Home / Tips / Web and Server / How spam filters generally work

How spam filters generally work

AREA TESTEDLOCALEDESCRIPTION OF TESTTEST NAMEDEFAULT SCORES
(local, net, with bayes, with bayes+net)
MORE INFO
(additional wiki docs)
bodyGeneric Test for Unsolicited Bulk EmailGTUBE1000.000
fullListed in Razor2 (http://razor.sf.net/)RAZOR2_CHECK0 0.150 0 1.511
bodyRazor2 gives confidence level above 50%RAZOR2_CF_RANGE_51_1000 1.485 0 0.056
fullListed in DCC (http://rhyolite.com/anti-spam/dcc/)DCC_CHECK0 1.373 0 2.169
fullListed in Pyzor (http://pyzor.sf.net/)PYZOR_CHECK0 2.041 0 3.451
bodyIncorporates a tracking ID numberTRACKER_ID1.825 1.064 1.818 0.555
bodyWeird repeated double-quotation marksWEIRD_QUOTING1.353 1.966 1.774 2.000
rawbodyExtra blank lines in base64 encodingMIME_BASE64_BLANKS0.693 0.819 1.391 1.469
rawbodybase64 attachment does not have a file nameMIME_BASE64_NO_NAME0.022 0 0.017 0.000
rawbodyMessage text disguised using base64 encodingMIME_BASE64_TEXT1.780 0.110 1.403 0.298
rawbodyMIME section missing boundaryMIME_MISSING_BOUNDARY0 0.247 0.224 0
bodyMultipart message mostly text/html MIMEMIME_HTML_MOSTLY1.540 0.285 0.713 1.023
bodyMessage only has text/html MIME partsMIME_HTML_ONLY1.204 1.158 1.156 0.177
rawbodyQuoted-printable line longer than 76 charsMIME_QP_LONG_LINE0 0.000 0.105 0.039
rawbodyMIME filename does not match contentMIME_SUSPECT_NAME0.100
bodyHTML and text parts are differentMPART_ALT_DIFF1.837 1.505 1.823 0.066
bodyCharacter set indicates a foreign languageCHARSET_FARAWAY3.200
bodyMessage written in an undesired languageUNWANTED_LANGUAGE_BODY2.800
bodyBody includes 8 consecutive 8-bit charactersBODY_8BITS1.500
bodyBody contains a ROT13-encoded email addressEMAIL_ROT132.720 1.474 2.934 3.105
bodyMessage body has 70-80% blank linesBLANK_LINES_70_801.668 1.127 0.745 1.515
bodyMessage body has 80-90% blank linesBLANK_LINES_80_900.046 0 0.216 0
bodyMessage body has 90-100% blank linesBLANK_LINES_90_1001.490 1.750 1.877 1.996
bodyMessage body has many words used only onceUNIQUE_WORDS3.109 2.549 1.639 2.273
bodyMessage body mentions many internet domainsDOMAIN_RATIO2.552 1.360 2.534 3.176
headerDid not pass through any untrusted hostsALL_TRUSTED-2.400 -2.820 -2.867 -3.300
headerNJABL: sender is confirmed open relayRCVD_IN_NJABL_RELAY0 0.934 0 1.397
headerNJABL: dialup sender did non-local SMTPRCVD_IN_NJABL_DUL0 1.655 0 0.088
headerNJABL: sender is confirmed spam sourceRCVD_IN_NJABL_SPAM0 1.051 0 1.841
headerNJABL: sent through multi-stage open relayRCVD_IN_NJABL_MULTI1
headerNJABL: sender is an open formmailRCVD_IN_NJABL_CGI1
headerNJABL: sender is an open proxyRCVD_IN_NJABL_PROXY0 1.026 0 0.438
headerSORBS: sender is open HTTP proxy serverRCVD_IN_SORBS_HTTP0 0 0 0.043
headerSORBS: sender is open proxy serverRCVD_IN_SORBS_MISC0 0 0 0.338
headerSORBS: sender is open SMTP relayRCVD_IN_SORBS_SMTP0 1.597 0 2.493
headerSORBS: sender is open SOCKS proxy serverRCVD_IN_SORBS_SOCKS0 1.847 0 2.054
headerSORBS: sender is a abuseable web serverRCVD_IN_SORBS_WEB0 0 0 0.007
headerSORBS: sender demands to never be testedRCVD_IN_SORBS_BLOCK1
headerSORBS: sender is on a hijacked networkRCVD_IN_SORBS_ZOMBIE0 0.819 0 0
headerSORBS: sent directly from dynamic IP addressRCVD_IN_SORBS_DUL0 0.137 0 1.987
headerReceived via a relay in Spamhaus SBLRCVD_IN_SBL0 1.050 0 0.107
headerReceived via a relay in Spamhaus XBLRCVD_IN_XBL0 2.511 0 3.076
headerEnvelope sender in dsn.rfc-ignorant.orgDNS_FROM_RFC_DSN1
headerEnvelope sender in postmaster.rfc-ignorant.orgDNS_FROM_RFC_POST0 1.376 0 1.614
headerEnvelope sender in abuse.rfc-ignorant.orgDNS_FROM_RFC_ABUSE0 0.374 0 0
headerEnvelope sender in whois.rfc-ignorant.orgDNS_FROM_RFC_WHOIS0 0.492 0 0.296
headerEnvelope sender in bogusmx.rfc-ignorant.orgDNS_FROM_RFC_BOGUSMX0 1.463 0 2.630
headerReceived via a relay in list.dsbl.orgRCVD_IN_DSBL0 2.765 0 3.805
headerFrom: sender listed in dnsbl.ahbl.orgDNS_FROM_AHBL_RHSBL0 0.070 0 0.295
headerHas Habeas warrant mark and on Infringer ListHABEAS_INFRINGER0 16.0 0 16.0
headerHas Habeas warrant mark and on User ListHABEAS_USER0 -8.0 0 -8.0
headerSender is in Bonded Sender Program (trusted relay)RCVD_IN_BSP_TRUSTED0 -4.3 0 -4.3
headerSender is in Bonded Sender Program (other relay)RCVD_IN_BSP_OTHER0 -0.1 0 -0.1
headerSender domain is new and very high volumeSB_NEW_BULK1
headerSender IP hosted at NSP has a volume spikeSB_NSP_VOLUME_SPIKE1
headerReceived via a relay in bl.spamcop.netRCVD_IN_BL_SPAMCOP_NET0 1.832 0 1.216
headerReceived via a relay in RSLRCVD_IN_RSL0 0.677 0 1.720
headerRelay in RBL, http://www.mail-abuse.org/rbl/RCVD_IN_MAPS_RBL1
headerRelay in DUL, http://www.mail-abuse.org/dul/RCVD_IN_MAPS_DUL1
headerRelay in RSS, http://www.mail-abuse.org/rss/RCVD_IN_MAPS_RSS1
headerRelay in NML, http://www.mail-abuse.org/nml/RCVD_IN_MAPS_NML1
headerEnvelope sender has no MX or A DNS recordsNO_DNS_FOR_FROM0 1.1 0 1.6
headerSubject contains a gappy version of ‘cialis’SUBJECT_DRUG_GAP_C1.993 1.917 2.501 1.325
headerSubject contains a gappy version of ‘levitra’SUBJECT_DRUG_GAP_L2.117 2.726 2.181 2.456
headerSubject contains a gappy version of ‘phentermine’SUBJECT_DRUG_GAP_P0.621 0.765 0.698 1.425
headerSubject contains a gappy version of ‘soma’SUBJECT_DRUG_GAP_S2.005 0.277 2.920 2.041
headerSubject contains a gappy version of ‘valium’SUBJECT_DRUG_GAP_VA2.005 1.922 2.934 3.680
headerSubject contains a gappy version of ‘viagra’SUBJECT_DRUG_GAP_VIA2.659 1.770 3.158 0.253
headerSubject contains a gappy version of ‘vicodin’SUBJECT_DRUG_GAP_VIC2.560 2.961 2.691 2.868
headerSubject contains a gappy version of ‘xanax’SUBJECT_DRUG_GAP_X2.538 2.282 2.945 2.512
