Home / Tips / Web and Server / How spam filters generally work

How spam filters generally work

AREA TESTEDLOCALEDESCRIPTION OF TESTTEST NAMEDEFAULT SCORES
(local, net, with bayes, with bayes+net)
MORE INFO
(additional wiki docs)
bodyGeneric Test for Unsolicited Bulk EmailGTUBE1000.000
fullListed in Razor2 (http://razor.sf.net/)RAZOR2_CHECK0 0.150 0 1.511
bodyRazor2 gives confidence level above 50%RAZOR2_CF_RANGE_51_1000 1.485 0 0.056
fullListed in DCC (http://rhyolite.com/anti-spam/dcc/)DCC_CHECK0 1.373 0 2.169
fullListed in Pyzor (http://pyzor.sf.net/)PYZOR_CHECK0 2.041 0 3.451
bodyIncorporates a tracking ID numberTRACKER_ID1.825 1.064 1.818 0.555
bodyWeird repeated double-quotation marksWEIRD_QUOTING1.353 1.966 1.774 2.000
rawbodyExtra blank lines in base64 encodingMIME_BASE64_BLANKS0.693 0.819 1.391 1.469
rawbodybase64 attachment does not have a file nameMIME_BASE64_NO_NAME0.022 0 0.017 0.000
rawbodyMessage text disguised using base64 encodingMIME_BASE64_TEXT1.780 0.110 1.403 0.298
rawbodyMIME section missing boundaryMIME_MISSING_BOUNDARY0 0.247 0.224 0
bodyMultipart message mostly text/html MIMEMIME_HTML_MOSTLY1.540 0.285 0.713 1.023
bodyMessage only has text/html MIME partsMIME_HTML_ONLY1.204 1.158 1.156 0.177
rawbodyQuoted-printable line longer than 76 charsMIME_QP_LONG_LINE0 0.000 0.105 0.039
rawbodyMIME filename does not match contentMIME_SUSPECT_NAME0.100
bodyHTML and text parts are differentMPART_ALT_DIFF1.837 1.505 1.823 0.066
bodyCharacter set indicates a foreign languageCHARSET_FARAWAY3.200
bodyMessage written in an undesired languageUNWANTED_LANGUAGE_BODY2.800
bodyBody includes 8 consecutive 8-bit charactersBODY_8BITS1.500
bodyBody contains a ROT13-encoded email addressEMAIL_ROT132.720 1.474 2.934 3.105
bodyMessage body has 70-80% blank linesBLANK_LINES_70_801.668 1.127 0.745 1.515
bodyMessage body has 80-90% blank linesBLANK_LINES_80_900.046 0 0.216 0
bodyMessage body has 90-100% blank linesBLANK_LINES_90_1001.490 1.750 1.877 1.996
bodyMessage body has many words used only onceUNIQUE_WORDS3.109 2.549 1.639 2.273
bodyMessage body mentions many internet domainsDOMAIN_RATIO2.552 1.360 2.534 3.176
headerDid not pass through any untrusted hostsALL_TRUSTED-2.400 -2.820 -2.867 -3.300
headerNJABL: sender is confirmed open relayRCVD_IN_NJABL_RELAY0 0.934 0 1.397
headerNJABL: dialup sender did non-local SMTPRCVD_IN_NJABL_DUL0 1.655 0 0.088
headerNJABL: sender is confirmed spam sourceRCVD_IN_NJABL_SPAM0 1.051 0 1.841
headerNJABL: sent through multi-stage open relayRCVD_IN_NJABL_MULTI1
headerNJABL: sender is an open formmailRCVD_IN_NJABL_CGI1
headerNJABL: sender is an open proxyRCVD_IN_NJABL_PROXY0 1.026 0 0.438
headerSORBS: sender is open HTTP proxy serverRCVD_IN_SORBS_HTTP0 0 0 0.043
headerSORBS: sender is open proxy serverRCVD_IN_SORBS_MISC0 0 0 0.338
headerSORBS: sender is open SMTP relayRCVD_IN_SORBS_SMTP0 1.597 0 2.493
headerSORBS: sender is open SOCKS proxy serverRCVD_IN_SORBS_SOCKS0 1.847 0 2.054
headerSORBS: sender is a abuseable web serverRCVD_IN_SORBS_WEB0 0 0 0.007
headerSORBS: sender demands to never be testedRCVD_IN_SORBS_BLOCK1
headerSORBS: sender is on a hijacked networkRCVD_IN_SORBS_ZOMBIE0 0.819 0 0
headerSORBS: sent directly from dynamic IP addressRCVD_IN_SORBS_DUL0 0.137 0 1.987
headerReceived via a relay in Spamhaus SBLRCVD_IN_SBL0 1.050 0 0.107
headerReceived via a relay in Spamhaus XBLRCVD_IN_XBL0 2.511 0 3.076
headerEnvelope sender in dsn.rfc-ignorant.orgDNS_FROM_RFC_DSN1
headerEnvelope sender in postmaster.rfc-ignorant.orgDNS_FROM_RFC_POST0 1.376 0 1.614
headerEnvelope sender in abuse.rfc-ignorant.orgDNS_FROM_RFC_ABUSE0 0.374 0 0
headerEnvelope sender in whois.rfc-ignorant.orgDNS_FROM_RFC_WHOIS0 0.492 0 0.296
headerEnvelope sender in bogusmx.rfc-ignorant.orgDNS_FROM_RFC_BOGUSMX0 1.463 0 2.630
headerReceived via a relay in list.dsbl.orgRCVD_IN_DSBL0 2.765 0 3.805
headerFrom: sender listed in dnsbl.ahbl.orgDNS_FROM_AHBL_RHSBL0 0.070 0 0.295
headerHas Habeas warrant mark and on Infringer ListHABEAS_INFRINGER0 16.0 0 16.0
headerHas Habeas warrant mark and on User ListHABEAS_USER0 -8.0 0 -8.0
headerSender is in Bonded Sender Program (trusted relay)RCVD_IN_BSP_TRUSTED0 -4.3 0 -4.3
headerSender is in Bonded Sender Program (other relay)RCVD_IN_BSP_OTHER0 -0.1 0 -0.1
headerSender domain is new and very high volumeSB_NEW_BULK1
headerSender IP hosted at NSP has a volume spikeSB_NSP_VOLUME_SPIKE1
headerReceived via a relay in bl.spamcop.netRCVD_IN_BL_SPAMCOP_NET0 1.832 0 1.216
headerReceived via a relay in RSLRCVD_IN_RSL0 0.677 0 1.720
headerRelay in RBL, http://www.mail-abuse.org/rbl/RCVD_IN_MAPS_RBL1
headerRelay in DUL, http://www.mail-abuse.org/dul/RCVD_IN_MAPS_DUL1
headerRelay in RSS, http://www.mail-abuse.org/rss/RCVD_IN_MAPS_RSS1
headerRelay in NML, http://www.mail-abuse.org/nml/RCVD_IN_MAPS_NML1
headerEnvelope sender has no MX or A DNS recordsNO_DNS_FOR_FROM0 1.1 0 1.6
headerSubject contains a gappy version of ‘cialis’SUBJECT_DRUG_GAP_C1.993 1.917 2.501 1.325
headerSubject contains a gappy version of ‘levitra’SUBJECT_DRUG_GAP_L2.117 2.726 2.181 2.456
headerSubject contains a gappy version of ‘phentermine’SUBJECT_DRUG_GAP_P0.621 0.765 0.698 1.425
headerSubject contains a gappy version of ‘soma’SUBJECT_DRUG_GAP_S2.005 0.277 2.920 2.041
headerSubject contains a gappy version of ‘valium’SUBJECT_DRUG_GAP_VA2.005 1.922 2.934 3.680
headerSubject contains a gappy version of ‘viagra’SUBJECT_DRUG_GAP_VIA2.659 1.770 3.158 0.253
headerSubject contains a gappy version of ‘vicodin’SUBJECT_DRUG_GAP_VIC2.560 2.961 2.691 2.868
headerSubject contains a gappy version of ‘xanax’SUBJECT_DRUG_GAP_X2.538 2.282 2.945 2.512
