SpamAssassin Rules

ALL IN ONE PLACE, EXPLAINED

SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. SpamAssassin runs on a server, and filters spam before it reaches your mailbox.

SpamAssassin works by “scoring” each e-mail message against a range of tests designed to identify if that message is spam or not. A wide number of tests are provided, including checks to see if the sender and recipient address are valid, if the message dates are valid, if the body contains any of a list of forbidden words, if any of the sending servers are blacklisted, and so on. Each test adds to a message’s overall spam score; messages over a certain user-defined threshold are treated as spam and can be either trashed or marked with a special spam header. Go to the list of SpamAssassin’s rules.

In addition to these tests, SpamAssassin comes with a Bayes algorithm which “learns” to recognize new spam on the basis of old spam messages. This makes it possible for the software to automatically adapt and identify spam even in the absence of specific header or body tests. A white list system makes it easy to list e-mail addresses that you know are valid; messages from these senders are exempted from filtering and get routed directly to your mailbox. 

In true open source spirit, it is possible to add your own custom tests, or modify the scoring rules to your own specific requirements.

How to read the SpamAssassin Rules Table

This page is meant to serve as a “Cheat Sheet” to help You troubleshooting a campaign impacted by the SpamAssassin’s filter.

Over 2,000 SpamAssassin Rules (AKA Tests) were collected along with a short description, detailed explanation and category

You can use the search bar to filter them out, sort by the different columns independently, define how many rules to display at the same time and of course browse between pages freely by using the navigation arrows on the bottom.

How Reliable is this Data?

Data was collected from the official SpamAssassin documentation (up to v3.4.6) and enriched with additional information from Industry mailing-lists, forums, personal knowledge and practical experience. In fact, if you find a mistake or something that is missing, feel free to let us know and we’ll be happy to update this page.

Please Note: SpamAssassin is highly customizable. Default values can be changed, custom rules can be created. Given the frequency of its updates, some of the provided data might be obsolete with the most recent version of the Software. However, this is the most comprehensive collection of SpamAssassin Rules you will find on the Internet.

For additional and more up-to-date details, we strongly recommend to visit the official SpamAssassin documentation on Confluence here.

SpamAssassin Rule Types ("Area Tested")

  • Header – checks a message header for a string. Most commonly these rules check the Subject, From, or To, but they can be written to check any message header, including non-standard ones
  • Body – searches the body of the message with a regular expression and if it matches, the corresponding score is assigned. Body rules also include the Subject as the first line of the body content
  • Rawbody – Searches the body of the email without certain kinds of preprocessing that SA normally does before trying body rules. In particular HTML tags won’t be stripped and line breaks will still be present
  • Uri – matches text in the URI’s contained in plain text and HTML sections of mail
  • Meta – Boolean or arithmetic combinations of other rules (for example, it’s possible to create a meta rule which fires off when both a header and a body rule are true at the same time)
  • Full – Checks the entire message

Detailed description of SpamAssassin Rules

SPAMASSASSIN RULESHORT DESCRIPTIONDETAILED DESCRIPTIONAREA TESTED
__ALIBABA_IMG_NOT_RCVD_ALIAlibaba hosted image but message not from Alibaba__URI_IMG_ALICDN && !__HDR_RCVD_ALIBABAmeta
__ANY_QUALCOMM_MUAQUALCOMMX-Mailer =~ /\bQUALCOMM\b/header
__BIGNUM_EMAILSLots of email addresses/leads, free email account/\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]+k?|k))\s(?:(?!and|or|your|place|baby)\w+\s)?(?:e-?mail(?:\saddresses|s?)|fax
numbers|leads|names)\b/i
body
__BIGNUM_EMAILS_FREEMLots of email addresses/leads, free email account__BIGNUM_EMAILS && !BIGNUM_EMAILS_MANYmeta
__BITCOIN_IMGURBitcoin + hosted image__IMGUR_IMG && __BITCOINmeta
__BITCOIN_OBFU_SUBJBitcoin + obfuscated subject__BITCOIN && __SUBJ_OBFU_PUNCTmeta
__BITCOIN_SPAM_02BitCoin spam pattern 02__BITCOIN_ID && __BOTH_INR_AND_REFmeta
__BITCOIN_SPAM_05BitCoin spam pattern 05__BITCOIN_ID && __SPOOFED_FREEMAILmeta
__BITCOIN_SPAM_07BitCoin spam pattern 07__BITCOIN_ID && __TO_EQ_FROMmeta
__BITCOIN_WFH_01Work-from-Home + bitcoin__BITCOIN && __WFH_01meta
__BITCOIN_XPRIOBitcoin + priority__XPRIO && (__BITCOIN || __BITCOIN_ID)meta
__BOGUS_MSM_HDRSApparently bogus Microsoft email headers__HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXXmeta
__CHALLENGE_RESPONSEChallenge-Response message for mail you sent__CRBOUNCE_UOL || __CRBOUNCE_VERIF || __CRBOUNCE_RP || __CRBOUNCE_VANQ || __CRBOUNCE_HEADER || __CRBOUNCE_QURB || __CRBOUNCE_0SPAM || __CRBOUNCE_GETRESP || __CRBOUNCE_TMDA || __CRBOUNCE_ASK || __CRBOUNCE_EXI || __CRBOUNCE_PREC_SPAM || __CRBOUNCE_SZ || __CRBOUNCE_SPAMLION || __CRBOUNCE_MIB || __CRBOUNCE_SI || __CRBOUNCE_UNVERIF || __CRBOUNCE_RP_2 || __CRBOUNCE_BLOCKED || __CRBOUNCE_SPAMARRESTmeta
__CONTENT_AFTER_HTMLMore content after HTML close tag/<\/html>\s*[a-z0-9]/irawbody
__DC_GIF_MULTI_LARGOMessage has 2+ inline gif covering lots of area( __GIF_ATTACH_2P && __GIF_AREA_180K )meta
__DC_IMG_HTML_RATIOLow rawbody to pixel area ratioeval:image_to_text_ratio('all', '0.000', '0.015')rawbody
__DC_IMG_TEXT_RATIOLow body to pixel area ratioeval:image_to_text_ratio('all', '0.000', '0.008')body
__DC_PNG_MULTI_LARGOMessage has 2+ inline png covering lots of area( __PNG_ATTACH_2P && __PNG_AREA_180K )meta
__DESTROY_YOUDestroy You/\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/ibody
__DKIM_DEPENDABLEA validation failure not attributable to truncationheader
__DKIMWL_WL_HIDKIMwl.org - Whitelisted High sender_DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/meta
__DKIMWL_WL_MEDDKIMwl.org - Whitelisted Medium sender_DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/meta
__DKIMWL_WL_MEDHIDKIMwl.org - Whitelisted Medium/High sender_DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/meta
__DOTGOV_IMAGE.gov URI + hosted image__URI_DOTGOV && __REMOTE_IMAGEmeta
__DRUGS_ANXIETY_VALvalium/valium/ibody
__DRUGS_ANXIETY_XANxanax/xan[ae]x/ibody
__DRUGS_ANXIETY1xanax (second a sometimes done as e)/(?:\b|\s)[_\W]{0,3}x?x[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}n[_\W]{0,3}[ea4\xE1\xE2\xE3@][_\W]{0,3}xx?_{0,3}\b/ibody
__DRUGS_ANXIETY2alprazolam/\bAlprazolam\b/ibody
__DRUGS_ANXIETY3valium/(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}[l|][_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[u\xB5\xF9-\xFC][_\W]{0,3}m\b/ibody
__DRUGS_ANXIETY4diazepam, generic of valium/\b_{0,3}D[_\W]?[i1!|l\xEC-\xEF][_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?[ea3\xE9\xEA\xEB][_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m_{0,3}\b/ibody
__DRUGS_ANXIETY5ativan/(?:\b|\s)[a4\xE0-\xE6@][_\W]?t[_\W]?[i1!|l\xEC-\xEF][_\W]?v[_\W]?[a4\xE0-\xE6@][_\W]?n_{0,3}\b/ibody
__DRUGS_ANXIETY6lorazepam - generic of ativan, uncommon in spam/\b_{0,3}l[_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?[e3\xE8-\xEB][_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m_{0,3}\b/ibody
__DRUGS_ANXIETY7clonazepam, generic./\b_{0,3}c[_\W]?l[_\W]?[o0\xF2-\xF6][_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?e[_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m\b/ibody
__DRUGS_ANXIETY8klonopin, brand of clonazepam, uncommon in spam/\bklonopin\b/ibody
__DRUGS_ANXIETY9rivotril, brand of clonazepam, uncommon in spam/\brivotril\b/ibody
__END_FUTURE_EMAILSSpammy unsubscribe/\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/ibody
__ENV_AND_HDR_FROM_MATCHEnv and Hdr From used in default SPF WL Matcheval:check_for_matching_env_and_hdr_from()header
__ENVFROM_GOOG_TRIXFrom suspicious Google subdomainEnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/header
__FBI_BODY_SHOUT_1mentions FBI/^FEDERAL BUREAU OF INVESTIGATIONS?\b/body
__FBI_BODY_SHOUT_2mentions FBI/^FEDERAL BUREAU OF INVESTIGATIONS?\b/mrawbody
__FBI_FM_DOMFBI from addressFrom:addr =~ /\bfbi\.gov$/header
__FBI_FM_NAMEFBI from nameFrom:name =~ /federal\sbureau\sof\sinvestigation/iheader
__FBI_RCVD_DOMFBI relayX-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /header
__FBI_SPOOFClaims to be FBI, but not from FBI domain(__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __REPLYTO_EXISTSmeta
__FH_HAS_XPRIORITYHas X-Priority headerexists:X-Priorityheader
__FORGED_TBIRD_IMGPossibly forged Thunderbird image spam__MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0Dmeta
__FREEM_FRNUM_UNICD_EMPTYNumeric freemail From address, unicode From name and Subject, empty bodyFREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODYmeta
__freemail_mailreplytoHas unusual reply-to headereval:check_freemail_header('Mail-Reply-To')header
__FROM_41_FREEMAILSent from Africa + freemail providermeta
__FROM_ADDRLIST_SUSPNTLDFrom abused NTLDeval:check_from_in_list('SUSP_NTLD')header
__FROM_FMBLA_NDBLOCKEDlisted on FMB.LA_AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/header
__GB_BITCOIN_CP_DEGerman Bitcoin scambody
__GB_BITCOIN_CP_ENEnglish Bitcoin scambody
__GB_BITCOIN_CP_ESSpanish Bitcoin scambody
__GB_BITCOIN_CP_FRFrench Bitcoin scambody
__GB_BITCOIN_CP_ITItalian Bitcoin scambody
__GB_BITCOIN_CP_NLDutch Bitcoin scambody
__GB_BITCOIN_CP_SESwedish Bitcoin scambody
__GIF_ATTACH_1counting the number of images (all or by image type)eval:image_count('gif','1','1')body
__GIF_ATTACH_2Pcounting the number of images (all or by image type)eval:image_count('gif','2')body
__HAS_HREFHas an anchor tag with a href attribute in non-quoted line/^[^>].*?body
__HAS_HREF_ONECASEHas an anchor tag with a href attribute in non-quoted line with consistent caserawbody
__HAS_IMG_SRCHas an img tag on a non-quoted line/^[^>].*?rawbody
__HAS_IMG_SRC_ONECASEHas an img tag on a non-quoted line with consistent case/^[^>].*?<(img src|IMG SRC)=/mrawbody
__HDR_RCVD_WALMARTfrom WalmartX-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/header
__hk_bigmoney/(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/ibody
__hk_win_0/\byour? e-?mail just w[oi]n/ibody
__hk_win_2/\battn.{0,10}winner/ibody
__hk_win_3/\bhappily aa?nnounce/ibody
__hk_win_4/\bpleas(?:ure|ed) to inform/ibody
__hk_win_5/\b(?:notice the|your) winning/ibody
__hk_win_7/\bcongratulations? to your/ibody
__hk_win_8/\bunexpected luck/ibody
__hk_win_9/\blucky (?:nl )number/ibody
__hk_win_a/\bwinning (?:e-?mail|numbers|information)/ibody
__hk_win_b/\byour e-?mail (?:address )?(?:has )?w[io]n/ibody
__hk_win_c/\bune adresse e-?mail sur internet/ibody
__hk_win_d/\bcategory (?:\S{0,5} )?winner of our/ibody
__hk_win_i/\bfunds? transfer/ibody
__hk_win_j/\b(?:winning|ready for|sum) pay ?out/ibody
__hk_win_l/\b(?:make|file) (?:for )?your claim/ibody
__hk_win_m/\br.clamation de votre prix/ibody
__hk_win_n/\bcollect your prize/ibody
__hk_win_o/\bclarification and procedure/ibody
__JAPANESE_UCE_BODYBody contains Japanese UCE tag/(?:L\$>5Bz|EE;R%a!<%k)(?:8x|9-)9p/body
__JPEG_ATTACH_1counting the number of images (all or by image type)eval:image_count('jpeg',1,1)body
__JPEG_ATTACH_2Pcounting the number of images (all or by image type)eval:image_count('jpeg',2)body
__JS_DOCWRITEJavascript/document\.write/rawbody
__JS_FROMCHARCODEJavascript/String\.fromCharCode\s*\(\s*\S+\s*\[\s*\S+\s*\]\s*\^/rawbody
__KAM_BODY_LENGTH_LT_1024The length of the body of the email is less than 1024 bytes.body
__KAM_BODY_LENGTH_LT_128The length of the body of the email is less than 128 bytes.body
__KAM_BODY_LENGTH_LT_256The length of the body of the email is less than 256 bytes.body
__KAM_BODY_LENGTH_LT_512The length of the body of the email is less than 512 bytes.body
__MIME_BASE64Includes a base64 attachmenteval:check_for_mime('mime_base64_count')rawbody
__MIME_QPIncludes a quoted-printable attachmenteval:check_for_mime('mime_qp_count')rawbody
__ML_TURNS_SP_TO_TABA mailing list changing a space to a TABheader
__ML1Mail from a mailing listPrecedence =~ m{\b(list|bulk)\b}iheader
__ML2Mail from a mailing listexists:List-Idheader
__ML3Mail from a mailing listexists:List-Postheader
__ML4Mail from a mailing listexists:Mailing-Listheader
__ML5Mail from a mailing listReturn-Path:addr =~ m{^([^\@]+-(request|bounces|admin|owner)|owner-[^\@]+)(\@|\z)}miheader
__NONEMPTY_BODYMessage appears to have no textual parts/\S/body
__NSL_ORIG_FROM_41Originates from 41.0.0.0/8header
__NSL_RCVD_FROM_41Received from 41.0.0.0/8header
__OBFU_UNSUB_ULObfuscated unsubscribe text/(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/body
__OBFUSCATING_COMMENT_AObfuscated text/\w(?:]*>)+\w/rawbody
__OBFUSCATING_COMMENT_BObfuscated text/[^\s>](?:]*>)+[^\s<]/rawbody
__PAXFUL/\bp-?a+-?x+-?f-?u+-?l\b/ibody
__PDS_OFFER_ONLY_AMERICAOffer only available to US/This offer (is )?(only )?for (United States|USA)/ibody
__PNG_ATTACH_1counting the number of images (all or by image type)eval:image_count('png','1','1')body
__PNG_ATTACH_2Pcounting the number of images (all or by image type)eval:image_count('png','2')body
__RCVD_IN_MSPIKEMAILSPIKE: sender is listed in MAILSPIKEeval:check_rbl('mspike-lastexternal', 'bl.mailspike.net.')header
__RCVD_IN_MSPIKE_ZSpam wave participanteval:check_rbl_sub('mspike-lastexternal', '^127\.0\.0\.2$')header
__RCVD_IN_SORBSSORBS: sender is listed in SORBSheader
__RCVD_IN_ZENReceived via a relay in Spamhaus Zenheader
__RDNS_DYNAMIC_ADELPHIARelay HELO'd using suspicious hostname (Adelphia)header
__RDNS_DYNAMIC_ATTBIRelay HELO'd using suspicious hostname (ATTBI.com)header
__RDNS_DYNAMIC_CHELLO_NLRelay HELO'd using suspicious hostname (Chello.nl)header
__RDNS_DYNAMIC_CHELLO_NORelay HELO'd using suspicious hostname (Chello.no)header
__RDNS_DYNAMIC_COMCASTRelay HELO'd using suspicious hostname (Comcast)header
__RDNS_DYNAMIC_DHCPRelay HELO'd using suspicious hostname (DHCP)header
__RDNS_DYNAMIC_DIALINRelay HELO'd using suspicious hostname (T-Dialin)header
__RDNS_DYNAMIC_HCCRelay HELO'd using suspicious hostname (HCC)header
__RDNS_DYNAMIC_HEXIPRelay HELO'd using suspicious hostname (Hex IP)header
__RDNS_DYNAMIC_IPADDRRelay HELO'd using suspicious hostname (IP addr 1)header
__RDNS_DYNAMIC_NTLRelay HELO'd using suspicious hostname (NTL)header
__RDNS_DYNAMIC_OOLRelay HELO'd using suspicious hostname (OptOnline)header
__RDNS_DYNAMIC_ROGERSRelay HELO'd using suspicious hostname (Rogers)header
__RDNS_DYNAMIC_RR2Relay HELO'd using suspicious hostname (RR 2)header
__RDNS_DYNAMIC_SPLIT_IPRelay HELO'd using suspicious hostname (Split IP)header
__RDNS_DYNAMIC_TELIARelay HELO'd using suspicious hostname (Telia)header
__RDNS_DYNAMIC_VELOXRelay HELO'd using suspicious hostname (Veloxzone)header
__RDNS_DYNAMIC_VTRRelay HELO'd using suspicious hostname (VTR)header
__RDNS_DYNAMIC_YAHOOBBRelay HELO'd using suspicious hostname (YahooBB)header
__RESIGNER1Mail through a popular signing remailereval:check_dkim_valid('linkedin.com')full
__RESIGNER2Mail through a popular signing remailereval:check_dkim_valid('googlegroups.com','yahoogroups.com','yahoogroups.de')full
__SCREEN_1024x768using exact size match to identify things like screenshotseval:image_size_exact('all',1024,768)body
__SCREEN_1280x1024using exact size match to identify things like screenshotseval:image_size_exact('all',1280,1024)body
__SCREEN_640x480using exact size match to identify things like screenshotseval:image_size_exact('all',800,600)body
__SCREEN_800x600using exact size match to identify things like screenshotseval:image_size_exact('all',800,600)body
__SUB_END_NUMSCOMUnicode subjectSubject =~ /[0-9]{6,}c[0o]m$/iheader
__SUBJ_ADMINSubject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/iheader
__SUBJ_BRKN_WORDNUMS__SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFUmeta
__SUBJ_BROKEN_WORDSubject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/header
__SUBJ_DOM_ADMIN__SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAINmeta
__SUBJ_HAS_FROM_1ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ismheader
__SUBJ_HAS_TO_1ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ismheader
__SUBJ_HAS_TO_2ALL =~ /\nReceived:[^\n]{0,200} for ;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ismheader
__SUBJ_HAS_TO_3ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ismheader
__SUBJ_NOT_SHORTSubject =~ /^.{16}/header
__SUBJ_OBFU_PUNCTSubject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/iheader
__SUBJ_RESubject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/header
__SUBJ_SHORTSubject =~ /^.{0,8}$/header
__SUBJ_UNNEEDED_HTMLSubject =~ /%[0-9a-f][0-9a-f]/iheader
__SUBJ_USB_DRIVESSubject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/header
__SUBJECT_EMPTYSubject:raw =~ /^\s*$/header
__SUBJECT_PRESENT_EMPTY__HAS_SUBJECT && __SUBJECT_EMPTYmeta
__SUBSCRIPTION_INFO/\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/ibody
__SUM_OF_FUND/\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/ibody
__SURVEY/\bsurvey\b/ibody
__SURVIVORS/\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/ibody
__SUSPICION_LOGIN/\bsuspicion login\b/ibody
__SYSADMIN/\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/ibody
__T_PDS_MSG_512(__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512)meta
__TB_MIME_BDRY_NO_ZContent-Type =~ /boundary="-{8,}(?:[1-9]){16}/header
__TENWORD_GIBBERISH/^\s*(?:[a-z]+\s+){10}\.$/mrawbody
__THEY_INHERIT/\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/ibody
__THIS_AD"This ad" and variants/(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/ibody
__THREAD_INDEX_GOODThread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,header
__THREADED(!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)meta
__TO___LOWERALL =~ /to:\s\S{5}/header
__TO_ALL_NUMSTo:addr =~ /^\d+@/header
__TO_EQ_FM_DIRECT_MX__TO_EQ_FROM && __DOS_DIRECT_TO_MXmeta
__TO_EQ_FM_DOM_HTML_IMG__TO_EQ_FROM_DOM && __HTML_LINK_IMAGEmeta
__TO_EQ_FM_DOM_HTML_ONLY__TO_EQ_FROM_DOM && MIME_HTML_ONLYmeta
__TO_EQ_FM_DOM_SPF_FAIL__TO_EQ_FROM_DOM && SPF_FAILmeta
__TO_EQ_FM_HTML_DIRECT__TO_EQ_FM_DIRECT_MX && MIME_HTML_ONLYmeta
__TO_EQ_FM_HTML_ONLY__TO_EQ_FROM && MIME_HTML_ONLYmeta
__TO_EQ_FM_SPF_FAIL__TO_EQ_FROM && SPF_FAILmeta
__TO_EQ_FROMTo: same as From:(__TO_EQ_FROM_1 || __TO_EQ_FROM_2)meta
__TO_EQ_FROM_1ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ismheader
__TO_EQ_FROM_2ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ismheader
__TO_EQ_FROM_DOMTo: domain same as From: domain(__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)meta
__TO_EQ_FROM_DOM_1ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ismheader
__TO_EQ_FROM_DOM_2ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ismheader
__TO_EQ_FROM_USRTo: username same as From: username(__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)meta
__TO_EQ_FROM_USR_1ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ismheader
__TO_EQ_FROM_USR_2ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ismheader
__TO_EQ_FROM_USR_NNTo: username same as From: username sans trailing nums(__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)meta
__TO_EQ_FROM_USR_NN_1ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ismheader
__TO_EQ_FROM_USR_NN_2ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ismheader
__TO_EQ_FROM_USR_NN_MINFP__TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADEDmeta
__TO_IN_SUBJ(__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)meta
__TO_NO_ARROWS_RTo !~ /(?:>$|>,)/header
__TO_NO_BRKTS_FREEMAIL__TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO)meta
__TO_NO_BRKTS_FROM_RUNON__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNONmeta
__TO_NO_BRKTS_HTML_IMG__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMGmeta
__TO_NO_BRKTS_HTML_ONLY__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLYmeta
__TO_NO_BRKTS_MSFT__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)meta
__TO_NO_BRKTS_NORDNS_HTML__TO_NO_BRKTS_HTML_ONLY && RDNS_NONEmeta
__TO_NO_BRKTS_PCNT__TO_NO_ARROWS_R && __FB_NUM_PERCNTmeta
__TO_TOO_MANY_WFH_01__TO_WAY_TOO_MANY && __WFH_01meta
__TO_UNDISCLOSEDTo =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/iheader
__TO_WAY_TOO_MANYToCc =~ /(?:,[^,]{1,90}){50}/header
__TO_YOUR_ACCT/\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/ibody
__TO_YOUR_ORG/\b(?:to|for) your organi[sz]ation\b/ibody
__TRANSFORM_LIFE/\b(transform|change) your (?:daily )?life(?:style)?\b/ibody
__TRAVEL_AGENT/\btravel\sagen(?:t|cy)\b/ibody
__TRAVEL_BUSINESS/\bbusiness\stravel\b/ibody
__TRAVEL_ITINERARY/(?:travel|ticketed|your|current) itinerary/ibody
__TRAVEL_MANY(__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2meta
__TRAVEL_PROFILE/\btravel+er\sprofile\b/ibody
__TRAVEL_RESERV/\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/ibody
__TRTMT_DEFILED/\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/ibody
__TRUNK_BOX/\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/ibody
__TRUSTED_CHECK/\b(?:cashier'?s?|certified)\sche(?:ck|que)/ibody
__TT_BROKEN_VALIUMSubject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/iheader
__TT_BROKEN_VIAGRASubject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/iheader
__TT_OBSCURED_VALIUMSubject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/header
__TT_OBSCURED_VIAGRASubject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/header
__TT_VALIUMSubject =~ /VALIUM/iheader
__TT_VIAGRASubject =~ /VIAGRA/iheader
__TVD_FW_GRAPHIC_ID1Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/mimeheader
__TVD_MIME_ATT_AOPDFContent-Type =~ /^application\/octet-stream.*\.pdf/imimeheader
__TVD_MIME_ATT_APContent-Type =~ /^application\/pdf/imimeheader
__TVD_MIME_ATT_TPContent-Type =~ /^text\/plain/imimeheader
__TVD_OUTLOOK_IMGContent-Id =~ /mimeheader
__TVD_PH_BODY_01/\baccount .{0,20}placed? [io]n restricted status/ibody
__TVD_PH_BODY_02/\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/ibody
__TVD_PH_BODY_03/\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/ibody
__TVD_PH_BODY_04/\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/ibody
__TVD_PH_BODY_05/\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/ibody
__TVD_PH_BODY_06/Dear [a-z]+ bank (?:member|customer)/ibody
__TVD_PH_BODY_07/\bguarantee the safety of your (?:[a-z_,-]+ )*?account/ibody
__TVD_PH_BODY_08/\bmultiple password failures/ibody
__TVD_PH_BODY_ACCOUNTS_POST/\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/ibody
__TVD_PH_BODY_ACCOUNTS_PRE/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/ibody
__TVD_PH_BODY_META__TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08meta
__TVD_PH_SUBJ_00Subject =~ /\brewards? survey\b/iheader
__TVD_PH_SUBJ_02Subject =~ /\byour payment has been sent\b/iheader
__TVD_PH_SUBJ_04Subject =~ /\baccounts? profile\b/iheader
__TVD_PH_SUBJ_15Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/iheader
__TVD_PH_SUBJ_17Subject =~ /\bremove limitations?\b/iheader
__TVD_PH_SUBJ_18Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/iheader
__TVD_PH_SUBJ_19Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/iheader
__TVD_PH_SUBJ_29Subject =~ /^notice(?::|[\s\W]*$)/iheader
__TVD_PH_SUBJ_31Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/iheader
__TVD_PH_SUBJ_36Subject =~ /\bconsumer notice\b/iheader
__TVD_PH_SUBJ_37Subject =~ /\bvalued member[a-z]*\b/iheader
__TVD_PH_SUBJ_38Subject =~ /\bonline bank[a-z]*\b/iheader
__TVD_PH_SUBJ_39Subject =~ /\bonline department\b/iheader
__TVD_PH_SUBJ_41Subject =~ /\bunusual activity\b/iheader
__TVD_PH_SUBJ_52Subject =~ /\b(?:account|online) profile\b/iheader
__TVD_PH_SUBJ_54Subject =~ /\bun-?authorized access(?:es)?\b/iheader
__TVD_PH_SUBJ_56Subject =~ /\brespond now\b/iheader
__TVD_PH_SUBJ_58Subject =~ /\bbilling service\b/iheader
__TVD_PH_SUBJ_59Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/iheader
__TVD_PH_SUBJ_ACCESS_POSTSubject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/iheader
__TVD_PH_SUBJ_META__TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POSTmeta
__TVD_SPACE_ENCODEDSpace ratio & encoded subject(__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)meta
__TVD_SUBJ_NUM_OBFUSubject =~ /[a-z]{3,}\d+[a-z]{2,}/iheader
__UA_GNUSUser-Agent =~ /^Gnus/header
__UA_KMAILUser-Agent =~ /^KMail/header
__UA_KNODEUser-Agent =~ /^KNode/header
__UA_MOZ5User-Agent =~ /^Mozilla\/5/header
__UA_MSOEMACUser-Agent =~ /^Microsoft-Outlook-Express-Mac/header
__UA_MSOMACUser-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/header
__UA_MUTTUser-Agent =~ /^Mutt/header
__UA_OPERA7User-Agent =~ /^Opera7/header
__UA_PANUser-Agent =~ /^Pan/header
__UA_XNEWSUser-Agent =~ /^Xnews/header
__UC_GIBB_OBFU/\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/body
__UN/\bunited\snations?\b/ibody
__UNDISC_FREEM__TO_UNDISCLOSED && __freemail_replytometa
__UNDISC_MONEY__TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)meta
__UNICODE_OBFU_ASC/[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/ibody
__UNICODE_OBFU_ASC_MANY__UNICODE_OBFU_ASC > 9meta
__UNICODE_OBFU_ZW/[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/ibody
__UNICODE_OBFU_ZW_10__UNICODE_OBFU_ZW > 9meta
__UNICODE_OBFU_ZW_2__UNICODE_OBFU_ZW > 1meta
__UNICODE_OBFU_ZW_3__UNICODE_OBFU_ZW > 2meta
__UNICODE_OBFU_ZW_5__UNICODE_OBFU_ZW > 4meta
__UNSUB_EMAIL/\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/ibody
__UNSUB_LINK/\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/iuri
__UPGR_MAILBOX/\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/ibody
__UPPERCASE_URI/^[^:A-Z]+[A-Z]/uri
__URI_12LTRDOMm,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,iuri
__URI_ADOBESPARKm,https?://branchlink\.adobespark\.com/,iuri
__URI_AZURE_CLOUDAPPm,://(?:[^./]+\.)+cloudapp\.azure\.com/,uri
__URI_DASHGOVEDUm,://[^/]*-(?:gov|edu)\.com/,iuri
__URI_DATA/^data:(?!image\/)[a-z]/iuri
__URI_DBL_DOMm,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,iuri
__URI_DOM_DOTDOTm,://[^/]+\.\.,uri
__URI_DOTEDUm;^https?://(?:[^./]+\.)+edu/;iuri
__URI_DOTEDU_ENTITY__URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAWmeta
__URI_DOTGOVm;^https?://(?:[^./]+\.)+gov/;iuri
__URI_DOTTY_HEX/(?:\.[0-9a-f]{2}){30}/uri
__URI_DQ_UNSUBm;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;iuri
__URI_FIREBASEAPPm,://[^./]+\.firebaseapp\.com/,uri
__URI_GOOG_STO_HTMLm,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),iuri
__URI_GOOG_STO_IMGm,^https?://storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,iuri
__URI_GOOGLE_DOCm,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),iuri
__URI_GOOGLE_DRVm,^https?://(?:drive\.google|googledrive)\.com/,iuri
__URI_GOOGLE_PROXYm;^https?://[^.]+\.googleusercontent\.com/proxy/;iuri
__URI_HEX_IPm;://0x[0-9A-F]{8,}[:/];iuri
__URI_IMG_ALICDNm,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png),iuri
__URI_IMG_AMAZONm,://[^/?]+\.(?:ssl-)?images-amazon\.com/,iuri
__URI_IMG_CHANNYPICm,://www\.channypicture\.com/pic/,iuri
__URI_IMG_EBAYm,://[^/?]+\.ebayimg\.com/,iuri
__URI_IMG_JOOMCDNm,://img\.joomcdn\.net/,iuri
__URI_IMG_NEWEGGm,://[^/?]+\.neweggimages\.com/,iuri
__URI_IMG_SHOPIFYm,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png),iuri
__URI_IMG_STATICBGm,://imgaz\.staticbg\.com/images/,iuri
__URI_IMG_WALMARTWalmart hosted imagem,://[^/?]+\.walmartimages\.com/,iuri
__URI_IMG_WISHm,://contestimg\.wish\.com/,iuri
__URI_IMG_WP_REDIRm;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;iuri
__URI_IMG_YTIMGm,://[^/?]+\.ytimg\.com/,iuri
__URI_MAILTO/^mailto:/iuri
__URI_MONERO/buy-monero/iuri
__URI_MYSP_ACm;://mysp\.ac/;iuri
__URI_ONLY_MSGID_MALF__BODY_URI_ONLY && __MSGID_NOFQDN2meta
__URI_PHISH__HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)meta
__URI_PHP_REDIRm;/redirect\.php\?;iuri
__URI_TRY_USMEm,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,iuri
__URI_WEBAPPm,://[^./]+\.web\.app/,uri
__URI_WPADMINm,/wp-admin/\w+/,iuri
__URI_WPCONTENTm,/wp-content/.*\.(?:php|html?)\b,iuri
__URI_WPDIRINDEXURI for compromised WordPress site, possible malwarem,/wp-(?:content|includes)/.*/$,iuri
__URI_WPINCLUDESm,/wp-includes/.*\.(?:php|html?)\b,iuri
__URL_BTC_IDm;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$);uri
__URL_LTC_IDm;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$);uri
__URL_SHORTENER/^https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}\/?/uri
__USING_VERP1Return-Path =~ /[+-].*=/header
__VACATIONSubject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/iheader
__VALIDATE_MAILBOX/\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails))\b/ibody
__VALIDATE_MBOX_SE/(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/ibody
__VERIFY_ACCOUNT/(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/ibody
__VFY_ACCT_NORDNS__VERIFY_ACCOUNT && __RDNS_NONEmeta
__VIA_MLMail from a mailing list__ML1 || __ML2 || __ML3 || __ML4 || __ML5meta
__VIA_RESIGNERMail through a popular signing remailer__RESIGNER1 || __RESIGNER2meta
__VPSNUMBERONLY_TLDFrom:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/iheader
__WALMART_IMG_NOT_RCVD_WALWalmart hosted image but message not from Walmart__URI_IMG_WALMART && !__HDR_RCVD_WALMARTmeta
__WE_PAID/\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/ibody
__WEBMAIL_ACCT/\byour web ?mail account/ibody
__WIDOW/\b(?:widow(?:e[rd])'?s?|veuve)\b/ibody
__WILL_LEGAL/\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/ibody
__WIRE_XFR/\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/ibody
__WITHOUT_EFFORT/\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/ibody
__WORD_INVIS/<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}rawbody
__WORD_INVIS_2__WORD_INVIS > 1meta
__WORD_INVIS_5__WORD_INVIS > 5meta
__WORD_INVIS_MINFP__WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUIDmeta
__XEROXWORKCTR_MUAX-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/header
__XFER_LOTSA_MONEY__XFER_MONEY && LOTS_OF_MONEYmeta
__XFER_MONEY(__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY)meta
__XM_APPLEMAILX-Mailer =~ /^Apple Mail/header
__XM_BALSAX-Mailer =~ /^Balsa \d/header
__XM_CALYPSOX-Mailer =~ /^Calypso/header
__XM_DIGITS_ONLYX-Mailer malformedX-Mailer =~ /^\s*\d+\s*$/header
__XM_FORTEX-Mailer =~ /^Forte Agent \d/header
__XM_GNUSX-Mailer =~ /^Gnus v/header
__XM_IPHONEMAILX-Mailer =~ /^iPhone Mail \([0-9A-F]{4,8}\)/header
__XM_LIGHT_HEAVYX-Mailer =~ /\b(?:light|(?header
__XM_MHEX-Mailer =~ /^mh-e \d/header
__XM_MOZ4X-Mailer =~ /^Mozilla 4/header
__XM_MS_IN_GENERALX-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/header
__XM_MSOE5X-Mailer =~ /^Microsoft Outlook Express 5/header
__XM_MSOE6X-Mailer =~ /^Microsoft Outlook Express 6/header
__XM_OL_10_0_4115X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/header
__XM_OL_28001441X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/header
__XM_OL_28004682X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/header
__XM_OL_4_72_2106_4X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/header
__XM_OL_48072300X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/header
__XM_OUTLOOK_EXPRESSX-Mailer =~ /^Microsoft Outlook Express \d/header
__XM_PHPMAILER_FORGEDX-Mailer =~ /PHPMailer\s.*version\D+$/header
__XM_RANDOMX-Mailer =~ /q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]/iheader
__XM_SKYRIX-Mailer =~ /^SKYRiXgreen/header
__XM_SQRLMAILX-Mailer =~ /^SquirrelMail/header
__XM_SYLPHEEDX-Mailer =~ /^Sylpheed/header
__XM_UC_ONLYX-Mailer =~ /^[^a-z]+$/header
__XM_VMX-Mailer =~ /^VM \d/header
__XM_WWWMAILX-Mailer =~ /^WWW-Mail \d/header
__XM_XIMEVOLX-Mailer =~ /^Ximian Evolution/header
__XPRIOHas X-Priority headerexists:X-Priorityheader
__XPRIO_MINFP__XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITSmeta
__XPRIO_SHORT_SUBJ__XPRIO_MINFP && __SUBJ_SHORTmeta
__YOU_ASSIST/\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/ibody
__YOU_INHERITDiscussing your inheritance/\byour\s[a-z\s]{0,30}inherit+ance\b/ibody
__YOU_WON__YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY))meta
__YOU_WON_01/\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/ibody
__YOU_WON_02/\bw[io]n\s(?:(?:for|by)\s)?your?\b/ibody
__YOU_WON_03/\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/ibody
__YOU_WON_04/\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/ibody
__YOU_WON_05/\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/ibody
__YOUR_BANK/\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/ibody
__YOUR_CONSIGNMENT/\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/ibody
__YOUR_FUND/\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/ibody
__YOUR_ONAN/\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/ibody
__YOUR_PASSWORD/\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/ibody
__YOUR_PERM/\byour\spermission\b/ibody
__YOUR_PERSONAL/\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/ibody
__YOUR_PROFIT/\byour?\sprofit/ibody
__YOUR_WEBCAM/\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/ibody
__ZIP_ATTACH_MTContent-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,imimeheader
__ZIP_ATTACH_NOFNContent-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,imimeheader
AC_BR_BONANZAToo many newlines in a row... spammy template/(?:
\s*){30}/i
rawbody
AC_DIV_BONANZAToo many divs in a row... spammy template/(?:
(?:\s*<\/div>)?\s*){10}/i
rawbody
AC_FROM_MANY_DOTSMultiple periods in From user nameFrom =~ /<(?:\w+\.){2,}\w+@/header
AC_HTML_NONSENSE_TAGSMany consecutive multi-letter HTML tags, likely nonsense/spam/(?:<[A-Za-z0-9]{4,}>\s*){10}/rawbody
AC_POST_EXTRASSuspicious URL__AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_IDmeta
AC_SPAMMY_URI_PATTERNS1link combos match highly spammy template__AC_OUTL_URI && __AC_OUTI_URImeta
AC_SPAMMY_URI_PATTERNS10link combos match highly spammy template__AC_PUNCTNUMS_URImeta
AC_SPAMMY_URI_PATTERNS11link combos match highly spammy template__AC_NDOMLONGNASPX_URImeta
AC_SPAMMY_URI_PATTERNS12link combos match highly spammy template__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URImeta
AC_SPAMMY_URI_PATTERNS2link combos match highly spammy template__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URImeta
AC_SPAMMY_URI_PATTERNS3link combos match highly spammy template__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URImeta
AC_SPAMMY_URI_PATTERNS4link combos match highly spammy template__AC_NUMS_URImeta
AC_SPAMMY_URI_PATTERNS8link combos match highly spammy template__AC_LONGSEQ_URImeta
AC_SPAMMY_URI_PATTERNS9link combos match highly spammy templatemeta
ACCESSDBMessage would have been caught by accessdbMany MTAs support access databases, such as Sendmail, Postfix, etc. This plugin does similar checks to see whether a message would have been flagged.

