Table of Contents

About

SpamTitan utilizes a number of first-party and third party rulesets for capturing Spam. When viewing the Spam Tests that trigger on a mail, it can often be confusing what the Spam Test is actually doing. Here is a compilation of the descriptions of the rules utilized in SpamTitan. This includes our most common third party rulesets as well (such as KAM).


Not all SpamTests listed on this page are utilized in every SpamTitan install. A subset of these rules come out of the box, and the rest must be enabled. This is due to some of them being more aggressive. This helps the spam catch rate, however it can also cause false positives, which is why they aren't enabled by default.


Any rule not found in this list may be from a third party ruleset that we don't maintain. See the last section on this page.


Built-in Rules

  • GTUBE = Generic Test for Unsolicited Bulk Email
  • TRACKER_ID = Incorporates a tracking ID number
  • WEIRD_QUOTING = Weird repeated double-quotation marks
  • MIME_HTML_ONLY_MULTI = Multipart message only has text/html MIME parts
  • MIME_CHARSET_FARAWAY = MIME character set indicates foreign language
  • EMAIL_ROT13 = Body contains a ROT13-encoded email address
  • LONGWORDS = Long string of long words
  • MPART_ALT_DIFF = HTML and text parts are different
  • MPART_ALT_DIFF_COUNT = HTML and text parts are different
  • BLANK_LINES_80_90 = Message body has 80-90% blank lines
  • CHARSET_FARAWAY = Character set indicates a foreign language
  • MIME_BASE64_BLANKS = Extra blank lines in base64 encoding
  • MIME_BASE64_TEXT = Message text disguised using base64 encoding
  • MISSING_MIME_HB_SEP = Missing blank line between MIME header and body
  • MIME_HTML_MOSTLY = Multipart message mostly text/html MIME
  • MIME_HTML_ONLY = Message only has text/html MIME parts
  • MIME_QP_LONG_LINE = Quoted-printable line longer than 76 chars
  • MIME_BAD_ISO_CHARSET = MIME character set is an unknown ISO charset
  • HTTPS_IP_MISMATCH = IP to HTTPS link found in HTML
  • HTTPS_HTTP_MISMATCH = Link presents text as https://... however the link is to an http://... URL
  • URI_TRUNCATED = Message contained a URI which was truncated
  • NO_RECEIVED = Informational: message has no Received headers
  • ALL_TRUSTED = Passed through trusted hosts only via SMTP
  • NO_RELAYS = Informational: message was not relayed via SMTP
  • RCVD_IN_SORBS_HTTP = SORBS: sender is open HTTP proxy server
  • RCVD_IN_SORBS_SOCKS = SORBS: sender is open SOCKS proxy server
  • RCVD_IN_SORBS_MISC = SORBS: sender is open proxy server
  • RCVD_IN_SORBS_SMTP = SORBS: sender is open SMTP relay
  • RCVD_IN_SORBS_WEB = SORBS: sender is an abusable web server
  • RCVD_IN_SORBS_BLOCK = SORBS: sender demands to never be tested
  • RCVD_IN_SORBS_ZOMBIE = SORBS: sender is on a hijacked network
  • RCVD_IN_SORBS_DUL = SORBS: sent directly from dynamic IP address
  • RCVD_IN_SBL = Received via a relay in Spamhaus SBL
  • RCVD_IN_XBL = Received via a relay in Spamhaus XBL
  • RCVD_IN_PBL = Received via a relay in Spamhaus PBL
  • RCVD_IN_SBL_CSS = Received via a relay in Spamhaus SBL-CSS
  • RCVD_IN_BL_SPAMCOP_NET = Received via a relay in bl.spamcop.net
  • RCVD_IN_MAPS_RBL = Relay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html
  • RCVD_IN_MAPS_DUL = Relay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html
  • RCVD_IN_MAPS_RSS = Relay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html
  • RCVD_IN_MAPS_OPS = Relay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html
  • RCVD_IN_MAPS_NML = Relay in NML, http://www.mail-abuse.com/enduserinfo_nml.html
  • RCVD_IN_IADB_VOUCHED = ISIPP IADB lists as vouched-for sender
  • RCVD_IN_RP_CERTIFIED = Sender in ReturnPath Certified - Contact cert-sa@returnpath.net
  • RCVD_IN_RP_SAFE = Sender in ReturnPath Safe - Contact safe-sa@returnpath.net
  • RCVD_IN_RP_RNBL = Relay in RNBL, https://senderscore.org/blacklistlookup/
  • DKIMDOMAIN_IN_DWL = Signing domain listed in Spamhaus DWL
  • DKIMDOMAIN_IN_DWL_UNKNOWN = Unrecognized response from Spamhaus DWL
  • SUBJECT_DRUG_GAP_C = Subject contains a gappy version of 'cialis'
  • SUBJECT_DRUG_GAP_L = Subject contains a gappy version of 'levitra'
  • SUBJECT_DRUG_GAP_S = Subject contains a gappy version of 'soma'
  • SUBJECT_DRUG_GAP_VA = Subject contains a gappy version of 'valium'
  • SUBJECT_DRUG_GAP_X = Subject contains a gappy version of 'xanax'
  • DRUG_DOSAGE = Talks about price per dose
  • DRUG_ED_CAPS = Mentions an E.D. drug
  • DRUG_ED_SILD = Talks about an E.D. drug using its chemical name
  • DRUG_ED_GENERIC = Mentions Generic Viagra
  • DRUG_ED_ONLINE = Fast Viagra Delivery
  • ONLINE_PHARMACY = Online Pharmacy
  • NO_PRESCRIPTION = No prescription needed
  • VIA_GAP_GRA = Attempts to disguise the word 'viagra'
  • DRUGS_ERECTILE = Refers to an erectile drug
  • DRUGS_ERECTILE_OBFU = Obfuscated reference to an erectile drug
  • DRUGS_DIET = Refers to a diet drug
  • DRUGS_DIET_OBFU = Obfuscated reference to a diet drug
  • DRUGS_MUSCLE = Refers to a muscle relaxant
  • DRUGS_ANXIETY = Refers to an anxiety control drug
  • DRUGS_ANXIETY_OBFU = Obfuscated reference to an anxiety control drug
  • DRUGS_SMEAR1 = Two or more drugs crammed together into one word
  • DRUGS_ANXIETY_EREC = Refers to both an erectile and an anxiety drug
  • DRUGS_SLEEP_EREC = Refers to both an erectile and a sleep aid drug
  • DRUGS_MANYKINDS = Refers to at least four kinds of drugs
  • RDNS_DYNAMIC = Delivered to internal network by host with dynamic-looking rDNS
  • RDNS_NONE = Delivered to internal network by a host with no rDNS
  • HELO_STATIC_HOST = Relay HELO'd using static hostname
  • HELO_DYNAMIC_IPADDR = Relay HELO'd using suspicious hostname (IP addr 1)
  • HELO_DYNAMIC_DHCP = Relay HELO'd using suspicious hostname (DHCP)
  • HELO_DYNAMIC_HCC = Relay HELO'd using suspicious hostname (HCC)
  • HELO_DYNAMIC_ROGERS = Relay HELO'd using suspicious hostname (Rogers)
  • HELO_DYNAMIC_DIALIN = Relay HELO'd using suspicious hostname (T-Dialin)
  • HELO_DYNAMIC_HEXIP = Relay HELO'd using suspicious hostname (Hex IP)
  • HELO_DYNAMIC_SPLIT_IP = Relay HELO'd using suspicious hostname (Split IP)
  • HELO_DYNAMIC_IPADDR2 = Relay HELO'd using suspicious hostname (IP addr 2)
  • HELO_DYNAMIC_CHELLO_NL = Relay HELO'd using suspicious hostname (Chello.nl)
  • HELO_DYNAMIC_HOME_NL = Relay HELO'd using suspicious hostname (Home.nl)
  • FREEMAIL_REPLYTO = Reply-To/From or Reply-To/body contain different freemails
  • FREEMAIL_REPLY = From and body contain different freemails
  • FREEMAIL_FROM = Sender email is commonly abused enduser mail provider
  • FREEMAIL_ENVFROM_END_DIGIT = Envelope-from freemail username ends in digit
  • FREEMAIL_REPLYTO_END_DIGIT = Reply-To freemail username ends in digit
  • FREEMAIL_FORGED_REPLYTO = Freemail in Reply-To, but not From
  • FRAGMENTED_MESSAGE = Partial message
  • FROM_BLANK_NAME = From: contains empty name
  • FROM_STARTS_WITH_NUMS = From: starts with several numbers
  • FROM_OFFERS = From address is "at something-offers"
  • FROM_NO_USER = From: has no local-part before @ sign
  • PLING_QUERY = Subject has exclamation mark and question mark
  • MSGID_SPAM_CAPS = Spam tool Message-Id: (caps variant)
  • MSGID_SPAM_LETTERS = Spam tool Message-Id: (letters variant)
  • MSGID_RANDY = Message-Id has pattern used in spam
  • MSGID_YAHOO_CAPS = Message-ID has ALLCAPS@yahoo.com
  • FORGED_MSGID_AOL = Message-ID is forged, (aol.com)
  • FORGED_MSGID_EXCITE = Message-ID is forged, (excite.com)
  • FORGED_MSGID_HOTMAIL = Message-ID is forged, (hotmail.com)
  • FORGED_MSGID_MSN = Message-ID is forged, (msn.com)
  • FORGED_MSGID_YAHOO = Message-ID is forged, (yahoo.com)
  • MSGID_FROM_MTA_HEADER = Message-Id was added by a relay
  • MSGID_SHORT = Message-ID is unusually short
  • DATE_SPAMWARE_Y2K = Date header uses unusual Y2K formatting
  • INVALID_DATE = Invalid Date: header (not RFC 2822)
  • INVALID_DATE_TZ_ABSURD = Invalid Date: header (timezone does not exist)
  • INVALID_TZ_CST = Invalid date in header (wrong CST timezone)
  • INVALID_TZ_EST = Invalid date in header (wrong EST timezone)
  • FROM_EXCESS_BASE64 = From: base64 encoded unnecessarily
  • ENGLISH_UCE_SUBJECT = Subject contains an English UCE tag
  • JAPANESE_UCE_SUBJECT = Subject contains a Japanese UCE tag
  • JAPANESE_UCE_BODY = Body contains Japanese UCE tag
  • KOREAN_UCE_SUBJECT = Subject: contains Korean unsolicited email tag
  • RCVD_DOUBLE_IP_SPAM = Bulk email fingerprint (double IP) found
  • RCVD_DOUBLE_IP_LOOSE = Received: by and from look like IP addresses
  • FORGED_TELESP_RCVD = Contains forged hostname for a DSL IP in Brazil
  • CONFIRMED_FORGED = Received headers are forged
  • MULTI_FORGED = Received headers indicate multiple forgeries
  • NONEXISTENT_CHARSET = Character set doesn't exist
  • MISSING_MID = Missing Message-Id: header
  • MISSING_DATE = Missing Date: header
  • MISSING_SUBJECT = Missing Subject: header
  • MISSING_FROM = Missing From: header
  • GAPPY_SUBJECT = Subject: contains G.a.p.p.y-T.e.x.t
  • PREVENT_NONDELIVERY = Message has Prevent-NonDelivery-Report header
  • X_IP = Message has X-IP header
  • MISSING_MIMEOLE = Message has X-MSMail-Priority, but no X-MimeOLE
  • SUBJ_AS_SEEN = Subject contains "As Seen"
  • SUBJ_DOLLARS = Subject starts with dollar amount
  • SUBJ_YOUR_FAMILY = Subject contains "Your Family"
  • RCVD_FAKE_HELO_DOTCOM = Received contains a faked HELO hostname
  • SUBJECT_DIET = Subject talks about losing pounds
  • MIME_BOUND_DD_DIGITS = Spam tool pattern in MIME boundary
  • MIME_BOUND_DIGITS_15 = Spam tool pattern in MIME boundary
  • MIME_BOUND_MANY_HEX = Spam tool pattern in MIME boundary
  • TO_MALFORMED = To: has a malformed address
  • MIME_HEADER_CTYPE_ONLY = 'Content-Type' found without required MIME headers
  • WITH_LC_SMTP = Received line contains spam-sign (lowercase smtp)
  • SUBJ_BUY = Subject line starts with Buy or Buying
  • RCVD_AM_PM = Received headers forged (AM/PM)
  • FAKE_OUTBLAZE_RCVD = Received header contains faked 'mr.outblaze.com'
  • UNCLOSED_BRACKET = Headers contain an unclosed bracket
  • FROM_DOMAIN_NOVOWEL = From: domain has series of non-vowel letters
  • FROM_LOCAL_NOVOWEL = From: localpart has series of non-vowel letters
  • FROM_LOCAL_HEX = From: localpart has long hexadecimal sequence
  • FROM_LOCAL_DIGITS = From: localpart has long digit sequence
  • X_PRIORITY_CC = Cc: after X-Priority: (bulk email fingerprint)
  • BAD_ENC_HEADER = Message has bad MIME encoding in the header
  • RCVD_ILLEGAL_IP = Received: contains illegal IP address
  • CHARSET_FARAWAY_HEADER = A foreign language charset used in headers
  • SUBJ_ILLEGAL_CHARS = Subject: has too many raw illegal characters
  • FROM_ILLEGAL_CHARS = From: has too many raw illegal characters
  • HEAD_ILLEGAL_CHARS = Headers have too many raw illegal characters
  • FORGED_HOTMAIL_RCVD2 = hotmail.com 'From' address, but no 'Received:'
  • FORGED_YAHOO_RCVD = 'From' yahoo.com does not match 'Received' headers
  • SORTED_RECIPS = Recipient list is sorted by address
  • SUSPICIOUS_RECIPS = Similar addresses in recipient list
  • MISSING_HEADERS = Missing To: header
  • DATE_IN_PAST_03_06 = Date: is 3 to 6 hours before Received: date
  • DATE_IN_PAST_06_12 = Date: is 6 to 12 hours before Received: date
  • DATE_IN_PAST_12_24 = Date: is 12 to 24 hours before Received: date
  • DATE_IN_PAST_24_48 = Date: is 24 to 48 hours before Received: date
  • DATE_IN_PAST_96_XX = Date: is 96 hours or more before Received: date
  • DATE_IN_FUTURE_03_06 = Date: is 3 to 6 hours after Received: date
  • DATE_IN_FUTURE_06_12 = Date: is 6 to 12 hours after Received: date
  • DATE_IN_FUTURE_12_24 = Date: is 12 to 24 hours after Received: date
  • DATE_IN_FUTURE_24_48 = Date: is 24 to 48 hours after Received: date
  • DATE_IN_FUTURE_48_96 = Date: is 48 to 96 hours after Received: date
  • DATE_IN_FUTURE_96_XX = Date: is 96 hours or more after Received: date
  • UNRESOLVED_TEMPLATE = Headers contain an unresolved template
  • SUBJ_ALL_CAPS = Subject is all capitals
  • LOCALPART_IN_SUBJECT = Local part of To: address appears in Subject
  • MSGID_OUTLOOK_INVALID = Message-Id is fake (in Outlook Express format)
  • HEADER_COUNT_CTYPE = Multiple Content-Type headers found
  • HEAD_LONG = Message headers are very long
  • MISSING_HB_SEP = Missing blank line between message header and body
  • UNPARSEABLE_RELAY = Informational: message has unparseable relay lines
  • RCVD_HELO_IP_MISMATCH = Received: HELO and IP do not match, but should
  • RCVD_NUMERIC_HELO = Received: contains an IP address used for HELO
  • NO_RDNS_DOTCOM_HELO = Host HELO'd as a big ISP, but had no rDNS
  • HTML_SHORT_LINK_IMG_1 = HTML is very short with a linked image
  • HTML_SHORT_LINK_IMG_2 = HTML is very short with a linked image
  • HTML_SHORT_LINK_IMG_3 = HTML is very short with a linked image
  • HTML_SHORT_CENTER = HTML is very short with CENTER tag
  • HTML_CHARSET_FARAWAY = A foreign language charset used in HTML markup
  • HTML_MIME_NO_HTML_TAG = HTML-only message, but there is no HTML tag
  • HTML_MISSING_CTYPE = Message is HTML without HTML Content-Type
  • HIDE_WIN_STATUS = Javascript to hide URLs in browser
  • OBFUSCATING_COMMENT = HTML comments which obfuscate text
  • JS_FROMCHARCODE = Document is built from a Javascript charcode array
  • HTML_MESSAGE = HTML included in message
  • HTML_COMMENT_SHORT = HTML comment is very short
  • HTML_COMMENT_SAVED_URL = HTML message is a saved web page
  • HTML_EMBEDS = HTML with embedded plugin object
  • HTML_EXTRA_CLOSE = HTML contains far too many close tags
  • HTML_FONT_SIZE_LARGE = HTML font size is large
  • HTML_FONT_SIZE_HUGE = HTML font size is huge
  • HTML_FONT_LOW_CONTRAST = HTML font color similar or identical to background
  • HTML_FONT_FACE_BAD = HTML font face is not a word
  • HTML_FORMACTION_MAILTO = HTML includes a form which sends mail
  • HTML_IMAGE_ONLY_04 = HTML: images with 0-400 bytes of words
  • HTML_IMAGE_ONLY_08 = HTML: images with 400-800 bytes of words
  • HTML_IMAGE_ONLY_12 = HTML: images with 800-1200 bytes of words
  • HTML_IMAGE_ONLY_16 = HTML: images with 1200-1600 bytes of words
  • HTML_IMAGE_ONLY_20 = HTML: images with 1600-2000 bytes of words
  • HTML_IMAGE_ONLY_24 = HTML: images with 2000-2400 bytes of words
  • HTML_IMAGE_ONLY_28 = HTML: images with 2400-2800 bytes of words
  • HTML_IMAGE_ONLY_32 = HTML: images with 2800-3200 bytes of words
  • HTML_IMAGE_RATIO_02 = HTML has a low ratio of text to image area
  • HTML_IMAGE_RATIO_04 = HTML has a low ratio of text to image area
  • HTML_IMAGE_RATIO_06 = HTML has a low ratio of text to image area
  • HTML_IMAGE_RATIO_08 = HTML has a low ratio of text to image area
  • HTML_OBFUSCATE_05_10 = Message is 5% to 10% HTML obfuscation
  • HTML_OBFUSCATE_10_20 = Message is 10% to 20% HTML obfuscation
  • HTML_OBFUSCATE_20_30 = Message is 20% to 30% HTML obfuscation
  • HTML_OBFUSCATE_30_40 = Message is 30% to 40% HTML obfuscation
  • HTML_OBFUSCATE_50_60 = Message is 50% to 60% HTML obfuscation
  • HTML_OBFUSCATE_70_80 = Message is 70% to 80% HTML obfuscation
  • HTML_OBFUSCATE_90_100 = Message is 90% to 100% HTML obfuscation
  • HTML_TAG_BALANCE_BODY = HTML has unbalanced "body" tags
  • HTML_TAG_BALANCE_HEAD = HTML has unbalanced "head" tags
  • HTML_TAG_EXIST_BGSOUND = HTML has "bgsound" tag
  • HTML_BADTAG_40_50 = HTML message is 40% to 50% bad tags
  • HTML_BADTAG_50_60 = HTML message is 50% to 60% bad tags
  • HTML_BADTAG_60_70 = HTML message is 60% to 70% bad tags
  • HTML_BADTAG_90_100 = HTML message is 90% to 100% bad tags
  • HTML_NONELEMENT_30_40 = 30% to 40% of HTML elements are non-standard
  • HTML_NONELEMENT_40_50 = 40% to 50% of HTML elements are non-standard
  • HTML_NONELEMENT_60_70 = 60% to 70% of HTML elements are non-standard
  • HTML_NONELEMENT_80_90 = 80% to 90% of HTML elements are non-standard
  • HTML_IFRAME_SRC = Message has HTML IFRAME tag with SRC URI
  • DC_GIF_UNO_LARGO = Message contains a single large gif image
  • DC_PNG_UNO_LARGO = Message contains a single large png image
  • DC_IMAGE_SPAM_TEXT = Possible Image-only spam with little text
  • DC_IMAGE_SPAM_HTML = Possible Image-only spam
  • RCVD_IN_MSPIKE_L5 = Very bad reputation (-5)
  • RCVD_IN_MSPIKE_L4 = Bad reputation (-4)
  • RCVD_IN_MSPIKE_L3 = Low reputation (-3)
  • RCVD_IN_MSPIKE_L2 = Suspicious reputation (-2)
  • RCVD_IN_MSPIKE_H5 = Excellent reputation (+5)
  • RCVD_IN_MSPIKE_H4 = Very Good reputation (+4)
  • RCVD_IN_MSPIKE_H3 = Good reputation (+3)
  • RCVD_IN_MSPIKE_H2 = Average reputation (+2)
  • RCVD_IN_MSPIKE_BL = Mailspike blacklisted
  • RCVD_IN_MSPIKE_WL = Mailspike good senders
  • UPPERCASE_50_75 = message body is 50-75% uppercase
  • UPPERCASE_75_100 = message body is 75-100% uppercase
  • INVALID_MSGID = Message-Id is not valid, according to RFC 2822
  • FORGED_MUA_MOZILLA = Forged mail pretending to be from Mozilla
  • PERCENT_RANDOM = Message has a random macro in it
  • EMPTY_MESSAGE = Message appears to have no textual parts and no Subject: text
  • NO_HEADERS_MESSAGE = Message appears to be missing most RFC-822 headers
  • DIGEST_MULTIPLE = Message hits more than one network digest check
  • NO_DNS_FOR_FROM = Envelope sender has no MX or A DNS records
  • GMD_PDF_HORIZ = Contains pdf 100-240 (high) x 450-800 (wide)
  • GMD_PDF_SQUARE = Contains pdf 180-360 (high) x 180-360 (wide)
  • GMD_PDF_VERT = Contains pdf 450-800 (high) x 100-240 (wide)
  • GMD_PRODUCER_GPL = PDF producer was GPL Ghostscript
  • GMD_PRODUCER_POWERPDF = PDF producer was PowerPDF
  • GMD_PRODUCER_EASYPDF = PDF producer was BCL easyPDF
  • GMD_PDF_ENCRYPTED = Attached PDF is encrypted
  • GMD_PDF_EMPTY_BODY = Attached PDF with empty message body
  • REMOVE_BEFORE_LINK = Removal phrase right before a link
  • GUARANTEED_100_PERCENT = One hundred percent guaranteed
  • DEAR_FRIEND = Dear Friend? That's not very dear!
  • DEAR_SOMETHING = Contains 'Dear (something)'
  • BILLION_DOLLARS = Talks about lots of money
  • EXCUSE_4 = Claims you can be removed from the list
  • EXCUSE_REMOVE = Talks about how to be removed from mailings
  • STRONG_BUY = Tells you about a strong buy
  • STOCK_ALERT = Offers a alert about a stock
  • NOT_ADVISOR = Not registered investment advisor
  • PREST_NON_ACCREDITED = 'Prestigious Non-Accredited Universities'
  • BODY_ENHANCEMENT = Information on growing body parts
  • BODY_ENHANCEMENT2 = Information on getting larger body parts
  • IMPOTENCE = Impotence cure
  • URG_BIZ = Contains urgent matter
  • MONEY_BACK = Money back guarantee
  • FREE_QUOTE_INSTANT = Free express or no-obligation quote
  • BAD_CREDIT = Eliminate Bad Credit
  • REFINANCE_YOUR_HOME = Home refinancing
  • REFINANCE_NOW = Home refinancing
  • NO_MEDICAL = No Medical Exams
  • DIET_1 = Lose Weight Spam
  • FIN_FREE = Freedom of a financial nature
  • FORWARD_LOOKING = Stock Disclaimer Statement
  • ONE_TIME = One Time Rip Off
  • JOIN_MILLIONS = Join Millions of Americans
  • MARKETING_PARTNERS = Claims you registered with a partner
  • LOW_PRICE = Lowest Price
  • UNCLAIMED_MONEY = People just leave money laying around
  • OBSCURED_EMAIL = Message seems to contain rot13ed address
  • BANG_OPRAH = Talks about Oprah with an exclamation!
  • ACT_NOW_CAPS = Talks about 'acting now' with capitals
  • MORE_SEX = Talks about a bigger drive for sex
  • BANG_GUAR = Something is emphatically guaranteed
  • RUDE_HTML = Spammer message says you need an HTML mailer
  • INVESTMENT_ADVICE = Message mentions investment advice
  • MALE_ENHANCE = Message talks about enhancing men
  • PRICES_ARE_AFFORDABLE = Message says that prices aren't too expensive
  • REPLICA_WATCH = Message talks about a replica watch
  • EM_ROLEX = Message puts emphasis on the watch manufacturer
  • FREE_PORN = Possible porn - Free Porn
  • CUM_SHOT = Possible porn - Cum Shot
  • LIVE_PORN = Possible porn - Live Porn
  • SUBJECT_SEXUAL = Subject indicates sexually-explicit content
  • RATWARE_EGROUPS = Bulk email fingerprint (eGroups) found
  • RATWARE_OE_MALFORMED = X-Mailer has malformed Outlook Express version
  • RATWARE_MOZ_MALFORMED = Bulk email fingerprint (Mozilla malformed) found
  • RATWARE_MPOP_WEBMAIL = Bulk email fingerprint (mPOP Web-Mail)
  • FORGED_MUA_IMS = Forged mail pretending to be from IMS
  • FORGED_MUA_OUTLOOK = Forged mail pretending to be from MS Outlook
  • FORGED_MUA_OIMO = Forged mail pretending to be from MS Outlook IMO
  • FORGED_MUA_EUDORA = Forged mail pretending to be from Eudora
  • FORGED_MUA_THEBAT_CS = Mail pretending to be from The Bat! (charset)
  • FORGED_MUA_THEBAT_BOUN = Mail pretending to be from The Bat! (boundary)
  • FORGED_OUTLOOK_HTML = Outlook can't send HTML message only
  • FORGED_IMS_HTML = IMS can't send HTML message only
  • FORGED_THEBAT_HTML = The Bat! can't send HTML message only
  • REPTO_QUOTE_AOL = AOL doesn't do quoting like this
  • REPTO_QUOTE_IMS = IMS doesn't do quoting like this
  • REPTO_QUOTE_MSN = MSN doesn't do quoting like this
  • REPTO_QUOTE_QUALCOMM = Qualcomm/Eudora doesn't do quoting like this
  • REPTO_QUOTE_YAHOO = Yahoo! doesn't do quoting like this
  • FORGED_QUALCOMM_TAGS = QUALCOMM mailers can't send HTML in this format
  • FORGED_IMS_TAGS = IMS mailers can't send HTML in this format
  • FORGED_OUTLOOK_TAGS = Outlook can't send HTML in this format
  • RATWARE_HASH_DASH = Contains a hashbuster in Send-Safe format
  • RATWARE_ZERO_TZ = Bulk email fingerprint (+0000) found
  • X_MESSAGE_INFO = Bulk email fingerprint (X-Message-Info) found
  • HEADER_SPAM = Bulk email fingerprint (header-based) found
  • RATWARE_RCVD_PF = Bulk email fingerprint (Received PF) found
  • RATWARE_RCVD_AT = Bulk email fingerprint (Received @) found
  • RATWARE_OUTLOOK_NONAME = Bulk email fingerprint (Outlook no name) found
  • RATWARE_MS_HASH = Bulk email fingerprint (msgid ms hash) found
  • RATWARE_NAME_ID = Bulk email fingerprint (msgid from) found
  • RATWARE_EFROM = Bulk email fingerprint (envfrom) found
  • NUMERIC_HTTP_ADDR = Uses a numeric IP address in URL
  • HTTP_ESCAPED_HOST = Uses %-escapes inside a URL's hostname
  • HTTP_EXCESSIVE_ESCAPES = Completely unnecessary %-escapes inside a URL
  • IP_LINK_PLUS = Dotted-decimal IP address followed by CGI
  • WEIRD_PORT = Uses non-standard port number for HTTP
  • YAHOO_RD_REDIR = Has Yahoo Redirect URI
  • YAHOO_DRS_REDIR = Has Yahoo Redirect URI
  • HTTP_77 = Contains an URL-encoded hostname (HTTP77)
  • SPOOF_COM2OTH = URI contains ".com" in middle
  • SPOOF_COM2COM = URI contains ".com" in middle and end
  • SPOOF_NET2COM = URI contains ".net" or ".org", then ".com"
  • URI_HEX = URI hostname has long hexadecimal sequence
  • URI_NOVOWEL = URI hostname has long non-vowel sequence
  • URI_UNSUBSCRIBE = URI contains suspicious unsubscribe link
  • URI_NO_WWW_INFO_CGI = CGI in .info TLD other than third-level "www"
  • URI_NO_WWW_BIZ_CGI = CGI in .biz TLD other than third-level "www"
  • NORMAL_HTTP_TO_IP = URI host has a public dotted-decimal IPv4 address
  • BOUNCE_MESSAGE = MTA bounce message
  • CHALLENGE_RESPONSE = Challenge-Response message for mail you sent
  • CRBOUNCE_MESSAGE = Challenge-Response bounce message
  • VBOUNCE_MESSAGE = Virus-scanner bounce message
  • ANY_BOUNCE_MESSAGE = Message is some kind of bounce message
  • ACCESSDB = Message would have been caught by accessdb
  • MICROSOFT_EXECUTABLE = Message includes Microsoft executable program
  • MIME_SUSPECT_NAME = MIME filename does not match content
  • DCC_CHECK = Detected as bulk mail by DCC (dcc-servers.net)
  • DCC_REPUT_00_12 = DCC reputation between 0 and 12 % (mostly ham)
  • DCC_REPUT_70_89 = DCC reputation between 70 and 89 %
  • DCC_REPUT_90_94 = DCC reputation between 90 and 94 %
  • DCC_REPUT_95_98 = DCC reputation between 95 and 98 % (mostly spam)
  • DCC_REPUT_99_100 = DCC reputation between 99 % or higher (spam)
  • DKIM_SIGNED = Message has a DKIM or DK signature, not necessarily valid
  • DKIM_VALID = Message has at least one valid DKIM or DK signature
  • DKIM_VALID_AU = Message has a valid DKIM or DK signature from author's domain
  • DKIM_ADSP_NXDOMAIN = No valid author signature and domain not in DNS
