About

SpamTitan utilizes a number of first-party and third-party rulesets for capturing spam. When viewing the Spam Tests that trigger on a mail, it can often be unclear what each Spam Test is actually doing. This page compiles the descriptions of the rules utilized in SpamTitan, including our most common third-party rulesets (such as KAM).


Not all Spam Tests listed on this page are utilized in every SpamTitan install. A subset of these rules comes out of the box, and the rest must be enabled. This is because some of them are considerably more aggressive. That helps the spam catch rate, but it can also cause false positives, which is why they aren't enabled by default.


Any rule not found in this list may be from a third party ruleset that we don't maintain. See the last section on this page.


Built-in Rules

  • GTUBE = Generic Test for Unsolicited Bulk Email
  • TRACKER_ID = Incorporates a tracking ID number
  • WEIRD_QUOTING = Weird repeated double-quotation marks
  • MIME_HTML_ONLY_MULTI = Multipart message only has text/html MIME parts
  • MIME_CHARSET_FARAWAY = MIME character set indicates foreign language
  • EMAIL_ROT13 = Body contains a ROT13-encoded email address
  • LONGWORDS = Long string of long words
  • MPART_ALT_DIFF = HTML and text parts are different
  • MPART_ALT_DIFF_COUNT = HTML and text parts are different
  • BLANK_LINES_80_90 = Message body has 80-90% blank lines
  • CHARSET_FARAWAY = Character set indicates a foreign language
  • MIME_BASE64_BLANKS = Extra blank lines in base64 encoding
  • MIME_BASE64_TEXT = Message text disguised using base64 encoding
  • MISSING_MIME_HB_SEP = Missing blank line between MIME header and body
  • MIME_HTML_MOSTLY = Multipart message mostly text/html MIME
  • MIME_HTML_ONLY = Message only has text/html MIME parts
  • MIME_QP_LONG_LINE = Quoted-printable line longer than 76 chars
  • MIME_BAD_ISO_CHARSET = MIME character set is an unknown ISO charset
  • HTTPS_IP_MISMATCH = IP to HTTPS link found in HTML
  • URI_TRUNCATED = Message contained a URI which was truncated
  • NO_RECEIVED = Informational: message has no Received headers
  • ALL_TRUSTED = Passed through trusted hosts only via SMTP
  • NO_RELAYS = Informational: message was not relayed via SMTP
  • RCVD_IN_SORBS_HTTP = SORBS: sender is open HTTP proxy server
  • RCVD_IN_SORBS_SOCKS = SORBS: sender is open SOCKS proxy server
  • RCVD_IN_SORBS_MISC = SORBS: sender is open proxy server
  • RCVD_IN_SORBS_SMTP = SORBS: sender is open SMTP relay
  • RCVD_IN_SORBS_WEB = SORBS: sender is an abusable web server
  • RCVD_IN_SORBS_BLOCK = SORBS: sender demands to never be tested
  • RCVD_IN_SORBS_ZOMBIE = SORBS: sender is on a hijacked network
  • RCVD_IN_SORBS_DUL = SORBS: sent directly from dynamic IP address
  • RCVD_IN_SBL = Received via a relay in Spamhaus SBL
  • RCVD_IN_XBL = Received via a relay in Spamhaus XBL
  • RCVD_IN_PBL = Received via a relay in Spamhaus PBL
  • RCVD_IN_SBL_CSS = Received via a relay in Spamhaus SBL-CSS
  • RCVD_IN_BL_SPAMCOP_NET = Received via a relay in bl.spamcop.net
  • RCVD_IN_MAPS_RBL = Relay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html
  • RCVD_IN_MAPS_DUL = Relay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html
  • RCVD_IN_MAPS_RSS = Relay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html
  • RCVD_IN_MAPS_OPS = Relay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html
  • RCVD_IN_MAPS_NML = Relay in NML, http://www.mail-abuse.com/enduserinfo_nml.html
  • RCVD_IN_IADB_VOUCHED = ISIPP IADB lists as vouched-for sender
  • RCVD_IN_RP_CERTIFIED = Sender in ReturnPath Certified - Contact cert-sa@returnpath.net
  • RCVD_IN_RP_SAFE = Sender in ReturnPath Safe - Contact safe-sa@returnpath.net
  • RCVD_IN_RP_RNBL = Relay in RNBL, https://senderscore.org/blacklistlookup/
  • DKIMDOMAIN_IN_DWL = Signing domain listed in Spamhaus DWL
  • DKIMDOMAIN_IN_DWL_UNKNOWN = Unrecognized response from Spamhaus DWL
  • SUBJECT_DRUG_GAP_C = Subject contains a gappy version of 'cialis'
  • SUBJECT_DRUG_GAP_L = Subject contains a gappy version of 'levitra'
  • SUBJECT_DRUG_GAP_S = Subject contains a gappy version of 'soma'
  • SUBJECT_DRUG_GAP_VA = Subject contains a gappy version of 'valium'
  • SUBJECT_DRUG_GAP_X = Subject contains a gappy version of 'xanax'
  • DRUG_DOSAGE = Talks about price per dose
  • DRUG_ED_CAPS = Mentions an E.D. drug
  • DRUG_ED_SILD = Talks about an E.D. drug using its chemical name
  • DRUG_ED_GENERIC = Mentions Generic Viagra
  • DRUG_ED_ONLINE = Fast Viagra Delivery
  • ONLINE_PHARMACY = Online Pharmacy
  • NO_PRESCRIPTION = No prescription needed
  • VIA_GAP_GRA = Attempts to disguise the word 'viagra'
  • DRUGS_ERECTILE = Refers to an erectile drug
  • DRUGS_ERECTILE_OBFU = Obfuscated reference to an erectile drug
  • DRUGS_DIET = Refers to a diet drug
  • DRUGS_DIET_OBFU = Obfuscated reference to a diet drug
  • DRUGS_MUSCLE = Refers to a muscle relaxant
  • DRUGS_ANXIETY = Refers to an anxiety control drug
  • DRUGS_ANXIETY_OBFU = Obfuscated reference to an anxiety control drug
  • DRUGS_SMEAR1 = Two or more drugs crammed together into one word
  • DRUGS_ANXIETY_EREC = Refers to both an erectile and an anxiety drug
  • DRUGS_SLEEP_EREC = Refers to both an erectile and a sleep aid drug
  • DRUGS_MANYKINDS = Refers to at least four kinds of drugs
  • RDNS_DYNAMIC = Delivered to internal network by host with dynamic-looking rDNS
  • RDNS_NONE = Delivered to internal network by a host with no rDNS