bodyTalks about price per doseDRUG_DOSAGE0.342 0.608 0.405 0.862
bodyMentions an E.D. drugDRUG_ED_CAPS0.122 1.535 0 0.185
bodyViagra and other drugsDRUG_ED_COMBO1.000 0.183 1.415 1.636
bodyTalks about an E.D. drug using its chemical nameDRUG_ED_SILD1.856 0.421 1.597 1.666
bodyMentions Generic ViagraDRUG_ED_GENERIC1.933 1.181 0 1.128
bodyFast Viagra DeliveryDRUG_ED_ONLINE0.553 1.820 1.097 2.300
bodyDeep discount medicationsDEEP_DISC_MEDS2.480 1.211 2.573 2.626
bodyOnline PharmacyONLINE_PHARMACY2.730 0 2.895 0.000
bodyAttempts to disguise the word ‘viagra’VIA_GAP_GRA2.800 3.171 2.886 3.005
bodyTwo or more drugs crammed together into one wordDRUGS_SMEAR10.515 1.522 0.475 2.351
headerHost HELO did not match rDNS: msn.comFAKE_HELO_MSN1.773 1.456 2.069 2.645
headerHost HELO did not match rDNS: mail.comFAKE_HELO_MAIL_COM1.303 1.972 0.111 0.000
headerHost HELO did not match rDNS: email.comFAKE_HELO_EMAIL_COM0 0 0 1.537
headerHost HELO did not match rDNS: eudoramail.comFAKE_HELO_EUDORAMAIL1.520 0.907 0 0
headerHost HELO did not match rDNS: excite.comFAKE_HELO_EXCITE1.840 2.127 2.127 2.074
headerHost HELO did not match rDNS: lycos.comFAKE_HELO_LYCOS1.410 1.645 0 0.988
headerHost HELO did not match rDNS: yahoo.caFAKE_HELO_YAHOO_CA1.166 0 0.171 1.116
headerRelay HELO’d with suspicious hostname (mail.com)FAKE_HELO_MAIL_COM_DOM1.920 2.173 2.312 2.108
headerRelay HELO’d using suspicious hostname (IP addr 1)HELO_DYNAMIC_IPADDR3.520 2.754 4.070 4.400
headerRelay HELO’d using suspicious hostname (DHCP)HELO_DYNAMIC_DHCP2.791 0.087 0.958 1.248
headerRelay HELO’d using suspicious hostname (HCC)HELO_DYNAMIC_HCC3.360 1.540 2.451 3.741
headerRelay HELO’d using suspicious hostname (ATTBI.com)HELO_DYNAMIC_ATTBI3.200 3.662 2.760 3.147
headerRelay HELO’d using suspicious hostname (Rogers)HELO_DYNAMIC_ROGERS1.677 0.793 1.888 2.094
headerRelay HELO’d using suspicious hostname (Adelphia)HELO_DYNAMIC_ADELPHIA2.320 1.829 2.389 2.199
headerRelay HELO’d using suspicious hostname (T-Dialin)HELO_DYNAMIC_DIALIN2.320 0.443 2.429 1.755
headerRelay HELO’d using suspicious hostname (Hex IP)HELO_DYNAMIC_HEXIP1.826 1.320 1.453 1.522
headerRelay HELO’d using suspicious hostname (Split IP)HELO_DYNAMIC_SPLIT_IP2.869 0.887 0.992 0.775
headerRelay HELO’d using suspicious hostname (YahooBB)HELO_DYNAMIC_YAHOOBB2.800 2.776 2.572 3.000
headerRelay HELO’d using suspicious hostname (OptOnline)HELO_DYNAMIC_OOL3.120 2.508 3.065 3.182
headerRelay HELO’d using suspicious hostname (IP addr 2)HELO_DYNAMIC_IPADDR23.271 0.805 2.554 3.496
headerRelay HELO’d using suspicious hostname (RR 2)HELO_DYNAMIC_RR22.080 1.015 1.678 2.200
headerRelay HELO’d using suspicious hostname (Comcast)HELO_DYNAMIC_COMCAST3.040 3.533 3.217 3.700
headerRelay HELO’d using suspicious hostname (Telia)HELO_DYNAMIC_TELIA0 0 1.216 1.515
headerRelay HELO’d using suspicious hostname (VTR)HELO_DYNAMIC_VTR1.916 0.805 2.013 1.960
headerRelay HELO’d using suspicious hostname (Chello.no)HELO_DYNAMIC_CHELLO_NO1.388 0.226 1.409 1.570
headerRelay HELO’d using suspicious hostname (Chello.nl)HELO_DYNAMIC_CHELLO_NL1.762 0 0.542 0.244
headerRelay HELO’d using suspicious hostname (Veloxzone)HELO_DYNAMIC_VELOX1.680 1.877 1.803 2.003
headerRelay HELO’d using suspicious hostname (NTL)HELO_DYNAMIC_NTL1.340 0.187 1.445 1.732
headerRelay HELO’d using suspicious hostname (Home.nl)HELO_DYNAMIC_HOME_NL1.737 0.635 1.660 1.878
headerMessage headers are very longHEAD_LONG2.5
headerFrom: does not include a real nameNO_REAL_NAME0.124 0.178 0.336 0.007
headerFrom: ends in numbersFROM_ENDS_IN_NUMS0.177 0.516 0.517 0.000
headerFrom: starts with numsFROM_STARTS_WITH_NUMS1.218 1.492 1.441 0.300
headerFrom: contains numbers mixed in with lettersFROM_HAS_MIXED_NUMS0.107 0.298 0.024 0.000
headerFrom: contains numbers mixed in with lettersFROM_HAS_MIXED_NUMS31.132 1.113 1.513 1.614
headerUses an address with lots of numbers, at a big ISPADDR_NUMS_AT_BIGSITE0.072 0.748 0.112 0.081
headerFrom address is “at something-offers”FROM_OFFERS1.822 0.861 2.243 1.491
headerFrom: has no local-part before @ signFROM_NO_USER1.358 0.344 1.460 0.983
headerTo: has no local-part before @ signTO_NO_USER0.332 0.116 1.615 0.128
headerTo: is emptyTO_EMPTY0 0 0.164 0.097
headerReply-To: is emptyREPLY_TO_EMPTY1.274 1.410 1.568 1.643
headerTo: repeats address as real nameTO_ADDRESS_EQ_REAL0 0.470 0.131 0.026
headerValid-looking To “undisclosed-recipients”UNDISC_RECIPS0.966 1.391 1.295 1.302
headerFaked To “Undisclosed-Recipients”FAKED_UNDISC_RECIPS1.287 0.565 1.431 1.602
headerSubject has exclamation mark and question markPLING_QUERY0.201 0.857 0.906 0.368
headerSubject contains a unique IDSUBJ_HAS_UNIQ_ID0.899 1.122 0.809 1.339
headerSubject contains lots of white spaceSUBJ_HAS_SPACES2.240 0.637 1.899 1.175
headerSubject is all capitalsSUBJ_ALL_CAPS0.763 0.365 0.257 0.665
headerSpam tool Message-Id: (99x9xx99 variant)MSGID_SPAM_99X9XX990.500 0.864 1.576 1.442
headerSpam tool Message-Id: (alpha-numeric variant)MSGID_SPAM_ALPHA_NUM2.640 3.004 3.330 3.228
headerSpam tool Message-Id: (caps variant)MSGID_SPAM_CAPS3.500 3.221 3.545 3.791
headerSpam tool Message-Id: (letters variant)MSGID_SPAM_LETTERS2.960 3.151 3.052 2.709
headerSpam tool Message-Id: (12-zeroes variant)MSGID_SPAM_ZEROES1.584 1.763 1.783 1.859
headerMessage-Id has no hostnameMSGID_NO_HOST0.087 0 0.816 0.140
headerMessage-Id is fake (in Outlook Express format)MSGID_OUTLOOK_INVALID2.000 2.290 2.498 2.700
headerMessage-ID has [email protected]MSGID_YAHOO_CAPS2.425 0.702 2.442 3.800
headerMessage-Id for external message added locallyMSGID_FROM_MTA_ID1.440 1.704 1.756 1.723