  • DKIM_ADSP_DISCARD = No valid author signature, domain signs all mail and suggests discarding the rest
  • DKIM_ADSP_ALL = No valid author signature, domain signs all mail
  • DKIM_ADSP_CUSTOM_LOW = No valid author signature, adsp_override is CUSTOM_LOW
  • DKIM_ADSP_CUSTOM_MED = No valid author signature, adsp_override is CUSTOM_MED
  • DKIM_ADSP_CUSTOM_HIGH = No valid author signature, adsp_override is CUSTOM_HIGH
  • NML_ADSP_CUSTOM_LOW = ADSP custom_low hit, and not from a mailing list
  • NML_ADSP_CUSTOM_MED = ADSP custom_med hit, and not from a mailing list
  • NML_ADSP_CUSTOM_HIGH = ADSP custom_high hit, and not from a mailing list
  • HASHCASH_20 = Contains valid Hashcash token (20 bits)
  • HASHCASH_21 = Contains valid Hashcash token (21 bits)
  • HASHCASH_22 = Contains valid Hashcash token (22 bits)
  • HASHCASH_23 = Contains valid Hashcash token (23 bits)
  • HASHCASH_24 = Contains valid Hashcash token (24 bits)
  • HASHCASH_25 = Contains valid Hashcash token (25 bits)
  • HASHCASH_HIGH = Contains valid Hashcash token (>25 bits)
  • HASHCASH_2SPEND = Hashcash token already spent in another mail
  • SUBJECT_FUZZY_MEDS = Attempt to obfuscate words in Subject:
  • SUBJECT_FUZZY_VPILL = Attempt to obfuscate words in Subject:
  • SUBJECT_FUZZY_CHEAP = Attempt to obfuscate words in Subject:
  • SUBJECT_FUZZY_PENIS = Attempt to obfuscate words in Subject:
  • SUBJECT_FUZZY_TION = Attempt to obfuscate words in Subject:
  • FUZZY_AFFORDABLE = Attempt to obfuscate words in spam
  • FUZZY_AMBIEN = Attempt to obfuscate words in spam
  • FUZZY_BILLION = Attempt to obfuscate words in spam
  • FUZZY_CPILL = Attempt to obfuscate words in spam
  • FUZZY_CREDIT = Attempt to obfuscate words in spam
  • FUZZY_ERECT = Attempt to obfuscate words in spam
  • FUZZY_GUARANTEE = Attempt to obfuscate words in spam
  • FUZZY_MEDICATION = Attempt to obfuscate words in spam
  • FUZZY_MILLION = Attempt to obfuscate words in spam
  • FUZZY_MONEY = Attempt to obfuscate words in spam
  • FUZZY_MORTGAGE = Attempt to obfuscate words in spam
  • FUZZY_OBLIGATION = Attempt to obfuscate words in spam
  • FUZZY_OFFERS = Attempt to obfuscate words in spam
  • FUZZY_PHARMACY = Attempt to obfuscate words in spam
  • FUZZY_PHENT = Attempt to obfuscate words in spam
  • FUZZY_PRESCRIPT = Attempt to obfuscate words in spam
  • FUZZY_PRICES = Attempt to obfuscate words in spam
  • FUZZY_REFINANCE = Attempt to obfuscate words in spam
  • FUZZY_REMOVE = Attempt to obfuscate words in spam
  • FUZZY_ROLEX = Attempt to obfuscate words in spam
  • FUZZY_SOFTWARE = Attempt to obfuscate words in spam
  • FUZZY_THOUSANDS = Attempt to obfuscate words in spam
  • FUZZY_VLIUM = Attempt to obfuscate words in spam
  • FUZZY_VIOXX = Attempt to obfuscate words in spam
  • FUZZY_VPILL = Attempt to obfuscate words in spam
  • FUZZY_XPILL = Attempt to obfuscate words in spam
  • SPF_PASS = SPF: sender matches SPF record
  • SPF_NEUTRAL = SPF: sender does not match SPF record (neutral)
  • SPF_FAIL = SPF: sender does not match SPF record (fail)
  • SPF_SOFTFAIL = SPF: sender does not match SPF record (softfail)
  • SPF_HELO_PASS = SPF: HELO matches SPF record
  • SPF_HELO_NEUTRAL = SPF: HELO does not match SPF record (neutral)
  • SPF_HELO_FAIL = SPF: HELO does not match SPF record (fail)
  • SPF_HELO_SOFTFAIL = SPF: HELO does not match SPF record (softfail)
  • SPF_NONE = SPF: sender does not publish an SPF Record
  • SPF_HELO_NONE = SPF: HELO does not publish an SPF Record
  • UNWANTED_LANGUAGE_BODY = Message written in an undesired language
  • BODY_8BITS = Body includes 8 consecutive 8-bit characters
  • URIBL_SBL = Contains an URL's NS IP listed in the SBL blocklist
  • URIBL_DBL_SPAM = Contains a spam URL listed in the DBL blocklist
  • URIBL_DBL_PHISH = Contains a Phishing URL listed in the DBL blocklist
  • URIBL_DBL_MALWARE = Contains a malware URL listed in the DBL blocklist
  • URIBL_DBL_BOTNETCC = Contains a botned C&C URL listed in the DBL blocklist
  • URIBL_DBL_ABUSE_SPAM = Contains an abused spamvertized URL listed in the DBL blocklist
  • URIBL_DBL_ABUSE_REDIR = Contains an abused redirector URL listed in the DBL blocklist
  • URIBL_DBL_ABUSE_PHISH = Contains an abused phishing URL listed in the DBL blocklist
  • URIBL_DBL_ABUSE_MALW = Contains an abused malware URL listed in the DBL blocklist
  • URIBL_DBL_ABUSE_BOTCC = Contains an abused botnet C&C URL listed in the DBL blocklist
  • URIBL_DBL_ERROR = Error: queried the DBL blocklist for an IP
  • URIBL_WS_SURBL = Contains an URL listed in the WS SURBL blocklist
  • URIBL_PH_SURBL = Contains an URL listed in the PH SURBL blocklist
  • URIBL_MW_SURBL = Contains a URL listed in the MW SURBL blocklist
  • URIBL_CR_SURBL = Contains an URL listed in the CR SURBL blocklist
  • URIBL_ABUSE_SURBL = Contains an URL listed in the ABUSE SURBL blocklist
  • SURBL_BLOCKED = ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
  • URIBL_BLACK = Contains an URL listed in the URIBL blacklist
  • URIBL_GREY = Contains an URL listed in the URIBL greylist
  • URIBL_RED = Contains an URL listed in the URIBL redlist
  • URIBL_BLOCKED = ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
  • AWL = Adjusted score from AWL reputation of From: address
  • SHORTCIRCUIT = Not all rules were run, due to a shortcircuited rule
  • TXREP = Score normalizing based on sender's reputation
  • USER_IN_BLACKLIST = From: address is in the user's black-list
  • USER_IN_WHITELIST = From: address is in the user's white-list
  • USER_IN_DEF_WHITELIST = From: address is in the default white-list
  • USER_IN_BLACKLIST_TO = User is listed in 'blacklist_to'
  • USER_IN_WHITELIST_TO = User is listed in 'whitelist_to'
  • USER_IN_MORE_SPAM_TO = User is listed in 'more_spam_to'
  • USER_IN_ALL_SPAM_TO = User is listed in 'all_spam_to'
  • URI_HOST_IN_BLACKLIST = host or domain listed in the URI black-list
  • URI_HOST_IN_WHITELIST = host or domain listed in the URI white-list
  • HEADER_HOST_IN_BLACKLIST = Blacklisted header host or domain
  • HEADER_HOST_IN_WHITELIST = Whitelisted header host or domain
  • USER_IN_DKIM_WHITELIST = From: address is in the user's DKIM whitelist
  • USER_IN_DEF_DKIM_WL = From: address is in the default DKIM white-list
  • USER_IN_SPF_WHITELIST = From: address is in the user's SPF whitelist
  • USER_IN_DEF_SPF_WL = From: address is in the default SPF white-list
  • ENV_AND_HDR_SPF_MATCH = Env and Hdr From used in default SPF WL Match
  • SUBJECT_IN_WHITELIST = Subject: contains string in the user's white-list
  • SUBJECT_IN_BLACKLIST = Subject: contains string in the user's black-list
  • AC_BR_BONANZA = Too many newlines in a row... spammy template
  • AC_DIV_BONANZA = Too many divs in a row... spammy template
  • AC_HTML_NONSENSE_TAGS = Many consecutive multi-letter HTML tags, likely nonsense/spam
  • AC_SPAMMY_URI_PATTERNS1 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS10 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS11 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS12 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS2 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS3 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS4 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS8 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS9 = link combos match highly spammy template
  • ADMAIL = "admail" and variants
  • ADMITS_SPAM = Admits this is an ad
  • ADVANCE_FEE_2_NEW_FORM = Advance Fee fraud and a form
  • ADVANCE_FEE_2_NEW_MONEY = Advance Fee fraud and lots of money
  • ADVANCE_FEE_3_NEW = Appears to be advance fee fraud (Nigerian 419)
  • ADVANCE_FEE_3_NEW_FORM = Advance Fee fraud and a form
  • ADVANCE_FEE_3_NEW_MONEY = Advance Fee fraud and lots of money
  • ADVANCE_FEE_4_NEW = Appears to be advance fee fraud (Nigerian 419)
  • ADVANCE_FEE_4_NEW_MONEY = Advance Fee fraud and lots of money
  • ADVANCE_FEE_5_NEW_FRM_MNY = Advance Fee fraud form and lots of money
  • ADVANCE_FEE_5_NEW_MONEY = Advance Fee fraud and lots of money
  • AD_PREFS = Advertising preferences
  • APOSTROPHE_FROM = From address contains an apostrophe
  • AXB_XMAILER_MIMEOLE_OL_024C2 = Yet another X header trait
  • AXB_XMAILER_MIMEOLE_OL_1ECD5 = Yet another X header trait##} AXB_XMAILER_MIMEOLE_OL_1ECD5
  • AXB_X_FF_SEZ_S = Forefront sez this is spam
  • BANKING_LAWS = Talks about banking laws
  • BASE64_LENGTH_79_INF = base64 encoded email part uses line length of 78 or 79 characters
  • BASE64_LENGTH_79_INF = base64 encoded email part uses line length greater than 79 characters
  • BODY_SINGLE_URI = Message body is only a URI
  • BODY_SINGLE_WORD = Message body is only one word (no spaces)
  • BODY_URI_ONLY = Message body is only a URI in one line of text or for an image
  • BOGUS_MSM_HDRS = Apparently bogus Microsoft email headers
  • CANT_SEE_AD = You really want to see our spam.
  • CK_HELO_DYNAMIC_SPLIT_IP = Relay HELO'd using suspicious hostname (Split IP)
  • CK_HELO_GENERIC = Relay used name indicative of a Dynamic Pool or Generic rPTR
  • CN_B2B_SPAMMER = Chinese company introducing itself
  • COMMENT_GIBBERISH = Nonsense in long HTML comment
  • COMPENSATION = "Compensation"
  • CORRUPT_FROM_LINE_IN_HDRS = Informational: message is corrupt, with a From line in its headers
  • CTYPE_8SPACE_GIF = Stock spam image part 'Content-Type' found (8 spc)
  • DATE_IN_FUTURE_96_Q = Date: is 4 days to 4 months after Received: date
  • DEAR_BENEFICIARY = Dear Beneficiary:
  • DEAR_WINNER = Spam with generic salutation of "dear winner"
  • DOS_ANAL_SPAM_MAILER = X-mailer pattern common to anal porn site spam
  • DOS_FIX_MY_URI = Looks like a "fix my obfu'd URI please" spam
  • DOS_HIGH_BAT_TO_MX = The Bat! Direct to MX with High Bits
  • DOS_LET_GO_JOB = Let go from their job and now makes lots of dough!
  • DOS_OE_TO_MX = Delivered direct to MX with OE headers
  • DOS_OE_TO_MX_IMAGE = Direct to MX with OE headers and an image
  • DOS_OUTLOOK_TO_MX = Delivered direct to MX with Outlook headers
  • DOS_RCVD_IP_TWICE_C = Received from the same IP twice in a row (only one external relay; empty or IP helo)
  • DOS_STOCK_BAT = Probable pump and dump stock spam
  • DOS_URI_ASTERISK = Found an asterisk in a URI
  • DOS_YOUR_PLACE = Russian dating spam
  • DRUGS_HDIA = Subject mentions "hoodia"
  • DRUGS_STOCK_MIMEOLE = Stock-spam forged headers found (5510)
  • DX_TEXT_01 = "message status"
  • DX_TEXT_02 = "change your message stat"
  • DX_TEXT_03 = "XXX Media Group"
  • DYN_RDNS_AND_INLINE_IMAGE = Contains image, and was sent by dynamic rDNS
  • DYN_RDNS_SHORT_HELO_HTML = Sent by dynamic rDNS, short HELO, and HTML
  • DYN_RDNS_SHORT_HELO_IMAGE = Short HELO string, dynamic rDNS, inline image
  • ENCRYPTED_MESSAGE = Message is encrypted, not likely to be spam
  • EXCUSE_24 = Claims you wanted this ad
  • FBI_MONEY = The FBI wants to give you lots of money?
  • FBI_SPOOF = Claims to be FBI, but not from FBI domain
  • FORM_FRAUD = Fill a form and a fraud phrase
  • FORM_FRAUD_3 = Fill a form and several fraud phrases
  • FORM_FRAUD_5 = Fill a form and many fraud phrases
  • FORM_LOW_CONTRAST = Fill in a form with hidden text
  • FOUND_YOU = I found you...
  • FROM_IN_TO_AND_SUBJ = From address is in To and Subject
  • FROM_MISSPACED = From: missing whitespace
  • FROM_MISSP_MSFT = From misspaced + supposed Microsoft tool
  • FROM_MISSP_REPLYTO = From misspaced, has Reply-To
  • FROM_MISSP_TO_UNDISC = From misspaced, To undisclosed
  • FROM_MISSP_USER = From misspaced, from "User"
  • FROM_MISSP_XPRIO = Misspaced FROM + X-Priority
  • FROM_WORDY = From address looks like a sentence
  • FROM_WORDY_SHORT = From address looks like a sentence + short message
  • FROM_WSP_TRAIL = Trailing whitespace before '>' in From header field
  • FSL_CTYPE_WIN1251 = Content-Type only seen in 419 spam
  • FSL_NEW_HELO_USER = Spam's using Helo and User
  • FUZZY_MERIDIA = Obfuscation of the word "meridia"
  • GOOGLE_DOCS_PHISH = Possible phishing via a Google Docs form
  • GOOGLE_DOCS_PHISH_MANY = Phishing via a Google Docs form
  • GOOG_MALWARE_DNLD = File download via Google - Malware?
  • GOOG_REDIR_SHORT = Google redirect to obscure spamvertised website + short message
  • HDRS_LCASE = Odd capitalization of message header
  • HDRS_MISSP = Misspaced headers
  • HDR_ORDER_FTSDMCXX_001C = Header order similar to spam (FTSDMCXX/MID variant)
  • HDR_ORDER_FTSDMCXX_BAT = Header order similar to spam (FTSDMCXX/boundary variant)
  • HEADER_COUNT_SUBJECT = Multiple Subject headers found
  • HELO_MISC_IP = Looking for more Dynamic IP Relays
  • HEXHASH_WORD = Multiple instances of word + hexadecimal hash
  • HK_NAME_DRUGS = From name contains drugs
  • HK_RANDOM_ENVFROM = Envelope sender username looks random
  • HTML_OFF_PAGE = HTML element rendered well off the displayed page
  • KHOP_DYNAMIC = Relay looks like a dynamic address
  • LIST_PARTIAL_SHORT_MSG = Incomplete mailing list headers + short message
  • LIST_PRTL_PUMPDUMP = Incomplete List-* headers and stock pump-and-dump
  • LIST_PRTL_SAME_USER = Incomplete List-* headers and from+to user the same
  • LONG_HEX_URI = Very long purely hexadecimal URI
  • LONG_IMG_URI = Image URI with very long path component - web bug?
  • LOOPHOLE_1 = A loop hole in the banking laws?
  • LOTTO_AGENT = Claims Agent
  • LUCRATIVE = Make lots of money!
  • MANY_HDRS_LCASE = Odd capitalization of multiple message headers
  • MANY_SPAN_IN_TEXT = Many <SPAN> tags embedded within text
  • MILLION_USD = Talks about millions of dollars
  • MIMEOLE_DIRECT_TO_MX = MIMEOLE + direct-to-MX
  • MONEY_ATM_CARD = Lots of money on an ATM card
  • MONEY_FRAUD_3 = Lots of money and several fraud phrases
  • MONEY_FRAUD_5 = Lots of money and many fraud phrases
  • MONEY_FRAUD_8 = Lots of money and very many fraud phrases
  • MONEY_FROM_41 = Lots of money from Africa
  • MONEY_FROM_MISSP = Lots of money and misspaced From
  • MSGID_MULTIPLE_AT = Message-ID contains multiple '@' characters
  • MSGID_NOFQDN1 = Message-ID with no domain name
  • MSM_PRIO_REPTO = MSMail priority header + Reply-to + short subject
  • NSL_RCVD_FROM_USER = Received from User
  • NSL_RCVD_HELO_USER = Received from HELO User
  • NULL_IN_BODY = Message has NUL (ASCII 0) byte in message
  • OBFU_JVSCR_ESC = Injects content using obfuscated javascript
  • PART_CID_STOCK = Has a spammy image attachment (by Content-ID)
  • PART_CID_STOCK_LESS = Has a spammy image attachment (by Content-ID, more specific)
  • PHP_NOVER_MUA = Mail from PHP with no version number
  • PHP_ORIG_SCRIPT = Sent by bot & other signs
  • PHP_SCRIPT_MUA = Sent by PHP script, no version number
  • PUMPDUMP = Pump-and-dump stock scam phrase
  • PUMPDUMP_MULTI = Pump-and-dump stock scam phrases
  • PUMPDUMP_TIP = Pump-and-dump stock tip
  • RAND_HEADER_MANY = Many random gibberish message headers
  • RCVD_BAD_ID = Received header contains id field with bad characters
  • RCVD_DBL_DQ = Malformatted message header
  • RCVD_FORGED_WROTE = Forged 'Received' header found ('wrote:' spam)
  • RCVD_IN_DNSWL_BLOCKED = ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
  • RCVD_IN_DNSWL_HI = Sender listed at http://www.dnswl.org/, high trust
  • RCVD_IN_DNSWL_LOW = Sender listed at http://www.dnswl.org/, low trust
  • RCVD_IN_DNSWL_MED = Sender listed at http://www.dnswl.org/, medium trust
  • RCVD_IN_DNSWL_NONE = Sender listed at http://www.dnswl.org/, no trust
  • RCVD_IN_IADB_DK = IADB: Sender publishes Domain Keys record
  • RCVD_IN_IADB_DOPTIN = IADB: All mailing list mail is confirmed opt-in
  • RCVD_IN_IADB_DOPTIN_GT50 = IADB: Confirmed opt-in used more than 50% of the time
  • RCVD_IN_IADB_DOPTIN_LT50 = IADB: Confirmed opt-in used less than 50% of the time
  • RCVD_IN_IADB_EDDB = IADB: Participates in Email Deliverability Database
  • RCVD_IN_IADB_EPIA = IADB: Member of Email Processing Industry Alliance
  • RCVD_IN_IADB_GOODMAIL = IADB: Sender has been certified by GoodMail
  • RCVD_IN_IADB_LISTED = Participates in the IADB system
  • RCVD_IN_IADB_LOOSE = IADB: Adds relationship addrs w/out opt-in
  • RCVD_IN_IADB_MI_CPEAR = IADB: Complies with Michigan's CPEAR law
  • RCVD_IN_IADB_MI_CPR_30 = IADB: Checked lists against Michigan's CPR within 30 days
  • RCVD_IN_IADB_MI_CPR_MAT = IADB: Sends no material under Michigan's CPR
  • RCVD_IN_IADB_ML_DOPTIN = IADB: Mailing list email only, confirmed opt-in
  • RCVD_IN_IADB_NOCONTROL = IADB: Has absolutely no mailing controls in place
  • RCVD_IN_IADB_OOO = IADB: One-to-one/transactional email only
  • RCVD_IN_IADB_OPTIN = IADB: All mailing list mail is opt-in
  • RCVD_IN_IADB_OPTIN_GT50 = IADB: Opt-in used more than 50% of the time
  • RCVD_IN_IADB_OPTIN_LT50 = IADB: Opt-in used less than 50% of the time
  • RCVD_IN_IADB_OPTOUTONLY = IADB: Scrapes addresses, pure opt-out only
  • RCVD_IN_IADB_RDNS = IADB: Sender has reverse DNS record
  • RCVD_IN_IADB_SENDERID = IADB: Sender publishes Sender ID record
  • RCVD_IN_IADB_SPF = IADB: Sender publishes SPF record
  • RCVD_IN_IADB_UNVERIFIED_1 = IADB: Accepts unverified sign-ups
  • RCVD_IN_IADB_UNVERIFIED_2 = IADB: Accepts unverified sign-ups, gives chance to opt out
  • RCVD_IN_IADB_UT_CPEAR = IADB: Complies with Utah's CPEAR law
  • RCVD_IN_IADB_UT_CPR_30 = IADB: Checked lists against Utah's CPR within 30 days
  • RCVD_IN_IADB_UT_CPR_MAT = IADB: Sends no material under Utah's CPR
  • RCVD_IN_PSBL = Received via a relay in PSBL
  • RCVD_MAIL_COM = Forged Received header (contains post.com or mail.com)
  • RDNS_LOCALHOST = Sender's public rDNS is "localhost"
  • RISK_FREE = No risk!
  • SERGIO_SUBJECT_VIAGRA01 = Viagra garbled subject
  • SHORT_HELO_AND_INLINE_IMAGE = Short HELO string, with inline image
  • SINGLETS_LOW_CONTRAST = Single-letter formatted HTML + hidden text
  • SPAMMY_XMAILER = X-Mailer string is common in spam and not in ham
  • SPOOFED_FREEM_REPTO = Forged freemail sender with freemail reply-to
  • SPOOFED_FREEM_REPTO_CHN = Forged freemail sender with Chinese freemail reply-to
  • STATIC_XPRIO_OLE = Static RDNS + X-Priority + MIMEOLE
  • STOCK_IMG_CTYPE = Stock spam image part, with distinctive Content-Type header
  • STOCK_IMG_HDR_FROM = Stock spam image part, with distinctive From line
  • STOCK_IMG_HTML = Stock spam image part, with distinctive HTML
  • STOCK_IMG_OUTLOOK = Stock spam image part, with Outlook-like features
  • STOCK_LOW_CONTRAST = Stocks + hidden text
  • STOCK_TIP = Stock tips
  • STYLE_GIBBERISH = Nonsense in HTML <STYLE> tag
  • SUBJECT_NEEDS_ENCODING = Subject is encoded but does not specify the encoding
  • SYSADMIN = Supposedly from your IT department
  • TBIRD_SUSP_MIME_BDRY = Unlikely Thunderbird MIME boundary
  • TEQF_USR_IMAGE = To and from user nearly same + image
  • TEQF_USR_MSGID_HEX = To and from user nearly same + unusual message ID
  • TEQF_USR_MSGID_MALF = To and from user nearly same + malformed message ID
  • THIS_AD = "This ad" and variants
  • TO_IN_SUBJ = To address is in Subject
  • TO_NO_BRKTS_DYNIP = To: lacks brackets and dynamic rDNS
  • TO_NO_BRKTS_FROM_MSSP = Multiple header formatting problems
  • TO_NO_BRKTS_HTML_IMG = To: lacks brackets and HTML and one image
  • TO_NO_BRKTS_HTML_ONLY = To: lacks brackets and HTML only
  • TO_NO_BRKTS_MSFT = To: lacks brackets and supposed Microsoft tool
  • TO_NO_BRKTS_NORDNS_HTML = To: lacks brackets and no rDNS and HTML only
  • TO_NO_BRKTS_PCNT = To: lacks brackets + percentage
  • TT_MSGID_TRUNC = Scora: Message-Id ends after left-bracket + digits
  • TT_OBSCURED_VALIUM = Scora: obscured "VALIUM" in subject
  • TT_OBSCURED_VIAGRA = Scora: obscured "VIAGRA" in subject
  • TVD_ACT_193 = Message refers to an act passed in the 1930s
  • TVD_APPROVED = Body states that the recipient has been approved
  • TVD_DEAR_HOMEOWNER = Spam with generic salutation of "dear homeowner"
  • TVD_ENVFROM_APOST = Envelope From contains single-quote
  • TVD_FLOAT_GENERAL = Message uses CSS float style
  • TVD_FUZZY_DEGREE = Obfuscation of the word "degree"
  • TVD_FUZZY_FINANCE = Obfuscation of the word "finance"
  • TVD_FUZZY_FIXED_RATE = Obfuscation of the phrase "fixed rate"
  • TVD_FUZZY_MICROCAP = Obfuscation of the word "micro-cap"
  • TVD_FUZZY_PHARMACEUTICAL = Obfuscation of the word "pharmaceutical"
  • TVD_FUZZY_SYMBOL = Obfuscation of the word "symbol"
  • TVD_FW_GRAPHIC_NAME_LONG = Long image attachment name
  • TVD_FW_GRAPHIC_NAME_MID = Medium sized image attachment name
  • TVD_INCREASE_SIZE = Advertising for penis enlargement
  • TVD_LINK_SAVE = Spam with the text "link to save"
  • TVD_PH_BODY_ACCOUNTS_PRE = The body matches phrases such as "accounts suspended", "account credited", "account verification"
  • TVD_PH_REC = Message includes a phrase commonly used in phishing mails
  • TVD_PH_SEC = Message includes a phrase commonly used in phishing mails
  • TVD_QUAL_MEDS = The body matches phrases such as "quality meds" or "quality medication"
  • TVD_RATWARE_CB = Content-Type header that is commonly indicative of ratware
  • TVD_RATWARE_CB_2 = Content-Type header that is commonly indicative of ratware
  • TVD_RATWARE_MSGID_02 = Ratware with a Message-ID header that is entirely lower-case
  • TVD_RCVD_IP = Message was received from an IP address
  • TVD_RCVD_IP4 = Message was received from an IPv4 address
  • TVD_RCVD_SINGLE = Message was received from localhost
  • TVD_SECTION = References to specific legal codes
  • TVD_SILLY_URI_OBFU = URI obfuscation that can fool a URIBL or a uri rule
  • TVD_SPACED_SUBJECT_WORD3 = Entire subject is "UPPERlowerUPPER" with no whitespace
  • TVD_SPACE_ENCODED = Space ratio & encoded subject
  • TVD_SPACE_ENC_FM_MIME = Space ratio & encoded subject & MIME needed
  • TVD_SPACE_RATIO_MINFP = Space ratio
  • TVD_STOCK1 = Spam related to stock trading
  • TVD_SUBJ_ACC_NUM = Subject has spammy looking monetary reference
  • TVD_SUBJ_FINGER_03 = Entire subject is enclosed in asterisks "* like so *"
  • TVD_SUBJ_OWE = Subject line states that the recipieint is in debt
  • TVD_SUBJ_WIPE_DEBT = Spam advertising a way to eliminate debt
  • TVD_VISIT_PHARMA = Body mentions online pharmacy
  • TVD_VIS_HIDDEN = Invisible textarea HTML tags
  • TW_GIBBERISH_MANY = Lots of gibberish text to spoof pattern matching filters
  • T_DATE_IN_FUTURE_Q_PLUS = Date: is over 4 months after Received: date
  • T_DOS_OUTLOOK_TO_MX_IMAGE = Direct to MX with Outlook headers and an image
  • T_EMRCP = "Excess Maximum Return Capital Profit" scam
  • T_END_FUTURE_EMAILS = Spammy unsubscribe
  • T_LOTTO_AGENT_FM = Claims Agent
  • T_LOTTO_AGENT_RPLY = Claims Agent
  • T_LOTTO_URI = Claims Department URL
  • T_RP_MATCHES_RCVD = Envelope sender domain matches handover relay domain
  • T_SHARE_50_50 = Share the money 50/50
  • UC_GIBBERISH_OBFU = Multiple instances of "word VERYLONGGIBBERISH word"
  • URIBL_RHS_DOB = Contains an URI of a new domain (Day Old Bread)
  • URI_DATA = "data:" URI - possible malware or phish
  • URI_DQ_UNSUB = IP-address unsubscribe URI
  • URI_GOOGLE_PROXY = Accessing a blacklisted URI or obscuring source of phish via Google proxy?
  • URI_ONLY_MSGID_MALF = URI only + malformed message ID
  • URI_OPTOUT_3LD = Opt-out URI, suspicious hostname
  • URI_OPTOUT_USME = Opt-out URI, unusual TLD
  • URI_PHISH = Phishing using web form
  • URI_TRY_3LD = "Try it" URI, suspicious hostname
  • URI_TRY_USME = "Try it" URI, unusual TLD
  • URI_WPADMIN = WordPress login/admin URI, possible phishing
  • URI_WP_DIRINDEX = URI for compromised WordPress site, possible malware
  • URI_WP_HACKED = URI for compromised WordPress site, possible malware
  • URI_WP_HACKED_2 = URI for compromised WordPress site, possible malware
  • XM_PHPMAILER_FORGED = Apparently forged header
  • XPRIO = Has X-Priority header
  • XPRIO_SHORT_SUBJ = Has X-Priority header + short subject
  • URIBL_SC_SURBL = Contains an URL listed in the SC SURBL blocklist
  • URIBL_WS_SURBL = Contains an URL listed in the WS SURBL blocklist
  • URIBL_PH_SURBL = Contains an URL listed in the PH SURBL blocklist
  • URIBL_MW_SURBL = Contains a Malware Domain or IP listed in the MW SURBL blocklist
  • URIBL_AB_SURBL = Contains an URL listed in the AB SURBL blocklist
  • URIBL_JP_SURBL = Contains an URL listed in the JP SURBL blocklist


