SpamAssassin Rules

ALL IN ONE PLACE, EXPLAINED

Top Deliverability > SpamAssassin Rules

SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. SpamAssassin runs on a server, and filters spam before it reaches your mailbox.

SpamAssassin works by “scoring” each e-mail message against a range of tests designed to identify if that message is spam or not. A wide number of tests are provided, including checks to see if the sender and recipient address are valid, if the message dates are valid, if the body contains any of a list of forbidden words, if any of the sending servers are blacklisted, and so on. Each test adds to a message’s overall spam score; messages over a certain user-defined threshold are treated as spam and can be either trashed or marked with a special spam header. Go to the list of SpamAssassin’s rules.

In addition to these tests, SpamAssassin comes with a Bayes algorithm which “learns” to recognize new spam on the basis of old spam messages. This makes it possible for the software to automatically adapt and identify spam even in the absence of specific header or body tests. A white list system makes it easy to list e-mail addresses that you know are valid; messages from these senders are exempted from filtering and get routed directly to your mailbox.

In true open source spirit, it is possible to add your own custom tests, or modify the scoring rules to your own specific requirements.

How to read the SpamAssassin Rules Table

This page is meant to serve as a “Cheat Sheet” to help You troubleshooting a campaign impacted by the SpamAssassin’s filter.

Over 2,000 SpamAssassin Rules (AKA Tests) were collected along with a short description, detailed explanation and category.

You can use the search bar to filter them out, sort by the different columns independently, define how many rules to display at the same time and of course browse between pages freely by using the navigation arrows on the bottom.

How Reliable is this Data?

Data was collected from the official SpamAssassin documentation (up to v3.4.6) and enriched with additional information from Industry mailing-lists, forums, personal knowledge and practical experience. In fact, if you find a mistake or something that is missing, feel free to let us know and we’ll be happy to update this page.

Please Note: SpamAssassin is highly customizable. Default values can be changed, custom rules can be created. Given the frequency of its updates, some of the provided data might be obsolete with the most recent version of the Software. However, this is the most comprehensive collection of SpamAssassin Rules you will find on the Internet.

For additional and more up-to-date details, we strongly recommend to visit the official SpamAssassin documentation on Confluence here.

SpamAssassin Rule Types ("Area Tested")

Header – checks a message header for a string. Most commonly these rules check the Subject, From, or To, but they can be written to check any message header, including non-standard ones
Body – searches the body of the message with a regular expression and if it matches, the corresponding score is assigned. Body rules also include the Subject as the first line of the body content
Rawbody – Searches the body of the email without certain kinds of preprocessing that SA normally does before trying body rules. In particular HTML tags won’t be stripped and line breaks will still be present
Uri – matches text in the URI’s contained in plain text and HTML sections of mail
Meta – Boolean or arithmetic combinations of other rules (for example, it’s possible to create a meta rule which fires off when both a header and a body rule are true at the same time)
Full – Checks the entire message