bodyTalks about price per doseDRUG_DOSAGE0.342 0.608 0.405 0.862
bodyMentions an E.D. drugDRUG_ED_CAPS0.122 1.535 0 0.185
bodyViagra and other drugsDRUG_ED_COMBO1.000 0.183 1.415 1.636
bodyTalks about an E.D. drug using its chemical nameDRUG_ED_SILD1.856 0.421 1.597 1.666
bodyMentions Generic ViagraDRUG_ED_GENERIC1.933 1.181 0 1.128
bodyFast Viagra DeliveryDRUG_ED_ONLINE0.553 1.820 1.097 2.300
bodyDeep discount medicationsDEEP_DISC_MEDS2.480 1.211 2.573 2.626
bodyOnline PharmacyONLINE_PHARMACY2.730 0 2.895 0.000
bodyAttempts to disguise the word ‘viagra’VIA_GAP_GRA2.800 3.171 2.886 3.005
bodyTwo or more drugs crammed together into one wordDRUGS_SMEAR10.515 1.522 0.475 2.351
headerHost HELO did not match rDNS: msn.comFAKE_HELO_MSN1.773 1.456 2.069 2.645
headerHost HELO did not match rDNS: mail.comFAKE_HELO_MAIL_COM1.303 1.972 0.111 0.000
headerHost HELO did not match rDNS: email.comFAKE_HELO_EMAIL_COM0 0 0 1.537
headerHost HELO did not match rDNS: eudoramail.comFAKE_HELO_EUDORAMAIL1.520 0.907 0 0
headerHost HELO did not match rDNS: excite.comFAKE_HELO_EXCITE1.840 2.127 2.127 2.074
headerHost HELO did not match rDNS: lycos.comFAKE_HELO_LYCOS1.410 1.645 0 0.988
headerHost HELO did not match rDNS: yahoo.caFAKE_HELO_YAHOO_CA1.166 0 0.171 1.116
headerRelay HELO’d with suspicious hostname (mail.com)FAKE_HELO_MAIL_COM_DOM1.920 2.173 2.312 2.108
headerRelay HELO’d using suspicious hostname (IP addr 1)HELO_DYNAMIC_IPADDR3.520 2.754 4.070 4.400
headerRelay HELO’d using suspicious hostname (DHCP)HELO_DYNAMIC_DHCP2.791 0.087 0.958 1.248
headerRelay HELO’d using suspicious hostname (HCC)HELO_DYNAMIC_HCC3.360 1.540 2.451 3.741
headerRelay HELO’d using suspicious hostname (ATTBI.com)HELO_DYNAMIC_ATTBI3.200 3.662 2.760 3.147
headerRelay HELO’d using suspicious hostname (Rogers)HELO_DYNAMIC_ROGERS1.677 0.793 1.888 2.094
headerRelay HELO’d using suspicious hostname (Adelphia)HELO_DYNAMIC_ADELPHIA2.320 1.829 2.389 2.199
headerRelay HELO’d using suspicious hostname (T-Dialin)HELO_DYNAMIC_DIALIN2.320 0.443 2.429 1.755
headerRelay HELO’d using suspicious hostname (Hex IP)HELO_DYNAMIC_HEXIP1.826 1.320 1.453 1.522
headerRelay HELO’d using suspicious hostname (Split IP)HELO_DYNAMIC_SPLIT_IP2.869 0.887 0.992 0.775
headerRelay HELO’d using suspicious hostname (YahooBB)HELO_DYNAMIC_YAHOOBB2.800 2.776 2.572 3.000
headerRelay HELO’d using suspicious hostname (OptOnline)HELO_DYNAMIC_OOL3.120 2.508 3.065 3.182
headerRelay HELO’d using suspicious hostname (IP addr 2)HELO_DYNAMIC_IPADDR23.271 0.805 2.554 3.496
headerRelay HELO’d using suspicious hostname (RR 2)HELO_DYNAMIC_RR22.080 1.015 1.678 2.200
headerRelay HELO’d using suspicious hostname (Comcast)HELO_DYNAMIC_COMCAST3.040 3.533 3.217 3.700
headerRelay HELO’d using suspicious hostname (Telia)HELO_DYNAMIC_TELIA0 0 1.216 1.515
headerRelay HELO’d using suspicious hostname (VTR)HELO_DYNAMIC_VTR1.916 0.805 2.013 1.960
headerRelay HELO’d using suspicious hostname (Chello.no)HELO_DYNAMIC_CHELLO_NO1.388 0.226 1.409 1.570
headerRelay HELO’d using suspicious hostname (Chello.nl)HELO_DYNAMIC_CHELLO_NL1.762 0 0.542 0.244
headerRelay HELO’d using suspicious hostname (Veloxzone)HELO_DYNAMIC_VELOX1.680 1.877 1.803 2.003
headerRelay HELO’d using suspicious hostname (NTL)HELO_DYNAMIC_NTL1.340 0.187 1.445 1.732
headerRelay HELO’d using suspicious hostname (Home.nl)HELO_DYNAMIC_HOME_NL1.737 0.635 1.660 1.878
headerMessage headers are very longHEAD_LONG2.5
headerFrom: does not include a real nameNO_REAL_NAME0.124 0.178 0.336 0.007
headerFrom: ends in numbersFROM_ENDS_IN_NUMS0.177 0.516 0.517 0.000
headerFrom: starts with numsFROM_STARTS_WITH_NUMS1.218 1.492 1.441 0.300
headerFrom: contains numbers mixed in with lettersFROM_HAS_MIXED_NUMS0.107 0.298 0.024 0.000
headerFrom: contains numbers mixed in with lettersFROM_HAS_MIXED_NUMS31.132 1.113 1.513 1.614
headerUses an address with lots of numbers, at a big ISPADDR_NUMS_AT_BIGSITE0.072 0.748 0.112 0.081
headerFrom address is “at something-offers”FROM_OFFERS1.822 0.861 2.243 1.491
headerFrom: has no local-part before @ signFROM_NO_USER1.358 0.344 1.460 0.983
headerTo: has no local-part before @ signTO_NO_USER0.332 0.116 1.615 0.128
headerTo: is emptyTO_EMPTY0 0 0.164 0.097
headerReply-To: is emptyREPLY_TO_EMPTY1.274 1.410 1.568 1.643
headerTo: repeats address as real nameTO_ADDRESS_EQ_REAL0 0.470 0.131 0.026
headerValid-looking To “undisclosed-recipients”UNDISC_RECIPS0.966 1.391 1.295 1.302
headerFaked To “Undisclosed-Recipients”FAKED_UNDISC_RECIPS1.287 0.565 1.431 1.602
headerSubject has exclamation mark and question markPLING_QUERY0.201 0.857 0.906 0.368
headerSubject contains a unique IDSUBJ_HAS_UNIQ_ID0.899 1.122 0.809 1.339
headerSubject contains lots of white spaceSUBJ_HAS_SPACES2.240 0.637 1.899 1.175
headerSubject is all capitalsSUBJ_ALL_CAPS0.763 0.365 0.257 0.665
headerSpam tool Message-Id: (99x9xx99 variant)MSGID_SPAM_99X9XX990.500 0.864 1.576 1.442
headerSpam tool Message-Id: (alpha-numeric variant)MSGID_SPAM_ALPHA_NUM2.640 3.004 3.330 3.228
headerSpam tool Message-Id: (caps variant)MSGID_SPAM_CAPS3.500 3.221 3.545 3.791
headerSpam tool Message-Id: (letters variant)MSGID_SPAM_LETTERS2.960 3.151 3.052 2.709
headerSpam tool Message-Id: (12-zeroes variant)MSGID_SPAM_ZEROES1.584 1.763 1.783 1.859
headerMessage-Id has no hostnameMSGID_NO_HOST0.087 0 0.816 0.140
headerMessage-Id is fake (in Outlook Express format)MSGID_OUTLOOK_INVALID2.000 2.290 2.498 2.700
headerMessage-ID has ALLCAPS@yahoo.comMSGID_YAHOO_CAPS2.425 0.702 2.442 3.800
headerMessage-Id for external message added locallyMSGID_FROM_MTA_ID1.440 1.704 1.756 1.723