headerMessage-Id was added by a hotmail.com relayMSGID_FROM_MTA_HOTMAIL1.600 1.858 1.987 2.144
headerDate header uses unusual Y2K formattingDATE_SPAMWARE_Y2K2.958 2.888 3.384 3.911
headerInvalid Date: header (not RFC 2822)INVALID_DATE0.011 0.235 0 0.236
headerInvalid Date: header (timezone does not exist)INVALID_DATE_TZ_ABSURD0 0 0.664 0.960
headerInvalid date in header (wrong CST timezone)INVALID_TZ_CST2.044 0.066 0.598 2.873
headerInvalid date in header (wrong EST timezone)INVALID_TZ_EST1.492 2.326 1.672 3.582
headerInvalid date in header (wrong GMT/UTC timezone)INVALID_TZ_GMT1.708 0.636 1.549 0.198
headerDate: is 3 to 6 hours before Received: dateDATE_IN_PAST_03_060.025 0 0.127 0
headerDate: is 6 to 12 hours before Received: dateDATE_IN_PAST_06_120.301 0.211 0.918 0
headerDate: is 12 to 24 hours before Received: dateDATE_IN_PAST_12_240.374 0 0.571 0.703
headerDate: is 24 to 48 hours before Received: dateDATE_IN_PAST_24_480 0.302 0.133 0.089
headerDate: is 48 to 96 hours before Received: dateDATE_IN_PAST_48_960.034 0.257 0.222 0
headerDate: is 96 hours or more before Received: dateDATE_IN_PAST_96_XX0.505 1.082 0.979 1.360
headerDate: is 3 to 6 hours after Received: dateDATE_IN_FUTURE_03_061.288 0.072 2.052 0.847
headerDate: is 6 to 12 hours after Received: dateDATE_IN_FUTURE_06_121.040 1.202 1.153 1.300
headerDate: is 12 to 24 hours after Received: dateDATE_IN_FUTURE_12_242.118 2.329 2.863 3.031
headerDate: is 24 to 48 hours after Received: dateDATE_IN_FUTURE_24_482.023 2.046 2.301 2.314
headerDate: is 48 to 96 hours after Received: dateDATE_IN_FUTURE_48_962.080 2.296 2.498 2.689
headerDate: is 96 hours or more after Received: dateDATE_IN_FUTURE_96_XX1.393 1.428 1.930 1.962
headerHeaders contain an unresolved templateUNRESOLVED_TEMPLATE1.324 0.618 1.369 2.866
headerSubject contains too many raw illegal charactersSUBJ_ILLEGAL_CHARS2.880 2.854 3.459 2.854
headerFrom contains too many raw illegal charactersFROM_ILLEGAL_CHARS0.861 0.046 0 0.008
headerHeader contains too many raw illegal charactersHEAD_ILLEGAL_CHARS0.539 2.018 0.961 2.125
headerSubject contains an English UCE tagENGLISH_UCE_SUBJECT2.080 0.336 2.127 0.110
headerSubject contains a Japanese UCE tagJAPANESE_UCE_SUBJECT0 0 1.665 1.800
headerSubject: contains Korean unsolicited email tagKOREAN_UCE_SUBJECT2.400 2.703 2.469 3.081
headerFrom and To are the same, but not exactlyFROM_AND_TO_SAME0 0.198 0 0
headerReceived: contains a forged HELOFORGED_RCVD_HELO0 0.050 0.266 0.000
headerReceived: HELO and IP do not match, but shouldRCVD_HELO_IP_MISMATCH2.799 0.618 1.647 2.178
headerReceived: contains an IP address used for HELORCVD_NUMERIC_HELO0.636 1.531 1.348 1.248
headerReceived: contains illegal IP addressRCVD_ILLEGAL_IP1.335 1.370 1.588 0.944
headerReceived by mail server with no nameRCVD_BY_IP0 0.024 0.051 0.067
headerReceived forged, contains fake AOL relaysFORGED_AOL_RCVD0 0 1.451 0
headerContains forged hostname for a DSL IP in BrazilFORGED_TELESP_RCVD1.595 0.669 1.468 1.532
headerForged hotmail.com ‘Received:’ header foundFORGED_HOTMAIL_RCVD2.614 2.132 2.150 2.536
headerhotmail.com ‘From’ address, but no ‘Received:’FORGED_HOTMAIL_RCVD20.787 1.079 1.415 1.177
headerForged eudoramail.com ‘Received:’ header foundFORGED_EUDORAMAIL_RCVD1.657 0.653 1.130 0.290
header‘From’ yahoo.com does not match ‘Received’ headersFORGED_YAHOO_RCVD1.668 2.174 2.095 2.700
header‘From’ juno.com does not match ‘Received’ headersFORGED_JUNO_RCVD1.644 1.722 2.018 0.792
headerForged ‘by gw05’ ‘Received:’ header foundFORGED_GW05_RCVD0 0 1.495 1.697
headerCharacter set doesn’t existNONEXISTENT_CHARSET0 0 1.411 1.418
headerA foreign language charset used in headersCHARSET_FARAWAY_HEADER3.200
headerSent with ‘X-Priority’ set to highX_PRIORITY_HIGH0.125 0.093 0.077 0.000
headerSent with ‘X-Msmail-Priority’ set to highX_MSMAIL_PRIORITY_HIGH0 0.267 0.021 0.000
headerReceived: says mail sent around the world (HELO)ROUND_THE_WORLD_LOCAL1.347 0.464 2.351 0.213
headerReceived: says mail sent around the world (DNS)ROUND_THE_WORLD0 1.741 0 1.958
headerMissing Date: headerMISSING_DATE0 0.019 0.647 0.000
headerMissing To: headerMISSING_HEADERS0 0 0.087 0.119
headerSimilar addresses in recipient listSUSPICIOUS_RECIPS1.473 1.459 0.820 1.915
headerRecipient list is sorted by addressSORTED_RECIPS0.879 1.155 1.759 0.887
headerSubject: contains G.a.p.p.y-T.e.x.tGAPPY_SUBJECT1.365 1.319 2.084 1.343
headerMessage has X-Library headerX_LIBRARY2.105 1.369 1.863 2.755
headerSubject contains “As Seen”SUBJ_AS_SEEN0.995 1.691 1.214 0.000
headerSubject starts with dollar amountSUBJ_DOLLARS2.449 0.973 1.935 0.054
headerSubject contains “For Only”SUBJ_FOR_ONLY0.646 1.100 1.726 0.044
headerSubject contains “FREE” in CAPSSUBJ_FREE_CAP0.011 0 0.146 0.000
headerSubject starts with “Free”SUB_FREE_OFFER0.055 0.034 0.103 0.000
headerSubject GUARANTEEDSUBJ_GUARANTEED1.749 1.302 0.081 0.452
headerSubject starts with “Hello”SUB_HELLO1.405 1.358 0.954 0.007
headerSubject includes “life insurance”SUBJ_LIFE_INSURANCE1.840 2.068 2.184 2.020
headerSubject contains “Your Bills” or similarSUBJ_YOUR_DEBT1.760 2.068 2.035 1.261
headerSubject contains “Your Family”SUBJ_YOUR_FAMILY1.647 0 2.033 0.011
headerSubject contains “Your Own”SUBJ_YOUR_OWN0.872 1.294 1.371 0.000
headerReceived contains a faked HELO hostnameRCVD_FAKE_HELO_DOTCOM0.899 0.034 0.969 0.424
headerTo: address appears in SubjectADDRESS_IN_SUBJECT1.296 1.409 1.866 1.804
headerSubject talks about losing poundsSUBJECT_DIET1.355 0.723 0.059 0.266
headerHeader has extraneous Content-type:…type= entryEXTRA_MPART_TYPE0 0.222 0 0