SARE Rulesets

  • SARE_ADLTSUB1 = Contains OBFU and "strong" adult words
  • SARE_ADLTSUB2 = Contains possible adult words
  • SARE_ADLTSUB3 = Apparent spam seems to contain porn subject
  • SARE_ADLTSUB4 = Apparent spam seems to contain porn subject
  • SARE_ADLTSUB5 = Apparent spam seems to contain porn subject
  • SARE_ADLTSUB6 = Apparent spam seems to contain porn subject
  • SARE_ADLTSUB7 = Apparent spam seems to contain porn subject
  • SARE_ADLTSUB8 = Apparent spam seems to contain porn subject
  • LW_PORN_HELLO = Standard 'hot chicks' line
  • SARE_ADULT1 = Contains adult material
  • SARE_ADULT2 = Contains adult material
  • SARE_BETTERORG = Talks about getting better orgasms
  • SARE_ENLRGYOUR = Talks about "enlarging" something
  • SARE_LRGPNS = Talks about a "bigger" appendage
  • SARE_PNSSIZE = Talks about the size of male body part
  • SARE_SXLIFE = Talks about your sex life
  • SARE_BEASTUD = common spammer phrasing
  • SARE_BIGRMEMBER = mentions bigger body part
  • SARE_INLENGTH = common spammer phrasing
  • SARE_NOEMBARRASS = Wow, I won't be embarrassed anymore!
  • SARE_PLEASEPARTNR = common spammer phrasing
  • SARE_SUPERVIAGRA = mentions drug which is often subject of spam
  • SARE_ADLTDATING = Contains phrasing used by spammers
  • SARE_ADLTPRSNLS = Contains phrasing used by spammers
  • SARE_CHILDPRN1 = contains reference to child porn
  • SARE_TOWRITE = Contains phrasing used by spammers
  • SARE_GETFCK = Contains phrasing used by spammers
  • SARE_BADGIRLS = Contains phrasing used by spammers
  • SARE_QLTYSINGLES = Contains phrasing seen in spam
  • SARE_STILLSINGLE = Contains phrasing used by spammers
  • SARE_HOUSEWIVES = Mentions housewives, as in porn or in-home biz
  • SARE_SCHLGRL = mentions schoolgirls, as in porn
  • SARE_ADLTOBFU = Contains OBFU adult material
  • SARE_OBFUENLARGE = masked spam word(s)
  • SARE_OBFUFCK2 = Apparent spam seems to contain porn subject
  • SARE_OBFUSEXUAL = masked spam word(s)
  • SARE_OBFUTESTO = masked spam word(s)
  • SARE_RPTLETTERS = Contains mis-spelled adult phrase(s)
  • SARE_SEXDRIVE = Talks about sex drive
  • SARE_BETTERSEX = Spammer phrasing in body of email
  • SARE_SEXENHANCER = mentions spam topic
  • SARE_BAYES_5x7 = Bayes poison 5x7
  • SARE_BAYES_5x8 = Bayes poison 5x8
  • SARE_BAYES_6x6 = Bayes poison 6x6
  • SARE_BAYES_6x7 = Bayes poison 6x7
  • SARE_BAYES_6x8 = Bayes poison 6x8
  • SARE_BAYES_7x5 = Bayes poison 7x5
  • SARE_BAYES_7x6 = Bayes poison 7x6
  • SARE_BAYES_7x7 = Bayes poison 7x7
  • SARE_BAYES_7x8 = Bayes poison 7x8
  • SARE_BAYES_8x5 = Bayes poison 8x5
  • SARE_BAYES_9x5 = Bayes poison 9+x5
  • SARE_EN_A_1XX_1 = Phone number or address pulled from spam
  • SARE_EN_A_1XX_2 = Phone number or address pulled from spam
  • SARE_EN_A_2XX_1 = Phone number or address pulled from spam
  • SARE_EN_A_3XX_1 = Phone number or address pulled from spam
  • SARE_EN_A_4XX_1 = Phone number or address pulled from spam
  • SARE_EN_A_5XX_1 = Phone number or address pulled from spam
  • SARE_EN_A_6XX_1 = Phone number or address pulled from spam
  • SARE_EN_A_7XX_1 = Phone number or address pulled from spam
  • SARE_EN_A_8XX_1 = Phone number or address pulled from spam
  • SARE_EN_A_9XX_1 = Phone number or address pulled from spam
  • SARE_EN_A_BOX_1 = Phone number or address pulled from spam
  • SARE_EN_A_INT_1 = Phone number or address pulled from spam
  • SARE_EN_N_X31_1 = Phone number or address pulled from spam
  • SARE_EN_N_2XX_1 = Phone number or address pulled from spam
  • SARE_EN_N_203_1 = Phone number or address pulled from spam
  • SARE_EN_N_212_1 = Phone number or address pulled from spam
  • SARE_EN_N_4XX_1 = Phone number or address pulled from spam
  • SARE_EN_N_5XX_1 = Phone number or address pulled from spam
  • SARE_EN_N_7XX_1 = Phone number or address pulled from spam
  • SARE_EN_N_800_1 = Phone number or address pulled from spam
  • SARE_EN_N_800_2_1 = Phone number or address pulled from spam
  • SARE_EN_N_800_3_1 = Phone number or address pulled from spam
  • SARE_EN_N_800_5_1 = Phone number or address pulled from spam
  • SARE_EN_N_800_8_1 = Phone number or address pulled from spam
  • SARE_EN_N_800_9_1 = Phone number or address pulled from spam
  • SARE_EN_N_866_1 = Phone number or address pulled from spam
  • SARE_EN_N_877_1 = Phone number or address pulled from spam
  • SARE_EN_N_888_1 = Phone number or address pulled from spam
  • SARE_EN_N_9XX_1 = Phone number or address pulled from spam
  • SARE_EN_N_X1X_1 = Phone number or address pulled from spam
  • SARE_SUB_FREE_PPV = Spammer subject - black market or scam
  • SARE_SUB_INC_ONLINE2 = Subject contains apparent spammer phrasing
  • SARE_SUB_NAME_STAR = Spammer subject - black market or scam
  • SARE_SUB_REPRESENT_REQ = Possible phishing subject
  • SARE_SUB_SINCERE = Spam topic found in subject
  • SARE_SUB_NEW_CREDIT = Spammer subject - credit or money
  • SARE_SUB_WIPE_CLEAN = Subject will wipe something clean
  • SARE_SUB_CASINO_BONUS = Spammer subject - casinos
  • SARE_SUB_TERM_LIFE = Spammer subject - insurance
  • SARE_SUB_INCOME = Subject contains common spammer phrasing
  • SARE_SUB_OEMS = Spammer subject - multiple software vendors
  • SARE_SUB_24HOUR_SALE = Common spammer subject header -- sales
  • SARE_SUB_BUY_MEDS = Spammer subject - medical
  • SARE_SUB_FORGET_DOC = Spammer subject - medical
  • SARE_SUB_FREE_PRES = subject has likely spammer phrase or word
  • SARE_SUB_GIVE_SMILE = Common spammer subject
  • SARE_SUB_MALE_MUSCLE = Spammer subject - medical
  • SARE_SUB_MEDS_LEO = obfuscated subject header
  • SARE_SUB_NO_RX = no prescription needed
  • SARE_SUB_NUM_PILLS = Common spammer subject header -- medical
  • SARE_SUB_ONLINE_DRUG = Common spammer subject
  • SARE_SUB_PHARM_LEO = obfuscated subject header
  • SARE_SUB_PHARM_LEO2 = obfuscated subject header
  • SARE_SUB_REFILL_RX = Common spammer subject - medical
  • SARE_SUB_RENEW_VITAL = Common spammer subject
  • SARE_SUB_CHEAP = Subject matches common spam pattern
  • SARE_SUB_LIKE_YOU = subject has likely spammer phrase or word
  • SARE_SUB_PAYMENT = Subject matches common spam pattern
  • SARE_HEAD_HDR_CONVER = Message headers used which identify spam
  • SARE_HEAD_HDR_DISPNOP = Message headers used which identify spam
  • SARE_HEAD_HDR_LANG = Message headers used which identify spam
  • SARE_HEAD_HDR_NLETRID = Message headers used which identify spam
  • SARE_HEAD_HDR_PID = Message headers used which identify spam
  • SARE_HEAD_HDR_PREVNDR = Message headers used which identify spam
  • SARE_HEAD_HDR_XBNCETR = Message headers used which identify spam
  • SARE_HEAD_HDR_XCAMPIDZ = Message headers used which identify spam
  • SARE_HEAD_HDR_XCLIHST = Message headers used which identify spam
  • SARE_HEAD_HDR_XE = Message headers used which identify spam
  • SARE_HEAD_HDR_XCSIP = Message headers used which identify spam
  • SARE_HEAD_HDR_XEMAIL = Message headers used which identify spam
  • SARE_HEAD_HDR_XENCVER = Message headers used which identify spam
  • SARE_HEAD_HDR_XFIND = Message headers used which identify spam
  • SARE_HEAD_HDR_XGMAILA = Message headers used which identify spam
  • SARE_HEAD_HDR_XGMXAV = Message headers used which identify spam
  • SARE_HEAD_HDR_XIDSRVR = Message headers used which identify spam
  • SARE_HEAD_HDR_XRMDTXT = Message headers used which identify spam
  • SARE_HEAD_HDR_XRMVADR = Message headers used which identify spam
  • SARE_HEAD_HDR_XRSPCID = Message headers used which identify spam
  • SARE_HEAD_HDR_XRSPRID = Message headers used which identify spam
  • SARE_HEAD_HDR_XRSPUSR = Message headers used which identify spam
  • SARE_HEAD_HDR_XSPAMTST = Message headers used which identify spam
  • SARE_HEAD_HDR_XSPTRID = Message headers used which identify spam
  • SARE_HEAD_HDR_XUOLSRV = Message headers used which identify spam
  • SARE_HEAD_HDR_XWCMID = Message headers used which identify spam
  • SARE_HEAD_HDR_XWEBMTM = Message headers used which identify spam
  • SARE_BOUNDARY_02 = Too many ~'s in the boundary.
  • SARE_BOUNDARY_03 = Content type boundary used in spam or virus
  • SARE_BOUNDARY_10 = Possible spam flag
  • SARE_BOUNDARY_11 = Possible spam flag
  • SARE_BOUNDARY_12 = Possible spam flag
  • SARE_BOUNDARY_13 = Possible spam flag
  • SARE_BOUNDARY_D9 = Content type boundary used in spam or virus
  • SARE_BOUNDARY_D11 = Content type boundary used in spam or virus
  • SARE_BOUNDARY_D12 = Content type boundary used in spam or virus
  • SARE_BOUNDARY_ANYDIG = Content type boundary used in spam and viruses
  • SARE_BOUNDARY_QZSOFT = Identifies spam from specific spamware Marks Bad AOL Addresses
  • SARE_FROM_BADAOL = From an Invalid AOL Email Address
  • SARE_FROM_DRUGS = From a drug
  • SARE_FROM_HOODIA = From who do ya say?
  • SARE_FROM_PAYPAL_INV = From invalid address at PayPal
  • SARE_FROM_SPAM_NAME2 = From address suggests this is spam
  • SARE_FREE_WEBM_COMWALL = Maybe spammer with free email
  • SARE_FREE_WEBM_Dora = Sender used free email account - may be spammer
  • SARE_FROM_WEBM_ERESMAS = Probable spammer
  • SARE_FREE_WEBM_EsTerra = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_Kero = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_LATINML = Maybe spammer with free email
  • SARE_FREE_WEBM_OwnEm1 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_OwnEm2 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_Uymail = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_Zwallet = Sender used free email account - may be spammer
  • SARE_MSGID_1Z1Z = Message-ID has ratware pattern (1zXXXX@1z)
  • SARE_MSGID_HEX30 = Message-ID has ratware pattern (HEXHEXHEX$9x9@)
  • SARE_HELO_MAILUSER = Received header has possible spamsign
  • SARE_RECV_LOCALHOST = fingerprint
  • SARE_RECV_SUSP_2 = Spammer sign in headers
  • SARE_RECV_TRADVALUES = From or passed through spammer/unreliable domain
  • SARE_RECV_VIPLIST = Email comes from known spammer system
  • SARE_RECV_XACTRIX = From/through probable spammer system
  • SARE_RECV_IP_004078 = Spam passed through possible spammer relay
  • SARE_RECV_IP_038112147 = Spam passed through possible spammer relay
  • SARE_RECV_IP_061052 = Spam passed through possible spammer relay
  • SARE_RECV_IP_061172 = Spam passed through possible spammer relay
  • SARE_RECV_IP_063106130 = Spam passed through possible spammer relay
  • SARE_RECV_IP_064069032 = Spam passed through possible spammer relay
  • SARE_RECV_IP_064192082 = Spam passed through possible spammer relay
  • SARE_RECV_IP_066059094 = Spam passed through possible spammer relay
  • SARE_RECV_IP_066063 = Passed through possible spammer relay or source
  • SARE_RECV_IP_066114a = Spam passed through possible spammer relay
  • SARE_RECV_IP_066159017 = Spam passed through possible spammer relay
  • SARE_RECV_IP_069060122 = Spam passed through possible spammer relay
  • SARE_RECV_IP_070096177 = Spam passed through possible spammer relay
  • SARE_RECV_IP_071004200 = Spam passed through possible spammer relay
  • SARE_RECV_IP_072034096 = Spam passed through possible spammer relay
  • SARE_RECV_IP_204010039 = Spam passed through possible spammer relay
  • SARE_RECV_IP_206081080 = Spam passed through possible spammer relay
  • SARE_RECV_IP_207182 = Passed through possible spammer relay or source
  • SARE_RECV_IP_208048182 = Spam passed through possible spammer relay
  • SARE_RECV_IP_208053011 = Spam passed through possible spammer relay
  • SARE_RECV_IP_216055133 = Spam passed through possible spammer relay
  • SARE_RECV_IP_218011 = Spam passed through Chinese CNCGROUP-HE system
  • SARE_RECV_IP_218062 = Passed through possible spammer relay or source
  • SARE_RECV_IP_218071 = Spam passed through possible spammer relay
  • SARE_RECV_IP_218085 = Passed through possible spammer relay or source
  • SARE_RECV_IP_219159 = Spam passed through possible spammer relay
  • SARE_RECV_IP_219248 = Passed through possible spammer relay or source
  • SARE_RECV_IP_220168 = Passed through possible spammer relay or source
  • SARE_RECV_IP_220189 = Passed through possible spammer relay or source
  • SARE_RECV_IP_221000 = Passed through possible spammer relay or source
  • SARE_RECV_IP_222032 = Spam passed through possible spammer relay
  • SARE_REPLY_XACTRIX = Reply-To email addr to spammer
  • SARE_TOCC_MULT_BIGFT5 = Sent to multiple bigfoot addresses
  • SARE_TOCC_MULT_BIGFT6 = Sent to multiple bigfoot addresses
  • SARE_TOCC_MULT_BIGFT7 = Sent to multiple bigfoot addresses
  • SARE_TOCC_MULT_BIGFT8 = Sent to multiple bigfoot addresses
  • SARE_TOCC_MULT_BIGFT9 = Sent to multiple bigfoot addresses
  • SARE_USERAG_2 = Strange user-agent header implying spam
  • SARE_USERAG_3 = Strange user-agent header implying spam
  • SARE_USERAG_BAT = Spamware pretending to be 'The Bat!'
  • SARE_USERAG_SPAM0 = Was sent by a SPAM User Agent
  • SARE_XMAIL_DIRUNIV = Apparently uses spam/bulk mailer
  • SARE_XMAIL_DYNAMAILER = Bulk email fingerprint (DynaMailer) found
  • SARE_XMAIL_FNORD = Recognized spam sign in xmail header
  • SARE_XMAIL_INTERMED = possible spamware
  • SARE_XMAIL_LEO = Spamsign in x-mailer header
  • SARE_XMAIL_PHPBulkEmai = Apparently uses spam/bulk mailer
  • SARE_XMAIL_RANDMAILER = only 1-3 lowercase words in X-mailer field
  • SARE_XMAIL_TTBOARD = X-Mailer used by spammer
  • SARE_HEAD_DATE46 = Date header suggests this is spam
  • SARE_HEAD_LOC_INV1 = Improper location
  • SARE_HEAD_MIME_INVALID = Invalid mime version
  • SARE_HEAD_MIME_PROD = Ratware MIME Version
  • SARE_HEAD_THRD_ALNUM = Spam fingerprint in thread index
  • SARE_HEAD_XMF_AUTHSNDR = Headers contains spam sign
  • SARE_HEAD_XM4 = Contains spamsign header
  • SARE_HEAD_XMIMEO_MS = Ratware-misspelled header
  • SARE_HEAD_BDY_BOUNCES = Message header suggesting spam in body
  • SARE_HEAD_BAT_WEB = Webmail message ID, but The Bat! X-Mailer
  • SARE_MULT_BMASTGR = Directed to/from invalid address
  • SARE_MULT_FROM = Many from lines
  • SARE_MULT_SEXCLUB = Adult invitation spam
  • SARE_MULT_SUBJ = Many subject lines
  • SARE_HEAD_HDR_ALTREC = Message headers used which identify spam
  • SARE_HEAD_HDR_APPROV = Message headers used which identify spam
  • SARE_HEAD_HDR_AUTSUBD = Message headers used which identify spam
  • SARE_HEAD_HDR_DISCREC = Message headers used which identify spam
  • SARE_HEAD_HDR_MSGTYPE = Message headers used which identify spam
  • SARE_HEAD_HDR_X400RCV = Message headers used which identify spam
  • SARE_HEAD_HDR_XBBOUNC = Message headers used which identify spam
  • SARE_HEAD_HDR_XCNDINF = Message headers used which identify spam
  • SARE_HEAD_HDR_XENC = Message headers used which identify spam
  • SARE_HEAD_HDR_XIDKEY = Apparent spam sign in headers
  • SARE_HEAD_HDR_XLEGAL1 = Message headers used which identify spam
  • SARE_HEAD_HDR_XLEGAL2 = Message headers used which identify spam
  • SARE_HEAD_HDR_XLEGAL3 = Message headers used which identify spam
  • SARE_HEAD_HDR_XLEGAL4 = Message headers used which might identify spam
  • SARE_HEAD_HDR_XLISTAD = Message headers used which identify spam
  • SARE_HEAD_HDR_XMAILID = Message headers used which identify spam
  • SARE_HEAD_HDR_XMEBDOM = Message headers used which identify spam
  • SARE_HEAD_HDR_XMLRSRV = Message headers used which identify spam
  • SARE_HEAD_HDR_XRESPID = Message headers used which identify spam
  • SARE_HEAD_HDR_XRIPE = Message headers used which identify spam
  • SARE_HEAD_HDR_XSAFMMI = Message headers used which identify spam
  • SARE_HEAD_HDR_XSIDPRA = fingerprint
  • SARE_HEAD_HDR_XSIDRES = fingerprint
  • SARE_HEAD_HDR_XTID = Message headers used which identify spam
  • SARE_HEAD_HDR_XWTID = Message headers used which identify spam
  • SARE_HEAD_HDR_XWTVERS = Message headers used which identify spam
  • SARE_HEAD_ORIG_RECIP = Message header used which suggests spam
  • SARE_BOUNDARY_05 = Content type boundary used in spam
  • SARE_BOUNDARY_06 = Content type boundary used in spam
  • SARE_BOUNDARY_08 = Improbable MIME boundary format
  • SARE_BOUNDARY_D10 = Content type boundary used in spam or virus
  • SARE_BOUNDARY_LC = Content type boundary used in spam
  • SARE_BOUNDARY_NP2 = Content type boundary used in spam and viruses
  • SARE_FROM_AST = Invalid character in email address
  • SARE_FROM_CAPS_MSN = Ratware all-caps MSN from address
  • SARE_FROM_DRUGS2 = From a drug
  • SARE_FROM_DVDCOPY = From DVD abuse address
  • SARE_FROM_SPAM_DOMN0 = From address suggests this is spam
  • SARE_FROM_SPAM_DOMN0Y = From address suggests this is spam
  • SARE_FROM_SPAM_MONEY = From address suggests this is spam
  • SARE_FROM_SPAM_MONEY2 = From address suggests this is spam
  • SARE_FROM_SPAM_NAME0 = From address suggests this is spam
  • SARE_FROM_SPAM_PL1 = A lot of spam comes from here
  • SARE_FROM_SPAM_WORD2 = From address suggests this is spam
  • SARE_FREE_WEBM_BIGMAIL = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_FrVoila = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_Jpop = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_MailD = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_Mailexc = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_NETCITY = Maybe spammer with free email
  • SARE_FREE_WEBM_NetFs = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_NetSafe = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_Netster = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_PlTenbi = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_ZCom05 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_Whoever = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_WOWMAIL = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_ZCom01 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_ZCom02 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_ZCom03 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_ZCom03B = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_ZCom04 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_ZCom06 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_ZCom07 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_ZZa001 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_SERV = Sent from Webmail server
  • SARE_MSGID_D1D1D2D16 = Message-ID has ratware pattern (9.9.99.9999999hex@
  • SARE_MSGID_D5D7 = Message-ID has ratware pattern (99999.9999999@)
  • SARE_MSGID_DDDASH = Message-ID has ratware pattern (9-, 9$, 99-)
  • SARE_MSGID_LONG50 = Exceedingly long message id
  • SARE_MSGID_QMAIL1 = Contains spoofing message id
  • SARE_MSGID_RATWARE2 = Message-Id is $lt;digits.digits@letters$gt;
  • SARE_MSGID_SHORT = Message ID is too short to be valid.
  • SARE_HELO_YAHOO = Received header has spamsign
  • SARE_HEAD_8BIT_RECV = High-ascii characters found in strange header
  • SARE_RECV_FEP5 = Message contains known spam format
  • SARE_RECV_FREESERVE = spam passed through system used by spammers
  • SARE_RECV_MDNETCOMBR = Came through/fromsite used by spammer
  • SARE_RECV_PATMEDIA = Passed through possible spammer relay or source
  • SARE_RECV_PORTHELO_1 = Apparent Spamsign in Received header
  • SARE_RECV_PORTHELO_2 = Apparent Spamsign in Received header
  • SARE_RECV_PORTHELO_3 = Apparent Spamsign in Received header
  • SARE_RECV_RND_DATE = Spam passed through iswest.net relay
  • SARE_RECV_SKANOVA = From or passed through spammer/unreliable domain
  • SARE_RECV_SPAM_DOMN02 = Email passed through apparent spammer domain
  • SARE_RECV_SPAM_DOMN04 = Email passed through apparent spammer domain
  • SARE_RECV_SPAM_DOMN06 = Passed through possible spammer relay or source
  • SARE_RECV_SPAM_DOMN0a = Email passed through apparent spammer domain
  • SARE_RECV_SPAM_DOMN0b = Email passed through apparent spammer domain
  • SARE_RECV_SPEEDY_AR = Email passed through apparent spammer domain
  • SARE_RECV_UK2NET2 = Passed through possible spammer relay or source
  • SARE_RECV_VIRTUACOMBR = Came through/fromsite used by spammer
  • SARE_RECV_BEZEQINT_B = Came through/fromsite used by spammer
  • SARE_RECV_IP_FROMIP1 = Received line is IP address from IP address
  • SARE_RECV_IP_FROMIP3 = Received line is IP address from IP address
  • SARE_RECV_IP_061050 = Spam passed through possible spammer relay
  • SARE_RECV_IP_061072 = Passed through possible spammer relay or source
  • SARE_RECV_IP_061187 = Passed through possible spammer relay or source
  • SARE_RECV_IP_061190 = Spam passed through possible spammer relay
  • SARE_RECV_IP_061228 = Spam passed through possible spammer relay
  • SARE_RECV_IP_062023 = Passed through possible spammer relay or source
  • SARE_RECV_IP_065205157 = Spam passed through possible spammer relay
  • SARE_RECV_IP_064034 = Spam passed through possible spammer relay
  • SARE_RECV_IP_066017 = Passed through possible spammer relay or source
  • SARE_RECV_IP_066165224 = Spam passed through possible spammer relay
  • SARE_RECV_IP_066248154 = Spam passed through possible spammer relay
  • SARE_RECV_IP_069050210 = Spam passed through possible spammer relay
  • SARE_RECV_IP_069060096 = Spam passed through possible spammer relay
  • SARE_RECV_IP_082080 = Spam passed through possible spammer relay
  • SARE_RECV_IP_082102 = Spam passed through possible spammer relay
  • SARE_RECV_IP_082154 = Passed through possible spammer relay or source
  • SARE_RECV_IP_083028 = Passed through possible spammer relay or source
  • SARE_RECV_IP_140117 = Passed through possible spammer relay or source
  • SARE_RECV_IP_163125 = Spam passed through possible spammer relay
  • SARE_RECV_IP_192116 = Passed through possible spammer relay or source
  • SARE_RECV_IP_195229 = Passed through possible spammer relay or source
  • SARE_RECV_IP_200150 = Spam passed through possible spammer relay
  • SARE_RECV_IP_203210128 = Spam passed through possible spammer relay
  • SARE_RECV_IP_203177 = Passed through possible spammer relay or source
  • SARE_RECV_IP_206131 = Spam passed through possible spammer relay
  • SARE_RECV_IP_206248152 = Spam passed through possible spammer relay
  • SARE_RECV_IP_209051 = Spam passed through possible spammer relay
  • SARE_RECV_IP_209190 = Spam passed through possible spammer relay
  • SARE_RECV_IP_216118120 = Spam passed through possible spammer relay
  • SARE_RECV_IP_211216 = Passed through possible spammer relay or source
  • SARE_RECV_IP_212068 = Spam passed through possible spammer relay
  • SARE_RECV_IP_216022 = Spam passed through possible spammer relay
  • SARE_RECV_IP_218070 = Spam passed through possible spammer relay
  • SARE_RECV_IP_218072 = Spam passed through possible spammer relay
  • SARE_RECV_IP_218078 = Passed through possible spammer relay or source
  • SARE_RECV_IP_218088 = Passed through possible spammer relay or source
  • SARE_RECV_IP_218216 = Passed through possible spammer relay or source
  • SARE_RECV_IP_219128 = Passed through possible spammer relay or source
  • SARE_RECV_IP_220116 = Passed through possible spammer relay or source
  • SARE_RECV_IP_221124 = Spam passed through possible spammer relay
  • SARE_RECV_IP_222000 = Passed through possible spammer relay or source
  • SARE_RECV_IP_222064 = Spam passed through possible spammer relay
  • SARE_TO_EMPTY = To address is set to empty
  • SARE_XMAIL_GDI = Ratware mailer
  • SARE_XMAIL_GOMAIL = Apparently uses spam/bulk mailer
  • SARE_XMAIL_PSSMAILER = Apparently uses bulk mailer
  • SARE_XMAIL_RLSP = Uses Bulk Mailer used by spammers
  • SARE_XMAIL_TOLMAIL = X-Mailer used by spammer
  • SARE_HEAD_DATE_5L = Date header ends in 5+ letters
  • SARE_HEAD_DATE_RNDDATE = Spam passed through iswest.net relay
  • SARE_HEAD_MSMPR_RNDSTR = Spam passed through iswest.net relay
  • SARE_HEAD_ORG_PREFIXW = Spam sign in Organization header
  • SARE_HEAD_XLIB_INDY1 = Uses S/W version which has only been seen in spam
  • SARE_HEAD_XLIB_INDY2 = Uses S/W version which has only been seen in spam
  • SARE_HEAD_XUNSENT = Found spamsign header
  • SARE_HEAD_XWORD = Spam tool
  • SARE_HEAD_8BIT_DATE = High-ascii characters found in strange header
  • SARE_MULT_VIA_CITIZNET = header references apparent spam source
  • SARE_HEAD_HDR_CONVWLS = Message headers used which identify spam
  • SARE_HEAD_HDR_EPATH = Message headers used which identify spam
  • SARE_HEAD_HDR_JLH = Message headers used which identify spam
  • SARE_HEAD_HDR_REDIRTO = Message headers used which identify spam
  • SARE_HEAD_HDR_ROT = Message headers used which identify spam
  • SARE_HEAD_HDR_RTNPATH = Message headers used which identify spam
  • SARE_HEAD_HDR_WCMSGID = Message headers used which identify spam
  • SARE_HEAD_HDR_X400MTI = Message headers used which identify spam
  • SARE_HEAD_HDR_XAR = Message headers used which identify spam
  • SARE_HEAD_HDR_XAUTGEN = Message headers used which identify spam
  • SARE_HEAD_HDR_XCROSS = Message headers used which identify spam
  • SARE_HEAD_HDR_XEMGBMS = Message headers used which identify spam
  • SARE_HEAD_HDR_XLC = Message headers used which identify spam
  • SARE_HEAD_HDR_XLIDCOD = Message headers used which identify spam
  • SARE_HEAD_HDR_XMISCID = Message headers used which identify spam
  • SARE_HEAD_HDR_XMLCIPH = Message headers used which identify spam
  • SARE_HEAD_HDR_XMLMSGI = Message headers used which identify spam