The rule returns false if an entry isn't found, or the entry has a RHS of OK or SKIP.

The rule returns true if an entry exists and has a RHS of REJECT, ERROR, or DISCARD.

Note: only the first word (split on non-word characters) of the RHS is checked, so error:5.7.1:... means ERROR.
header
ACCT_PHISHINGPossible phishing for account information(__ACCT_PHISH || __EMAIL_PHISH) && !ACCT_PHISHING_MANY && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MTA_MESSY && !__STY_INVIS_MANYmeta
ACCT_PHISHING_MANYPhishing for account information(__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANYmeta
ACT_NOW_CAPSTalks about 'acting now' with capitalsbody
AD_PREFSAdvertising preferences/(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/ibody
ADMAIL"admail" and variants__ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTSmeta
ADMITS_SPAMAdmits this is an ad__ADMITS_SPAM && !__TO___LOWER && !__MSOE_MID_WRONG_CASE && !__RP_MATCHES_RCVDmeta
ADULT_DATING_COMPANYNo description providedmeta
ADVANCE_FEE_2Standard description: Appears to be advance fee fraud (Nigerian 419)

A phrase in the email body has been found that is commonly found in advance fee fraud spam.body
ADVANCE_FEE_2_NEW_FORMAdvance Fee fraud and a form(__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__COMMENT_EXISTS && !__THREADED && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__DOS_HAS_LIST_UNSUB && !__HAS_SENDER && !__HAS_X_LOOPmeta
ADVANCE_FEE_2_NEW_FRM_MNYAdvance Fee fraud form and lots of money(__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOPmeta
ADVANCE_FEE_2_NEW_MONEYAdvance Fee fraud and lots of money(__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_CENTER && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__NAME_EQ_EMAIL && !__URI_MAILTO_MANY && !__RP_MATCHES_RCVD && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOPmeta
ADVANCE_FEE_3_NEWAppears to be advance fee fraud (Nigerian 419)(__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__UNSUB_LINK && !__UPPERCASE_URI && !__SURVEY && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORGmeta
ADVANCE_FEE_3_NEW_FORMAdvance Fee fraud and a form(__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__HTML_LINK_IMAGE && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOPmeta
ADVANCE_FEE_3_NEW_FRM_MNYAdvance Fee fraud form and lots of money(__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HTML_LINK_IMAGE && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOPmeta
ADVANCE_FEE_3_NEW_MONEYAdvance Fee fraud and lots of money(__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__UNSUB_LINK && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOPmeta
ADVANCE_FEE_4_NEWAppears to be advance fee fraud (Nigerian 419)(__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__DOS_HAS_LIST_UNSUBmeta
ADVANCE_FEE_4_NEW_FORMAdvance Fee fraud and a formmeta
ADVANCE_FEE_4_NEW_FRM_MNYAdvance Fee fraud form and lots of money__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNYmeta
ADVANCE_FEE_4_NEW_MONEYAdvance Fee fraud and lots of money(__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__HAS_X_LOOPmeta
ADVANCE_FEE_5_NEWAppears to be advance fee fraud (Nigerian 419)__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEYmeta
ADVANCE_FEE_5_NEW_FORMAdvance Fee fraud and a form__ADVANCE_FEE_5_NEW_FORMmeta
ADVANCE_FEE_5_NEW_FRM_MNYAdvance Fee fraud form and lots of money__ADVANCE_FEE_5_NEW_FRM_MNYmeta
ADVANCE_FEE_5_NEW_MONEYAdvance Fee fraud and lots of money__ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPEmeta
ALIBABA_IMG_NOT_RCVD_ALIAlibaba hosted image but message not from Alibaba__ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASEmeta
ALL_TRUSTEDPassed through trusted hosts only via SMTP"Trusted" does not mean "trusted to not send spam." It means "trusted to not forge Received: headers."


If your message hits on the ALL_TRUSTED rule, it means that all of the Received: headers in the message were inserted by SMTP relays you have indicated are "TrustedRelays" and the "from" part of the Received: header is also from one of your "TrustedRelays"; consequently, no tests of the source of the message (for example, tests against DNSBlocklists) will be performed.


If that message is obviously spam, and you think it should have been caught by DNS tests, then your trust path is configured incorrectly.
header
AMAZON_IMG_NOT_RCVD_AMZNAmazon hosted image but message not from Amazon__AMAZON_IMG_NOT_RCVD_AMZN && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LISTmeta
ANY_BOUNCE_MESSAGEMessage is some kind of bounce message(CRBOUNCE_MESSAGE||BOUNCE_MESSAGE||VBOUNCE_MESSAGE)meta
ANY_PILL_PRICEPrices for pillsmeta
APOSTROPHE_FROMFrom address contains an apostropheThe apostrophe character "'" appears in the address part of the From: header.


e.g. john.o'groats@example.com




Note that, while the email address specification (RFC5322) allows for apostrophes to be included in the local-part of an address, use of apostrophes has been historically discouraged for security and interoperability reasons. As such addresses containing them use may be considered unusual.
header
APP_DEVELOPMENT_FREEMApp development pitch, freemail or CHN replytometa
APP_DEVELOPMENT_NORDNSApp development pitch, no rDNSmeta
AWLFrom: address is in the auto white-listThe auto white-list (AWL) keeps track of the scores associated with known senders and pushes the total score for the mail toward the average for the sender. Thus a mail from a previous sender that's otherwise scored higher than average may receive a negative score; a mail scored lower than average may receive a positive score.header
AXB_HELO_HOME_UNHELO from home - untrustedX-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\w+\.(lan|home) /iheader
AXB_X_AOL_SEZ_SAOL said this is S*x-aol-global-disposition =~ /^S$/header
AXB_X_FF_SEZ_SForefront sez this is spamX-Forefront-Antispam-Report =~ /\bSFV\:SPM\b/header
AXB_XM_FORGED_OL2600Forged OE v. 6.2600__AXB_XM_OL_2600 && !__AXB_MO_OL_2600meta
AXB_XM_SENDMAIL_NOTNebbiolo fingerprintheader
AXB_XMAILER_MIMEOLE_OL_024C2Yet another X header trait__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2meta
AXB_XMAILER_MIMEOLE_OL_1ECD5Yet another X header trait__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5meta
AXB_XMID_1212Barbera Fingerprintheader
AXB_XMID_1510Brunello Fingerprintheader
AXB_XMID_OEGOESNULLAmarone Fingerprintheader
AXB_XR_STULDAPReceived =~ /\(8\.12\.3 da nor stuldap\/8\.12\.3\)/Potentially abused Open Relay
(8.12.3 da nor stuldap/8.12.3)
header
BAD_CREDITEliminate Bad Creditbody
BAD_ENC_HEADERMessage has bad MIME encoding in the headerheader
BANG_GUARSomething is emphatically guaranteedbody
BANG_OPRAHTalks about Oprah with an exclamation!body
BANKING_LAWSTalks about banking laws/banking laws/ibody
BASE64_LENGTH_78_79base64 encoded email part uses line length of 78 or 79 charactersAccording to http://en.wikipedia.org/wiki/Base64 , base 64 should only be 76 chars long, so these are out of format.body
BASE64_LENGTH_79_INFbase64 encoded email part uses line length greater than 79 charactersAccording to http://en.wikipedia.org/wiki/Base64 , base 64 should only be 76 chars long, so these are out of format.body
BAYES_00Bayes spam probability is 0 to 1%SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.

Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.
body
BAYES_05Bayes spam probability is 1 to 5%SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.

Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.
body
BAYES_20Bayes spam probability is 5 to 20%SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.

Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.
body
BAYES_40Bayes spam probability is 20 to 40%SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.

Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.
body
BAYES_50Bayes spam probability is 40 to 60%SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.

Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.
body
BAYES_60Bayes spam probability is 60 to 80%SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.

Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.
body
BAYES_80Bayes spam probability is 80 to 95%SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.

Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.
body
BAYES_95Bayes spam probability is 95 to 99%SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.

Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.
body
BAYES_95Bayes spam probability is 95 to 99%body
BAYES_99Bayes spam probability is 99 to 100%SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.

Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.
body
BAYES_99Bayes spam probability is 99 to 100%body
BAYES_999Bayes spam probability is 99.9 to 100%SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience.

Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.
body
BAYES_999Bayes spam probability is 99.9 to 100%body
BEBEE_IMG_NOT_RCVD_BBBebee hosted image but message not from Bebeemeta
BIGNUM_EMAILS_FREEMLots of email addresses/leads, free email account__BIGNUM_EMAILS_FREEMmeta
BIGNUM_EMAILS_FREEMLots of email addresses/leads, free email accountmeta
BIGNUM_EMAILS_MANYLots of email addresses/leads, over and overmeta
BILLION_DOLLARSTalks about lots of moneybody
BITCOIN_BOMBBitCoin + bomb__BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01meta
BITCOIN_DEADLINEBitCoin with a deadline__BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01meta
BITCOIN_EXTORT_01Extortion spam, pay via BitCoin(__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA )meta
BITCOIN_EXTORT_02Extortion spam, pay via BitCoin__OBFU_BITCOIN_NOID && __EXTORT_MANYmeta
BITCOIN_IMGURBitcoin + hosted image__BITCOIN_IMGURmeta
BITCOIN_MALF_HTMLBitcoin + malformed HTMLHTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID)meta
BITCOIN_MALWAREBitCoin + malware bragging__BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFEDmeta
BITCOIN_OBFU_SUBJBitcoin + obfuscated subject__BITCOIN_OBFU_SUBJ && !__128_ALNUM_URImeta
BITCOIN_ONANBitCoin + [censored]__BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01meta
BITCOIN_PAY_MEPay me via BitCoin__BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01meta
BITCOIN_SPAM_01BitCoin spam pattern 01__BITCOIN_ID && HTML_MIME_NO_HTML_TAGmeta
BITCOIN_SPAM_02BitCoin spam pattern 02__BITCOIN_SPAM_02 && !__URL_BTC_IDmeta
BITCOIN_SPAM_03BitCoin spam pattern 03__BITCOIN_ID && __SINGLE_WORD_SUBJmeta
BITCOIN_SPAM_04BitCoin spam pattern 04__BITCOIN_ID && __freemail_hdr_replytometa
BITCOIN_SPAM_05BitCoin spam pattern 05__BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TOmeta
BITCOIN_SPAM_06BitCoin spam pattern 06__BITCOIN_ID && TVD_RCVD_SPACE_BRACKETmeta
BITCOIN_SPAM_07BitCoin spam pattern 07__BITCOIN_SPAM_07 && !__DKIM_EXISTSmeta
BITCOIN_SPAM_08BitCoin spam pattern 08__BITCOIN_ID && __TO_IN_SUBJmeta
BITCOIN_SPAM_09BitCoin spam pattern 09__BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU )meta
BITCOIN_SPAM_10BitCoin spam pattern 10__BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 )meta
BITCOIN_SPAM_11BitCoin spam pattern 11__BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFUmeta
BITCOIN_SPAM_12BitCoin spam pattern 12__BITCOIN_ID && __BOGUS_MIME_HDR_MANYmeta
BITCOIN_SPF_ONLYALLBitcoin from a domain specifically set to pass +all SPF__PDS_SPF_ONLYALL && __BITCOIN_IDmeta
BITCOIN_WFH_01Work-from-Home + bitcoin__BITCOIN_WFH_01meta
BITCOIN_XPRIOBitcoin + priority__BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSYmeta
BITCOIN_YOUR_INFOBitCoin with your personal info__BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01meta
BLANK_LINES_70_80Message body has 70-80% blank linesThis suggests that the sender is trying to hide content "below the page fold", that the recipient may not scroll down to see. This may include nonsense characters or random text taken from the Web, intended to thwart pattern-matching filters by sending slightly different messages to each recipient.body
BLANK_LINES_80_90Message body has 80-90% blank linesThis suggests that the sender is trying to hide content "below the page fold", that the recipient may not scroll down to see. This may include nonsense characters or random text taken from the Web, intended to thwart pattern-matching filters by sending slightly different messages to each recipient.body
BLANK_LINES_90_100Message body has 90-100% blank linesThis suggests that the sender is trying to hide content "below the page fold", that the recipient may not scroll down to see. This may include nonsense characters or random text taken from the Web, intended to thwart pattern-matching filters by sending slightly different messages to each recipient.body
BODY_8BITSBody includes 8 consecutive 8-bit charactersbody
BODY_ENHANCEMENTInformation on growing body parts/\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b).{0,50}\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast(?!\s+cancer))/ibody
BODY_ENHANCEMENT2Information on getting larger body parts/\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast(?!\s+cancer)).{0,50}\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b|size)/ibody
BODY_SINGLE_URIMessage body is only a URI(__BODY_SINGLE_WORD && __HAS_ANY_URI) && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTPmeta
BODY_SINGLE_WORDMessage body is only one word (no spaces)__BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTPmeta
BODY_URI_ONLYMessage body is only a URI in one line of text or for an image__BODY_URI_ONLY && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__TO_EQ_FROM_DOM && !__X_CRON_ENVmeta
BOGUS_MIME_VERSIONMime version header is bogus__BOGUS_MIME_VER_02 || __MALF_MIME_VERmeta
BOGUS_MSM_HDRSApparently bogus Microsoft email headers__BOGUS_MSM_HDRSmeta
BOMB_FREEMBomb + freemail__EXPLOSIVE_DEVICE && __freemail_hdr_replytometa
BOMB_MONEYBomb + money: bomb threat?__EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW )meta
BOUNCE_MESSAGEMTA bounce message__HAVE_BOUNCE_RELAYS && (!__MY_SERVERS_FOUND && !ALL_TRUSTED && !__NONBOUNCE_READ_RECEIPT && (__BOUNCE_FROM_DAEMON || (__BOUNCE_RPATH_NULL && !__BOUNCE_READ_NOTIFICATION) || __BOUNCE_RPATH_MD || __BOUNCE_AUTO_GENERATED || __BOUNCE_Y_AUTOGEN || __BOUNCE_SYMANTEC || __BOUNCE_X_ERR_STAT || __BOUNCE_RETURNED || __BOUNCE_MAILDELFAIL || __BOUNCE_MSGDELFAIL || __BOUNCE_ESMTP || __BOUNCE_OOO_2 || __BOUNCE_NEVER_SEE || __BOUNCE_NONWORKING || __BOUNCE_UNDELIVERABLE || __BOUNCE_UNDELIVERABLE_ML || __BOUNCE_NOTDEL || __BOUNCE_CTYPE || __BOUNCE_DEL_FAIL || __BOUNCE_STAT_FAIL || __BOUNCE_ADDR_ERR || __BOUNCE_NO_VAL || __BOUNCE_DATA_FORMAT || __BOUNCE_COULD_NOT || __BOUNCE_UNDEL_MSG || __BOUNCE_OOO_H1 || __BOUNCE_OOO_H2 || __BOUNCE_OOO_H3 || __BOUNCE_RPATH_ERRMAIL || __BOUNCE_OOO_3 || __BOUNCE_INTERSCAN || __BOUNCE_ETRUST || __BOUNCE_AUTO_RESPONSE || __BOUNCE_AUTO_RESPOND || __BOUNCE_NO_RESEND || __BOUNCE_NOTIF || __BOUNCE_RET_MAIL || __BOUNCE_DEL_FAIL || __BOUNCE_MAIL_DEL_FAIL || __BOUNCE_AUTO_REPLY))meta
BTC_ORGBitcoin wallet ID + unusual header(__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNEDmeta
BUG6152_INVALID_DATE_TZ_ABSURDDate =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}/Wrong/absurd date.header
BULK_RE_SUSP_NTLDPrecedence bulk and RE: from a suspicious TLD__SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLDmeta
CANT_SEE_ADYou really want to see our spam.__CANT_SEE_AD_1 || __CANT_SEE_AD_2meta
CHALLENGE_RESPONSEChallenge-Response message for mail you sent__MY_SERVERS_FOUND && __CHALLENGE_RESPONSEmeta
CHARSET_FARAWAYCharacter set indicates a foreign languageThe content of the mail is in a character set not permitted by the value of the ok_locales configuration setting.