Detailed description of SpamAssassin Rules

SPAMASSASSIN RULE	SHORT DESCRIPTION	DETAILED DESCRIPTION	AREA TESTED
__ALIBABA_IMG_NOT_RCVD_ALI	Alibaba hosted image but message not from Alibaba	__URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA	meta
__ANY_QUALCOMM_MUA	QUALCOMM	X-Mailer =~ /\bQUALCOMM\b/	header
__BIGNUM_EMAILS	Lots of email addresses/leads, free email account	/\b(?:thousand\|million\|\d[,1-9]{0,6}(?:[,0]+k?\|k))\s(?:(?!and\|or\|your\|place\|baby)\w+\s)?(?:e-?mail(?:\saddresses\|s?)\|fax numbers\|leads\|names)\b/i	body
__BIGNUM_EMAILS_FREEM	Lots of email addresses/leads, free email account	__BIGNUM_EMAILS && !BIGNUM_EMAILS_MANY	meta
__BITCOIN_IMGUR	Bitcoin + hosted image	__IMGUR_IMG && __BITCOIN	meta
__BITCOIN_OBFU_SUBJ	Bitcoin + obfuscated subject	__BITCOIN && __SUBJ_OBFU_PUNCT	meta
__BITCOIN_SPAM_02	BitCoin spam pattern 02	__BITCOIN_ID && __BOTH_INR_AND_REF	meta
__BITCOIN_SPAM_05	BitCoin spam pattern 05	__BITCOIN_ID && __SPOOFED_FREEMAIL	meta
__BITCOIN_SPAM_07	BitCoin spam pattern 07	__BITCOIN_ID && __TO_EQ_FROM	meta
__BITCOIN_WFH_01	Work-from-Home + bitcoin	__BITCOIN && __WFH_01	meta
__BITCOIN_XPRIO	Bitcoin + priority	__XPRIO && (__BITCOIN \|\| __BITCOIN_ID)	meta
__BOGUS_MSM_HDRS	Apparently bogus Microsoft email headers	__HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX	meta
__CHALLENGE_RESPONSE	Challenge-Response message for mail you sent	__CRBOUNCE_UOL \|\| __CRBOUNCE_VERIF \|\| __CRBOUNCE_RP \|\| __CRBOUNCE_VANQ \|\| __CRBOUNCE_HEADER \|\| __CRBOUNCE_QURB \|\| __CRBOUNCE_0SPAM \|\| __CRBOUNCE_GETRESP \|\| __CRBOUNCE_TMDA \|\| __CRBOUNCE_ASK \|\| __CRBOUNCE_EXI \|\| __CRBOUNCE_PREC_SPAM \|\| __CRBOUNCE_SZ \|\| __CRBOUNCE_SPAMLION \|\| __CRBOUNCE_MIB \|\| __CRBOUNCE_SI \|\| __CRBOUNCE_UNVERIF \|\| __CRBOUNCE_RP_2 \|\| __CRBOUNCE_BLOCKED \|\| __CRBOUNCE_SPAMARREST	meta
__CONTENT_AFTER_HTML	More content after HTML close tag	/<\/html>\s*[a-z0-9]/i	rawbody
__DC_GIF_MULTI_LARGO	Message has 2+ inline gif covering lots of area	( __GIF_ATTACH_2P && __GIF_AREA_180K )	meta
__DC_IMG_HTML_RATIO	Low rawbody to pixel area ratio	eval:image_to_text_ratio('all', '0.000', '0.015')	rawbody
__DC_IMG_TEXT_RATIO	Low body to pixel area ratio	eval:image_to_text_ratio('all', '0.000', '0.008')	body
__DC_PNG_MULTI_LARGO	Message has 2+ inline png covering lots of area	( __PNG_ATTACH_2P && __PNG_AREA_180K )	meta
__DESTROY_YOU	Destroy You	/\b(?:destroy\syou\|deine Zukunft zerst\S{1,3}ren)/i	body
__DKIM_DEPENDABLE	A validation failure not attributable to truncation		header
__DKIMWL_WL_HI	DKIMwl.org - Whitelisted High sender	_DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/	meta
__DKIMWL_WL_MED	DKIMwl.org - Whitelisted Medium sender	_DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/	meta
__DKIMWL_WL_MEDHI	DKIMwl.org - Whitelisted Medium/High sender	_DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/	meta
__DOTGOV_IMAGE	.gov URI + hosted image	__URI_DOTGOV && __REMOTE_IMAGE	meta
__DRUGS_ANXIETY_VAL	valium	/valium/i	body
__DRUGS_ANXIETY_XAN	xanax	/xan[ae]x/i	body
__DRUGS_ANXIETY1	xanax (second a sometimes done as e)	/(?:\b\|\s)[_\W]{0,3}x?x[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}n[_\W]{0,3}[ea4\xE1\xE2\xE3@][_\W]{0,3}xx?