headerTo header contains ‘recipient’ markerTO_RECIP_MARKER0 0 1.370 1.539
headerSpam tool pattern in MIME boundaryMIME_BOUND_DD_DIGITS3.600 4.230 4.162 4.139
headerSpam tool pattern in MIME boundaryMIME_BOUND_DIGITS_70 0 1.460 0.893
headerSpam tool pattern in MIME boundaryMIME_BOUND_DIGITS_152.674 3.286 3.120 3.400
headerSpam tool pattern in MIME boundaryMIME_BOUND_MANY_HEX1.920 2.255 2.590 2.700
headerSpam tool pattern in MIME boundary (rfkindy)MIME_BOUND_RKFINDY2.080 2.347 2.590 2.671
headerTo: has a malformed addressTO_MALFORMED0.895 2.253 0.455 2.187
headerFrom address is webmail, but starts with a numberFROM_NUM_AT_WEBMAIL1.389 0.258 1.901 1.617
headerFrom webmail service and address ends in numbersFROM_WEBMAIL_END_NUMS60.178 0.046 0.389 0.000
headerFrom Address contains FREEADDR_FREE0.194 0.078 1.038 1.832
headerSent to a text fileTO_TXT0 0 1.362 1.580
headerInvolves ‘china.com’CHINA_HEADER1.840 1.911 2.312 2.386
headerReceived line contains spam-sign (lowercase smtp)WITH_LC_SMTP1.600 0.235 1.862 2.200
headerFrom address has no lower-case charactersFROM_NO_LOWER1.010 1.307 1.650 0.377
headerSubject line starts with Buy or BuyingSUBJ_BUY0.565 0.490 0.414 0.000
headerSubject is indicative of a Nigerian spamNIGERIAN_SUBJECT10 0 0.270 0
headerSubject is indicative of a Nigerian spamNIGERIAN_SUBJECT21.235 1.765 1.935 2.090
headerMessage would have been caught by accessdbACCESSDB1
headerReceived headers forged (AM/PM)RCVD_AM_PM1.558 0.091 1.802 1.927
headerMultiple Content-Type headers foundHEADER_COUNT_CTYPE1.198 1.676 1.482 1.771
headerHost HELO’d as a big ISP, but had no rDNSNO_RDNS_DOTCOM_HELO0.025 0.024 0.601 0.016
headerX-Originating-IP doesn’t look like IPv4 addressX_ORIG_IP_NOT_IPV40 1.006 0.081 2.582
headerX-Authentication-Warning header looks fakedX_AUTH_WARN_FAKED2.094 2.599 1.654 3.105
headerReceived header contains faked ‘mr.outblaze.com’FAKE_OUTBLAZE_RCVD2.400 2.726 2.867 3.100
headerMessage is from domain that never sends emailFROM_NONSENDING_DOMAIN1.486 0.308 1.678 0.000
headerSubject contains common spam sign (2 numbers)SUBJ_2_NUM_PARENS1.472 0.276 1.672 2.102
bodyHTML included in messageHTML_MESSAGE0.001
bodyMessage is 0% to 10% HTMLHTML_00_100.985 0.138 1.070 1.068
bodyMessage is 10% to 20% HTMLHTML_10_201.050 0.295 1.350 0.246
bodyMessage is 20% to 30% HTMLHTML_20_301.241 0.504 0.567 0.226
bodyMessage is 30% to 40% HTMLHTML_30_400.879 0.056 0.437 0.021
bodyMessage is 40% to 50% HTMLHTML_40_500.527 0.086 0.052 0.035
bodyMessage is 50% to 60% HTMLHTML_50_601.053 0.095 0.539 0.087
bodyMessage is 60% to 70% HTMLHTML_60_700.516 0.027 0 0
bodyMessage is 70% to 80% HTMLHTML_70_800.151 0 0.039 0
bodyMessage is 80% to 90% HTMLHTML_80_900.027 0 0.036 0.146
bodyMessage is 90% to 100% HTMLHTML_90_1000.346 0.189 0.043 0.022
bodyHTML has very strong “shouting” markupHTML_SHOUTING30.266 0 0.012 0.019
bodyHTML has very strong “shouting” markupHTML_SHOUTING40.076 0 0.052 0
bodyHTML has very strong “shouting” markupHTML_SHOUTING50.026 0 0.030 0.019
bodyHTML has very strong “shouting” markupHTML_SHOUTING60 0.004 0 0.000
bodyHTML has very strong “shouting” markupHTML_SHOUTING70.450 0.472 0 0.646
bodyHTML contains text after HTML close tagHTML_TEXT_AFTER_HTML0.312 0.205 0.032 0.031
bodyHTML contains text after BODY close tagHTML_TEXT_AFTER_BODY0.263 0.151 0.752 0.061
bodyHTML comment is very shortHTML_COMMENT_SHORT0.014 0.625 0 0.000
bodyHTML message is a saved web pageHTML_COMMENT_SAVED_URL0.528 0.130 0.470 0.146
bodyHTML conversion tool used by spamHTML_CONVERTED0 1.204 0.402 1.605
bodyHTML with embedded plugin objectHTML_EMBEDS0 0.084 0.108 0.207
bodyHTML contains unsafe auto-executing codeHTML_EVENT_UNSAFE0 0 0.022 0.515
bodyHTML font size is tinyHTML_FONT_SIZE_TINY0 0.419 0 0.533
bodyHTML font size is negativeHTML_FONT_SIZE_NONE0 0.455 1.119 0.033
bodyHTML font size is largeHTML_FONT_SIZE_LARGE1.387 0.712 0.496 0.153
bodyHTML font size is hugeHTML_FONT_SIZE_HUGE1.796 1.278 2.265 2.594
bodyHTML tag for a big font sizeHTML_FONT_BIG0 0.232 0 0.142
bodyHTML tag for a tiny font sizeHTML_FONT_TINY2.141 0.471 0.521 0.964
bodyHTML font color is same as backgroundHTML_FONT_INVISIBLE0 0.065 0 0.036
bodyHTML font color similar to backgroundHTML_FONT_LOW_CONTRAST1.011 0.955 1.017 0.788
bodyHTML font face is not a wordHTML_FONT_FACE_BAD0 0 0.044 0.037
bodyHTML font face has excess capital charactersHTML_FONT_FACE_CAPS0 0.804 0.281 0.247
bodyHTML includes a form which sends mailHTML_FORMACTION_MAILTO1.840 2.162 1.907 2.353
bodyHTML: images with 0-400 bytes of wordsHTML_IMAGE_ONLY_043.120 3.094 3.482 3.304
bodyHTML: images with 400-800 bytes of wordsHTML_IMAGE_ONLY_082.881 1.970 2.730 3.036
bodyHTML: images with 800-1200 bytes of wordsHTML_IMAGE_ONLY_122.360 1.473 2.741 2.942
bodyHTML: images with 1200-1600 bytes of wordsHTML_IMAGE_ONLY_161.352 1.279 1.990 1.047
bodyHTML: images with 1600-2000 bytes of wordsHTML_IMAGE_ONLY_201.567 0.843 1.023 0.446
bodyHTML: images with 2000-2400 bytes of wordsHTML_IMAGE_ONLY_241.088 1.003 0.787 0.502
bodyHTML has a low ratio of text to image areaHTML_IMAGE_RATIO_021.729 0 1.125 0.018
bodyHTML has a low ratio of text to image areaHTML_IMAGE_RATIO_041.038 0.184 0.515 0.105
bodyHTML has a low ratio of text to image areaHTML_IMAGE_RATIO_060.072 0 0.342 0.131
bodyHTML has a low ratio of text to image areaHTML_IMAGE_RATIO_080 0.000 0 0.032
bodyHTML link text says “push here” or similarHTML_LINK_PUSH_HERE1.627 0.409 1.843 0.873
bodyMessage is 5% to 10% HTML obfuscationHTML_OBFUSCATE_05_100.428 0.483 0.563 0.257
bodyMessage is 10% to 20% HTML obfuscationHTML_OBFUSCATE_10_200.931 0.732 0.796 0.865