  • HELO_STATIC_HOST = Relay HELO'd using static hostname
  • HELO_DYNAMIC_IPADDR = Relay HELO'd using suspicious hostname (IP addr 1)
  • HELO_DYNAMIC_DHCP = Relay HELO'd using suspicious hostname (DHCP)
  • HELO_DYNAMIC_HCC = Relay HELO'd using suspicious hostname (HCC)
  • HELO_DYNAMIC_ROGERS = Relay HELO'd using suspicious hostname (Rogers)
  • HELO_DYNAMIC_DIALIN = Relay HELO'd using suspicious hostname (T-Dialin)
  • HELO_DYNAMIC_HEXIP = Relay HELO'd using suspicious hostname (Hex IP)
  • HELO_DYNAMIC_SPLIT_IP = Relay HELO'd using suspicious hostname (Split IP)
  • HELO_DYNAMIC_IPADDR2 = Relay HELO'd using suspicious hostname (IP addr 2)
  • HELO_DYNAMIC_CHELLO_NL = Relay HELO'd using suspicious hostname (Chello.nl)
  • HELO_DYNAMIC_HOME_NL = Relay HELO'd using suspicious hostname (Home.nl)
  • FREEMAIL_REPLYTO = Reply-To/From or Reply-To/body contain different freemails
  • FREEMAIL_REPLY = From and body contain different freemails
  • FREEMAIL_FROM = Sender email is commonly abused enduser mail provider
  • FREEMAIL_ENVFROM_END_DIGIT = Envelope-from freemail username ends in digit
  • FREEMAIL_REPLYTO_END_DIGIT = Reply-To freemail username ends in digit
  • FREEMAIL_FORGED_REPLYTO = Freemail in Reply-To, but not From
  • FRAGMENTED_MESSAGE = Partial message
  • FROM_BLANK_NAME = From: contains empty name
  • FROM_STARTS_WITH_NUMS = From: starts with several numbers
  • FROM_OFFERS = From address is "at something-offers"
  • FROM_NO_USER = From: has no local-part before @ sign
  • PLING_QUERY = Subject has exclamation mark and question mark
  • MSGID_SPAM_CAPS = Spam tool Message-Id: (caps variant)
  • MSGID_SPAM_LETTERS = Spam tool Message-Id: (letters variant)
  • MSGID_RANDY = Message-Id has pattern used in spam
  • MSGID_YAHOO_CAPS = Message-ID has ALLCAPS@yahoo.com
  • FORGED_MSGID_AOL = Message-ID is forged, (aol.com)
  • FORGED_MSGID_EXCITE = Message-ID is forged, (excite.com)
  • FORGED_MSGID_HOTMAIL = Message-ID is forged, (hotmail.com)
  • FORGED_MSGID_MSN = Message-ID is forged, (msn.com)
  • FORGED_MSGID_YAHOO = Message-ID is forged, (yahoo.com)
  • MSGID_FROM_MTA_HEADER = Message-Id was added by a relay
  • MSGID_SHORT = Message-ID is unusually short
  • DATE_SPAMWARE_Y2K = Date header uses unusual Y2K formatting
  • INVALID_DATE = Invalid Date: header (not RFC 2822)
  • INVALID_DATE_TZ_ABSURD = Invalid Date: header (timezone does not exist)
  • INVALID_TZ_CST = Invalid date in header (wrong CST timezone)
  • INVALID_TZ_EST = Invalid date in header (wrong EST timezone)
  • FROM_EXCESS_BASE64 = From: base64 encoded unnecessarily
  • ENGLISH_UCE_SUBJECT = Subject contains an English UCE tag
  • JAPANESE_UCE_SUBJECT = Subject contains a Japanese UCE tag
  • JAPANESE_UCE_BODY = Body contains Japanese UCE tag
  • KOREAN_UCE_SUBJECT = Subject: contains Korean unsolicited email tag
  • RCVD_DOUBLE_IP_SPAM = Bulk email fingerprint (double IP) found
  • RCVD_DOUBLE_IP_LOOSE = Received: by and from look like IP addresses
  • FORGED_TELESP_RCVD = Contains forged hostname for a DSL IP in Brazil
  • CONFIRMED_FORGED = Received headers are forged
  • MULTI_FORGED = Received headers indicate multiple forgeries
  • NONEXISTENT_CHARSET = Character set doesn't exist
  • MISSING_MID = Missing Message-Id: header
  • MISSING_DATE = Missing Date: header
  • MISSING_SUBJECT = Missing Subject: header
  • MISSING_FROM = Missing From: header
  • GAPPY_SUBJECT = Subject: contains G.a.p.p.y-T.e.x.t
  • PREVENT_NONDELIVERY = Message has Prevent-NonDelivery-Report header
  • X_IP = Message has X-IP header
  • MISSING_MIMEOLE = Message has X-MSMail-Priority, but no X-MimeOLE
  • SUBJ_AS_SEEN = Subject contains "As Seen"
  • SUBJ_DOLLARS = Subject starts with dollar amount
  • SUBJ_YOUR_FAMILY = Subject contains "Your Family"
  • RCVD_FAKE_HELO_DOTCOM = Received contains a faked HELO hostname
  • SUBJECT_DIET = Subject talks about losing pounds
  • MIME_BOUND_DD_DIGITS = Spam tool pattern in MIME boundary
  • MIME_BOUND_DIGITS_15 = Spam tool pattern in MIME boundary
  • MIME_BOUND_MANY_HEX = Spam tool pattern in MIME boundary
  • TO_MALFORMED = To: has a malformed address
  • MIME_HEADER_CTYPE_ONLY = 'Content-Type' found without required MIME headers
  • WITH_LC_SMTP = Received line contains spam-sign (lowercase smtp)
  • SUBJ_BUY = Subject line starts with Buy or Buying
  • RCVD_AM_PM = Received headers forged (AM/PM)
  • FAKE_OUTBLAZE_RCVD = Received header contains faked 'mr.outblaze.com'
  • UNCLOSED_BRACKET = Headers contain an unclosed bracket
  • FROM_DOMAIN_NOVOWEL = From: domain has series of non-vowel letters
  • FROM_LOCAL_NOVOWEL = From: localpart has series of non-vowel letters
  • FROM_LOCAL_HEX = From: localpart has long hexadecimal sequence
  • FROM_LOCAL_DIGITS = From: localpart has long digit sequence
  • X_PRIORITY_CC = Cc: after X-Priority: (bulk email fingerprint)
  • BAD_ENC_HEADER = Message has bad MIME encoding in the header
  • RCVD_ILLEGAL_IP = Received: contains illegal IP address
  • CHARSET_FARAWAY_HEADER = A foreign language charset used in headers
  • SUBJ_ILLEGAL_CHARS = Subject: has too many raw illegal characters
  • FROM_ILLEGAL_CHARS = From: has too many raw illegal characters
  • HEAD_ILLEGAL_CHARS = Headers have too many raw illegal characters
  • FORGED_HOTMAIL_RCVD2 = hotmail.com 'From' address, but no 'Received:'
  • FORGED_YAHOO_RCVD = 'From' yahoo.com does not match 'Received' headers
  • SORTED_RECIPS = Recipient list is sorted by address