headerMessage-Id was added by a hotmail.com relayMSGID_FROM_MTA_HOTMAIL1.600 1.858 1.987 2.144
headerDate header uses unusual Y2K formattingDATE_SPAMWARE_Y2K2.958 2.888 3.384 3.911
headerInvalid Date: header (not RFC 2822)INVALID_DATE0.011 0.235 0 0.236
headerInvalid Date: header (timezone does not exist)INVALID_DATE_TZ_ABSURD0 0 0.664 0.960
headerInvalid date in header (wrong CST timezone)INVALID_TZ_CST2.044 0.066 0.598 2.873
headerInvalid date in header (wrong EST timezone)INVALID_TZ_EST1.492 2.326 1.672 3.582
headerInvalid date in header (wrong GMT/UTC timezone)INVALID_TZ_GMT1.708 0.636 1.549 0.198
headerDate: is 3 to 6 hours before Received: dateDATE_IN_PAST_03_060.025 0 0.127 0
headerDate: is 6 to 12 hours before Received: dateDATE_IN_PAST_06_120.301 0.211 0.918 0
headerDate: is 12 to 24 hours before Received: dateDATE_IN_PAST_12_240.374 0 0.571 0.703
headerDate: is 24 to 48 hours before Received: dateDATE_IN_PAST_24_480 0.302 0.133 0.089
headerDate: is 48 to 96 hours before Received: dateDATE_IN_PAST_48_960.034 0.257 0.222 0
headerDate: is 96 hours or more before Received: dateDATE_IN_PAST_96_XX0.505 1.082 0.979 1.360
headerDate: is 3 to 6 hours after Received: dateDATE_IN_FUTURE_03_061.288 0.072 2.052 0.847
headerDate: is 6 to 12 hours after Received: dateDATE_IN_FUTURE_06_121.040 1.202 1.153 1.300
headerDate: is 12 to 24 hours after Received: dateDATE_IN_FUTURE_12_242.118 2.329 2.863 3.031
headerDate: is 24 to 48 hours after Received: dateDATE_IN_FUTURE_24_482.023 2.046 2.301 2.314
headerDate: is 48 to 96 hours after Received: dateDATE_IN_FUTURE_48_962.080 2.296 2.498 2.689
headerDate: is 96 hours or more after Received: dateDATE_IN_FUTURE_96_XX1.393 1.428 1.930 1.962
headerHeaders contain an unresolved templateUNRESOLVED_TEMPLATE1.324 0.618 1.369 2.866
headerSubject contains too many raw illegal charactersSUBJ_ILLEGAL_CHARS2.880 2.854 3.459 2.854
headerFrom contains too many raw illegal charactersFROM_ILLEGAL_CHARS0.861 0.046 0 0.008
headerHeader contains too many raw illegal charactersHEAD_ILLEGAL_CHARS0.539 2.018 0.961 2.125
headerSubject contains an English UCE tagENGLISH_UCE_SUBJECT2.080 0.336 2.127 0.110
headerSubject contains a Japanese UCE tagJAPANESE_UCE_SUBJECT0 0 1.665 1.800
headerSubject: contains Korean unsolicited email tagKOREAN_UCE_SUBJECT2.400 2.703 2.469 3.081
headerFrom and To are the same, but not exactlyFROM_AND_TO_SAME0 0.198 0 0
headerReceived: contains a forged HELOFORGED_RCVD_HELO0 0.050 0.266 0.000
headerReceived: HELO and IP do not match, but shouldRCVD_HELO_IP_MISMATCH2.799 0.618 1.647 2.178
headerReceived: contains an IP address used for HELORCVD_NUMERIC_HELO0.636 1.531 1.348 1.248
headerReceived: contains illegal IP addressRCVD_ILLEGAL_IP1.335 1.370 1.588 0.944
headerReceived by mail server with no nameRCVD_BY_IP0 0.024 0.051 0.067
headerReceived forged, contains fake AOL relaysFORGED_AOL_RCVD0 0 1.451 0
headerContains forged hostname for a DSL IP in BrazilFORGED_TELESP_RCVD1.595 0.669 1.468 1.532
headerForged hotmail.com ‘Received:’ header foundFORGED_HOTMAIL_RCVD2.614 2.132 2.150 2.536
headerhotmail.com ‘From’ address, but no ‘Received:’FORGED_HOTMAIL_RCVD20.787 1.079 1.415 1.177
headerForged eudoramail.com ‘Received:’ header foundFORGED_EUDORAMAIL_RCVD1.657 0.653 1.130 0.290
header‘From’ yahoo.com does not match ‘Received’ headersFORGED_YAHOO_RCVD1.668 2.174 2.095 2.700
header‘From’ juno.com does not match ‘Received’ headersFORGED_JUNO_RCVD1.644 1.722 2.018 0.792
headerForged ‘by gw05’ ‘Received:’ header foundFORGED_GW05_RCVD0 0 1.495 1.697
headerCharacter set doesn’t existNONEXISTENT_CHARSET0 0 1.411 1.418
headerA foreign language charset used in headersCHARSET_FARAWAY_HEADER3.200
headerSent with ‘X-Priority’ set to highX_PRIORITY_HIGH0.125 0.093 0.077 0.000
headerSent with ‘X-Msmail-Priority’ set to highX_MSMAIL_PRIORITY_HIGH0 0.267 0.021 0.000
headerReceived: says mail sent around the world (HELO)ROUND_THE_WORLD_LOCAL1.347 0.464 2.351 0.213
headerReceived: says mail sent around the world (DNS)ROUND_THE_WORLD0 1.741 0 1.958
headerMissing Date: headerMISSING_DATE0 0.019 0.647 0.000
headerMissing To: headerMISSING_HEADERS0 0 0.087 0.119
headerSimilar addresses in recipient listSUSPICIOUS_RECIPS1.473 1.459 0.820 1.915
headerRecipient list is sorted by addressSORTED_RECIPS0.879 1.155 1.759 0.887
headerSubject: contains G.a.p.p.y-T.e.x.tGAPPY_SUBJECT1.365 1.319 2.084 1.343
headerMessage has X-Library headerX_LIBRARY2.105 1.369 1.863 2.755
headerSubject contains “As Seen”SUBJ_AS_SEEN0.995 1.691 1.214 0.000
headerSubject starts with dollar amountSUBJ_DOLLARS2.449 0.973 1.935 0.054
headerSubject contains “For Only”SUBJ_FOR_ONLY0.646 1.100 1.726 0.044
headerSubject contains “FREE” in CAPSSUBJ_FREE_CAP0.011 0 0.146 0.000
headerSubject starts with “Free”SUB_FREE_OFFER0.055 0.034 0.103 0.000
headerSubject GUARANTEEDSUBJ_GUARANTEED1.749 1.302 0.081 0.452
headerSubject starts with “Hello”SUB_HELLO1.405 1.358 0.954 0.007
headerSubject includes “life insurance”SUBJ_LIFE_INSURANCE1.840 2.068 2.184 2.020
headerSubject contains “Your Bills” or similarSUBJ_YOUR_DEBT1.760 2.068 2.035 1.261
headerSubject contains “Your Family”SUBJ_YOUR_FAMILY1.647 0 2.033 0.011
headerSubject contains “Your Own”SUBJ_YOUR_OWN0.872 1.294 1.371 0.000
headerReceived contains a faked HELO hostnameRCVD_FAKE_HELO_DOTCOM0.899 0.034 0.969 0.424
headerTo: address appears in SubjectADDRESS_IN_SUBJECT1.296 1.409 1.866 1.804
headerSubject talks about losing poundsSUBJECT_DIET1.355 0.723 0.059 0.266
headerHeader has extraneous Content-type:…type= entryEXTRA_MPART_TYPE0 0.222 0 0