The default value of ok_locales is "all", so this rule will only trigger if the value has been locally specified.
body
CHARSET_FARAWAY_HEADERA foreign language charset used in headersThe character set used in the Subject or other headers does not match that of the message body. This may indicate an attempt to avoid English-language text filters.header
CK_HELO_DYNAMIC_SPLIT_IPRelay HELO'd using suspicious hostname (Split IP)X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?!(?:\d+\.){4})\d+[^\d\s]+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/iheader
CK_HELO_GENERICRelay used name indicative of a Dynamic Pool or Generic rPTRX-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /iheader
CN_B2B_SPAMMERChinese company introducing itself/\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/ibody
COMMENT_GIBBERISHNonsense in long HTML comment__COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOTmeta
COMPENSATIONCompensationmeta
CONFIRMED_FORGEDReceived headers are forged(__FORGED_RCVD_TRAIL && (__FORGED_AOL_RCVD || __FORGED_HOTMAIL_RCVD || __FORGED_EUDORAMAIL_RCVD || FORGED_YAHOO_RCVD || __FORGED_JUNO_RCVD || FORGED_GMAIL_RCVD))meta
CONTENT_AFTER_HTMLMore content after HTML close tag__CONTENT_AFTER_HTML && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !__RCD_RDNS_MTA_MESSY && !__URI_DOTGOVmeta
CORRUPT_FROM_LINE_IN_HDRSInformational: message is corrupt, with a From line in its headersMISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYSmeta
CRBOUNCE_MESSAGEChallenge-Response bounce message!__MY_SERVERS_FOUND && __CHALLENGE_RESPONSEmeta
CTE_8BIT_MISMATCHHeader says 7bits but body disagrees(__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS)meta
CTYPE_001C_BContent-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/header
CTYPE_8SPACE_GIFStock spam image part 'Content-Type' found (8 spc)Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/smimeheader
CTYPE_NULLMalformed Content-Type headermeta
CUM_SHOTPossible porn - Cum Shotbody
CURR_PRICE/\bCurrent Price:/body
CURR_PRICENo description providedbody
DATE_IN_FUTURE_03_06Date: is 3 to 6 hours after Received: dateThe Date header is normally set to the date that a message was created. In this case, this date is 3 to 6 hours later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is wrong.header
DATE_IN_FUTURE_06_12Date: is 6 to 12 hours after Received: dateThe Date header is normally set to the date that a message was created. In this case, this date is 6 to 12 hours later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is wrong.header
DATE_IN_FUTURE_12_24Date: is 12 to 24 hours after Received: dateThe Date header is normally set to the date that a message was created. In this case, this date is 12 to 24 hours later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is very wrong.header
DATE_IN_FUTURE_24_48Date: is 24 to 48 hours after Received: dateThe Date header is normally set to the date that a message was created. In this case, this date is 1 to 2 days later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is very wrong.header
DATE_IN_FUTURE_48_96Date: is 48 to 96 hours after Received: dateThe Date header is normally set to the date that a message was created. In this case, this date is 2 to 4 days later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is very wrong.header
DATE_IN_FUTURE_96_QDate: is 4 days to 4 months after Received: dateeval:check_for_shifted_date('96', '2920')header
DATE_IN_FUTURE_96_XXDate: is 96 hours or more after Received: dateThe Date header is normally set to the date that a message was created. In this case, this date is more than 4 days later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is very wrong.header
DATE_IN_PAST_03_06Date: is 3 to 6 hours before Received: dateThe Date: header is checked against the timestamps in the Received: header lines. If the clock generating the Date: header is accurate then the mail was generated 3 to 6 hours before being received by one of the relays.header
DATE_IN_PAST_06_12Date: is 6 to 12 hours before Received: dateThe Date: header is checked against the timestamps in the Received: header lines. If the clock generating the Date: header is accurate then the mail was generated 6 to 12 hours before being received by one of the relays. This is unlikely in a normal mail client.header
DATE_IN_PAST_12_24Date: is 12 to 24 hours before Received: dateThe Date: header is checked against the timestamps in the Received: header lines. If the clock generating the Date: header is accurate then the mail was generated 12 to 24 hours before being received by one of the relays. This is unlikely with a normal mail client.header
DATE_IN_PAST_24_48Date: is 24 to 48 hours before Received: dateThe Date: header is checked against the timestamps in the Received: header lines. If the clock generating the Date: header is accurate then the mail was generated 1 to 2 days before being received by one of the relays. This is unlikely in a normal mail client.header
DATE_IN_PAST_96_XXDate: is 96 hours or more before Received: dateThe Date: header is checked against the timestamps in the Received: header lines. If the clock generating the Date: header is accurate then the mail was generated 4 days or more before being received by one of the relays. This is unlikely in a normal mail client.header
DATE_SPAMWARE_Y2KDate header uses unusual Y2K formattingDate =~ /^[A-Z][a-z]{2}, \d\d [A-Z][a-z]{2} [0-6]\d \d\d:\d\d:\d\d [A-Z]{3}$/header
DAY_I_EARNEDWork-at-home spammeta
DC_GIF_264_127Found 264x127 pixel gif, possible pillzeval:image_size_exact('gif','264','127')body
DC_GIF_300Contains a 300x300 pixels gif or largereval:image_size_range('gif',300,300)body
DC_GIF_HTML_RATIOLow rawbody to GIF pixel area ratioeval:image_to_text_ratio('gif',0.000, 0.008)rawbody
DC_GIF_TEXT_RATIOLow body to GIF pixel area ratioeval:image_to_text_ratio('gif',0.000, 0.008)body
DC_GIF_UNO_LARGOMessage contains a single large gif image( __GIF_ATTACH_1 && __GIF_AREA_180K )meta
DC_IMAGE_SPAM_HTMLPossible Image-only spam( ( __HTML_IMG_ONLY || __DC_IMG_HTML_RATIO ) && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO ))meta
DC_IMAGE_SPAM_TEXTPossible Image-only spam with little text( __DC_IMG_TEXT_RATIO && ( DC_GIF_UNO_LARGO || DC_PNG_UNO_LARGO || __DC_GIF_MULTI_LARGO || __DC_PNG_MULTI_LARGO ))meta
DC_IMAGE001_GIFContains image named image001.gifeval:image_named('image001.gif')body
DC_JPEG_200_300Contains jpeg 200-250 (high) x 300-350 (wide)eval:image_size_range('gif', 200, 300, 250, 350)body
DC_JPEG_MULTI_LARGOMessage has 2+ inline jpeg covering lots of area( __JPEG_ATTACH_2P && __JPEG_AREA_180K )meta
DC_JPEG_UNO_LARGOMessage hash single large inline jpeg( __JPEG_ATTACH_1 && __JPEG_AREA_180K )meta
DC_PNG_UNO_LARGOMessage contains a single large png image( __PNG_ATTACH_1 && __PNG_AREA_180K )meta
DC_SCREENSHOT_JPGContains inline image matching common screen resolution( __SCREEN_640x480 || __SCREEN_800x600 || __SCREEN_1024x768 || __SCREEN_1280x1024 )meta
DCC_CHECKDetected as bulk mail by DCC ( https://www.rhyolite.com/dcc/ ; dcc-servers.net )The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam.

Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves.

Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details.

See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.
full
DCC_REPUT_00_12DCC reputation between 0 and 12 % (mostly ham)The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam.

Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves.

Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details.

See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.
full
DCC_REPUT_13_19DCC reputation between 13 and 19 %The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam.

Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves.

Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details.

See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.
full
DCC_REPUT_70_89DCC reputation between 70 and 89 %The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam.

Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves.

Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details.

See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.
full
DCC_REPUT_90_94DCC reputation between 90 and 94 %The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam.

Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves.

Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details.

See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.
full
DCC_REPUT_90_94DCC reputation between 90 and 94 %full
DCC_REPUT_95_98DCC reputation between 95 and 98 % (mostly spam)The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam.

Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves.

Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details.

See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.
full
DCC_REPUT_95_98DCC reputation between 95 and 98 % (mostly spam)full
DCC_REPUT_99_100DCC reputation between 99 % or higher (spam)The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam.

Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves.

Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details.

See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.
full
DEAR_BENEFICIARYDear Beneficiary:body
DEAR_EMAILMessage contains Dear email addressbody
DEAR_EMAIL_USERDear Email User:/^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/ibody
DEAR_FRIENDDear Friend? That's not very dear!body
DEAR_SOMETHINGContains 'Dear (something)'body
DEAR_WINNERSpam with generic salutation of "dear winner"/\bdear.{1,20}winner/ibody
DIET_1Lose Weight SpamThe message contains a phrase common to spam promoting weight loss, such as "lose 10lbs".body
DIGEST_MULTIPLEMessage hits more than one network digest checkRAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1meta
DKIM_ADSP_ALLNo valid author signature, domain signs all mailThe sender's domain says that it uses DKIM (http://www.dkim.org/) on all email, but no valid signature was found.

That suggests that the message might not have originated with the purported sender.
header
DKIM_ADSP_CUSTOM_HIGHNo valid author signature, adsp_override is CUSTOM_HIGHThe presence of this test indicates that DKIM support is enabled on the server.

The mail does not contain a valid DKIM signature and the domain of the sending address has been matched by an override setting (adsp_override).

For frequently seen domains that either do not publish an ADSP (Author Domain Signing Practices) records, or where a stronger (or weaker) policy is desired, the values can be specified in the configuration, saving the need for a DNS lookup.

The current default custom_med overrides in 60_adsp_override_dkim.cf include entries for youtube.com.

One reason for not seeing a signature on a mail from an domain which routinely signs them is that the signature header may have been stripped out, for example as part of a mailing-list expander.
header
DKIM_ADSP_CUSTOM_LOWNo valid author signature, adsp_override is CUSTOM_LOWThe presence of this test indicates that DKIM support is enabled on the server.

The mail does not contain a valid DKIM signature and the domain of the sending address has been matched by an override setting (adsp_override).

For frequently seen domains that either do not publish an ADSP (Author Domain Signing Practices) records, or where a stronger (or weaker) policy is desired, the values can be specified in the configuration, saving the need for a DNS lookup.

One reason for not seeing a signature on a mail from an domain which routinely signs them is that the signature header may have been stripped out, for example as part of a mailing-list expander.
header
DKIM_ADSP_CUSTOM_MEDNo valid author signature, adsp_override is CUSTOM_MEDThe presence of this test indicates that DKIM support is enabled on the server.

The mail does not contain a valid DKIM signature and the domain of the sending address has been matched by an override setting (adsp_override).

For frequently seen domains that either do not publish an ADSP (Author Domain Signing Practices) records, or where a stronger (or weaker) policy is desired, the values can be specified in the configuration, saving the need for a DNS lookup.

The current default custom_med overrides in 60_adsp_override_dkim.cf include entries for Yahoo and Google domains.

One reason for not seeing a signature on a mail from an domain which routinely signs them is that the signature header may have been stripped out, for example as part of a mailing-list expander.
header
DKIM_ADSP_DISCARDNo valid author signature, domain signs all mail and suggests discarding the restThe sender's domain says that it uses DKIM (http://www.dkim.org/) on all email, but no valid signature was found. The sender's domain policy suggests discarding this message.

That suggests that the message might not have originated with the purported sender.
header
DKIM_ADSP_NXDOMAINNo valid author signature and domain not in DNSThe presence of this test indicates that DKIM support is enabled on the server.

The mail does not contain a valid DKIM signature and the domain of the sending address is not in the DNS

One reason for not seeing a signature on a mail from an domain which routinely signs them is that the signature header may have been stripped out, for example as part of a mailing-list expander.
header
DKIM_INVALIDDKIM or DK signature exists, but is not validDKIM_SIGNED && !DKIM_VALIDmeta
DKIM_POLICY_SIGNALLeval:check_dkim_signall()The sender's domain says that it uses DKIM (http://www.dkim.org/) on all email, but no valid signature was found.

That suggests that the message did not in fact originate with the purported sender.
header
DKIM_POLICY_SIGNSOMEeval:check_dkim_signsome()The sender's domain says that it uses DKIM (http://www.dkim.org/) on some email, but no valid signature was found.

That suggests that the message might not have originated with the purported sender.
header
DKIM_POLICY_TESTINGeval:check_dkim_testing()The sender's domain says that it is testing DKIM (http://www.dkim.org/)header
DKIM_SIGNEDMessage has a DKIM or DK signature, not necessarily validThe message is signed using DKIM (http://www.dkim.org/)full
DKIM_VALIDMessage has at least one valid DKIM or DK signatureeval:check_dkim_valid()full
DKIM_VALID_AUMessage has a valid DKIM or DK signature from author's domaineval:check_dkim_valid_author_sig()full
DKIM_VALID_AUMessage has a valid DKIM or DK signature from author's domainfull
DKIM_VALID_EFMessage has a valid DKIM or DK signature from envelope-from domaineval:check_dkim_valid_envelopefrom()full
DKIM_VERIFIEDeval:check_dkim_valid()The message is signed using DKIM (http://www.dkim.org/) and the signature was verifiedfull
DKIMDOMAIN_IN_DWLNo description provided???
DKIMDOMAIN_IN_DWL_UNKNOWNNo description provided???
DKIMWL_BLDKIMwl.org - Blocked sender_DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/meta
DKIMWL_BLOCKEDADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.meta
DKIMWL_WL_HIGHDKIMwl.org - High trust sender__DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO)meta
DKIMWL_WL_MEDDKIMwl.org - Medium trust sender__DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO)meta
DKIMWL_WL_MEDHIDKIMwl.org - Medium-high trust sender__DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)meta
DNS_FROM_AHBL_RHSBLEnvelope sender listed in dnsbl.ahbl.orgeval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')header
DNS_FROM_RFC_BOGUSMXEnvelope sender in bogusmx.rfc-ignorant.orgThe domain of the envelope sender is listed in the DNSBL [WWW] bogusmx.rfc-ignorant.org.

The criteria for listing is that the domain's MX records are not in compliance with current RFC guidelines.
header
DNS_FROM_RFC_DSNEnvelope sender in dsn.rfc-ignorant.orgThe domain of the envelope sender is listed in the DNSBL [WWW] dsn.rfc-ignorant.org.

The criteria for listing is that the servers listed in the domain's MX records must accept messages with the empty sender address (MAIL FROM:<>) so that Delivery Status Notification (DSN) messages can be delivered.
header
DOS_ANAL_SPAM_MAILERX-mailer pattern common to anal porn site spamX-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/header
DOS_FIX_MY_URILooks like a "fix my obfu'd URI please" spam__MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINKmeta
DOS_HIGH_BAT_TO_MXThe Bat! Direct to MX with High Bits__DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUAmeta
DOS_LET_GO_JOBLet go from their job and now makes lots of dough!__DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOMEmeta
DOS_OE_TO_MXDelivered direct to MX with OE headers__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGEmeta
DOS_OE_TO_MX_IMAGEDirect to MX with OE headers and an image__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACHmeta
DOS_OUTLOOK_TO_MXDelivered direct to MX with Outlook headers__ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGEmeta
DOS_OUTLOOK_TO_MX_IMAGEDirect to MX with Outlook headers and an image__ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACHmeta
DOS_RCVD_IP_TWICE_CReceived from the same IP twice in a row (only one external relay; empty or IP helo)header
DOS_STOCK_BATProbable pump and dump stock spam__THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)meta
DOS_STOCK_BAT2Probable pump and dump stock spamDOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)meta
DOS_URI_ASTERISKFound an asterisk in a URIuri
DOS_YOUR_PLACERussian dating spam(__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))meta
DOTGOV_IMAGE.gov URI + hosted image__DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYSmeta
DRUG_DOSAGETalks about price per dosebody
DRUG_ED_CAPSMentions an E.D. drugbody
DRUG_ED_GENERICMentions Generic Viagrabody
DRUG_ED_ONLINEFast Viagra Deliverybody
DRUG_ED_SILDTalks about an E.D. drug using its chemical namebody
DRUGS_ANXIETYRefers to an anxiety control drug(__DRUGS_ANXIETY1 || __DRUGS_ANXIETY2 || __DRUGS_ANXIETY3 || __DRUGS_ANXIETY4 ||__DRUGS_ANXIETY5 ||__DRUGS_ANXIETY6 ||__DRUGS_ANXIETY7 ||__DRUGS_ANXIETY8 || __DRUGS_ANXIETY9 )meta
DRUGS_ANXIETY_ERECRefers to both an erectile and an anxiety drug(DRUGS_ERECTILE && DRUGS_ANXIETY)meta
DRUGS_ANXIETY_OBFUObfuscated reference to an anxiety control drug( (__DRUGS_ANXIETY1 &&! __DRUGS_ANXIETY_XAN) || (__DRUGS_ANXIETY3 && !__DRUGS_ANXIETY_VAL))meta
DRUGS_DIETRefers to a diet drug(__DRUGS_DIET1 || __DRUGS_DIET2 || __DRUGS_DIET3 || __DRUGS_DIET4 ||__DRUGS_DIET5 ||__DRUGS_DIET6 ||__DRUGS_DIET7 ||__DRUGS_DIET8 || __DRUGS_DIET9 || __DRUGS_DIET10 )meta
DRUGS_DIET_OBFUObfuscated reference to a diet drug(__DRUGS_DIET1 && !__DRUGS_DIET_PHEN)meta
DRUGS_ERECTILERefers to an erectile drug(__DRUGS_ERECTILE1 || __DRUGS_ERECTILE2 || __DRUGS_ERECTILE3 || __DRUGS_ERECTILE4 || __DRUGS_ERECTILE5 || __DRUGS_ERECTILE6 || __DRUGS_ERECTILE8 || __DRUGS_ERECTILE10 || __DRUGS_ERECTILE11 )meta
DRUGS_ERECTILE_OBFUObfuscated reference to an erectile drug( (__DRUGS_ERECTILE1 &&!__DRUGS_ERECTILE_V) || (__DRUGS_ERECTILE3 && !__DRUGS_ERECTILE_C) ||__DRUGS_ERECTILE2 || (__DRUGS_ERECTILE10 &&!__DRUGS_ERECTILE_V) || (__DRUGS_ERECTILE6 &&!__DRUGS_ERECTILE_L))meta
DRUGS_HDIASubject mentions "hoodia"Subject =~ /\bhoodia\b/iheader
DRUGS_MANYKINDSRefers to at least four kinds of drugs(DRUGS_ERECTILE + DRUGS_DIET + __DRUGS_PAIN + __DRUGS_SLEEP + DRUGS_MUSCLE + DRUGS_ANXIETY > 3)meta
DRUGS_MUSCLERefers to a muscle relaxant(__DRUGS_MUSCLE1 || __DRUGS_MUSCLE2 || __DRUGS_MUSCLE3 || __DRUGS_MUSCLE4 ||__DRUGS_MUSCLE5 )meta
DRUGS_SLEEP_ERECRefers to both an erectile and a sleep aid drug(DRUGS_ERECTILE && __DRUGS_SLEEP)meta
DRUGS_SMEAR1Two or more drugs crammed together into one word/(?:Viagra|Valium|Xanax|Soma|Cialis){2}/ibody
DRUGS_STOCK_MIMEOLEStock-spam forged headers found (5510)__MIMEOLE_1106 && __MAILER_OL_5510meta
DSN_NO_MIMEVERSIONReturn-Path <> and no MIME-Version: header__BOUNCE_RPATH_NULL && !__MIME_VERSIONmeta
DUP_SUSP_HDRDuplicate suspicious message headers__DUP_SUSP_HDRmeta
DX_TEXT_02"change your message stat"/\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/ibody
DX_TEXT_03"XXX Media Group"/\b[A-Z]{3} Media (?:Group|Relations)\b/body
DX_TEXT_05HTML snobbery/o text only message available for this email\./ibody
DYN_RDNS_AND_INLINE_IMAGEContains image, and was sent by dynamic rDNSRDNS_DYNAMIC && __ANY_IMAGE_ATTACHmeta
DYN_RDNS_SHORT_HELO_HTMLSent by dynamic rDNS, short HELO, and HTML__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGEmeta
DYN_RDNS_SHORT_HELO_IMAGEShort HELO string, dynamic rDNS, inline image__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACHmeta
DYNAMIC_IMGURdynamic IP + hosted image__DYNAMIC_IMGURmeta
EBAY_IMG_NOT_RCVD_EBAYE-bay hosted image but message not from E-bay__EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTSmeta
EM_ROLEXMessage puts emphasis on the watch manufacturerbody
EMAIL_ROT13Body contains a ROT13-encoded email addressROT13 is defined as: The simple Caesar-cypher encryption that replaces each English letter with the one 13 places forward or back along the alphabet, so that "The butler did it!" becomes "Gur ohgyre qvq vg!" This test indicated an e-mail address was encoded using ROT13. This is normally done to hide the identity of the recipient used for list washing.body
EMPTY_MESSAGEMessage appears to have no textual parts and no Subject: text!__MIME_ATTACHMENT && !__NONEMPTY_BODYmeta
EMRCP"Excess Maximum Return Capital Profit" scam/\bExcess Maximum Return Capital Profit\b/ibody
ENCRYPTED_MESSAGEMessage is encrypted, not likely to be spam__CT_ENCRYPTEDmeta
END_FUTURE_EMAILSSpammy unsubscribeEND_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64meta
ENGLISH_UCE_SUBJECTSubject contains an English UCE tagheader
ENV_AND_HDR_SPF_MATCHEnv and Hdr From used in default SPF WL Match(USER_IN_DEF_SPF_WL && __ENV_AND_HDR_FROM_MATCH)meta
ENVFROM_GOOG_TRIXFrom suspicious Google subdomain__ENVFROM_GOOG_TRIX_SPAMMYmeta
EXCUSE_24Claims you wanted this adbody
EXCUSE_4Claims you can be removed from the listbody
EXCUSE_REMOVETalks about how to be removed from mailingsbody
EXTRA_MPART_TYPEHeader has extraneous Content-type:...type= entryMessage may be Multipart/Related as per RFC 2387, which is over-complicated for normal emailheader
FACEBOOK_IMG_NOT_RCVD_FBFacebook hosted image but message not from Facebookmeta
FAKE_HELO_MAIL_COM_DOMRelay HELO'd with suspicious hostname (mail.com)header
FAKE_OUTBLAZE_RCVDReceived header contains faked 'mr.outblaze.com'header
FAKE_REPLY_CNo description providedmeta
FB_ADD_INCHESAdd / Gain inchesbody
FB_ALMOST_SEXIt's almost sex, but not!body
FB_ANA_TRIMBroken AnaTrim phrase.body
FB_ANUIPhrase: A_U_N_Ibody
FB_BILLI0NPhrase: [BM]Illi0nbody
FB_C0MPANYPhrase: C0mpanybody
FB_CAN_LONGERPhrase: can last longerbody
FB_CIALIS_LEO3Uses a mis-spelled version of cialis.body
FB_DOUBLE_0WORDSLooks like double 0 wordsbody
FB_EMAIL_HIERPhrase: email hierbody
FB_EXTRA_INCHESPhrase: extra inchesbody
FB_FAKE_NUMBERSLooks like numbers with O's insted of 0'sbody
FB_FAKE_NUMS4Looks like fake numbers (4)body
FB_FHARMACYPhrase: Farmacybody
FB_FORWARD_LOOKPhrase: forward look with 0'sbody
FB_GAPPY_ADDRESSToo much spacing in Address"Gappy" means, the email message body contains some words that were written spaced, for example F o o b a r instead of Foobar.body
FB_GET_MEDSLooks like trying to sell medsbody
FB_GVRLooks like generic viagrabody
FB_HEY_BRO_COMMAPhrase hey bro,body
FB_HG_H_CAPPhrase: HGHbody
FB_HOMELOANPhrase (dollar) x home loanbody
FB_IMPRESS_GIRLPhrase: impress ... girlbody
FB_INCREASE_YOURPhrase: Increase your energybody
FB_INDEPEND_RWDPhrase: independent rewardbody
FB_L0ANPhrase: L0anbody
FB_LETTERS_21BSpecial people leave special signs!body
FB_LOSE_WEIGHT_CAPPhrase: LOSE WEIGHTbody
FB_LOWER_PAYMPhrase: lower your monthly paymentsbody
FB_MORE_SIZEPhrase: more sizebody
FB_NO_SCRIP_NEEDEDPhrase: no prescription needed.body
FB_NOT_PHONE_NUM1Looks like a fake phone number (1)body
FB_NOT_PHONE_NUM3Looks like a fake phone number (3)body
FB_NOT_SCHOOLLooks like school but it's not!body
FB_NUMYOSpeaks of teenager.body
FB_NUMYO2Speaks of 20+ year old.body
FB_ODD_SPACED_MONEYLooks like money but has odd spacing.body
FB_ONIINEMis-spelled onlinebody
FB_P1LLPhrase: p1llbody
FB_PENIS_GROWTHPhrase: penis growthbody
FB_PIPE_ILLIONLooks like illion, but it's notbody
FB_PIPEDOLLARPhrase: Dollar, with pipes or 0's.body
FB_PROLONGED_HARDTalks about prolonged hardnessbody
FB_QUALITY_REPLICAPhrase: quality replicabody
FB_RE_FILooks like refi.body
FB_REF_CODE_SPACERefcode with spacingbody
FB_REPLIC_CAPPhrase: REPLICAbody
FB_REPLICA_ROLEXPhrase: Replica Rolexbody
FB_ROLLER_IS_TPhrase: Roller is thbody
FB_ROLXPhrase: rolxbody
FB_SAVE_PERSCPhrase: save ... prescription.body
FB_SOFTTABSPhrase: Softabsbody
FB_SPACED_FREEPhrase: F R E Ebody
FB_SPACED_PHN_3BPhone number with -- spacing. (B)body
FB_SPACEY_ZIPLooks like a s p a c e d zipcode.body
FB_SPUR_MPhrase: SPUR-Mbody
FB_SSEXPhrase: ssexmatches /\bssex\b/ This matches the word "ssex".

Doesn't match words like "Sussex" or "Essex" because \b means "word boundary".

It has also been disabled for years, with a score of 0. Please upgrade your spamassassin install, and run sa-update from cron daily.
body
FB_STOCK_EXPLODELooks like stocks exploding.body
FB_SYMBLOMis-spelled symbol.body
FB_THIS_ADVERTPhrase: this advertiserbody
FB_THOUS_PERSONALPhrase: thousand personalbody
FB_TO_STOP_DISTROPhrase: to stop further distributionbody
FB_ULTRA_ALLUREPhrase: Ultra Allurebody
FB_UNLOCK_YOUR_GPhrase: lock to your girlfriendbody
FB_UNRESOLV_PROVPattern Replacement PROV_Dbody
FB_YOUR_REFIPhrase: Your refibody
FB_YOURSELF_MASTERPhrase: yourself masterbody
FBI_MONEYThe FBI wants to give you lots of money?__FBI_SPOOF && LOTS_OF_MONEYmeta
FBI_SPOOFClaims to be FBI, but not from FBI domain__FBI_SPOOFmeta
FH_BAD_OEV1441Bad X-Mailer versionheader
FH_DATE_IS_19XXThe date is not 19xx.header
FH_FAKE_RCVD_LINERCVD line looks faked (A)header
FH_FAKE_RCVD_LINE_BRCVD line looks faked (B)header
FH_FROM_CASHFrom name has"cash"header
FH_FROM_GET_NAMEFrom name says Getheader
FH_FROM_GIVEAWAYFrom name is giveaway.header
FH_FROM_HOODIAFrom has Hoodia!!?header
FH_FROMEML_NOTLDE-mail address doesn't have TLD (.com, etc.)The sender's address does not have a full Internet domain. The mail may have arrived from a misconfigured local machine that only used its local name (e.g. bilbo@hobbit), or else it is an attempt to disguise the real sender.header
FH_HAS_XAIMCHas X-AIMC-AUTH headerheader
FH_HAS_XIDHas X-IDheader
FH_HELO_ALMOST_IPHelo is almost an IP addr.An untrusted relay used a hostname (FQDN) as a HELO argument during a SMTP transaction that contains a series of numbers that might represent an IPv4 address.

One likely reason for this is that the hostname is taken from the reverse DNS entry used to indicate a dynamically allocated address
header
FH_HELO_ENDS_DOTHelo ends with a dot.header
FH_HELO_EQ_610HEXHelo is 6-10 hex chr's.header
FH_HELO_EQ_CHARTERHelo is d-d-d-d charter.comheader
FH_HELO_EQ_D_D_D_DHelo is d-d-d-dThis rule checks the HELO identifier of the last untrusted relay and matches if the HELO argument contains four numbers (1 to three digits in length) separated by dashes. This is a common method for encoding IPv4 addresses into reverse DNS entries for dynamically allocated address ranges.