  • SARE_HEAD_HDR_XMAGDID = Message headers used which identify spam
  • SARE_HEAD_HDR_XMPM = Message headers used which identify spam
  • SARE_HEAD_HDR_XMS = Message headers used which identify spam
  • SARE_HEAD_HDR_XNOSPAM = Message headers used which identify spam
  • SARE_HEAD_HDR_XNTC = Message headers used which identify spam
  • SARE_HEAD_HDR_XPOPB4S = Message headers used which identify spam
  • SARE_HEAD_HDR_XPOPFLK = Message headers used which identify spam
  • SARE_HEAD_HDR_XPRIOMS = Message headers used which identify spam
  • SARE_HEAD_HDR_XPRIOMF = Message headers used which identify spam
  • SARE_HEAD_HDR_XPRIOMI = Message headers used which identify spam
  • SARE_HEAD_HDR_XPIROMC = Message headers used which identify spam
  • SARE_HEAD_HDR_XRBLTST = Message headers used which identify spam
  • SARE_HEAD_HDR_XREC = Message headers used which identify spam
  • SARE_HEAD_HDR_XSPAMSC = Message headers used which identify spam
  • SARE_HEAD_HDR_XSRK = Message headers used which identify spam
  • SARE_HEAD_HDR_XSUBID = Message headers used which identify spam
  • SARE_HEAD_HDR_XTRANS = Message headers used which identify spam
  • SARE_HEAD_HDR_XTXTCLS = Message headers used which identify spam
  • SARE_HEAD_HDR_XVIG = Message headers used which identify spam
  • SARE_HEAD_HDR_XYD = Message headers used which identify spam
  • SARE_HEAD_HDR_XI = Message headers used which identify spam
  • SARE_HEAD_HDR_XIM = Message headers used which identify spam
  • SARE_CONTENT_BITBITNUM = Unlikely content encoding
  • SARE_FROM_AMERICA = From user address is used by spammer
  • SARE_FROM_SPAM_DOMN2 = From address suggests this is spam
  • SARE_FROM_VIRUS1 = From address suggests this is a virus
  • SARE_FREE_WEBM_Iamfi = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_USACOPS = Maybe spammer with free email
  • SARE_MSGID_06D6 = Message-ID has ratware pattern (000009999$9)
  • SARE_MSGID_ALL_CAPHM = Ratware all-caps message-id
  • SARE_MSGID_ALL_CAPMS = Ratware all-caps message-id
  • SARE_MSGID_H7H4H4 = Message-ID has ratware pattern (7hex$4hex$4hex@)
  • SARE_MSGID_SPAM_DOMN0 = Message ID implies possible spammer relay
  • SARE_MSGID_SUSP2 = Message-Id is $lt;LETTERS-digits@letters$gt;
  • SARE_HELO_AOLID = Spam passed through apparent spammer relay
  • SARE_RECV_ADDR2 = Received header missing a FQDN, IP only.
  • SARE_RECV_ADDR3 = Received header contains an empty Recieved IP.
  • SARE_RECV_ADDR4 = Received contains unknown FQDN with possible HELO.
  • SARE_RECV_ADDR5 = RCVD header has no FQDN and a HELO.
  • SARE_RECV_CHAR_DSHDT = Strange dashes and dots in received line
  • SARE_RECV_ESMTP = Received header has forged lowercase 'esmtp' relay
  • SARE_RECV_RANDOM = Spam contains random string in received header
  • SARE_RECV_RND_NUMBER = Spam passed through iswest.net relay
  • SARE_RECV_WITH_X2 = Spam identified by typo in received header
  • SARE_RECV_IP_063111025 = Spam passed through possible spammer relay
  • SARE_RECV_IP_064095 = Spam passed through probable spammer relay
  • SARE_RECV_IP_064192191 = Passed through possible spammer relay or source
  • SARE_RECV_IP_081019 = Passed through possible spammer relay or source
  • SARE_RECV_IP_081095 = Spam passed through possible spammer relay
  • SARE_RECV_IP_142046 = Passed through possible spammer relay or source
  • SARE_RECV_IP_200203050 = Spam passed through possible spammer relay
  • SARE_RECV_IP_202064 = Spam passed through possible spammer relay
  • SARE_RECV_IP_211049 = Spam passed through possible spammer relay
  • SARE_RECV_IP_212164 = Spam passed through possible spammer relay
  • SARE_TOCC_MAILDOMN = Destination identifies this as a virus bounce
  • SARE_TOCC_SPAMWORD0 = Addressed to bogus email address
  • SARE_XMAIL_BULK2 = Uses bulk mailer used by spammers
  • SARE_XMAIL_BULK4 = Uses bulk mailer name forged by viruses
  • SARE_BOUNDARY_01 = Spam tool pattern in MIME boundary
  • SARE_MULT_RATW_03 = Spammer sign in headers
  • SARE_HEAD_CONT_RNDCONT = Spam passed through iswest.net relay
  • SARE_HEAD_SUBJ_RAND = Subject is possibly random words
  • SARE_HEAD_TOCC_DEFHNDL = Spam passed through iswest.net relay
  • SARE_HEAD_XCANIT1 = Message headers used which identify spam
  • SARE_HEAD_XCANIT2 = Incomplete anti-spam headers signifying spam
  • SARE_HEAD_XORIP_IP = header points to probable spammer
  • SARE_HEAD_XPRI_RNDNUM = Spam passed through iswest.net relay
  • SARE_HEAD_HDR_XKRNL = fingerprint
  • SARE_HEAD_HDR_XSEQ = Rarely abused email header
  • SARE_HEAD_HDR_XCCDIAG = Message headers used which identify spam
  • SARE_HEAD_HDR_XCNTRY = Message headers used which identify spam
  • SARE_HEAD_HDR_XKASPAV = Message headers used which identify spam
  • SARE_HEAD_HDR_XMAILTH = Message headers used which identify spam
  • SARE_HEAD_HDR_XMSGID = Message headers used which identify spam
  • SARE_HEAD_HDR_XRETURN = Message headers used which identify spam
  • SARE_HEAD_HDR_XSMTPSV = Message headers used which identify spam
  • SARE_HEAD_HDR_XSYSTEM = Message headers used which identify spam
  • SARE_HEAD_HDR_XUMAIL = Message headers used which identify spam
  • SARE_HEAD_HDR_XUNOLOOK = Unique X-header found in email
  • SARE_HEAD_HDR_XUNSUB = Message headers used which identify spam
  • SARE_BOUNDARY_MULTB = Content type boundary used in spam and viruses
  • SARE_FROM_DEBT = From debt spammer
  • SARE_FROM_DLL = Via a digit-letter-letter domain
  • SARE_FROM_MULTI_DASH = From domain has multiple consecutive hyphens
  • SARE_FROM_NONAME = from has no name on purpose
  • SARE_FROM_NUM_HOTML = Apparent spammer email address pattern
  • SARE_FROM_PHRASE = Sender name appears to be phrase rather than name
  • SARE_FROM_PRINTER = From user address seems to contain spam topic
  • SARE_FROM_QUOTE = From name/address has "quote" as part of it
  • SARE_FROM_SPAM_CHAR0a = Sender name has unexpected or invalid characters
  • SARE_FROM_SPAM_CHAR0b = Sender name has unexpected or invalid characters
  • SARE_FROM_SPAM_CHAR5 = Sender name has unlikely character string
  • SARE_FROM_SUPPORT_DIG = From user address is used by spammer
  • SARE_FREE_WEBM_123 = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_CZSEZNA = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_LAPOSTE = Maybe spammer with free email
  • SARE_FREE_WEBM_Purin = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_RuMail = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_Smapxsm = Sender used free email account - may be spammer
  • SARE_FREE_WEBM_SURIML = Sender used free email account - may be spammer
  • SARE_MSGID_LONG = Message ID is too long.
  • SARE_MSGID_LONG40 = Message ID has suspicious length
  • SARE_MSGID_LONG45 = Message ID has suspicious length
  • SARE_HELO_SENDER = Received header has possible spamsign
  • SARE_HELO_SERVER = Received header has possible spamsign
  • SARE_RECV_CHAR_CARAT = Received header has apparently invalid character
  • SARE_RECV_INFOSAT = Email passed through apparent spammer domain
  • SARE_RECV_SPAM_DOMN03 = Email passed through apparent spammer domain
  • SARE_RECV_SPAM_DOMN07 = Spam passed through noos.fr relay
  • SARE_RECV_SPAM_NAME1 = Email passed through probable spammer relay
  • SARE_RECV_SPAM_NAME2 = Spam passed through netvigator.com system
  • SARE_RECV_IP_066111 = Passed through possible spammer relay or source
  • SARE_RECV_IP_069194 = Spam passed through possible spammer relay
  • SARE_RECV_IP_080032 = Spam passed through possible spammer relay
  • SARE_RECV_IP_080040 = Spam passed through possible spammer relay
  • SARE_RECV_IP_080178 = Spam passed through possible spammer relay
  • SARE_RECV_IP_222126 = Passed through possible spammer relay or source
  • SARE_REPLY_SPAMWORD2 = Reply-To email addr incl spam indicator word
  • SARE_XMAIL_BULK3a = Uses bulk mailer used by spammers
  • SARE_XMAIL_BULK5 = Uses ham mailer, sometimes abused
  • SARE_XMAIL_LCDD = Ratware mailer
  • SARE_XMAIL_SUSP3 = Contains a suspicious X-Mailer header
  • SARE_HEAD_DATE39 = Date header suggests this is spam
  • SARE_HEAD_DATE_ADDED = Original email had no date - added by later system
  • SARE_HEAD_DATE_LONG1 = Date header has interesting length
  • SARE_HEAD_XCOM_RFCMIN = AT&T Maillennium does not like this email
  • SARE_HEAD_8BIT_NOSPM = Header with 8-bit char suggests spam
  • SARE_HEAD_8BIT_SPAM = High-ascii characters found in strange header
  • SARE_HEAD_8BIT_SPAM = High-ascii characters found in subject header
  • SARE_HTML_A_INV = HTML has malformed anchor/href tag
  • SARE_HTML_LINKWARN = Possible spam sign in HTML
  • SARE_HTML_FONT_LWORD = unusual document format
  • SARE_HTML_FONT_SPLIT = HTML bright font color tag split by blank lines
  • SARE_HTML_IMG_CID2 = table spam image
  • SARE_HTML_FLOAT1 = Contains HTML formatting used in spam
  • SARE_HTML_ORIG_MSG = Fake replied message?
  • SARE_HTML_SPANNER = spammer is a SARE_HTML_SPANNER
  • SARE_HTML_CALL_ME = spammer sign in text
  • SARE_PHISH_HTML_02 = numeric href with https description
  • SARE_PHISH_HTML_03 = numeric href with https description
  • SARE_HTML_HTML_QUOT = Message body has very strange HTML sequence
  • SARE_HTML_HTML_TBL = Message body has very strange HTML sequence
  • SARE_HTML_TITLE_1WD = strange document title
  • SARE_HTML_TITLE_2WD = strange document title
  • SARE_HTML_TITLE_DAY = HTML contains day of week in title
  • SARE_HTML_TITLE_LWORD = HTML Title contains looong word
  • SARE_HTML_A_BODY = Message body has very strange HTML sequence
  • SARE_HTML_FONT_EBEF = Message body has very strange HTML sequence
  • SARE_HTML_FONT_SPL = Message uses suspicious font size and/or color
  • SARE_HTML_URI_ESCWWW = URI with obfuscated destination
  • SARE_HTML_URI_LHOST30 = Long unbroken string within URI
  • SARE_HTML_URI_LHOST31 = Long unbroken string within URI
  • SARE_HTML_URI_NOMORE = URI to page name which suggests spammer's page
  • SARE_HTML_URI_OUTPHP = text uri to unsubscribe link
  • SARE_HTML_URI_PARTID = Partner Id in URL
  • SARE_HTML_CMT_CNTR = Message has a center followed by a comment
  • SARE_HTML_IMG_2AT = strange internal image link
  • SARE_HTML_IMG_ONLY = Short HTML msg, IMG and A HREF, maybe naught else
  • SARE_HTML_JVS_FLASH = Tries to load flash animation
  • SARE_HTML_INV_TAG = Message contains invalid HTML tag
  • SARE_HTML_CNTR_TBL = Contains centred table
  • SARE_HTML_SINGLETS = spam pattern in HTML email
  • SARE_HTML_USL_FONT = Another spam attempt
  • SARE_HTML_USL_OBFU = Message body has very strange HTML sequence
  • SARE_HTML_EHTML_OBFU = Phoney tag
  • SARE_HTML_POB1200 = Used by POB1200 Orangestad spammer
  • SARE_HTML_NOFRAMES = Body appears to hide anti-anti-spam text in frame
  • SARE_HTML_URI_GBYE = text has URL to spammer's unsubscribe link
  • SARE_HTML_URI_HIDADD = URI with obfuscated destination
  • SARE_HTML_URI_HIDE1 = URI attempts to hide destination domain
  • SARE_HTML_URI_LOGOGEN = Uses some logo generation software
  • SARE_HTML_URI_OC = Possible spammer sign in URL
  • SARE_HTML_URI_OFF = URI to page name which suggests spammer's page
  • SARE_HTML_HEAD_AFFIL = Affiliate in BOLD
  • SARE_HTML_ONE_LINE2 = standard spam formatting
  • SARE_HTML_ONE_LINE3 = Another single-line centered HTML message
  • SARE_HTML_LEAKTHRU1 = Another image-only spam
  • SARE_HTML_LEAKTHRU2 = Another image-only spam
  • SARE_HTML_USL_B7 = Multiple $lt;b$gt;$lt;/b$gt; (7-8)
  • SARE_HTML_USL_B9 = Multiple $lt;b$gt;$lt;/b$gt; (9-10)
  • SARE_HTML_CMT_MONEY = HTML Comment seems to mention money
  • SARE_HTML_GIF_NUM = HTML contains tracking numbers after .gif
  • SARE_HTML_BR_MANY = Too many sequential identical HTML tags
  • SARE_HTML_MANY_BR05 = Tooo many $lt;br$gt;'s!
  • SARE_HTML_JVS_POPUP = Bad HTML form. Tries to load a javascript pop up.
  • SARE_PHISH_HTML_01 = Hiding actual site with fake secure site!
  • SARE_HTML_EMPTY = Email is HTML format, but common tags not found
  • SARE_HTML_BODY_END2 = Double $lt;/body$gt;
  • SARE_HTML_HTML_DBL = Message body has very strange HTML sequence
  • SARE_HTML_TITLE_MNY = HTML Title implies this may be spam
  • SARE_HTML_LANG_PTBR = Odd language
  • SARE_HTML_URI_DEFASP = URI to page name which suggests spammer's page
  • SARE_HTML_P_MANY3 = Too many empty paragraph tags in a row
  • SARE_HTML_USL_1CHAR = Invalid and empty 1-char tag - /tag combination
  • SARE_HTML_BODY_2SP = HTML tag is strangely formed
  • SARE_HTML_TD_BR = Multiple line breaks in spammer pattern
  • SARE_SPEC_SPAMARREST = probable invalid spam bounce
  • SARE_SPEC_ROLEX = Rolex watch spam
  • SARE_SPEC_ROLEX_REP = Rolex Replica
  • SARE_SPEC_ROLEX_SEL = Large selection of Rolex
  • SARE_SPEC_ROLEX_ORD = Order rolex
  • SARE_SPEC_ROLEX_ITAL = Italian Crafted Rolex
  • SARE_SPEC_ROLEX_PRICE = Rolex for only...
  • SARE_SPEC_ROLEX_BUY = Buy rolex
  • SARE_SPEC_ROLEX_GENREP = Genuine Replica Rolex!
  • SARE_SPEC_ROLEX_CHEAP = Cheap Rolex!
  • SARE_SPEC_REPLICA_OBFU = Rolex with obfuscated replica
  • SARE_SPEC_ROLEX_AFFRD = Can you afford a rolex?
  • SARE_SPEC_ROLEX_BRANDS = Spammer subject - multiple brands
  • SARE_SPEC_ROLEX_BRAND2 = Spammer subject - multiple brands
  • SARE_SPEC_ROLEX_HIQLT = replica watch spam sign
  • SARE_SPEC_ROLEX_NOV5A = replica watch spam sign
  • SARE_SPEC_ROLEX_NOV5B = replica watch spam sign
  • SARE_SPEC_ROLEX_NOV5D = replica watch spam sign
  • SARE_SPEC_ROLEX_NOV5E = replica watch spam sign
  • SARE_SPEC_ROLEX_NOV5F = replica watch spam sign
  • SARE_LOTTO_SPAM = Lottery Spam
  • SARE_LOTTO_SPAM2 = Lottery Spam
  • SARE_BODY_URI_STOCK = Signature of stock market spammer
  • SARE_SPEC_BODY_NONEED = No need to spam us!
  • SARE_SPEC_DIPLOMA = educational spam subject
  • SARE_SPEC_ANTIDOTE = Antidote spammer
  • SARE_SPEC_SPAMIS_FROM = Possibly from or via spammer system
  • SARE_SPEC_SPAMIS_RECV = Possibly from or via spammer system
  • SARE_SPEC_SPAMIS_BDY1 = Possibly from or via spammer system
  • SARE_SPEC_SPAMIS_BDY2 = Possibly from or via spammer system
  • SARE_SPEC_LEO_DOLLARS = Leo table drug spam
  • SARE_SPEC_LEO_DOLLARSa = Leo table drug spam
  • SARE_SPEC_LEO_COST = Table drug cost
  • SARE_SPEC_LEO_COSTa = Table drug cost
  • SARE_SPEC_LRD_COST_M1 = LEO drug pricing variations
  • SARE_SPEC_PROLEO_M1 = Leo drug spam signs
  • SARE_SPEC_PROLEO_M2 = Leo drug spam signs
  • SARE_SPEC_PROLEO_M2a = Leo drug spam signs
  • SARE_SPEC_LRD_COST_M2 = LEO drug pricing variations
  • SARE_SPEC_LEO_DRUGS = Vertical table drug spam
  • SARE_SPEC_LEO_MEDS = obfuscated subject body
  • SARE_SPEC_LEO_PHARM = obfuscated subject body
  • SARE_SPEC_LEO_PHARM2 = obfuscated subject body
  • SARE_SPEC_LEO_CHEM = obfuscated subject body
  • SARE_SPEC_LEO_LINE02 = common Leo body text
  • SARE_SPEC_LEO_LINE03a = common Leo body text
  • SARE_SPEC_LEO_LINE03b = common Leo body text
  • SARE_SPEC_LEO_LINE03e = common Leo body text
  • SARE_SPEC_LEO_LINE03f = common Leo body text
  • SARE_SPEC_LEO_LINE04 = common Leo body text
  • SARE_SPEC_LEO_LINE04d = common Leo body text
  • SARE_SPEC_LEO_PIE2 = pseudo-table-format spam
  • SARE_SPEC_REALLY_WORKS = spamsign for specific drug spammer
  • SARE_SPEC_REALLY_WORK2 = spamsign for specific drug spammer
  • SARE_SPEC_REALLY_WORK3 = spamsign for specific drug spammer
  • SARE_SPEC_REALLY_WORK4 = spamsign for specific drug spammer
  • SARE_SPEC_XXGEOCITIES2 = spamsign pointing to free webhost spam site
  • SARE_SPEC_XXGEOCITIES3 = spamsign pointing to free webhost spam site
  • SARE_SPEC_XXGEOCITIE5 = spamsign pointing to free webhost spam site
  • SARE_LEGIT_PAYPAL = Has signs it's from paypal, from, headers, uri
  • SARE_FORGED_PAYPAL = Message appears to be forged, (paypal.com)
  • SARE_FORGED_EBAY = Message appears to be forged, (ebay.com)
  • SARE_FORGED_SUNTRUST = Message appears to be forged, (suntrust.com)
  • SARE_FORGED_CHASE = Message appears to be forged, (chase.com)
  • SARE_FORGED_CITI = Message appears to be forged, (citibank.com)
  • SARE_FORGED_PAYPAL_C = Has Paypal from, no Paypal received header.
  • SARE_FORGED_ABOUT = Message appears to be forged, (about.com)
  • SARE_SPOOF_OURI = URL has items in odd places
  • SARE_MLH_Stock1 = Subject mentions stock or stock related words
  • SARE_MLH_Stock2 = Subject mentions microcap
  • SARE_MLB_Stock5 = Mentions stock symbol, tickers, or OTC.
  • SARE_MLB_Stock6 = ML obfuscated ticker symbols
  • SARE_MLH_Stock7 = Various common stock subjects
  • SARE_MLH_Stock8 = Platinum !!
  • SARE_MLH_Stock9 = Do I have your attention?
  • SARE_MLH_Stock10 = Yup, it's bull alright.
  • SARE_MLB_Stock11 = GOOD LUCK & TRADE OUT THE TOP
  • SARE_STOCK_MSG_ID2 = Msg ID 'thebat.net'
  • SARE_LW1933 = Reference to Securities Act
  • SARE_LWACT_QUICKLY = Spammer thinks you should hurry.
  • LW_STOCK_SPAM4 = Yup, its a spam!
  • SARE_PROLOSTOCK_SYM1 = Last week's hot stock scam
  • SARE_PROLOSTOCK_SYM2 = Last week's hot stock scam
  • SARE_PROLOSTOCK_SYM3 = Last week's hot stock scam
  • SARE_PROLOSTOCK_SYM4 = Last week's hot stock scam
  • SARE_GIF_ATTACH = Email has a inline gif
  • SARE_GIF_STOX = Inline Gif with little HTML
  • SARE_CSBIG = Only Spicy food gives me an Explosive Gain.
  • SARE_CSNUMTAG = Spamsign in header
  • SARE_CSTRADE5 = STOCK Attachments.
  • SARE_CSSM = Smart Money Equities
  • MY_CID_AND_ARIAL2 = SARE CID and Arial2
  • MY_CID_AND_CLOSING = SARE cid and closing
  • MY_CID_AND_STYLE = SARE cid and style
  • MY_CID_FONT = SARE cid and empty font
  • MY_CID_ARIAL2_CLOSING = SARE cid arial2 closing
  • MY_CID_ARIAL_STYLE = SARE cid arial2 style
  • SARE_ALC = Some header matches /improve your/i
  • SARE_SUBLRNMR = Learn more in Subject
  • SARE_SUBRATES = The Subject line talks about low rates
  • SARE_SUBSTOCK = Stock Market Spam
  • SARE_FWDLOOK = Forward looking statements about stocks
  • SARE_XPNDMRKT = Talks about expanding your market
  • SARE_SELLYOUR = SELL * YOUR in caps
  • SARE_URGBIZ = Contains urgent matter
  • SARE_ONDEAL = Phrase, On this deal
  • SARE_NETPROD = Phrase, Internet Product.
  • SARE_GENUINEOP = Genuine oppurtunity
  • SARE_WEOFFER = Offers Something
  • SARE_LOANOFF = No one needs Loan officers anymore
  • SARE_DIPLOMA2 = Talks about online degrees or diplomas
  • SARE_FINCLOP = Talks about financial or internet opportunity.
  • SARE_MILLIONSOF = Millions of something.
  • SARE_MONEYTERMS = Talks about money in some way.
  • SARE_VALOFFR = Talks about valuable offers.
  • SARE_FASTAPPRV = Talks about quick approval
  • SARE_HOMELOAN = Home mortgage stuff
  • SARE_PRODUCT = Talks about product offerings.
  • SARE_NTWKMRKT = Network marketing, pyramid scheme.
  • SARE_BIZOP = Biz op could be legit, but often isn't.
  • SARE_UNQBIZ = Talks about unique business
  • SARE_DEGREETALK = Yaps about "legitimate" college degrees
  • SARE_SNAPSHUT = An open-and-shut case of Spam!
  • SARE_OBFUMONEY2 = masked spam word(s)
  • SARE_NONACCRED = Talks about a non-accredited something
  • SARE_COLLEGE_SCAM = Tries to sell you a "degree"
  • SARE_SNAPPYLOGOS = Get your free logos here! Only $49.95 each!!
  • SARE_RD_AOL = Has AOL Redirect URI
  • SARE_RD_YAHOO = Uses unsecure Yahoo redirect
  • SARE_RD_GOOGLE = Trying to hide real URL through Google redirect
  • SARE_RD_MSN = Uses msn token redirect service
  • SARE_RD_HOTBOT = Uses hotbot redirect script
  • SARE_RD_GEN_A = Generic redirect spam uri
  • SARE_RD_GEN_B = Generic redirect spam uri
  • SARE_RD_TO_BAD_TLD = Redirect to bad TLD
  • SARE_RD_FROM_IP = Redirect from IP address
  • SARE_RD_TO_IP = Redirect to IP address
  • SARE_URI_EQUALS = Trying to hide the real URL with IE parsing bug
  • SARE_HEXOCTDWORD = Uses an encoded IP address
  • SARE_RD_SAFE_MKSHRT = SAFE Uses MakeAShorterLink redirector
  • SARE_RD_SAFE_GT = SAFE Uses google translator
  • SARE_RD_SAFE_TINY = SAFE Uses tinyURL redirector
  • SARE_RD_SAFE = Uses a safe redirector
  • SARE_FRAUD_X3 = Matches 3+ phrases commonly used in fraud spam
  • SARE_FRAUD_X4 = Matches 4+ phrases commonly used in fraud spam
  • SARE_FRAUD_X5 = Matches 5+ phrases commonly used in fraud spam
  • SARE_FRAUD_X6 = Matches 6+ phrases commonly used in fraud spam
  • VIRUS_WARNING1 = Unhelpful 'virus warning' (1)
  • VIRUS_WARNING2 = Unhelpful NAI Webshield 'virus warning' (2)
  • VIRUS_WARNING3 = Unhelpful Mail Marshal 'virus warning' (3)
  • VIRUS_WARNING4 = Unhelpful 'virus warning' (4)
  • VIRUS_WARNING4A = Unhelpful MailSweeper 'virus warning' (4A)
  • VIRUS_WARNING5 = Unhelpful 'virus warning' (5)
  • VIRUS_WARNING6 = Unhelpful InterScan 'virus warning' (6)
  • VIRUS_WARNING7 = Unhelpful 'virus warning' (7)
  • VIRUS_WARNING8 = Unhelpful 'virus warning' (8)
  • VIRUS_WARNING10 = Unhelpful Netpilot VPN 'virus warning' (10)
  • VIRUS_WARNING11 = Unhelpful MDaemon 'virus warning' (11)
  • VIRUS_WARNING12 = Unhelpful F-Secure 'virus warning' (12)
  • VIRUS_WARNING13 = Unhelpful Exim system_filter 'virus warning'? (13)
  • VIRUS_WARNING14 = Looks like Exim system_filter 'virus warning' (14)
  • VIRUS_WARNING_EXIM = Unhelpful Exim system_filter 'virus warning'
  • VIRUS_WARNING15 = Unhelpful MailScanner 'virus warning' (15)
  • VIRUS_WARNING16 = Unhelpful ScanMail/Exch 'virus warning' (16)
  • VIRUS_WARNING17 = Unhelpful Cisco 'virus warning' (17)
  • VIRUS_WARNING18 = Unhelpful 'virus warning' (18)
  • VIRUS_WARNING19 = Unhelpful Norton AntiVirus 'virus warning' (19)
  • VIRUS_WARNING21 = Unhelpful Antigen 'virus warning' (21)
  • VIRUS_WARNING22 = Unhelpful Panda Antivirus 'virus warning' (22)
  • VIRUS_WARNING23 = Unhelpful Panda Antivirus 'virus warning'? (23)
  • VIRUS_WARNING24 = Unhelpful AOL 'virus warning' (24)
  • VIRUS_WARNING25 = Unhelpful Network Associates 'virus warning' (25)
  • VIRUS_WARNING26 = Unhelpful 'virus warning' (26)
  • VIRUS_WARNING27 = Unhelpful amavisd 'virus warning' (27)
  • VIRUS_WARNING28 = Unhelpful MailScanner 'virus warning' (28)
  • VIRUS_WARNING29 = Unhelpful Hungarian 'virus warning' (29)
  • VIRUS_WARNING30 = Unhelpful 'virus warning' (30)
  • VIRUS_WARNING31 = Unhelpful Declude Virus software warning (31)
  • VIRUS_WARNING32 = Unhelpful qmail-plugin virus warning (32)
  • VIRUS_WARNING33 = Unhelpful MailScanner virus warning (33)
  • VIRUS_WARNING34 = Unhelpful Symantec virus warning (34)
  • VIRUS_WARNING35 = Unhelpful BorderWare MXtreme virus warning (35)
  • VIRUS_WARNING36 = Unhelpful 'virus warning' (36)
  • VIRUS_WARNING37 = Unhelpful 'virus warning' (37)
  • VIRUS_WARNING39 = Unhelpful ScanMail 'virus warning' (39)
  • VIRUS_WARNING40 = Unhelpful 'virus warning' (40)
  • VIRUS_WARNING41 = Unhelpful 'virus warning' (41)
  • VIRUS_WARNING42 = Unhelpful RAV 'virus warning' (42)
  • VIRUS_WARNING44 = Unhelpful 'virus warning' (44)
  • VIRUS_WARNING45 = Unhelpful 'virus warning' (45)
  • VIRUS_WARNING46 = Unhelpful 'virus warning' (46)
  • VIRUS_WARNING47 = Unhelpful GroupShield/Exch 'virus warning' (47)
  • VIRUS_WARNING48 = Unhelpful McAfee 'virus warning' (48)
  • VIRUS_WARNING49 = Unhelpful 'virus warning' (49)
  • VIRUS_WARNING50 = Unhelpful 'virus warning' (50)
  • VIRUS_WARNING51 = Unhelpful 'virus warning' (51)
  • VIRUS_WARNING52 = Unhelpful 'virus warning' (52)
  • VIRUS_WARNING53 = Unhelpful 'virus warning' (53)
  • VIRUS_WARNING54 = Unhelpful 'virus warning' (54)
  • VIRUS_WARNING55 = Unhelpful SAV 'virus warning' (55)
  • VIRUS_WARNING56 = Unhelpful MailMarshal 'virus warning' (56)
  • VIRUS_WARNING57 = Unhelpful 'virus warning' (57)
  • VIRUS_WARNING58 = Unhelpful 'virus warning' (58)
  • VIRUS_WARNING59 = Unhelpful 'virus warning' (59)
  • VIRUS_WARNING60 = Unhelpful 'virus warning' (60)
  • VIRUS_WARNING61 = Unhelpful 'virus warning' (61)
  • VIRUS_WARNING62 = 'From' indicates unhelpful 'virus warning' (62)
  • VIRUS_WARNING62A = 'From' contains 'amavis'; 'virus warning'? (62A)
  • VIRUS_WARNING63 = 'From' strongly indicates 'virus warning' (63)
  • VIRUS_WARNING63A = 'From' strongly indicates 'virus warning' (63A)
  • VIRUS_WARNING63B = Unhelpful 'virus warning' (blacklisted) (63B)
  • VIRUS_WARNING65 = Unhelpful 'virus warning' (65)
  • VIRUS_WARNING66 = Unhelpful 'virus warning' (66)
  • VIRUS_WARNING67 = Unhelpful 'virus warning' (67)
  • VIRUS_WARNING68 = Unhelpful 'virus warning' (68)
  • VIRUS_WARNING70 = Unhelpful 'virus warning' (70)
  • VIRUS_WARNING71 = Unhelpful InterScan 'virus warning' (71)
  • VIRUS_WARNING72 = Unhelpful InterScan 'virus warning' (72)
  • VIRUS_WARNING73 = Unhelpful Mirapoint 'virus warning' (73)
  • VIRUS_WARNING74 = Unhelpful 'virus warning' (74)
  • VIRUS_WARNING75 = Unhelpful 'virus warning' (75)
  • VIRUS_WARNING76 = Unhelpful ScanMail 'virus warning' (76)
  • VIRUS_WARNING77 = Unhelpful 'virus warning' (77)
  • VIRUS_WARNING78 = Could be a bogus virus warning (78)
  • VIRUS_WARNING79 = Could be a bogus virus warning (79)
  • VIRUS_WARNING80 = Likely to be a bogus virus warning (80)
  • VIRUS_WARNING83 = Unhelpful ScanMail 'virus warning' (83)
  • VIRUS_WARNING87 = Unhelpful RAV 'virus warning' (87)
  • VIRUS_WARNING88 = Unhelpful McAfee 'virus warning' (88)
  • VIRUS_WARNING89 = Unhelpful 'virus warning' (89)
  • VIRUS_WARNING90 = Looks like unhelpful ScanMail 'virus warning' (90)
  • VIRUS_WARNING91 = Looks like unhelpful ScanMail 'virus warning' (91)