_{0,3}\b/i	body
__DRUGS_ANXIETY2	alprazolam	/\bAlprazolam\b/i	body
__DRUGS_ANXIETY3	valium	/(?:\b\|\s)[_\W]{0,3}(?:\\\/\|V)[_\W]{0,3}[a4\xE0-\xE6@][_\W]{0,3}[l\|][_\W]{0,3}[i1!\|l\xEC-\xEF][_\W]{0,3}[u\xB5\xF9-\xFC][_\W]{0,3}m\b/i	body
__DRUGS_ANXIETY4	diazepam, generic of valium	/\b_{0,3}D[_\W]?[i1!\|l\xEC-\xEF][_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?[ea3\xE9\xEA\xEB][_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m_{0,3}\b/i	body
__DRUGS_ANXIETY5	ativan	/(?:\b\|\s)[a4\xE0-\xE6@][_\W]?t[_\W]?[i1!\|l\xEC-\xEF][_\W]?v[_\W]?[a4\xE0-\xE6@][_\W]?n_{0,3}\b/i	body
__DRUGS_ANXIETY6	lorazepam - generic of ativan, uncommon in spam	/\b_{0,3}l[_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?[e3\xE8-\xEB][_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m_{0,3}\b/i	body
__DRUGS_ANXIETY7	clonazepam, generic.	/\b_{0,3}c[_\W]?l[_\W]?[o0\xF2-\xF6][_\W]?n[_\W]?[a4\xE0-\xE6@][_\W]?z[_\W]?e[_\W]?p[_\W]?[a4\xE0-\xE6@][_\W]?m\b/i	body
__DRUGS_ANXIETY8	klonopin, brand of clonazepam, uncommon in spam	/\bklonopin\b/i	body
__DRUGS_ANXIETY9	rivotril, brand of clonazepam, uncommon in spam	/\brivotril\b/i	body
__END_FUTURE_EMAILS	Spammy unsubscribe	/\b(?:end\|stop(?! receiving these (?:alerts\|emails))\|cease\|discontinue\|removed?\|(?:do(?! not wish to receive [\w\s]{0,20}emails)\|would\|you(?:'d)?) (?:not (?:wish\|want\|like\|desire)\|(?:prefer\|wish\|want\|like\|desire) not) to\|exclude yourself\|fore?go)[- ](?:get \|receiv(?:ing\|e) \|or \|(?:a-z{1,30} ){0,4}from )?(?:these\|our\|(?:any )?(?:future\|further)) (?:(?:e\|ad)?-?m(?:ail(?:ing)?\|es+[age]{3})\|alert\|PSA\|marketing\|notice)[- ]?(?:ad\|update)?s?\b/i	body
__ENV_AND_HDR_FROM_MATCH	Env and Hdr From used in default SPF WL Match	eval:check_for_matching_env_and_hdr_from()	header
__ENVFROM_GOOG_TRIX	From suspicious Google subdomain	EnvelopeFrom =~ /(?:@\|=)trix\.bounces\.google\.com(?:$\|=)/	header
__FBI_BODY_SHOUT_1	mentions FBI	/^FEDERAL BUREAU OF INVESTIGATIONS?\b/	body
__FBI_BODY_SHOUT_2	mentions FBI	/^FEDERAL BUREAU OF INVESTIGATIONS?\b/m	rawbody
__FBI_FM_DOM	FBI from address	From:addr =~ /\bfbi\.gov$/	header
__FBI_FM_NAME	FBI from name	From:name =~ /federal\sbureau\sof\sinvestigation/i	header
__FBI_RCVD_DOM	FBI relay	X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /	header
__FBI_SPOOF	Claims to be FBI, but not from FBI domain	(__FBI_FM_NAME \|\| __FBI_FM_DOM \|\| __FBI_BODY_SHOUT_1 \|\| __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __REPLYTO_EXISTS	meta
__FH_HAS_XPRIORITY	Has X-Priority header	exists:X-Priority	header
__FORGED_TBIRD_IMG	Possibly forged Thunderbird image spam	__MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D	meta
__FREEM_FRNUM_UNICD_EMPTY	Numeric freemail From