO_OL_A842E)0.963
XMAILER_MIMEOLE_OL_ADFF7meta--(__XM_OL_ADFF7 && __MO_OL_ADFF7)2.759
XMAILER_MIMEOLE_OL_B30D1meta--(__XM_OL_B30D1 && __MO_OL_B30D1)1.748
XMAILER_MIMEOLE_OL_B4B40meta--(__XM_OL_B4B40 && __MO_OL_B4B40)1.765
XMAILER_MIMEOLE_OL_B9B11meta--(__XM_OL_B9B11 && __MO_OL_B9B11)3.496
XMAILER_MIMEOLE_OL_BC7E6meta--(__XM_OL_BC7E6 && __MO_OL_BC7E6)3.695
XMAILER_MIMEOLE_OL_C65FAmeta--(__XM_OL_C65FA && __MO_OL_C65FA)2.308
XMAILER_MIMEOLE_OL_C9068meta--(__XM_OL_C9068 && __MO_OL_C9068)1.975
XMAILER_MIMEOLE_OL_CAC8Fmeta--(__XM_OL_CAC8F && __MO_OL_CAC8F)0.702
XMAILER_MIMEOLE_OL_CF0C0meta--(__XM_OL_CF0C0 && __MO_OL_CF0C0)2.088
XMAILER_MIMEOLE_OL_EF20Bmeta--(__XM_OL_EF20B && __MO_OL_EF20B)1.048
XMAILER_MIMEOLE_OL_F3B05meta--(__XM_OL_F3B05 && __MO_OL_F3B05)2.217
XMAILER_MIMEOLE_OL_F475Emeta--(__XM_OL_F475E && __MO_OL_F475E)0.627
XMAILER_MIMEOLE_OL_F6D01meta--(__XM_OL_F6D01 && __MO_OL_F6D01)3.496
XMAILER_MIMEOLE_OL_FF5C8meta--(__XM_OL_FF5C8 && __MO_OL_FF5C8)3.091
X_IPheader--Message has X-IP header1.943
X_MESSAGE_INFOheader--Bulk email fingerprint (X-Message-Info) found3.496
X_PRIORITY_CCheader--Cc: after X-Priority: (bulk email fingerprint)1.492
YAHOO_DRS_REDIRuri--Has Yahoo Redirect URI0.313

Member access:

Which? works for you