Blacklists are lists of either IP addresses or domain names that have been accused of sending unsolicited commercial email. Many Internet Service Providers (ISPs) subscribe to them. If a website or IP address is added to a blacklist and the ISP that the site is attempting to send email to subscribes to that blacklist, the email will likely not get through to the intended recipient.
While blacklists have been helpful in filtering out and reducing spam, many innocent sites are added to blacklists. Often, business owners who send out opt-in, or permission-based, newsletters are reported by one of their subscribers who simply forgot that they ever subscribed. Most blacklists are automated: they blacklist first and ask questions later.
Blacklists operate on a reporting system, in which an individual can forward an email they consider to be spam to the list operator, who then adds the sender to the list of known senders of unsolicited commercial email. Unfortunately, the operators of these blacklists are not answerable to anyone and they run their operations with extreme prejudice against anyone who is attempting to earn revenue from electronic commerce. They require no proof that the offending email was actually unsolicited, they do not notify the business in question that it has been blacklisted, nor do they offer that person or entity an opportunity to defend themselves before they are placed on such a list. This is a situation that begs to be abused. There have been numerous instances in which online businesses have found themselves on such a blacklist for reasons that range from the user who subscribes to a newsletter and then forgets that they did, to a competitor attempting to thin the field, to the malicious promptings of a personal grudge.
To check whether your website is on a blacklist, go to www.openrbl.org and type in your domain name. The site will do a quick check against its database of 31 major blacklists and within seconds tell you which, if any, your website(s) are on. Another good tool for checking whether you are on blacklists can be found at www.senderbase.org.
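Lookup sites like these query each blacklist over DNS, and the same check can be scripted. The following is an added example, not part of the original article: it builds the standard DNSBL query name (reversed IP address, or the domain itself, prepended to the list's zone) and classifies the answer. The zone names and the sample answers are constructed placeholders, and the function names are this example's own.

```python
import ipaddress
import socket

# Placeholder zones (assumption): substitute the lists your recipients' ISPs use.
EXAMPLE_ZONES = ["dnsbl.example.org", "rhsbl.example.net"]

# DNSBLs answer "listed" with an A record inside 127.0.0.0/8.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

# getaddrinfo error codes that mean "no such record", i.e. not listed.
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}

# Constructed answers for the offline demo; real answers come from DNS.
CONSTRUCTED_ANSWERS = {
    "25.2.0.192.dnsbl.example.org": ["127.0.0.2"],
    "example.com.rhsbl.example.net": ["203.0.113.9"],
}


def dnsbl_query_name(target, zone):
    """Return the DNS name to look up for `target` in the list `zone`.

    IPv4: octets reversed. IPv6: the 32 hex nibbles reversed.
    Anything else is treated as a domain name and used as-is.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return f"{target.rstrip('.').lower()}.{zone}"
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def system_resolver(name):
    """Resolve `name` to IPv4 addresses; an empty list means no record."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:
            return []
        raise  # timeout or server failure: the caller records "error"
    return sorted({info[4][0] for info in infos})


def check_target(target, zones, resolve=system_resolver):
    """Check one IP address or domain against each zone.

    Returns {zone: (status, answers)} where status is one of:
      listed      - at least one answer in 127.0.0.0/8
      not_listed  - no record for the query name
      unexpected  - answers outside 127.0.0.0/8 (for example a retired
                    list whose domain now resolves to a parking page);
                    do not treat this as a listing
      error       - the lookup itself failed, result unknown
    """
    results = {}
    for zone in zones:
        name = dnsbl_query_name(target, zone)
        try:
            answers = list(resolve(name))
        except OSError:
            results[zone] = ("error", [])
            continue
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
        if codes:
            status = "listed"
        elif answers:
            status = "unexpected"
        else:
            status = "not_listed"
        results[zone] = (status, answers)
    return results


if __name__ == "__main__":
    # Offline demo against the constructed answers above. Drop the
    # `resolve` argument to query real DNS through the system resolver.
    def offline(name):
        return CONSTRUCTED_ANSWERS.get(name, [])

    for target in ("192.0.2.25", "example.com"):
        for zone, (status, answers) in check_target(
                target, EXAMPLE_ZONES, resolve=offline).items():
            print(f"{target:12} {zone:20} {status:11} {answers}")
```

Each list documents what its return codes mean and how to request removal, so a `listed` result is the starting point for the removal procedure rather than the end of the check.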
If you get on a blacklist, it is often difficult to get off. You can try to visit the web site of the blacklist you are on and look for removal procedures. Some blacklists have procedures for removal, while other lists are permanent.
SpamAssassin is a software program that filters or screens incoming e-mail messages. The purpose of the filter is to look for unsolicited or undesirable mail and to flag it or eliminate it from your Inbox.
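When SpamAssassin scans a message, its default configuration records the names of the tests that matched in an `X-Spam-Status` header, and those names are the ones listed in the table on this page. The following added example (not part of the original article) parses that header from a message and looks up each test name; the sample message is constructed, the description map holds only a few rows copied from the table, and the function name is this example's own.

```python
import email
import re

# A few rows copied from the table on this page; extend as needed.
DESCRIPTIONS = {
    "BAYES_99": "Bayesian spam probability is 99 to 100%",
    "EXCUSE_REMOVE": "Talks about how to be removed from mailings",
    "HTML_IMAGE_ONLY_04": "HTML: images with 0-400 bytes of words",
    "MIME_HTML_ONLY": "Message only has text/html MIME parts",
}

# Constructed sample message (not real mail). The header is folded across
# several lines, as it normally is in delivered mail.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.25])
\tby mx.example.org; Mon, 01 Jan 2007 10:00:00 +0000
From: Newsletter <news@example.net>
To: reader@example.org
Subject: January offers
X-Spam-Flag: YES
X-Spam-Status: Yes, score=7.9 required=5.0 tests=BAYES_99,EXCUSE_REMOVE,
\tHTML_IMAGE_ONLY_04,MIME_HTML_ONLY,LOCAL_CUSTOM_RULE autolearn=no
\tversion=3.1.7

Body text.
"""


def parse_spam_status(raw_message):
    """Extract verdict, score, threshold and matched tests from a message.

    Assumes the default header layout:
        Yes|No, score=N required=N tests=A,B,C autolearn=... version=...
    (SpamAssassin 2.x wrote hits=N instead of score=N). Sites can change
    or remove this header, so a missing or unparsable header yields None.
    """
    msg = email.message_from_string(raw_message)
    value = msg.get("X-Spam-Status")
    if value is None:
        return None
    match = re.match(r"\s*(yes|no)\s*,\s*(.*)", str(value), re.I | re.S)
    if match is None:
        return None
    verdict, rest = match.groups()

    # Header folding leaves whitespace after commas inside the tests list.
    rest = re.sub(r",\s+", ",", rest)
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)

    def number(key):
        try:
            return float(fields[key])
        except (KeyError, ValueError):
            return None

    score = number("score")
    if score is None:
        score = number("hits")  # 2.x spelling

    raw_tests = fields.get("tests", "")
    tests = [] if raw_tests in ("", "none") else [
        t for t in raw_tests.split(",") if t]

    return {
        "is_spam": verdict.lower() == "yes",
        "score": score,
        "required": number("required"),
        "tests": tests,
        # None marks a test that is not in DESCRIPTIONS, for example a
        # site-local rule.
        "explained": [(t, DESCRIPTIONS.get(t)) for t in tests],
    }


if __name__ == "__main__":
    result = parse_spam_status(SAMPLE)
    print(f"spam={result['is_spam']} score={result['score']} "
          f"required={result['required']}")
    for name, text in result["explained"]:
        print(f"  {name:22} {text or '(not in local table)'}")
```

A sender who asks a recipient for the full headers of a filtered newsletter can run them through this to see which content or header tests to address.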
| Test |
Description |
| ACCESSDB |
Message would have been caught by
accessdb |
| ACT_NOW_CAPS |
Talks about 'acting now' with capitals |
| ADDRESS_IN_SUBJECT |
To: address appears in Subject |
| ADDR_FREE |
From Address contains FREE |
| ADDR_NUMS_AT_BIGSITE |
Has an address with lots of numbers at a big
ISP |
| ADVANCE_FEE_1 |
Appears to be advance fee fraud (Nigerian
419) |
| ADVANCE_FEE_2 |
Appears to be advance fee fraud (Nigerian
419) |
| ADVANCE_FEE_3 |
Appears to be advance fee fraud (Nigerian
419) |
| ADVANCE_FEE_4 |
Appears to be advance fee fraud (Nigerian
419) |
| ALL_NATURAL |
Spam is 100% natural?! |
| ALL_TRUSTED |
Passed through trusted hosts only via
SMTP |
| AMATEUR_PORN |
Possible porn - Amateur Porn |
| AMAZING_STUFF |
Amazing Stuff |
| AS_SEEN_ON |
As seen on national TV! |
| AWL |
From: address is in the auto white-list |
| BAD_CREDIT |
Eliminate Bad Credit |
| BAD_ENC_HEADER |
Message has bad MIME encoding in the
header |
| BANG_EXERCISE |
Talks about exercise with an
exclamation! |
| BANG_GUAR |
Something is emphatically guaranteed |
| BANG_MORE |
Talks about more with an exclamation! |
| BANG_OPRAH |
Talks about Oprah with an exclamation! |
| BARGAIN_URL |
Includes a link to a likely spammer
domain |
| BAYES_00 |
Bayesian spam probability is 0 to 1% |
| BAYES_05 |
Bayesian spam probability is 1 to 5% |
| BAYES_20 |
Bayesian spam probability is 5 to 20% |
| BAYES_40 |
Bayesian spam probability is 20 to 40% |
| BAYES_50 |
Bayesian spam probability is 40 to 60% |
| BAYES_60 |
Bayesian spam probability is 60 to 80% |
| BAYES_80 |
Bayesian spam probability is 80 to 95% |
| BAYES_95 |
Bayesian spam probability is 95 to 99% |
| BAYES_99 |
Bayesian spam probability is 99 to 100% |
| BEST_PORN |
Possible porn - Best, Largest, Most Porn |
| BE_BOSS |
Be your own boss |
| BILLION_DOLLARS |
Talks about lots of money |
| BILL_1618 |
Possible mention of bill 1618 (anti-spam
bill) |
| BIZ_TLD |
Contains an URL in the BIZ top-level domain |
| BLANK_LINES_70_80 |
Message body has 70-80% blank lines |
| BLANK_LINES_80_90 |
Message body has 80-90% blank lines |
| BLANK_LINES_90_100 |
Message body has 90-100% blank lines |
| BODY_8BITS |
Body includes 8 consecutive 8-bit
characters |
| BODY_ENHANCEMENT |
Information on growing body parts |
| BODY_ENHANCEMENT2 |
Information on getting larger body parts |
| CHARSET_FARAWAY |
Character set indicates a foreign
language |
| CHARSET_FARAWAY_HEADER |
A foreign language charset used in
headers |
| CHINA_HEADER |
Involves 'china.com' |
| CLICK_BELOW_CAPS |
Asks you to click below (in capital
letters) |
| CLICK_TO_REMOVE_1 |
Click to be removed |
| COMPETE |
Compete for your business |
| CONFIDENTIAL_ORDER |
Confidentiality on all orders |
| CONFIRMED_FORGED |
Received headers are forged |
| CONSOLIDATE_DEBT |
Consolidate debt, credit, or bills |
| CUM_SHOT |
Possible porn - Cum Shot |
| DATE_IN_FUTURE_03_06 |
Date: is 3 to 6 hours after Received:
date |
| DATE_IN_FUTURE_06_12 |
Date: is 6 to 12 hours after Received:
date |
| DATE_IN_FUTURE_12_24 |
Date: is 12 to 24 hours after Received:
date |
| DATE_IN_FUTURE_24_48 |
Date: is 24 to 48 hours after Received:
date |
| DATE_IN_FUTURE_48_96 |
Date: is 48 to 96 hours after Received:
date |
| DATE_IN_FUTURE_96_XX |
Date: is 96 hours or more after Received:
date |
| DATE_IN_PAST_03_06 |
Date: is 3 to 6 hours before Received:
date |
| DATE_IN_PAST_06_12 |
Date: is 6 to 12 hours before Received:
date |
| DATE_IN_PAST_12_24 |
Date: is 12 to 24 hours before Received:
date |
| DATE_IN_PAST_24_48 |
Date: is 24 to 48 hours before Received:
date |
| DATE_IN_PAST_48_96 |
Date: is 48 to 96 hours before Received:
date |
| DATE_IN_PAST_96_XX |
Date: is 96 hours or more before Received:
date |
| DATE_SPAMWARE_Y2K |
Date header uses unusual Y2K formatting |
| DAV_NON_HOTMAIL |
Message sent using DAV, but not via
Hotmail |
| DCC_CHECK |
Listed in DCC
(http://rhyolite.com/anti-spam/dcc/) |
| DEAR_FRIEND |
Dear Friend? That's not very dear! |
| DEAR_SOMETHING |
Contains 'Dear (something)' |
| DEEP_DISC_MEDS |
Deep discount medications |
| DIET_1 |
Lose Weight Spam |
| DIET_2 |
Describes weight loss |
| DIET_3 |
Describes body fat loss |
| DIGEST_MULTIPLE |
Message hits more than one network digest
check |
| DISGUISE_PORN |
Attempts to disguise porn words |
| DISGUISE_PORN_MUNDANE |
Attempts to disguise mundane words used in
porn |
| DKIM_POLICY_SIGNALL |
Domain Keys Identified Mail: policy says
domain signs all mails |
| DKIM_POLICY_SIGNSOME |
Domain Keys Identified Mail: policy says
domain signs some mails |
| DKIM_POLICY_TESTING |
Domain Keys Identified Mail: policy says
domain is testing DK |
| DKIM_SIGNED |
Domain Keys Identified Mail: message has a
signature |
| DKIM_VERIFIED |
Domain Keys Identified Mail: signature passes
verification |
| DK_POLICY_SIGNALL |
Domain Keys: policy says domain signs all
mails |
| DK_POLICY_SIGNSOME |
Domain Keys: policy says domain signs some
mails |
| DK_POLICY_TESTING |
Domain Keys: policy says domain is testing
DK |
| DK_SIGNED |
Domain Keys: message has an unverified
signature |
| DK_VERIFIED |
Domain Keys: signature passes
verification |
| DNS_FROM_AHBL_RHSBL |
From: sender listed in dnsbl.ahbl.org |
| DNS_FROM_RFC_ABUSE |
Envelope sender in
abuse.rfc-ignorant.org |
| DNS_FROM_RFC_BOGUSMX |
Envelope sender in
bogusmx.rfc-ignorant.org |
| DNS_FROM_RFC_DSN |
Envelope sender in dsn.rfc-ignorant.org |
| DNS_FROM_RFC_POST |
Envelope sender in
postmaster.rfc-ignorant.org |
| DNS_FROM_RFC_WHOIS |
Envelope sender in
whois.rfc-ignorant.org |
| DNS_FROM_SECURITYSAGE |
Envelope sender in
blackholes.securitysage.com |
| DOMAIN_4U2 |
Domain name containing a "4u" variant |
| DOMAIN_RATIO |
Message body mentions many internet
domains |
| DRUGS_ANXIETY |
Refers to an anxiety control drug |
| DRUGS_ANXIETY_EREC |
Refers to both an erectile and an anxiety
drug |
| DRUGS_ANXIETY_OBFU |
Obfuscated reference to an anxiety control
drug |
| DRUGS_DIET |
Refers to a diet drug |
| DRUGS_DIET_OBFU |
Obfuscated reference to a diet drug |
| DRUGS_ERECTILE |
Refers to an erectile drug |
| DRUGS_ERECTILE_OBFU |
Obfuscated reference to an erectile drug |
| DRUGS_MANYKINDS |
Refers to at least four kinds of drugs |
| DRUGS_MUSCLE |
Refers to a muscle relaxant |
| DRUGS_PAIN |
Refers to a pain relief drug |
| DRUGS_PAIN_OBFU |
Obfuscated reference to a pain relief
drug |
| DRUGS_SLEEP |
Refers to a sleep aid drug |
| DRUGS_SLEEP_EREC |
Refers to both an erectile and a sleep aid
drug |
| DRUGS_SMEAR1 |
Two or more drugs crammed together into one
word |
| DRUG_DOSAGE |
Talks about price per dose |
| DRUG_ED_CAPS |
Mentions an E.D. drug |
| DRUG_ED_COMBO |
Viagra and other drugs |
| DRUG_ED_GENERIC |
Mentions Generic Viagra |
| DRUG_ED_ONLINE |
Fast Viagra Delivery |
| DRUG_ED_SILD |
Talks about an E.D. drug using its chemical
name |
| EARN_PER_WEEK |
Contains 'earn $something per week' |
| EMAIL_ROT13 |
Body contains a ROT13-encoded email
address |
| EMPTY_MESSAGE |
Message appears to have no textual parts and
no Subject: text |
| EM_ROLEX |
Message puts emphasis on the watch
manufacturer |
| ENGLISH_UCE_SUBJECT |
Subject contains an English UCE tag |
| ENTITY_DEC_ALPHANUM |
HTML contains needlessly encoded
characters |
| ENV_AND_HDR_DKIM_MATCH |
Env and Hdr From used in default DKIM WL
Match |
| ENV_AND_HDR_DK_MATCH |
Env and Hdr From used in default DK WL
Match |
| ENV_AND_HDR_SPF_MATCH |
Env and Hdr From used in default SPF WL
Match |
| EXCUSE_10 |
"if you do not wish to receive any more" |
| EXCUSE_12 |
Nobody's perfect |
| EXCUSE_23 |
Claims you have provided permission |
| EXCUSE_24 |
Claims you wanted this ad |
| EXCUSE_4 |
Claims you can be removed from the list |
| EXCUSE_6 |
Claims you can be removed from the list |
| EXCUSE_REMOVE |
Talks about how to be removed from
mailings |
| EXTRA_CASH |
Offers Extra Cash |
| EXTRA_MPART_TYPE |
Header has extraneous Content-type:...type=
entry |
| FAKED_UNDISC_RECIPS |
Faked To "Undisclosed-Recipients" |
| FAKE_HELO_EMAIL_COM |
Host HELO did not match rDNS: email.com |
| FAKE_HELO_EUDORAMAIL |
Host HELO did not match rDNS:
eudoramail.com |
| FAKE_HELO_EXCITE |
Host HELO did not match rDNS: excite.com |
| FAKE_HELO_LYCOS |
Host HELO did not match rDNS: lycos.com |
| FAKE_HELO_MAIL_COM |
Host HELO did not match rDNS: mail.com |
| FAKE_HELO_MAIL_COM_DOM |
Relay HELO'd with suspicious hostname
(mail.com) |
| FAKE_HELO_MSN |
Host HELO did not match rDNS: msn.com |
| FAKE_HELO_YAHOO_CA |
Host HELO did not match rDNS: yahoo.ca |
| FAKE_OUTBLAZE_RCVD |
Received header contains faked
'mr.outblaze.com' |
| FIN_FREE |
Freedom of a financial nature |
| FORGED_AOL_RCVD |
Received forged, contains fake AOL
relays |
| FORGED_AOL_TAGS |
AOL mailers can't send HTML in this
format |
| FORGED_EUDORAMAIL_RCVD |
Forged eudoramail.com 'Received:' header
found |
| FORGED_GW05_RCVD |
Forged 'by gw05' 'Received:' header
found |
| FORGED_HOTMAIL_RCVD |
Forged hotmail.com 'Received:' header
found |
| FORGED_HOTMAIL_RCVD2 |
hotmail.com 'From' address, but no
'Received:' |
| FORGED_IMS_HTML |
IMS can't send HTML message only |
| FORGED_IMS_TAGS |
IMS mailers can't send HTML in this
format |
| FORGED_JUNO_RCVD |
'From' juno.com does not match 'Received'
headers |
| FORGED_MSGID_AOL |
Message-ID is forged, (aol.com) |
| FORGED_MSGID_EXCITE |
Message-ID is forged, (excite.com) |
| FORGED_MSGID_HOTMAIL |
Message-ID is forged, (hotmail.com) |
| FORGED_MSGID_MSN |
Message-ID is forged, (msn.com) |
| FORGED_MSGID_YAHOO |
Message-ID is forged, (yahoo.com) |
| FORGED_MUA_AOL_FROM |
Forged mail pretending to be from AOL (by
From) |
| FORGED_MUA_EUDORA |
Forged mail pretending to be from Eudora |
| FORGED_MUA_IMS |
Forged mail pretending to be from IMS |
| FORGED_MUA_MOZILLA |
Forged mail pretending to be from
Mozilla |
| FORGED_MUA_OIMO |
Forged mail pretending to be from MS Outlook
IMO |
| FORGED_MUA_OUTLOOK |
Forged mail pretending to be from MS
Outlook |
| FORGED_MUA_THEBAT_BOUN |
Mail pretending to be from The Bat!
(boundary) |
| FORGED_MUA_THEBAT_CS |
Mail pretending to be from The Bat!
(charset) |
| FORGED_OUTLOOK_HTML |
Outlook can't send HTML message only |
| FORGED_OUTLOOK_TAGS |
Outlook can't send HTML in this format |
| FORGED_QUALCOMM_TAGS |
QUALCOMM mailers can't send HTML in this
format |
| FORGED_RCVD_HELO |
Received: contains a forged HELO |
| FORGED_TELESP_RCVD |
Contains forged hostname for a DSL IP in
Brazil |
| FORGED_THEBAT_HTML |
The Bat! can't send HTML message only |
| FORGED_YAHOO_RCVD |
'From' yahoo.com does not match 'Received'
headers |
| FORWARD_LOOKING |
Stock Disclaimer Statement |
| FRAGMENTED_MESSAGE |
Partial message |
| FREE_ACCESS |
Contains 'free access' with capitals |
| FREE_PORN |
Possible porn - Free Porn |
| FREE_PREVIEW |
Free Preview |
| FREE_QUOTE_INSTANT |
Free express or no-obligation quote |
| FREE_SAMPLE |
Contains 'free sample' with capitals |
| FROM_ALL_NUMS |
From numeric address (except US/Canada
phones) |
| FROM_AND_TO_SAME |
From and To are the same, but not
exactly |
| FROM_BLANK_NAME |
From: contains empty name |
| FROM_DOMAIN_NOVOWEL |
From: domain has series of non-vowel
letters |
| FROM_ENDS_IN_NUMS |
From: ends in many numbers |
| FROM_EXCESS_BASE64 |
From: base64 encoded unnecessarily |
| FROM_EXCESS_QP |
From: quoted-printable encoded
unnecessarily |
| FROM_HAS_MIXED_NUMS |
From: contains numbers mixed in with
letters |
| FROM_HAS_ULINE_NUMS |
From: contains an underline and
numbers/letters |
| FROM_ILLEGAL_CHARS |
From: has too many raw illegal
characters |
| FROM_LOCAL_DIGITS |
From: localpart has long digit sequence |
| FROM_LOCAL_HEX |
From: localpart has long hexadecimal
sequence |
| FROM_LOCAL_NOVOWEL |
From: localpart has series of non-vowel
letters |
| FROM_NONSENDING_DOMAIN |
Message is from domain that never sends
email |
| FROM_NO_LOWER |
From address has no lower-case
characters |
| FROM_NO_USER |
From: has no local-part before @ sign |
| FROM_OFFERS |
From address is "at something-offers" |
| FROM_STARTS_WITH_NUMS |
From: starts with many numbers |
| FRONTPAGE |
Frontpage used to create the message |
| FULL_REFUND |
Offers a full refund |
| FUZZY_AFFORDABLE |
Attempt to obfuscate words in spam |
| FUZZY_AMBIEN |
Attempt to obfuscate words in spam |
| FUZZY_BILLION |
Attempt to obfuscate words in spam |
| FUZZY_CELEBREX |
Attempt to obfuscate words in spam |
| FUZZY_CPILL |
Attempt to obfuscate words in spam |
| FUZZY_CREDIT |
Attempt to obfuscate words in spam |
| FUZZY_ERECT |
Attempt to obfuscate words in spam |
| FUZZY_FOLLOW |
Attempt to obfuscate words in spam |
| FUZZY_GUARANTEE |
Attempt to obfuscate words in spam |
| FUZZY_MEDICATION |
Attempt to obfuscate words in spam |
| FUZZY_MILF |
Attempt to obfuscate words in spam |
| FUZZY_MILLION |
Attempt to obfuscate words in spam |
| FUZZY_MONEY |
Attempt to obfuscate words in spam |
| FUZZY_MORTGAGE |
Attempt to obfuscate words in spam |
| FUZZY_OBLIGATION |
Attempt to obfuscate words in spam |
| FUZZY_OFFERS |
Attempt to obfuscate words in spam |
| FUZZY_PHARMACY |
Attempt to obfuscate words in spam |
| FUZZY_PHENT |
Attempt to obfuscate words in spam |
| FUZZY_PLEASE |
Attempt to obfuscate words in spam |
| FUZZY_PRESCRIPT |
Attempt to obfuscate words in spam |
| FUZZY_PRICES |
Attempt to obfuscate words in spam |
| FUZZY_REFINANCE |
Attempt to obfuscate words in spam |
| FUZZY_REMOVE |
Attempt to obfuscate words in spam |
| FUZZY_ROLEX |
Attempt to obfuscate words in spam |
| FUZZY_SOFTWARE |
Attempt to obfuscate words in spam |
| FUZZY_THOUSANDS |
Attempt to obfuscate words in spam |
| FUZZY_TRAMADOL |
Attempt to obfuscate words in spam |
| FUZZY_VICODIN |
Attempt to obfuscate words in spam |
| FUZZY_VIOXX |
Attempt to obfuscate words in spam |
| FUZZY_VLIUM |
Attempt to obfuscate words in spam |
| FUZZY_VPILL |
Attempt to obfuscate words in spam |
| FUZZY_XPILL |
Attempt to obfuscate words in spam |
| GAPPY_SUBJECT |
Subject: contains G.a.p.p.y-T.e.x.t |
| GET_PAID |
Get Paid |
| GTUBE |
Generic Test for Unsolicited Bulk Email |
| GUARANTEED_100_PERCENT |
One hundred percent guaranteed |
| GUARANTEED_STUFF |
Guaranteed Stuff |
| HABEAS_ACCREDITED_COI |
Habeas Accredited Confirmed Opt-In or
Better |
| HABEAS_ACCREDITED_SOI |
Habeas Accredited Opt-In or Better |
| HABEAS_CHECKED |
Habeas Checked |
| HAIR_LOSS |
Cures Baldness |
| HARDCORE_PORN |
Possible porn - Hardcore Porn |
| HASHCASH_20 |
Contains valid Hashcash token (20 bits) |
| HASHCASH_21 |
Contains valid Hashcash token (21 bits) |
| HASHCASH_22 |
Contains valid Hashcash token (22 bits) |
| HASHCASH_23 |
Contains valid Hashcash token (23 bits) |
| HASHCASH_24 |
Contains valid Hashcash token (24 bits) |
| HASHCASH_25 |
Contains valid Hashcash token (25 bits) |
| HASHCASH_2SPEND |
Hashcash token already spent in another
mail |
| HASHCASH_HIGH |
Contains valid Hashcash token (>25
bits) |
| HDR_ORDER_MTSRIX |
Headers are in order found in spam
(MTSRIX) |
| HDR_ORDER_TRIMRS |
Headers are in order found in spam
(TRIMRS) |
| HEADER_COUNT_CTYPE |
Multiple Content-Type headers found |
| HEADER_SPAM |
Bulk email fingerprint (header-based)
found |
| HEAD_ILLEGAL_CHARS |
Headers have too many raw illegal
characters |
| HEAD_LONG |
Message headers are very long |
| HELO_DYNAMIC_ADELPHIA |
Relay HELO'd using suspicious hostname
(Adelphia) |
| HELO_DYNAMIC_ATTBI |
Relay HELO'd using suspicious hostname
(ATTBI.com) |
| HELO_DYNAMIC_CHELLO_NL |
Relay HELO'd using suspicious hostname
(Chello.nl) |
| HELO_DYNAMIC_CHELLO_NO |
Relay HELO'd using suspicious hostname
(Chello.no) |
| HELO_DYNAMIC_COMCAST |
Relay HELO'd using suspicious hostname
(Comcast) |
| HELO_DYNAMIC_DHCP |
Relay HELO'd using suspicious hostname
(DHCP) |
| HELO_DYNAMIC_DIALIN |
Relay HELO'd using suspicious hostname
(T-Dialin) |
| HELO_DYNAMIC_HCC |
Relay HELO'd using suspicious hostname
(HCC) |
| HELO_DYNAMIC_HEXIP |
Relay HELO'd using suspicious hostname (Hex
IP) |
| HELO_DYNAMIC_HOME_NL |
Relay HELO'd using suspicious hostname
(Home.nl) |
| HELO_DYNAMIC_IPADDR |
Relay HELO'd using suspicious hostname (IP
addr 1) |
| HELO_DYNAMIC_IPADDR2 |
Relay HELO'd using suspicious hostname (IP
addr 2) |
| HELO_DYNAMIC_NTL |
Relay HELO'd using suspicious hostname
(NTL) |
| HELO_DYNAMIC_OOL |
Relay HELO'd using suspicious hostname
(OptOnline) |
| HELO_DYNAMIC_ROGERS |
Relay HELO'd using suspicious hostname
(Rogers) |
| HELO_DYNAMIC_RR2 |
Relay HELO'd using suspicious hostname (RR
2) |
| HELO_DYNAMIC_SPLIT_IP |
Relay HELO'd using suspicious hostname (Split
IP) |
| HELO_DYNAMIC_TELIA |
Relay HELO'd using suspicious hostname
(Telia) |
| HELO_DYNAMIC_VELOX |
Relay HELO'd using suspicious hostname
(Veloxzone) |
| HELO_DYNAMIC_VTR |
Relay HELO'd using suspicious hostname
(VTR) |
| HELO_DYNAMIC_YAHOOBB |
Relay HELO'd using suspicious hostname
(YahooBB) |
| HG_HORMONE |
Talks about hormones for human growth |
| HIDDEN_CHARGES |
Talks about Hidden Charges |
| HIDE_WIN_STATUS |
Javascript to hide URLs in browser |
| HOT_NASTY |
Possible porn - Hot, Nasty, Wild, Young |
| HTML_00_10 |
Message is 0% to 10% HTML |
| HTML_10_20 |
Message is 10% to 20% HTML |
| HTML_20_30 |
Message is 20% to 30% HTML |
| HTML_30_40 |
Message is 30% to 40% HTML |
| HTML_40_50 |
Message is 40% to 50% HTML |
| HTML_50_60 |
Message is 50% to 60% HTML |
| HTML_60_70 |
Message is 60% to 70% HTML |
| HTML_70_80 |
Message is 70% to 80% HTML |
| HTML_80_90 |
Message is 80% to 90% HTML |
| HTML_90_100 |
Message is 90% to 100% HTML |
| HTML_ATTR_BAD |
HTML has many bad attributes in tags |
| HTML_ATTR_UNIQUE |
HTML appears to have random attributes in
tags |
| HTML_BACKHAIR_2 |
HTML tags used to obfuscate words |
| HTML_BACKHAIR_4 |
HTML tags used to obfuscate words |
| HTML_BACKHAIR_8 |
HTML tags used to obfuscate words |
| HTML_BADTAG_00_10 |
HTML message is 0% to 10% bad tags |
| HTML_BADTAG_10_20 |
HTML message is 10% to 20% bad tags |
| HTML_BADTAG_20_30 |
HTML message is 20% to 30% bad tags |
| HTML_BADTAG_30_40 |
HTML message is 30% to 40% bad tags |
| HTML_BADTAG_40_50 |
HTML message is 40% to 50% bad tags |
| HTML_BADTAG_50_60 |
HTML message is 50% to 60% bad tags |
| HTML_BADTAG_60_70 |
HTML message is 60% to 70% bad tags |
| HTML_BADTAG_70_80 |
HTML message is 70% to 80% bad tags |
| HTML_BADTAG_80_90 |
HTML message is 80% to 90% bad tags |
| HTML_BADTAG_90_100 |
HTML message is 90% to 100% bad tags |
| HTML_CHARSET_FARAWAY |
A foreign language charset used in HTML
markup |
| HTML_COMMENT_SAVED_URL |
HTML message is a saved web page |
| HTML_COMMENT_SHORT |
HTML comment is very short |
| HTML_EHTML2 |
HTML has doubled end HTML tag |
| HTML_EMBEDS |
HTML with embedded plugin object |
| HTML_EVENT_UNSAFE |
HTML contains unsafe auto-executing code |
| HTML_EXTRA_CLOSE |
HTML contains far too many close tags |
| HTML_FONT_BIG |
HTML tag for a big font size |
| HTML_FONT_FACE_BAD |
HTML font face is not a word |
| HTML_FONT_FACE_CAPS |
HTML font face has excess capital
characters |
| HTML_FONT_INVISIBLE |
HTML font color is same as background |
| HTML_FONT_LOW_CONTRAST |
HTML font color similar to background |
| HTML_FONT_SIZE_HUGE |
HTML font size is huge |
| HTML_FONT_SIZE_LARGE |
HTML font size is large |
| HTML_FONT_SIZE_NONE |
HTML font size is negative |
| HTML_FONT_SIZE_TINY |
HTML font size is tiny |
| HTML_FONT_TINY |
HTML tag for a tiny font size |
| HTML_FORMACTION_MAILTO |
HTML includes a form which sends mail |
| HTML_IMAGE_ONLY_04 |
HTML: images with 0-400 bytes of words |
| HTML_IMAGE_ONLY_08 |
HTML: images with 400-800 bytes of words |
| HTML_IMAGE_ONLY_12 |
HTML: images with 800-1200 bytes of
words |
| HTML_IMAGE_ONLY_16 |
HTML: images with 1200-1600 bytes of
words |
| HTML_IMAGE_ONLY_20 |
HTML: images with 1600-2000 bytes of
words |
| HTML_IMAGE_ONLY_24 |
HTML: images with 2000-2400 bytes of
words |
| HTML_IMAGE_ONLY_28 |
HTML: images with 2400-2800 bytes of
words |
| HTML_IMAGE_ONLY_32 |
HTML: images with 2800-3200 bytes of
words |
| HTML_IMAGE_RATIO_02 |
HTML has a low ratio of text to image
area |
| HTML_IMAGE_RATIO_04 |
HTML has a low ratio of text to image
area |
| HTML_IMAGE_RATIO_06 |
HTML has a low ratio of text to image
area |
| HTML_IMAGE_RATIO_08 |
HTML has a low ratio of text to image
area |
| HTML_LINK_OPT_OUT |
HTML link text says "opt out" or similar |
| HTML_LINK_PUSH_HERE |
HTML link text says "push here" or
similar |
| HTML_MESSAGE |
HTML included in message |
| HTML_MIME_NO_HTML_TAG |
HTML-only message, but there is no HTML
tag |
| HTML_MISSING_CTYPE |
Message is HTML without HTML
Content-Type |
| HTML_NONELEMENT_00_10 |
0% to 10% of HTML elements are
non-standard |
| HTML_NONELEMENT_10_20 |
10% to 20% of HTML elements are
non-standard |
| HTML_NONELEMENT_20_30 |
20% to 30% of HTML elements are
non-standard |
| HTML_NONELEMENT_30_40 |
30% to 40% of HTML elements are
non-standard |
| HTML_NONELEMENT_40_50 |
40% to 50% of HTML elements are
non-standard |
| HTML_NONELEMENT_50_60 |
50% to 60% of HTML elements are
non-standard |
| HTML_NONELEMENT_60_70 |
60% to 70% of HTML elements are
non-standard |
| HTML_NONELEMENT_70_80 |
70% to 80% of HTML elements are
non-standard |
| HTML_NONELEMENT_80_90 |
80% to 90% of HTML elements are
non-standard |
| HTML_NONELEMENT_90_100 |
90% to 100% of HTML elements are
non-standard |
| HTML_OBFUSCATE_05_10 |
Message is 5% to 10% HTML obfuscation |
| HTML_OBFUSCATE_10_20 |
Message is 10% to 20% HTML obfuscation |
| HTML_OBFUSCATE_20_30 |
Message is 20% to 30% HTML obfuscation |
| HTML_OBFUSCATE_30_40 |
Message is 30% to 40% HTML obfuscation |
| HTML_OBFUSCATE_40_50 |
Message is 40% to 50% HTML obfuscation |
| HTML_OBFUSCATE_50_60 |
Message is 50% to 60% HTML obfuscation |
| HTML_OBFUSCATE_60_70 |
Message is 60% to 70% HTML obfuscation |
| HTML_OBFUSCATE_70_80 |
Message is 70% to 80% HTML obfuscation |
| HTML_OBFUSCATE_80_90 |
Message is 80% to 90% HTML obfuscation |
| HTML_OBFUSCATE_90_100 |
Message is 90% to 100% HTML obfuscation |
| HTML_SHORT_CENTER |
HTML is very short with CENTER tag |
| HTML_SHORT_COMMENT |
HTML is very short with HTML comments |
| HTML_SHORT_LENGTH |
HTML is extremely short |
| HTML_SHORT_LINK_IMG_1 |
HTML is very short with a linked image |
| HTML_SHORT_LINK_IMG_2 |
HTML is very short with a linked image |
| HTML_SHORT_LINK_IMG_3 |
HTML is very short with a linked image |
| HTML_SHOUTING3 |
HTML has very strong "shouting" markup |
| HTML_SHOUTING4 |
HTML has very strong "shouting" markup |
| HTML_SHOUTING5 |
HTML has very strong "shouting" markup |
| HTML_SHOUTING6 |
HTML has very strong "shouting" markup |
| HTML_SHOUTING7 |
HTML has very strong "shouting" markup |
| HTML_TAG_BALANCE_BODY |
HTML has unbalanced "body" tags |
| HTML_TAG_BALANCE_HEAD |
HTML has unbalanced "head" tags |
| HTML_TAG_EXIST_BGSOUND |
HTML has "bgsound" tag |
| HTML_TAG_EXIST_MARQUEE |
HTML has "marquee" tag |
| HTML_TAG_EXIST_TBODY |
HTML has "tbody" tag |
| HTML_TEXT_AFTER_BODY |
HTML contains text after BODY close tag |
| HTML_TEXT_AFTER_HTML |
HTML contains text after HTML close tag |
| HTML_TINY_FONT |
body contains 1 or 0-point font |
| HTML_TITLE_EMPTY |
HTML title contains no text |
| HTML_TITLE_LONG |
HTML title is very long |
| HTML_TITLE_UNTITLED |
HTML title contains "Untitled" |
| HTTPS_IP_MISMATCH |
IP to HTTPS link found in HTML |
| HTTP_77 |
Contains an URL-encoded hostname
(HTTP77) |
| HTTP_CTRL_CHARS_HOST |
Uses control sequences inside a URL
hostname |
| HTTP_ESCAPED_HOST |
Uses %-escapes inside a URL's hostname |
| HTTP_EXCESSIVE_ESCAPES |
Completely unnecessary %-escapes inside a
URL |
| IMPOTENCE |
Impotence cure |
| INFO_TLD |
Contains an URL in the INFO top-level domain |
| INTERRUPTUS |
Message looks to contain HTML-interrupted
text |
| INVALID_DATE |
Invalid Date: header (not RFC 2822) |
| INVALID_DATE_TZ_ABSURD |
Invalid Date: header (timezone does not
exist) |
| INVALID_MSGID |
Message-Id is not valid, according to RFC
2822 |
| INVALID_TZ_CST |
Invalid date in header (wrong CST
timezone) |
| INVALID_TZ_EST |
Invalid date in header (wrong EST
timezone) |
| INVALID_TZ_GMT |
Invalid date in header (wrong GMT/UTC
timezone) |
| INVESTMENT_ADVICE |
Message mentions investment advice |
| INVESTMENT_EXPERT |
Message mentions investment expert |
| IP_LINK_PLUS |
Dotted-decimal IP address followed by
CGI |
| JAPANESE_UCE_SUBJECT |
Subject contains a Japanese UCE tag |
| JOIN_MILLIONS |
Join Millions of Americans |
| JS_FROMCHARCODE |
Document is built from a Javascript charcode
array |
| KOREAN_UCE_SUBJECT |
Subject: contains Korean unsolicited email
tag |
| LIVE_PORN |
Possible porn - Live Porn |
| LOCALPART_IN_SUBJECT |
Local part of To: address appears in
Subject |
| LONGWORDS |
Long string of long words |
| LOTS_OF_STUFF |
Thousands or millions of pictures, movies,
etc. |
| LOW_PRICE |
Lowest Price |
| MAILTO_SUBJ_REMOVE |
mailto URI includes removal text |
| MAILTO_TO_REMOVE |
Includes a 'remove' email address |
| MAILTO_TO_SPAM_ADDR |
Includes a link to a likely spammer
email |
| MALE_ENHANCE |
Message talks about enhancing men |
| MANY_EXCLAMATIONS |
Subject has many exclamations |
| MARKETING_PARTNERS |
Claims you registered with a partner |
| MEET_SINGLES |
Meet Singles |
| MICROSOFT_EXECUTABLE |
Message includes Microsoft executable
program |
| MICRO_CAP_WARNING |
SEC-mandated penny-stock warning |
| MILLION_USD |
Talks about millions of dollars |
| MIME_BAD_ISO_CHARSET |
MIME character set is an unknown ISO
charset |
| MIME_BASE64_BLANKS |
Extra blank lines in base64 encoding |
| MIME_BASE64_NO_NAME |
base64 attachment does not have a file
name |
| MIME_BASE64_TEXT |
Message text disguised using base64
encoding |
| MIME_BOUND_DD_DIGITS |
Spam tool pattern in MIME boundary |
| MIME_BOUND_DIGITS_15 |
Spam tool pattern in MIME boundary |
| MIME_BOUND_DIGITS_7 |
Spam tool pattern in MIME boundary |
| MIME_BOUND_MANY_HEX |
Spam tool pattern in MIME boundary |
| MIME_BOUND_NEXTPART |
Spam tool pattern in MIME boundary |
| MIME_BOUND_RKFINDY |
Spam tool pattern in MIME boundary
(rfkindy) |
| MIME_CHARSET_FARAWAY |
MIME character set indicates foreign
language |
| MIME_HEADER_CTYPE_ONLY |
'Content-Type' found without required MIME
headers |
| MIME_HTML_MOSTLY |
Multipart message mostly text/html MIME |
| MIME_HTML_ONLY |
Message only has text/html MIME parts |
| MIME_HTML_ONLY_MULTI |
Multipart message only has text/html MIME
parts |
| MIME_MISSING_BOUNDARY |
MIME section missing boundary |
| MIME_QP_LONG_LINE |
Quoted-printable line longer than 76
chars |
| MIME_SUSPECT_NAME |
MIME filename does not match content |
| MISSING_DATE |
Missing Date: header |
| MISSING_HB_SEP |
Missing blank line between message header and
body |
| MISSING_HEADERS |
Missing To: header |
| MISSING_MIMEOLE |
Message has X-MSMail-Priority, but no
X-MimeOLE |
| MISSING_MIME_HB_SEP |
Missing blank line between MIME header and
body |
| MISSING_SUBJECT |
Missing Subject: header |
| ML_MARKETING |
Multi Level Marketing mentioned |
| MONEY_BACK |
Money back guarantee |
| MORE_SEX |
Talks about a bigger drive for sex |
| MORTGAGE_BEST |
Information on mortgages |
| MORTGAGE_PITCH |
Looks like mortgage pitch |
| MORTGAGE_RATES |
Information on mortgage rates |
| MPART_ALT_DIFF |
HTML and text parts are different |
| MPART_ALT_DIFF_COUNT |
HTML and text parts are different |
| MSGID_DOLLARS |
Message-Id has pattern used in spam |
| MSGID_FROM_MTA_HEADER |
Message-Id was added by a relay |
| MSGID_FROM_MTA_HOTMAIL |
Message-Id was added by a hotmail.com
relay |
| MSGID_FROM_MTA_ID |
Message-Id for external message added
locally |
| MSGID_LONG |
Message-ID is unusually long |
| MSGID_MULTIPLE_AT |
Message-ID contains multiple '@'
characters |
| MSGID_NO_HOST |
Message-Id has no hostname |
| MSGID_OUTLOOK_INVALID |
Message-Id is fake (in Outlook Express
format) |
| MSGID_RANDY |
Message-Id has pattern used in spam |
| MSGID_RATWARE1 |
Bulk email fingerprint found |
| MSGID_SHORT |
Message-ID is unusually short |
| MSGID_SPAM_99X9XX99 |
Spam tool Message-Id: (99x9xx99 variant) |
| MSGID_SPAM_ALPHA_NUM |
Spam tool Message-Id: (alpha-numeric
variant) |
| MSGID_SPAM_CAPS |
Spam tool Message-Id: (caps variant) |
| MSGID_SPAM_LETTERS |
Spam tool Message-Id: (letters variant) |
| MSGID_SPAM_ZEROES |
Spam tool Message-Id: (12-zeroes
variant) |
| MSGID_YAHOO_CAPS |
Message-ID has ALLCAPS@yahoo.com |
| MULTI_FORGED |
Received headers indicate multiple
forgeries |
| NASTY_GIRLS |
Possible porn - Nasty Girls |
| NA_DOLLARS |
Talks about a million North American
dollars |
| NONEXISTENT_CHARSET |
Character set doesn't exist |
| NORMAL_HTTP_TO_IP |
Uses a dotted-decimal IP address in URL |
| NOT_ADVISOR |
Not registered investment advisor |
| NO_COST |
No such thing as a free lunch (3) |
| NO_DNS_FOR_FROM |
Envelope sender has no MX or A DNS
records |
| NO_FORMS |
No Claim Forms |
| NO_MEDICAL |
No Medical Exams |
| NO_OBLIGATION |
There is no obligation |
| NO_PRESCRIPTION |
No prescription needed |
| NO_RDNS_DOTCOM_HELO |
Host HELO'd as a big ISP, but had no
rDNS |
| NO_REAL_NAME |
From: does not include a real name |
| NO_RECEIVED |
Informational: message has no Received
headers |
| NO_RELAYS |
Informational: message was not relayed via
SMTP |
| NUMERIC_HTTP_ADDR |
Uses a numeric IP address in URL |
| OBFUSCATING_COMMENT | HTML comments which obfuscate text |
| OBSCURED_EMAIL | Message seems to contain rot13ed address |
| OFFSHORE_SCAM | Off Shore Scams |
| ONE_TIME | One Time Rip Off |
| ONLINE_PHARMACY | Online Pharmacy |
| OPTING_OUT_CAPS | Talks about opting out (capitalized version) |
| ORG_MIME_TOOLS | Organization is MIME-tools |
| PERCENT_RANDOM | Message has a random macro in it |
| PLING_PLING | Subject has lots of exclamation marks |
| PLING_QUERY | Subject has exclamation mark and question mark |
| PORN_15 | Possible porn - various types of feline |
| PORN_16 | Possible porn - nasty, dirty, little etc. |
| PORN_URL_MISC | URL uses words/phrases which indicate porn (misc) |
| PORN_URL_SEX | URL uses words/phrases which indicate porn (sex) |
| PORN_URL_SLUT | URL uses words/phrases which indicate porn (slut) |
| PREST_NON_ACCREDITED | 'Prestigious Non-Accredited Universities' |
| PREVENT_NONDELIVERY | Message has Prevent-NonDelivery-Report header |
| PRICES_ARE_AFFORDABLE | Message says that prices aren't too expensive |
| PRIORITY_NO_NAME | Message has priority, but no user agent name |
| PYZOR_CHECK | Listed in Pyzor (http://pyzor.sf.net/) |
| QUALIFY_FOR_THIS | Qualify for this special... |
| RATWARE_BOUND_PIECE | Bulk email fingerprint (piece boundary) found |
| RATWARE_EFROM | Bulk email fingerprint (envfrom) found |
| RATWARE_EGROUPS | Bulk email fingerprint (eGroups) found |
| RATWARE_GECKO_BUILD | Bulk email fingerprint (Gecko faked) found |
| RATWARE_HASH_2 | Bulk email fingerprint (hash 2) found |
| RATWARE_HASH_2_V2 | Bulk email fingerprint (hash 2 v2) found |
| RATWARE_HASH_DASH | Contains a hashbuster in Send-Safe format |
| RATWARE_JPFREE | Bulk email fingerprint (jpfree) found |
| RATWARE_MOZ_MALFORMED | Bulk email fingerprint (Mozilla malformed) found |
| RATWARE_MPOP_WEBMAIL | Bulk email fingerprint (mPOP Web-Mail) |
| RATWARE_MS_HASH | Bulk email fingerprint (msgid ms hash) found |
| RATWARE_NAME_ID | Bulk email fingerprint (msgid from) found |
| RATWARE_NETIP | Bulk email fingerprint (netIP) found |
| RATWARE_OE_MALFORMED | X-Mailer has malformed Outlook Express version |
| RATWARE_OUTLOOK_NONAME | Bulk email fingerprint (Outlook no name) found |
| RATWARE_RCVD_AT | Bulk email fingerprint (Received @) found |
| RATWARE_RCVD_LC_ESMTP | Bulk email fingerprint ('esmtp' Received) found |
| RATWARE_RCVD_PF | Bulk email fingerprint (Received PF) found |
| RATWARE_STORM_URI | Bulk email fingerprint (StormPost) found |
| RATWARE_ZERO_TZ | Bulk email fingerprint (+0000) found |
| RAZOR2_CF_RANGE_51_100 | Razor2 gives confidence level above 50% |
| RAZOR2_CF_RANGE_E4_51_100 | Razor2 gives engine 4 confidence level above 50% |
| RAZOR2_CF_RANGE_E8_51_100 | Razor2 gives engine 8 confidence level above 50% |
| RAZOR2_CHECK | Listed in Razor2 (http://razor.sf.net/) |
| RCVD_AM_PM | Received headers forged (AM/PM) |
| RCVD_BONUS_SPC_DATE | Bulk email fingerprint (bonus space) found |
| RCVD_BY_IP | Received by mail server with no name |
| RCVD_DOUBLE_IP_LOOSE | Received: by and from look like IP addresses |
| RCVD_DOUBLE_IP_SPAM | Bulk email fingerprint (double IP) found |
| RCVD_FAKE_HELO_DOTCOM | Received contains a faked HELO hostname |
| RCVD_HELO_IP_MISMATCH | Received: HELO and IP do not match, but should |
| RCVD_ILLEGAL_IP | Received: contains illegal IP address |
| RCVD_IN_BL_SPAMCOP_NET | Received via a relay in bl.spamcop.net |
| RCVD_IN_BSP_OTHER | Sender is in Bonded Sender Program (other relay) |
| RCVD_IN_BSP_TRUSTED | Sender is in Bonded Sender Program (trusted relay) |
| RCVD_IN_DSBL | Received via a relay in list.dsbl.org |
| RCVD_IN_IADB_VOUCHED | ISIPP IADB lists as vouched-for sender |
| RCVD_IN_MAPS_DUL | Relay in DUL, http://www.mail-abuse.org/dul/ |
| RCVD_IN_MAPS_NML | Relay in NML, http://www.mail-abuse.org/nml/ |
| RCVD_IN_MAPS_RBL | Relay in RBL, http://www.mail-abuse.org/rbl/ |
| RCVD_IN_MAPS_RSS | Relay in RSS, http://www.mail-abuse.org/rss/ |
| RCVD_IN_NJABL_CGI | NJABL: sender is an open formmail |
| RCVD_IN_NJABL_DUL | NJABL: dialup sender did non-local SMTP |
| RCVD_IN_NJABL_MULTI | NJABL: sent through multi-stage open relay |
| RCVD_IN_NJABL_PROXY | NJABL: sender is an open proxy |
| RCVD_IN_NJABL_RELAY | NJABL: sender is confirmed open relay |
| RCVD_IN_NJABL_SPAM | NJABL: sender is confirmed spam source |
| RCVD_IN_SBL | Received via a relay in Spamhaus SBL |
| RCVD_IN_SORBS_BLOCK | SORBS: sender demands to never be tested |
| RCVD_IN_SORBS_DUL | SORBS: sent directly from dynamic IP address |
| RCVD_IN_SORBS_HTTP | SORBS: sender is open HTTP proxy server |
| RCVD_IN_SORBS_MISC | SORBS: sender is open proxy server |
| RCVD_IN_SORBS_SMTP | SORBS: sender is open SMTP relay |
| RCVD_IN_SORBS_SOCKS | SORBS: sender is open SOCKS proxy server |
| RCVD_IN_SORBS_WEB | SORBS: sender is an abusable web server |
| RCVD_IN_SORBS_ZOMBIE | SORBS: sender is on a hijacked network |
| RCVD_IN_WHOIS_BOGONS | CompleteWhois: sender on bogons IP block |
| RCVD_IN_WHOIS_HIJACKED | CompleteWhois: sender on hijacked IP block |
| RCVD_IN_WHOIS_INVALID | CompleteWhois: sender on invalid IP block |
| RCVD_IN_XBL | Received via a relay in Spamhaus XBL |
| RCVD_NUMERIC_HELO | Received: contains an IP address used for HELO |
| RECEIVE_OFFER | Receive a special offer |
| REFINANCE_NOW | Home refinancing |
| REFINANCE_YOUR_HOME | Home refinancing |
| REMOVE_BEFORE_LINK | Removal phrase right before a link |
| REMOVE_PAGE | URL of page called "remove" |
| REMOVE_POSTAL | Send real mail to be unsubscribed |
| REPLICA_WATCH | Message talks about a replica watch |
| REPLY_TO_EMPTY | Reply-To: is empty |
| REPTO_OVERQUOTE_THEBAT | The Bat! doesn't do quoting like this |
| REPTO_QUOTE_AOL | AOL doesn't do quoting like this |
| REPTO_QUOTE_IMS | IMS doesn't do quoting like this |
| REPTO_QUOTE_MSN | MSN doesn't do quoting like this |
| REPTO_QUOTE_QUALCOMM | Qualcomm/Eudora doesn't do quoting like this |
| REPTO_QUOTE_YAHOO | Yahoo! doesn't do quoting like this |
| RESISTANCE_IS_FUTILE | Resistance to this spam is futile |
| REVERSE_AGING | Reverses Aging |
| RISK_FREE | Risk free. Suuurreeee.... |
| ROUND_THE_WORLD | Received: says mail sent around the world (DNS) |
| ROUND_THE_WORLD_LOCAL | Received: says mail sent around the world (HELO) |
| RUDE_HTML | Spammer message says you need an HTML mailer |
| SATIS_GUAR | Mail guarantees satisfaction |
| SAVE_THOUSANDS | Save big money |
| SEE_FOR_YOURSELF | See for yourself |
| SENT_IN_COMPLIANCE | Claims compliance with spam regulations |
| SOMETHING_FOR_ADULTS | Possible porn - Adult Web Sites |
| SOME_BREAKTHROUGH | Describes some sort of breakthrough |
| SORTED_RECIPS | Recipient list is sorted by address |
| SPF_FAIL | SPF: sender does not match SPF record (fail) |
| SPF_HELO_FAIL | SPF: HELO does not match SPF record (fail) |
| SPF_HELO_NEUTRAL | SPF: HELO does not match SPF record (neutral) |
| SPF_HELO_PASS | SPF: HELO matches SPF record |
| SPF_HELO_SOFTFAIL | SPF: HELO does not match SPF record (softfail) |
| SPF_NEUTRAL | SPF: sender does not match SPF record (neutral) |
| SPF_PASS | SPF: sender matches SPF record |
| SPF_SOFTFAIL | SPF: sender does not match SPF record (softfail) |
| SPOOF_COM2COM | URI contains ".com" in middle and end |
| SPOOF_COM2OTH | URI contains ".com" in middle |
| SPOOF_NET2COM | URI contains ".net" or ".org", then ".com" |
| SPOOF_OURI | URI has items in odd places |
| STOCK_ALERT | Offers an alert about a stock |
| STRONG_BUY | Tells you about a strong buy |
| SUBJECT_DIET | Subject talks about losing pounds |
| SUBJECT_DRUG_GAP_C | Subject contains a gappy version of 'cialis' |
| SUBJECT_DRUG_GAP_L | Subject contains a gappy version of 'levitra' |
| SUBJECT_DRUG_GAP_P | Subject contains a gappy version of 'phentermine' |
| SUBJECT_DRUG_GAP_S | Subject contains a gappy version of 'soma' |
| SUBJECT_DRUG_GAP_VA | Subject contains a gappy version of 'valium' |
| SUBJECT_DRUG_GAP_VIC | Subject contains a gappy version of 'vicodin' |
| SUBJECT_DRUG_GAP_X | Subject contains a gappy version of 'xanax' |
| SUBJECT_ENCODED_TWICE | Subject: MIME encoded twice |
| SUBJECT_EXCESS_BASE64 | Subject: base64 encoded unnecessarily |
| SUBJECT_EXCESS_QP | Subject: quoted-printable encoded unnecessarily |
| SUBJECT_FUZZY_CHEAP | Attempt to obfuscate words in Subject: |
| SUBJECT_FUZZY_MEDS | Attempt to obfuscate words in Subject: |
| SUBJECT_FUZZY_PENIS | Attempt to obfuscate words in Subject: |
| SUBJECT_FUZZY_TION | Attempt to obfuscate words in Subject: |
| SUBJECT_IN_BLACKLIST | Subject: contains string in the user's black-list |
| SUBJECT_IN_WHITELIST | Subject: contains string in the user's white-list |
| SUBJECT_NOVOWEL | Subject: has long non-vowel letter sequence |
| SUBJECT_SEXUAL | Subject indicates sexually-explicit content |
| SUBJ_2_NUM_PARENS | Subject contains common spam sign (2 numbers) |
| SUBJ_ALL_CAPS | Subject is all capitals |
| SUBJ_AS_SEEN | Subject contains "As Seen" |
| SUBJ_BUY | Subject line starts with Buy or Buying |
| SUBJ_CONSONANTS | Subject contains consecutive consonants in "word" |
| SUBJ_DOLLARS | Subject starts with dollar amount |
| SUBJ_FOR_ONLY | Subject contains "For Only" |
| SUBJ_FREE_CAP | Subject contains "FREE" in CAPS |
| SUBJ_GUARANTEED | Subject GUARANTEED |
| SUBJ_HAS_SPACES | Subject contains lots of white space |
| SUBJ_HAS_UNIQ_ID | Subject contains a unique ID |
| SUBJ_ILLEGAL_CHARS | Subject: has too many raw illegal characters |
| SUBJ_LIFE_INSURANCE | Subject includes "life insurance" |
| SUBJ_YOUR_DEBT | Subject contains "Your Bills" or similar |
| SUBJ_YOUR_FAMILY | Subject contains "Your Family" |
| SUBJ_YOUR_OWN | Subject contains "Your Own" |
| SUB_FREE_OFFER | Subject starts with "Free" |
| SUB_HELLO | Subject starts with "Hello" |
| SUSPICIOUS_RECIPS | Similar addresses in recipient list |
| TERRA_ES | Contains URI to a document hosted at 'terra.es' |
| TO_ADDRESS_EQ_REAL | To: repeats address as real name |
| TO_CC_NONE | No To: or Cc: header |
| TO_EMPTY | To: is empty |
| TO_MALFORMED | To: has a malformed address |
| TO_NO_USER | To: has no local-part before @ sign |
| TO_RECIP_MARKER | To header contains 'recipient' marker |
| TO_TXT | Sent to a text file |
| TRACKER_ID | Incorporates a tracking ID number |
| UNCLAIMED_MONEY | People just leave money laying around |
| UNCLOSED_BRACKET | Headers contain an unclosed bracket |
| UNDISC_RECIPS | Valid-looking To "undisclosed-recipients" |
| UNIQUE_WORDS | Message body has many words used only once |
| UNPARSEABLE_RELAY | Informational: message has unparseable relay lines |
| UNRESOLVED_TEMPLATE | Headers contain an unresolved template |
| UNWANTED_LANGUAGE_BODY | Message written in an undesired language |
| UPPERCASE_25_50 | message body is 25-50% uppercase |
| UPPERCASE_50_75 | message body is 50-75% uppercase |
| UPPERCASE_75_100 | message body is 75-100% uppercase |
| URG_BIZ | Contains urgent matter |
| URIBL_AB_SURBL | Contains an URL listed in the AB SURBL blocklist |
| URIBL_JP_SURBL | Contains an URL listed in the JP SURBL blocklist |
| URIBL_OB_SURBL | Contains an URL listed in the OB SURBL blocklist |
| URIBL_PH_SURBL | Contains an URL listed in the PH SURBL blocklist |
| URIBL_SBL | Contains an URL listed in the SBL blocklist |
| URIBL_SC_SURBL | Contains an URL listed in the SC SURBL blocklist |
| URIBL_WS_SURBL | Contains an URL listed in the WS SURBL blocklist |
| URI_4YOU | Message has URI 4you |
| URI_AFFILIATE | Contains a URI with an affiliate ID code |
| URI_DIGITS | URI hostname has long digit sequence |
| URI_HEX | URI hostname has long hexadecimal sequence |
| URI_IS_POUND | Filename is just a '#'; probably a JS trick |
| URI_NOVOWEL | URI hostname has long non-vowel sequence |
| URI_NO_WWW_ANY_CGI | CGI with long hostname other fourth-level "www" |
| URI_NO_WWW_BIZ_CGI | CGI in .biz TLD other than third-level "www" |
| URI_NO_WWW_INFO_CGI | CGI in .info TLD other than third-level "www" |
| URI_OFFERS | Message has link to company offers |
| URI_REDIRECTOR | Message has HTTP redirector URI |
| URI_SCHEME_MIXED_CASE | URI scheme has mixed uppercase and lowercase |
| URI_UNSUBSCRIBE | URI contains suspicious unsubscribe link |
| URI_UPPER_LOWER | URI contains capitalized hostname parts ("Abcde") |
| USERPASS | URL contains username and (optional) password |
| USER_IN_ALL_SPAM_TO | User is listed in 'all_spam_to' |
| USER_IN_BLACKLIST | From: address is in the user's black-list |
| USER_IN_BLACKLIST_TO | User is listed in 'blacklist_to' |
| USER_IN_DEF_DKIM_WL | From: address is in the default DKIM white-list |
| USER_IN_DEF_DK_WL | From: address is in the default DK white-list |
| USER_IN_DEF_SPF_WL | From: address is in the default SPF white-list |
| USER_IN_DEF_WHITELIST | From: address is in the default white-list |
| USER_IN_DKIM_WHITELIST | From: address is in the user's DKIM whitelist |
| USER_IN_DK_WHITELIST | From: address is in the user's DK whitelist |
| USER_IN_MORE_SPAM_TO | User is listed in 'more_spam_to' |
| USER_IN_SPF_WHITELIST | From: address is in the user's SPF whitelist |
| USER_IN_WHITELIST | From: address is in the user's white-list |
| USER_IN_WHITELIST_TO | User is listed in 'whitelist_to' |
| US_DOLLARS_3 | Mentions millions of $ ($NN,NNN,NNN.NN) |
| VIA_GAP_GRA | Attempts to disguise the word 'viagra' |
| WEIRD_PORT | Uses non-standard port number for HTTP |
| WEIRD_QUOTING | Weird repeated double-quotation marks |
| WE_HONOR_ALL | Claims to honor removal requests |
| WHILE_YOU_SLEEP | While you Sleep |
| WHY_PAY_MORE | Why Pay More? |
| WHY_WAIT | What are you waiting for |
| WITH_LC_SMTP | Received line contains spam-sign (lowercase smtp) |
| WRINKLES | Removes Wrinkles |
| X_AUTH_WARN_FAKED | X-Authentication-Warning header looks faked |
| X_IP | Message has X-IP header |
| X_LIBRARY | Message has X-Library header |
| X_MAILER_SPAM | X-Mailer: header is bulk email fingerprint |
| X_MESSAGE_FLAG_ODD | Message has X-Message-flag header (odd case) |
| X_MESSAGE_INFO | Bulk email fingerprint (X-Message-Info) found |
| X_MIME_AUTOCONVERTED | Message has X-MIME-Autoconverted "Yes" header |
| X_MSMAIL_PRIORITY_HIGH | Sent with 'X-Msmail-Priority' set to high |
| X_ORIG_IP_NOT_IPV4 | X-Originating-IP doesn't look like IPv4 address |
| X_PRIORITY_CC | Cc: after X-Priority: (bulk email fingerprint) |
| X_PRIORITY_HIGH | Sent with 'X-Priority' set to high |
| YAHOO_DRS_REDIR | Has Yahoo Redirect URI |
| YAHOO_RD_REDIR | Has Yahoo Redirect URI |
| YOU_CAN_SEARCH | You can search for anyone |
| __MIME_BASE64 | Includes a base64 attachment |
| __MIME_QP | Includes a quoted-printable attachment |
| __RCVD_IN_NJABL | Received via a relay in combined.njabl.org |
| __RCVD_IN_SBL_XBL | Received via a relay in Spamhaus SBL+XBL |
| __RCVD_IN_SORBS | SORBS: sender is listed in SORBS |