headerTo header contains ‘recipient’ markerTO_RECIP_MARKER0 0 1.370 1.539
headerSpam tool pattern in MIME boundaryMIME_BOUND_DD_DIGITS3.600 4.230 4.162 4.139
headerSpam tool pattern in MIME boundaryMIME_BOUND_DIGITS_70 0 1.460 0.893
headerSpam tool pattern in MIME boundaryMIME_BOUND_DIGITS_152.674 3.286 3.120 3.400
headerSpam tool pattern in MIME boundaryMIME_BOUND_MANY_HEX1.920 2.255 2.590 2.700
headerSpam tool pattern in MIME boundary (rfkindy)MIME_BOUND_RKFINDY2.080 2.347 2.590 2.671
headerTo: has a malformed addressTO_MALFORMED0.895 2.253 0.455 2.187
headerFrom address is webmail, but starts with a numberFROM_NUM_AT_WEBMAIL1.389 0.258 1.901 1.617
headerFrom webmail service and address ends in numbersFROM_WEBMAIL_END_NUMS60.178 0.046 0.389 0.000
headerFrom Address contains FREEADDR_FREE0.194 0.078 1.038 1.832
headerSent to a text fileTO_TXT0 0 1.362 1.580
headerInvolves ‘china.com’CHINA_HEADER1.840 1.911 2.312 2.386
headerReceived line contains spam-sign (lowercase smtp)WITH_LC_SMTP1.600 0.235 1.862 2.200
headerFrom address has no lower-case charactersFROM_NO_LOWER1.010 1.307 1.650 0.377
headerSubject line starts with Buy or BuyingSUBJ_BUY0.565 0.490 0.414 0.000
headerSubject is indicative of a Nigerian spamNIGERIAN_SUBJECT10 0 0.270 0
headerSubject is indicative of a Nigerian spamNIGERIAN_SUBJECT21.235 1.765 1.935 2.090
headerMessage would have been caught by accessdbACCESSDB1
headerReceived headers forged (AM/PM)RCVD_AM_PM1.558 0.091 1.802 1.927
headerMultiple Content-Type headers foundHEADER_COUNT_CTYPE1.198 1.676 1.482 1.771
headerHost HELO’d as a big ISP, but had no rDNSNO_RDNS_DOTCOM_HELO0.025 0.024 0.601 0.016
headerX-Originating-IP doesn’t look like IPv4 addressX_ORIG_IP_NOT_IPV40 1.006 0.081 2.582
headerX-Authentication-Warning header looks fakedX_AUTH_WARN_FAKED2.094 2.599 1.654 3.105
headerReceived header contains faked ‘mr.outblaze.com’FAKE_OUTBLAZE_RCVD2.400 2.726 2.867 3.100
headerMessage is from domain that never sends emailFROM_NONSENDING_DOMAIN1.486 0.308 1.678 0.000
headerSubject contains common spam sign (2 numbers)SUBJ_2_NUM_PARENS1.472 0.276 1.672 2.102
bodyHTML included in messageHTML_MESSAGE0.001
bodyMessage is 0% to 10% HTMLHTML_00_100.985 0.138 1.070 1.068
bodyMessage is 10% to 20% HTMLHTML_10_201.050 0.295 1.350 0.246
bodyMessage is 20% to 30% HTMLHTML_20_301.241 0.504 0.567 0.226
bodyMessage is 30% to 40% HTMLHTML_30_400.879 0.056 0.437 0.021
bodyMessage is 40% to 50% HTMLHTML_40_500.527 0.086 0.052 0.035
bodyMessage is 50% to 60% HTMLHTML_50_601.053 0.095 0.539 0.087
bodyMessage is 60% to 70% HTMLHTML_60_700.516 0.027 0 0
bodyMessage is 70% to 80% HTMLHTML_70_800.151 0 0.039 0
bodyMessage is 80% to 90% HTMLHTML_80_900.027 0 0.036 0.146
bodyMessage is 90% to 100% HTMLHTML_90_1000.346 0.189 0.043 0.022
bodyHTML has very strong “shouting” markupHTML_SHOUTING30.266 0 0.012 0.019
bodyHTML has very strong “shouting” markupHTML_SHOUTING40.076 0 0.052 0
bodyHTML has very strong “shouting” markupHTML_SHOUTING50.026 0 0.030 0.019
bodyHTML has very strong “shouting” markupHTML_SHOUTING60 0.004 0 0.000
bodyHTML has very strong “shouting” markupHTML_SHOUTING70.450 0.472 0 0.646
bodyHTML contains text after HTML close tagHTML_TEXT_AFTER_HTML0.312 0.205 0.032 0.031
bodyHTML contains text after BODY close tagHTML_TEXT_AFTER_BODY0.263 0.151 0.752 0.061
bodyHTML comment is very shortHTML_COMMENT_SHORT0.014 0.625 0 0.000
bodyHTML message is a saved web pageHTML_COMMENT_SAVED_URL0.528 0.130 0.470 0.146
bodyHTML conversion tool used by spamHTML_CONVERTED0 1.204 0.402 1.605
bodyHTML with embedded plugin objectHTML_EMBEDS0 0.084 0.108 0.207
bodyHTML contains unsafe auto-executing codeHTML_EVENT_UNSAFE0 0 0.022 0.515
bodyHTML font size is tinyHTML_FONT_SIZE_TINY0 0.419 0 0.533
bodyHTML font size is negativeHTML_FONT_SIZE_NONE0 0.455 1.119 0.033
bodyHTML font size is largeHTML_FONT_SIZE_LARGE1.387 0.712 0.496 0.153
bodyHTML font size is hugeHTML_FONT_SIZE_HUGE1.796 1.278 2.265 2.594
bodyHTML tag for a big font sizeHTML_FONT_BIG0 0.232 0 0.142
bodyHTML tag for a tiny font sizeHTML_FONT_TINY2.141 0.471 0.521 0.964
bodyHTML font color is same as backgroundHTML_FONT_INVISIBLE0 0.065 0 0.036
bodyHTML font color similar to backgroundHTML_FONT_LOW_CONTRAST1.011 0.955 1.017 0.788
bodyHTML font face is not a wordHTML_FONT_FACE_BAD0 0 0.044 0.037
bodyHTML font face has excess capital charactersHTML_FONT_FACE_CAPS0 0.804 0.281 0.247
bodyHTML includes a form which sends mailHTML_FORMACTION_MAILTO1.840 2.162 1.907 2.353
bodyHTML: images with 0-400 bytes of wordsHTML_IMAGE_ONLY_043.120 3.094 3.482 3.304
bodyHTML: images with 400-800 bytes of wordsHTML_IMAGE_ONLY_082.881 1.970 2.730 3.036
bodyHTML: images with 800-1200 bytes of wordsHTML_IMAGE_ONLY_122.360 1.473 2.741 2.942
bodyHTML: images with 1200-1600 bytes of wordsHTML_IMAGE_ONLY_161.352 1.279 1.990 1.047
bodyHTML: images with 1600-2000 bytes of wordsHTML_IMAGE_ONLY_201.567 0.843 1.023 0.446
bodyHTML: images with 2000-2400 bytes of wordsHTML_IMAGE_ONLY_241.088 1.003 0.787 0.502
bodyHTML has a low ratio of text to image areaHTML_IMAGE_RATIO_021.729 0 1.125 0.018
bodyHTML has a low ratio of text to image areaHTML_IMAGE_RATIO_041.038 0.184 0.515 0.105
bodyHTML has a low ratio of text to image areaHTML_IMAGE_RATIO_060.072 0 0.342 0.131
bodyHTML has a low ratio of text to image areaHTML_IMAGE_RATIO_080 0.000 0 0.032
bodyHTML link text says “push here” or similarHTML_LINK_PUSH_HERE1.627 0.409 1.843 0.873
bodyMessage is 5% to 10% HTML obfuscationHTML_OBFUSCATE_05_100.428 0.483 0.563 0.257
bodyMessage is 10% to 20% HTML obfuscationHTML_OBFUSCATE_10_200.931 0.732 0.796 0.865