  • VIRUS_WARNING107 = Looks like an unhelpful 'virus warning' (107)
  • VIRUS_WARNING108 = Unhelpful WebShield 'virus warning' (108)
  • VIRUS_WARNING110 = Unhelpful MIMEsweeper 'virus warning'? (110)
  • VIRUS_WARNING111 = Unhelpful MIMEsweeper 'virus warning'? (111)
  • VIRUS_WARNING112 = Unhelpful Norton Antivirus 'virus warning' (112)
  • VIRUS_WARNING113 = Unhelpful Mydoom virus warning (113)
  • VIRUS_WARNING114 = Unhelpful RAV plugin 'virus warning' (114)
  • VIRUS_WARNING115 = Qmail bounce of unhelpful virus warning (115)
  • VIRUS_WARNING116 = Unhelpful Panda virus warning (116)
  • VIRUS_WARNING117 = Looks like MIMEDefang 'virus warning' (117)
  • VIRUS_WARNING117A = MIMEDefang modified message (117A)
  • VIRUS_WARNING117B = Unhelpful MIMEDefang 'virus warning' (117B)
  • VIRUS_WARNING_DEFANG = Unhelpful MIMEDefang 'virus warning'
  • VIRUS_WARNING118 = Unhelpful 'virus warning' (118)
  • VIRUS_WARNING119 = Unhelpful 'virus warning' (119)
  • VIRUS_WARNING120 = Unhelpful 'virus warning' (120)
  • VIRUS_WARNING121 = Unhelpful 'virus warning' (121)
  • VIRUS_WARNING122 = Unhelpful 'virus warning' (122)
  • VIRUS_WARNING123 = Unhelpful 'virus warning/ (123)
  • VIRUS_WARNING124 = Unhelpful Antigen 'virus warning' (124)
  • VIRUS_WARNING125 = Unhelpful 'virus warning' (125)
  • VIRUS_WARNING127 = Unhelpful Inflex 'virus warning' (127)
  • VIRUS_WARNING136 = Unhelpful amavisd-new 'virus warning' [DE] (136)
  • VIRUS_WARNING138 = Unhelpful WorldSecure 'virus warning' (138)
  • VIRUS_WARNING142 = Unhelpful 'virus warning'
  • VIRUS_WARNING143 = Unhelpful BorderWare 'virus warning' (143)
  • VIRUS_WARNING144 = Unhelpful BorderWare 'virus warning'? (144)
  • VIRUS_WARNING145 = Unhelpful MailScanner 'virus warning' (145)
  • VIRUS_WARNING146 = Unhelpful 'virus warning' - HBOS/Halifax? (146)
  • VIRUS_WARNING148 = Unhelpful 'virus warning'- HBOS plc/Halifax (148)
  • VIRUS_WARNING149 = Unhelpful 'virus warning' (149)
  • VIRUS_WARNING150 = Probably a virus bounce (club-internet.fr) (150)
  • VIRUS_WARNING151 = McAfee/CommuniGate Pro 'virus warning' (151)
  • VIRUS_WARNING152 = Unhelpful McAfee plugin 'virus warning' (152)
  • VIRUS_WARNING153 = Unhelpful McAfee plugin 'virus warning'? (153)
  • VIRUS_WARNING154 = Unhelpful 'virus warning' (154)
  • VIRUS_WARNING155 = Unhelpful 'virus warning' (155)
  • VIRUS_WARNING156 = Unhelpful SurfControl 'virus warning' (156)
  • VIRUS_WARNING157 = Unhelpful SurfControl 'virus warning' (157)
  • VIRUS_WARNING158 = Unhelpful Declude 'virus warning' (158)
  • VIRUS_WARNING159 = Unhelpful eSafe 'virus warning' (159)
  • VIRUS_WARNING160 = Unhelpful eSafe 'virus warning' (160)
  • VIRUS_WARNING161 = Unhelpful 'virus warning' (161)
  • VIRUS_WARNING162 = Looks like unhelpful 'virus warning' (162)
  • VIRUS_WARNING162A = Looks like unhelpful 'virus warning' (162A)
  • VIRUS_WARNING163 = Unhelpful 'virus warning'? (163)
  • VIRUS_WARNING164 = Unhelpful Viruswall 'virus warning' (164)
  • VIRUS_WARNING165 = Unhelpful Viruswall 'virus warning'? (165)
  • VIRUS_WARNING166 = Unhelpful Viruswall 'virus warning'? (166)
  • VIRUS_WARNING167 = Unhelpful NAV 'virus warning' (167)
  • VIRUS_WARNING168 = Unhelpful NAV 'virus warning' (168)
  • VIRUS_WARNING169 = Unhelpful NAV 'virus warning' (169)
  • VIRUS_WARNING170 = Unhelpful Webshield 'attachment warning' (170)
  • VIRUS_WARNING171 = Unhelpful Webshield 'attachment warning' (171)
  • VIRUS_WARNING172 = Unhelpful MailMonitor 'virus warning' (172)
  • VIRUS_WARNING173 = Unhelpful Firstnet AV 'virus warning' (173)
  • VIRUS_WARNING174 = Unhelpful qmail-scanner 'virus warning' (174)
  • VIRUS_WARNING175 = Unhelpful Panda Antivirus 'virus warning' (175)
  • VIRUS_WARNING176 = Unhelpful Panda Antivirus 'virus warning' (176)
  • VIRUS_WARNING177 = Unhelpful Symantec for Domino 'virus warning'(177)
  • VIRUS_WARNING178 = Unhelpful Eclipse Internet 'virus warning' (178)
  • VIRUS_WARNING179 = Could be a bogus 'virus warning' (179)
  • VIRUS_WARNING180 = Unhelpful Norton AV Gateway 'virus warning' (180)
  • VIRUS_WARNING181 = Unhelpful 'virus warning' (181)
  • VIRUS_WARNING182 = Unhelpful 'virus warning'? (182)
  • VIRUS_WARNING183 = Unhelpful 'virus warning' (WebShield?) (183)
  • VIRUS_WARNING184 = Unhelpful ArmourPlate 'virus warning' (184)
  • VIRUS_WARNING185 = Unhelpful ArmourPlate 'virus warning' spam (185)
  • VIRUS_WARNING186 = Unhelpful WebShield 'virus warning' (186)
  • VIRUS_WARNING187 = Unhelpful WebShield 'virus warning' (187)
  • VIRUS_WARNING188 = Looks like unhelpful 'virus warning' (188)
  • VIRUS_WARNING189 = Unhelpful 'virus warning' (189)
  • VIRUS_WARNING190 = Unhelpful 'virus warning' (190)
  • VIRUS_WARNING191 = Unhelpful Wharf T&T 'virus warning' (191)
  • VIRUS_WARNING192 = Unhelpful 'virus warning' (192)
  • VIRUS_WARNING193 = Looks like unhelpful 'virus warning' (193)
  • VIRUS_WARNING194 = Looks like unhelpful 'virus warning' (194)
  • VIRUS_WARNING195 = Could be unhelpful 'virus warning' (195)
  • VIRUS_WARNING196 = Unhelpful 'virus warning' (196)
  • VIRUS_WARNING197 = Unhelpful 'virus warning' (197)
  • VIRUS_WARNING198 = Unhelpful qmail-scanner 'virus warning' (198)
  • VIRUS_WARNING199 = Unhelpful qmail-scanner 'virus warning' (199)
  • VIRUS_WARNING200 = Unhelpful 'virus warning' (200)
  • VIRUS_WARNING201 = Unhelpful 'virus warning' (201)
  • VIRUS_WARNING201A = Unhelpful 'virus warning' (201A)
  • VIRUS_WARNING202 = Unhelpful 'virus warning' (202)
  • VIRUS_WARNING203 = Unhelpful 'virus warning' (203)
  • VIRUS_WARNING203A = Unhelpful 'virus warning' (203A)
  • VIRUS_WARNING204 = Unhelpful 'virus warning' (204)
  • VIRUS_WARNING205 = Unhelpful 'virus warning' (205)
  • VIRUS_WARNING206 = Unhelpful 'virus warning' (206)
  • VIRUS_WARNING207 = Unhelpful RAV 'virus warning' (207)
  • VIRUS_WARNING208 = Unhelpful Kerio Mailserver 'virus warning' (208)
  • VIRUS_WARNING209 = Unhelpful Kerio Mailserver 'virus warning' (209)
  • VIRUS_WARNING210 = Unhelpful 'virus warning' (210)
  • VIRUS_WARNING211 = Unhelpful IcoMailServer 'virus warning' (211)
  • VIRUS_WARNING212 = Unhelpful IcoMailServer 'virus warning' (212)
  • VIRUS_WARNING213 = Unhelpful 'virus warning'
  • VIRUS_WARNING214 = Unhelpful NAVMSE 'virus warning' (214)
  • VIRUS_WARNING215 = Unhelpful NAV 'virus warning' (215)
  • VIRUS_WARNING216 = Unhelpful NAV 'virus warning' (216)
  • VIRUS_WARNING217 = Unhelpful NAV 'virus warning' (217)
  • VIRUS_WARNING218 = Unhelpful GroupShield 'virus warning'? (218)
  • VIRUS_WARNING218B = Definitely GroupShield 'virus warning' (218B)
  • VIRUS_WARNING219 = Unhelpful 'virus warning' (219)
  • VIRUS_WARNING220 = Unhelpful Kaspersky 'virus warning' (220)
  • VIRUS_WARNING221 = Could be unhelpful Kaspersky 'virus warning' (221)
  • VIRUS_WARNING222 = Could be unhelpful NAI 'virus warning' (222)
  • VIRUS_WARNING223 = Unhelpful eManager 'virus warning' (223)
  • VIRUS_WARNING224 = Unhelpful eManager 'virus warning'? (224)
  • VIRUS_WARNING225 = Unhelpful MAILsweeper 'virus warning' (225)
  • VIRUS_WARNING226 = Unhelpful MailScanner 'virus warning' (226)
  • VIRUS_WARNING227 = Unhelpful BT 'virus warning' (227)
  • VIRUS_WARNING228 = Unhelpful 'virus warning' (228)
  • VIRUS_WARNING229 = Unhelpful 'virus warning' (229)
  • VIRUS_WARNING229A = Don't double-count 228/229
  • VIRUS_WARNING230 = Unhelpful Dr. Web 'virus warning' (230)
  • VIRUS_WARNING231 = Looks like Dr. Web notification (231)
  • VIRUS_WARNING232 = Unhelpful 'virus warning' (232)
  • VIRUS_WARNING233 = Looks like unhelpful 'virus warning' (233)
  • VIRUS_WARNING234 = Looks like unhelpful 'virus warning' (234)
  • VIRUS_WARNING235 = Could be unhelpful 'virus warning' (235)
  • VIRUS_WARNING236 = Unhelpful 'virus warning' (236)
  • VIRUS_WARNING237 = Unhelpful BitDefender 'virus warning' (237)
  • VIRUS_WARNING238 = Unhelpful 'virus warning' (238)
  • VIRUS_WARNING239 = Unhelpful 'virus warning' (239)
  • VIRUS_WARNING240 = Unhelpful 'virus warning' (240)
  • VIRUS_WARNING241 = Unhelpful Interscan 'virus warning'? (241)
  • VIRUS_WARNING242 = Unhelpful ScanMail 'virus warning' (242)
  • VIRUS_WARNING243 = Unhelpful ScanMail 'virus warning' (243)
  • VIRUS_WARNING244 = Could be an unhelpful 'virus warning' (244)
  • VIRUS_WARNING245 = Unhelpful 'virus warning' (245)
  • VIRUS_WARNING246 = Unhelpful 'virus warning' (246)
  • VIRUS_WARNING247 = Unhelpful 'virus warning' (247)
  • VIRUS_WARNING248 = Unhelpful 'virus warning' (248)
  • VIRUS_WARNING249 = Unhelpful 'virus warning' (249)
  • VIRUS_WARNING250 = Some kind of MailScanner notification? (250)
  • VIRUS_WARNING251 = Unhelpful GroupShield/Exch 'virus warning' (251)
  • VIRUS_WARNING252 = Unhelpful GroupShield/Exch 'virus warning' (252)
  • VIRUS_WARNING253 = Asks you to check for viruses (253)
  • VIRUS_WARNING254 = Unhelpful 'virus warning' (254)
  • VIRUS_WARNING255 = Looks like unhelpful 'virus warning' (255)
  • VIRUS_WARNING256 = Could be unhelpful 'virus warning' (256)
  • VIRUS_WARNING257 = Unhelpful 'virus warning' (257)
  • VIRUS_WARNING258 = Unhelpful 'virus warning' (258)
  • VIRUS_WARNING259 = Unhelpful MailMarshal 'virus warning' (259)
  • VIRUS_WARNING260 = Unhelpful ScanMail/Exch 'virus warning' (260)
  • VIRUS_WARNING261 = Unhelpful 'virus warning' (261)
  • VIRUS_WARNING262 = Unhelpful 'virus warning'? (262)
  • VIRUS_WARNING263 = Unhelpful 'virus warning' (263)
  • VIRUS_WARNING264 = Unhelpful 'virus warning' (264)
  • VIRUS_WARNING265 = Unhelpful AOL bounce fake aol.com HELO (265)
  • VIRUS_WARNING265A = Looks like unhelpful AOL virus bounce (265A)
  • VIRUS_WARNING265B = AOL accept faked aol.com HELO (no PTR) (265B)
  • VIRUS_WARNING266 = Unhelpful Telenor 'virus warning' (266)
  • VIRUS_WARNING267 = Unhelpful Via Networks 'virus warning' (267)
  • VIRUS_WARNING268E = Looks like an unhelpful 'virus warning' (268E)
  • VIRUS_WARNING268H = Could be unhelpful 'virus warning' (268H)
  • VIRUS_WARNING269 = Unhelpful 'virus warning' (269)
  • VIRUS_WARNING270 = Unhelpful 'virus warning' (270)
  • VIRUS_WARNING271 = Unhelpful 'virus warning' (271)
  • VIRUS_WARNING272 = Unhelpful 'virus warning' (272)
  • VIRUS_WARNING273 = Unhelpful MailMonitor/Exch 'virus warning' (273)
  • VIRUS_WARNING274 = Unhelpful MIMEsweeper 'virus warning' (274)
  • VIRUS_WARNING275 = Unhelpful (MIMESweeper?) 'virus warning'? (275)
  • VIRUS_WARNING276 = Unhelpful MIMEsweeper 'virus warning'? (276)
  • VIRUS_WARNING277 = Unhelpful (MIMESweeper?) 'virus warning'? (277)
  • VIRUS_WARNING278 = Unhelpful Sophos/MIMEswp 'virus warning'? (277)
  • VIRUS_WARNING279 = Unhelpful 'virus warning' (279)
  • VIRUS_WARNING280 = Unhelpful eTrust/Domino 'virus warning' (280)
  • VIRUS_WARNING281 = Unhelpful 'virus warning' (281)
  • VIRUS_WARNING282 = Unhelpful 'virus warning' (282)
  • VIRUS_WARNING283 = Unhelpful Symantec 'virus warning' (283)
  • VIRUS_WARNING284 = Unhelpful 'virus warning' (284)
  • VIRUS_WARNING285 = Unhelpful 'virus warning' (285)
  • VIRUS_WARNING286 = Unhelpful 'virus warning' (286)
  • VIRUS_WARNING287 = Unhelpful 'virus warning' (287)
  • VIRUS_WARNING288 = Looks like unhelpful 'virus warning' (288)
  • VIRUS_WARNING289 = Unhelpful 'virus warning' (289)
  • VIRUS_WARNING290 = Unhelpful MailScan 'virus warning' (290)
  • VIRUS_WARNING291 = Unhelpful MailScan 'virus warning' (291)
  • VIRUS_WARNING292 = Unhelpful InterScan 'virus warning' (292)
  • VIRUS_WARNING293 = Unhelpful MAILsweeper 'virus warning' (293)
  • VIRUS_WARNING294 = Unhelpful SonicWALL 'virus warning' (294)
  • VIRUS_WARNING295 = Unhelpful 'virus warning' (295)
  • VIRUS_WARNING296 = Unhelpful 'virus warning' (296)
  • VIRUS_WARNING297 = Unhelpful 'virus warning' (297)
  • VIRUS_WARNING298 = Unhelpful Magic OnLine 'virus warning' (296)
  • VIRUS_WARNING299 = Unhelpful Norton Antivirus 'virus warning' (299)
  • VIRUS_WARNING300 = Unhelpful MailScanner 'virus warning' (300)
  • VIRUS_WARNING301 = Unhelpful GateLock 'virus warning' (301)
  • VIRUS_WARNING302 = Unhelpful Watchdog 'virus warning' (302)
  • VIRUS_WARNING303 = Unhelpful StormMail 'virus warning' (303)
  • VIRUS_WARNING304 = Unhelpful StormMail 'virus warning'? (304)
  • VIRUS_WARNING305 = Unhelpful 'virus warning' (305)
  • VIRUS_WARNING306 = Unhelpful 'virus warning' (306)
  • VIRUS_WARNING307 = Unhelpful 'virus warning' (307)
  • VIRUS_WARNING308 = Unhelpful Avast/Exch 'virus warning' (308)
  • VIRUS_WARNING309 = Unhelpful Avast/Exch 'virus warning' (309)
  • VIRUS_WARNING310 = Unhelpful 'virus warning' (310)
  • VIRUS_WARNING311 = Unhelpful 'virus warning' (311)
  • VIRUS_WARNING312 = Unhelpful Novell GroupWise 'virus warning' (312)
  • VIRUS_WARNING313 = Unhelpful eManager 'virus warning' (313)
  • VIRUS_WARNING314 = Unhelpful Kingsoft 'virus warning' (314)
  • VIRUS_WARNING315 = Could be an unhelpful 'virus warning' (315)
  • VIRUS_WARNING316 = Unhelpful 'virus warning' (316)
  • VIRUS_WARNING317 = Unhelpful 'virus warning' (317)
  • VIRUS_WARNING318 = Unhelpful 'virus warning' (318)
  • VIRUS_WARNING319 = Unhelpful 'virus warning' (319)
  • VIRUS_WARNING320 = Unhelpful TBS Virus Scan 'virus warning' (320)
  • VIRUS_WARNING321 = Unhelpful TBS Virus Scan 'virus warning' (321)
  • VIRUS_WARNING322A = Looks like unhelpful XWall 'virus warning' (322A)
  • VIRUS_WARNING322 = Unhelpful XWall 'virus warning' (322)
  • VIRUS_WARNING323 = Unhelpful 'virus warning' (323)
  • VIRUS_WARNING324 = Unhelpful 'virus warning' (324)
  • VIRUS_WARNING325 = Unhelpful 'virus warning' (325)
  • VIRUS_WARNING326 = Unhelpful MailScanner 'virus warning'? (326)
  • VIRUS_WARNING327 = Unhelpful MIMEDefang 'virus warning' (327)
  • VIRUS_WARNING328 = Unhelpful 'virus warning' (328)
  • VIRUS_WARNING329 = Unhelpful 'virus warning' (329)
  • VIRUS_WARNING330 = Unhelpful 'virus warning' (330)
  • VIRUS_WARNING331 = Unhelpful 'virus warning' (331)
  • VIRUS_WARNING332 = Unhelpful 'virus warning' (332)
  • VIRUS_WARNING333 = Unhelpful 'virus warning' (333)
  • VIRUS_WARNING334 = Unhelpful 'virus warning' (334)
  • VIRUS_WARNING335 = Unhelpful 'virus warning' (335)
  • VIRUS_WARNING336 = Could be unhelpful KAV 'virus warning' (336)
  • VIRUS_WARNING337 = Unhelpful Guinevere AV 'virus warning' (337)
  • VIRUS_WARNING338 = Unhelpful 'virus warning' (338)
  • VIRUS_WARNING339 = Unhelpful MailScanner 'virus warning' (339)
  • VIRUS_WARNING340 = Unhelpful MailScanner 'virus warning' (340)
  • VIRUS_WARNING341 = Unhelpful eTrust 'virus warning' (341)
  • VIRUS_WARNING342 = Unhelpful 'virus warning' (342)
  • VIRUS_WARNING343 = Unhelpful InterScan 'virus warning' (343)
  • VIRUS_WARNING344 = Unhelpful 'virus warning' (344)
  • VIRUS_WARNING345 = Unhelpful Guinevere 'virus warning' (345)
  • VIRUS_WARNING345A = Uhelpful Guinevere 'virus warning'? (345A)
  • VIRUS_WARNING345B = Unhelpful Guinevere 'virus warning' (345B)
  • VIRUS_WARNING346 = Unhelpful Guinevere 'virus warning' (346)
  • VIRUS_WARNING347 = Unhelpful KAV 'virus warning' (347)
  • VIRUS_WARNING348 = Unhelpful KAV 'virus warning'? (348)
  • VIRUS_WARNING349 = Unhelpful Panda Antivirus 'virus warning' (349)
  • VIRUS_WARNING350 = Unhelpful Panda Antivirus 'virus warning' (350)
  • VIRUS_WARNING351 = Unhelpful 'virus warning' (351)
  • VIRUS_WARNING352 = Unhelpful 'virus warning' (352)
  • VIRUS_WARNING353 = Unhelpful 'virus warning' (353)
  • VIRUS_WARNING354 = Unhelpful 'virus warning' (354)
  • VIRUS_WARNING355 = Unhelpful Lotus Notes 'virus warning' (355)
  • VIRUS_WARNING356 = Unhelpful 'virus warning' (356)
  • VIRUS_WARNING357 = Unhelpful 'virus warning' (357)
  • VIRUS_WARNING358 = Unhelpful 'virus warning' (358)
  • VIRUS_WARNING359 = Unhelpful 'virus warning' (359)
  • VIRUS_WARNING360 = Unhelpful 'virus warning' (360)
  • VIRUS_WARNING361 = Unhelpful 'virus warning' (361)
  • VIRUS_WARNING362 = Unhelpful 'virus warning' (361)
  • VIRUS_WARNING363 = Unhelpful AVAS 'virus warning' (363)
  • VIRUS_WARNING365 = Unhelpful 'virus warning' (365)
  • VIRUS_WARNING366 = Unhelpful 'virus warning' (366)
  • VIRUS_WARNING367 = Unhelpful 'virus warning' (367)
  • VIRUS_WARNING368 = Unhelpful 'virus warning' (368)
  • VIRUS_WARNING369 = Unhelpful 'virus warning' (369)
  • VIRUS_WARNING370 = Unhelpful ProScan 'virus warning' (370)
  • VIRUS_WARNING371 = Unhelpful 'virus warning' (371)
  • VIRUS_WARNING372 = Unhelpful 'virus warning' (372)
  • VIRUS_WARNING373 = Unhelpful 'virus warning' (373)
  • VIRUS_WARNING374 = Unhelpful 'virus warning' (374)
  • VIRUS_WARNING375 = Unhelpful 'virus warning' (375)
  • VIRUS_WARNING376 = Unhelpful 'virus warning' (376)
  • VIRUS_WARNING377 = Unhelpful 'virus warning' (377)
  • VIRUS_WARNING378 = Unhelpful 'virus warning' (378)
  • VIRUS_WARNING379 = Could be unhelpful 'virus warning' (379)
  • VIRUS_WARNING380 = Unhelpful 'virus warning' (380)
  • VIRUS_WARNING381 = Unhelpful 'virus warning' (381)
  • VIRUS_WARNING382 = Unhelpful HMV 'virus warning' (382)
  • VIRUS_WARNING383 = Unhelpful 'virus warning' (383)
  • VIRUS_WARNING384 = Unhelpful 'virus warning' (384)
  • VIRUS_WARNING385 = Unhelpful 'virus warning' (385)
  • VIRUS_WARNING386 = Unhelpful Mirapoint 'virus warning' (386)
  • VIRUS_WARNING387 = Unhelpful 'virus warning' (387)
  • VIRUS_WARNING388 = Unhelpful 'virus warning' (388)
  • VIRUS_WARNING389 = Unhelpful 'virus warning' (389)
  • VIRUS_WARNING390 = Unhelpful 'virus warning' (390)
  • VIRUS_WARNING391 = Unhelpful OdeiaVir 'virus warning' (391)
  • VIRUS_WARNING392 = Unhelpful 'virus warning' (392)
  • VIRUS_WARNING393 = Unhelpful 'virus warning' (393)
  • VIRUS_WARNING394 = Unhelpful 'virus warning' (394)
  • VIRUS_WARNING395 = MailMarshal bogus 'virus warning'? (395)
  • VIRUS_WARNING396 = Unhelpful McAfee 'virus warning' (396)
  • VIRUS_WARNING397 = Unhelpful 'virus warning' (397)
  • VIRUS_WARNING398 = Unhelpful 'virus warning' (398)
  • VIRUS_WARNING399 = Unhelpful 'virus warning' (399)
  • VIRUS_WARNING400 = Looks like unhelpful 'virus warning' (400)
  • VIRUS_WARNING401 = Unhelpful 'virus warning' (401)
  • VIRUS_WARNING402A = Looks like unhelpful 'virus warning' (402A)
  • VIRUS_WARNING402B = Looks like unhelpful 'virus warning' (402B)
  • VIRUS_WARNING402C = Looks a lot like unhelpful 'virus warning' (402C)
  • VIRUS_WARNING403 = Unhelpful 'virus warning' (403)
  • VIRUS_WARNING404 = Unhelpful 'virus warning' (404)
  • VIRUS_WARNING405 = Unhelpful WinProxy 'virus warning' (405)
  • VIRUS_WARNING406 = Unhelpful NOD32 'virus warning' (406)
  • VIRUS_WARNING407 = Unhelpful NOD32 'virus warning' (407)
  • VIRUS_WARNING408 = Unhelpful 'virus warning' (408)
  • VIRUS_WARNING409 = Unhelpful MDaemon 'virus warning' (409)
  • VIRUS_WARNING410 = Unhelpful MDaemon 'virus warning' (410)
  • VIRUS_WARNING411 = Unhelpful 'virus warning' (411)
  • VIRUS_WARNING412 = Unhelpful 'virus warning' (412)
  • VIRUS_WARNING413 = Unhelpful InterScan 'virus warning' (413)
  • VIRUS_WARNING414 = Unhelpful 'virus warning' (414)
  • VIRUS_WARNING415 = Unhelpful 'virus warning'? (415)
  • VIRUS_WARNING416 = Unhelpful 'virus warning' (416)
  • VIRUS_WARNING417 = Unhelpful 'virus warning'? (417)
  • VIRUS_WARNING418 = Unhelpful 'virus warning' (418)
  • VIRUS_WARNING419 = Unhelpful 'virus warning' (419)
  • VIRUS_WARNING420 = Unhelpful 'virus warning' (420)
  • VIRUS_WARNING421 = Unhelpful 'virus warning' (421)
  • VIRUS_WARNING422 = Unhelpful 'virus warning'? (422)
  • VIRUS_WARNING423 = Unhelpful 'virus warning'? (423)
  • VIRUS_WARNING424 = Unhelpful 'virus warning' (424)
  • VIRUS_WARNING425 = Unhelpful 'virus warning' (425)
  • VIRUS_WARNING426 = Unhelpful 'virus warning' (426)
  • VIRUS_WARNING427 = Unhelpful 'virus warning' (427)
  • VIRUS_WARNING428 = Unhelpful InteProtectNow! 'virus warning' (428)
  • VIRUS_WARNING429 = Unhelpful 'virus warning' (429)
  • VIRUS_WARNING430 = Unhelpful Iflex 'virus warning' (430)
  • VIRUS_WARNING431 = Unhelpful Norton 'virus warning' (431)
  • VIRUS_WARNING432 = Unhelpful Symantec 'virus warning' (432)
  • VIRUS_WARNING433 = Unhelpful 'virus warning'? (433)
  • VIRUS_WARNING434 = Unhelpful 'virus warning' (434)
  • VIRUS_WARNING435 = Unhelpful 'virus warning' (435)
  • VIRUS_WARNING436 = Unhelpful AntiVir MailGate 'virus warning' (436)
  • VIRUS_WARNING436a = Unhelpful 'virus warning' (436)
  • VIRUS_WARNING437 = Unhelpful Symantec 'virus warning' (437)
  • VIRUS_WARNING438 = Unhelpful 'virus warning' (438)
  • VIRUS_WARNING439 = Unhelpful Trend 'virus warning' (439)
  • VIRUS_WARNING440 = Unhelpful 'virus warning' (440)
  • VIRUS_WARNING441 = Unhelpful 'virus warning' (441)
  • VIRUS_WARNING442 = Unhelpful 'virus warning' (442)
  • VIRUS_WARNING443 = Unhelpful 'virus warning' (443)
  • VIRUS_WARNING444 = Unhelpful 'virus warning' (444)
  • VIRUS_WARNING445 = Unhelpful Norton 'virus warning' (445)
  • VIRUS_WARNING446 = Unhelpful 'virus warning' (446)
  • VIRUS_WARNING447 = Unhelpful Guinevere 'virus warning' (447)
  • VIRUS_WARNING448 = Unhelpful 'virus warning' (448)
  • VIRUS_WARNING449 = Unhelpful 'virus warning'? (449)
  • VIRUS_WARNING450 = Unhelpful 'virus warning' (450)
  • VIRUS_WARNING451 = Unhelpful 'virus warning'? (451)
  • VIRUS_WARNING452 = Unhelpful 'virus warning'? (452)
  • VIRUS_WARNING453 = Unhelpful virus warning (453)
  • VIRUS_WARNING454 = Unhelpful virus warning (454)
  • VIRUS_WARNING455 = Unhelpful virus warning (455)
  • VIRUS_WARNING456 = Unhelpful virus warning (456)
  • VIRUS_WARNING457 = Unhelpful virus warning (457)
  • VIRUS_WARNING458 = Unhelpful virus warning? (458)
  • VIRUS_WARNING459 = Unhelpful virus warning (459)
  • VIRUS_WARNING460 = Unhelpful virus warning (460)
  • VIRUS_WARNING461 = Unhelpful virus warning (461)
  • VIRUS_WARNING462 = Unhelpful virus warning (462)
  • VIRUS_WARNING463 = Unhelpful virus warning? (463)
  • VIRUS_WARNING464 = Unhelpful virus warning (464)
  • VIRUS_WARNING465 = Unhelpful virus warning (465)
  • VIRUS_WARNING466 = Unhelpful eScan virus warning (466)
  • VIRUS_WARNING467 = Unhelpful Panda virus warning (467)
  • VIRUS_WARNING468 = Unhelpful Juno virus warning (468)
  • VIRUS_WARNING469 = Unhelpful virus warning (468)
  • VIRUS_WARNING_EXE1 = Message appears to contain a Windows executable
  • VIRUS_WARNING_EXE2 = Message contains a UUencoded Windows executable
  • VIRUS_WARNING_SOBER = Looks like Sober virus or bounce thereof
  • VIRUS_WARNING_XXX1 = Unidentified virus or bounce thereof (2)
  • VIRUS_WARNING_NOVARG1 = Looks like Novarg virus
  • VIRUS_WARNING_NOVARG2 = Looks like Novarg virus bounce
  • VIRUS_WARNING_BAGLE1 = Could be a Bagle.B bounce
  • VIRUS_WARNING_BAGLE2 = Could be a Bagle.B bounce
  • VIRUS_WARNING_BAGLE3 = Looks like Bagle.Q/R virus/bounce
  • VIRUS_WARNING_NETSKY4 = Netsky virus bounce (subject matched)
  • VIRUS_WARNING_NETSKY4 = Looks like Netsky bounce (body attached password)
  • VIRUS_WARNING_NETSKY5A = Looks like Netsky/P bounce (5A)
  • VIRUS_WARNING_NETSKY5B = Looks like Netsky/P bounce (5B)
  • VIRUS_WARNING_NETSKY5 = Looks like Netsky/P bounce (5)
  • VIRUS_WARNING_MYDOOM1 = Body contains Mydoom text
  • VIRUS_WARNING_MYDOOM2 = Body contains Mydoom text
  • VIRUS_WARNING_MYDOOM3 = Body contains Mydoom text
  • TJ_EMPTY_SUBJECT = Empty subject. Could be a MyDoom bounce.
  • VIRUS_WARNING_MYDOOM5 = Body contains possible Mydoom attachment
  • VIRUS_WARNING_DOOM_BNC = Looks like a Mydoom bounce
  • VIRUS_CLEANED_SOBIG_F1 = Failed/cleaned Sobig/F infection? (1)
  • VIRUS_CLEANED_SOBIG_F2 = Failed/cleaned Sobig/F infection? (2)
  • VIRUS_CLEANED_1 = Failed/cleaned Sobig/F or Netsky/K infection? (1)
  • OLPD48H_Stockv3 = Talks rubbish stocks
  • BODY_BAD_WORDS = Impolite Words in Body
  • BODY_BAD_WORDS2 = Impolite TWO Words in Body
  • BODY_BAD_WORDS3 = Impolite THREE Words in Body
  • GERSP1 = Possible Stock Spam1
  • GERSP2 = Possible Stock Spam2
  • GERSP3 = Possible Stock Spam3
  • GERSP4 = Possible Stock Spam4
  • GERSP5 = Possible Stock Spam5
  • GERSPAM = New German Stock Example
  • WORK_HOME = People work at home
  • OLPD48H_Stockv3 = Talks rubbish stocks
  • BODY_BAD_WORDS = Impolite Words in Body
  • BODY_BAD_WORDS2 = Impolite TWO Words in Body
  • BODY_BAD_WORDS3 = Impolite THREE Words in Body
  • GERSP1 = Possible Stock Spam1
  • GERSP2 = Possible Stock Spam2
  • GERSP3 = Possible Stock Spam3
  • GERSP4 = Possible Stock Spam4
  • GERSP5 = Possible Stock Spam5
  • GERSPAM = New German Stock Example
  • WORK_HOME = People work at home
  • SOBER_P_SPAM = Spam from the Sober.P virus
  • FRANCHISE_JERRY = Jerry's Franchise Application or Request
  • SOMETLD_ARE_BAD_TLD = .PW & .LINK TLD Abuse
  • JMQ_REALESTATE = Real estate spam
  • JMQ_IPINFROM = Spam with IP in the from address
  • JMQ_PAYPAL2 = PayPal spam of the day
  • JMQ_RESUME3 = Yet more resume spam
  • JMQ_SPF_NEUTRAL_ALL = SPF set to ?all!
  • JMQ_IMPORTANT = Spam that thinks it is important
  • JMQ_TRACKER = Message uses image-based tracker
  • JMQ_WIRE = Attempt to steal money via wire transfer
  • JMQ_HEARINGLOSS = Spam for hearing loss solutions
  • JMQ_TRACKR = Spam for TrackR
  • JMQ_CONGRAT = Open attachment to claim your free spam
  • JMQ_PICKUP = spam that wants your number
  • JMQ_DROPBOX = Spam from what appears to be compromised dropbox accounts
  • JMQ_RESUME = Spam for bad attached resumes