address, unicode From name and Subject, empty body	FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY	meta
__freemail_mailreplyto	Has unusual reply-to header	eval:check_freemail_header('Mail-Reply-To')	header
__FROM_41_FREEMAIL	Sent from Africa + freemail provider		meta
__FROM_ADDRLIST_SUSPNTLD	From abused NTLD	eval:check_from_in_list('SUSP_NTLD')	header
__FROM_FMBLA_NDBLOCKED	listed on FMB.LA	_AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/	header
__GB_BITCOIN_CP_DE	German Bitcoin scam		body
__GB_BITCOIN_CP_EN	English Bitcoin scam		body
__GB_BITCOIN_CP_ES	Spanish Bitcoin scam		body
__GB_BITCOIN_CP_FR	French Bitcoin scam		body
__GB_BITCOIN_CP_IT	Italian Bitcoin scam		body
__GB_BITCOIN_CP_NL	Dutch Bitcoin scam		body
__GB_BITCOIN_CP_SE	Swedish Bitcoin scam		body
__GIF_ATTACH_1	counting the number of images (all or by image type)	eval:image_count('gif','1','1')	body
__GIF_ATTACH_2P	counting the number of images (all or by image type)	eval:image_count('gif','2')	body
__HAS_HREF	Has an anchor tag with a href attribute in non-quoted line	/^[^>].*?	body
__HAS_HREF_ONECASE	Has an anchor tag with a href attribute in non-quoted line with consistent case		rawbody
__HAS_IMG_SRC	Has an img tag on a non-quoted line	/^[^>].*?	rawbody
__HAS_IMG_SRC_ONECASE	Has an img tag on a non-quoted line with consistent case	/^[^>].*?<(img src\|IMG SRC)=/m	rawbody
__HDR_RCVD_WALMART	from Walmart	X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/	header
__hk_bigmoney		/(?:EURO?\|USD?\|GBP\|CFA\|\&\#163;\|[\xa3\xa4]\|\$\|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}\|[0-9.,]{1,4}(?: ?M\b\| ?(?:de )?Mil))/i	body
__hk_win_0		/\byour? e-?mail just w[oi]n/i	body
__hk_win_2		/\battn.{0,10}winner/i	body
__hk_win_3		/\bhappily aa?nnounce/i	body
__hk_win_4		/\bpleas(?:ure\|ed) to inform/i	body
__hk_win_5		/\b(?:notice the\|your) winning/i	body
__hk_win_7		/\bcongratulations? to your/i	body
__hk_win_8		/\bunexpected luck/i	body
__hk_win_9		/\blucky (?:nl )number/i	body
__hk_win_a		/\bwinning (?:e-?mail\|numbers\|information)/i	body
__hk_win_b		/\byour e-?mail (?:address )?(?:has )?w[io]n/i	body
__hk_win_c		/\bune adresse e-?mail sur internet/i	body
__hk_win_d		/\bcategory (?:\S{0,5} )?winner of our/i	body
__hk_win_i		/\bfunds? transfer/i	body
__hk_win_j		/\b(?:winning\|ready for\|sum) pay ?out/i	body
__hk_win_l		/\b(?:make\|file) (?:for )?your claim/i	body
__hk_win_m		/\br.clamation de votre prix/i	body
__hk_win_n		/\bcollect your prize/i	body
__hk_win_o		/\bclarification and procedure/i	body
__JAPANESE_UCE_BODY	Body contains Japanese UCE tag	/(?:L\$>5Bz\|EE;R%a!<%k)(?:8x\|9-)9p/	body
__JPEG_ATTACH_1	counting the number of images (all or by image type)	eval:image_count('jpeg',1,1)	body
__JPEG_ATTACH_2P	counting the number of images (all or by image type)	eval:image_count('jpeg',2)	body
__JS_DOCWRITE	Javascript	/document\.write/	rawbody
__JS_FROMCHARCODE	Javascript	/String\.fromCharCode\s\(\s\S+\s\[\s\S+\s\]\s\^/	rawbody
__KAM_BODY_LENGTH_LT_1024	The length of the body of the email is less than 1024 bytes.		