  • SUSPICIOUS_RECIPS = Similar addresses in recipient list
  • MISSING_HEADERS = Missing To: header
  • DATE_IN_PAST_03_06 = Date: is 3 to 6 hours before Received: date
  • DATE_IN_PAST_06_12 = Date: is 6 to 12 hours before Received: date
  • DATE_IN_PAST_12_24 = Date: is 12 to 24 hours before Received: date
  • DATE_IN_PAST_24_48 = Date: is 24 to 48 hours before Received: date
  • DATE_IN_PAST_96_XX = Date: is 96 hours or more before Received: date
  • DATE_IN_FUTURE_03_06 = Date: is 3 to 6 hours after Received: date
  • DATE_IN_FUTURE_06_12 = Date: is 6 to 12 hours after Received: date
  • DATE_IN_FUTURE_12_24 = Date: is 12 to 24 hours after Received: date
  • DATE_IN_FUTURE_24_48 = Date: is 24 to 48 hours after Received: date
  • DATE_IN_FUTURE_48_96 = Date: is 48 to 96 hours after Received: date
  • DATE_IN_FUTURE_96_XX = Date: is 96 hours or more after Received: date
  • UNRESOLVED_TEMPLATE = Headers contain an unresolved template
  • SUBJ_ALL_CAPS = Subject is all capitals
  • LOCALPART_IN_SUBJECT = Local part of To: address appears in Subject
  • MSGID_OUTLOOK_INVALID = Message-Id is fake (in Outlook Express format)
  • HEADER_COUNT_CTYPE = Multiple Content-Type headers found
  • HEAD_LONG = Message headers are very long
  • MISSING_HB_SEP = Missing blank line between message header and body
  • UNPARSEABLE_RELAY = Informational: message has unparseable relay lines
  • RCVD_HELO_IP_MISMATCH = Received: HELO and IP do not match, but should
  • RCVD_NUMERIC_HELO = Received: contains an IP address used for HELO
  • NO_RDNS_DOTCOM_HELO = Host HELO'd as a big ISP, but had no rDNS
  • HTML_SHORT_LINK_IMG_1 = HTML is very short with a linked image
  • HTML_SHORT_LINK_IMG_2 = HTML is very short with a linked image
  • HTML_SHORT_LINK_IMG_3 = HTML is very short with a linked image
  • HTML_SHORT_CENTER = HTML is very short with CENTER tag
  • HTML_CHARSET_FARAWAY = A foreign language charset used in HTML markup
  • HTML_MIME_NO_HTML_TAG = HTML-only message, but there is no HTML tag
  • HTML_MISSING_CTYPE = Message is HTML without HTML Content-Type
  • HIDE_WIN_STATUS = Javascript to hide URLs in browser
  • OBFUSCATING_COMMENT = HTML comments which obfuscate text
  • JS_FROMCHARCODE = Document is built from a Javascript charcode array
  • HTML_MESSAGE = HTML included in message
  • HTML_COMMENT_SHORT = HTML comment is very short
  • HTML_COMMENT_SAVED_URL = HTML message is a saved web page
  • HTML_EMBEDS = HTML with embedded plugin object
  • HTML_EXTRA_CLOSE = HTML contains far too many close tags
  • HTML_FONT_SIZE_LARGE = HTML font size is large
  • HTML_FONT_SIZE_HUGE = HTML font size is huge
  • HTML_FONT_LOW_CONTRAST = HTML font color similar or identical to background
  • HTML_FONT_FACE_BAD = HTML font face is not a word
  • HTML_FORMACTION_MAILTO = HTML includes a form which sends mail
  • HTML_IMAGE_ONLY_04 = HTML: images with 0-400 bytes of words
  • HTML_IMAGE_ONLY_08 = HTML: images with 400-800 bytes of words
  • HTML_IMAGE_ONLY_12 = HTML: images with 800-1200 bytes of words
  • HTML_IMAGE_ONLY_16 = HTML: images with 1200-1600 bytes of words
  • HTML_IMAGE_ONLY_20 = HTML: images with 1600-2000 bytes of words
  • HTML_IMAGE_ONLY_24 = HTML: images with 2000-2400 bytes of words
  • HTML_IMAGE_ONLY_28 = HTML: images with 2400-2800 bytes of words
  • HTML_IMAGE_ONLY_32 = HTML: images with 2800-3200 bytes of words
  • HTML_IMAGE_RATIO_02 = HTML has a low ratio of text to image area
  • HTML_IMAGE_RATIO_04 = HTML has a low ratio of text to image area
  • HTML_IMAGE_RATIO_06 = HTML has a low ratio of text to image area
  • HTML_IMAGE_RATIO_08 = HTML has a low ratio of text to image area
  • HTML_OBFUSCATE_05_10 = Message is 5% to 10% HTML obfuscation
  • HTML_OBFUSCATE_10_20 = Message is 10% to 20% HTML obfuscation
  • HTML_OBFUSCATE_20_30 = Message is 20% to 30% HTML obfuscation
  • HTML_OBFUSCATE_30_40 = Message is 30% to 40% HTML obfuscation
  • HTML_OBFUSCATE_50_60 = Message is 50% to 60% HTML obfuscation
  • HTML_OBFUSCATE_70_80 = Message is 70% to 80% HTML obfuscation
  • HTML_OBFUSCATE_90_100 = Message is 90% to 100% HTML obfuscation
  • HTML_TAG_BALANCE_BODY = HTML has unbalanced "body" tags
  • HTML_TAG_BALANCE_HEAD = HTML has unbalanced "head" tags
  • HTML_TAG_EXIST_BGSOUND = HTML has "bgsound" tag
  • HTML_BADTAG_40_50 = HTML message is 40% to 50% bad tags
  • HTML_BADTAG_50_60 = HTML message is 50% to 60% bad tags
  • HTML_BADTAG_60_70 = HTML message is 60% to 70% bad tags
  • HTML_BADTAG_90_100 = HTML message is 90% to 100% bad tags
  • HTML_NONELEMENT_30_40 = 30% to 40% of HTML elements are non-standard
  • HTML_NONELEMENT_40_50 = 40% to 50% of HTML elements are non-standard
  • HTML_NONELEMENT_60_70 = 60% to 70% of HTML elements are non-standard
  • HTML_NONELEMENT_80_90 = 80% to 90% of HTML elements are non-standard
  • HTML_IFRAME_SRC = Message has HTML IFRAME tag with SRC URI
  • DC_GIF_UNO_LARGO = Message contains a single large gif image
  • DC_PNG_UNO_LARGO = Message contains a single large png image
  • DC_IMAGE_SPAM_TEXT = Possible Image-only spam with little text
  • DC_IMAGE_SPAM_HTML = Possible Image-only spam
  • RCVD_IN_MSPIKE_L5 = Very bad reputation (-5)
  • RCVD_IN_MSPIKE_L4 = Bad reputation (-4)
  • RCVD_IN_MSPIKE_L3 = Low reputation (-3)
  • RCVD_IN_MSPIKE_L2 = Suspicious reputation (-2)
  • RCVD_IN_MSPIKE_H5 = Excellent reputation (+5)
  • RCVD_IN_MSPIKE_H4 = Very Good reputation (+4)
  • RCVD_IN_MSPIKE_H3 = Good reputation (+3)
  • RCVD_IN_MSPIKE_H2 = Average reputation (+2)