bodyMessage is 20% to 30% HTML obfuscationHTML_OBFUSCATE_20_300.997 0.597 0.014 0.000
bodyMessage is 30% to 40% HTML obfuscationHTML_OBFUSCATE_30_402.517 1.933 3.005 3.445
bodyMessage is 40% to 50% HTML obfuscationHTML_OBFUSCATE_40_502.641 1.746 2.739 3.089
bodyMessage is 50% to 60% HTML obfuscationHTML_OBFUSCATE_50_602.635 1.339 2.882 3.325
bodyMessage is 60% to 70% HTML obfuscationHTML_OBFUSCATE_60_702.257 0.971 2.432 2.805
bodyMessage is 70% to 80% HTML obfuscationHTML_OBFUSCATE_70_802.308 1.334 2.256 2.689
bodyMessage is 80% to 90% HTML obfuscationHTML_OBFUSCATE_80_901.600 0.489 1.656 1.939
bodyMessage is 90% to 100% HTML obfuscationHTML_OBFUSCATE_90_1001.405 0.203 1.657 1.775
bodyHTML tags used to obfuscate wordsHTML_BACKHAIR_20.144 0 0.032 0
bodyHTML tags used to obfuscate wordsHTML_BACKHAIR_40 0 0.138 0.058
bodyHTML tags used to obfuscate wordsHTML_BACKHAIR_81.075 0.569 1.137 0.727
bodyHTML has many bad attributes in tagsHTML_ATTR_BAD0 0.101 0.609 2.354
bodyHTML appears to have random attributes in tagsHTML_ATTR_UNIQUE0.441 1.165 1.097 0.000
bodyImage tag intended to identify youHTML_WEB_BUGS0.166 0.013 0.311 0.035
bodyHTML has unbalanced “body” tagsHTML_TAG_BALANCE_BODY0.043 0.389 0.096 0.000
bodyHTML has unbalanced “head” tagsHTML_TAG_BALANCE_HEAD0.061 0.860 0.033 0.000
bodyHTML has “marquee” tagHTML_TAG_EXIST_MARQUEE2.160 1.758 1.840 2.034
bodyHTML has “tbody” tagHTML_TAG_EXIST_TBODY1.014 0.233 0.079 0.114
bodyHTML message is 0% to 10% bad tagsHTML_BADTAG_00_100 0 0.001 0.000
bodyHTML message is 10% to 20% bad tagsHTML_BADTAG_10_200.236 0 0 0
bodyHTML message is 20% to 30% bad tagsHTML_BADTAG_20_300 0.169 0.035 0
bodyHTML message is 30% to 40% bad tagsHTML_BADTAG_30_400 0.103 0.017 0
bodyHTML message is 40% to 50% bad tagsHTML_BADTAG_40_500.002 0 0.000 0.010
bodyHTML message is 50% to 60% bad tagsHTML_BADTAG_50_600.864 0.430 1.035 0.153
bodyHTML message is 60% to 70% bad tagsHTML_BADTAG_60_701.726 1.127 2.314 1.356
bodyHTML message is 70% to 80% bad tagsHTML_BADTAG_70_801.657 0.075 2.087 2.280
bodyHTML message is 80% to 90% bad tagsHTML_BADTAG_80_901.861 1.309 1.831 1.911
bodyHTML message is 90% to 100% bad tagsHTML_BADTAG_90_1000.746 1.192 2.688 2.804
body0% to 10% of HTML elements are non-standardHTML_NONELEMENT_00_100 0 0.001 0.001
body10% to 20% of HTML elements are non-standardHTML_NONELEMENT_10_200.045 0 0.000 0.000
body20% to 30% of HTML elements are non-standardHTML_NONELEMENT_20_300.346 0.070 0 0
body30% to 40% of HTML elements are non-standardHTML_NONELEMENT_30_400 0.012 0.010 0.000
body40% to 50% of HTML elements are non-standardHTML_NONELEMENT_40_500.000
body50% to 60% of HTML elements are non-standardHTML_NONELEMENT_50_601
body60% to 70% of HTML elements are non-standardHTML_NONELEMENT_60_700.237 1.138 0.083 0.001
body70% to 80% of HTML elements are non-standardHTML_NONELEMENT_70_800.488 0.803 1.169 0.000
body80% to 90% of HTML elements are non-standardHTML_NONELEMENT_80_900.016 0.492 0.023 0.000
body90% to 100% of HTML elements are non-standardHTML_NONELEMENT_90_1000.011 1.582 0 2.963
bodyHTML is extremely shortHTML_SHORT_LENGTH0.601 0.713 0.068 0.389
bodyHTML title contains no textHTML_TITLE_EMPTY0.022 0.045 0.036 0.004
bodyHTML title contains “Untitled”HTML_TITLE_UNTITLED0.222 0.259 0.792 0.000
rawbodyJavascript to hide URLs in browserHIDE_WIN_STATUS0.032 0 0 0.063
rawbodyHTML contains needlessly encoded charactersENTITY_DEC_ALPHANUM0.012 0 2.686 2.716
bodyList removal informationMULTI_REMOVAL_1WORD1.005 0 0.916 0.802
bodySend real mail to be unsubscribedREMOVE_POSTAL1.520 1.362 1.757 1.900
bodyAsks you to click below (in capital letters)CLICK_BELOW_CAPS0.135 0 0 0.112
bodyClick to be removedCLICK_TO_REMOVE_10.050 0 0.192 0.791
bodyClaims compliance with spam regulationsSENT_IN_COMPLIANCE1.520 1.786 1.850 2.000
bodyPossible mention of bill 1618 (anti-spam bill)BILL_16180.994 1.692 1.798 1.895
bodyDoesn’t ask any questionsNO_QS_ASKED0 1.196 0 0.000
bodyOffers a full refundFULL_REFUND0.853 1.114 0.079 1.272
bodyNo such thing as a free lunch (2)COMPLETELY_FREE0.086 0 0.840 0.026
bodyNo such thing as a free lunch (3)NO_COST0.078 0 0.335 0.000
bodyOne hundred percent guaranteedGUARANTEED_100_PERCENT0.615 0.435 0.669 0.000
bodyDear Friend? That’s not very dear!DEAR_FRIEND0.542 0.766 1.288 0.070
bodyContains ‘Dear (something)’DEAR_SOMETHING1.059 0.803 1.577 1.578
bodyTalks about lots of moneyBILLION_DOLLARS0.193 1.185 0.407 0.134
bodyTalks about opting out (lowercase version)OPTING_OUT0.157 0.494 0.030 0.479
bodyTalks about opting out (capitalized version)OPTING_OUT_CAPS0.067 0.026 0.483 0.000
bodyGet a million email addressesMILLION_EMAIL0.093 0.417 0.937 0.000
bodyGives a lame excuse about why spam was sentEXCUSE_10 0 0.074 0.132
bodyClaims you can be removed from the listEXCUSE_30 0.098 0.015 0.116
bodyClaims you can be removed from the listEXCUSE_41.145 1.775 1.443 1.119
bodyClaims you can be removed from the listEXCUSE_61.444 0.734 1.782 1.696
bodyClaims you can be removed from the listEXCUSE_70 0.152 0.010 0.018
body“if you do not wish to receive any more”EXCUSE_100.071 0.380 0.039 0.024
bodyNobody’s perfectEXCUSE_120.153 0 0.354 0.197
bodyClaims you opted-in or registeredEXCUSE_190.056 0.357 0.021 0.000
bodyClaims you have provided permissionEXCUSE_231.840 2.088 2.312 2.400
bodyClaims you wanted this adEXCUSE_241.440 1.272 1.874 2.080
bodyTalks about how to be removed from mailingsEXCUSE_REMOVE0.043 0 0.513 0.310
bodyTargeted Traffic / Email AddressesTARGETED0 0.692 1.471 0.480
bodyTells you about a strong buySTRONG_BUY2.880 3.384 3.018 3.117