Since it is not usually expected that servers are given canonical hostnames that encode their IPv4 addresses, the means that the mailer process is probably using information from reverse DNS for its configuration. This indicates that it is not a normally configured mail server, and may well be a bot running on a hijacked PC.
header
FH_HELO_GMAILSMTPFaked helo of gmail-smtp-inheader
FH_HOST_EQ_DYNAMICIPHost is dynamicipheader
FH_HOST_EQ_PACBELL_DHost is pacbell.net dslheader
FH_HOST_EQ_VERIZON_PHost is pool-.+verizon.netheader
FH_HOST_IN_ADDRARPAHOST dns says"in-addr.arpa"header
FH_MSGID_000000Special MSGIDheader
FH_MSGID_01C67Special MSGIDheader
FH_MSGID_01C70XXXMESSAGE ID seen often!!!header
FH_MSGID_REPLACEBroken Replace Templateheader
FH_MSGID_XXBLAHCommon sign in msg-id's 12/21/2006header
FH_MSGID_XXXMessage-Id = @xxxheader
FH_RE_NEW_DDDSubject is Re: new \d\d\dheader
FH_XMAIL_REPLACEBroken Replace Templateheader
FILL_THIS_FORMFill in a form with personal informationmeta
FILL_THIS_FORM_FRAUD_PHISHNo description provided???
FILL_THIS_FORM_LOANNo description provided???
FILL_THIS_FORM_LONGFill in a form with personal informationmeta
FIN_FREEFreedom of a financial naturebody
FM_XMAIL_F_OUTLooks like Fake Outlook?header
FONT_INVIS_DIRECTInvisible text + direct-to-MXmeta
FONT_INVIS_DOTGOVInvisible text + .gov URImeta
FONT_INVIS_HTML_NOHTMLInvisible text + malformed HTMLmeta
FONT_INVIS_LONG_LINEInvisible text + long linesmeta
FONT_INVIS_MSGIDInvisible text + suspicious message IDmeta
FONT_INVIS_NORDNSInvisible text + no rDNSmeta
FONT_INVIS_POSTEXTRASInvisible text + suspicious URImeta
FORGED_GMAIL_RCVD'From' gmail.com does not match 'Received' headerseval:check_for_forged_gmail_received_headers()header
FORGED_GMAIL_RCVDFrom' gmail.com does not match 'Received' headersheader
FORGED_HOTMAIL_RCVD2hotmail.com 'From' address, but no 'Received:'header
FORGED_IMS_HTMLIMS can't send HTML message only(__IMS_MUA && MIME_HTML_ONLY && !(__IMS_HTML_BUILDS && __IMS_HTML_RCVD))meta
FORGED_IMS_TAGSIMS mailers can't send HTML in this format(!__YAHOO_BULK && __ANY_IMS_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))meta
FORGED_MSGID_AOLMessage-ID is forged, (aol.com)(__AT_AOL_MSGID && !__FROM_AOL_COM)meta
FORGED_MSGID_EXCITEMessage-ID is forged, (excite.com)(__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE)meta
FORGED_MSGID_HOTMAILMessage-ID is forged, (hotmail.com)(__AT_HOTMAIL_MSGID && (!__FROM_HOTMAIL_COM && !__FROM_MSN_COM && !__FROM_YAHOO_COM))meta
FORGED_MSGID_MSNMessage-ID is forged, (msn.com)(__AT_MSN_MSGID && (!__FROM_MSN_COM && !__FROM_HOTMAIL_COM && !__FROM_YAHOO_COM))meta
FORGED_MSGID_YAHOOMessage-ID is forged, (yahoo.com)(__AT_YAHOO_MSGID && !__FROM_YAHOO_COM)meta
FORGED_MUA_EUDORAForged mail pretending to be from Eudora(__EUDORA_MUA && !__EUDORA_MSGID && !__UNUSABLE_MSGID && !__HAS_X_LOOP && !__HAS_X_MAILING_LIST)meta
FORGED_MUA_IMSForged mail pretending to be from IMS(__IMS_MUA && !__IMS_MSGID && !__UNUSABLE_MSGID)meta
FORGED_MUA_MOZILLAForged mail pretending to be from Mozilla(__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)meta
FORGED_MUA_OIMOForged mail pretending to be from MS Outlook IMO(__OIMO_MUA && !__OIMO_MSGID && !__OE_MSGID_2 && !__UNUSABLE_MSGID)meta
FORGED_MUA_OUTLOOKForged mail pretending to be from MS Outlook(__FORGED_OE || __FORGED_OUTLOOK_DOLLARS)meta
FORGED_MUA_THEBAT_BOUNMail pretending to be from The Bat! (boundary)(__THEBAT_MUA_V1 && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21)meta
FORGED_MUA_THEBAT_CSMail pretending to be from The Bat! (charset)(__THEBAT_MUA && __CTYPE_CHARSET_QUOTED)meta
FORGED_OUTLOOK_HTMLOutlook can't send HTML message only(!__YAHOO_BULK && __ANY_OUTLOOK_MUA && MIME_HTML_ONLY)meta
FORGED_OUTLOOK_TAGSOutlook can't send HTML in this format(!__YAHOO_BULK && __ANY_OUTLOOK_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))meta
FORGED_QUALCOMM_TAGSQUALCOMM mailers can't send HTML in this format(__ANY_QUALCOMM_MUA && __MIME_HTML && !__TAG_EXISTS_HTML)meta
FORGED_RELAY_MUA_TO_MXX-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10| 127| 169\.254| 172\.(?:1[6-9]| 2[0-9]| 3[01])| 192\.168)\.)| )[^\[]+(dollar) /header
FORGED_TELESP_RCVDContains forged hostname for a DSL IP in Brazilheader
FORGED_THEBAT_HTMLThe Bat! can't send HTML message only(__THEBAT_MUA_V1 && MIME_HTML_ONLY)meta
FORGED_YAHOO_RCVD'From' yahoo.com does not match 'Received' headerseval:check_for_forged_yahoo_received_headers()header
FORGED_YAHOO_RCVDFrom' yahoo.com does not match 'Received' headersThe address in the From: header contains a Yahoo address, but the Received headers do not show the mail originating from yahoo.com servers.header
FORM_FRAUDFill a form and a fraud phrase(FILL_THIS_FORM || FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AFR_UNION + __AGREED_RATIO + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __COMPENSATION + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FEES + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + LOTTO_DEPT + __LOTTO_RELATED + LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRUNK_BOX + __UN + __UNCLAIMED + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + LOTTO_YOU_WON + LOTTO_AGENT_FM + LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1)meta
FORM_FRAUD_3Fill a form and several fraud phrasesmeta
FORM_FRAUD_5Fill a form and many fraud phrasesmeta
FORM_LOW_CONTRASTFill in a form with hidden text__FORM_LOW_CONTRAST && !__BUGGED_IMG &&
!__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
meta
FORWARD_LOOKINGStock Disclaimer Statementbody
FOUND_YOUI found you...meta
FR_3TAG_3TAGLooks like 3 small tags.rawbody
FR_ALMOST_VIAG2Almost looks like viagra.rawbody
FR_CANTSEETEXTPhrase class=cantseetextrawbody
FR_MIDERSign often seen in spamsrawbody
FR_TITLE_NUMSHTML Title is only numbersrawbody
FRAGMENTED_MESSAGEPartial messageheader
FREE_PORNPossible porn - Free Pornbody
FREE_QUOTE_INSTANTFree express or no-obligation quotebody
FREEM_FRNUM_UNICD_EMPTYNumeric freemail From address, unicode From name and Subject, empty body__FREEM_FRNUM_UNICD_EMPTYmeta
FREEMAIL_ENVFROM_END_DIGITEnvelope-from freemail username ends in digitheader
FREEMAIL_FORGED_FROMDOMAIN2nd level domains in From and EnvelopeFrom freemail headers are differentmeta
FREEMAIL_FORGED_REPLYTOFreemail in Reply-To, but not Frommeta
FREEMAIL_FROMSender email is freemailThis test indicates the FreeMail plugin is active in the local configuration.

The domain of the sender has been identified as that of a free email provider. (e.g. gmail.com or hotmail.com)

The default list of known freemail domains is distributed in 20_freemail_domains.cf.

Local configuration can be modified to add or whitelist domains.
header
FREEMAIL_REPLYFrom and body contain different freemailsmeta
FREEMAIL_REPLYTOReply-To/From or Reply-To/body contain different freemailsmeta
FREEMAIL_REPLYTO_END_DIGITReply-To freemail username ends in digitheader
FREEMAIL_WFH_01Work-from-Home + freemail(FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01meta
FRNAME_IN_MSG_XPRIO_NO_SUBFrom name in message + X-Priority + short or no subject(__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTEDmeta
FROM_2_EMAILS_SHORTShort body and From looks like 2 different emailsFROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF)meta
FROM_ADDR_WSMalformed From address__FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAILmeta
FROM_BANK_NOAUTHFrom Bank domain but no SPF or DKIM__FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU)meta
FROM_BLANK_NAMEFrom: contains empty nameThe "From:" header contains a blank name, matching this regular expression: /(?:\s|^)"" <\S+>/i . For example:

From: ""

This is legal, but rare and pointless.
header
FROM_DOMAIN_NOVOWELFrom: domain has series of non-vowel lettersheader
FROM_EXCESS_BASE64From: base64 encoded unnecessarily__FROM_ENCODED_B64 && !__FROM_NEEDS_MIMEmeta
FROM_FMBLA_NDBLOCKEDADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.__FROM_FMBLA_NDBLOCKEDmeta
FROM_FMBLA_NEWDOMFrom domain was registered in last 7 days__FROM_FMBLA_NEWDOMmeta
FROM_FMBLA_NEWDOM14From domain was registered in last 7-14 days__FROM_FMBLA_NEWDOM14meta
FROM_FMBLA_NEWDOM28From domain was registered in last 14-28 days__FROM_FMBLA_NEWDOM28meta
FROM_GOV_DKIM_AUFrom Government address and DKIM signedDKIM_VALID_AU && __FROM_ADDRLIST_GOVmeta
FROM_GOV_REPLYTO_FREEMAILFrom Government domain but ReplyTo is FREEMAILFREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AUmeta
FROM_GOV_SPOOFFrom Government domain but matches SPOOFED!__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED)meta
FROM_ILLEGAL_CHARSFrom: has too many raw illegal charactersThe From header contains 8-bit and other illegal characters that should be MIME encoded, as described in RFC 2045

This suggests that the sender is using badly-written mailout software, rather than a regular email program.
header
FROM_IN_TO_AND_SUBJFrom address is in To and Subject(__TO_EQ_FROM && __SUBJ_HAS_FROM_1)meta
FROM_LOCAL_DIGITSFrom: localpart has long digit sequenceheader
FROM_LOCAL_HEXFrom: localpart has long hexadecimal sequenceheader
FROM_LOCAL_NOVOWELFrom: localpart has series of non-vowel lettersThe localpart (left of the "@") contains a row of 7 non-vowel characters. This is a good indication that this isn't a valid personal email address being used.header
FROM_MISSP_DYNIPFrom misspaced + dynamic rDNS__FROM_RUNON && RDNS_DYNAMICmeta
FROM_MISSP_EH_MATCHFrom misspaced, matches envelope__FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUAmeta
FROM_MISSP_FREEMAILFrom misspaced + freemail providermeta
FROM_MISSP_MSFTFrom misspaced + supposed Microsoft tool__FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)meta
FROM_MISSP_PHISHMalformed, claims to be from financial organization - possible phish__FROM_MISSP_PHISHmeta
FROM_MISSP_REPLYTOFrom misspaced, has Reply-Tometa
FROM_MISSP_SPF_FAILNo description providedmeta
FROM_MISSP_TO_UNDISCFrom misspaced, To undisclosed(__FROM_RUNON && __TO_UNDISCLOSED)meta
FROM_MISSP_USERFrom misspaced, from "User"(__FROM_RUNON && NSL_RCVD_FROM_USER)meta
FROM_MISSP_XPRIOMisspaced FROM + X-Prioritymeta
FROM_MISSPACEDFrom: missing whitespace__XPRIO && __FROM_MISSPACEDmeta
FROM_MULTI_NORDNSMultiple From addresses + no rDNSmeta
FROM_NEWDOM_BTCNewdomain with Bitcoin ID
FROM_NO_USERFrom: has no local-part before @ signheader
FROM_NTLD_LINKBAITFrom abused NTLD with little more than a URImeta
FROM_NTLD_REPLY_FREEMAILFrom abused NTLD and Reply-To is FREEMAILmeta
FROM_NUMBERO_NEWDOMAINFingerprint and new domainmeta
FROM_NUMERIC_TLDFrom: address has numeric TLDheader
FROM_OFFERSFrom address is "at something-offers"header
FROM_PAYPAL_SPOOFFrom PayPal domain but matches SPOOFEDmeta
FROM_STARTS_WITH_NUMSFrom: starts with several numbersheader
FROM_SUSPICIOUS_NTLDFrom abused NTLD__FROM_ADDRLIST_SUSPNTLDmeta
FROM_SUSPICIOUS_NTLD_FPFrom abused NTLD__FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LISTmeta
FROM_UNBAL2From with unbalanced angle brackets, '<' missing
FROM_WSP_LEADLeading whitespace after '<' in From header field
FROM_WSP_TRAILTrailing whitespace before '>' in From header fieldheader
FROMSPACEIdiosyncratic "From" header formatheader
FRT_ADOBE2ReplaceTags: Adobebody
FRT_APPROVReplaceTags: Approvebody
FRT_BIGGERMEM1ReplaceTags: Bigger / Larger, Penis / Memberbody
FRT_DIPLOMAReplaceTags: Diplomabody
FRT_DISCOUNTReplaceTags: Discountbody
FRT_DOLLARReplaceTags: Dollarbody
FRT_ESTABLISH2ReplaceTags: Establish (2)body
FRT_FUCK2ReplaceTags: Fuck (2)body
FRT_GUARANTEE1ReplaceTags: Guarantee (1)body
FRT_INVESTORReplaceTags: Investorbody
FRT_LEVITRAReplaceTags: Levitrabody
FRT_MEETINGReplaceTags: Meetingbody
FRT_OFFER2ReplaceTags: Offer (2)body
FRT_OPPORTUN2ReplaceTags: Oppertun (2)body
FRT_PENIS1ReplaceTags: PenisMessage body contains obfuscated variant on the word Penis. Exempt variants are "pen is", "penis", "penny's", "penny s", but not "penny.s".body
FRT_PHARMACReplaceTags: Pharmacbody
FRT_PRICEReplaceTags: Pricebody
FRT_REFINANCE1ReplaceTags: Refinance (1)body
FRT_ROLEXReplaceTags: Rolexbody
FRT_SEXUALReplaceTags: Sexualbody
FRT_SOMAReplaceTags: Somabody
FRT_SOMA2ReplaceTags: Soma (2)body
FRT_STRONG1ReplaceTags: Strong (1)body
FRT_STRONG2ReplaceTags: Strong (2)body
FRT_SYMBOLReplaceTags: Symbolbody
FRT_TODAY2ReplaceTags: Today (2)body
FRT_VALIUM1ReplaceTags: Valiumbody
FRT_VALIUM2ReplaceTags: Valium (2)body
FRT_WEIGHT2ReplaceTags: Weight (2)body
FRT_XANAX1ReplaceTags: Xanax (1)body
FRT_XANAX2ReplaceTags: Xanax (2)body
FS_ABIGGERSubject has"a bigger"header
FS_APPROVE_YOUSubject says approve youheader
FS_AT_NO_COSTSubject says"At No Cost"header
FS_CHEAP_CAPPhrase: Cheap in Caps in Subject.header
FS_DOLLAR_BONUSSubject talks about money bonus!header
FS_EJACULAPhrase: ejaculation in subject.header
FS_ERECTIONPhrase: erection in subject.header
FS_HUGECOCKPhrase: Huge Cockheader
FS_LARGE_PERCENT2Larger than 100% in subj.header
FS_LOW_RATESSubject says low ratesheader
FS_NEW_SOFT_UPLOADSubj starts with New software uploadedheader
FS_NEW_XXXSubject looks like Fharmacy spams.The subject header field matches the regexp /^Re: news? [a-z]{1,5}$/


e.g: Subject: Re: new pill
header
FS_NO_SCRIPSubject almost says No prescriptionheader
FS_NUDESubject says Nudeheader
FS_OBFU_PRMCYwhat could this word be?header
FS_PERSCRIPTIONSubject mis-spelled prescriptionheader
FS_PHARMASUB2Looks like Phramacy subject.header
FS_RAMRODSubject says Ramrodheader
FS_RE_APPROVPhrase: re approvedheader
FS_REPLICASubject says"replica"header
FS_REPLICAWATCHSubject says Replica watchheader
FS_START_DOYOU2Subject starts with Do you dream,have,want,love, etc.As per the description, the Subject: header line begins with "Do you like" or similar.header
FS_START_LOSESubject starts with Loseheader
FS_TEEN_BADSubject says something bad about teensheader
FS_TIP_DDDPhrase: subject = tip dddheader
FS_WEIGHT_LOSSSubject says Weight Lossheader
FS_WILL_HELPSubject says will helpheader
FS_WITH_SMALLSubject says With ... smallheader
FSL_BULK_SIGBulk signature with no Unsubscribemeta
FSL_CTYPE_WIN1251Content-Type only seen in 419 spamheader
FSL_FAKE_GMAIL_RCVDX-Spam-Relays-External =~ /gmail-smtp-in\.l\.google\.com/header
FSL_FAKE_HOTMAIL_RVCDX-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/header
FSL_GEO_ABUSE/\/geocities\.com\/\S+(dollar) /uri
FSL_HELO_BARE_IP_1X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /iheader
FSL_HELO_DEVICEX-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device| speedtouch)\.lan\b/iheader
FSL_HELO_FAKENo description providedheader
FSL_HELO_NON_FQDN_1X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /iheader
FSL_HELO_SETUPX-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/iheader
FSL_INTERIA_ABUSE/\/\S+\.(?:w| eu| fm)\.interia\.pl/uri
FSL_LSPACES_ABUSE/cid\-\S+\.spaces\.live\.com/uri
FSL_NEW_HELO_USERSpam's using Helo and Usermeta
FSL_YG_ABUSE/\/groups\.yahoo\.com\/group\/\S+\/message\/1(dollar) /uri
FU_COMMON_SUBS2Sub-dir seen often in spam (2).uri
FU_END_ETET Phone Home?uri
FU_ENDS_NUMS_DOTS_CLKEnds with clk/d+.d+.d+uri
FU_HOODIAURL has hoodia in it.uri
FU_LONG_QUERY3URL has a long file name with .aspx extension.uri
FU_MIDERURL has /gal/uri
FU_UKGEOCITIESURL with [a-z]{2}.geocities.comuri
FU_URI_TRACKER_TURI style tracker (T)uri
FUZZY_AFFORDABLEAttempt to obfuscate words in spambody
FUZZY_AMAZONObfuscated "amazon"body
FUZZY_AMBIENAttempt to obfuscate words in spambody
FUZZY_ANDROIDObfuscated "android"body
FUZZY_APPLEObfuscated "apple"body
FUZZY_BILLIONAttempt to obfuscate words in spambody
FUZZY_BITCOINObfuscated "Bitcoin"body
FUZZY_BROWSERObfuscated "browser"body
FUZZY_BTC_WALLETHeavily obfuscated "bitcoin wallet"meta
FUZZY_CLICK_HEREObfuscated "click here"body
FUZZY_CPILLAttempt to obfuscate words in spamThis rule matches what appears to be an attempt to obfuscate the word "Cialis" - a brand-name for Tadalafil, a drug used for treating erectile disfunction.body
FUZZY_CREDITAttempt to obfuscate words in spambody
FUZZY_DR_OZObfuscated Doctor Ozmeta
FUZZY_ERECTAttempt to obfuscate words in spambody
FUZZY_FACEBOOKObfuscated "facebook"body
FUZZY_GUARANTEEAttempt to obfuscate words in spambody
FUZZY_IMPORTANTObfuscated "important"body
FUZZY_MEDICATIONAttempt to obfuscate words in spambody
FUZZY_MERIDIAObfuscation of the word "meridia"/\b(?!meridia)\b/ibody
FUZZY_MICROSOFTObfuscated "microsoft"body
FUZZY_MILLIONAttempt to obfuscate words in spambody
FUZZY_MONEROObfuscated "Monero"meta
FUZZY_MONEYAttempt to obfuscate words in spambody
FUZZY_MORTGAGEAttempt to obfuscate words in spambody
FUZZY_NORTONObfuscated "norton"body
FUZZY_OBLIGATIONAttempt to obfuscate words in spambody
FUZZY_OFFERSAttempt to obfuscate words in spambody
FUZZY_OVERSTOCKObfuscated "overstock"body
FUZZY_PAYPALObfuscated "paypal"body
FUZZY_PHARMACYAttempt to obfuscate words in spambody
FUZZY_PHENTAttempt to obfuscate words in spambody
FUZZY_PORNObfuscated "Pornography" or "Pornographic"meta
FUZZY_PRESCRIPTAttempt to obfuscate words in spambody
FUZZY_PRICESAttempt to obfuscate words in spambody
FUZZY_PRIVACYObfuscated "privacy"body
FUZZY_PROMOTIONObfuscated "promotion"body
FUZZY_REFINANCEAttempt to obfuscate words in spambody
FUZZY_REMOVEAttempt to obfuscate words in spambody
FUZZY_ROLEXAttempt to obfuscate words in spambody
FUZZY_SAVINGSObfuscated "savings"body
FUZZY_SECURITYObfuscated "security"body
FUZZY_SOFTWAREAttempt to obfuscate words in spambody
FUZZY_THOUSANDSAttempt to obfuscate words in spambody
FUZZY_UNSUBSCRIBEObfuscated "unsubscribe"body
FUZZY_VIOXXAttempt to obfuscate words in spambody
FUZZY_VLIUMAttempt to obfuscate words in spambody
FUZZY_VPILLAttempt to obfuscate words in spambody
FUZZY_WALLETObfuscated "Wallet"body
FUZZY_XPILLAttempt to obfuscate words in spamMessage contains the name of a pharmaceutical product written to avoid keyword filtering.body
GAPPY_LOW_CONTRASTGappy subject + hidden textmeta
GAPPY_SALES_LEADS_FREEMObfuscated marketing text, freemail or CHN replytometa
GAPPY_SUBJECTSubject: contains G.a.p.p.y-T.e.x.tmeta
GB_BITCOIN_CPLocalized Bitcoin scam
GB_FAKE_RF_SHORTFake reply or forward with url shortenermeta
GB_FORGED_MUA_POSTFIXForged Postfix mua headersmeta
GB_FREEMAIL_DISPTODisposition-Notification-To/From or Disposition-Notification-To/body contain different freemailsmeta
GB_FREEMAIL_DISPTO_NOTFREEMDisposition-Notification-To/From contain different freemails but mailfrom is not a freemailmeta
GB_GOOG_IMG_NOT_RCVD_GOOGGoogle hosted image but message not from Googlemeta
GB_GOOGLE_OBFURObfuscate url through Google redirecturi
GEO_QUERY_STRING/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/iuri
GMD_PDF_EMPTY_BODYAttached PDF with empty message bodybody
GMD_PDF_ENCRYPTEDAttached PDF is encryptedbody
GMD_PDF_HORIZContains pdf 100-240 (high) x 450-800 (wide)body
GMD_PDF_SQUAREContains pdf 180-360 (high) x 180-360 (wide)body
GMD_PDF_VERTContains pdf 450-800 (high) x 100-240 (wide)body
GMD_PRODUCER_EASYPDFPDF producer was BCL easyPDFbody
GMD_PRODUCER_GPLPDF producer was GPL Ghostscriptbody
GMD_PRODUCER_POWERPDFPDF producer was PowerPDFbody
GOOG_MALWARE_DNLDFile download via Google - Malware?meta
GOOG_REDIR_DOCUSIGNIndirect docusign link, probable phishinguri
GOOG_REDIR_HTML_ONLYGoogle redirect to obscure spamvertised website + HTML only
GOOG_REDIR_NORDNSGoogle redirect to obscure spamvertised website + no rDNSmeta
GOOG_REDIR_SHORTGoogle redirect to obscure spamvertised website + short messagemeta
GOOG_STO_EMAIL_PHISHPossible phishing with google hosted content URI having email addressmeta
GOOG_STO_HTML_PHISHPossible phishing with google content hosting to avoid URIBLmeta
GOOG_STO_HTML_PHISH_MANYPhishing with google content hosting to avoid URIBLmeta
GOOG_STO_IMG_HTMLApparently using google content hosting to avoid URIBLmeta
GOOG_STO_IMG_NOHTMLApparently using google content hosting to avoid URIBLmeta
GOOG_STO_NOIMG_HTMLApparently using google content hosting to avoid URIBLmeta
GOOGLE_DOC_SUSPSuspicious use of Google Docsmeta
GOOGLE_DOCS_PHISHPossible phishing via a Google Docs formmeta
GOOGLE_DOCS_PHISH_MANYPhishing via a Google Docs formmeta
GOOGLE_DRIVE_REPLY_BAD_NTLDFrom Google Drive and Reply-To is from a suspicious TLDmeta
GTUBEGeneric Test for Unsolicited Bulk EmailThis rule is used to test spam detection machinery. Presence of the GTUBE marker in email should always trigger spam detection.
more info
body
GUARANTEED_100_PERCENTOne hundred percent guaranteedbody
HAS_X_NO_RELAYHas spammy headermeta
HAS_X_OUTGOING_SPAM_STATHas header claiming outbound spam scan - why trust the results?meta
HASHCASH_20Contains valid Hashcash token (20 bits)The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk emailheader
HASHCASH_21Contains valid Hashcash token (21 bits)The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk emailheader
HASHCASH_22Contains valid Hashcash token (22 bits)The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk emailheader
HASHCASH_23Contains valid Hashcash token (23 bits)The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk emailheader
HASHCASH_24Contains valid Hashcash token (24 bits)The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk emailheader
HASHCASH_25Contains valid Hashcash token (25 bits)The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk emailheader
HASHCASH_2SPENDHashcash token already spent in another mailThe sender added an unexpired Hashcash token to the message which has been marked as already spent. This may indicate that the message is spam.header
HASHCASH_HIGHContains valid Hashcash token (>25 bits)The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk emailheader
HDR_ORDER_FTSDMCXX_001CHeader order similar to spam (FTSDMCXX/MID variant)
HDR_ORDER_FTSDMCXX_BATHeader order similar to spam (FTSDMCXX/boundary variant)
HDR_ORDER_FTSDMCXX_DIRECTHeader order similar to spam (FTSDMCXX/boundary variant) + direct-to-MXmeta
HDR_ORDER_FTSDMCXX_NORDNSHeader order similar to spam (FTSDMCXX/boundary variant) + no rDNSmeta
HDRS_LCASEOdd capitalization of message headermeta
HDRS_LCASE_IMGONLYOdd capitalization of message headers + image-only HTMLmeta
HDRS_MISSPMisspaced headersheader
HDRS_MISSPMisspaced headersmeta
HEAD_ILLEGAL_CHARSHeaders have too many raw illegal charactersheader
HEAD_LONGMessage headers are very longheader
HEADER_COUNT_CTYPEMultiple Content-Type headers foundheader
HEADER_COUNT_SUBJECTMultiple Subject headers foundheader
HEADER_FROM_DIFFERENT_DOMAINSFrom and EnvelopeFrom 2nd level mail domains are differentheader
HEADER_SPAMBulk email fingerprint (header-based) foundheader
HELO_DYNAMIC_CHELLO_NLRelay HELO'd using suspicious hostname (Chello.nl)header
HELO_DYNAMIC_DHCPRelay HELO'd using suspicious hostname (DHCP)An untrusted relay used a hostname (FQDN) as a HELO argument during a SMTP transaction that appears to suggest a dynamically allocated hostname. For example "dhcp192-0-2-32.example.com".