body
__KAM_BODY_LENGTH_LT_128	The length of the body of the email is less than 128 bytes.		body
__KAM_BODY_LENGTH_LT_256	The length of the body of the email is less than 256 bytes.		body
__KAM_BODY_LENGTH_LT_512	The length of the body of the email is less than 512 bytes.		body
__MIME_BASE64	Includes a base64 attachment	eval:check_for_mime('mime_base64_count')	rawbody
__MIME_QP	Includes a quoted-printable attachment	eval:check_for_mime('mime_qp_count')	rawbody
__ML_TURNS_SP_TO_TAB	A mailing list changing a space to a TAB		header
__ML1	Mail from a mailing list	Precedence =~ m{\b(list\|bulk)\b}i	header
__ML2	Mail from a mailing list	exists:List-Id	header
__ML3	Mail from a mailing list	exists:List-Post	header
__ML4	Mail from a mailing list	exists:Mailing-List	header
__ML5	Mail from a mailing list	Return-Path:addr =~ m{^([^\@]+-(request\|bounces\|admin\|owner)\|owner-[^\@]+)(\@\|\z)}mi	header
__NONEMPTY_BODY	Message appears to have no textual parts	/\S/	body
__NSL_ORIG_FROM_41	Originates from 41.0.0.0/8		header
__NSL_RCVD_FROM_41	Received from 41.0.0.0/8		header
__OBFU_UNSUB_UL	Obfuscated unsubscribe text	/(?:click_here\|remove_your\|our_e?mail\|this_list\|to_unsubscribe\|future_e?mail\|our_list)/	body
__OBFUSCATING_COMMENT_A	Obfuscated text	/\w(?:]*>)+\w/	rawbody
__OBFUSCATING_COMMENT_B	Obfuscated text	/[^\s>](?:]*>)+[^\s<]/	rawbody
__PAXFUL		/\bp-?a+-?x+-?f-?u+-?l\b/i	body
__PDS_OFFER_ONLY_AMERICA	Offer only available to US	/This offer (is )?(only )?for (United States\|USA)/i	body
__PNG_ATTACH_1	counting the number of images (all or by image type)	eval:image_count('png','1','1')	body
__PNG_ATTACH_2P	counting the number of images (all or by image type)	eval:image_count('png','2')	body
__RCVD_IN_MSPIKE	MAILSPIKE: sender is listed in MAILSPIKE	eval:check_rbl('mspike-lastexternal', 'bl.mailspike.net.')	header
__RCVD_IN_MSPIKE_Z	Spam wave participant	eval:check_rbl_sub('mspike-lastexternal', '^127\.0\.0\.2$')	header
__RCVD_IN_SORBS	SORBS: sender is listed in SORBS		header
__RCVD_IN_ZEN	Received via a relay in Spamhaus Zen		header
__RDNS_DYNAMIC_ADELPHIA	Relay HELO'd using suspicious hostname (Adelphia)		header
__RDNS_DYNAMIC_ATTBI	Relay HELO'd using suspicious hostname (ATTBI.com)		header
__RDNS_DYNAMIC_CHELLO_NL	Relay HELO'd using suspicious hostname (Chello.nl)		header
__RDNS_DYNAMIC_CHELLO_NO	Relay HELO'd using suspicious hostname (Chello.no)		header
__RDNS_DYNAMIC_COMCAST	Relay HELO'd using suspicious hostname (Comcast)		header
__RDNS_DYNAMIC_DHCP	Relay HELO'd using suspicious hostname (DHCP)		header
__RDNS_DYNAMIC_DIALIN	Relay HELO'd using suspicious hostname (T-Dialin)		header
__RDNS_DYNAMIC_HCC	Relay HELO'd using suspicious hostname (HCC)		header
__RDNS_DYNAMIC_HEXIP	Relay HELO'd using suspicious hostname (Hex IP)		header
__RDNS_DYNAMIC_IPADDR	Relay HELO'd using suspicious hostname (IP addr 1)		header
__RDNS_DYNAMIC_NTL	Relay