Tripwire Rules

  • TW_AJ = Odd Letter Triples with AJ
  • TW_AQ = Odd Letter Triples with AQ
  • TW_AV = Odd Letter Triples with AV
  • TW_AZ = Odd Letter Triples with AZ
  • TW_BD = Odd Letter Triples with BD
  • TW_BF = Odd Letter Triples with BF
  • TW_BG = Odd Letter Triples with BG
  • TW_BH = Odd Letter Triples with BH
  • TW_BJ = Odd Letter Triples with BJ
  • TW_BK = Odd Letter Triples with BK
  • TW_BL = Odd Letter Triples with BL
  • TW_BM = Odd Letter Triples with BM
  • TW_BN = Odd Letter Triples with BN
  • TW_BP = Odd Letter Triples with BP
  • TW_BQ = Odd Letter Triples with BQ
  • TW_BT = Odd Letter Triples with BT
  • TW_BV = Odd Letter Triples with BV
  • TW_BW = Odd Letter Triples with BW
  • TW_BX = Odd Letter Triples with BX
  • TW_BZ = Odd Letter Triples with BZ
  • TW_CB = Odd Letter Triples with CB
  • TW_CC = Odd Letter Triples with CC
  • TW_CD = Odd Letter Triples with CD
  • TW_CF = Odd Letter Triples with CF
  • TW_CG = Odd Letter Triples with CG
  • TW_CL = Odd Letter Triples with CL
  • TW_CM = Odd Letter Triples with CM
  • TW_CN = Odd Letter Triples with CN
  • TW_CP = Odd Letter Triples with CP
  • TW_CQ = Odd Letter Triples with CQ
  • TW_CR = Odd Letter Triples with CR
  • TW_CS = Odd Letter Triples with CS
  • TW_CV = Odd Letter Triples with CV
  • TW_CX = Odd Letter Triples with CX
  • TW_CY = Odd Letter Triples with CY
  • TW_CZ = Odd Letter Triples with CZ
  • TW_DB = Odd Letter Triples with DB
  • TW_DC = Odd Letter Triples with DC
  • TW_DD = Odd Letter Triples with DD
  • TW_DF = Odd Letter Triples with DF
  • TW_DG = Odd Letter Triples with DG
  • TW_DH = Odd Letter Triples with DH
  • TW_DJ = Odd Letter Triples with DJ
  • TW_DK = Odd Letter Triples with DK
  • TW_DL = Odd Letter Triples with DL
  • TW_DM = Odd Letter Triples with DM
  • TW_DN = Odd Letter Triples with DN
  • TW_DP = Odd Letter Triples with DP
  • TW_DQ = Odd Letter Triples with DQ
  • TW_DR = Odd Letter Triples with DR
  • TW_DT = Odd Letter Triples with DT
  • TW_DV = Odd Letter Triples with DV
  • TW_DW = Odd Letter Triples with DW
  • TW_DX = Odd Letter Triples with DX
  • TW_DY = Odd Letter Triples with DY
  • TW_DZ = Odd Letter Triples with DX
  • TW_EB = Odd Letter Triples with EB
  • TW_EG = Odd Letter Triples with EG
  • TW_EH = Odd Letter Triples with EH
  • TW_EJ = Odd Letter Triples with EJ
  • TW_EK = Odd Letter Triples with EK
  • TW_EP = Odd Letter Triples with EP
  • TW_EQ = Odd Letter Triples with EQ
  • TW_EV = Odd Letter Triples with EV
  • TW_FC = Odd Letter Triples with FC
  • TW_FD = Odd Letter Triples with FD
  • TW_FG = Odd Letter Triples with FG
  • TW_FH = Odd Letter Triples with FH
  • TW_FJ = Odd Letter Triples with FJ
  • TW_FK = Odd Letter Triples with FK
  • TW_FL = Odd Letter Triples with FL
  • TW_FM = Odd Letter Triples with FM
  • TW_FN = Odd Letter Triples with FN
  • TW_FP = Odd Letter Triples with FP
  • TW_FQ = Odd Letter Triples with FQ
  • TW_FR = Odd Letter Triples with FR
  • TW_FS = Odd Letter Triples with FS
  • TW_FT = Odd Letter Triples with FT
  • TW_FV = Odd Letter Triples with FV
  • TW_FW = Odd Letter Triples with FW
  • TW_FX = Odd Letter Triples with FX
  • TW_FY = Odd Letter Triples with FY
  • TW_FZ = Odd Letter Triples with FZ
  • TW_GB = Odd Letter Triples with GB
  • TW_GC = Odd Letter Triples with GC
  • TW_GD = Odd Letter Triples with GD
  • TW_GF = Odd Letter Triples with GF
  • TW_GG = Odd Letter Triples with GG
  • TW_GJ = Odd Letter Triples with GJ
  • TW_GK = Odd Letter Triples with GK
  • TW_GL = Odd Letter Triples with GL
  • TW_GM = Odd Letter Triples with GM
  • TW_GN = Odd Letter Triples with GN
  • TW_GP = Odd Letter Triples with GP
  • TW_GQ = Odd Letter Triples with GQ
  • TW_GR = Odd Letter Triples with GR
  • TW_GT = Odd Letter Triples with GT
  • TW_GU = Odd Letter Triples with GU
  • TW_GV = Odd Letter Triples with GV
  • TW_GW = Odd Letter Triples with GW
  • TW_GX = Odd Letter Triples with GX
  • TW_GY = Odd Letter Triples with GY
  • TW_GZ = Odd Letter Triples with GZ
  • TW_HB = Odd Letter Triples with HB
  • TW_HC = Odd Letter Triples with HC
  • TW_HD = Odd Letter Triples with HD
  • TW_HF = Odd Letter Triples with HF
  • TW_HG = Odd Letter Triples with HG
  • TW_HH = Odd Letter Triples with HH
  • TW_HJ = Odd Letter Triples with HJ
  • TW_HK = Odd Letter Triples with HK
  • TW_HL = Odd Letter Triples with HL
  • TW_HM = Odd Letter Triples with HM
  • TW_HN = Odd Letter Triples with HN
  • TW_HP = Odd Letter Triples with HP
  • TW_HQ = Odd Letter Triples with HQ
  • TW_HR = Odd Letter Triples with HR
  • TW_HS = Odd Letter Triples with HS
  • TW_HV = Odd Letter Triples with HV
  • TW_HW = Odd Letter Triples with HW
  • TW_HX = Odd Letter Triples with HX
  • TW_HZ = Odd Letter Triples with HZ
  • TW_IB = Odd Letter Triples with IB
  • TW_IF = Odd Letter Triples with IF
  • TW_IH = Odd Letter Triples with IH
  • TW_II = Odd Letter Triples with II
  • TW_IJ = Odd Letter Triples with IJ
  • TW_IK = Odd Letter Triples with IK
  • TW_IQ = Odd Letter Triples with IQ
  • TW_IU = Odd Letter Triples with IU
  • TW_IV = Odd Letter Triples with IV
  • TW_IW = Odd Letter Triples with IW
  • TW_IX = Odd Letter Triples with IX
  • TW_IY = Odd Letter Triples with IY
  • TW_JB = Odd Letter Triples with JB
  • TW_JC = Odd Letter Triples with JC
  • TW_JD = Odd Letter Triples with JD
  • TW_JF = Odd Letter Triples with JF
  • TW_JG = Odd Letter Triples with JG
  • TW_JH = Odd Letter Triples with JH
  • TW_JJ = Odd Letter Triples with JJ
  • TW_JK = Odd Letter Triples with JK
  • TW_JL = Odd Letter Triples with JL
  • TW_JM = Odd Letter Triples with JM
  • TW_JN = Odd Letter Triples with JN
  • TW_JP = Odd Letter Triples with JP
  • TW_JQ = Odd Letter Triples with JQ
  • TW_JR = Odd Letter Triples with JR
  • TW_JS = Odd Letter Triples with JS
  • TW_JT = Odd Letter Triples with JT
  • TW_JV = Odd Letter Triples with JV
  • TW_JW = Odd Letter Triples with JW
  • TW_JX = Odd Letter Triples with JX
  • TW_JY = Odd Letter Triples with JY
  • TW_JZ = Odd Letter Triples with JZ
  • TW_KB = Odd Letter Triples with KB
  • TW_KC = Odd Letter Triples with KC
  • TW_KD = Odd Letter Triples with KD
  • TW_KF = Odd Letter Triples with KF
  • TW_KG = Odd Letter Triples with KG
  • TW_KH = Odd Letter Triples with KH
  • TW_KJ = Odd Letter Triples with KJ
  • TW_KK = Odd Letter Triples with KK
  • TW_KL = Odd Letter Triples with KL
  • TW_KM = Odd Letter Triples with KM
  • TW_KN = Odd Letter Triples with KN
  • TW_KP = Odd Letter Triples with KP
  • TW_KQ = Odd Letter Triples with KQ
  • TW_KR = Odd Letter Triples with KR
  • TW_KS = Odd Letter Triples with KS
  • TW_KT = Odd Letter Triples with KT
  • TW_KU = Odd Letter Triples with KU
  • TW_KV = Odd Letter Triples with KV
  • TW_KW = Odd Letter Triples with KW
  • TW_KX = Odd Letter Triples with KX
  • TW_KY = Odd Letter Triples with KY
  • TW_KZ = Odd Letter Triples with KZ
  • TW_LB = Odd Letter Triples with LB
  • TW_LC = Odd Letter Triples with LC
  • TW_LG = Odd Letter Triples with LG
  • TW_LH = Odd Letter Triples with LH
  • TW_LK = Odd Letter Triples with LK
  • TW_LN = Odd Letter Triples with LN
  • TW_LP = Odd Letter Triples with LP
  • TW_LQ = Odd Letter Triples with LQ
  • TW_LR = Odd Letter Triples with LR
  • TW_LV = Odd Letter Triples with LV
  • TW_LW = Odd Letter Triples with LW
  • TW_LX = Odd Letter Triples with LX
  • TW_LZ = Odd Letter Triples with LZ
  • TW_MB = Odd Letter Triples with MB
  • TW_MD = Odd Letter Triples with MD
  • TW_MF = Odd Letter Triples with MF
  • TW_MG = Odd Letter Triples with MG
  • TW_MH = Odd Letter Triples with MH
  • TW_MJ = Odd Letter Triples with MJ
  • TW_MK = Odd Letter Triples with MK
  • TW_ML = Odd Letter Triples with ML
  • TW_MM = Odd Letter Triples with MM
  • TW_MN = Odd Letter Triples with MN
  • TW_MQ = Odd Letter Triples with MQ
  • TW_MR = Odd Letter Triples with MR
  • TW_MT = Odd Letter Triples with MT
  • TW_MV = Odd Letter Triples with MV
  • TW_MW = Odd Letter Triples with MW
  • TW_MX = Odd Letter Triples with MX
  • TW_MZ = Odd Letter Triples with MZ
  • TW_NB = Odd Letter Triples with NB
  • TW_NF = Odd Letter Triples with NF
  • TW_NH = Odd Letter Triples with NH
  • TW_NK = Odd Letter Triples with NK
  • TW_NL = Odd Letter Triples with NL
  • TW_NM = Odd Letter Triples with NM
  • TW_NP = Odd Letter Triples with NP
  • TW_NQ = Odd Letter Triples with NQ
  • TW_NR = Odd Letter Triples with NR
  • TW_NV = Odd Letter Triples with NV
  • TW_NW = Odd Letter Triples with NW
  • TW_NX = Odd Letter Triples with NX
  • TW_NZ = Odd Letter Triples with NZ
  • TW_OC = Odd Letter Triples with OC
  • TW_OG = Odd Letter Triples with OG
  • TW_OH = Odd Letter Triples with OH
  • TW_OJ = Odd Letter Triples with OJ
  • TW_OK = Odd Letter Triples with OK
  • TW_OQ = Odd Letter Triples with OQ
  • TW_OV = Odd Letter Triples with OV
  • TW_OY = Odd Letter Triples with OY
  • TW_OZ = Odd Letter Triples with OZ
  • TW_PB = Odd Letter Triples with PB
  • TW_PC = Odd Letter Triples with PC
  • TW_PD = Odd Letter Triples with PD
  • TW_PF = Odd Letter Triples with PF
  • TW_PG = Odd Letter Triples with PG
  • TW_PH = Odd Letter Triples with PH
  • TW_PK = Odd Letter Triples with PK
  • TW_PL = Odd Letter Triples with PL
  • TW_PM = Odd Letter Triples with PM
  • TW_PN = Odd Letter Triples with PN
  • TW_PP = Odd Letter Triples with PP
  • TW_PQ = Odd Letter Triples with PQ
  • TW_PR = Odd Letter Triples with PR
  • TW_PT = Odd Letter Triples with PT
  • TW_PV = Odd Letter Triples with PV
  • TW_PW = Odd Letter Triples with PW
  • TW_PX = Odd Letter Triples with PX
  • TW_PZ = Odd Letter Triples with PZ
  • TW_QA = Odd Letter Triples with QA
  • TW_QB = Odd Letter Triples with QB
  • TW_QC = Odd Letter Triples with QC
  • TW_QD = Odd Letter Triples with QD
  • TW_QE = Odd Letter Triples with QE
  • TW_QF = Odd Letter Triples with QF
  • TW_QG = Odd Letter Triples with QG
  • TW_QH = Odd Letter Triples with QH
  • TW_QI = Odd Letter Triples with QI
  • TW_QJ = Odd Letter Triples with QJ
  • TW_QK = Odd Letter Triples with QK
  • TW_QL = Odd Letter Triples with QL
  • TW_QM = Odd Letter Triples with QM
  • TW_QN = Odd Letter Triples with QN
  • TW_QO = Odd Letter Triples with QO
  • TW_QP = Odd Letter Triples with QP
  • TW_QQ = Odd Letter Triples with QQ
  • TW_QR = Odd Letter Triples with QR
  • TW_QS = Odd Letter Triples with QS
  • TW_QT = Odd Letter Triples with QT
  • TW_QU = Odd Letter Triples with QU
  • TW_QV = Odd Letter Triples with QV
  • TW_QW = Odd Letter Triples with QW
  • TW_QX = Odd Letter Triples with QX
  • TW_QY = Odd Letter Triples with QY
  • TW_QZ = Odd Letter Triples with QZ
  • TW_RB = Odd Letter Triples with RB
  • TW_RG = Odd Letter Triples with RG
  • TW_RH = Odd Letter Triples with RH
  • TW_RJ = Odd Letter Triples with RJ
  • TW_RK = Odd Letter Triples with RK
  • TW_RL = Odd Letter Triples with RL
  • TW_RP = Odd Letter Triples with RP
  • TW_RQ = Odd Letter Triples with RQ
  • TW_RR = Odd Letter Triples with RR
  • TW_RV = Odd Letter Triples with RV
  • TW_RW = Odd Letter Triples with RW
  • TW_RX = Odd Letter Triples with RX
  • TW_RZ = Odd Letter Triples with RZ
  • TW_SB = Odd Letter Triples with SB
  • TW_SD = Odd Letter Triples with SD
  • TW_SF = Odd Letter Triples with SF
  • TW_SG = Odd Letter Triples with SG
  • TW_SJ = Odd Letter Triples with SJ
  • TW_SK = Odd Letter Triples with SK
  • TW_SL = Odd Letter Triples with SL
  • TW_SM = Odd Letter Triples with SM
  • TW_SN = Odd Letter Triples with SN
  • TW_SQ = Odd Letter Triples with SQ
  • TW_SR = Odd Letter Triples with SR
  • TW_SV = Odd Letter Triples with SV
  • TW_SW = Odd Letter Triples with SW
  • TW_SX = Odd Letter Triples with SX
  • TW_SY = Odd Letter Triples with SY
  • TW_SZ = Odd Letter Triples with SZ
  • TW_TB = Odd Letter Triples with TB
  • TW_TC = Odd Letter Triples with TC
  • TW_TD = Odd Letter Triples with TD
  • TW_TF = Odd Letter Triples with TF
  • TW_TG = Odd Letter Triples with TG
  • TW_TJ = Odd Letter Triples with TJ
  • TW_TK = Odd Letter Triples with TK
  • TW_TL = Odd Letter Triples with TL
  • TW_TM = Odd Letter Triples with TM
  • TW_TN = Odd Letter Triples with TN
  • TW_TP = Odd Letter Triples with TP
  • TW_TQ = Odd Letter Triples with TQ
  • TW_TR = Odd Letter Triples with TR
  • TW_TV = Odd Letter Triples with TV
  • TW_TW = Odd Letter Triples with TW
  • TW_TX = Odd Letter Triples with TX
  • TW_TZ = Odd Letter Triples with TZ
  • TW_UC = Odd Letter Triples with UC
  • TW_UF = Odd Letter Triples with UF
  • TW_UG = Odd Letter Triples with UG
  • TW_UH = Odd Letter Triples with UH
  • TW_UJ = Odd Letter Triples with UJ
  • TW_UK = Odd Letter Triples with UK
  • TW_UQ = Odd Letter Triples with UQ
  • TW_UU = Odd Letter Triples with UU
  • TW_UV = Odd Letter Triples with UV
  • TW_UW = Odd Letter Triples with UW
  • TW_UX = Odd Letter Triples with UX
  • TW_UY = Odd Letter Triples with UY
  • TW_UZ = Odd Letter Triples with UZ
  • TW_VB = Odd Letter Triples with VB
  • TW_VC = Odd Letter Triples with VC
  • TW_VD = Odd Letter Triples with VD
  • TW_VF = Odd Letter Triples with VF
  • TW_VG = Odd Letter Triples with VG
  • TW_VH = Odd Letter Triples with VH
  • TW_VJ = Odd Letter Triples with VJ
  • TW_VK = Odd Letter Triples with VK
  • TW_VL = Odd Letter Triples with VL
  • TW_VM = Odd Letter Triples with VM
  • TW_VN = Odd Letter Triples with VN
  • TW_VP = Odd Letter Triples with VP
  • TW_VQ = Odd Letter Triples with VQ
  • TW_VR = Odd Letter Triples with VR
  • TW_VS = Odd Letter Triples with VS
  • TW_VT = Odd Letter Triples with VT
  • TW_VU = Odd Letter Triples with VU
  • TW_VV = Odd Letter Triples with VV
  • TW_VW = Odd Letter Triples with VW
  • TW_VX = Odd Letter Triples with VX
  • TW_VY = Odd Letter Triples with VY
  • TW_VZ = Odd Letter Triples with VZ
  • TW_WB = Odd Letter Triples with WB
  • TW_WC = Odd Letter Triples with WC
  • TW_WD = Odd Letter Triples with WD
  • TW_WF = Odd Letter Triples with WF
  • TW_WG = Odd Letter Triples with WG
  • TW_WH = Odd Letter Triples with WH
  • TW_WJ = Odd Letter Triples with WJ
  • TW_WK = Odd Letter Triples with WK
  • TW_WL = Odd Letter Triples with WL
  • TW_WM = Odd Letter Triples with WM
  • TW_WP = Odd Letter Triples with WP
  • TW_WQ = Odd Letter Triples with WQ
  • TW_WR = Odd Letter Triples with WR
  • TW_WT = Odd Letter Triples with WT
  • TW_WU = Odd Letter Triples with WU
  • TW_WV = Odd Letter Triples with WV
  • TW_WW = Odd Letter Triples with WW
  • TW_WX = Odd Letter Triples with WX
  • TW_WY = Odd Letter Triples with WY
  • TW_WZ = Odd Letter Triples with WZ
  • TW_XA = Odd Letter Triples with XA
  • TW_XB = Odd Letter Triples with XB
  • TW_XC = Odd Letter Triples with XC
  • TW_XD = Odd Letter Triples with XD
  • TW_XF = Odd Letter Triples with XF
  • TW_XG = Odd Letter Triples with XG
  • TW_XH = Odd Letter Triples with XH
  • TW_XI = Odd Letter Triples with XI
  • TW_XJ = Odd Letter Triples with XJ
  • TW_XK = Odd Letter Triples with XK
  • TW_XL = Odd Letter Triples with XL
  • TW_XM = Odd Letter Triples with XM
  • TW_XN = Odd Letter Triples with XN
  • TW_XP = Odd Letter Triples with XP
  • TW_XQ = Odd Letter Triples with XQ
  • TW_XR = Odd Letter Triples with XR
  • TW_XS = Odd Letter Triples with XS
  • TW_XT = Odd Letter Triples with XT
  • TW_XU = Odd Letter Triples with XU
  • TW_XV = Odd Letter Triples with XV
  • TW_XW = Odd Letter Triples with XW
  • TW_XX = Odd Letter Triples with XX
  • TW_XY = Odd Letter Triples with XY
  • TW_XZ = Odd Letter Triples with XZ
  • TW_YB = Odd Letter Triples with YB
  • TW_YC = Odd Letter Triples with YC
  • TW_YD = Odd Letter Triples with YD
  • TW_YF = Odd Letter Triples with YF
  • TW_YG = Odd Letter Triples with YG
  • TW_YH = Odd Letter Triples with YH
  • TW_YI = Odd Letter Triples with YI
  • TW_YJ = Odd Letter Triples with YJ
  • TW_YK = Odd Letter Triples with YK
  • TW_YM = Odd Letter Triples with YM
  • TW_YP = Odd Letter Triples with YP
  • TW_YQ = Odd Letter Triples with YQ
  • TW_YR = Odd Letter Triples with YR
  • TW_YT = Odd Letter Triples with YT
  • TW_YV = Odd Letter Triples with YV
  • TW_YW = Odd Letter Triples with YW
  • TW_YX = Odd Letter Triples with YX
  • TW_YY = Odd Letter Triples with YY
  • TW_YZ = Odd Letter Triples with YZ
  • TW_ZB = Odd Letter Triples with ZB
  • TW_ZC = Odd Letter Triples with ZC
  • TW_ZD = Odd Letter Triples with ZD
  • TW_ZF = Odd Letter Triples with ZF
  • TW_ZG = Odd Letter Triples with ZG
  • TW_ZH = Odd Letter Triples with ZH
  • TW_ZJ = Odd Letter Triples with ZJ
  • TW_ZK = Odd Letter Triples with ZK
  • TW_ZL = Odd Letter Triples with ZL
  • TW_ZM = Odd Letter Triples with ZM
  • TW_ZN = Odd Letter Triples with ZN
  • TW_ZP = Odd Letter Triples with ZP
  • TW_ZQ = Odd Letter Triples with ZQ
  • TW_ZR = Odd Letter Triples with ZR
  • TW_ZS = Odd Letter Triples with ZS
  • TW_ZT = Odd Letter Triples with ZT
  • TW_ZU = Odd Letter Triples with ZU
  • TW_ZV = Odd Letter Triples with ZV
  • TW_ZW = Odd Letter Triples with ZW
  • TW_ZX = Odd Letter Triples with ZX
  • TW_ZY = Odd Letter Triples with ZY
  • TW_ZZ = Odd Letter Triples with ZZ