This style of hostname is commonly found in the reverse DNS records for dynamically allocated addresses. It's possible that a spam-engine on a hijacked PC will use a reverse DNS lookup of its own address to formulate a valid HELO argument.

See also Rules/HELO_DYNAMIC_IPADDR

The IETF's dnsop working group has a draft memo regarding a suggested naming scheme for reverse DNS:
http://tools.ietf.org/html/draft-msullivan-dnsop-generic-naming-schemes-00
header
HELO_DYNAMIC_DIALINRelay HELO'd using suspicious hostname (T-Dialin)header
HELO_DYNAMIC_HCCRelay HELO'd using suspicious hostname (HCC)meta
HELO_DYNAMIC_HEXIPRelay HELO'd using suspicious hostname (Hex IP)header
HELO_DYNAMIC_HOME_NLRelay HELO'd using suspicious hostname (Home.nl)header
HELO_DYNAMIC_IPADDRRelay HELO'd using suspicious hostname (IP addr 1)The sender was identified by an upstream relay as using a numeric HELO address. It is probably not a regular email client using an authorized relay.header
HELO_DYNAMIC_IPADDR2Relay HELO'd using suspicious hostname (IP addr 2)The sender was identified by an upstream relay as using a numeric HELO address. It is probably not a regular email client using an authorized relay.header
HELO_DYNAMIC_ROGERSRelay HELO'd using suspicious hostname (Rogers)header
HELO_DYNAMIC_SPLIT_IPRelay HELO'd using suspicious hostname (Split IP)header
HELO_FRIENDX-Spam-Relays-External =~ /^[^\]]+ helo=friend /iheader
HELO_LH_HOMEX-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home| lan) /iheader
HELO_LH_LDX-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /iOne of the untrusted mail relays identified itself as localhost.localdomain in the SMTP session. This indicates a poorly configured server, possibly one not intended for sending mail.header
HELO_LOCALHOSTX-Spam-Relays-External =~ /^[^\]]+ helo=localhost /iheader
HELO_NO_DOMAINRelay reports its domain incorrectlymeta
HELO_OEMX-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc| oem\S*) /iheader
HELO_STATIC_HOSTRelay HELO'd using static hostnamemeta
HEXHASH_WORDMultiple instances of word + hexadecimal hashmeta
HIDE_WIN_STATUSJavascript to hide URLs in browserrawbody
HIGH_CODEPAGE_URI/^https?:\/\/[^\/]*\&\#(?:\d{4,}| [3456789]\d\d);/iuri
HK_CTE_RAWNo description providedmimeheader
HK_LOTTONo description providedmeta
HK_NAME_DRUGSFrom name contains drugsheader
HK_NAME_FREEFrom name mentions free stuffheader
HK_NAME_MR_MRSNo description providedmeta
HK_RANDOM_ENVFROMEnvelope sender username looks randomheader
HK_RANDOM_FROMFrom username looks randomheader
HK_RANDOM_REPLYTOReply-To username looks randomheader
HK_RCVD_IP_MULTICASTNo description providedheader
HK_SCAMNo description providedmeta
HK_SCAM_N2/\bnext of kin\b/ibody
HK_SPAMMY_FILENAMENo description providedmeta
HK_WINNo description providedmeta
HOSTED_IMG_DIRECT_MXImage hosted at large ecomm, CDN or hosting site, message direct-to-mxmeta
HOSTED_IMG_DQ_UNSUBImage hosted at large ecomm site, IP addr unsub linkmeta
HOSTED_IMG_FREEMImage hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-tometa
HOSTED_IMG_MULTIMultiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirectedmeta
HOSTED_IMG_MULTI_PUB_01Multiple hosted images at public sitemeta
HS_BOBAX_MID_2Bobax? Message-Id: <0IX000EJXVWDA000@example.com>header
HS_BODY_UPLOADED_SOFTWARESomebody has uploaded some new software for youbody
HS_DRUG_DOLLAR_1Contains a drug and price-like pattern.body
HS_DRUG_DOLLAR_2Contains a drug and price-like pattern.body
HS_DRUG_DOLLAR_3Contains a drug and price-like pattern.body
HS_GETMEOFFLinks to common unsubscribe script: 'getmeoff.php'uri
HS_INDEX_PARAMLink contains a common tracker pattern.The mail contains a URL which includes a query parameter, such as [WWW] http://example.com/?12345 . These URLs are often used in mass mailouts to track individual responses.uri
HS_MEETUP_FOR_SEXTalks about meeting up for sex.body
HS_SUBJ_NEW_SOFTWARESubject starts with 'New software uploaded by'header
HS_SUBJ_ONLINE_PHARMACEUTICALSubject contains the phrase 'Online pharmaceutical'header
HS_VPXLContains VPXL, yet the recommended dose is only 2 tablets.body
HTML_BADTAG_40_50HTML message is 40% to 50% bad tagsbody
HTML_BADTAG_50_60HTML message is 50% to 60% bad tagsbody
HTML_BADTAG_60_70HTML message is 60% to 70% bad tagsbody
HTML_BADTAG_90_100HTML message is 90% to 100% bad tagsbody
HTML_CHARSET_FARAWAYA foreign language charset used in HTML markupmeta
HTML_COMMENT_SAVED_URLHTML message is a saved web pagebody
HTML_COMMENT_SHORTHTML comment is very shortbody
HTML_EMBEDSHTML with embedded plugin objectbody
HTML_ENTITY_ASCIIObfuscated ASCIImeta
HTML_ENTITY_ASCII_TINYObfuscated ASCII + tiny fontsmeta
HTML_EXTRA_CLOSEHTML contains far too many close tagsThe message contains unbalanced HTML. This suggests that it was not generated by a normal email client or HTML editor, but by some mailout software that is trying to hide hashbusting text or otherwise avoid filters.body
HTML_FONT_FACE_BADHTML font face is not a wordbody
HTML_FONT_LOW_CONTRASTHTML font color similar or identical to backgroundAttempts to hide message (probably scored nicely by bayes )

For example light gray on white or dark gray on black...

bgcolor="#f7f7f7" color:"#ffffff"
body
HTML_FONT_SIZE_HUGEHTML font size is hugeMessage is HTML with some text in an unnaturally large font sizebody
HTML_FONT_SIZE_LARGEHTML font size is largeMessage is HTML with some text in an unnaturally large font sizebody
HTML_FONT_TINY_NORDNSFont too small to read, no rDNSmeta
HTML_FORMACTION_MAILTOHTML includes a form which sends mailbody
HTML_IFRAME_SRCMessage has HTML IFRAME tag with SRC URIbody
HTML_IMAGE_ONLY_04HTML: images with 0-400 bytes of wordsThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_ONLY_08HTML: images with 400-800 bytes of wordsThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_ONLY_12HTML: images with 800-1200 bytes of wordsThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_ONLY_16HTML: images with 1200-1600 bytes of wordsThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_ONLY_20HTML: images with 1600-2000 bytes of wordsThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_ONLY_24HTML: images with 2000-2400 bytes of wordsThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_ONLY_28HTML: images with 2400-2800 bytes of wordsThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_ONLY_32HTML: images with 2800-3200 bytes of wordsThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_RATIO_02HTML has a low ratio of text to image areaThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_RATIO_04HTML has a low ratio of text to image areaThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_RATIO_06HTML has a low ratio of text to image areaThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_IMAGE_RATIO_08HTML has a low ratio of text to image areaThis may indicate a message using an image instead of words in order to sidestep text-based filtering.body
HTML_MESSAGEHTML included in messageHTML messages are more visually attractive than plain text.body
HTML_MIME_NO_HTML_TAGHTML-only message, but there is no HTML tagmeta
HTML_MISSING_CTYPEMessage is HTML without HTML Content-Type
HTML_NONELEMENT_30_4030% to 40% of HTML elements are non-standardbody
HTML_NONELEMENT_40_5040% to 50% of HTML elements are non-standardbody
HTML_NONELEMENT_60_7060% to 70% of HTML elements are non-standardbody
HTML_NONELEMENT_80_9080% to 90% of HTML elements are non-standardbody
HTML_OBFUSCATE_05_10Message is 5% to 10% HTML obfuscationThe message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filtersbody
HTML_OBFUSCATE_10_20Message is 10% to 20% HTML obfuscationThe message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filtersbody
HTML_OBFUSCATE_20_30Message is 20% to 30% HTML obfuscationThe message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filtersbody
HTML_OBFUSCATE_30_40Message is 30% to 40% HTML obfuscationThe message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filtersbody
HTML_OBFUSCATE_50_60Message is 50% to 60% HTML obfuscationThe message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filtersbody
HTML_OBFUSCATE_70_80Message is 70% to 80% HTML obfuscationThe message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filtersbody
HTML_OBFUSCATE_90_100Message is 90% to 100% HTML obfuscationThe message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filtersbody
HTML_OFF_PAGEHTML element rendered well off the displayed pagemeta
HTML_SHORT_CENTERHTML is very short with CENTER tagmeta
HTML_SHORT_LINK_IMG_1HTML is very short with a linked imagemeta
HTML_SHORT_LINK_IMG_2HTML is very short with a linked imagemeta
HTML_SHORT_LINK_IMG_3HTML is very short with a linked imagemeta
HTML_SHRT_CMNT_OBFU_MANYObfuscation with many short HTML commentsmeta
HTML_SINGLET_MANYMany single-letter HTML format blocksmeta
HTML_TAG_BALANCE_BODYHTML has unbalanced "body" tagsHTML tags within the body tag aren't correctly nested. Usually, tags are opened but not closed.body
HTML_TAG_BALANCE_CENTERMalformatted HTMLmeta
HTML_TAG_BALANCE_HEADHTML has unbalanced "head" tagsHTML tags within the head tag aren't correctly nested. Usually, tags are opened but not closed.body
HTML_TAG_BALANCE_HTMLHTML has unbalanced"html"tagsHTML tags within the email aren't correctly nested. Usually, tags are opened but not closed.body
HTML_TAG_EXIST_BGSOUNDHTML has "bgsound" tagbody
HTML_TEXT_INVISIBLE_FONTHTML hidden text - word obfuscation?meta
HTML_TEXT_INVISIBLE_STYLEHTML hidden text + other spam signsmeta
HTML_TITLE_SUBJ_DIFFNo description providedmeta
HTTP_77Contains an URL-encoded hostname (HTTP77)uri
HTTP_ESCAPED_HOSTUses %-escapes inside a URL's hostnameThe message includes HTML with an obfuscated URL. This is probably an attempt to avoid text-based filtersuri
HTTP_EXCESSIVE_ESCAPESCompletely unnecessary %-escapes inside a URLContains a URL with letters replaces by hex codes e.g. %55 for "U". This indicates an attempt to avoid domain or text-based filtering, and indicates the message is probably spam.uri
HTTPS_HTTP_MISMATCHeval:check_https_http_mismatch('1','10')body
HTTPS_IP_MISMATCHIP to HTTPS link found in HTMLhttps://www.paypal.com/

Often found in phishing attempts, seldom seen in legitimate e-mail.
body
IMG_ONLY_FM_DOM_INFOHTML image-only message from .info domain__HTML_IMG_ONLY && __FROM_DOM_INFOmeta
IMPOTENCEImpotence cure/\b(?:impotence (?:problem|cure|solution)|Premature Ejaculation|erectile dysfunction)/ibody
INVALID_DATEInvalid Date: header (not RFC 2822)The Date header in the message is not compliant with RFC 2822 Sec. 3.3

This suggests the sender is using a badly-written mailout program rather than a regular email client.
header
INVALID_DATE_TZ_ABSURDInvalid Date: header (timezone does not exist)The Date header includes an impossible UTC offset, e.g. more than +/- 13 hours This suggests the message was generated by badly-written mailout software.header
INVALID_MSGIDMessage-Id is not valid, according to RFC 2822Matches Message-ID headers that exist but do not meet a lenient definition of valid syntax. Exempts cases of embedded comments in Message ID'sheader
INVALID_TZ_CSTInvalid date in header (wrong CST timezone)The Date header includes a UTC offset which is not valid for CST (Central Standard Time). This suggests the message was generated by badly-written mailout software.header
INVALID_TZ_ESTInvalid date in header (wrong EST timezone)The Date header includes a UTC offset which is not valid for EST (Eastern Standard Time). This suggests the message was generated by badly-written mailout software.header
INVESTMENT_ADVICEMessage mentions investment advice/\binvestment advice/ibody
IP_LINK_PLUSDotted-decimal IP address followed by CGIm{^https?://\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id=)}iuri
JAPANESE_UCE_BODYBody contains Japanese UCE tag(__ISO_2022_JP_DELIM && __JAPANESE_UCE_BODY)meta
JAPANESE_UCE_SUBJECTSubject contains a Japanese UCE tagheader
JH_SPAMMY_HEADERSHas unusual message header(s) seen primarily in spam__HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGIDmeta
JH_SPAMMY_PATTERN01Unusual pattern seen in spam campaignm;.{0,200}blankbody
JH_SPAMMY_PATTERN02Unusual pattern seen in spam campaignm;]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}body
JM_I_FEEL_LUCKY/(?:\&| \?)btnI=ec(?:(dollar) | \&)/uri
JM_RCVD_QMAILV1Received =~ /by \S+ \(Qmailv1\) with ESMTP/header
JOIN_MILLIONSJoin Millions of Americansbody
JS_FROMCHARCODEDocument is built from a Javascript charcode array(__JS_FROMCHARCODE && __JS_DOCWRITE)meta
KB_DATE_CONTAINS_TABDate:raw =~ /^\t/header
KB_FAKED_THE_BATNo description providedmeta
KB_RATWARE_MSGIDNo description providedmeta
KB_RATWARE_OUTLOOK_08ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) [0-9a-f]{8}\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\./msiheader
KB_RATWARE_OUTLOOK_12ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{4})[0-9a-f]{4}\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\.\2/msiheader
KB_RATWARE_OUTLOOK_16ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{8})\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\.\2/msiheader
KB_RATWARE_OUTLOOK_MIDALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{8})\(dollar) [0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msiheader
KB_RATWARE_OUTLOOK_MIDNo description providedheader
KHOP_FAKE_EBAYSender falsely claims to be from eBaymeta
KHOP_HELO_FCRDNSRelay HELO differs from its IP's reverse DNS__HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED)meta
KOREAN_UCE_SUBJECTSubject: contains Korean unsolicited email tagheader
L_SPAM_TOOL_13Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d(dollar) /header
LINKEDIN_IMG_NOT_RCVD_LNKNLinkedin hosted image but message not from Linkedinmeta
LIST_PARTIAL_SHORT_MSGIncomplete mailing list headers + short message
LIST_PRTL_PUMPDUMPIncomplete List-* headers and stock pump-and-dumpmeta
LIST_PRTL_SAME_USERIncomplete List-* headers and from+to user the samemeta
LIVE_PORNPossible porn - Live Pornbody
LIVEFILESTOREm~livefilestore.com/~uri
LOCALPART_IN_SUBJECTLocal part of To: address appears in Subjectheader
LONG_HEX_URIVery long purely hexadecimal URImeta
LONG_IMG_URIImage URI with very long path component - web bug?meta
LONG_INVISIBLE_TEXTLong block of hidden text - bayes poison?meta
LONG_TERM_PRICE/long\W+term\W+(target| projected)(\W+price)?/ibody
LONGLN_LOW_CONTRASTExcessively long line + hidden textmeta
LONGWORDSLong string of long wordsmeta
LOOPHOLE_1A loop hole in the banking laws?body
LOTS_OF_MONEYHuge... sums of moneymeta
LOTTERY_1No description providedmeta
LOTTERY_PH_004470No description providedmeta
LOTTO_AGENTClaims Agentmeta
LOTTO_DEPTClaims Departmentmeta
LOW_PRICELowest Pricebody
LUCRATIVEMake lots of money!meta
MAILING_LIST_MULTIMultiple indicators imply a widely-seen list managermeta
MALE_ENHANCEMessage talks about enhancing menbody
MALF_HTML_B64Malformatted base64-encoded HTML contentmeta
MALW_ATTACHAttachment filename suspicious, probable malware exploitmeta
MALWARE_NORDNSMalware bragging + no rDNSmeta
MALWARE_PASSWORDMalware bragging + "password"meta
MANY_HDRS_LCASEOdd capitalization of multiple message headersmeta
MANY_SPAN_IN_TEXTMany tags embedded within textmeta
MARKETING_PARTNERSClaims you registered with a partnerbody
MAY_BE_FORGEDRelay IP's reverse DNS does not resolve to IPmeta
MICROSOFT_EXECUTABLEMessage includes Microsoft executable programbody
MID_DEGREESMessage-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>(dollar) /header
MILLION_HUNDREDMillion "One to Nine" Hundredbody
MILLION_USDTalks about millions of dollarsbody
MIME_BAD_ISO_CHARSETMIME character set is an unknown ISO charsetThe charset attribute of the MIME Content-Type: header is checked. A flag is raised if it is an ISO character set not recognised by the test.

This rule checks the value of "mime_bad_iso_charset" set by [WWW] MIMEEval.pm .

MIME headers are defined in [WWW] RFC 2045

Valid charsets are registered with IANA:
http://www.iana.org/assignments/character-sets
body
MIME_BASE64_BLANKSExtra blank lines in base64 encodingLooking for extra blank lines to appear in the BASE64 encoding. Built into EvalTests.pmrawbody
MIME_BASE64_NO_NAMEbase64 attachment does not have a file nameNormally base64 encoded attachments have some sort of file name, this indicates one is missing.

header
MIME_BASE64_TEXTMessage text disguised using base64 encodingThe message contains text that has been encoded using Base64 content transfer encoding but does not use a character set known to require it. This does not apply to text in the UTF-8 or big5 character sets.

This technique is assumed to be used by spammers as a form of obfuscation, presumably to bypass filters that are not MIME-aware.

For details on Base64 encoding see [WWW] RFC 2045 sec 6.8

This rule is known to trigger false positives in some circumstances.
rawbody
MIME_BOUND_DD_DIGITSSpam tool pattern in MIME boundaryheader
MIME_BOUND_DIGITS_15Spam tool pattern in MIME boundaryheader
MIME_BOUND_EQ_RELContent-Type =~ /boundary="=====================_\d+==\.REL"/sheader
MIME_BOUND_MANY_HEXSpam tool pattern in MIME boundaryheader
MIME_CHARSET_FARAWAYMIME character set indicates foreign languagemeta
MIME_HEADER_CTYPE_ONLYContent-Type' found without required MIME headersmeta
MIME_HTML_MOSTLYMultipart message mostly text/html MIMELooks to see if the message is mostly HTML content versus normally having plain text parts of nearly equal size.body
MIME_HTML_ONLYMessage only has text/html MIME partsIndicates the message lacks the plain text alternative part.body
MIME_HTML_ONLY_MULTIMultipart message only has text/html MIME partsmeta
MIME_NO_TEXTNo (properly identified) text body partsmeta
MIME_PHP_NO_TEXTNo text body parts, X-Mailer: PHPmeta
MIME_QP_LONG_LINEQuoted-printable line longer than 76 charsThe Quoted-Printable encoding REQUIRES that encoded lines be no more than 76 characters long. See RFC 2045.

Although the Quoted-Printable specification requires lines be no more than 76 characters, many implementations ignore this and use a suggested line limit from RFC 5322 of 78 characters. Therefore it is not unusual to see this rule triggered by non-spam. See Bug 5491.
rawbody
MIME_SUSPECT_NAMEMIME filename does not match contentbody
MIMEOLE_DIRECT_TO_MXMIMEOLE + direct-to-MXmeta
MIMEPART_LIMIT_EXCEEDEDMessage has too many MIME partsbody
MISSING_DATEMissing Date: headermeta
MISSING_FROMMissing From: headermeta
MISSING_HB_SEPMissing blank line between message header and bodyheader
MISSING_HEADERSMissing To: headerThe mail header does not contain a To: line.

The To: header is described in RFC2822 sec 3.6.3 - note that it is not a mandatory field, but it is considered unusual for MUA software not to add it.
header
MISSING_MIDMissing Message-Id: headermeta
MISSING_MIME_HB_SEPMissing blank line between MIME header and bodyThe format for e-mail requires a blank line between the headers and the body of a message, the lack of one causes this rule to fire.body
MISSING_MIMEOLEMessage has X-MSMail-Priority, but no X-MimeOLEmeta
MISSING_SUBJECTMissing Subject: headermeta
MIXED_AREA_CASEHas area tag in mixed casemeta
MIXED_CENTER_CASEHas center tag in mixed casemeta
MIXED_ESToo many es are not esmeta
MIXED_FONT_CASEHas font tag in mixed casemeta
MIXED_HREF_CASEHas href in mixed casemeta
MIXED_IMG_CASEHas img tag in mixed casemeta
MONERO_DEADLINEMonero cryptocurrency with a deadlinemeta
MONERO_EXTORT_01Extortion spam, pay via Monero cryptocurrencymeta
MONERO_MALWAREMonero cryptocurrency + malware braggingmeta
MONERO_PAY_MEPay me via Monero cryptocurrencymeta
MONEY_ATM_CARDLots of money on an ATM cardmeta
MONEY_BACKMoney back guaranteebody
MONEY_FORMLots of money if you fill out a form
MONEY_FORM_SHORTLots of money if you fill out a short formmeta
MONEY_FRAUD_3Lots of money and several fraud phrasesmeta
MONEY_FRAUD_5Lots of money and many fraud phrasesmeta
MONEY_FRAUD_8Lots of money and very many fraud phrasesmeta
MONEY_FREEMAIL_REPTOLots of money from someone using free email?meta
MONEY_FROM_41Lots of money from Africameta
MONEY_FROM_MISSPLots of money and misspaced Frommeta
MONEY_NOHTMLLots of money in plain text
MORE_SEXTalks about a bigger drive for sex/increased?.{0,9}(?:sex|stamina)/ibody
MPART_ALT_DIFFHTML and text parts are differentThe mail contains the content in both HTML and plain text format, but their content is (very probably) different. This suggests that the sender is not using a normal mail client, and is attempting to evade filtering by using a message which looks different to humans and mail filters.body
MPART_ALT_DIFF_COUNTHTML and text parts are differentThe mail contains the content in both HTML and plain text format, but their content is (very probably) different - the number of words is significantly different in the two versions. This suggests that the sender is not using a normal mail client, and is attempting to evade filtering by using a message which looks different to humans and mail filters.body
MSGID_DOLLARS_URI_IMGSuspicious Message-ID and imagemeta
MSGID_FROM_MTA_HEADERMessage-Id was added by a relaymeta
MSGID_HDR_MALFHas invalid message ID headermeta
MSGID_MULTIPLE_ATMessage-ID contains multiple '@' charactersThe Message-Id: header contains more than one "@" characters, rendering it invalid. Invalid Message-Id headers have been seen generated by some types of spamming software.

The syntax for the Message-Id field is defined in RFC 2822 sec 3.6.4, as well as recommended algorithms.

Bug #5707 suggests that Microsoft Office Outlook 12.0 (a.k.a Office Outlook 2007) generates invalid Message-Id fields, triggering this rule.

Note: Since dot-atom-text does not include the @ symbol, multiple instances usually indicate an invalid Message-Id. However it is possible for a syntactically valid (per RFC2822) Message-Id field to contain multiple "@" symbols under the circumstances that the id-left component consists of a double-quoted string (where qtext can contain %d64, although this format is now marked as obsolete by RFC5322) or inside id-right as part of a literal address string. For example:

{{{Message-Id: <"12345@example.org"@host.example.com>

Message-Id: <12345@[123@456]> Message-Id: <"12345@example.org"@[123@456]>}}} This particular usage, however, is not currently covered by this rule and is not known to be in the wild.
header
MSGID_NOFQDN1Message-ID with no domain namemeta
MSGID_OUTLOOK_INVALIDMessage-Id is fake (in Outlook Express format)The Message-Id header has the format of one generated by Microsoft Outlook Express, which is based on the date, but the inferred date is inconsistent with other date headers.header
MSGID_RANDYMessage-Id has pattern used in spammeta
MSGID_SHORTMessage-ID is unusually shortheader
MSGID_SPAM_CAPSSpam tool Message-Id: (caps variant)MSGID or message-id is unique identifier in the email header. The same message ID may not be reused during the lifetime of any email with the same message ID. (It is recommended that no message ID be reused for at least two years.) In order to conform to RFC 822, the Message-ID must have the format