  • RCVD_IN_MSPIKE_BL = Mailspike blacklisted
  • RCVD_IN_MSPIKE_WL = Mailspike good senders
  • UPPERCASE_50_75 = message body is 50-75% uppercase
  • UPPERCASE_75_100 = message body is 75-100% uppercase
  • INVALID_MSGID = Message-Id is not valid, according to RFC 2822
  • FORGED_MUA_MOZILLA = Forged mail pretending to be from Mozilla
  • PERCENT_RANDOM = Message has a random macro in it
  • EMPTY_MESSAGE = Message appears to have no textual parts and no Subject: text
  • NO_HEADERS_MESSAGE = Message appears to be missing most RFC-822 headers
  • DIGEST_MULTIPLE = Message hits more than one network digest check
  • NO_DNS_FOR_FROM = Envelope sender has no MX or A DNS records
  • GMD_PDF_HORIZ = Contains pdf 100-240 (high) x 450-800 (wide)
  • GMD_PDF_SQUARE = Contains pdf 180-360 (high) x 180-360 (wide)
  • GMD_PDF_VERT = Contains pdf 450-800 (high) x 100-240 (wide)
  • GMD_PRODUCER_GPL = PDF producer was GPL Ghostscript
  • GMD_PRODUCER_POWERPDF = PDF producer was PowerPDF
  • GMD_PRODUCER_EASYPDF = PDF producer was BCL easyPDF
  • GMD_PDF_ENCRYPTED = Attached PDF is encrypted
  • GMD_PDF_EMPTY_BODY = Attached PDF with empty message body
  • REMOVE_BEFORE_LINK = Removal phrase right before a link
  • GUARANTEED_100_PERCENT = One hundred percent guaranteed
  • DEAR_FRIEND = Dear Friend? That's not very dear!
  • DEAR_SOMETHING = Contains 'Dear (something)'
  • BILLION_DOLLARS = Talks about lots of money
  • EXCUSE_4 = Claims you can be removed from the list
  • EXCUSE_REMOVE = Talks about how to be removed from mailings
  • STRONG_BUY = Tells you about a strong buy
  • STOCK_ALERT = Offers an alert about a stock
  • NOT_ADVISOR = Not registered investment advisor
  • PREST_NON_ACCREDITED = 'Prestigious Non-Accredited Universities'
  • BODY_ENHANCEMENT = Information on growing body parts
  • BODY_ENHANCEMENT2 = Information on getting larger body parts
  • IMPOTENCE = Impotence cure
  • URG_BIZ = Contains urgent matter
  • MONEY_BACK = Money back guarantee
  • FREE_QUOTE_INSTANT = Free express or no-obligation quote
  • BAD_CREDIT = Eliminate Bad Credit
  • REFINANCE_YOUR_HOME = Home refinancing
  • REFINANCE_NOW = Home refinancing
  • NO_MEDICAL = No Medical Exams
  • DIET_1 = Lose Weight Spam
  • FIN_FREE = Freedom of a financial nature
  • FORWARD_LOOKING = Stock Disclaimer Statement
  • ONE_TIME = One Time Rip Off
  • JOIN_MILLIONS = Join Millions of Americans
  • MARKETING_PARTNERS = Claims you registered with a partner
  • LOW_PRICE = Lowest Price
  • UNCLAIMED_MONEY = People just leave money laying around
  • OBSCURED_EMAIL = Message seems to contain rot13ed address
  • BANG_OPRAH = Talks about Oprah with an exclamation!
  • ACT_NOW_CAPS = Talks about 'acting now' with capitals
  • MORE_SEX = Talks about a bigger drive for sex
  • BANG_GUAR = Something is emphatically guaranteed
  • RUDE_HTML = Spammer message says you need an HTML mailer
  • INVESTMENT_ADVICE = Message mentions investment advice
  • MALE_ENHANCE = Message talks about enhancing men
  • PRICES_ARE_AFFORDABLE = Message says that prices aren't too expensive
  • REPLICA_WATCH = Message talks about a replica watch
  • EM_ROLEX = Message puts emphasis on the watch manufacturer
  • FREE_PORN = Possible porn - Free Porn
  • CUM_SHOT = Possible porn - Cum Shot
  • LIVE_PORN = Possible porn - Live Porn
  • SUBJECT_SEXUAL = Subject indicates sexually-explicit content
  • RATWARE_EGROUPS = Bulk email fingerprint (eGroups) found
  • RATWARE_OE_MALFORMED = X-Mailer has malformed Outlook Express version
  • RATWARE_MOZ_MALFORMED = Bulk email fingerprint (Mozilla malformed) found
  • RATWARE_MPOP_WEBMAIL = Bulk email fingerprint (mPOP Web-Mail)
  • FORGED_MUA_IMS = Forged mail pretending to be from IMS
  • FORGED_MUA_OUTLOOK = Forged mail pretending to be from MS Outlook
  • FORGED_MUA_OIMO = Forged mail pretending to be from MS Outlook IMO
  • FORGED_MUA_EUDORA = Forged mail pretending to be from Eudora
  • FORGED_MUA_THEBAT_CS = Mail pretending to be from The Bat! (charset)
  • FORGED_MUA_THEBAT_BOUN = Mail pretending to be from The Bat! (boundary)
  • FORGED_OUTLOOK_HTML = Outlook can't send HTML message only
  • FORGED_IMS_HTML = IMS can't send HTML message only
  • FORGED_THEBAT_HTML = The Bat! can't send HTML message only
  • REPTO_QUOTE_AOL = AOL doesn't do quoting like this
  • REPTO_QUOTE_IMS = IMS doesn't do quoting like this
  • REPTO_QUOTE_MSN = MSN doesn't do quoting like this
  • REPTO_QUOTE_QUALCOMM = Qualcomm/Eudora doesn't do quoting like this
  • REPTO_QUOTE_YAHOO = Yahoo! doesn't do quoting like this
  • FORGED_QUALCOMM_TAGS = QUALCOMM mailers can't send HTML in this format
  • FORGED_IMS_TAGS = IMS mailers can't send HTML in this format
  • FORGED_OUTLOOK_TAGS = Outlook can't send HTML in this format
  • RATWARE_HASH_DASH = Contains a hashbuster in Send-Safe format
  • RATWARE_ZERO_TZ = Bulk email fingerprint (+0000) found
  • X_MESSAGE_INFO = Bulk email fingerprint (X-Message-Info) found
  • HEADER_SPAM = Bulk email fingerprint (header-based) found
  • RATWARE_RCVD_PF = Bulk email fingerprint (Received PF) found
  • RATWARE_RCVD_AT = Bulk email fingerprint (Received @) found
  • RATWARE_OUTLOOK_NONAME = Bulk email fingerprint (Outlook no name) found
  • RATWARE_MS_HASH = Bulk email fingerprint (msgid ms hash) found
  • RATWARE_NAME_ID = Bulk email fingerprint (msgid from) found
  • RATWARE_EFROM = Bulk email fingerprint (envfrom) found
  • NUMERIC_HTTP_ADDR = Uses a numeric IP address in URL