bodyMessage is 20% to 30% HTML obfuscationHTML_OBFUSCATE_20_300.997 0.597 0.014 0.000
bodyMessage is 30% to 40% HTML obfuscationHTML_OBFUSCATE_30_402.517 1.933 3.005 3.445
bodyMessage is 40% to 50% HTML obfuscationHTML_OBFUSCATE_40_502.641 1.746 2.739 3.089
bodyMessage is 50% to 60% HTML obfuscationHTML_OBFUSCATE_50_602.635 1.339 2.882 3.325
bodyMessage is 60% to 70% HTML obfuscationHTML_OBFUSCATE_60_702.257 0.971 2.432 2.805
bodyMessage is 70% to 80% HTML obfuscationHTML_OBFUSCATE_70_802.308 1.334 2.256 2.689
bodyMessage is 80% to 90% HTML obfuscationHTML_OBFUSCATE_80_901.600 0.489 1.656 1.939
bodyMessage is 90% to 100% HTML obfuscationHTML_OBFUSCATE_90_1001.405 0.203 1.657 1.775
bodyHTML tags used to obfuscate wordsHTML_BACKHAIR_20.144 0 0.032 0
bodyHTML tags used to obfuscate wordsHTML_BACKHAIR_40 0 0.138 0.058
bodyHTML tags used to obfuscate wordsHTML_BACKHAIR_81.075 0.569 1.137 0.727
bodyHTML has many bad attributes in tagsHTML_ATTR_BAD0 0.101 0.609 2.354
bodyHTML appears to have random attributes in tagsHTML_ATTR_UNIQUE0.441 1.165 1.097 0.000
bodyImage tag intended to identify youHTML_WEB_BUGS0.166 0.013 0.311 0.035
bodyHTML has unbalanced “body” tagsHTML_TAG_BALANCE_BODY0.043 0.389 0.096 0.000
bodyHTML has unbalanced “head” tagsHTML_TAG_BALANCE_HEAD0.061 0.860 0.033 0.000
bodyHTML has “marquee” tagHTML_TAG_EXIST_MARQUEE2.160 1.758 1.840 2.034
bodyHTML has “tbody” tagHTML_TAG_EXIST_TBODY1.014 0.233 0.079 0.114
bodyHTML message is 0% to 10% bad tagsHTML_BADTAG_00_100 0 0.001 0.000
bodyHTML message is 10% to 20% bad tagsHTML_BADTAG_10_200.236 0 0 0
bodyHTML message is 20% to 30% bad tagsHTML_BADTAG_20_300 0.169 0.035 0
bodyHTML message is 30% to 40% bad tagsHTML_BADTAG_30_400 0.103 0.017 0
bodyHTML message is 40% to 50% bad tagsHTML_BADTAG_40_500.002 0 0.000 0.010
bodyHTML message is 50% to 60% bad tagsHTML_BADTAG_50_600.864 0.430 1.035 0.153
bodyHTML message is 60% to 70% bad tagsHTML_BADTAG_60_701.726 1.127 2.314 1.356
bodyHTML message is 70% to 80% bad tagsHTML_BADTAG_70_801.657 0.075 2.087 2.280
bodyHTML message is 80% to 90% bad tagsHTML_BADTAG_80_901.861 1.309 1.831 1.911
bodyHTML message is 90% to 100% bad tagsHTML_BADTAG_90_1000.746 1.192 2.688 2.804
body0% to 10% of HTML elements are non-standardHTML_NONELEMENT_00_100 0 0.001 0.001
body10% to 20% of HTML elements are non-standardHTML_NONELEMENT_10_200.045 0 0.000 0.000
body20% to 30% of HTML elements are non-standardHTML_NONELEMENT_20_300.346 0.070 0 0
body30% to 40% of HTML elements are non-standardHTML_NONELEMENT_30_400 0.012 0.010 0.000
body40% to 50% of HTML elements are non-standardHTML_NONELEMENT_40_500.000
body50% to 60% of HTML elements are non-standardHTML_NONELEMENT_50_601
body60% to 70% of HTML elements are non-standardHTML_NONELEMENT_60_700.237 1.138 0.083 0.001
body70% to 80% of HTML elements are non-standardHTML_NONELEMENT_70_800.488 0.803 1.169 0.000
body80% to 90% of HTML elements are non-standardHTML_NONELEMENT_80_900.016 0.492 0.023 0.000
body90% to 100% of HTML elements are non-standardHTML_NONELEMENT_90_1000.011 1.582 0 2.963
bodyHTML is extremely shortHTML_SHORT_LENGTH0.601 0.713 0.068 0.389
bodyHTML title contains no textHTML_TITLE_EMPTY0.022 0.045 0.036 0.004
bodyHTML title contains “Untitled”HTML_TITLE_UNTITLED0.222 0.259 0.792 0.000
rawbodyJavascript to hide URLs in browserHIDE_WIN_STATUS0.032 0 0 0.063
rawbodyHTML contains needlessly encoded charactersENTITY_DEC_ALPHANUM0.012 0 2.686 2.716
bodyList removal informationMULTI_REMOVAL_1WORD1.005 0 0.916 0.802
bodySend real mail to be unsubscribedREMOVE_POSTAL1.520 1.362 1.757 1.900
bodyAsks you to click below (in capital letters)CLICK_BELOW_CAPS0.135 0 0 0.112
bodyClick to be removedCLICK_TO_REMOVE_10.050 0 0.192 0.791
bodyClaims compliance with spam regulationsSENT_IN_COMPLIANCE1.520 1.786 1.850 2.000
bodyPossible mention of bill 1618 (anti-spam bill)BILL_16180.994 1.692 1.798 1.895
bodyDoesn’t ask any questionsNO_QS_ASKED0 1.196 0 0.000
bodyOffers a full refundFULL_REFUND0.853 1.114 0.079 1.272
bodyNo such thing as a free lunch (2)COMPLETELY_FREE0.086 0 0.840 0.026
bodyNo such thing as a free lunch (3)NO_COST0.078 0 0.335 0.000
bodyOne hundred percent guaranteedGUARANTEED_100_PERCENT0.615 0.435 0.669 0.000
bodyDear Friend? That’s not very dear!DEAR_FRIEND0.542 0.766 1.288 0.070
bodyContains ‘Dear (something)’DEAR_SOMETHING1.059 0.803 1.577 1.578
bodyTalks about lots of moneyBILLION_DOLLARS0.193 1.185 0.407 0.134
bodyTalks about opting out (lowercase version)OPTING_OUT0.157 0.494 0.030 0.479
bodyTalks about opting out (capitalized version)OPTING_OUT_CAPS0.067 0.026 0.483 0.000
bodyGet a million email addressesMILLION_EMAIL0.093 0.417 0.937 0.000
bodyGives a lame excuse about why spam was sentEXCUSE_10 0 0.074 0.132
bodyClaims you can be removed from the listEXCUSE_30 0.098 0.015 0.116
bodyClaims you can be removed from the listEXCUSE_41.145 1.775 1.443 1.119
bodyClaims you can be removed from the listEXCUSE_61.444 0.734 1.782 1.696
bodyClaims you can be removed from the listEXCUSE_70 0.152 0.010 0.018
body“if you do not wish to receive any more”EXCUSE_100.071 0.380 0.039 0.024
bodyNobody’s perfectEXCUSE_120.153 0 0.354 0.197
bodyClaims you opted-in or registeredEXCUSE_190.056 0.357 0.021 0.000
bodyClaims you have provided permissionEXCUSE_231.840 2.088 2.312 2.400
bodyClaims you wanted this adEXCUSE_241.440 1.272 1.874 2.080
bodyTalks about how to be removed from mailingsEXCUSE_REMOVE0.043 0 0.513 0.310
bodyTargeted Traffic / Email AddressesTARGETED0 0.692 1.471 0.480
bodyTells you about a strong buySTRONG_BUY2.880 3.384 3.018 3.117