"<" "unique" "@" "full domain name" ">"

this rule activates when "unique" is all in capitals.
header
MSGID_SPAM_LETTERSSpam tool Message-Id: (letters variant)header
MSGID_YAHOO_CAPSMessage-ID has ALLCAPS@yahoo.comheader
MSM_PRIO_REPTOMSMail priority header + Reply-to + short subjectmeta
MSMAIL_PRI_ABNORMALEmail priority often abusedmeta
MSOE_MID_WRONG_CASENo description providedmeta
MULTI_FORGEDReceived headers indicate multiple forgeries
MULTIPART_ALT_NON_TEXTeval:check_ma_non_text()body
NA_DOLLARSTalks about a million North American dollarsThe body of the mail makes reference to millions of US or Canadian dollars, a common signature that can help identify scam emails.body
NAME_EMAIL_DIFFSender NAME is an unrelated email addressmeta
NEW_PRODUCTSNo description providedmeta
NEWEGG_IMG_NOT_RCVD_NEGGNewegg hosted image but message not from Neweggmeta
NICE_REPLY_ALooks like a legit reply (A)meta
NML_ADSP_CUSTOM_HIGHADSP custom_high hit, and not from a mailing listmeta
NML_ADSP_CUSTOM_LOWADSP custom_low hit, and not from a mailing listmeta
NML_ADSP_CUSTOM_MEDADSP custom_med hit, and not from a mailing listmeta
NO_DNS_FOR_FROMEnvelope sender has no MX or A DNS recordsThe return address is fake. The sender has no interest in knowing whether the message was delivered or not, and does not wish anyone to receive a large number of delivery failed reports.header
NO_FM_NAME_IP_HOSTNNo From name + hostname using IP addressmeta
NO_HEADERS_MESSAGEMessage appears to be missing most RFC-822 headersmeta
NO_MEDICALNo Medical Examsbody
NO_PRESCRIPTIONNo prescription neededbody
NO_RDNS_DOTCOM_HELOHost HELO'd as a big ISP, but had no rDNSheader
NO_RECEIVEDInformational: message has no Received headersmeta
NO_RELAYSInformational: message was not relayed via SMTPThis indicates no "Received" headers in the mail.header
NONEXISTENT_CHARSETCharacter set doesn't existheader
NORDNS_LOW_CONTRASTNo rDNS + hidden textmeta
NORMAL_HTTP_TO_IPUses a dotted-decimal IP address in URLURI host has a public dotted-decimal IPv4 addressuri
NOT_ADVISORNot registered investment advisorbody
NOT_SPAMI'm not spam! Really! I'm not, I'm not, I'm not!body
NSL_RCVD_FROM_USERReceived from Userheader
NSL_RCVD_HELO_USERReceived from HELO Userheader
NULL_IN_BODYMessage has NUL (ASCII 0) byte in messagefull
NUMBEREND_LINKBAITDomain ends in a large number and very short body with link
NUMERIC_HTTP_ADDRUses a numeric IP address in URLContains a URL with a numeric address, such as http://192.168.36.67 This may indicate a webserver set up quickly without a DNS entry, or an attempt to avoid domain-based filtering. This indicates the message may be spam or phishing.uri
OBFU_BITCOINObfuscated BitCoin references__OBFU_BITCOINmeta
OBFU_JVSCR_ESCInjects content using obfuscated javascript/document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/irawbody
OBFU_TEXT_ATTACHText attachment with non-text MIME typemimeheader
OBFU_UNSUB_ULObfuscated unsubscribe text__OBFU_UNSUB_UL && !MAILING_LIST_MULTImeta
OBFUSCATING_COMMENTHTML comments which obfuscate text((__OBFUSCATING_COMMENT_A && HTML_MESSAGE) || (__OBFUSCATING_COMMENT_B && MIME_HTML_ONLY)) && !__ISO_2022_JP_DELIMmeta
OBSCURED_EMAILMessage seems to contain rot13ed addressbody
ODD_FREEM_REPTOHas unusual reply-to headermeta
OFFER_ONLY_AMERICAOffer only available to US__FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICAmeta
ONE_TIMEOne Time Rip Offbody
ONLINE_MKTG_CNSLTNo description providedbody
ONLINE_PHARMACYOnline Pharmacybody
OOOBOUNCE_MESSAGEOut Of Office bounce message__BOUNCE_OOO_ARHDR && (__BOUNCE_OOO_SUBJECT || __BOUNCE_OOO_BODY || __BOUNCE_OOO_SUBJBODY)meta
PART_CID_STOCKHas a spammy image attachment (by Content-ID)meta
PART_CID_STOCK_LESSHas a spammy image attachment (by Content-ID, more specific)meta
PDS_BAD_THREAD_QP_64Bad thread header - short QP
PDS_BTC_IDFP reduced Bitcoin IDmeta
PDS_BTC_MSGIDBitcoin ID with T_MSGID_NOFQDN2meta
PDS_BTC_NTLDBitcoin suspect NTLD
PDS_CPANEL_PORT_SPOOFEDURLURL using a cPanel port in text but not the hrefmeta
PDS_DBL_URL_TNB_RUNONDouble-url and To no arrows, from runonmeta
PDS_EMPTYSUBJ_URISHRTEmpty subject with little more than URI shortener
PDS_FRNOM_TODOM_DBL_URLFrom Name to domain, double URLmeta
PDS_FRNOM_TODOM_NAKED_TONaked to From name equals to Domainmeta
PDS_FROM_NAME_TO_DOMAINFrom:name looks like To:domainmeta
PDS_HELO_SPF_FAILHigh profile HELO that fails SPFmeta
PDS_NAKED_TO_NUMERONaked-to, numberonly domain
PDS_NO_FULL_NAME_SPOOFED_URLHTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME
PDS_OTHER_BAD_TLDUntrustworthy TLDsheader
PDS_PHP_EVALPHP header shows eval'd codemeta
PDS_PHP_RUNTIME_FUNCPHP header shows runtime-created function
PDS_RDNS_DYNAMIC_FPRDNS_DYNAMIC with FP stepsmeta
PDS_SHORT_SPOOFED_URLHTML message short and T_SPOOFED_URL (S_U_FP)
PDS_SHORTFWD_URISHRT_QPApparently a short fwd/re with URI shortener
PDS_TINYSUBJ_URISHRTShort subject with URL shortener
PDS_TO_EQ_FROM_NAMEFrom: name same as To: addressmeta
PDS_TONAME_EQ_TOLOCAL_FREEM_FORGEForged replyto and __PDS_TONAME_EQ_TOLOCALmeta
PDS_TONAME_EQ_TOLOCAL_HDRS_LCASETo: name matches everything in local email - LCASE headersmeta
PDS_TONAME_EQ_TOLOCAL_VSHORTVery short body and From looks like 2 different emails
PERCENT_RANDOMMessage has a random macro in itmeta
PHISH_ATTACHAttachment filename suspicious, probable phishingmeta
PHISH_AZURE_CLOUDAPPLink to known phishing web applicationuri
PHISH_FBASEAPPProbable phishing via hosted web appmeta
PHISHING_FREEMAILSend your login credentials to some random freemail account(__EMAIL_PHISH || __EMAIL_PHISH_MANY || __ACCT_PHISH || __ACCT_PHISH_MANY) && FREEMAIL_FORGED_REPLYTOmeta
PHOTO_EDITING_DIRECTImage editing service, direct to MXmeta
PHOTO_EDITING_FREEMImage editing service, freemail or CHN replytometa
PHP_NOVER_MUAMail from PHP with no version numbermeta
PHP_ORIG_SCRIPTSent by bot & other signsmeta
PHP_ORIG_SCRIPT_EVALFrom suspicious PHP sourcemeta
PHP_SCRIPTSent by PHP scriptmeta
PHP_SCRIPT_MUASent by PHP script, no version numbermeta
PLING_QUERYSubject has exclamation mark and question markmeta
POSSIBLE_AMAZON_PHISH_02No description providedmeta
POSSIBLE_APPLE_PHISH_02Claims to be from apple but not processed by any apple MTAmeta
POSSIBLE_EBAY_PHISH_02Claims to be from ebay but not processed by any ebay MTAmeta
POSSIBLE_PAYPAL_PHISH_01Claims to be from paypal but has non-paypal from email addressmeta
POSSIBLE_PAYPAL_PHISH_02Claims to be from paypal but not processed by any paypal MTAmeta
PP_MIME_FAKE_ASCII_TEXTMIME text/plain claims to be ASCII but isn'tbody
PP_TOO_MUCH_UNICODE02Is text/plain but has many unicode escapesbody
PP_TOO_MUCH_UNICODE05Is text/plain but has many unicode escapesbody
PREST_NON_ACCREDITED'Prestigious Non-Accredited Universities'body
PREVENT_NONDELIVERYMessage has Prevent-NonDelivery-Report headerheader
PRICES_ARE_AFFORDABLEMessage says that prices aren't too expensivebody
PUMPDUMPPump-and-dump stock scam phrasemeta
PUMPDUMP_MULTIPump-and-dump stock scam phrasesmeta
PUMPDUMP_TIPPump-and-dump stock tipmeta
PYZOR_CHECKListed in Pyzor (http://pyzor.sf.net/ ; https://pyzor.readthedocs.io/en/latest/ )Pyzor is a collaborative, networked system to detect and block spam using digests of messages. It uses a fuzzy checksum technique to identify message bodies based on signatures submitted by users, or inferred by other techniques such as high-confidence Bayesian or DNSBL entries.

Pyzor initially started out to be merely a Python implementation of Razor, but due to the protocol and the fact that Razor's server is not Open Source or software libre, Frank Tobin decided to implement Pyzor with a new protocol and release the entire system as Open Source and software libre.
full
RAND_HEADER_LIST_SPOOFRandom gibberish message header(s) + pretending to be a mailing listmeta
RAND_HEADER_MANYMultiple random gibberish message headersmeta
RAND_MKTG_HEADERHas partially-randomized marketing/tracking header(s)meta
RATWARE_EFROMBulk email fingerprint (envfrom) foundheader
RATWARE_EGROUPSBulk email fingerprint (eGroups) foundheader
RATWARE_GECKO_BUILDBulk email fingerprint (Gecko faked) foundheader
RATWARE_HASH_DASHContains a hashbuster in Send-Safe formatrawbody
RATWARE_MOZ_MALFORMEDBulk email fingerprint (Mozilla malformed) foundheader
RATWARE_MPOP_WEBMAILBulk email fingerprint (mPOP Web-Mail)header
RATWARE_MS_HASHBulk email fingerprint (msgid ms hash) foundmeta
RATWARE_NAME_IDBulk email fingerprint (msgid from) foundmeta
RATWARE_NO_RDNSSuspicious MsgID and MIME boundary + no rDNSmeta
RATWARE_OE_MALFORMEDX-Mailer has malformed Outlook Express versionheader
RATWARE_OUTLOOK_NONAMEBulk email fingerprint (Outlook no name) foundmeta
RATWARE_RCVD_ATBulk email fingerprint (Received @) foundheader
RATWARE_RCVD_PFBulk email fingerprint (Received PF) foundheader
RATWARE_ZERO_TZBulk email fingerprint (+0000) foundmeta
RAZOR2_CF_RANGE_51_100Razor2 gives confidence level above 50%Vipul's Razor is a distributed, collaborative, spam detection and filtering network. It uses a fuzzy checksum technique to identify message bodies based on signatures submitted by users, or inferred by other techniques such as high-confidence Bayesian or DNSBL entries.full
RAZOR2_CF_RANGE_E4_51_100Razor2 gives engine 4 confidence level above 50%Vipul's Razor is a distributed, collaborative, spam detection and filtering network. It uses a fuzzy checksum technique to identify message bodies based on signatures submitted by users, or inferred by other techniques such as high-confidence Bayesian or DNSBL entries.full
RAZOR2_CF_RANGE_E8_51_100Razor2 gives engine 8 confidence level above 50%Vipul's Razor is a distributed, collaborative, spam detection and filtering network. It uses a fuzzy checksum technique to identify message bodies based on signatures submitted by users, or inferred by other techniques such as high-confidence Bayesian or DNSBL entries.full
RAZOR2_CHECKListed in Razor2 (http://razor.sf.net/)Vipul's Razor is a distributed, collaborative, spam detection and filtering network. It uses a fuzzy checksum technique to identify message bodies based on signatures submitted by users, or inferred by other techniques such as high-confidence Bayesian or DNSBL entries.full
RCVD_AM_PMReceived headers forged (AM/PM)header
RCVD_BAD_IDOne of the trace fields (Received: headers) contains an unusually formatted ID parameter.

Note: matching this rule does not necessarily infer that the Received: header is invalid or non-standard, only unusual.

The format of the Received: header is defined in [WWW] RFC 2821 sec 4.4 (which references atext defined in [WWW] RFC 2822 ) and allows for characters beyond the ASCII alpha/digit/underscore/minus usually seen in IDs.
Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\(dollar) \%&'()*:<=>?\@\[\]^\`{| }~]| ;\S)/header
RCVD_DBL_DQMalformatted message headerheader
RCVD_DOTEDU_SHORTVia .edu MTA + short messagemeta
RCVD_DOTEDU_SUSP_URIVia .edu MTA + suspicious URImeta
RCVD_DOUBLE_IP_LOOSEReceived: by and from look like IP addressesmeta
RCVD_DOUBLE_IP_SPAMBulk email fingerprint (double IP) foundmeta
RCVD_FAKE_HELO_DOTCOMReceived contains a faked HELO hostnameheader
RCVD_FORGED_WROTEForged 'Received' header found ('wrote:' spam)header
RCVD_FORGED_WROTE2Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/sheader
RCVD_HELO_IP_MISMATCHReceived: HELO and IP do not match, but shouldChecks if a HELO string is an IP, and if it is, that it matches the actual IP (or is in the same /24). (It doesn't fire if the HELO string is a hostname or private (RFC 1918) or trusted IP.)header
RCVD_ILLEGAL_IPReceived: contains illegal IP addressA check is made of the IP addresses listed in the Received lines in the mail header using RelayEval.pm. This test identifies IPv4 addresses that are invalid according the the allowable address space, as well as addresses that should never be seen as a source of mail.


The valid, but unusable, address ranges are as follows:

  • 0/8 Reserved

  • 1/8 Unallocated

  • 2/8 Unallocated

  • 5/8 Unallocated

  • 7/8 Live allocation - US DoD

  • 127/8 Loopback range (excepting localhost 127.0.0/24)

  • 223/8 Unallocated

  • 224/4 Multicast





Note that ranges currently marked "Unallocated" will probably be allocated by IANA at some point in the future.



See also:

http://www.iana.org/assignments/ipv4-address-space/


http://tools.ietf.org/html/rfc3330




7.0.0.0/8 is allocated to the US Department of Defense. It was previously listed by IANA as 'Reserved' causing it to be added to "network bogon" lists. For its current use, it is not expected that traffic originating from this range will routed outside of this range. However, it's not clear that legitimate mail headers wouldn't contain IP addresses from this range.
header
RCVD_IN_BL_SPAMCOP_NETReceived via a relay in bl.spamcop.netA relay in the message's Received headers was listed in the Spamcop DNSBL; see [WWW] http://spamcop.net/ .



For the SpamCop URI block list see Rules/URIBL_SC_SURBL .
header
RCVD_IN_BRBL_LASTEXTeval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')The last external relay in the Received chain was listed in the DNSBL Barracuda Reputation Block List (BRBL).

The Barracuda Reputation Block List (BRBL) is based on the Barracuda Reputation System and operates collaboratively to fight spam. The BRBL provides a list of IP addresses which are sending spam. The Barracuda Reputation system uses automated collection methods to add and delete IP addresses from the BRBL.

See: http://www.barracudacentral.org/rbl/removal-request for details on requesting removal from this list.
header
RCVD_IN_CSSReceived via a relay in Spamhaus CSSheader
RCVD_IN_DNSWL_BLOCKEDADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.header
RCVD_IN_DNSWL_HISender listed at https://www.dnswl.org/, high trustdnswl.org is a community-driven project to prevent false positives. dnswl.org provides a DNS-based whitelist of known legitimate hosts in different categories/trust levels.

The policy says for trust level "hi": High Never sends spam.


Wrongly listed IP addressed should be reported to [MAILTO] admins@dnswl.org or via the online form at [WWW] http://www.dnswl.org/request.pl. Please note that e.g. the trust level "none" means "Legitimate mail server, may also send spam".
header
RCVD_IN_DNSWL_LOWSender listed at https://www.dnswl.org/, low trustdnswl.org is a community-driven project to prevent false positives. dnswl.org provides a DNS-based whitelist of known legitimate hosts in different categories/trust levels.

The policy says for trust level "low": Low Occasional spam occurrences, actively corrected but less promptly.


Wrongly listed IP addressed should be reported to [MAILTO] admins@dnswl.org or via the online form at [WWW] http://www.dnswl.org/request.pl. Please note that e.g. the trust level "none" means "Legitimate mail server, may also send spam".
header
RCVD_IN_DNSWL_MEDSender listed at https://www.dnswl.org/, medium trustdnswl.org is a community-driven project to prevent false positives. dnswl.org provides a DNS-based whitelist of known legitimate hosts in different categories/trust levels.

The policy says for trust level "med": Medium Extremely rare spam occurrences, corrected promptly.



Wrongly listed IP addressed should be reported to [MAILTO] admins@dnswl.org or via the online form at [WWW] http://www.dnswl.org/request.pl. Please note that e.g. the trust level "none" means "Legitimate mail server, may also send spam".
header
RCVD_IN_DNSWL_NONESender listed at https://www.dnswl.org/, no trustdnswl.org is a community-driven project to prevent false positives. dnswl.org provides a DNS-based whitelist of known legitimate hosts in different categories/trust levels.

The policy says for trust level "None":

Legitimate mail server, may also send spam. This is the default for some categories (eg Email Marketing Provider)

Report Problems
IPs sending spam are expected to hit this rule, but if you get so many emails sending spam, and none sending non-spam, that you think it shouldn't be listed, you can report them here: http://www.dnswl.org/registerreporter.pl

As with many SpamAssassin network rules, it is important to make sure you have your trusted_networks / internal_networks (TrustPath) configured correctly to ensure that the test is run against the correct IP.

IPs that are not listed which should be can be reported here: http://www.dnswl.org/request.pl

You can also contact the maintainers of this data at admins@dnswl.org
header
RCVD_IN_IADB_DKIADB: Sender publishes Domain Keys recordheader
RCVD_IN_IADB_DOPTINIADB: All mailing list mail is confirmed opt-inheader
RCVD_IN_IADB_DOPTIN_GT50IADB: Confirmed opt-in used more than 50% of the timeheader
RCVD_IN_IADB_DOPTIN_LT50IADB: Confirmed opt-in used less than 50% of the timeheader
RCVD_IN_IADB_EDDBIADB: Participates in Email Deliverability Databaseheader
RCVD_IN_IADB_EPIAIADB: Member of Email Processing Industry Allianceheader
RCVD_IN_IADB_GOODMAILIADB: Sender has been certified by GoodMailheader
RCVD_IN_IADB_LISTEDParticipates in the IADB systemheader
RCVD_IN_IADB_LOOSEIADB: Adds relationship addrs w/out opt-inheader
RCVD_IN_IADB_MI_CPEARIADB: Complies with Michigan's CPEAR lawheader
RCVD_IN_IADB_MI_CPR_30IADB: Checked lists against Michigan's CPR within 30 daysheader
RCVD_IN_IADB_MI_CPR_MATIADB: Sends no material under Michigan's CPRheader
RCVD_IN_IADB_ML_DOPTINIADB: Mailing list email only, confirmed opt-inheader
RCVD_IN_IADB_NOCONTROLIADB: Has absolutely no mailing controls in placeheader
RCVD_IN_IADB_OOOIADB: One-to-one/transactional email onlyheader
RCVD_IN_IADB_OPTINIADB: All mailing list mail is opt-inheader
RCVD_IN_IADB_OPTIN_GT50IADB: Opt-in used more than 50% of the timeheader
RCVD_IN_IADB_OPTIN_LT50IADB: Opt-in used less than 50% of the timeheader
RCVD_IN_IADB_OPTOUTONLYIADB: Scrapes addresses, pure opt-out onlyheader
RCVD_IN_IADB_RDNSIADB: Sender has reverse DNS recordheader
RCVD_IN_IADB_SENDERIDIADB: Sender publishes Sender ID recordheader
RCVD_IN_IADB_SPFIADB: Sender publishes SPF recordheader
RCVD_IN_IADB_UNVERIFIED_1IADB: Accepts unverified sign-upsheader
RCVD_IN_IADB_UNVERIFIED_2IADB: Accepts unverified sign-ups, gives chance to opt outheader
RCVD_IN_IADB_UT_CPEARIADB: Complies with Utah's CPEAR lawheader
RCVD_IN_IADB_UT_CPR_30IADB: Checked lists against Utah's CPR within 30 daysheader
RCVD_IN_IADB_UT_CPR_MATIADB: Sends no material under Utah's CPRheader
RCVD_IN_IADB_VOUCHEDISIPP IADB lists as vouched-for senderThe sending host in the first trusted Received: header is a "Vouched listing" in the Institute for Social Internet Public Policy (ISIPP) Accreditation Database (a DNS Whitelist).

Sites sending spam from IADB vouched IP addresses can be reported to abuse@suretymail.com.
header
RCVD_IN_MAPS_DULRelay in DUL, http://www.mail-abuse.com/enduserinfo_dul.htmlThe message was received via a relay listed in the DNSBL dialups.mail-abuse.org.

The criteria for listing is that the relay address appears to be dynamically allocated, indicating that it is probably a customers computer and not a properly configured mail relay

Since 2005, mail-abuse.org is operated by Trend Micro
header
RCVD_IN_MAPS_NMLRelay in NML, http://www.mail-abuse.com/enduserinfo_nml.htmlThe message was received via a relay listed in the DNSBL nonconfirm.mail-abuse.org. This DNSBL is no longer documented.

Since 2005, mail-abuse.org is operated by Trend Micro
header
RCVD_IN_MAPS_OPSRelay in OPS, http://www.mail-abuse.com/enduserinfo_ops.htmlheader
RCVD_IN_MAPS_RBLRelay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.htmlThe message was received via a relay listed in the DNSBL blackholes.mail-abuse.org.

The criteria for listing is that the relay address may be a multi-hop (multiple IP) open relay, a spam source, or a spam support service

Since 2005, mail-abuse.org is operated by Trend Micro
header
RCVD_IN_MAPS_RSSRelay in RSS, http://www.mail-abuse.com/enduserinfo_rss.htmlThe message was received via a relay listed in the DNSBL relays.mail-abuse.org.

The criteria for listing is that the relay address appears to be that of an "open relay" that will relay email from unauthenticated and untrusted users.

Since 2005, mail-abuse.org is operated by Trend Micro
header
RCVD_IN_MSPIKE_BLMailspike blacklistedmeta
RCVD_IN_MSPIKE_H2Average reputation (+2)header
RCVD_IN_MSPIKE_H3Good reputation (+3)header
RCVD_IN_MSPIKE_H4Very Good reputation (+4)header
RCVD_IN_MSPIKE_H5Excellent reputation (+5)header
RCVD_IN_MSPIKE_L2Suspicious reputation (-2)header
RCVD_IN_MSPIKE_L3Low reputation (-3)header
RCVD_IN_MSPIKE_L4Bad reputation (-4)header
RCVD_IN_MSPIKE_L5Very bad reputation (-5)header
RCVD_IN_MSPIKE_WLMailspike good sendersmeta
RCVD_IN_MSPIKE_ZBINo description providedmeta
RCVD_IN_NJABL_CGINJABL: sender is an open formmailSee: [WWW] http://www.njabl.org/header
RCVD_IN_NJABL_MULTINJABL: sent through multi-stage open relaySee: [WWW] http://www.njabl.org/header
RCVD_IN_NJABL_PROXYNJABL: sender is an open proxySee: [WWW] http://www.njabl.org/header
RCVD_IN_NJABL_RELAYNJABL: sender is confirmed open relaySee: [WWW] http://www.njabl.org/header
RCVD_IN_NJABL_SPAMNJABL: sender is confirmed spam sourceSee: [WWW] http://www.njabl.org/header
RCVD_IN_PBLReceived via a relay in Spamhaus PBLThe PBL official page and description is [WWW] here and that page can also be used to look up an IP in the PBL.



The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server, except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.



In other words, it lists IP addresses that are not expected to host a normal mail server, and the PBL has Self-Service removal and IP owner management mechanisms.
header
RCVD_IN_PSBLReceived via a relay in PSBLThe last external relay in the Received chain was listed in the DNSBL The Passive Spam Blocklist (PSBL).

The Passive Spam Block List, or PSBL, uses the Spamikaze software, which works in a really simple way. If one of my spamtraps receives email from a certain IP address, then that IP address gets listed. After a certain time the IP address times out and is automatically dropped from the list.

See: http://www.psbl.org for details on removing addresses from this list.
header
RCVD_IN_RP_CERTIFIEDSender is in Return Path Certified (trusted relay)header
RCVD_IN_RP_RNBLRelay in RNBL, https://senderscore.org/blacklistlookup/The last external relay in the Received chain was listed in the DNSBL Return Path Reputation Network Blacklist (RNBL).

Reputation Network Blacklist is based on real time data compiled through our cooperative Reputation Network.

See: https://senderscore.org/rtbl/ for details on requesting removal from this list.
header
RCVD_IN_RP_SAFESender is in Return Path Safe (trusted relay)header
RCVD_IN_SBLReceived via a relay in Spamhaus SBLThe headers indicate the mail was sent via a server listed on the [WWW] Spamhaus Block List (DNSBL).


The Spamhaus Block List (SBL) is a realtime database of IP addresses of spam-sources, including known spammers, spam gangs, spam operations and spam support services. SBL listings are made according to policies outlined in [WWW] SBL Policy & Listing Criteria.


For the body URI check see URIBL_SBL, and for other Spamhaus.org RBL listings see RCVD_IN_XBL RCVD_IN_PBL.
header
RCVD_IN_SBL_CSSReceived via a relay in Spamhaus SBL-CSSheader
RCVD_IN_SORBS_BLOCKSORBS: sender demands to never be testedThis check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS.

ref

A listing indicates that the administrator of the mail relay has demanded that they never be tested by SORBS.
header
RCVD_IN_SORBS_DULSORBS: sent directly from dynamic IP addressThe last external relay in the Received chain was listed in the [WWW] SORBS "DUL" list, which lists dynamic IP addresses that should not be emitting SMTP traffic directly.header
RCVD_IN_SORBS_HTTPSORBS: sender is open HTTP proxy serverThis check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS.

ref

A listing indicates that email may be sent through a webserver proxy by an unauthorized and unauthenticated user.
header
RCVD_IN_SORBS_MISCSORBS: sender is open proxy serverheader
RCVD_IN_SORBS_SMTPSORBS: sender is open SMTP relayThis check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS.

ref

A listing indicates that email may be sent through a SMTP proxy by an unauthorized and unauthenticated user.
header
RCVD_IN_SORBS_SOCKSSORBS: sender is open SOCKS proxy serverThis check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS.

ref

A listing indicates that email may be sent through a SOCKS proxy by an unauthorized and unauthenticated user.
header
RCVD_IN_SORBS_WEBSORBS: sender is an abusable web serverThis check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS.


web.dnsbl.sorbs.net
List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts) Note: This zone now includes non-webserver IP addresses that have abusable vulnerabilities.
header
RCVD_IN_SORBS_ZOMBIESORBS: sender is on a hijacked networkThis check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS.

ref

This is a list of networks hijacked from their original owners, some of which have already used for spamming.
header
RCVD_IN_VALIDITY_CERTIFIEDSender in Validity Certification - Contact certification@validity.comheader
RCVD_IN_VALIDITY_RPBLRelay in Validity RPBL, https://senderscore.org/blocklistlookup/header
RCVD_IN_VALIDITY_SAFESender in Validity Safe - Contact certification@validity.comheader
RCVD_IN_XBLReceived via a relay in Spamhaus XBLThe mail was received from a server listed in the [WWW] Spamhaus Exploits Block List DNSBL, which lists hijacked PCs infected by illegal 3rd party exploits.



The XBL wholly incorporates data from two highly-trusted DNSBL sources, with tweaks by Spamhaus to maximise the data efficiency and lower False Positives. The main components are:


the CBL (Composite Block List) from [WWW] cbl.abuseat.org


the NJABL Open Proxy IPs list from [WWW] www.njabl.org.
header
RCVD_IN_ZEN_BLOCKEDADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/header
RCVD_IN_ZEN_BLOCKED_OPENDNSADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/header
RCVD_MAIL_COMForged Received header (contains post.com or mail.com)header
RCVD_NUMERIC_HELOReceived: contains an IP address used for HELOIn an SMTP session the argument to the first command a client sends (EHLO or HELO) should be the client identifier. RFC2821 specifies the fully-qualified domain name of the SMTP client, the older standard RFC821 refers to the host name.

In situations that the client does not have a meaningful domain name the client SHOULD send an address literal (an IP address enclosed by square brackets).