KAM Ruleset

  • KAM_MM_FOREX = Polish-language spam from the Forex botnet
  • KAM_PHISH1 = Test for PHISH that changes the cursor
  • KAM_PHISH4 = Another phishing attempt
  • KAM_REAL = Real Estate or Re-Finance Spam
  • KAM_REFI = Real Estate / Re-Finance Spam
  • KAM_REFI2 = Real Estate / Re-Finance Spam
  • KAM_DEBT = Debt eradication spams
  • KAM_DEBT2 = Likely Debt eradication spams
  • KAM_SILD = Simple rule to block one more enhancement message
  • KAM_NUMBER = Silly Number Emails
  • KAM_OVERPAY = Common Medicinal Ad Trick
  • KAM_VIAGRA1 = Common Viagra and Medicinal Table Trick
  • KAM_VIAGRA2 = Common Viagra and Medicinal Table Trick
  • KAM_VIAGRA4 = Common Viagra and Medicinal Table Trick
  • KAM_VIAGRA5 = Viagra Obfuscation Technique SPAM
  • KAM_VIAGRA6 = Viagra Obfuscation Technique SPAM
  • KAM_VIAGRA7 = Viagra Obfuscation Technique SPAM
  • KAM_VIAGRA8 = Viagra Obfuscation Technique SPAM
  • KAM_VIAGRA9 = Viagra Obfuscation Technique SPAM
  • KAM_VIAGRA10 = Male enhancement spam with no content
  • KAM_NITROXIN1 = Another variant of Viagra spam
  • KAM_RE_PLUS = Bad Subject and Image Only rule hit == SPAM!
  • KAM_HOODIA = Hoodia / Weight Loss Product Promotion Spam
  • KAM_STOCKTIP = Email Contains Pump & Dump Stock Tip
  • KAM_STOCKGEN = Email Contains Generic Pump & Dump Stock Tip
  • KAM_STOCK2 = Another Round of Pump & Dump Stock Scams
  • KAM_JUDGE = Email Contains Judicial Judgment Solicitation
  • KAM_MED = Economizing your meds spam
  • KAM_MED2 = More Medical SPAM
  • KAM_TIME = Pssss. Hey Buddy, wanna buy a watch?
  • KAM_TIMEGEO = Email references geocities & wrist watch sales
  • KAM_HOME = Mortage & Refinance Spam Rule
  • KAM_UNIV = Diploma Mill Rule
  • KAM_URUNIT = Recent penile and body enhancement spams
  • KAM_URZEST = Recent penile and body enhancement spams
  • KAM_JOB = People let go, work at home, earn billions!
  • KAM_PERPARK = Obfuscated address appearing in SPAM Feb 06
  • KAM_HOLLY = Obfuscated address appearing in SPAM Jun 06
  • KAM_STOCKG = Graphical Pump and Dump Scams
  • KAM_CEP = CEP Diploma Mill Rule
  • KAM_BLANK01 = Blank emails
  • KAM_BLANK02 = Blank emails with MTA Headers
  • KAM_GEO_STRING2 = Use of geocities/yahoo very likely spam as of Dec 2005
  • KAM_GOOGLE_STRING = Use of Google redir appearing in spam July 2006
  • KAM_MSNBR_REDIR = Use of MSN Brasil Redirector for Spam seen in 2011
  • KAM_MSN_STRING = spaces.msn.com likely spam (Mar 2006) + spaces.live.com (Mar 2010)
  • KAM_LIVE = blogspot.com & livejournal.com likely spam (Apr 2010)
  • KAM_PAGE = Page.TL likely spam (Nov 2011)
  • KAM_URIPARSE = Attempted use of URI bug-high probability of fraud
  • KAM_COMBO_BADAOL = Invalid AOL Email Address-High probability of spam
  • KAM_ADV_EMAIL = Marks adv@$lt;domain.com$gt; Addresses as likely SPAM
  • KAM_SEX_EXPLICIT = Subject or body indicates Sexually Explicit material
  • KAM_SEX_AFFAIR = Subject or body soliciting an affair
  • KAM_TELEWORK = Stupid telework and training scams
  • T_KAM_HTML_FONT_INVALID = Test for Invalidly Named or Formatted Colors in HTML
  • KAM_LOCAL_TEST1 = This is a unique phrase to trigger a + score
  • KAM_RPTR_FAILED = Failed Mail Relay Reverse DNS Test
  • KAM_RPTR_SUSPECT = Suspected Dynamic IP/Bad TLD/Spammy TLD from Mail Relay Reverse DNS Test
  • KAM_RPTR_PASSED = Passed Mail Relay Reverse DNS Test
  • KAM_RPTR_MISSING = Mail Relay Reverse DNS Entry Missing!
  • KAM_RPTR_BADHOST = Very Spammy Hosting Company Identified
  • KAM_INVALID_FROM = From header missing host portion
  • KAM_RAPTOR = PCCC Raptor altered the email
  • KAM_RPTR_MISSING = Mail Relay Reverse DNS Entry Missing!
  • KAM_RPTR_MISSING = Mail Relay Reverse DNS Entry Missing!
  • KAM_RPTR_MISSING = Mail Relay Reverse DNS Entry Missing!
  • KAM_BADATTACH = Mail contains a bad attachment
  • KAM_6C822ECF = $6c822ecf@ VERY prevalent message-ID header in SPAMs
  • KAM_MUSTREAD = Subject indicative of a SPAM message
  • KAM_DRILL = Oil Drilling SPAM
  • KAM_IFRAME = Email contained Iframe, Object or Script tags
  • KAM_IFRAME2 = Email contains phrase instructing javascript use
  • KAM_IFRAME3 = Likely email exploit - Email shouldn't require javascript in an email attachment
  • KAM_XEROX = Likely Fake Xerox Attachment
  • KAM_STAR = Stupid Obfuscated Link SPAMs
  • KAM_SPAMKING = SPAM using throw-away domains and addresses. SpamKing's Heir!
  • KAM_COMBOJDR = Spam Test for Rules Combined with KAM_SPAMJDR
  • KAM_LOTTO1 = Likely to be an e-Lotto Scam Email
  • KAM_LOTTO2 = Highly Likely to be an e-Lotto Scam Email
  • KAM_LOTTO3 = Almost certain to be an e-Lotto Scam Email
  • KAM_ABOUT = Email Scam Hawking Anti-Spyware
  • KAM_ADVERT = Mailing List Scammers Hawking Their Lists / Services
  • KAM_ADVERT3 = Traffic / Expiring Domain List Spam
  • KAM_ADVERT2 = This is probably an unwanted commercial email...
  • KAM_1LINE = One liner SPAMs
  • KAM_CANSPAM = SPAM = Lack of Consent (not a Legal Definition)
  • KAM_GIFT = Gift Card Scams
  • KAM_GIFT2 = Gift Card Scams
  • KAM_SHOP = Mystery Shopper Scams
  • KAM_FAST = Get Rich Quick, Make Money Fast Schemes
  • KAM_BIZ = Free Business Card Emails
  • KAM_FDA = Carries a not evaluated by the FDA warning or recall warning
  • KAM_ANA = Likely Weight-loss / Medical Spam
  • KAM_ANA2 = Higher probability of Weight-loss / Medical Spam
  • KAM_REPLACE = Spams that use obfuscated URLs with instructions
  • KAM_NIGERIAN = Nigerian Scam and Variants
  • KAM_LIKE = I like your website link exchange spam
  • KAM_PUBLIC = Obtained from Public List != to Consent == SPAM!
  • KAM_SEX = Sexually Explicit SPAM / Penis Enlargement Scam
  • KAM_PIC = Share Pictures and Chat SPAM
  • KAM_LIST = Mailing List Database SPAM
  • KAM_DRUG = More Viagra, Medicine, et al Scams
  • KAM_BADIPHTTP = Due to the Storm Bot Network, IPs in emails is bad
  • KAM_HIDDEN_URI = URI obfuscation techniques
  • KAM_INFOUSMEBIZ = Prevalent use of .info|.us|.me|.me.uk|.biz domains in spam/malware
  • KAM_OTHER_BAD_TLD = Other untrustworthy TLDs
  • KAM_CARD = Trojan or Virus Payload from fake ecard notice
  • KAM_INSURE = Life, Health, Auto, etc. Insurance SPAMs
  • KAM_INSURE2 = Higher Probability of Life, Health, Auto, etc. Insurance SPAMs
  • KAM_HEALTH = Health/Life Insurance Spam Emails
  • KAM_HEALTH2 = Health Insurance Spam Emails
  • KAM_HEALTH3 = Term Life Insurance Spam
  • KAM_REAL2 = Real-estate investment scams
  • KAM_BADPDF = Prevalent Junk PDF SPAMs - BAD SUBJECT
  • KAM_BADPDF1 = Prevalent Junk PDF SPAMs - EMPTY BODY & ENCRYPTED
  • KAM_BADPDF2 = Prevalent Junk PDF SPAMs - 3 STRIKES
  • KAM_FAKEPDF = Fake PDF Reader / Writer
  • KAM_PHISH2 = Prevalent Phishing Scam emails
  • KAM_HEX = Crazy Empty Hex Messages
  • KAM_THEBAT = Abused X-Mailer Header for The Bat! MUA
  • KAM_MAILER = Automated Mailer Tag Left in Email
  • KAM_CHECK = Another Nigerian Bank Draft Scam
  • KAM_BODY = Odd Erectile Dysfunction Messages with Poor Formatting
  • KAM_TV = Free TV/Cable/etc. Scams
  • KAM_TV2 = Higher probability of Free TV/Cable/etc. Spams
  • KAM_CAREER = Spam for Career/Diploma Mills
  • KAM_NURSE = Spam for Career/Diploma Mills
  • KAM_PILLS = Spam for scam pharmacy
  • KAM_PILLS2 = Male enhancement spams
  • KAM_ALT = Requests use of an alternate email which may indicate spam
  • KAM_POLITICS = Unsolicited Political E-Mails
  • KAM_COMPANY1 = Egregious spammers that should also be on RBLs (and might be)
  • KAM_COMPANY2 = Egregious spammers that should also be on RBLs (and might be)
  • KAM_VERY_BLACK_DBL = Email that hits both URIBL Black and Spamhaus DBL
  • KAM_MX2 = Spammers and MX Rule
  • KAM_MX3 = Odd prevalence of MX records for non-identified Spammers
  • KAM_MX4 = MX Record and dot info domains associated with FAKERBL Spammers
  • KAM_ADDRESS = Addresses and Companies prevalent in spams
  • KAM_GRASS = Spammers hawking lawn products
  • KAM_SKIN = Spammers hawking skin/medical/foot products
  • KAM_SKIN2 = Spammers hawking skin/medical/foot products
  • KAM_CAR = Spammers hawking new car, insurance or warranties
  • KAM_AUTO = Spam for new cars
  • KAM_WARRANTY = Spammers hawking home warranties
  • KAM_WARRANTY2 = Spammers pushing home warranties
  • KAM_WARRANTY3 = Spammers hawking home warranties
  • KAM_AUGER = Spammers hawking Awesome Augers?!?
  • KAM_MOVIE = Spammers hawking Movie Extra positions
  • KAM_COLLECT = Spammers hawking debt collection
  • KAM_SEARCH = Spammers hawking SEO
  • KAM_SEO = Spammers hawking SEO
  • KAM_LINGERIE = Sexually Explicity Lingerie Spam
  • KAM_WEB = Web design spams
  • KAM_DOMAIN = Domain Selling Spams
  • KAM_MEDTOUR = Medical Tourism Spam
  • KAM_ACNE = Spammers hawking Acne products
  • KAM_SOFTWARE = Spammers hawking Software products
  • KAM_NIGERIAN2 = Yet more Nigerian scams. Some even explaining the scam.
  • KAM_MEDICAL = Misc medical spam
  • KAM_TINNI = Another Medical Scam
  • KAM_GIVE = Free stuff "giveaway" scam
  • KAM_GOVT = Your tax dollars at work scam...
  • KAM_RBL = Higher scores for hitting multiple trusted RBLs
  • KAM_CNN = CNN Daily Top 10 Link Obfuscation spams
  • KAM_SHAM = More product scams...
  • KAM_SANTA = Ho Ho Holy smokes Batman another Santa Letter spam...
  • KAM_GOOGLE = Google Pyramid Scams
  • KAM_ALARM = Security and Alarm Company Spams
  • KAM_ALARM2 = High Probability of Security and Alarm Company Spams
  • KAM_SELL = Selling Cards Marketing Scams
  • KAM_WHITEN = Teeth Whitening Scams
  • KAM_URONLINE = Chat Scams
  • KAM_TIMESHARE = Timeshare Scams
  • KAM_AQUA = Spams of yet another product du jour
  • KAM_GEVALIA = Spams of yet another product du jour
  • KAM_INK = Spams of yet another product du jour
  • KAM_INK2 = Spams for Ink refills
  • KAM_PEEL = Spams of yet another product du jour
  • KAM_RAT1 = Variable Replacements Indicative of RatWare/Mass Mailing
  • KAM_RAT2 = Another ratware mistake, uninterpolated text
  • KAM_EGG = Spams of yet another product du jour
  • KAM_USB = USB Promotion Spammer
  • KAM_GRANT = Government Grant Scams
  • KAM_SEX04 = Sexually Explicit SPAM
  • KAM_SEX04_2 = Likely Sexually Explicit SPAM
  • KAM_SEX05 = Sexually Explicit SPAM
  • KAM_FOOTBALL = Spammy Football Club
  • KAM_DISH = Dish Network Spams
  • KAM_DISH2 = Dish Network Spams
  • KAM_IDENTNET = Identity Network Spams
  • KAM_DUCHESS = Spammer sending emails using a variety of domains and linked images
  • KAM_UPS = UPS doesn't send invoices with delivery problem notes
  • KAM_SKYPE = Skype/Voip scams likely to spread malware
  • KAM_OWAPHISH1 = Rash of OWA setting change emails for phishing
  • KAM_DRUG2 = More online Drug Scams
  • KAM_DRUG2_2 = Higher Certainty of Drug Scam
  • KAM_SEXSUBJECT = Sexually Explicit Subject
  • KAM_WIFE = Mail order bride scams
  • KAM_PRODUCT = Product scams often used with MSN/Live URIs
  • KAM_LIVEURI2 = More online Scams + Known URI
  • KAM_WEBS = webs.com links used in Spams
  • KAM_BADSWF = SWF embedded links in Email Scams
  • KAM_EXEURI = EXE embedded link
  • KAM_SETTING = Phishing scams w/Setting Files or Webmail
  • KAM_SETTING2 = Phishing scams w/Setting Files or Webmail + Bad File link
  • KAM_FARM = Farming related Spams
  • KAM_MXURI = URI begins with a mail exchange prefix, i.e. mx.[...]
  • KAM_FLASH = Fake Flash Player Phishing Scam
  • KAM_ADWORD = Fake Adword Campaign notices
  • KAM_DON = Work at Home Scams
  • KAM_DON2 = Egregious Work at Home Scams
  • KAM_GINA = Employment Poster Marketing Spams
  • KAM_TAX = Tax Filing Scams
  • KAM_TAX2 = Higher Probability of Tax Filing Scams
  • KAM_SEX06 = Sexual Stimulant Spam
  • KAM_BARK = Dog Product Scam
  • KAM_CASINO = Online Casino Spam
  • KAM_TWIT = Twitter bogus phishing emails
  • KAM_FACE = Facebook bogus phishing emails
  • KAM_PHISH3 = Phishing emails for account notification
  • KAM_DIRECT = DirectBuy Spam
  • KAM_SWIPE = SwipeBid Spam / Penny Auction Spams
  • KAM_SWIPE2 = SwipeBid Spam / Penny Auction Spams
  • KAM_WTA = Ridiculous campaign by unapologetic spammers purposefully using throwaway domains
  • KAM_SMOKE = Smokeless cigarette and quitting spam
  • KAM_SMOKE2 = Higher probability of spam
  • KAM_OBFURL = Obfuscated URL
  • KAM_SHARP = Ceramic Blade Spam
  • KAM_HIP = Hip Replacement Recall Spam
  • KAM_WORKHOME = Work at Home Spam
  • KAM_WORKHOME2 = Work at Home Spam
  • KAM_HSR = High Speed Rail Spam
  • KAM_SELLPHONE = Used Equipment Spam
  • KAM_MAILBOX = Mailbox Quota Phishing Scams
  • KAM_POWER = Motorized Chair Spams
  • KAM_GUN = Gun Alert Spams
  • KAM_RICH = Get Rich Quick Schemes
  • KAM_INVFROM = Invalid From Header containing mismatched $lt;$gt;'s
  • KAM_UAH_YAHOOGROUP_SENDER = Sender appears to be a legit Yahoo! Group Mail
  • KAM_GALLERY = Exploited Gallery with Porn
  • KAM_GALLERY2 = Higher Likelihood of Exploited Gallery with Porn
  • KAM_CHANGELOG = Phishing Email
  • KAM_BUS = Yet another Nigerian Scam/Phishing Variant
  • KAM_PRIV = Private Messages using Exploits in attached HTML files
  • KAM_DIV = Use of divs to hide Medical Spams
  • KAM_CREDIT = Credit Score Spams
  • KAM_CREDIT2 = Credit Score Spams
  • KAM_OBFURI = Obfuscated URI trick
  • KAM_ADVANCE = Advance Spams
  • KAM_PAYPAL1 = rampant paypal phishing scams
  • KAM_PAYPAL2 = Malware disguised as a paypal email
  • KAM_PAYPAL3 = Phish disguised as a paypal email
  • KAM_COMPROMISED = Compromised Accounts Sending Spam
  • KAM_LIST2 = Known Bad Groups
  • KAM_QUOTA = Limited Access / Quota Phishing Scam
  • KAM_BACK = Background Check SPAM
  • KAM_ARREST = Arrest Record Scams
  • KAM_DIET2 = Diet Scams
  • KAM_CIGAR = Cigar Scam Emails
  • KAM_TK = Abuse of .tk domain registrar which offers free domains
  • KAM_LASIK = Lasik Treatment Spams
  • KAM_NOTIFY = Fake Notifications
  • KAM_NOTIFY2 = Higher likelihood of fake notification
  • KAM_LANG = Language Method Spams
  • KAM_TRACK = Fake Tracking Emails
  • KAM_SCHOOL = School Spams
  • KAM_MEMBER = Dating Scams
  • KAM_MEDICARE = Medicare Scams
  • KAM_BILLS = Bill Pay Spams
  • KAM_HOSE = Garden Hose Spams
  • KAM_AV = Anti-Virus Spams
  • KAM_MASCARA = Make-up Spams
  • KAM_COLLEGE = Online Degree/Aid Spams
  • KAM_SURVEY = Online Survey Spams
  • KAM_SNORE = Snoring Aid Spams
  • KAM_VACATION = Vacation Spams
  • KAM_BLOOD = Blood Pressure Spams
  • KAM_SCOOTER = Blood Pressure Spams
  • KAM_ANATA = Drug Spam
  • KAM_BBB = Better Business Bureau Phishing
  • KAM_MARK = Email arrived marked as Spam
  • KAM_H1QNUM = H1 Qnum indicator
  • KAM_H1QNUM2 = H1 Qnum higher spamminess indicators
  • KAM_AP = American Publishing Spam
  • KAM_COUK = Scoring .co.uk emails higher due to poor registry security.
  • KAM_FACEBOOKMAIL = Fake or Abused Facebook Mail
  • KAM_FAKE_DELIVER = Fake delivery notifications
  • KAM_REALLY_FAKE_DELIVER = Definitely fake delivery notifications
  • KAM_SOLAR = Solar Power Spams
  • KAM_SOLAR2 = Definite Solar Power Spams
  • KAM_ASIAN = Asian Bride Spams
  • KAM_STUDENT = Student Loan Forgiveness Spams
  • KAM_TIP = Beauty Tip Spams
  • KAM_WHATS = WhatsApp Spams
  • KAM_QTJARS = QTJars Spams
  • KAM_GOOGLEPHISH = Google Login Phishing Scam
  • KAM_POLY = Political Spams
  • KAM_MAID = Maid Service Spams
  • KAM_TUB = Tub Spams
  • KAM_OBF = Obfuscated Porn Spams
  • KAM_OBF = Obfuscated Porn Spams
  • KAM_HAIR = Hair Loss / Removal Spams
  • KAM_UNSUB = Completely ridiculous unsubscribe text found
  • KAM_EMAILPHISH = Email Phishing Scams
  • KAM_MASSERROR = Error in usage of a mass mailing software
  • KAM_CARDEAL = Car Deal Spams
  • KAM_HOMESALE = Home Sale Spams
  • KAM_LOAN = Payday and other loan spams
  • KAM_HANGOVER = Hangover Patch Spams
  • KAM_RXPLAN = Rx Plan Spams
  • KAM_SOCKET = Product Spam du Jour
  • KAM_TESTOSTERONE = Product Spam du Jour
  • KAM_FLEXHOSE = Product Spam du Jour
  • KAM_PET = Insurance and other pet-related spam
  • KAM_PET2 = Even more likely insurance and other pet-related spam
  • KAM_COBRA = Cobra Insurance Spam
  • KAM_DISCAIR = Discount Airfare Spam
  • KAM_PEST = Spam for Pest Control
  • KAM_PROPHET = Spam for Prophecy
  • KAM_HEART = Spam for Heart Attack prevention
  • KAM_JOINT = Joint relief Spam
  • KAM_REHAB = Rehab Spam
  • KAM_HAIRTRANS = Spam for Hair Restoration
  • KAM_HAIRTRANS2 = Higher probability of spam for Hair Restoration
  • KAM_GIFTCERT = Gift Certificate Spams
  • KAM_TIRES = Spam for Tires
  • KAM_SLICEOMATIC = Spam for Kitchen Tools
  • KAM_WINDOWS = Spam for House Windows
  • KAM_EMMAPP_WEB_COM = Spam from emmapp.web.com
  • KAM_NEW_CREDITCARD = Spam for new credit cards
  • KAM_GERMAN_BUSINESS_CONTACTS = Weird German business contact info spam
  • KAM_SENIOR_DATING = Senior dating spam
  • KAM_NEWS = Forged Emails with NEWS!
  • KAM_CHOSEN = Spam claiming the recipient has been chosen for something
  • KAM_JURY = Spam claiming the recipient must serve jury duty
  • KAM_BITCOIN = Spam related to investing in bitcoin and other cryptocurrency
  • KAM_RELIGION = Generic religious spam
  • KAM_BUSINESSPHONE = Advertising for business phone systems
  • KAM_NUMEROLOGY = Pseudo-scientific spam
  • KAM_VOICEMAIL = Common malware that tricks the user into opening a fake VOIP voicemail
  • KAM_SPAMFORSPAM = Spam advertising spam services
  • KAM_NEUROLOGICAL = Variant of medical spam targeting neurological ailments
  • KAM_LOTSOFHASH = Emails with lots of hash-like gibberish
  • KAM_GRABBAG1 = A combination of tricks that when combined indicate spam
  • KAM_TVDOCTOR = Spam for TV doctor stuff
  • KAM_DENTIST = Spam for 1-800-DENTIST
  • KAM_JEWELRY = Spam for Gold and Diamond Jewelry
  • KAM_MARIJUANA = Spam pertaining to marijuana
  • KAM_MARIJUANA2 = Definitely spam for marijuana
  • KAM_EVICTION = Malware disguised as eviction notice
  • KAM_WALKINTUB = Ads for walk-in tubs
  • KAM_EMAILQUESTION = Subjects beginning with an email address and followed by a spammy subject
  • KAM_SUPERHUMAN = Male enhancement of the day
  • KAM_VALENTINE = Spam for valentine gifts and other holiday stuff
  • KAM_MOTHER = Spam for mother's day
  • KAM_WHOSWHO = Ads for network of important people
  • KAM_WHOSWHO2 = Definitely ads for network of important people
  • KAM_GARAGE = Garage floor coating product of the day
  • KAM_GARAGE2 = More likely garage floor coating spam
  • KAM_PAINT = Paint Spams
  • KAM_MOP = Hurricane mop product of the day
  • KAM_DATINGTIPS = Tips for dating
  • KAM_CANDY = Ads for candy
  • KAM_WEIRDTRICK1 = Huge family of spam that uses the word weird to grab attention
  • KAM_WEIRDTRICK2 = Huge family of spam that uses the word weird to grab attention
  • KAM_WEIRDTRICK3 = Weird/Strange Trick
  • KAM_MATCH = Match Maker Spams
  • KAM_CARINSURE = Car Insurance Spams
  • KAM_MMS = Fake MMS Spam
  • KAM_LEARN = Learn More Spam
  • KAM_UNSUB1 = Unsubscription Spams
  • KAM_UNSUB2 = Improperly configured spam engines that leave placeholder domains in the body
  • KAM_DUTCHGLOW = Woodworking spam
  • KAM_FUNERAL = Likely Fake funeral notices
  • KAM_FUNERAL2 = Fake funeral notices
  • KAM_WEB_OBFUSCATION = Obfuscated web view links
  • KAM_TUPPERWARE = Ads for tupperware
  • KAM_PATRIOT = conspiracy spam
  • KAM_PATRIOT2 = Likely conspiracy spam
  • KAM_PAYMENT_LOWERED = Spam that says your insurance payment has already been lowered
  • KAM_PAYMENT_LOWERED = Higher probability of lowered payment spam
  • KAM_NEWNOTICE = New Notice Spam
  • KAM_NEWNOTICE2 = Higher Probability of New Notice Spam
  • KAM_REFINEW = New Refi/Credit Notice spam
  • KAM_REFINEW2 = Higher Probability Refi Spam
  • KAM_AUTONEW = New Auto insurance spam
  • KAM_AUTONEW2 = Higher Probability Insurance Spam
  • KAM_STATLER = Mike Statler Spams
  • KAM_WRITING = Spam for writing lessons
  • KAM_EU = Prevalent use of .eu in spam/malware
  • KAM_GRABBAG2 = Grabbag of Spams hitting EU domains and other indicators
  • KAM_DIABETES = End Diabetes Spam
  • KAM_SPY = Spy cameras and similar products
  • KAM_HARP = HARP Refinance Spams
  • KAM_LUNAR = Sleeping aid spam
  • KAM_LUNAR2 = Definitely sleeping aid spam
  • KAM_OCEANSBOUNTY = More medical spam
  • KAM_ANDROGEL = More medical spam
  • KAM_CELL = Ads for cell phones
  • KAM_FOUNTAINOFYOUTH = Anti-aging ad
  • KAM_HERPES = Ads for herpes medication
  • KAM_FAKEVOUCHER = Fake voucher/reward email
  • KAM_ATTORNEY = Ads for legal services
  • KAM_RECALL = Spam for product recall notices
  • KAM_HUGEIMGSRC = Message contains many image tags with huge http urls
  • KAM_REALLYHUGEIMGSRC = Spam with image tags with ridiculously huge http urls
  • KAM_TRACKIMAGE = Message has a remote image explicitly meant for tracking
  • KAM_GRABBAG3 = Grab bag of spam that employs multiple tricks that indicate tracking of recipients
  • KAM_EMPTYLINK = Many empty a tags with href all in a row
  • KAM_INVESTCOUNTRY = Spam for investing in your country
  • KAM_FLAG = Spam that sells flags
  • KAM_GRABBAG4 = Another spam engine that displays unique quirks
  • KAM_KORS = Spam for Michael Kors
  • KAM_HOLIDAY = Generic holiday deals
  • KAM_MANYTO = Email has more than one To Header
  • KAM_GRABBAG5 = Forged Yahoo emails that are sent to lots of recipients
  • KAM_MILLIONAIRE = Internet millionaire guarantees money
  • KAM_OILCHANGE = Spam for oil changes
  • KAM_ADHD = Spam for ADD and ADHD treatment
  • KAM_REPAIR1 = Spam for auto repair services
  • KAM_REPAIR2 = Spam for home repair services
  • KAM_CLOUD = Spam for cloud services
  • KAM_PAPERLESS = Paperless spam for the paperless office
  • KAM_PASSWORD = Message tries to phish for password
  • KAM_WEBINAR = Spam for webinars
  • KAM_WEBINAR2 = Spam for webinars
  • KAM_CONTACTME = Spam that wants you to reply
  • KAM_MESH = Spam for surgical mesh
  • KAM_ALERT = Spam for medical alerts
  • KAM_SECURITY = Spam related to online security
  • KAM_JESUS = Christian spam
  • KAM_CLAIMS = Spam for claims processing
  • KAM_VISION = Spam for vision improvement
  • KAM_TRUTHINESS = Spam that wants you to learn "The TRUTH"
  • KAM_KITCHEN = Spam for kitchen improvement
  • KAM_GENERICHEALTH = Matches generic health-related advert/blurbs
  • KAM_SALE = Spam for things on sale
  • KAM_SALEA = A very persistent ipad spam campaign
  • KAM_ASCII_DIVIDERS = Spam that uses ascii formatting tricks
  • KAM_HTMLNOISE = Spam containing useless HTML padding
  • KAM_CHICKEN = Spam for chicken coops
  • KAM_LINEPADDING = Spam that tries to get past blank line filters
  • KAM_DRAPES = Spam for drapes
  • KAM_NUWAVE = Spam for cooking tools
  • KAM_MANYCOMMENTS = Spam engine that uses large html noise comments
  • KAM_HIRE = Spam for hiring services
  • KAM_DEALS = Generic advertising for deals
  • KAM_CONTRACT = Spam that will buy your service contract
  • KAM_TOLL = Spam for road tolls
  • KAM_AMAZON = Fake Amazon email with malware
  • KAM_LANDSCAPING = Spam for landscaping
  • KAM_SINGING = Spam for singing lessons
  • KAM_ADVERTISE = Spam that wants you to advertise for them
  • KAM_LAZY_DOMAIN_SECURITY = Sending domain does not have any anti-forgery methods
  • KAM_FORGED_ATTACHED = Forged email with a malware attachment
  • KAM_MANYDOTS = Spam with lots of periods in subject
  • KAM_SUBJECTNOTICE = Spam notices
  • KAM_BACKUP = Spam for backup services
  • KAM_FROMNUM = Spam with large numbers in the from header
  • KAM_LINKBAIT = Short messages containing little more than a link, from a domain with no security in place
  • KAM_LINKBAIT2 = Linkbait that points to wordpress - usually means a compromised site
  • KAM_LINKBAIT3 = Freemail linkbait with a url shortener
  • KAM_PHISHY_DOLLARS = Emails with malware and large dollar amounts
  • KAM_GRABBAG6 = Ratware with multiple from headers and subject beginning with whitespace
  • KAM_GENERICHELLO = Spam with generic greetings in the subject
  • KAM_GOOGLE2 = Fake Google spam
  • KAM_NIGERIAN2 = Nigerian scam variant
  • KAM_FINGERHUT = Spam for fingerhut
  • KAM_FRIEND = Friend request spam
  • KAM_VERY_MALWARE = A message with malware that is definitely unwanted
  • KAM_MERCHANT = Spam for merchant processing
  • KAM_ZERODAY2 = Another obvious zero-day malware
  • KAM_ZERODAY3 = Another obvious zero-day malware
  • KAM_ANCESTOR = Spam for family trees
  • KAM_REMEMBERWHEN = Reminder of something that never happened
  • KAM_NOISE1 = Pattern of noise words at the end of an email
  • KAM_PIZZA = Spam for free pizza
  • KAM_ENGINEER = Spam for engineering contact information
  • KAM_SUNGLASSES = Spam for sunglasses
  • KAM_INVOICE = Spam for invoices
  • KAM_GRIPPY = Spam for sticky grip products
  • KAM_ACCOUNTPHISH = Spam that tries to get account information
  • KAM_PROPERTY = Spam for buying property
  • KAM_FAKEAMEX = A rash of spam that is phishing for American Express information
  • KAM_HUGESUBJECT = Email with a subject longer than any mail client would let you enter
  • KAM_HOOKUP = Spam for Local Hookup Service
  • KAM_PSYCHIC = Current Psychic Product Spam du Jour
  • KAM_BADUNSUB = Bad Unsubscribe Messages
  • KAM_GRABBAG7 = Spam pattern with bad HTML message
  • KAM_TINYURL = Spammy urls that hide behind a link shortener
  • KAM_DROPBOX = Fake Dropbox emails
  • KAM_YAHOO_MISTAKE = Reversing score for some idiotic Yahoo received headers
  • KAM_GRABBAG9 = Garbage email from a garbage freemail account
  • KAM_AQUARUG = Spam for aqua rug product
  • KAM_ITC = Fake email from International Trade Council
  • KAM_SEENTHIS = Have you seen this spam?
  • KAM_DETOX = Spam for trendy detox stuff
  • KAM_DEATHINSURE = Spam for death insurance
  • KAM_REACHBASE = Marketing email pretending to be business info
  • KAM_DIGITALWALLET = Spam for digital wallet services
  • KAM_BADPHP = Questionable PHP mailer headers
  • KAM_TINNITUS = Tinnitus spam
  • KAM_KIWIBANK = Account phish for Kiwibank
  • KAM_HAPPYTALK = Weirdly happy spam
  • KAM_SETTLEMENT = Spam offering lawsuit settlement
  • KAM_CAD = Spam for CAD services
  • KAM_VBMACRO = Message contains attachment with VB macro
  • KAM_DYNIP = Message contains Dynamic IP Address Indicator
  • KAM_REVIEW = Spam for review sites
  • KAM_TOURS = Spam for tours and events
  • KAM_NOMORE = Another predictable spam engine
  • KAM_NOCONFIDENCE = Confidential information sent with no security
  • KAM_ASSASSIN = Assassination spam
  • KAM_DRIVE = Spam for ordering office equipment
  • KAM_BAD_DNSWL = Removing HostKarma and DNSWL HI Scoring for Emails in various RBL
  • KAM_BAD_REVIEW = Online reputation spammers
  • KAM_GOOGLE_AWARD = Fake Google Awards
  • KAM_OBFU_LOANS = Obfuscated Loan Verbiage
  • KAM_WORKFROMHOME = Work from Home Spams
  • KAM_STUDENTLOAN = Student Loan Scam
  • KAM_LED = Solar LED Lighting Spams
  • KAM_ORDER = Fraudulent Order Emails
  • KAM_SHOCK = Spams with energy drinks
  • KAM_BEAUTY = Youth and Beauty Product Scams
  • KAM_WEED = Legal Weed and related investment scams
  • KAM_LOGO = Logo Spam
  • KAM_TRUMPCOIN = Trump Coin Spam
  • KAM_WATER = Water Poison Scam
  • KAM_RUIN = Bank Phishing Scam
  • KAM_WEIGHT2 = Weight loss process du jour
  • KAM_LENS = Amazing Lens Scam
  • KAM_HONOR = Professional Network Scam
  • KAM_BAD_UTF8 = Bad Content Type and Transfer Encoding that attempts to evade ST scanning
  • KAM_DEATH = Supplement Scam
  • KAM_REWARD = Coupon Scam
  • KAM_PACKAGE = Sexual Enhancement Scam
  • KAM_NUMSUBJECT = Subject ends in numbers
  • KAM_MGCS = Boundary Content Indicative of Ratware
  • KAM_NW = Spam Indicator