bodyClaims to honor removal requestsWE_HONOR_ALL2.063 2.365 1.789 2.029
bodyOffers a picked stockSTOCK_PICK0.106 0.150 0.041 1.470
bodyOffers a alert about a stockSTOCK_ALERT2.362 1.782 2.378 2.385
bodySEC-mandated penny-stock warningMICRO_CAP_WARNING1.440 0.760 1.803 1.828
bodyNot registered investment advisorNOT_ADVISOR2.160 2.444 2.590 2.700
bodyDescribes some sort of breakthroughSOME_BREAKTHROUGH0.232 1.921 0.907 1.610
bodyThey have selected you for somethingSELECTED_YOU1.485 1.865 1.841 1.897
bodyContains mail-in order formMAIL_IN_ORDER_FORM1.440 0.351 0 0
bodyUniversity DiplomasUNIVERSITY_DIPLOMAS2.242 0.523 0 0
body‘Prestigious Non-Accredited Universities’PREST_NON_ACCREDITED1.520 1.394 1.607 1.901
bodyClaims “cannot be considered spam”CANNOT_BE_SPAM0 0 1.546 1.769
bodyInformation on growing body partsBODY_ENHANCEMENT0.151 0.481 0.070 0
bodyInformation on getting larger body partsBODY_ENHANCEMENT20.814 0.845 0.109 0
bodyImpotence cureIMPOTENCE0.095 0.751 0 0.094
bodyInformation on how to work at home (1)WORK_AT_HOME0 0 0.325 0.030
bodyInformation on mortgagesMORTGAGE_BEST0.948 0.923 0 0.144
bodyLooks like mortgage pitchMORTGAGE_PITCH0.297 0 0.065 0
bodyInformation on mortgage ratesMORTGAGE_RATES0 0.689 0.174 0.202
bodyOrder a report from someoneORDER_REPORT0 0 1.230 0
rawbodymailto URI includes removal textMAILTO_SUBJ_REMOVE1.023 0 2.064 0.542
bodyIncludes a link for AOL users to clickAOL_USERS_LINK0 0 0.034 0.109
bodyTalks about a million North American dollarsNA_DOLLARS2.078 2.193 2.485 2.611
bodyMentions millions of (dollar) ((dollar) NN,NNN,NNN.NN)US_DOLLARS_30.331 0.411 0.010 0.354
bodyTalks about millions of dollarsMILLION_USD1.594 1.290 1.535 2.796
rawbodyFrontpage used to create the messageFRONTPAGE0.510 0.529 0.595 2.080
bodyContains “My wife, Jody” testimonialJODY0 0 1.326 0
bodyDoing something with my incomeYOUR_INCOME0.674 0.892 0.372 1.092
bodyResistance to this spam is futileRESISTANCE_IS_FUTILE1.520 1.786 1.850 0
bodyContains ‘subject to credit approval’SUBJ_2_CREDIT0 0.500 0 0.076
bodyContains urgent matterURG_BIZ0.288 0.030 1.064 1.808
bodyContains ‘earn (dollar) something per week’EARN_PER_WEEK1.360 0.856 1.757 1.896
bodySpam is 100% natural?!ALL_NATURAL2.640 1.828 2.246 1.061
bodyMoney back guaranteeMONEY_BACK2.051 0.037 0.217 0.095
bodyThere is no catchNO_CATCH0 0 0.127 0
bodyThere is no obligationNO_OBLIGATION0.905 0.565 1.157 0.830
bodyYou won’t be “disappointed”NO_DISAPPOINTMENT0 1.498 1.609 0.410
bodySerious Enquiries OnlySERIOUS_ONLY0 0 1.664 1.748
bodyRisk free. Suuurreeee….RISK_FREE0.036 0.247 0.135 0.230
bodyAs seen on national TV!AS_SEEN_ON0.393 0.320 0.613 0.020
bodyCommon pyramid scheme phrase (1)COPY_ACCURATELY0 0 1.324 0
bodyOff Shore ScamsOFFSHORE_SCAM0 0.337 0.127 0.144
bodyWhy Pay More?WHY_PAY_MORE1.249 0 1.713 1.978
bodyCongratulations – you’ve been scammed?CONGRATULATIONS0 0 0.486 0.272
bodyTalks about free mobile phonesCELL_PHONE_FREE1.280 1.476 1.571 0.922
bodyTalks about cell-phone signal improvementCELL_PHONE_IMPROVE0.771 0.812 1.655 1.031
bodyReceive a special offerRECEIVE_OFFER1.125 0.955 1.446 0.793
bodyFree express or no-obligation quoteFREE_QUOTE_INSTANT0.211 1.736 0.051 0.001
bodyFree MembershipFREE_MEMBERSHIP0.492 1.182 1.587 0.873
bodyCredit Card OffersCREDIT_CARD0.030 0.896 0.032 0.310
bodyWithout a credit checkNO_CREDIT_CHECK0 0 1.990 0.037
bodyAvoiding bankruptcyBANKRUPTCY0.249 1.088 1.112 0.489
bodyAccepting credit cardsACCEPT_CREDIT_CARDS0.360 0 1.332 0.399
bodyEliminate Bad CreditBAD_CREDIT1.161 0.252 0.817 0
bodyNon-secured Credit/DebtNONSECURED_CREDIT0 0 1.074 0
bodyConsolidate debt, credit, or billsCONSOLIDATE_DEBT0.886 0.653 0 0.245
bodyHome refinancingREFINANCE_YOUR_HOME1.321 0.394 0.917 0.340
bodyHome refinancingREFINANCE_NOW1.611 0 1.191 0.029
bodyNo Purchase NecessaryNO_PURCHASE0 0 0.107 0
bodyNo Medical ExamsNO_MEDICAL1.440 1.656 1.665 0
bodyNo Claim FormsNO_FORMS1.622 0.973 0.912 0.011
bodyRequires Initial InvestmentINITIAL_INVEST0.433 0.450 1.026 1.230
bodyBuy DirectBUY_DIRECT1.502 1.779 1.757 1.663
bodyDo it TodayDO_IT_TODAY0.036 0.047 0 0
bodyWhat are you waiting forWHY_WAIT2.240 2.060 0.796 0.764
bodyYou can search for anyoneYOU_CAN_SEARCH1.370 0.444 1.246 1.630
bodyScore with babes!SEDUCTION1.560 1.356 1.415 1.054
bodyInvaluable marketing informationINVALUABLE_MARKETING0 0 1.201 0
bodyGuaranteed StuffGUARANTEED_STUFF0.100 0.238 0.403 0.000
bodyPotential EarningsEARNINGS0 0 1.642 1.675
bodyThe best RatesTHE_BEST_RATE0 0.550 0 0.000
bodyAmazing StuffAMAZING_STUFF0.949 1.269 0.069 0.102
bodyLose Weight SpamDIET_10.671 0.365 0.274 0
bodyDescribes weight lossDIET_20.545 0 1.034 0.316
bodyDescribes body fat lossDIET_31.794 1.061 1.835 2.073
bodyReverses AgingREVERSE_AGING1.919 1.403 2.057 2.150
bodyCures BaldnessHAIR_LOSS1.381 2.371 1.428 1.738
bodyRemoves WrinklesWRINKLES1.730 2.097 1.917 2.091
bodyWhile you SleepWHILE_YOU_SLEEP0.858 0.605 1.786 0.000
bodyIf only it were that easyRICH0 0.451 0 0.000
bodyWho really wins?YOU_WON0.144 0.269 0 0.579
bodyTalks about Hidden ChargesHIDDEN_CHARGES0.046 0.961 0 0.000
bodyFreedom of a financial natureFIN_FREE1.365 0.015 1.865 0.788
bodyStock Disclaimer StatementFORWARD_LOOKING1.840 2.162 2.120 2.200
bodyMail guarantees satisfactionSATIS_GUAR0.884 0 0.825 0.081
bodyOffers Extra CashEXTRA_CASH0.117 0.987 0.629 0.447
bodyGet PaidGET_PAID1.390 1.764 1.466 0.862
bodyHave you been turned down?BEEN_TURNED_DOWN1.336 1.266 1.682 1.890
bodyOne Time Rip OffONE_TIME0.044 0 0.036 0.619
bodyCompete for your businessCOMPETE1.600 1.791 1.804 2.050
bodyMeet SinglesMEET_SINGLES1.600 0 1.076 1.172