  • HTTP_ESCAPED_HOST = Uses %-escapes inside a URL's hostname
  • HTTP_EXCESSIVE_ESCAPES = Completely unnecessary %-escapes inside a URL
  • IP_LINK_PLUS = Dotted-decimal IP address followed by CGI
  • WEIRD_PORT = Uses non-standard port number for HTTP
  • YAHOO_RD_REDIR = Has Yahoo Redirect URI
  • YAHOO_DRS_REDIR = Has Yahoo Redirect URI
  • HTTP_77 = Contains an URL-encoded hostname (HTTP77)
  • SPOOF_COM2OTH = URI contains ".com" in middle
  • SPOOF_COM2COM = URI contains ".com" in middle and end
  • SPOOF_NET2COM = URI contains ".net" or ".org", then ".com"
  • URI_HEX = URI hostname has long hexadecimal sequence
  • URI_NOVOWEL = URI hostname has long non-vowel sequence
  • URI_UNSUBSCRIBE = URI contains suspicious unsubscribe link
  • URI_NO_WWW_INFO_CGI = CGI in .info TLD other than third-level "www"
  • URI_NO_WWW_BIZ_CGI = CGI in .biz TLD other than third-level "www"
  • NORMAL_HTTP_TO_IP = URI host has a public dotted-decimal IPv4 address
  • BOUNCE_MESSAGE = MTA bounce message
  • CHALLENGE_RESPONSE = Challenge-Response message for mail you sent
  • CRBOUNCE_MESSAGE = Challenge-Response bounce message
  • VBOUNCE_MESSAGE = Virus-scanner bounce message
  • ANY_BOUNCE_MESSAGE = Message is some kind of bounce message
  • ACCESSDB = Message would have been caught by accessdb
  • MICROSOFT_EXECUTABLE = Message includes Microsoft executable program
  • MIME_SUSPECT_NAME = MIME filename does not match content
  • DCC_CHECK = Detected as bulk mail by DCC (dcc-servers.net)
  • DCC_REPUT_00_12 = DCC reputation between 0 and 12 % (mostly ham)
  • DCC_REPUT_70_89 = DCC reputation between 70 and 89 %
  • DCC_REPUT_90_94 = DCC reputation between 90 and 94 %
  • DCC_REPUT_95_98 = DCC reputation between 95 and 98 % (mostly spam)
  • DCC_REPUT_99_100 = DCC reputation of 99 % or higher (spam)
  • DKIM_SIGNED = Message has a DKIM or DK signature, not necessarily valid
  • DKIM_VALID = Message has at least one valid DKIM or DK signature
  • DKIM_VALID_AU = Message has a valid DKIM or DK signature from author's domain
  • DKIM_ADSP_NXDOMAIN = No valid author signature and domain not in DNS
  • DKIM_ADSP_DISCARD = No valid author signature, domain signs all mail and suggests discarding the rest
  • DKIM_ADSP_ALL = No valid author signature, domain signs all mail
  • DKIM_ADSP_CUSTOM_LOW = No valid author signature, adsp_override is CUSTOM_LOW
  • DKIM_ADSP_CUSTOM_MED = No valid author signature, adsp_override is CUSTOM_MED
  • DKIM_ADSP_CUSTOM_HIGH = No valid author signature, adsp_override is CUSTOM_HIGH
  • NML_ADSP_CUSTOM_LOW = ADSP custom_low hit, and not from a mailing list
  • NML_ADSP_CUSTOM_MED = ADSP custom_med hit, and not from a mailing list
  • NML_ADSP_CUSTOM_HIGH = ADSP custom_high hit, and not from a mailing list
  • HASHCASH_20 = Contains valid Hashcash token (20 bits)
  • HASHCASH_21 = Contains valid Hashcash token (21 bits)
  • HASHCASH_22 = Contains valid Hashcash token (22 bits)
  • HASHCASH_23 = Contains valid Hashcash token (23 bits)
  • HASHCASH_24 = Contains valid Hashcash token (24 bits)
  • HASHCASH_25 = Contains valid Hashcash token (25 bits)
  • HASHCASH_HIGH = Contains valid Hashcash token (>25 bits)
  • HASHCASH_2SPEND = Hashcash token already spent in another mail
  • SUBJECT_FUZZY_MEDS = Attempt to obfuscate words in Subject:
  • SUBJECT_FUZZY_VPILL = Attempt to obfuscate words in Subject:
  • SUBJECT_FUZZY_CHEAP = Attempt to obfuscate words in Subject:
  • SUBJECT_FUZZY_PENIS = Attempt to obfuscate words in Subject:
  • SUBJECT_FUZZY_TION = Attempt to obfuscate words in Subject:
  • FUZZY_AFFORDABLE = Attempt to obfuscate words in spam
  • FUZZY_AMBIEN = Attempt to obfuscate words in spam
  • FUZZY_BILLION = Attempt to obfuscate words in spam
  • FUZZY_CPILL = Attempt to obfuscate words in spam
  • FUZZY_CREDIT = Attempt to obfuscate words in spam
  • FUZZY_ERECT = Attempt to obfuscate words in spam
  • FUZZY_GUARANTEE = Attempt to obfuscate words in spam
  • FUZZY_MEDICATION = Attempt to obfuscate words in spam
  • FUZZY_MILLION = Attempt to obfuscate words in spam
  • FUZZY_MONEY = Attempt to obfuscate words in spam
  • FUZZY_MORTGAGE = Attempt to obfuscate words in spam
  • FUZZY_OBLIGATION = Attempt to obfuscate words in spam
  • FUZZY_OFFERS = Attempt to obfuscate words in spam
  • FUZZY_PHARMACY = Attempt to obfuscate words in spam
  • FUZZY_PHENT = Attempt to obfuscate words in spam
  • FUZZY_PRESCRIPT = Attempt to obfuscate words in spam
  • FUZZY_PRICES = Attempt to obfuscate words in spam
  • FUZZY_REFINANCE = Attempt to obfuscate words in spam
  • FUZZY_REMOVE = Attempt to obfuscate words in spam
  • FUZZY_ROLEX = Attempt to obfuscate words in spam
  • FUZZY_SOFTWARE = Attempt to obfuscate words in spam
  • FUZZY_THOUSANDS = Attempt to obfuscate words in spam
  • FUZZY_VLIUM = Attempt to obfuscate words in spam
  • FUZZY_VIOXX = Attempt to obfuscate words in spam
  • FUZZY_VPILL = Attempt to obfuscate words in spam
  • FUZZY_XPILL = Attempt to obfuscate words in spam
  • SPF_PASS = SPF: sender matches SPF record
  • SPF_NEUTRAL = SPF: sender does not match SPF record (neutral)
  • SPF_FAIL = SPF: sender does not match SPF record (fail)
  • SPF_SOFTFAIL = SPF: sender does not match SPF record (softfail)
  • SPF_HELO_PASS = SPF: HELO matches SPF record
  • SPF_HELO_NEUTRAL = SPF: HELO does not match SPF record (neutral)
  • SPF_HELO_FAIL = SPF: HELO does not match SPF record (fail)
  • SPF_HELO_SOFTFAIL = SPF: HELO does not match SPF record (softfail)