If a Received: header is parsed that indicates the EHLO/HELO identifier was given as an IP address, but not enclosed by square brackets, this is in violation of the RFC.
header
RDNS_DYNAMICDelivered to internal network by host with dynamic-looking rDNSmeta
RDNS_LOCALHOSTSender's public rDNS is "localhost"header
RDNS_NONEDelivered to internal network by a host with no rDNSmeta
RDNS_NUM_TLD_ATCHNXRelay rDNS has numeric TLD + suspicious attachmentmeta
RDNS_NUM_TLD_XMRelay rDNS has numeric TLD + suspicious headersmeta
REFINANCE_NOWHome refinancingbody
REFINANCE_YOUR_HOMEHome refinancingbody
REMOVE_BEFORE_LINKRemoval phrase right before a linkA phrase such as "unsubscribe here", "no thanks", or "not interested" appears in the message body no more than five characters before a URL.body
REPLICA_WATCHMessage talks about a replica watchbody
REPLYTO_EMPTYReply-To undeliverableheader
REPLYTO_WITHOUT_TO_CCNo description providedmeta
REPTO_419_FRAUDReply-To is known advance fee fraud collector mailboxheader
REPTO_419_FRAUD_AOLReply-To is known advance fee fraud collector mailboxheader
REPTO_419_FRAUD_AOL_LOOSEEnds-in-digits Reply-To is similar to known advance fee fraud collector mailboxmeta
REPTO_419_FRAUD_CNSReply-To is known advance fee fraud collector mailboxheader
REPTO_419_FRAUD_GMReply-To is known advance fee fraud collector mailboxheader
REPTO_419_FRAUD_GM_LOOSEEnds-in-digits Reply-To is similar to known advance fee fraud collector mailboxmeta
REPTO_419_FRAUD_HMReply-To is known advance fee fraud collector mailboxheader
REPTO_419_FRAUD_OLReply-To is known advance fee fraud collector mailboxheader
REPTO_419_FRAUD_PMReply-To is known advance fee fraud collector mailboxheader
REPTO_419_FRAUD_QQReply-To is known advance fee fraud collector mailboxheader
REPTO_419_FRAUD_YHReply-To is known advance fee fraud collector mailboxheader
REPTO_419_FRAUD_YH_LOOSEEnds-in-digits Reply-To is similar to known advance fee fraud collector mailboxmeta
REPTO_419_FRAUD_YJReply-To is known advance fee fraud collector mailboxheader
REPTO_419_FRAUD_YNReply-To is known advance fee fraud collector mailboxheader
REPTO_QUOTE_AOLAOL doesn't do quoting like this
REPTO_QUOTE_IMSIMS doesn't do quoting like this
REPTO_QUOTE_MSNMSN doesn't do quoting like this
REPTO_QUOTE_QUALCOMMQualcomm/Eudora doesn't do quoting like this
REPTO_QUOTE_YAHOOYahoo! doesn't do quoting like thismeta
RISK_FREENo risk!/\b(?:risk free|no risk)/ibody
RP_MATCHES_RCVDNo description provided???
RUDE_HTMLSpammer message says you need an HTML mailer__RUDE_HTML_1 || __RUDE_HTML_2 || __RUDE_HTML_3 || __RUDE_HTML_4meta
SANE_04e8bf28eb445199a7f11b943c44d209Email.Spam.Gen3177.Sanesecurity.08051611body
SANE_1c4f3286fa4aed6424ced88bfaf8b09cEmail.Spam.Gen3234.Sanesecurity.08052309body
SANE_2b173a7fb7518c75ac8a2d294d773fd8Email.Spam.Sanesecurity.Url_2496body
SANE_3b92eda751c992f230f215fb7eb36844Email.Spam.Gen158.Sanesecurity.07012700body
SANE_4ef8302546bf270a19baf98508afacc4Email.Spam.Gen1941.Sanesecurity.07112519body
SANE_7429530a7398f43f1f1b795f9420714eEmail.Spam.Gen2507.Sanesecurity.08021303body
SANE_91eb43f705d25c804374a746d7519660Email.Malware.Sanesecurity.07011300body
SANE_d0d2b0f6373bf91253d66dd74c594b87Email.Spam.Sanesecurity.Url_2499body
SB_GIF_AND_NO_URISNo description providedmeta
SCRIPT_GIBBERISHNonsense in HTML "SCRIPT" tagmeta
SENDGRID_REDIRRedirect URI via Sendgrid__SENDGRID_REDIR && !MIME_HTML_MOSTLY && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSIONmeta
SENDGRID_REDIR_PHISHRedirect URI via Sendgrid + phishing signs__SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )meta
SEO_SUSP_NTLDSEO offer from suspicious TLD__FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)meta
SERGIO_SUBJECT_PORN002Pictures garbled subjectSubject =~ /p[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}c[^a-zA-Z0-9]{0,3}t[^a-zA-Z0-9]{0,3}u[^a-zA-Z0-9]{1,3}r[^a-zA-Z0-9]{0,3}e[^a-zA-Z0-9]{0,3}s/iheader
SERGIO_SUBJECT_PORN003Videos garbled subjectSubject =~ /v[^a-zA-Z0-9]{1,3}[i1l][^a-zA-Z0-9]{0,3}d[^a-zA-Z0-9]{0,3}e[^a-zA-Z0-9]{0,3}[o0][^a-zA-Z0-9]{0,3}s/iheader
SERGIO_SUBJECT_PORN004Adult garbled subjectSubject =~ /a[^a-zA-Z0-9]{1,3}d[^a-zA-Z0-9]{1,3}[uv][^a-zA-Z0-9]{1,3}[l1\|][^a-zA-Z0-9]{1,3}t/iheader
SERGIO_SUBJECT_PORN005Porn garbled subjectSubject =~ /\bp[^a-zA-Z0-9]{0,3}[o0][^a-zA-Z0-9]{1,3}r[^a-zA-Z0-9]{0,3}n/iheader
SERGIO_SUBJECT_PORN006B\*\*\* J\*\* garbled subjectSubject =~ /b[^a-zA-Z0-9]{0,3}l[^a-zA-Z0-9]{0,3}[o0][^a-zA-Z0-9]{0,3}w[^a-zA-Z0-9]{0,3}j[^a-zA-Z0-9]{0,3}[o0][^a-zA-Z0-9]{0,3}b/iheader
SERGIO_SUBJECT_PORN007Film garbled subjectSubject =~ /bf[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{1,3}[i1l][^a-zA-Z0-9]{0,3}m/iheader
SERGIO_SUBJECT_PORN008Mature garbled subjectSubject =~ /m[^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9]{0,3}t[^a-zA-Z0-9]{0,3}[uv][^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}e/iheader
SERGIO_SUBJECT_PORN009Undress garbled subjectSubject =~ /u[^a-zA-Z0-9]{0,3}n[^a-zA-Z0-9]{0,3}d[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}e[^a-zA-Z0-9]{0,3}s[^a-zA-Z0-9]{0,3}s/iheader
SERGIO_SUBJECT_PORN010Movies garbled subjectSubject =~ /m[^a-zA-Z0-9]{1,3}o[^a-zA-Z0-9]{1,3}v[^a-zA-Z0-9]{1,3}i[^a-zA-Z0-9]{1,3}e/iheader
SERGIO_SUBJECT_PORN011Sex garbled subjectSubject =~ /s[^a-zA-Z0-9]{1,4}e[^a-zA-Z0-9]{1,4}x/iheader
SERGIO_SUBJECT_PORN012School garbled subjectSubject =~ /s[^a-zA-Z0-9]{1,4}c[^a-zA-Z0-9]{0,4}h[^a-zA-Z0-9]{0,4}[o0][^a-zA-Z0-9]{0,4}[o0][^a-zA-Z0-9]{0,4}[1l|]/iheader
SERGIO_SUBJECT_PORN013Girls garbled subjectSubject =~ /g[^a-zA-Z0-9]{1,3}[i1l][^a-zA-Z0-9]{1,3}r[^a-zA-Z0-9]{1,3}[1l\|]/iheader
SERGIO_SUBJECT_PORN014F\*\*\* garbled subjectSubject =~ /f[^a-zA-Z0-9]{0,3}[uv][^a-zA-Z0-9]{0,3}c[^a-zA-Z0-9]{0,3}k/iheader
SERGIO_SUBJECT_PORN015Lesbian garbled subjectSubject =~ /l[^a-zA-Z0-9]{0,3}e[^a-zA-Z0-9]{0,3}s[^a-zA-Z0-9]{0,3}b[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9]{0,3}n/iheader
SERGIO_SUBJECT_VIAGRA01Viagra garbled subjectSubject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/iheader
SHARE_50_50Share the money 50/50(__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTYmeta
SHOPIFY_IMG_NOT_RCVD_SFYShopify hosted image but message not from Shopify__SHOPIFY_IMG_NOT_RCVD_SFY && !__HAS_CAMPAIGN && !MIME_QP_LONG_LINE && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDERmeta
SHORT_HELO_AND_INLINE_IMAGEShort HELO string, with inline image(__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)meta
SHORT_IMG_SUSP_NTLDShort HTML + image + suspicious TLD__LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLDmeta
SHORT_SHORTNERShort body with little more than a link to a shortener__KAM_BODY_LENGTH_LT_512 && (__PDS_URISHORTENER || __URL_SHORTENER)meta
SHORT_TERM_PRICE/short\W+term\W+(target| projected)(\W+price)?/ibody
SHORTCIRCUITNot all rules were run, due to a shortcircuited ruleheader
SHORTENED_URL_SRCNo description providedrawbody
SHORTENER_SHORT_IMGShort HTML + image + URL shortener__URL_SHORTENER && HTML_SHORT_LINK_IMG_1meta
SHORTENER_SHORT_SUBJURL shortener (avoiding URIBL?) + short subject__SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIOmeta
SINGLETS_LOW_CONTRASTSingle-letter formatted HTML + hidden text__HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFPmeta
SORTED_RECIPSRecipient list is sorted by addressheader
SPAMMY_XMAILERX-Mailer string is common in spam and not in ham(__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)meta
SPF_FAILSPF: sender does not match SPF record (fail)A "Fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. The checking software can choose to mark the mail based on this or to reject the mail outright.

From RFC 4408
header
SPF_HELO_FAILSPF: HELO does not match SPF record (fail)A "Fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. The checking software can choose to mark the mail based on this or to reject the mail outright.

If the checking software chooses to reject the mail during the SMTP transaction, then it SHOULD use an SMTP reply code of 550 (see RFC 2821) and, if supported, the 5.7.1 Delivery Status Notification (DSN) code (see RFC 3464), in addition to an appropriate reply text. The check_host() function may return either a default explanation string or one from the domain that published the SPF records (see Section 6.2). If the information does not originate with the checking software, it should be made clear that the text is provided by the sender's domain. For example:

From RFC 4408
header
SPF_HELO_NEUTRALSPF: HELO does not match SPF record (neutral)The domain owner has explicitly stated that he cannot or does not want to assert whether or not the IP address is authorized. A "Neutral" result MUST be treated exactly like the "None" result; the distinction exists only for informational purposes. Treating "Neutral" more harshly than "None" would discourage domain owners from testing the use of SPF records (see Section 9.1).

From RFC 4408
header
SPF_HELO_NONESPF: HELO does not publish an SPF Recordeval:check_for_spf_helo_none()header
SPF_HELO_PASSSPF: HELO matches SPF recordA "Pass" result means that the client is authorized to inject mail with the given identity. The domain can now, in the sense of reputation, be considered responsible for sending the message. Further policy checks can now proceed with confidence in the legitimate use of the identity.

From RFC 4408
header
SPF_HELO_SOFTFAILSPF: HELO does not match SPF record (softfail)A "SoftFail" result should be treated as somewhere between a "Fail" and a "Neutral". The domain believes the host is not authorized but is not willing to make that strong of a statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal.

The domain owner wants to discourage the use of this host and thus desires limited feedback when a "SoftFail" result occurs. For example, the recipient's Mail User Agent (MUA) could highlight the "SoftFail" status, or the receiving MTA could give the sender a message using a technique called "greylisting" whereby the MTA can issue an SMTP reply code of 451 (4.3.0 DSN code) with a note the first time the message is received, but accept it the second time.

From RFC 4408
header
SPF_NEUTRALSPF: sender does not match SPF record (neutral)The domain owner has explicitly stated that he cannot or does not want to assert whether or not the IP address is authorized. A "Neutral" result MUST be treated exactly like the "None" result; the distinction exists only for informational purposes. Treating "Neutral" more harshly than "None" would discourage domain owners from testing the use of SPF records (see Section 9.1).

From RFC 4408
header
SPF_NONESPF: sender does not publish an SPF Recordeval:check_for_spf_none()header
SPF_PASSSPF: sender matches SPF recordA "Pass" result means that the client is authorized to inject mail with the given identity. The domain can now, in the sense of reputation, be considered responsible for sending the message. Further policy checks can now proceed with confidence in the legitimate use of the identity.

From RFC 4408
header
SPF_SOFTFAILSPF: sender does not match SPF record (softfail)between a "Fail" and a "Neutral". The domain believes the host is not authorized but is not willing to make that strong of a statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal.

The domain owner wants to discourage the use of this host and thus desires limited feedback when a "SoftFail" result occurs. For example, the recipient's Mail User Agent (MUA) could highlight the "SoftFail" status, or the receiving MTA could give the sender a message using a technique called "greylisting" whereby the MTA can issue an SMTP reply code of 451 (4.3.0 DSN code) with a note the first time the message is received, but accept it the second time.

From [WWW] http://www.openspf.org/RFC_4408#op-result-softfail
header
SPOOF_COM2COMURI contains ".com" in middle and endmeta
SPOOF_COM2OTHURI contains ".com" in middleuri
SPOOF_GMAIL_MIDFrom Gmail but it doesn't seem to be...SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MIDmeta
SPOOF_NET2COMURI contains ".net" or ".org", then ".com"uri
SPOOFED_FREEM_REPTOForged freemail sender with freemail reply-to__SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEXmeta
SPOOFED_FREEM_REPTO_CHNForged freemail sender with Chinese freemail reply-to(__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEMmeta
SPOOFED_FREEM_REPTO_RUSForged freemail sender with Russian freemail reply-to(__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEMmeta
SPOOFED_FREEMAILNo description providedmeta
SPOOFED_FREEMAIL_NO_RDNSFrom SPOOFED_FREEMAIL and no rDNS__SPOOFED_FREEMAIL && __RDNS_NONEmeta
STATIC_XPRIO_OLEStatic RDNS + X-Priority + MIMEOLE__STATIC_XPRIO_OLEmeta
STOCK_ALERTOffers a alert about a stockbody
STOCK_IMG_CTYPEStock spam image part, with distinctive Content-Type header(__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)meta
STOCK_IMG_HDR_FROMStock spam image part, with distinctive From line(__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&T_TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)meta
STOCK_IMG_HTMLStock spam image part, with distinctive HTML(__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)meta
STOCK_IMG_OUTLOOKStock spam image part, with Outlook-like features(__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)meta
STOCK_LOW_CONTRASTStocks + hidden text(__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMGmeta
STOCK_TIPStock tips__STOCK_TIP && !__DKIM_EXISTSmeta
STOX_BOUND_090909_BNo description providedheader
STOX_REPLY_TYPEContent-Type =~ /text\/plain; .* reply-type=original/The mail's content type is "text/plain" and has the "reply-type=original" attribute.

There is no IANA registration for the MIME "text/plain" Media Type ( http://www.iana.org/assignments/media-types/text/ ) sub-parameter "reply-type" at this time. This is a non-standard and undefined parameter.

However this parameter does appear to be used in Microsoft software such as Outlook Express ( http://support.microsoft.com/kb/887797 ).
header
STOX_REPLY_TYPE_WITHOUT_QUOTESNo description providedmeta
STRONG_BUYTells you about a strong buybody
SUBJ_ALL_CAPSSubject is all capitalsThe Subject: line in the mail header contains all capital letters. This test is only applied to multi-word subject lines over a certain length containing letters in an ASCII-based character-set.header
SUBJ_AS_SEENSubject contains"As Seen"header
SUBJ_ATTENTIONATTENTION in Subject__SUBJ_ATTENTION && !ALL_TRUSTEDmeta
SUBJ_BRKN_WORDNUMSSubject contains odd word breaks and numbersmeta
SUBJ_BUYSubject line starts with Buy or Buyingheader
SUBJ_DOLLARSSubject starts with dollar amountheader
SUBJ_ILLEGAL_CHARSSubject: has too many raw illegal characters(__SUBJ_ILLEGAL_CHARS && !__FROM_YAHOO_COM)meta
SUBJ_UNNEEDED_HTMLUnneeded HTML formatting in Subject:meta
SUBJ_YOUR_DEBTSubject contains"Your Bills"or similarheader
SUBJ_YOUR_FAMILYSubject contains "Your Family"header
SUBJECT_DIETSubject talks about losing poundsheader
SUBJECT_DRUG_GAP_CSubject contains a gappy version of 'cialis'header
SUBJECT_DRUG_GAP_LSubject contains a gappy version of 'levitra'header
SUBJECT_DRUG_GAP_SSubject contains a gappy version of 'soma'header
SUBJECT_DRUG_GAP_VASubject contains a gappy version of 'valium'header
SUBJECT_DRUG_GAP_XSubject contains a gappy version of 'xanax'header
SUBJECT_FUZZY_CHEAPAttempt to obfuscate words in Subject:header
SUBJECT_FUZZY_MEDSAttempt to obfuscate words in Subject:header
SUBJECT_FUZZY_PENISAttempt to obfuscate words in Subject:header
SUBJECT_FUZZY_TIONAttempt to obfuscate words in Subject:The message subject seems to contain an attempt to obscure "tion" - commonly used as a suffix to create a noun from a verb.

This test uses the ReplaceTags plugin.
header
SUBJECT_FUZZY_VPILLAttempt to obfuscate words in Subject:__SUBJECT_FUZZY_VPILL && !FUZZY_VPILLmeta
SUBJECT_IN_BLACKLISTSubject: contains string in the user's black-listThis test is for an optional plugin that allows the user to define subjects that are blacklisted.header
SUBJECT_IN_WHITELISTSubject: contains string in the user's white-listheader
SUBJECT_NEEDS_ENCODINGSubject is encoded but does not specify the encoding(!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIMEmeta
SUBJECT_SEXUALSubject indicates sexually-explicit contentheader
SURBL_BLOCKEDADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.eval:check_uridnsbl('SURBL_BLOCKED')body
SUSP_UTF8_WORD_FROMWord in From name using only suspicious UTF-8 characters__4BYTE_UTF8_WORD_FROMmeta
SUSP_UTF8_WORD_SUBJWord in Subject using only suspicious UTF-8 characters__4BYTE_UTF8_WORD_SUBJmeta
SUSPICIOUS_RECIPSSimilar addresses in recipient listThe recipients listed in the To: Cc: and Bcc: header fields are checked. If there are more than a specific number of addresses present (5 or more) the addresses are compared to look for similarities.header
SUSPNTLD_EXPIRATION_EXTORTSusp NTLD with an expiration notice and lotsa moneyLOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLDmeta
SYSADMINSupposedly from your IT department__SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITSmeta
T_ACH_CANCELLED_EXEACH cancelled probable malwaremeta
T_CDISP_SZ_MANYSuspicious MIME headermimeheader
T_COMPENSATION"Compensation"
T_DATE_IN_FUTURE_96_QDate: is 4 days to 4 months after Received: dateheader
T_DATE_IN_FUTURE_Q_PLUSDate: is over 4 months after Received: dateheader
T_DOC_ATTACH_NO_EXTDocument attachment with suspicious namemeta
T_DOS_OUTLOOK_TO_MX_IMAGEDirect to MX with Outlook headers and an imagemeta
T_DOS_ZIP_HARDCOREhardcore.zip file attached; quite certainly a virusmimeheader
T_DRUGS_ERECTILE_SHORT_SHORTNERShort erectile drugs advert with T_URL_SHORTENERmeta
T_FILL_THIS_FORM_FRAUD_PHISHAnswer suspicious question(s)meta
T_FILL_THIS_FORM_LOANAnswer loan question(s)meta
T_FILL_THIS_FORM_SHORTFill in a short form with personal informationmeta
T_FORGED_TBIRD_IMG_SIZELikely forged Thunderbird image spammeta
T_FREEMAIL_DOC_PDFMS document or PDF attachment, from freemailmeta
T_FREEMAIL_DOC_PDF_BCCMS document or PDF attachment, from freemail, all recipients hiddenmeta
T_FREEMAIL_RVW_ATTCHPlease review attached document, from freemailmeta
T_FROM_MULTI_SHORT_IMGMultiple From addresses + short message with imagemeta
T_FROMNAME_EQUALS_TOFrom:name matches To:meta
T_FROMNAME_SPOOFED_EMAILFrom:name looks like a spoofed emailmeta
T_FUZZY_OPTOUTObfuscated opt-out textbody
T_FUZZY_WELLSFARGOObfuscated "Wells Fargo"meta
T_GB_FREEM_FROM_NOT_REPLYFrom: and Reply-To: have different freemail domainsmeta
T_GB_FROMNAME_SPOOFED_EMAIL_IPFrom:name looks like a spoofed email from a spoofed ipmeta
T_GB_HASHBL_BTCMessage contains BTC address found on BTCBLbody
T_GB_WEBFORMWebform with url shortenermeta
T_HTML_ATTACHHTML attachment to bypass scanning?meta
T_ISO_ATTACHISO attachment - possible malware deliverymeta
T_KAM_HTML_FONT_INVALIDTest for Invalidly Named or Formatted Colors in HTMLmeta
T_LARGE_PCT_AFTER_MANYMany large percentages after...meta
T_LOTTO_AGENT_FMClaims AgentFrom =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/iheader
T_LOTTO_AGENT_RPLYClaims AgentReply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/iheader
T_LOTTO_URIClaims Department URL/(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/iuri
T_MANY_HDRS_LCASEOdd capitalization of multiple message headers
T_MANY_PILL_PRICEPrices for many pillsmeta
T_MIME_MALFMalformed MIME: headers in bodymeta
T_MONEY_PERCENTX% of a lot of money for youmeta
T_OBFU_ATTACH_MISSPObfuscated attachment type and misspaced Frommeta
T_OBFU_DOC_ATTACHMS Document attachment with generic MIME typemimeheader
T_OBFU_GIF_ATTACHGIF attachment with generic MIME typemimeheader
T_OBFU_HTML_ATT_MALWHTML attachment with incorrect MIME type - possible malwaremeta
T_OBFU_HTML_ATTACHHTML attachment with non-text MIME typemimeheader
T_OBFU_JPG_ATTACHJPG attachment with generic MIME typemimeheader
T_OBFU_PDF_ATTACHPDF attachment with generic MIME typemimeheader
T_PDS_BTC_AHACKERBitcoin Hackermeta
T_PDS_BTC_HACKERBitcoin Hackermeta
T_PDS_BTC_NTLDBitcoin suspect NTLDmeta
T_PDS_EMPTYSUBJ_URISHRTEmpty subject with little more than URI shortenermeta
T_PDS_FREEMAIL_REPLYTO_URISHRTFreemail replyto with URI shortenermeta
T_PDS_FROM_2_EMAILSFrom header has multiple different addressesmeta
T_PDS_FROM_2_EMAILS_SHRTNERFrom 2 emails short email with little more than a URI shortenermeta
T_PDS_LTC_AHACKERLitecoin Hackermeta
T_PDS_LTC_HACKERLitecoin Hackermeta
T_PDS_NO_FULL_NAME_SPOOFED_URLHTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAMEmeta
T_PDS_PRO_TLD.pro TLDheader
T_PDS_SHORT_SPOOFED_URLHTML message short and T_SPOOFED_URL (S_U_FP)meta
T_PDS_SHORTFWD_URISHRTThreaded email with URI shortenermeta
T_PDS_SHORTFWD_URISHRT_FPApparently a short fwd/re with URI shortenermeta
T_PDS_SHORTFWD_URISHRT_QPApparently a short fwd/re with URI shortenermeta
T_PDS_TINYSUBJ_URISHRTShort subject with URL shortenermeta
T_PDS_URISHRT_LOCALPART_SUBJLocalpart of To in subjectmeta
T_REMOTE_IMAGEMessage contains an external imagemeta
T_SENT_TO_EMAIL_ADDREmail was sent to email addressmeta
T_SHARE_50_50Share the money 50/50meta
T_SPF_HELO_PERMERRORSPF: test of HELO record failed (permerror)eval:check_for_spf_helo_permerror()header
T_SPF_HELO_TEMPERRORSPF: test of HELO record failed (temperror)eval:check_for_spf_helo_temperror()header
T_SPF_PERMERRORSPF: test of record failed (permerror)eval:check_for_spf_permerror()header
T_SPF_TEMPERRORSPF: test of record failed (temperror)eval:check_for_spf_temperror()header
T_STY_INVIS_DIRECTHTML hidden text + direct-to-MXmeta
T_SUSPNTLD_EXPIRATION_EXTORTSusp NTLD with an expiration notice and lotsa moneymeta
T_TONOM_EQ_TOLOC_SHRT_PSHRTNERShort subject with potential shortener and To:name eq To:local__PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORTmeta
T_TONOM_EQ_TOLOC_SHRT_SHRTNERShort email with shortener and To:name eq To:localmeta
T_WON_MONEY_ATTACHYou won lots of money! See attachment.meta
T_WON_NBDY_ATTACHYou won lots of money! See attachment.meta
T_XPRIO_URL_SHORTNERX-Priority header and short URLmeta
T_ZW_OBFU_BITCOINObfuscated text + bitcoin ID - possible extortionmeta
T_ZW_OBFU_FREEMObfuscated text + freemailmeta
T_ZW_OBFU_FROMTOSUBJObfuscated text + from in to and subjectmeta
TAB_IN_FROMFrom starts with a tabheader
TAGSTAT_IMG_NOT_RCVD_TGSTTagstat hosted image but message not from Tagstatmeta
TARINGANET_IMG_NOT_RCVD_TNmedia.taringa.net hosted image but message not from taringa.netmeta
TBIRD_SUSP_MIME_BDRYUnlikely Thunderbird MIME boundary__MUA_TBIRD && __TB_MIME_BDRY_NO_Zmeta
TEQF_USR_IMAGETo and from user nearly same + image__TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACHmeta
TEQF_USR_MSGID_HEXTo and from user nearly same + unusual message ID__TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2meta
TEQF_USR_MSGID_MALFTo and from user nearly same + malformed message ID__TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2meta
THEBAT_UNREGX-Mailer =~ /^The Bat! .{0,20} UNREG(dollar) /header
THIS_AD"This ad" and variants__THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVDmeta
THIS_IS_ADV_SUSP_NTLDThis is an advertisement from a suspicious TLD__FROM_ADDRLIST_SUSPNTLD && __PDS_THIS_IS_ADVmeta
TO_EQ_FM_DIRECT_MXTo == From and direct-to-MX__TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXEDmeta
TO_EQ_FM_DOM_HTML_IMGTo domain == From domain and HTML image link__TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVDmeta
TO_EQ_FM_DOM_HTML_ONLYTo domain == From domain and HTML only__TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEXmeta
TO_EQ_FM_DOM_SPF_FAILTo domain == From domain and external SPF failedmeta
TO_EQ_FM_HTML_ONLYTo == From and HTML only__TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTERmeta
TO_EQ_FM_SPF_FAILTo == From and external SPF failedmeta
TO_IN_SUBJTo address is in Subject__TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FWmeta
TO_MALFORMEDTo: has a malformed addressheader
TO_NAME_SUBJ_NO_RDNSRecipient username in subject + no rDNSLOCALPART_IN_SUBJECT && __RDNS_NONEmeta
TO_NO_BRKTS_DYNIPTo: lacks brackets and dynamic rDNSmeta
TO_NO_BRKTS_FROM_MSSPMultiple header formatting problems__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && FROM_MISSPACEDmeta
TO_NO_BRKTS_HTML_IMGTo: lacks brackets and HTML and one image__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMGmeta
TO_NO_BRKTS_HTML_ONLYTo: lacks brackets and HTML only__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLYmeta
TO_NO_BRKTS_MSFTTo: lacks brackets and supposed Microsoft tool__TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD && !__SUBJECT_UTF8_B_ENCODEDmeta
TO_NO_BRKTS_NORDNS_HTMLTo: lacks brackets and no rDNS and HTML only__TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__BUGGED_IMG && !__TAG_EXISTS_CENTER && !__SUBSCRIPTION_INFO && !__TAG_EXISTS_STYLEmeta
TO_NO_BRKTS_PCNTTo: lacks brackets + percentage__TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTSmeta
TO_TOO_MANY_WFH_01Work-from-Home + many recipients__TO_TOO_MANY_WFH_01meta
TONLINE_FAKE_DKIMt-online.de doesn't do DKIM__HDR_RCVD_TONLINEDE && __DKIM_EXISTSmeta
TONOM_EQ_TOLOC_SHRT_SHRTNERShort email with shortener and To:name eq To:local__PDS_URISHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_HTML_LENGTH_1024meta
TRACKER_IDIncorporates a tracking ID numberLooks for a tracking number usually found near the end of the message. Notes in rule file indicate it was added around Jul 5th, 2002.body
TRANSFORM_LIFETransform your life!__TRANSFORM_LIFE && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_X_MAILER && !__VIA_MLmeta
TT_MSGID_TRUNCScora: Message-Id ends after left-bracket + digitsheader
TT_OBSCURED_VALIUMScora: obscured "VALIUM" in subject( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUMmeta
TT_OBSCURED_VIAGRAScora: obscured "VIAGRA" in subject( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRAmeta
TUMBLR_IMG_NOT_RCVD_TUMBTumblr hosted image but message not from Tumblrmeta
TVD_ACT_193/\bact of (?:193| nineteen thirty)/iFor some reason, many spam messages have referred to the "Smoot-Hawley Tariff Act" from the 1930's.

Read more here:
http://en.wikipedia.org/wiki/Smoot%E2%80%93Hawley_Tariff_Act

body
TVD_APPROVED/you.{1,2}re .{0,20}approved/iThe body of the mail contains a phrase similar to "you're approved".body
TVD_DEAR_HOMEOWNERSpam with generic salutation of "dear homeowner"/^dear homeowner/ibody
TVD_ENVFROM_APOSTEnvelope From contains single-quoteEnvelopeFrom =~ /\'/header
TVD_FINGER_02Content-Type =~ /^text\/plain(?:; (?:format=flowed| charset="Windows-1252"| reply-type=original)){3}/iThis rule matches the Content-Type headers of the type "text/plain" that also have all three of the following properties

format=flowed

charset="Windows-1252"

reply-type=original

Apparently a known spam signature.