bodyClaims to honor removal requestsWE_HONOR_ALL2.063 2.365 1.789 2.029
bodyOffers a picked stockSTOCK_PICK0.106 0.150 0.041 1.470
bodyOffers a alert about a stockSTOCK_ALERT2.362 1.782 2.378 2.385
bodySEC-mandated penny-stock warningMICRO_CAP_WARNING1.440 0.760 1.803 1.828
bodyNot registered investment advisorNOT_ADVISOR2.160 2.444 2.590 2.700
bodyDescribes some sort of breakthroughSOME_BREAKTHROUGH0.232 1.921 0.907 1.610
bodyThey have selected you for somethingSELECTED_YOU1.485 1.865 1.841 1.897
bodyContains mail-in order formMAIL_IN_ORDER_FORM1.440 0.351 0 0
bodyUniversity DiplomasUNIVERSITY_DIPLOMAS2.242 0.523 0 0
body‘Prestigious Non-Accredited Universities’PREST_NON_ACCREDITED1.520 1.394 1.607 1.901
bodyClaims “cannot be considered spam”CANNOT_BE_SPAM0 0 1.546 1.769
bodyInformation on growing body partsBODY_ENHANCEMENT0.151 0.481 0.070 0
bodyInformation on getting larger body partsBODY_ENHANCEMENT20.814 0.845 0.109 0
bodyImpotence cureIMPOTENCE0.095 0.751 0 0.094
bodyInformation on how to work at home (1)WORK_AT_HOME0 0 0.325 0.030
bodyInformation on mortgagesMORTGAGE_BEST0.948 0.923 0 0.144
bodyLooks like mortgage pitchMORTGAGE_PITCH0.297 0 0.065 0
bodyInformation on mortgage ratesMORTGAGE_RATES0 0.689 0.174 0.202
bodyOrder a report from someoneORDER_REPORT0 0 1.230 0
rawbodymailto URI includes removal textMAILTO_SUBJ_REMOVE1.023 0 2.064 0.542
bodyIncludes a link for AOL users to clickAOL_USERS_LINK0 0 0.034 0.109
bodyTalks about a million North American dollarsNA_DOLLARS2.078 2.193 2.485 2.611
bodyMentions millions of (dollar) ((dollar) NN,NNN,NNN.NN)US_DOLLARS_30.331 0.411 0.010 0.354
bodyTalks about millions of dollarsMILLION_USD1.594 1.290 1.535 2.796
rawbodyFrontpage used to create the messageFRONTPAGE0.510 0.529 0.595 2.080
bodyContains “My wife, Jody” testimonialJODY0 0 1.326 0
bodyDoing something with my incomeYOUR_INCOME0.674 0.892 0.372 1.092
bodyResistance to this spam is futileRESISTANCE_IS_FUTILE1.520 1.786 1.850 0
bodyContains ‘subject to credit approval’SUBJ_2_CREDIT0 0.500 0 0.076
bodyContains urgent matterURG_BIZ0.288 0.030 1.064 1.808
bodyContains ‘earn (dollar) something per week’EARN_PER_WEEK1.360 0.856 1.757 1.896
bodySpam is 100% natural?!ALL_NATURAL2.640 1.828 2.246 1.061
bodyMoney back guaranteeMONEY_BACK2.051 0.037 0.217 0.095
bodyThere is no catchNO_CATCH0 0 0.127 0
bodyThere is no obligationNO_OBLIGATION0.905 0.565 1.157 0.830
bodyYou won’t be “disappointed”NO_DISAPPOINTMENT0 1.498 1.609 0.410
bodySerious Enquiries OnlySERIOUS_ONLY0 0 1.664 1.748
bodyRisk free. Suuurreeee….RISK_FREE0.036 0.247 0.135 0.230
bodyAs seen on national TV!AS_SEEN_ON0.393 0.320 0.613 0.020
bodyCommon pyramid scheme phrase (1)COPY_ACCURATELY0 0 1.324 0
bodyOff Shore ScamsOFFSHORE_SCAM0 0.337 0.127 0.144
bodyWhy Pay More?WHY_PAY_MORE1.249 0 1.713 1.978
bodyCongratulations – you’ve been scammed?CONGRATULATIONS0 0 0.486 0.272
bodyTalks about free mobile phonesCELL_PHONE_FREE1.280 1.476 1.571 0.922
bodyTalks about cell-phone signal improvementCELL_PHONE_IMPROVE0.771 0.812 1.655 1.031
bodyReceive a special offerRECEIVE_OFFER1.125 0.955 1.446 0.793
bodyFree express or no-obligation quoteFREE_QUOTE_INSTANT0.211 1.736 0.051 0.001
bodyFree MembershipFREE_MEMBERSHIP0.492 1.182 1.587 0.873
bodyCredit Card OffersCREDIT_CARD0.030 0.896 0.032 0.310
bodyWithout a credit checkNO_CREDIT_CHECK0 0 1.990 0.037
bodyAvoiding bankruptcyBANKRUPTCY0.249 1.088 1.112 0.489
bodyAccepting credit cardsACCEPT_CREDIT_CARDS0.360 0 1.332 0.399
bodyEliminate Bad CreditBAD_CREDIT1.161 0.252 0.817 0
bodyNon-secured Credit/DebtNONSECURED_CREDIT0 0 1.074 0
bodyConsolidate debt, credit, or billsCONSOLIDATE_DEBT0.886 0.653 0 0.245
bodyHome refinancingREFINANCE_YOUR_HOME1.321 0.394 0.917 0.340
bodyHome refinancingREFINANCE_NOW1.611 0 1.191 0.029
bodyNo Purchase NecessaryNO_PURCHASE0 0 0.107 0
bodyNo Medical ExamsNO_MEDICAL1.440 1.656 1.665 0
bodyNo Claim FormsNO_FORMS1.622 0.973 0.912 0.011
bodyRequires Initial InvestmentINITIAL_INVEST0.433 0.450 1.026 1.230
bodyBuy DirectBUY_DIRECT1.502 1.779 1.757 1.663
bodyDo it TodayDO_IT_TODAY0.036 0.047 0 0
bodyWhat are you waiting forWHY_WAIT2.240 2.060 0.796 0.764
bodyYou can search for anyoneYOU_CAN_SEARCH1.370 0.444 1.246 1.630
bodyScore with babes!SEDUCTION1.560 1.356 1.415 1.054
bodyInvaluable marketing informationINVALUABLE_MARKETING0 0 1.201 0
bodyGuaranteed StuffGUARANTEED_STUFF0.100 0.238 0.403 0.000
bodyPotential EarningsEARNINGS0 0 1.642 1.675
bodyThe best RatesTHE_BEST_RATE0 0.550 0 0.000
bodyAmazing StuffAMAZING_STUFF0.949 1.269 0.069 0.102
bodyLose Weight SpamDIET_10.671 0.365 0.274 0
bodyDescribes weight lossDIET_20.545 0 1.034 0.316
bodyDescribes body fat lossDIET_31.794 1.061 1.835 2.073
bodyReverses AgingREVERSE_AGING1.919 1.403 2.057 2.150
bodyCures BaldnessHAIR_LOSS1.381 2.371 1.428 1.738
bodyRemoves WrinklesWRINKLES1.730 2.097 1.917 2.091
bodyWhile you SleepWHILE_YOU_SLEEP0.858 0.605 1.786 0.000
bodyIf only it were that easyRICH0 0.451 0 0.000
bodyWho really wins?YOU_WON0.144 0.269 0 0.579
bodyTalks about Hidden ChargesHIDDEN_CHARGES0.046 0.961 0 0.000
bodyFreedom of a financial natureFIN_FREE1.365 0.015 1.865 0.788
bodyStock Disclaimer StatementFORWARD_LOOKING1.840 2.162 2.120 2.200
bodyMail guarantees satisfactionSATIS_GUAR0.884 0 0.825 0.081
bodyOffers Extra CashEXTRA_CASH0.117 0.987 0.629 0.447
bodyGet PaidGET_PAID1.390 1.764 1.466 0.862
bodyHave you been turned down?BEEN_TURNED_DOWN1.336 1.266 1.682 1.890
bodyOne Time Rip OffONE_TIME0.044 0 0.036 0.619
bodyCompete for your businessCOMPETE1.600 1.791 1.804 2.050
bodyMeet SinglesMEET_SINGLES1.600 0 1.076 1.172