Plugin Modules

  • BOTNET = Relay might be a spambot or virusbot
  • PYZOR_CHECK = Listed in Pyzor (http://pyzor.sf.net/)
  • RAZOR2_CHECK = Listed in Razor2 (http://razor.sf.net/)
  • RAZOR2_CF_RANGE_51_100 = Razor2 gives confidence level above 50%
  • RAZOR2_CF_RANGE_E4_51_100 = Razor2 gives engine 4 confidence level above 50%
  • RAZOR2_CF_RANGE_E8_51_100 = Razor2 gives engine 8 confidence level above 50%
  • BAYES_00 = Bayes spam probability is 0 to 1%
  • BAYES_05 = Bayes spam probability is 1 to 5%
  • BAYES_20 = Bayes spam probability is 5 to 20%
  • BAYES_40 = Bayes spam probability is 20 to 40%
  • BAYES_50 = Bayes spam probability is 40 to 60%
  • BAYES_60 = Bayes spam probability is 60 to 80%
  • BAYES_80 = Bayes spam probability is 80 to 95%
  • BAYES_95 = Bayes spam probability is 95 to 99%
  • BAYES_99 = Bayes spam probability is 99 to 100%
  • BAYES_999 = Bayes spam probability is 99.9 to 100%


Copperfasten Mail Filtering Appliance Rulesets (Early SpamTitan Custom Rulesets)

  • CMFA_GEOCITIES = High amounts of spam from Geocities.
  • CMFA_GEOCITIES1 = High amounts of spam from Geocities.
  • CMFA_IMAGESHACK1 = Image Spam Squatter
  • CMFA_IMAGESHACK2 = Image Spam Squatter 2
  • CMFA_DRUG1 = Drug names in table of 1-letter columns
  • CMFA_YAHOOGEO = Email Contains a link to Geocities at yahoo
  • CMFA_EARLY1 = not listed yet
  • CMFA_BLOGS1 = Redirect to Spam Site
  • CMFA_GGROUPS1 = Use of Google redir appearing in spam July 2006
  • CMFA_GGROUPS2 = Use docs.google.com
  • CMFA_GGROUPS3 = Use of journals.aol.com
  • CMFA_GGROUPS4 = Use of yahoo groups
  • CMFA_GGROUPS5 = spaces.live.com
  • CMFA_GGROUPS6 = cid spaces.live.com
  • CMFA_GGROUPS7 = livejournal com
  • CMFA_GGROUPS8 = redirect polish site
  • CMFA_GGROUPS9 = Penalise google shortened URLS
  • CMFA_GGROUPS10 = Penalise godaddy shortened URLS
  • CMFA_GGROUPS11 = Penalise twitter shortened URLS
  • CMFA_GGROUPS12 = Penalise betaworks shortened URLS
  • CMFA_GGROUPS13 = Penalise Your Short shortened URLS
  • CMFA_GGROUPS14 = PAY PAL Phishing site
  • CMFA_AIB_PHISH = AIB Phising Mail
  • CMFA_AIB_PHISH4 = AIB Phising Mail
  • CMFA_AIB_PHISH5 = AIB Phising Mail
  • CMFA_YAHOOGEO = spam links
  • CMFA_GEOCITIES = High amounts of spam from Geocities.
  • CMFA_GEOCITIES1 = High amounts of spam from Geocities.
  • CMFA_IMAGESHACK1 = Image Spam Squatter
  • CMFA_IMAGESHACK2 = Image Spam Squatter 2
  • CMFA_DRUG1 = Drug names in table of 1-letter columns
  • CMFA_YAHOOGEO = Email Contains a link to Geocities at yahoo
  • CMFA_EARLY1 = not listed yet
  • CMFA_BLOGS1 = Redirect to Spam Site
  • CMFA_GGROUPS1 = Use of Google redir appearing in spam July 2006
  • CMFA_GGROUPS2 = Use docs.google.com
  • CMFA_GGROUPS3 = Use of journals.aol.com
  • CMFA_GGROUPS4 = Use of yahoo groups
  • CMFA_GGROUPS5 = spaces.live.com
  • CMFA_GGROUPS6 = cid spaces.live.com
  • CMFA_GGROUPS7 = livejournal com
  • CMFA_GGROUPS8 = redirect polish site
  • CMFA_GGROUPS9 = Penalise google shortened URLS
  • CMFA_GGROUPS10 = Penalise godaddy shortened URLS
  • CMFA_GGROUPS11 = Penalise twitter shortened URLS
  • CMFA_GGROUPS12 = Penalise betaworks shortened URLS
  • CMFA_GGROUPS13 = Penalise Your Short shortened URLS
  • CMFA_GGROUPS14 = PAY PAL Phishing site
  • CMFA_AIB_PHISH = AIB Phising Mail
  • CMFA_AIB_PHISH4 = AIB Phising Mail
  • CMFA_AIB_PHISH5 = AIB Phising Mail
  • CMFA_UME = Kill UME
  • CMFA_UME2 = Kill UME 2
  • CFMA_RMSTAR = Spam phrase - obfuscated url
  • CFMA_RMSTAR2 = Spam phrase - obfuscated url
  • CFMA_RMSTAR3 = Spam phrase - obfuscated url
  • CFMA_RMSTAR4 = Spam phrase - obfuscated url
  • CFMA_DRUGX = obfuscated viagra spam
  • CFMA_OBFURL = obfuscated url with star
  • CFMA_OBFURL2 = obfuscated url with bang
  • CFMA_OBFURL3 = obfuscated url with space
  • CFMA_OBFURL4 = obfuscated url with space
  • CFMA_RMSTAR = Spam phrase - obfuscated url
  • CFMA_RMSTAR2 = Spam phrase - obfuscated url
  • CFMA_RMSTAR3 = Spam phrase - obfuscated url
  • CFMA_RMSTAR4 = Spam phrase - obfuscated url
  • CFMA_DRUGX = obfuscated viagra spam
  • CFMA_OBFURL = obfuscated url with star
  • CFMA_OBFURL2 = obfuscated url with bang
  • CFMA_OBFURL3 = obfuscated url with space
  • CFMA_OBFURL4 = obfuscated url with space


New range of SpamTitan Custom Rules

  • ST_RCVD_IN_HOSTKARMA_W = Sender listed in HOSTKARMA-WHITE
  • ST_RCVD_IN_HOSTKARMA_BL = Sender listed in HOSTKARMA-BLACK
  • ST_RCVD_IN_HOSTKARMA_BR = Sender listed in HOSTKARMA-BROWN
  • ST_RCVD_IN_SEMBLACK = Received from an IP listed by SpamEatingMonkey BLACK
  • ST_RCVD_IN_NIX_SPAM = Listed in NIX-SPAM DNSBL (heise.de)
  • ST_RCVD_IN_MSPIKE_BL = Received via a relay with bad Mailspike Reputation
  • ST_RCVD_IN_SPAMRATS_DYNA = Sender listed in dyna.spamrats
  • ST_TRANSACTION1 = Catch virues with between 1 and three capital letters followed by keywords
  • ST_INFO_BADDOM = From info at new domain
  • ST_VIDEO_NASTY = Spam links to movies
  • ST_SEX = Sexually Explicit Spam
  • ST_CARBS = Diet spam
  • ST_VID1 = Weight loss video clips
  • ST_ANCHOR_VALIDATE = uri within Anchor tag ($lt;a href=...$gt;) is different than the internal text of the tax ($lt;a$gt;...$lt;/a$gt;)
  • ST_WTC_URIBL = URI is rejected by WebTitan Cloud
  • ST_WORD_WITHOUT_VOWELS = Long word without any vowels
  • ST_DIGITS_LETTERS = Mixed groups of letters followed by numbers
  • ST_SPF_SOFTFAIL_FREEMAIL = Escalate SPF Softfails for free mail services
  • ST_SPACED_URLS = Body contains urls that are space separated at the dots
  • ST_SPACED_EMAILS = Body contains email addresses that are space separated at the dots and/or the at symbol
  • ST_DEAR_EMAILS = Body contains "Dear user@domain.com"
  • ST_UNDISCLOSED_RECIPIENTS = To "undisclosed-recipients:;"
  • ST_SHORTENED_LINKS = punish link shortneners in emails
  • ST_INVALID_DOLLARS = A dollar amount should be separated by a period, not a comma, likely spam.
  • ST_APPLE_SPAM = Looks like an Apple Invoice, but isn't
  • ST_FROM_GOOGLE_NOT_GMAIL = Penalize Google Apps spamming accounts
  • ST_LONG_ENVELOPE_FROM = Envelope From is very long
  • ST_LOC_SHORT = Contains short body and URI
  • ST_TOO_MANY_NBSP = A large number of non-breaking space characters are used in a row, with spaces in between
  • ST_REPEAT_CHAR = The same character repeated too many times in a row in a header
  • ADULT_CONTENT_BODY = Meta test, testing for NSFW phrases and words in the rawbody
  • ADULT_CONTENT_HEADER = Meta test, testing for NSFW phrases and words in the Subject
  • IGNORE_BAYES_00_ADULT = Cancel out BAYES_00 test if triggered with the Adult Content Ruleset
  • ST_URIBL_RFC_CLUELESS_DSN = URI listed on dsn.rfc-clueless.org
  • ST_URIBL_RFC_CLUELESS_PMR = URI listed on postmaster.rfc-clueless.org
  • ST_URIBL_RFC_CLUELESS_ABS = URI listed on abuse.rfc-clueless.org
  • ST_URIBL_RFC_CLUELESS_WHO = URI listed on whois.rfc-clueless.org
  • ST_URIBL_RFC_CLUELESS_BMX = URI listed on bogusmx.rfc-clueless.org
  • ST_URIBL_RFC_CLUELESS_MULTI = URIs are listed on 4/5 rfc-clueless.org lists
  • ST_RCVD_IN_ANONMAILS_LASTEXT = Received via a relay listed in spam.dnsbl.anonmails.de
  • ST_RCVD_IN_INPS_DE_LASTEXT = Received via a relay listed in inps.de DNSBL
  • ST_RCVD_IN_SPAMCANNIBAL_LASTEXT = Received via a relay listed in bl.spamcannibal.org
  • ST_RCVD_IN_SPAMCANNIBAL = Passed through a relay listed in bl.spamcannibal.org
  • ST_RCVD_IN_BLOCKLIST_DE_LASTEXT = Received via a relay listed in bl.blocklist.de
  • ST_RCVD_IN_BLOCKLIST_DE = Passed through a relay listed in bl.blocklist.de
  • ST_RCVD_IN_LASHBACK_LASTEXT = Received via a relay listed in Lashback unsubscore.com
  • ST_RCVD_IN_LASHBACK = Passed through relay listed in Lashback unsubscore.com
  • ST_RCVD_IN_BACKSCATTERER_LASTEXT = Received via a relay listed in Backscatter RBL list
  • ST_RCVD_IN_BRBL = Passed through a relay listed in Barracuda RBL
  • ST_RCVD_IN_S5H_LASTEXT = Received via a relay listed in all.s5h.net
  • ST_RCVD_IN_FABEL_LASTEXT = Received via a relay listed in spamsources.fabel.dk
  • ST_URIBL_ZAPBL = Contains a domain listed in the ZapBL RHSBL blacklist
  • ST_RCVD_IN_ZAPBL_LASTEXT = Received via a relay listed in ZapBL
  • ST_RCVD_IN_ZAPBL = Passed through a relay listed in ZapBL
  • ST_RCVD_IN_DNSRBL_LASTEXT = Received via a relay listed in dnsrbl.org
  • ST_URIBL_SARBL = Contains an URL listed in the SARBL blocklist
  • ST_URIBL_FMBLA = Contains an URL listed in the fmb.la blocklist
  • ST_RCVD_IN_FMBLA_LASTEXT = Received via a relay listed in bl.fmb.la
  • ST_RCVD_IN_FMBLA = Passed through a relay listed in bl.fmb.la
  • ST_URIBL_ABUSE_RO_BLACK = Contains a blacklisted URL at uribl.abuse.ro
  • ST_RCVD_IN_ABUSE_RO_LASTEXT = Received via a relay listed in rbl.abuse.ro
  • ST_RCVD_IN_ABUSE_RO = Passed through a relay listed in rbl.abuse.ro
  • ST_ENVFROM_IN_ABUSE_RO = Envelope From: sender listed in dbl.abuse.ro
  • ST_RCVD_IN_MEGARBL_LASTEXT = Received via a relay listed in rbl.megarbl.net
  • ST_RCVD_IN_REALTIME_LASTEXT = Received via a relay listed in rbl.realtimeblacklist.com
  • ST_RCVD_IN_DRONEBL_LASTEXT = Received via a relay listed in dnsbl.dronebl.org
  • ST_RCVD_IN_DRONEBL = Passed through a relay listed in dnsbl.dronebl.org
  • ST_URIBL_SWINOG = Contains a blacklisted URL listed in uribl.swinog.ch.
  • ST_RCVD_IN_SENDERSCORE_90_100 = Senderscore.org score of 90 to 100
  • ST_RCVD_IN_SENDERSCORE_80_89 = Senderscore.org score of 80 to 89
  • ST_RCVD_IN_SENDERSCORE_70_79 = Senderscore.org score of 70 to 79
  • ST_RCVD_IN_SENDERSCORE_60_69 = Senderscore.org score of 60 to 69
  • ST_RCVD_IN_SENDERSCORE_50_59 = Senderscore.org score of 50 to 59
  • ST_RCVD_IN_SENDERSCORE_30_49 = Senderscore.org score of 30 to 49
  • ST_RCVD_IN_SENDERSCORE_0_29 = Senderscore.org score of 0 to 29
  • ST_RCVD_IN_UCEPROTECT1 = Listed in dnsbl-1.uceprotect.net
  • ST_RCVD_IN_UCEPROTECT2 = Listed in dnsbl-2.uceprotect.net
  • ST_RCVD_IN_UCEPROTECT3 = Listed in dnsbl-3.uceprotect.net
  • ST_URIBL_SEM = Contains a URI listed by SEM-URI
  • ST_URIBL_SEM_RED = Contains a URI listed by SEM-URIRED
  • ST_RCVD_IN_SEMBACKSCATTER = Received from an IP listed by SEM-BACKSCATTER
  • ST_RCVD_IN_SEMBLACK = Received from an IP listed by SEM-NETBLACK
  • ST_URIBL_SEM_FRESH = Contains a domain registered less than 5 days ago
  • ST_URIBL_SEM_FRESH10 = Contains a domain registered less than 10 days ago
  • ST_URIBL_SEM_FRESH15 = Contains a domain registered less than 15 days ago
  • ST_URIBL_SEM_FRESH30 = Contains a domain registered less than 30 days ago
  • ST_DMARC_FAIL_REJECT = DMARC validation failed and policy is to reject
  • ST_DMARC_FAIL_QUAR = DMARC validation failed and policy is quarantine
  • ST_DMARC_FAIL_NONE = DMARC validation failed and policy is none
  • ST_DMARC_PASS_REJECT = DMARC validation passed and policy is to reject
  • ST_DMARC_PASS_QUAR = DMARC validation passed and policy is quarantine
  • ST_DMARC_PASS_NONE = DMARC validation passed and policy is none


SpamTitan Cloud and Private Cloud Special Rules

  • T_URIBL_IVMURI = URI Listed in ivmURI found at invaluement.com
  • RCVD_IN_IVMSIP = Received header listed on ivmSIP found at invaluement.com
  • RCVD_IN_IVMSIP24 = Received header listed on ivmSIP/24 found at invaluement.com
  • URIBL_GOLD = Contains an URL listed in the URIBL goldlist
  • ST_URIBL_SBL = Contains an URL's NS IP listed in the SBL blocklist
  • ST_RCVD_IN_SBL = Received via a relay in Spamhaus SBL
  • ST_RCVD_IN_XBL = Received via a relay in Spamhaus XBL
  • ST_RCVD_IN_PBL = Received via a relay in Spamhaus PBL
  • ST_RCVD_IN_SBL_CSS = Received via a relay in Spamhaus SBL-CSS
  • ST_URIBL_DBL_SPAM = Contains a spam URL listed in the DBL blocklist
  • ST_URIBL_DBL_PHISH = Contains a Phishing URL listed in the DBL blocklist
  • ST_URIBL_DBL_MALWARE = Contains a malware URL listed in the DBL blocklist
  • ST_URIBL_DBL_BOTNETCC = Contains a botned C&C URL listed in the DBL blocklist
  • ST_URIBL_DBL_ABUSE_SPAM = Contains an abused spamvertized URL listed in the DBL blocklist
  • ST_URIBL_DBL_ABUSE_REDIR = Contains an abused redirector URL listed in the DBL blocklist
  • ST_URIBL_DBL_ABUSE_PHISH = Contains an abused phishing URL listed in the DBL blocklist
  • ST_URIBL_DBL_ABUSE_MALW = Contains an abused malware URL listed in the DBL blocklist
  • ST_URIBL_DBL_ABUSE_BOTCC = Contains an abused botnet C&C URL listed in the DBL blocklist queried the DBL blocklist for an IP
  • ST_RCVD_IN_THQ_WHITE = In TitanHQ White Reputation list
  • ST_RCVD_IN_THQ_W3 = In TitanHQ W3 Reputation list
  • ST_RCVD_IN_THQ_W2 = In TitanHQ W2 Reputation list
  • ST_RCVD_IN_THQ_W1 = In TitanHQ W1 Reputation list
  • ST_RCVD_IN_THQ_B1 = In TitanHQ B1 Reputation list
  • ST_RCVD_IN_THQ_B2 = In TitanHQ B2 Reputation list
  • ST_RCVD_IN_THQ_B3 = In TitanHQ B3 Reputation list
  • ST_RCVD_IN_THQ_BLACK = In TitanHQ Black Reputation list


Other Third Party Rulesets

Sometimes other third party rulesets aimed at a specific style of Spam are introduced to a SpamTitan system. These aren't developed or maintained by us, and we cannot offer direct explanation of the rules provided by these ruleset providers.