  • SPF_NONE = SPF: sender does not publish an SPF Record
  • SPF_HELO_NONE = SPF: HELO does not publish an SPF Record
  • UNWANTED_LANGUAGE_BODY = Message written in an undesired language
  • BODY_8BITS = Body includes 8 consecutive 8-bit characters
  • URIBL_SBL = Contains an URL's NS IP listed in the SBL blocklist
  • URIBL_DBL_SPAM = Contains a spam URL listed in the DBL blocklist
  • URIBL_DBL_PHISH = Contains a Phishing URL listed in the DBL blocklist
  • URIBL_DBL_MALWARE = Contains a malware URL listed in the DBL blocklist
  • URIBL_DBL_BOTNETCC = Contains a botnet C&C URL listed in the DBL blocklist
  • URIBL_DBL_ABUSE_SPAM = Contains an abused spamvertized URL listed in the DBL blocklist
  • URIBL_DBL_ABUSE_REDIR = Contains an abused redirector URL listed in the DBL blocklist
  • URIBL_DBL_ABUSE_PHISH = Contains an abused phishing URL listed in the DBL blocklist
  • URIBL_DBL_ABUSE_MALW = Contains an abused malware URL listed in the DBL blocklist
  • URIBL_DBL_ABUSE_BOTCC = Contains an abused botnet C&C URL listed in the DBL blocklist
  • URIBL_DBL_ERROR = Error: queried the DBL blocklist for an IP
  • URIBL_WS_SURBL = Contains an URL listed in the WS SURBL blocklist
  • URIBL_PH_SURBL = Contains an URL listed in the PH SURBL blocklist
  • URIBL_MW_SURBL = Contains a URL listed in the MW SURBL blocklist
  • URIBL_CR_SURBL = Contains an URL listed in the CR SURBL blocklist
  • URIBL_ABUSE_SURBL = Contains an URL listed in the ABUSE SURBL blocklist
  • SURBL_BLOCKED = ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
  • URIBL_BLACK = Contains an URL listed in the URIBL blacklist
  • URIBL_GREY = Contains an URL listed in the URIBL greylist
  • URIBL_RED = Contains an URL listed in the URIBL redlist
  • URIBL_BLOCKED = ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
  • AWL = Adjusted score from AWL reputation of From: address
  • SHORTCIRCUIT = Not all rules were run, due to a shortcircuited rule
  • TXREP = Score normalizing based on sender's reputation
  • USER_IN_BLACKLIST = From: address is in the user's black-list
  • USER_IN_WHITELIST = From: address is in the user's white-list
  • USER_IN_DEF_WHITELIST = From: address is in the default white-list
  • USER_IN_BLACKLIST_TO = User is listed in 'blacklist_to'
  • USER_IN_WHITELIST_TO = User is listed in 'whitelist_to'
  • USER_IN_MORE_SPAM_TO = User is listed in 'more_spam_to'
  • USER_IN_ALL_SPAM_TO = User is listed in 'all_spam_to'
  • URI_HOST_IN_BLACKLIST = host or domain listed in the URI black-list
  • URI_HOST_IN_WHITELIST = host or domain listed in the URI white-list
  • HEADER_HOST_IN_BLACKLIST = Blacklisted header host or domain
  • HEADER_HOST_IN_WHITELIST = Whitelisted header host or domain
  • USER_IN_DKIM_WHITELIST = From: address is in the user's DKIM whitelist
  • USER_IN_DEF_DKIM_WL = From: address is in the default DKIM white-list
  • USER_IN_SPF_WHITELIST = From: address is in the user's SPF whitelist
  • USER_IN_DEF_SPF_WL = From: address is in the default SPF white-list
  • ENV_AND_HDR_SPF_MATCH = Env and Hdr From used in default SPF WL Match
  • SUBJECT_IN_WHITELIST = Subject: contains string in the user's white-list
  • SUBJECT_IN_BLACKLIST = Subject: contains string in the user's black-list
  • AC_BR_BONANZA = Too many newlines in a row... spammy template
  • AC_DIV_BONANZA = Too many divs in a row... spammy template
  • AC_HTML_NONSENSE_TAGS = Many consecutive multi-letter HTML tags, likely nonsense/spam
  • AC_SPAMMY_URI_PATTERNS1 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS10 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS11 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS12 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS2 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS3 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS4 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS8 = link combos match highly spammy template
  • AC_SPAMMY_URI_PATTERNS9 = link combos match highly spammy template
  • ADMAIL = "admail" and variants
  • ADMITS_SPAM = Admits this is an ad
  • ADVANCE_FEE_2_NEW_FORM = Advance Fee fraud and a form
  • ADVANCE_FEE_2_NEW_MONEY = Advance Fee fraud and lots of money
  • ADVANCE_FEE_3_NEW = Appears to be advance fee fraud (Nigerian 419)
  • ADVANCE_FEE_3_NEW_FORM = Advance Fee fraud and a form
  • ADVANCE_FEE_3_NEW_MONEY = Advance Fee fraud and lots of money
  • ADVANCE_FEE_4_NEW = Appears to be advance fee fraud (Nigerian 419)
  • ADVANCE_FEE_4_NEW_MONEY = Advance Fee fraud and lots of money
  • ADVANCE_FEE_5_NEW_FRM_MNY = Advance Fee fraud form and lots of money
  • ADVANCE_FEE_5_NEW_MONEY = Advance Fee fraud and lots of money
  • AD_PREFS = Advertising preferences
  • APOSTROPHE_FROM = From address contains an apostrophe
  • AXB_XMAILER_MIMEOLE_OL_024C2 = Yet another X header trait
  • AXB_XMAILER_MIMEOLE_OL_1ECD5 = Yet another X header trait
  • AXB_X_FF_SEZ_S = Forefront sez this is spam
  • BANKING_LAWS = Talks about banking laws
  • BASE64_LENGTH_78_79 = base64 encoded email part uses line length of 78 or 79 characters
  • BASE64_LENGTH_79_INF = base64 encoded email part uses line length greater than 79 characters
  • BODY_SINGLE_URI = Message body is only a URI
  • BODY_SINGLE_WORD = Message body is only one word (no spaces)
  • BODY_URI_ONLY = Message body is only a URI in one line of text or for an image
  • BOGUS_MSM_HDRS = Apparently bogus Microsoft email headers
  • CANT_SEE_AD = You really want to see our spam.