bodyJoin Millions of AmericansJOIN_MILLIONS0.036 0.640 0.999 0.448
bodyBe your own bossBE_BOSS1.512 0.145 1.847 1.648
bodyMulti Level Marketing mentionedML_MARKETING0.049 0 0.103 0
bodyClaims to be LegalITS_LEGAL0.186 1.109 0.432 0.264
bodyConfidentiality on all ordersCONFIDENTIAL_ORDER1.920 1.196 1.889 1.266
bodySave big moneySAVE_THOUSANDS0.929 1.889 0.717 0.031
bodyClaims you registered with a partnerMARKETING_PARTNERS2.025 0.718 2.405 1.401
bodyFree PreviewFREE_PREVIEW1.612 0.376 1.887 1.851
bodyDomain name containing a “4u” variantDOMAIN_4U21.508 1.783 1.935 1.588
bodyContains ‘free access’ with capitalsFREE_ACCESS0 0 0.253 0
bodyContains ‘free sample’ with capitalsFREE_SAMPLE0.089 0.168 0.223 0.941
bodyLowest PriceLOW_PRICE0.885 0 0.206 0
bodyPeople just leave money laying aroundUNCLAIMED_MONEY1.263 1.703 1.945 1.584
bodyMessage seems to contain rot13ed addressOBSCURED_EMAIL2.720 3.194 3.186 3.132
bodyMentions their affiliate partnersOUR_AFFILIATE_PARTNERS0 0 0.041 1.443
bodyTalks about exercise with an exclamation!BANG_EXERCISE1.450 1.993 1.662 1.442
bodyTalks about more with an exclamation!BANG_MORE0.287 0 0.294 0
bodyTalks about Oprah with an exclamation!BANG_OPRAH0.666 0.212 1.717 1.975
bodyTalks about quotes with an exclamation!BANG_QUOTE1.680 1.880 1.942 1.964
bodyTalks about ‘acting now’ with capitalsACT_NOW_CAPS0.222 0 0.426 0.093
bodyTalks about ‘starting now’ with capitalsSTART_NOW_CAPS1.280 1.499 1.124 0.857
bodyTalks about a bigger drive for sexMORE_SEX2.240 1.762 2.287 2.422
bodySomething is emphatically guaranteedBANG_GUAR0.297 0 0.254 0
bodySee for yourselfSEE_FOR_YOURSELF0.544 0.381 0.591 0.044
bodyPossible porn – Free PornFREE_PORN0.794 0.023 1.937 0.000
bodyPossible porn – Cum ShotCUM_SHOT0.355 1.732 0.943 0
bodyPossible porn – Pay SitePAY_SITE0 0 1.850 1.900
bodyPossible porn – Live PornLIVE_PORN0.040 0.360 0.019 0.000
bodyPossible porn – Hardcore PornHARDCORE_PORN1.520 0.665 1.850 0.684
bodyPossible porn – Hot, Nasty, Wild, YoungHOT_NASTY0.765 0.586 0.967 0.088
bodyPossible porn – Best, Largest, Most PornBEST_PORN0.566 0.263 0.044 0
bodyPossible porn – Nasty GirlsNASTY_GIRLS0.350 0.439 0.022 2.196
bodyPossible porn – Amateur PornAMATEUR_PORN1.397 0.769 1.615 1.744
bodyPossible porn – Celebrity PornPORN_CELEBRITY0.675 1.569 0.319 0.038
bodyPossible porn – Adult Web SitesSOMETHING_FOR_ADULTS1.433 1.513 1.614 0.006
bodyPossible porn – various types of felinePORN_151.680 1.974 2.035 2.168
bodyPossible porn – nasty, dirty, little etc.PORN_160.907 0.462 1.305 0.017
bodyThousands or millions of pictures, movies, etc.LOTS_OF_STUFF0.839 0.029 0 0.000
bodyAttempts to disguise porn wordsDISGUISE_PORN1.490 1.835 0.798 0.030
uriURL uses words/phrases which indicate porn (sex)PORN_URL_SEX1.865 1.427 1.817 0.011
uriURL uses words/phrases which indicate porn (slut)PORN_URL_SLUT0.941 1.022 0.194 0.094
uriURL uses words/phrases which indicate porn (misc)PORN_URL_MISC1.728 0.573 1.767 1.620
headerSubject indicates sexually-explicit contentSUBJECT_SEXUAL2.160 2.538 2.775 2.900
headerBulk email fingerprint (eGroups) foundRATWARE_EGROUPS2.180 2.701 2.552 2.805
headerBulk email fingerprint (hash 2) foundRATWARE_HASH_20.039 0 0.085 0.037
headerBulk email fingerprint (hash 2 v2) foundRATWARE_HASH_2_V21.798 1.319 1.767 0.980
headerBulk email fingerprint (jpfree) foundRATWARE_JPFREE0 0 1.942 2.100
uriBulk email fingerprint (StormPost) foundRATWARE_STORM_URI1.920 1.518 2.405 2.295
headerX-Mailer has malformed Outlook Express versionRATWARE_OE_MALFORMED2.160 2.407 2.522 2.588
headerBulk email fingerprint (‘esmtp’ Received) foundRATWARE_RCVD_LC_ESMTP1.745 1.474 2.122 2.083
headerBulk email fingerprint (Mozilla malformed) foundRATWARE_MOZ_MALFORMED1.594 0.990 1.752 0.558
rawbodyContains a hashbuster in Send-Safe formatRATWARE_HASH_DASH1.133 0.947 1.500 1.646
headerBulk email fingerprint (netIP) foundRATWARE_NETIP0.439 1.033 2.312 2.286
headerBulk email fingerprint (Gecko faked) foundRATWARE_GECKO_BUILD0 0.826 0.784 1.385
headerHeaders are in order found in spam (MTSRIX)HDR_ORDER_MTSRIX0.417 0.391 0.192 1.057
headerHeaders are in order found in spam (TRIMRS)HDR_ORDER_TRIMRS2.320 2.674 2.220 2.199
headerBulk email fingerprint (bonus space) foundRCVD_BONUS_SPC_DATE1.371 0.904 1.575 1.872
headerBulk email fingerprint (X-Message-Info) foundX_MESSAGE_INFO3.600 4.187 4.162 4.244
headerBulk email fingerprint (Received PF) foundRATWARE_RCVD_PF2.880 3.384 3.608 3.867
headerBulk email fingerprint (Received @) foundRATWARE_RCVD_AT2.550 1.011 2.691 3.415
uriUses a numeric IP address in URLNUMERIC_HTTP_ADDR1.565 1.572 1.872 2.135
uriUses a dotted-decimal IP address in URLNORMAL_HTTP_TO_IP0.104 0.080 0.830 0.028
uriUses %-escapes inside a URL’s hostnameHTTP_ESCAPED_HOST0.034 0.094 0 0.477
uriUses control sequences inside a URL hostnameHTTP_CTRL_CHARS_HOST1.440 1.670 1.757 1.900
uriCompletely unnecessary %-escapes inside a URLHTTP_EXCESSIVE_ESCAPES0 0.645 0 0.151
uriDotted-decimal IP address followed by CGIIP_LINK_PLUS0.211 0.024 0.192 0.232
uriURL of page called “remove”REMOVE_PAGE0.081 0.604 0 0.191
uriIncludes a link to a likely spammer emailMAILTO_TO_SPAM_ADDR0 0 0.106 0
uriIncludes a ‘remove’ email addressMAILTO_TO_REMOVE0.886 0 0.065 0.116
uriUses non-standard port number for HTTPWEIRD_PORT0 0.507 0.228 0.109
uriURL contains username and (optional) passwordUSERPASS0.429 0.561 1.319 0.268
uriFilename is just a ‘\#’; probably a JS trickURI_IS_POUND0 0.333 0 0
uriIncludes a link to a likely spammer domainBARGAIN_URL1.503 1.520 1.686 1.833
uriContains an URL in the BIZ top-level domainBIZ_TLD2.167 0.527 2.434 2.288