bodyJoin Millions of AmericansJOIN_MILLIONS0.036 0.640 0.999 0.448
bodyBe your own bossBE_BOSS1.512 0.145 1.847 1.648
bodyMulti Level Marketing mentionedML_MARKETING0.049 0 0.103 0
bodyClaims to be LegalITS_LEGAL0.186 1.109 0.432 0.264
bodyConfidentiality on all ordersCONFIDENTIAL_ORDER1.920 1.196 1.889 1.266
bodySave big moneySAVE_THOUSANDS0.929 1.889 0.717 0.031
bodyClaims you registered with a partnerMARKETING_PARTNERS2.025 0.718 2.405 1.401
bodyFree PreviewFREE_PREVIEW1.612 0.376 1.887 1.851
bodyDomain name containing a “4u” variantDOMAIN_4U21.508 1.783 1.935 1.588
bodyContains ‘free access’ with capitalsFREE_ACCESS0 0 0.253 0
bodyContains ‘free sample’ with capitalsFREE_SAMPLE0.089 0.168 0.223 0.941
bodyLowest PriceLOW_PRICE0.885 0 0.206 0
bodyPeople just leave money laying aroundUNCLAIMED_MONEY1.263 1.703 1.945 1.584
bodyMessage seems to contain rot13ed addressOBSCURED_EMAIL2.720 3.194 3.186 3.132
bodyMentions their affiliate partnersOUR_AFFILIATE_PARTNERS0 0 0.041 1.443
bodyTalks about exercise with an exclamation!BANG_EXERCISE1.450 1.993 1.662 1.442
bodyTalks about more with an exclamation!BANG_MORE0.287 0 0.294 0
bodyTalks about Oprah with an exclamation!BANG_OPRAH0.666 0.212 1.717 1.975
bodyTalks about quotes with an exclamation!BANG_QUOTE1.680 1.880 1.942 1.964
bodyTalks about ‘acting now’ with capitalsACT_NOW_CAPS0.222 0 0.426 0.093
bodyTalks about ‘starting now’ with capitalsSTART_NOW_CAPS1.280 1.499 1.124 0.857
bodyTalks about a bigger drive for sexMORE_SEX2.240 1.762 2.287 2.422
bodySomething is emphatically guaranteedBANG_GUAR0.297 0 0.254 0
bodySee for yourselfSEE_FOR_YOURSELF0.544 0.381 0.591 0.044
bodyPossible porn – Free PornFREE_PORN0.794 0.023 1.937 0.000
bodyPossible porn – Cum ShotCUM_SHOT0.355 1.732 0.943 0
bodyPossible porn – Pay SitePAY_SITE0 0 1.850 1.900
bodyPossible porn – Live PornLIVE_PORN0.040 0.360 0.019 0.000
bodyPossible porn – Hardcore PornHARDCORE_PORN1.520 0.665 1.850 0.684
bodyPossible porn – Hot, Nasty, Wild, YoungHOT_NASTY0.765 0.586 0.967 0.088
bodyPossible porn – Best, Largest, Most PornBEST_PORN0.566 0.263 0.044 0
bodyPossible porn – Nasty GirlsNASTY_GIRLS0.350 0.439 0.022 2.196
bodyPossible porn – Amateur PornAMATEUR_PORN1.397 0.769 1.615 1.744
bodyPossible porn – Celebrity PornPORN_CELEBRITY0.675 1.569 0.319 0.038
bodyPossible porn – Adult Web SitesSOMETHING_FOR_ADULTS1.433 1.513 1.614 0.006
bodyPossible porn – various types of felinePORN_151.680 1.974 2.035 2.168
bodyPossible porn – nasty, dirty, little etc.PORN_160.907 0.462 1.305 0.017
bodyThousands or millions of pictures, movies, etc.LOTS_OF_STUFF0.839 0.029 0 0.000
bodyAttempts to disguise porn wordsDISGUISE_PORN1.490 1.835 0.798 0.030
uriURL uses words/phrases which indicate porn (sex)PORN_URL_SEX1.865 1.427 1.817 0.011
uriURL uses words/phrases which indicate porn (slut)PORN_URL_SLUT0.941 1.022 0.194 0.094
uriURL uses words/phrases which indicate porn (misc)PORN_URL_MISC1.728 0.573 1.767 1.620
headerSubject indicates sexually-explicit contentSUBJECT_SEXUAL2.160 2.538 2.775 2.900
headerBulk email fingerprint (eGroups) foundRATWARE_EGROUPS2.180 2.701 2.552 2.805
headerBulk email fingerprint (hash 2) foundRATWARE_HASH_20.039 0 0.085 0.037
headerBulk email fingerprint (hash 2 v2) foundRATWARE_HASH_2_V21.798 1.319 1.767 0.980
headerBulk email fingerprint (jpfree) foundRATWARE_JPFREE0 0 1.942 2.100
uriBulk email fingerprint (StormPost) foundRATWARE_STORM_URI1.920 1.518 2.405 2.295
headerX-Mailer has malformed Outlook Express versionRATWARE_OE_MALFORMED2.160 2.407 2.522 2.588
headerBulk email fingerprint (‘esmtp’ Received) foundRATWARE_RCVD_LC_ESMTP1.745 1.474 2.122 2.083
headerBulk email fingerprint (Mozilla malformed) foundRATWARE_MOZ_MALFORMED1.594 0.990 1.752 0.558
rawbodyContains a hashbuster in Send-Safe formatRATWARE_HASH_DASH1.133 0.947 1.500 1.646
headerBulk email fingerprint (netIP) foundRATWARE_NETIP0.439 1.033 2.312 2.286
headerBulk email fingerprint (Gecko faked) foundRATWARE_GECKO_BUILD0 0.826 0.784 1.385
headerHeaders are in order found in spam (MTSRIX)HDR_ORDER_MTSRIX0.417 0.391 0.192 1.057
headerHeaders are in order found in spam (TRIMRS)HDR_ORDER_TRIMRS2.320 2.674 2.220 2.199
headerBulk email fingerprint (bonus space) foundRCVD_BONUS_SPC_DATE1.371 0.904 1.575 1.872
headerBulk email fingerprint (X-Message-Info) foundX_MESSAGE_INFO3.600 4.187 4.162 4.244
headerBulk email fingerprint (Received PF) foundRATWARE_RCVD_PF2.880 3.384 3.608 3.867
headerBulk email fingerprint (Received @) foundRATWARE_RCVD_AT2.550 1.011 2.691 3.415
uriUses a numeric IP address in URLNUMERIC_HTTP_ADDR1.565 1.572 1.872 2.135
uriUses a dotted-decimal IP address in URLNORMAL_HTTP_TO_IP0.104 0.080 0.830 0.028
uriUses %-escapes inside a URL’s hostnameHTTP_ESCAPED_HOST0.034 0.094 0 0.477
uriUses control sequences inside a URL hostnameHTTP_CTRL_CHARS_HOST1.440 1.670 1.757 1.900
uriCompletely unnecessary %-escapes inside a URLHTTP_EXCESSIVE_ESCAPES0 0.645 0 0.151
uriDotted-decimal IP address followed by CGIIP_LINK_PLUS0.211 0.024 0.192 0.232
uriURL of page called “remove”REMOVE_PAGE0.081 0.604 0 0.191
uriIncludes a link to a likely spammer emailMAILTO_TO_SPAM_ADDR0 0 0.106 0
uriIncludes a ‘remove’ email addressMAILTO_TO_REMOVE0.886 0 0.065 0.116
uriUses non-standard port number for HTTPWEIRD_PORT0 0.507 0.228 0.109
uriURL contains username and (optional) passwordUSERPASS0.429 0.561 1.319 0.268
uriFilename is just a ‘\#’; probably a JS trickURI_IS_POUND0 0.333 0 0
uriIncludes a link to a likely spammer domainBARGAIN_URL1.503 1.520 1.686 1.833
uriContains an URL in the BIZ top-level domainBIZ_TLD2.167 0.527 2.434 2.288