Mails matching this rule will also match STOX_REPLY_TYPE.
header
TVD_FLOAT_GENERALMessage uses CSS float style/\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*rawbody
TVD_FUZZY_DEGREEObfuscation of the word "degree"/\b(?!degree)\b/ibody
TVD_FUZZY_FINANCEObfuscation of the word "finance"/(?!finance)/ibody
TVD_FUZZY_FIXED_RATEObfuscation of the phrase "fixed rate"/(?!fixed rate)\s+/ibody
TVD_FUZZY_MICROCAPObfuscation of the word "micro-cap"/(?!microcap)(?!micro-cap)-?

/i

body
TVD_FUZZY_PHARMACEUTICALObfuscation of the word "pharmaceutical"/(?!pharmaceutical)

/i

body
TVD_FUZZY_SYMBOLObfuscation of the word "symbol"/(?!symbol)/ibody
TVD_FW_GRAPHIC_NAME_LONGLong image attachment nameContent-Type =~ /\bname="[a-z]{8,}\.gif/mimeheader
TVD_FW_GRAPHIC_NAME_MIDMedium sized image attachment nameContent-Type =~ /\bname="[a-z]{6,7}\.gif/mimeheader
TVD_INCREASE_SIZEAdvertising for penis enlargement/\bsize of .{1,20}(?:penis| dick| manhood)/ibody
TVD_LINK_SAVESpam with the text "link to save"/\blink to save\b/ibody
TVD_PCT_OFFSubject =~ /(?:Jan| Feb| Mar| Apr| May| Jun| Jul| Aug| Sep| Oct| Nov| Dec)\S* \d+% OFF/header
TVD_PH_BODY_ACCOUNTS_PREThe body matches phrases such as "accounts suspended", "account credited", "account verification"/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*| suspen[a-z]+| notif(?:y| ication)| updated| verifications?| credited)\b/ibody
TVD_PH_RECMessage includes a phrase commonly used in phishing mailsbody
TVD_PH_SUBJ_ACCOUNTS_POSTSubject =~ /\b(?:(?:re-?)?activat[a-z]*| secure| verify| restore| flagged| limited| unusual| update| report| notif(?:y| ication)| suspen(?:d| ded| sion)| co(?:n| m)firm[a-z]*) (?:[a-z_,-]+ )*?accounts?\b/iheader
TVD_PH_SUBJ_SEC_MEASURESSubject =~ /\bsecurity (?:[a-z_,-]+ )*?measures?\b/iheader
TVD_PH_SUBJ_URGENTSubject =~ /^urgent(?:[\s\W]*(dollar) | .{1,40}(?:alert| response| assistance| proposal| reply| warning| noti(?:ce| fication)| greeting| matter))/iheader
TVD_QUAL_MEDSThe body matches phrases such as "quality meds" or "quality medication"/\bquality med(?:ication)?s\b/ibody
TVD_RATWARE_CBContent-Type header that is commonly indicative of ratwareContent-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/iheader
TVD_RATWARE_CB_2Content-Type header that is commonly indicative of ratwareContent-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/header
TVD_RATWARE_MSGID_02Ratware with a Message-ID header that is entirely lower-caseMessage-ID =~ /^[^<]*<[a-z]+\@/header
TVD_RCVD_IPReceived =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/Checks if the most recently addded Recieved: header begins with "from " followed by a hostname that starts with four groups of digits separated by non-alphanumeric characters (e.g. "." or "-").

This is usually an indication that the hostname is derieved from a public or private IPv4 address scheme. Since these types of addresses are commonly distrubuted to end users rather than mail servers they are often seen in spam sent directly from end user hosts.

For example:

Received: from 212-98-43-121.static.adslpremium.ch ([212.98.43.121]:3607 helo=xtqq.adslpremium.ch)

Received: from 68.207.230.213.client.lchost.net ([213.230.207.68] helo=smtp.fifambeie.co.uk)

On servers that also act as smarthosts for machines usually matching this pattern, this rule should be switched off.

Note: this rule (and TVD_RCVD_IP4) will also match IPv4 addresses not enclosed in square brackets. This is an implementation error in your mail server software, as IP addresses should be enclosed in brackets. See RFC 5321 §4.1.2.
header
TVD_RCVD_IP4Received =~ /^from\s+(?:\d+\.){3}\d+\s/Received via an IPv4 relay which appears to neither have a reverse DNS entry, or identify itself with a HELO or EHLO command.

This suggests that the message is not coming from a legitimate email sender.
header
TVD_RCVD_SINGLEReceived =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/Based on my limited knowledge of Perl, it appears from this line "Received =~ /from\s+(?!localhost)[\s.a-z0-9-]+\s/" that the TVD_RCVD_SINGLE header is used when a "Received" line in the SMTP Transmission header contains "localhost" as a server name.header
TVD_RCVD_SPACE_BRACKETReceived =~ /\(\[(?!UNIX:)[^\[\]]*\s/header
TVD_SECTIONReferences to specific legal codes/\bSection (?:27A| 21B)/ibody
TVD_SILLY_URI_OBFUURI obfuscation that can fool a URIBL or a uri rulem!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s| (dollar) )!ibody
TVD_SPACE_ENCODEDSpace ratio & encoded subject__TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIMmeta
TVD_SPACE_RATIONo description providedmeta
TVD_SPACE_RATIO_MINFPSpace ratio (vertical text obfuscation?)meta
TVD_SPACED_SUBJECT_WORD3Entire subject is "UPPERlowerUPPER" with no whitespaceSubject =~ /^(?:(?:Re| Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+(dollar) /header
TVD_STOCK1Spam related to stock tradingeval:check_stock_info('2')body
TVD_SUBJ_ACC_NUMSubject has spammy looking monetary referenceheader
TVD_SUBJ_FINGER_03Entire subject is enclosed in asterisks "* like so *"Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*(dollar) /header
TVD_SUBJ_OWESubject line states that the recipieint is in debtSubject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe| indebted)\s+(?:\w+\s+)+an\s*other/iheader
TVD_SUBJ_WIPE_DEBTSpam advertising a way to eliminate debtSubject =~ /(?:wipe out| remove| get (?:rid| out) of| eradicate) .{0,20}(?:owe| debt| obligation)/iheader
TVD_VIS_HIDDENInvisible textarea HTML tags/]+style\s*=\s*"visibility:\s*hidden\b/irawbody
TVD_VISIT_PHARMABody mentions online pharmacy/Online Ph.rmacy/ibody
TW_GIBBERISH_MANYLots of gibberish text to spoof pattern matching filters__TENWORD_GIBBERISH > 20meta
TXREPScore normalizing based on sender's reputationeval:check_senders_reputation()header
UC_GIBBERISH_OBFUMultiple instances of "word VERYLONGGIBBERISH word"(__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTEDmeta
UNCLAIMED_MONEYPeople just leave money laying aroundbody
UNCLOSED_BRACKETHeaders contain an unclosed bracketheader
UNDISC_FREEMUndisclosed recipients + freemail reply-to__UNDISC_FREEMmeta
UNDISC_MONEYUndisclosed recipients + money/fraud signs__UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISHmeta
UNICODE_OBFU_ASCObfuscating text with unicodemeta
UNICODE_OBFU_ZWObfuscating text with hidden charactersmeta
UNPARSEABLE_RELAYInformational: message has unparseable relay linesThe Received: lines from the email are analyzed to determine the relay path. This rule matches mail that contains one or more Received: lines that cannot be parsed to extract this information.

Note that this is an "informational" rule -- in other words, it is not intended to differentiate spam from nonspam, and should not have a significant score.
header
UNRESOLVED_TEMPLATEHeaders contain an unresolved templateheader
UNWANTED_LANGUAGE_BODYMessage written in an undesired languageThe content of the mail appears to be in a language not permitted by the value of the ok_languages configuration setting.

The default value of ok_languages is "all", so this rule will only trigger if the value has been locally specified.
body
UPPERCASE_50_75message body is 50-75% uppercase(!__ISO_2022_JP_DELIM && __UPPERCASE_50_75)meta
UPPERCASE_75_100message body is 75-100% uppercase(!__ISO_2022_JP_DELIM && __UPPERCASE_75_100)meta
URG_BIZContains urgent matterThe body of the mail contains a phrase regarding some urgent matter, such as "urgent reply" or "urgent business proposal".body
URI_ADOBESPARKNo description providedmeta
URI_AZURE_CLOUDAPPLink to hosted azure web application, possible phishing__URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLEmeta
URI_DASHGOVEDUSuspicious domain name__URI_DASHGOVEDUmeta
URI_DATA"data:" URI - possible malware or phish__URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUBmeta
URI_DOTEDUHas .edu URI__URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINKmeta
URI_DOTEDU_ENTITYVia .edu MTA + suspicious HTML content__URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFOmeta
URI_DOTTY_HEXSuspicious URI format__URI_DOTTY_HEXmeta
URI_DQ_UNSUBIP-address unsubscribe URI__URI_DQ_UNSUBmeta
URI_FIREBASEAPPLink to hosted firebase web application, possible phishing__URI_FIREBASEAPP || __URI_WEBAPPmeta
URI_GOOG_STO_SPAMMYLink to spammy content hosted by google storagem;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:lliedtrust7|n(?:c77emen777|tidcfsdfzef)|ppempresa|tividade)|b(?:7772dcb|athdfgdfgdfh|cvncv7845|d(?:sgbsehtth|thdethydeth)|edvgervg|looodsugarerte|rtghrh)|c(?:art\-checkout|bdkfgdfg|dfeesde|jowa)|d(?:e(?:rma(?:hdth|thbsdrhg)|tranmultas)|giadikir784|irecting77|rtrebtgh747|zdzefef)|e(?:7co7verage|liminatorlower|ntrega)|f(?:dfdfdzezr78|habgfdgbfrtg|i(?:delty(?:gbdtrbr|tyhjudtyu)|ghttinnitusnow|xguca777)|latbelly|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|ungusfghgh)|g(?:fhfjgfhfg|rfgrgrg|u(?:mmzdfefzf|tterprotection7))|hdfghbrh|in(?:formedetranmulta|s7urance7net|vest777in)|li(?:berty77arran|fefiltrevdf)|m(?:ale77en|edicar123n|on(?:5g154g|tzdzsds))|p(?:o(?:rtableheater7|vsedfzef)|rintsvalentine|soidngf8147|ureplant7)|r(?:enewlaemailved|iverb1986srt4|oundupccancer)|s(?:dfgwsd74fg|teelprobite77|ughdetged|zdzdzdzd)|t(?:acflashlight72|heunbreakable|r(?:abalhos|ugreen30)|unnifgdege)|v(?:frgrerg|szdefzsfzef)|w(?:4enmedicra8|defgzegfze|e(?:bwhatsfotos|llgrove90))|xcbxcbopiaze|yusdgtduf777))/;iuri
URI_GOOGLE_PROXYAccessing a blacklisted URI or obscuring source of phish via Google proxy?__URI_GOOGLE_PROXY && !__LONGLINE && !__ML1 && !__FSL_RELAY_GOOGLE && !__FROM_LOWER && !__RCD_RDNS_MAILmeta
URI_HEXURI hostname has long hexadecimal sequenceuri
URI_HEX_IPURI with hex-encoded IP-address host__URI_HEX_IPmeta
URI_HOST_IN_BLACKLISTDEPRECATED: See URI_HOST_IN_BLOCKLISTmeta
URI_HOST_IN_BLOCKLISTHost or Domain is listed in the user's URI block-listbody
URI_HOST_IN_WELCOMELISTHost or Domain is listed in the user's URI welcome-listbody
URI_HOST_IN_WHITELISTDEPRECATED: See URI_HOST_IN_WELCOMELISTmeta
URI_IMG_WP_REDIRImage via WordPress "accelerator" proxy__URI_IMG_WP_REDIRmeta
URI_IN_URI_10Multiple URIs inside URIuri
URI_LONG_REPEATVery long identical host+domain__URI_LONG_REPEATmeta
URI_MALWARE_SCMSLink to malware exploit download (.SettingContent-ms file)/\.SettingContent-ms\b/iuri
URI_NO_WWW_BIZ_CGICGI in .biz TLD other than third-level "www".biz website having a third level domain (subdomain) different from www.uri
URI_NO_WWW_INFO_CGICGI in .info TLD other than third-level "www".info website having a third level domain (subdomain) different from www.uri
URI_NOVOWELURI hostname has long non-vowel sequenceuri
URI_OBFU_DOMURI pretending to be different domain__URI_OBFU_DOM && !__VIA_MLmeta
URI_OBFU_WWWObfuscated URIbody
URI_ONLY_MSGID_MALFURI only + malformed message ID__URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOWmeta
URI_OPTOUT_3LDOpt-out URI, suspicious hostnamem,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,iuri
URI_OPTOUT_USMEOpt-out URI, unusual TLDm,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,iuri
URI_PHISHPhishing using web formmeta
URI_PHP_REDIRPHP redirect to different URL (link obfuscation)__URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTAmeta
URI_TRUNCATEDMessage contained a URI which was truncatedbody
URI_TRY_3LD"Try it" URI, suspicious hostname__URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDUmeta
URI_TRY_USME"Try it" URI, unusual TLD__URI_TRY_USME && !__DKIM_EXISTSmeta
URI_UNSUBSCRIBEURI contains suspicious unsubscribe linkuri
URI_WP_DIRINDEXURI for compromised WordPress site, possible malware__URI_WPDIRINDEXmeta
URI_WP_HACKEDURI for compromised WordPress site, possible malwaremeta
URI_WP_HACKED_2URI for compromised WordPress site, possible malwaremeta
URI_WPADMINWordPress login/admin URI, possible phishingmeta
URIBL_AB_SURBLContains an URL listed in the AB SURBL blocklistThe mail body contains a URI containing a domain that has matched an entry on the DNSBL AbuseButler URI Blacklist (SURBL).

[WWW] AbuseButler is kindly providing its top 400 or so [WWW] Spamvertised Sites which have been most often reported over the past 7 days. The philosophy and data processing methods are similar to the sc.surbl.org data, and the results are similar, but not identical. Data sources for AbuseButler include SpamCop and native AbuseButler reporting.

See: [WWW] http://www.surbl.org [WWW] http://www.abusebutler.com
body
URIBL_ABUSE_SURBLContains an URL listed in the ABUSE SURBL blocklistbody
URIBL_BLACKContains an URL listed in the URIBL blacklist"black.uribl.com - This lists contains domain names belonging to and used by spammers, including but not restricted to those that appear in URIs found in SPAM. This list has a goal of zero False Positives. This zone rebuilds frequently as new data is added."body
URIBL_BLOCKEDADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
URIBL_CR_SURBLContains an URL listed in the CR SURBL blocklistbody
URIBL_CSSContains an URL's NS IP listed in the Spamhaus CSS blocklistbody
URIBL_CSS_AContains URL's A record listed in the Spamhaus CSS blocklistbody
URIBL_DBL_ABUSE_BOTCCContains an abused botnet C&C URL listed in the Spamhaus DBL blocklistbody
URIBL_DBL_ABUSE_MALWContains an abused malware URL listed in the Spamhaus DBL blocklistbody
URIBL_DBL_ABUSE_PHISHContains an abused phishing URL listed in the Spamhaus DBL blocklistbody
URIBL_DBL_ABUSE_REDIRContains an abused redirector URL listed in the Spamhaus DBL blocklistbody
URIBL_DBL_ABUSE_SPAMContains an abused spamvertized URL listed in the Spamhaus DBL blocklistbody
URIBL_DBL_BLOCKEDADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/body
URIBL_DBL_BLOCKED_OPENDNSADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/body
URIBL_DBL_BOTNETCCContains a botned C&C URL listed in the Spamhaus DBL blocklistbody
URIBL_DBL_ERRORError: queried the Spamhaus DBL blocklist for an IPbody
URIBL_DBL_MALWAREContains a malware URL listed in the Spamhaus DBL blocklistbody
URIBL_DBL_PHISHContains a Phishing URL listed in the Spamhaus DBL blocklistbody
URIBL_DBL_SPAMContains a spam URL listed in the Spamhaus DBL blocklistbody
URIBL_GREYContains an URL listed in the URIBL greylist"grey.uribl.com - This lists contains domains found in UBE/UCE, and probably honour opt-out requests. This list can and probably will cause False Positives depending on your definition of SPAM. This zone rebuilds several times a day as necessary."body
URIBL_JP_SURBLContains an URL listed in the JP SURBL blocklistThe mail body contains a URI containing a domain that has matched an entry on the DNSBL jwSpamSpy + Prolocation data source URI Blacklist (SURBL).

Joe Wein's jwSpamSpy program forms the basis of the JP data, being used both by Joe's own systems and also Raymond Dijkxhoorn and his colleagues at Prolocation. Prolocation is processing more than 300,000 likely unsolicited messages per day using jwSpamSpy plus their own policies and adding them to Joe's data. The resulting list has a very good detection rate around 80% and a very low false positive rate around 0.01%.

See: [WWW] http://www.surbl.org [WWW] http://www.jwspamspy.net/
body
URIBL_MW_SURBLContains a URL listed in the MW SURBL blocklistbody
URIBL_OB_SURBLContains an URL listed in the OB SURBL blocklistThe mail body contains a URI containing a domain that has matched an entry on the DNSBL Outblaze URI Blacklist (SURBL).

Outblaze describes the data as coming from spam trap message body analysis and from user reports via a "this is spam" button. SURBL applies additional policies to its version of the Outblaze URI data that are published as ob.surbl.org. The user reports are also used, but not directly.

See: [WWW] http://www.surbl.org [WWW] http://www.outblaze.com
body
URIBL_PH_SURBLContains an URL listed in the PH SURBL blocklistbody
URIBL_REDContains an URL listed in the URIBL redlist"red.uribl.com - This list contains domains that are not listed on black and are either very young (domain age via whois), or use whois privacy features to protect their identity. This list is automated in nature, so please use at your own risk."body
URIBL_RHS_DOBContains an URI of a new domain (Day Old Bread)The mail contains a URI containing a domain listed in the DNSBL [WWW] dob.sibl.support-intelligence.net - which lists domains registered in the last five days.body
URIBL_SBLContains an URL listed in the SBL blocklistThe mail body contains a URI containing a domain that has matched an entry on the [WWW] Spamhaus Block List (DNSBL).

The Spamhaus Block List (SBL) is a realtime database of IP addresses of spam-sources, including known spammers, spam gangs, spam operations and spam support services. SBL listings are made according to policies outlined in [WWW] SBL Policy & Listing Criteria.

For the Received header check see RCVD_IN_SBL, and for other Spamhaus.org RBL listings see RCVD_IN_XBL RCVD_IN_PBL.
body
URIBL_SBL_AContains URL's A record listed in the Spamhaus SBL blocklistbody
URIBL_SC_SURBLContains an URL listed in the SC SURBL blocklistThe mail body contains a URI containing a domain that has matched an entry on the DNSBL SpamCop URI Blacklist (SURBL).

sc.surbl.org contains domains and a few web site IP addresses processed from SpamCop URI reports, also known as "spamvertised" sites. The reports are not used directly, but are subject to extensive processing.

See: [WWW] http://www.surbl.org [WWW] http://www.spamcop.net

For the SpamCop relay block list see Rules/RCVD_IN_BL_SPAMCOP_NET .
body
URIBL_WS_SURBLContains an URL listed in the WS SURBL blocklistThe mail body contains a URI containing a domain that has matched an entry on the DNSBL Bill Stearns URI Blacklist (SURBL).

ws.surbl.org has records from Bill Stearns' former SpamAssassin ruleset sa-blacklist, plus some other manual lists.

[WWW] http://www.surbl.org [WWW] http://www.sa-blacklist.stearns.org/sa-blacklist/
body
URIBL_ZEN_BLOCKEDADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/
URIBL_ZEN_BLOCKED_OPENDNSADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/body
US_DOLLARS_3Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN)The default value of ok_languages is "all", so this rule will only trigger if the value has been locally specified.body
USB_DRIVESTrying to sell custom USB flash drives__SUBJ_USB_DRIVESmeta
USER_IN_ALL_SPAM_TOUser is listed in 'all_spam_to'header
USER_IN_BLACKLISTFrom: address is in the user's black-listheader
USER_IN_BLACKLIST_TOUser is listed in 'blacklist_to'header
USER_IN_BLOCKLISTFrom: user is listed in the block-listheader
USER_IN_BLOCKLIST_TOUser is listed in 'blocklist_to'header
USER_IN_DEF_DKIM_WLFrom: address is in the default DKIM welcome-listheader
USER_IN_DEF_SPF_WLFrom: address is in the default SPF white-listheader
USER_IN_DEF_WELCOMELISTFrom: user is listed in the default welcome-listheader
USER_IN_DEF_WHITELISTFrom: address is in the default white-listThe From: address was listed in the default whitelist. The whitelist contains a series of addresses and domains that are allowed to relay for that address.

From [WWW] 60_whitelist.cf
These should be addresses which send mail that is often
tagged (incorrectly) as spam; it also helps that they be addresses of big
companies with lots of lawyers, so if spammers impersonate them, they'll get
into big trouble, so it doesn't provide a shortcut around SpamAssassin.
header
USER_IN_DKIM_WELCOMELISTFrom: address is in the user's DKIM welcomelistheader
USER_IN_DKIM_WHITELISTFrom: address is in the user's DKIM whitelistheader
USER_IN_MORE_SPAM_TOUser is listed in 'more_spam_to'header
USER_IN_SPF_WHITELISTFrom: address is in the user's SPF whitelistheader
USER_IN_WELCOMELISTUser is listed in 'welcomelist_from'header
USER_IN_WELCOMELIST_TOUser is listed in 'welcomelist_to'header
USER_IN_WHITELISTFrom: address is in the user's white-listA user or site administrator has added the sender's address to a list of trusted addresses.

Use of this setting is not recommended, since it blindly trusts the message, which is routinely and easily forged by spammers and phish senders. The recommended solution is to instead use whitelist_auth or other authenticated whitelisting methods, or whitelist_from_rcvd.
header
USER_IN_WHITELIST_TOUser is listed in 'whitelist_to'If the given address appears as a recipient in the message headers (Resent-To, To, Cc, obvious envelope recipient, etc.) the mail will be whitelisted. Useful if you're deploying SpamAssassin system-wide, and don't want some users to have their mail filteredheader
VBOUNCE_MESSAGEVirus-scanner bounce message!MY_SERVERS_FOUND && (__VBOUNCE_MSGLABS || __VBOUNCE_EXIM || __VBOUNCE_GUIN || __VBOUNCE_CISCO || __VBOUNCE_SMTP || __VBOUNCE_AOL || __VBOUNCE_DUTCH || __VBOUNCE_MAILMARSHAL || __VBOUNCE_MAILMARSHAL2 || __VBOUNCE_NAVFAIL || __VBOUNCE_REJECTED || __VBOUNCE_NAV || __VBOUNCE_MELDING || __VBOUNCE_VALERT || __VBOUNCE_REJ_FILT || __VBOUNCE_YOUSENT || __VBOUNCE_MAILSWEEP || __VBOUNCE_SCREENSAVER || __VBOUNCE_DISALLOWED || __VBOUNCE_FROMPT || __VBOUNCE_WARNING || __VBOUNCE_DETECTED || __VBOUNCE_AUTOMATIC || __VBOUNCE_INTERSCAN || __VBOUNCE_VIOLATION || __VBOUNCE_ALERT || __VBOUNCE_NAV2 || __VBOUNCE_NAV3 || __VBOUNCE_INTERSCAN2 || __VBOUNCE_INTERSCAN3 || __VBOUNCE_ANTIGEN || __VBOUNCE_LUTHER || __VBOUNCE_AMAVISD || __VBOUNCE_AMAVISD2 || __VBOUNCE_SCANMAIL || __VBOUNCE_DOMINO1 || __VBOUNCE_DOMINO2 || __VBOUNCE_RAV || __VBOUNCE_GSHIELD || __VBOUNCE_ATTACHMENT0 || __VBOUNCE_AVREPORT0 || __VBOUNCE_SENDER || __VBOUNCE_MAILSWEEP2 || __VBOUNCE_MAILSWEEP3 || __VBOUNCE_CLICKBANK || __VBOUNCE_FORBIDDEN || __VBOUNCE_MMS || __VBOUNCE_QUOTED_EXE || __VBOUNCE_MAJORDOMO_HELP || __VBOUNCE_AV_RESULTS || __VBOUNCE_EMVD || __VBOUNCE_UNDELIV || __VBOUNCE_BANNED_MAT || __VBOUNCE_NAV_DETECT || __VBOUNCE_DEL_WARN || __VBOUNCE_MIME_INFO || __VBOUNCE_EMAIL_REJ || __VBOUNCE_CONT_VIOL || __VBOUNCE_SYM_AVF || __VBOUNCE_SYM_EMP || __VBOUNCE_ATT_QUAR || __VBOUNCE_SECURIQ || __VBOUNCE_VIR_FOUND || __VBOUNCE_EMANAGER || __VBOUNCE_JMAIL || __VBOUNCE_GWAVA || __VBOUNCE_PT_BLOCKED || __VBOUNCE_INFLEX)
meta
VFY_ACCT_NORDNSVerify your account to a poorly-configured MTA - probable phishing__VFY_ACCT_NORDNS && !__STY_INVIS_MANYmeta
VIA_GAP_GRAAttempts to disguise the word 'viagra'body
VPS_NO_NTLDvps[0-9] domain at a suspiscious TLD__VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLDmeta
WALMART_IMG_NOT_RCVD_WALWalmart hosted image but message not from Walmart__WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTSmeta
WEIRD_PORTUses non-standard port number for HTTPThe mail contains an HTTP URI that uses an non-standard port (i.e. something other than 80, 8080, or 443).

Ports are considered standard if [WWW] registered with IANA:
http://www.iana.org/assignments/port-numbers
uri
WEIRD_QUOTINGWeird repeated double-quotation marksIt's looking for \042\223\224\262\263\271 to be repeated twice, followed by a non-space between 0-16 then another pair of \042\223\224\262\263\271body
WIKI_IMGImage from wikipediam,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),iuri
WITH_LC_SMTPReceived line contains spam-sign (lowercase smtp)header
WORD_INVISA hidden wordmeta
WORD_INVIS_MANYMultiple individual hidden wordsmeta
X_IPMessage has X-IP headerThe message contains an "X-Ip:" header. The rules [WWW] commit log describes it as a "not-quite-perfect-but-still-good header existence test". Presumably it is commonly used in spam for tracking purposes.header
X_MAILER_CME_6543_MSNNo description providedX-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*(dollar) /header
X_MESSAGE_INFOBulk email fingerprint (X-Message-Info) foundheader
X_PRIORITY_CCCc: after X-Priority: (bulk email fingerprint)header
XFER_LOTSA_MONEYTransfer a lot of money__XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFOmeta
XM_DIGITS_ONLYX-Mailer malformed__XM_DIGITS_ONLYmeta
XM_LIGHT_HEAVYSpecial edition of a MUA__XM_LIGHT_HEAVY && !__HAS_X_BEEN_THEREmeta
XM_PHPMAILER_FORGEDApparently forged header__XM_PHPMAILER_FORGEDmeta
XM_RANDOMX-Mailer apparently random__XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLYmeta
XM_RECPTIDHas spammy message header__HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTXmeta
XPRIOHas X-Priority headermeta
XPRIO_SHORT_SUBJHas X Priority header + short subject__XPRIO && __SUBJ_SHORTmeta
YAHOO_DRS_REDIRHas Yahoo Redirect URIuri
YAHOO_RD_REDIRHas Yahoo Redirect URIuri
YOU_INHERITDiscussing your inheritance__YOU_INHERITmeta

Found a mistake? Is something missing? Let us know!

This website uses cookies and asks your personal data to enhance your browsing experience.