  • CK_HELO_DYNAMIC_SPLIT_IP = Relay HELO'd using suspicious hostname (Split IP)
  • CK_HELO_GENERIC = Relay used name indicative of a Dynamic Pool or Generic rPTR
  • CN_B2B_SPAMMER = Chinese company introducing itself
  • COMMENT_GIBBERISH = Nonsense in long HTML comment
  • COMPENSATION = "Compensation"
  • CORRUPT_FROM_LINE_IN_HDRS = Informational: message is corrupt, with a From line in its headers
  • CTYPE_8SPACE_GIF = Stock spam image part 'Content-Type' found (8 spc)
  • DATE_IN_FUTURE_96_Q = Date: is 4 days to 4 months after Received: date
  • DEAR_BENEFICIARY = Dear Beneficiary:
  • DEAR_WINNER = Spam with generic salutation of "dear winner"
  • DOS_ANAL_SPAM_MAILER = X-mailer pattern common to anal porn site spam
  • DOS_FIX_MY_URI = Looks like a "fix my obfu'd URI please" spam
  • DOS_HIGH_BAT_TO_MX = The Bat! Direct to MX with High Bits
  • DOS_LET_GO_JOB = Let go from their job and now makes lots of dough!
  • DOS_OE_TO_MX = Delivered direct to MX with OE headers
  • DOS_OE_TO_MX_IMAGE = Direct to MX with OE headers and an image
  • DOS_OUTLOOK_TO_MX = Delivered direct to MX with Outlook headers
  • DOS_RCVD_IP_TWICE_C = Received from the same IP twice in a row (only one external relay; empty or IP helo)
  • DOS_STOCK_BAT = Probable pump and dump stock spam
  • DOS_URI_ASTERISK = Found an asterisk in a URI
  • DOS_YOUR_PLACE = Russian dating spam
  • DRUGS_HDIA = Subject mentions "hoodia"
  • DRUGS_STOCK_MIMEOLE = Stock-spam forged headers found (5510)
  • DX_TEXT_01 = "message status"
  • DX_TEXT_02 = "change your message stat"
  • DX_TEXT_03 = "XXX Media Group"
  • DYN_RDNS_AND_INLINE_IMAGE = Contains image, and was sent by dynamic rDNS
  • DYN_RDNS_SHORT_HELO_HTML = Sent by dynamic rDNS, short HELO, and HTML
  • DYN_RDNS_SHORT_HELO_IMAGE = Short HELO string, dynamic rDNS, inline image
  • ENCRYPTED_MESSAGE = Message is encrypted, not likely to be spam
  • EXCUSE_24 = Claims you wanted this ad
  • FBI_MONEY = The FBI wants to give you lots of money?
  • FBI_SPOOF = Claims to be FBI, but not from FBI domain
  • FORM_FRAUD = Fill a form and a fraud phrase
  • FORM_FRAUD_3 = Fill a form and several fraud phrases
  • FORM_FRAUD_5 = Fill a form and many fraud phrases
  • FORM_LOW_CONTRAST = Fill in a form with hidden text
  • FOUND_YOU = I found you...
  • FROM_IN_TO_AND_SUBJ = From address is in To and Subject
  • FROM_MISSPACED = From: missing whitespace
  • FROM_MISSP_MSFT = From misspaced + supposed Microsoft tool
  • FROM_MISSP_REPLYTO = From misspaced, has Reply-To
  • FROM_MISSP_TO_UNDISC = From misspaced, To undisclosed
  • FROM_MISSP_USER = From misspaced, from "User"
  • FROM_MISSP_XPRIO = Misspaced FROM + X-Priority
  • FROM_WORDY = From address looks like a sentence
  • FROM_WORDY_SHORT = From address looks like a sentence + short message
  • FROM_WSP_TRAIL = Trailing whitespace before '>' in From header field
  • FSL_CTYPE_WIN1251 = Content-Type only seen in 419 spam
  • FSL_NEW_HELO_USER = Spam's using Helo and User
  • FUZZY_MERIDIA = Obfuscation of the word "meridia"
  • GOOGLE_DOCS_PHISH = Possible phishing via a Google Docs form
  • GOOGLE_DOCS_PHISH_MANY = Phishing via a Google Docs form
  • GOOG_MALWARE_DNLD = File download via Google - Malware?
  • GOOG_REDIR_SHORT = Google redirect to obscure spamvertised website + short message
  • HDRS_LCASE = Odd capitalization of message header
  • HDRS_MISSP = Misspaced headers
  • HDR_ORDER_FTSDMCXX_001C = Header order similar to spam (FTSDMCXX/MID variant)
  • HDR_ORDER_FTSDMCXX_BAT = Header order similar to spam (FTSDMCXX/boundary variant)
  • HEADER_COUNT_SUBJECT = Multiple Subject headers found
  • HELO_MISC_IP = Looking for more Dynamic IP Relays
  • HEXHASH_WORD = Multiple instances of word + hexadecimal hash
  • HK_NAME_DRUGS = From name contains drugs
  • HK_RANDOM_ENVFROM = Envelope sender username looks random
  • HTML_OFF_PAGE = HTML element rendered well off the displayed page
  • KHOP_DYNAMIC = Relay looks like a dynamic address
  • LIST_PARTIAL_SHORT_MSG = Incomplete mailing list headers + short message
  • LIST_PRTL_PUMPDUMP = Incomplete List-* headers and stock pump-and-dump
  • LIST_PRTL_SAME_USER = Incomplete List-* headers and from+to user the same
  • LONG_HEX_URI = Very long purely hexadecimal URI
  • LONG_IMG_URI = Image URI with very long path component - web bug?
  • LOOPHOLE_1 = A loop hole in the banking laws?
  • LOTTO_AGENT = Claims Agent
  • LUCRATIVE = Make lots of money!