uriContains an URL in the INFO top-level domainINFO_TLD1.717 0.481 1.686 0.000
uriHas Yahoo Redirect URIYAHOO_RD_REDIR1.237 1.083 1.366 1.642
uriHas Yahoo Redirect URIYAHOO_DRS_REDIR1.911 0.911 1.956 0.984
uriMessage has link to company offersURI_OFFERS1.328 0.252 1.460 0.770
uriMessage has URI 4youURI_4YOU1.027 1.812 0.898 1.966
uriContains URI to a document hosted at ‘terra.es’TERRA_ES1.367 0.816 1.746 2.612
uriContains an URL-encoded hostname (HTTP77)HTTP_771.514 0.605 1.812 1.981
uriContains a URI with an affiliate ID codeURI_AFFILIATE2.243 0 1.808 2.052
headerMessage has HTTP redirector URIURI_REDIRECTOR0 0 0.031 0.011
bodyBayesian spam probability is 0 to 1%BAYES_000 0 -1.665 -2.599
bodyBayesian spam probability is 1 to 5%BAYES_050 0 -0.925 -0.413
bodyBayesian spam probability is 5 to 20%BAYES_200 0 -0.730 -1.951
bodyBayesian spam probability is 20 to 40%BAYES_400 0 -0.276 -1.096
bodyBayesian spam probability is 40 to 60%BAYES_500 0 1.567 0.001
bodyBayesian spam probability is 60 to 80%BAYES_600 0 3.515 1.0
bodyBayesian spam probability is 80 to 95%BAYES_800 0 3.608 2.0
bodyBayesian spam probability is 95 to 99%BAYES_950 0 3.514 3.0
bodyBayesian spam probability is 99 to 100%BAYES_990 0 4.070 3.5
bodyesClaims you can be removed in SpanishREMOVE_ES_011
bodyesClaims you can be removed in SpanishREMOVE_ES_021
bodyesClaims you can be removed in SpanishREMOVE_ES_031
bodyesClaims you can be removed in SpanishREMOVE_ES_041
bodyesIf you send an email you will be OptOutREMOVE_ES_051
bodyesClaims you can opt-outREMOVE_ES_061
bodyesClaims you can opt-outREMOVE_ES_071
bodyesClaims you can opt-outREMOVE_ES_081
bodyesIf you want to subscribe…SUBSCRIBE_ES_011
bodyesClaims not to be spam in SpanishEXCUSE_ES_011
bodyesSomeone fell free to send you a message in SpanishEXCUSE_ES_021
bodyesSomeone requested an spammer to spam you in SpanishEXCUSE_ES_031
bodyesEl correo como alternativa comercialEXCUSE_ES_051
bodyesMensaje enviado por errorEXCUSE_ES_061
bodyesNo se puede considerar spamEXCUSE_ES_071
bodyesPara dejar de fumarDEJAR_DE_FUMAR_ES1
bodyesNOS CHILLAN PARA DECIR QUE ES GRATISGRATIS_ES1.4
bodyesNos animan a contestar si estamos interesadosINTERESADO_ES1
bodyesDice cumplir con la leyLEY_ORGANICA_ES2.0
bodyesClama cumplir con la normativa SPAMNORMATIVA_SPAM_ES2.0
bodyesNo existe legislación en Chile contra el SPAMLEY_CHILE_ES_011
bodyesClama cumplir con la legislación chilenaLEY_CHILE_ES_021
bodyesInmigración legal (?) a los Estados UnidosTARJETA_VERDE_ES1
bodyesPromocion especial.PROMOCION_ES1
bodyesAlta en buscadores hispanos.ALTA_BUSCADORES_ES1
bodyesIMPERATIVOS/EXCLAMACIONES EN MAYUSCULAS.EXCLAMACION_ES1
bodyesPresentación de un nuevo producto.PRESENTAMOS_ES1
bodyesPago contra reembolso.CONTRA_REEMBOLSO_ES1
bodyesPara hacer su pedido.PEDIDO_ES1
bodyesHaga click aqui.CLICK_ES1
bodyesLos regalos no existen, salvo de nuestros amigos.REGALO_ES1
bodyesPueden ser ganadores.GANADORES_ES_011
bodyesHa sido ganador.GANADORES_ES_021
bodyesPorno gratis.PORNO_GRATIS_ES1
bodyesMas informacion.MAS_INFORMACION_ES1
bodyesInformacion y reservaINFORMACION_RESERVA_ES1
bodyesConviertete en Spammer.REENVIA_ES1
bodyesNo nos envían más spam… seguro que no.NO_MAS_MAIL_1_ES1
bodyesNo recibirá este spam otra vez… seguro que no.NO_MAS_MAIL_2_ES1
bodyesLas direcciones fueron obtenidas de internet.COLECTOR_DE_MAILS_ES1
headerContains valid Hashcash token (20 bits)HASHCASH_20-0.500
headerContains valid Hashcash token (21 bits)HASHCASH_21-0.700
headerContains valid Hashcash token (22 bits)HASHCASH_22-1.000
headerContains valid Hashcash token (23 bits)HASHCASH_23-2.000
headerContains valid Hashcash token (24 bits)HASHCASH_24-3.000
headerContains valid Hashcash token (25 bits)HASHCASH_25-4.000
headerContains valid Hashcash token (>25 bits)HASHCASH_HIGH-5.000
headerHashcash token already spent in another mailHASHCASH_2SPEND0.100
headerSPF: sender matches SPF recordSPF_PASS-0.001
headerSPF: sender does not match SPF record (fail)SPF_FAIL0 0.001 0 0.875
headerSPF: sender does not match SPF record (softfail)SPF_SOFTFAIL0.500 0.842 0.500 0.500
headerSPF: HELO matches SPF recordSPF_HELO_PASS-0.001
headerSPF: HELO does not match SPF record (fail)SPF_HELO_FAIL0 0.405 0 0.001
headerSPF: HELO does not match SPF record (softfail)SPF_HELO_SOFTFAIL0 1.002 0 3.140
bodyContains an URL listed in the SBL blocklistURIBL_SBL0 0.629 0 0.996
bodyContains an URL listed in the SC SURBL blocklistURIBL_SC_SURBL0 3.897 0 4.263
bodyContains an URL listed in the WS SURBL blocklistURIBL_WS_SURBL0 0.539 0 1.462
bodyContains an URL listed in the PH SURBL blocklistURIBL_PH_SURBL0 0.839 0 2.000
bodyContains an URL listed in the OB SURBL blocklistURIBL_OB_SURBL0 1.996 0 3.213
bodyContains an URL listed in the AB SURBL blocklistURIBL_AB_SURBL0 2.007 0 0.417
headerFrom: address is in the auto white-listAWL1
headerFrom: address is in the user’s black-listUSER_IN_BLACKLIST100.000
headerFrom: address is in the user’s white-listUSER_IN_WHITELIST-100.000
headerFrom: address is in the default white-listUSER_IN_DEF_WHITELIST-15.000
headerUser is listed in ‘blacklist_to’USER_IN_BLACKLIST_TO10.000
headerUser is listed in ‘whitelist_to’USER_IN_WHITELIST_TO-6.000
headerUser is listed in ‘more_spam_to’USER_IN_MORE_SPAM_TO-20.000
headerUser is listed in ‘all_spam_to’USER_IN_ALL_SPAM_TO-100.000

 

Like
Like Love Haha Wow Sad Angry

Check Also

How to symlink a file in Linux?

To create a new symlink (will fail if symlink exists already): ln -s /path/to/file /path/to/symlink …

Come on join the discussion

You can contribute by commenting

Notify of
avatar
wpDiscuz