uriContains an URL in the INFO top-level domainINFO_TLD1.717 0.481 1.686 0.000
uriHas Yahoo Redirect URIYAHOO_RD_REDIR1.237 1.083 1.366 1.642
uriHas Yahoo Redirect URIYAHOO_DRS_REDIR1.911 0.911 1.956 0.984
uriMessage has link to company offersURI_OFFERS1.328 0.252 1.460 0.770
uriMessage has URI 4youURI_4YOU1.027 1.812 0.898 1.966
uriContains URI to a document hosted at ‘terra.es’TERRA_ES1.367 0.816 1.746 2.612
uriContains an URL-encoded hostname (HTTP77)HTTP_771.514 0.605 1.812 1.981
uriContains a URI with an affiliate ID codeURI_AFFILIATE2.243 0 1.808 2.052
headerMessage has HTTP redirector URIURI_REDIRECTOR0 0 0.031 0.011
bodyBayesian spam probability is 0 to 1%BAYES_000 0 -1.665 -2.599
bodyBayesian spam probability is 1 to 5%BAYES_050 0 -0.925 -0.413
bodyBayesian spam probability is 5 to 20%BAYES_200 0 -0.730 -1.951
bodyBayesian spam probability is 20 to 40%BAYES_400 0 -0.276 -1.096
bodyBayesian spam probability is 40 to 60%BAYES_500 0 1.567 0.001
bodyBayesian spam probability is 60 to 80%BAYES_600 0 3.515 1.0
bodyBayesian spam probability is 80 to 95%BAYES_800 0 3.608 2.0
bodyBayesian spam probability is 95 to 99%BAYES_950 0 3.514 3.0
bodyBayesian spam probability is 99 to 100%BAYES_990 0 4.070 3.5
bodyesClaims you can be removed in SpanishREMOVE_ES_011
bodyesClaims you can be removed in SpanishREMOVE_ES_021
bodyesClaims you can be removed in SpanishREMOVE_ES_031
bodyesClaims you can be removed in SpanishREMOVE_ES_041
bodyesIf you send an email you will be OptOutREMOVE_ES_051
bodyesClaims you can opt-outREMOVE_ES_061
bodyesClaims you can opt-outREMOVE_ES_071
bodyesClaims you can opt-outREMOVE_ES_081
bodyesIf you want to subscribe…SUBSCRIBE_ES_011
bodyesClaims not to be spam in SpanishEXCUSE_ES_011
bodyesSomeone fell free to send you a message in SpanishEXCUSE_ES_021
bodyesSomeone requested an spammer to spam you in SpanishEXCUSE_ES_031
bodyesEl correo como alternativa comercialEXCUSE_ES_051
bodyesMensaje enviado por errorEXCUSE_ES_061
bodyesNo se puede considerar spamEXCUSE_ES_071
bodyesPara dejar de fumarDEJAR_DE_FUMAR_ES1
bodyesNOS CHILLAN PARA DECIR QUE ES GRATISGRATIS_ES1.4
bodyesNos animan a contestar si estamos interesadosINTERESADO_ES1
bodyesDice cumplir con la leyLEY_ORGANICA_ES2.0
bodyesClama cumplir con la normativa SPAMNORMATIVA_SPAM_ES2.0
bodyesNo existe legislación en Chile contra el SPAMLEY_CHILE_ES_011
bodyesClama cumplir con la legislación chilenaLEY_CHILE_ES_021
bodyesInmigración legal (?) a los Estados UnidosTARJETA_VERDE_ES1
bodyesPromocion especial.PROMOCION_ES1
bodyesAlta en buscadores hispanos.ALTA_BUSCADORES_ES1
bodyesIMPERATIVOS/EXCLAMACIONES EN MAYUSCULAS.EXCLAMACION_ES1
bodyesPresentación de un nuevo producto.PRESENTAMOS_ES1
bodyesPago contra reembolso.CONTRA_REEMBOLSO_ES1
bodyesPara hacer su pedido.PEDIDO_ES1
bodyesHaga click aqui.CLICK_ES1
bodyesLos regalos no existen, salvo de nuestros amigos.REGALO_ES1
bodyesPueden ser ganadores.GANADORES_ES_011
bodyesHa sido ganador.GANADORES_ES_021
bodyesPorno gratis.PORNO_GRATIS_ES1
bodyesMas informacion.MAS_INFORMACION_ES1
bodyesInformacion y reservaINFORMACION_RESERVA_ES1
bodyesConviertete en Spammer.REENVIA_ES1
bodyesNo nos envían más spam… seguro que no.NO_MAS_MAIL_1_ES1
bodyesNo recibirá este spam otra vez… seguro que no.NO_MAS_MAIL_2_ES1
bodyesLas direcciones fueron obtenidas de internet.COLECTOR_DE_MAILS_ES1
headerContains valid Hashcash token (20 bits)HASHCASH_20-0.500
headerContains valid Hashcash token (21 bits)HASHCASH_21-0.700
headerContains valid Hashcash token (22 bits)HASHCASH_22-1.000
headerContains valid Hashcash token (23 bits)HASHCASH_23-2.000
headerContains valid Hashcash token (24 bits)HASHCASH_24-3.000
headerContains valid Hashcash token (25 bits)HASHCASH_25-4.000
headerContains valid Hashcash token (>25 bits)HASHCASH_HIGH-5.000
headerHashcash token already spent in another mailHASHCASH_2SPEND0.100
headerSPF: sender matches SPF recordSPF_PASS-0.001
headerSPF: sender does not match SPF record (fail)SPF_FAIL0 0.001 0 0.875
headerSPF: sender does not match SPF record (softfail)SPF_SOFTFAIL0.500 0.842 0.500 0.500
headerSPF: HELO matches SPF recordSPF_HELO_PASS-0.001
headerSPF: HELO does not match SPF record (fail)SPF_HELO_FAIL0 0.405 0 0.001
headerSPF: HELO does not match SPF record (softfail)SPF_HELO_SOFTFAIL0 1.002 0 3.140
bodyContains an URL listed in the SBL blocklistURIBL_SBL0 0.629 0 0.996
bodyContains an URL listed in the SC SURBL blocklistURIBL_SC_SURBL0 3.897 0 4.263
bodyContains an URL listed in the WS SURBL blocklistURIBL_WS_SURBL0 0.539 0 1.462
bodyContains an URL listed in the PH SURBL blocklistURIBL_PH_SURBL0 0.839 0 2.000
bodyContains an URL listed in the OB SURBL blocklistURIBL_OB_SURBL0 1.996 0 3.213
bodyContains an URL listed in the AB SURBL blocklistURIBL_AB_SURBL0 2.007 0 0.417
headerFrom: address is in the auto white-listAWL1
headerFrom: address is in the user’s black-listUSER_IN_BLACKLIST100.000
headerFrom: address is in the user’s white-listUSER_IN_WHITELIST-100.000
headerFrom: address is in the default white-listUSER_IN_DEF_WHITELIST-15.000
headerUser is listed in ‘blacklist_to’USER_IN_BLACKLIST_TO10.000
headerUser is listed in ‘whitelist_to’USER_IN_WHITELIST_TO-6.000
headerUser is listed in ‘more_spam_to’USER_IN_MORE_SPAM_TO-20.000
headerUser is listed in ‘all_spam_to’USER_IN_ALL_SPAM_TO-100.000

 

Like
Like Love Haha Wow Sad Angry

Check Also

openvz,kvm,xen

The differences and the advantages of OpenVZ, Xen, and KVM

Hi Netlyer?! Ever wondering This overview is intended to be just that, this is just …

Come on join the discussion

You can contribute by commenting

Notify of
avatar
wpDiscuz