  • MANY_HDRS_LCASE = Odd capitalization of multiple message headers
  • MANY_SPAN_IN_TEXT = Many <SPAN> tags embedded within text
  • MILLION_USD = Talks about millions of dollars
  • MIMEOLE_DIRECT_TO_MX = MIMEOLE + direct-to-MX
  • MONEY_ATM_CARD = Lots of money on an ATM card
  • MONEY_FRAUD_3 = Lots of money and several fraud phrases
  • MONEY_FRAUD_5 = Lots of money and many fraud phrases
  • MONEY_FRAUD_8 = Lots of money and very many fraud phrases
  • MONEY_FROM_41 = Lots of money from Africa
  • MONEY_FROM_MISSP = Lots of money and misspaced From
  • MSGID_MULTIPLE_AT = Message-ID contains multiple '@' characters
  • MSGID_NOFQDN1 = Message-ID with no domain name
  • MSM_PRIO_REPTO = MSMail priority header + Reply-to + short subject
  • NSL_RCVD_FROM_USER = Received from User
  • NSL_RCVD_HELO_USER = Received from HELO User
  • NULL_IN_BODY = Message has NUL (ASCII 0) byte in message
  • OBFU_JVSCR_ESC = Injects content using obfuscated javascript
  • PART_CID_STOCK = Has a spammy image attachment (by Content-ID)
  • PART_CID_STOCK_LESS = Has a spammy image attachment (by Content-ID, more specific)
  • PHP_NOVER_MUA = Mail from PHP with no version number
  • PHP_ORIG_SCRIPT = Sent by bot & other signs
  • PHP_SCRIPT_MUA = Sent by PHP script, no version number
  • PUMPDUMP = Pump-and-dump stock scam phrase
  • PUMPDUMP_MULTI = Pump-and-dump stock scam phrases
  • PUMPDUMP_TIP = Pump-and-dump stock tip
  • RAND_HEADER_MANY = Many random gibberish message headers
  • RCVD_BAD_ID = Received header contains id field with bad characters
  • RCVD_DBL_DQ = Malformatted message header
  • RCVD_FORGED_WROTE = Forged 'Received' header found ('wrote:' spam)
  • RCVD_IN_DNSWL_BLOCKED = ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
  • RCVD_IN_DNSWL_HI = Sender listed at http://www.dnswl.org/, high trust
  • RCVD_IN_DNSWL_LOW = Sender listed at http://www.dnswl.org/, low trust
  • RCVD_IN_DNSWL_MED = Sender listed at http://www.dnswl.org/, medium trust
  • RCVD_IN_DNSWL_NONE = Sender listed at http://www.dnswl.org/, no trust
  • RCVD_IN_IADB_DK = IADB: Sender publishes Domain Keys record
  • RCVD_IN_IADB_DOPTIN = IADB: All mailing list mail is confirmed opt-in
  • RCVD_IN_IADB_DOPTIN_GT50 = IADB: Confirmed opt-in used more than 50% of the time
  • RCVD_IN_IADB_DOPTIN_LT50 = IADB: Confirmed opt-in used less than 50% of the time
  • RCVD_IN_IADB_EDDB = IADB: Participates in Email Deliverability Database
  • RCVD_IN_IADB_EPIA = IADB: Member of Email Processing Industry Alliance
  • RCVD_IN_IADB_GOODMAIL = IADB: Sender has been certified by GoodMail
  • RCVD_IN_IADB_LISTED = Participates in the IADB system
  • RCVD_IN_IADB_LOOSE = IADB: Adds relationship addrs w/out opt-in
  • RCVD_IN_IADB_MI_CPEAR = IADB: Complies with Michigan's CPEAR law
  • RCVD_IN_IADB_MI_CPR_30 = IADB: Checked lists against Michigan's CPR within 30 days
  • RCVD_IN_IADB_MI_CPR_MAT = IADB: Sends no material under Michigan's CPR
  • RCVD_IN_IADB_ML_DOPTIN = IADB: Mailing list email only, confirmed opt-in
  • RCVD_IN_IADB_NOCONTROL = IADB: Has absolutely no mailing controls in place
  • RCVD_IN_IADB_OOO = IADB: One-to-one/transactional email only
  • RCVD_IN_IADB_OPTIN = IADB: All mailing list mail is opt-in
  • RCVD_IN_IADB_OPTIN_GT50 = IADB: Opt-in used more than 50% of the time
  • RCVD_IN_IADB_OPTIN_LT50 = IADB: Opt-in used less than 50% of the time
  • RCVD_IN_IADB_OPTOUTONLY = IADB: Scrapes addresses, pure opt-out only
  • RCVD_IN_IADB_RDNS = IADB: Sender has reverse DNS record
  • RCVD_IN_IADB_SENDERID = IADB: Sender publishes Sender ID record
  • RCVD_IN_IADB_SPF = IADB: Sender publishes SPF record
  • RCVD_IN_IADB_UNVERIFIED_1 = IADB: Accepts unverified sign-ups
  • RCVD_IN_IADB_UNVERIFIED_2 = IADB: Accepts unverified sign-ups, gives chance to opt out
  • RCVD_IN_IADB_UT_CPEAR = IADB: Complies with Utah's CPEAR law
  • RCVD_IN_IADB_UT_CPR_30 = IADB: Checked lists against Utah's CPR within 30 days
  • RCVD_IN_IADB_UT_CPR_MAT = IADB: Sends no material under Utah's CPR
  • RCVD_IN_PSBL = Received via a relay in PSBL
  • RCVD_MAIL_COM = Forged Received header (contains post.com or mail.com)
  • RDNS_LOCALHOST = Sender's public rDNS is "localhost"
  • RISK_FREE = No risk!
  • SERGIO_SUBJECT_VIAGRA01 = Viagra garbled subject
  • SHORT_HELO_AND_INLINE_IMAGE = Short HELO string, with inline image
  • SINGLETS_LOW_CONTRAST = Single-letter formatted HTML + hidden text
  • SPAMMY_XMAILER = X-Mailer string is common in spam and not in ham
  • SPOOFED_FREEM_REPTO = Forged freemail sender with freemail reply-to
  • SPOOFED_FREEM_REPTO_CHN = Forged freemail sender with Chinese freemail reply-to
  • STATIC_XPRIO_OLE = Static RDNS + X-Priority + MIMEOLE
  • STOCK_IMG_CTYPE = Stock spam image part, with distinctive Content-Type header
  • STOCK_IMG_HDR_FROM = Stock spam image part, with distinctive From line
  • STOCK_IMG_HTML = Stock spam image part, with distinctive HTML
  • STOCK_IMG_OUTLOOK = Stock spam image part, with Outlook-like features
  • STOCK_LOW_CONTRAST = Stocks + hidden text
  • STOCK_TIP = Stock tips
  • STYLE_GIBBERISH = Nonsense in HTML