HELO'd using suspicious hostname (NTL)		header
__RDNS_DYNAMIC_OOL	Relay HELO'd using suspicious hostname (OptOnline)		header
__RDNS_DYNAMIC_ROGERS	Relay HELO'd using suspicious hostname (Rogers)		header
__RDNS_DYNAMIC_RR2	Relay HELO'd using suspicious hostname (RR 2)		header
__RDNS_DYNAMIC_SPLIT_IP	Relay HELO'd using suspicious hostname (Split IP)		header
__RDNS_DYNAMIC_TELIA	Relay HELO'd using suspicious hostname (Telia)		header
__RDNS_DYNAMIC_VELOX	Relay HELO'd using suspicious hostname (Veloxzone)		header
__RDNS_DYNAMIC_VTR	Relay HELO'd using suspicious hostname (VTR)		header
__RDNS_DYNAMIC_YAHOOBB	Relay HELO'd using suspicious hostname (YahooBB)		header
__RESIGNER1	Mail through a popular signing remailer	eval:check_dkim_valid('linkedin.com')	full
__RESIGNER2	Mail through a popular signing remailer	eval:check_dkim_valid('googlegroups.com','yahoogroups.com','yahoogroups.de')	full
__SCREEN_1024x768	using exact size match to identify things like screenshots	eval:image_size_exact('all',1024,768)	body
__SCREEN_1280x1024	using exact size match to identify things like screenshots	eval:image_size_exact('all',1280,1024)	body
__SCREEN_640x480	using exact size match to identify things like screenshots	eval:image_size_exact('all',800,600)	body
__SCREEN_800x600	using exact size match to identify things like screenshots	eval:image_size_exact('all',800,600)	body
__SUB_END_NUMSCOM	Unicode subject	Subject =~ /[0-9]{6,}c[0o]m$/i	header
__SUBJ_ADMIN		Subject =~ /\b(?:(?:sys)?admin(?:istrator)?\|server\|service\|support)\b/i	header
__SUBJ_BRKN_WORDNUMS		__SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU	meta
__SUBJ_BROKEN_WORD		Subject =~ /\s(?!i[PTM][aoh][bcdou]\|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/	header
__SUBJ_DOM_ADMIN		__SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN	meta
__SUBJ_HAS_FROM_1		ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism	header
__SUBJ_HAS_TO_1		ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism	header
__SUBJ_HAS_TO_2		ALL =~ /\nReceived:[^\n]{0,200} for ;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism	header
__SUBJ_HAS_TO_3		ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism	header
__SUBJ_NOT_SHORT		Subject =~ /^.{16}/	header
__SUBJ_OBFU_PUNCT		Subject =~ /(?:[-~`"!@\#$%^&()_+={}\|\\\/?<>,.:;][a-z][-~`"!@\#$%^&()_+={}\|\\\/?<>,.:;\s]\|(?:[a-z][~`"!@\#$%^&*()_+={}\|\\?<>,.:;][a-z](?![a-z])))/i	header
__SUBJ_RE		Subject =~ /^(?:R[eE]\|S[vV]\|V[sS]\|A[wW]):/	header
__SUBJ_SHORT		Subject =~ /^.{0,8}$/	header
__SUBJ_UNNEEDED_HTML		Subject =~ /%[0-9a-f][0-9a-f]/i	header
__SUBJ_USB_DRIVES		Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/	header
__SUBJECT_EMPTY		Subject:raw =~ /^\s*$/	header
__SUBJECT_PRESENT_EMPTY		__HAS_SUBJECT && __SUBJECT_EMPTY	meta
__SUBSCRIPTION_INFO		/\b(?:e?newsletters?\|(?:un)?(?:subscrib\|register)\|you(?:r\| are) subscri(?:b\|ption)\|opt(?:.\|ing)?out\b\|further info\|you do ?n[o']t w(?:ish\|ant)\|remov\w{1,3}.{1,9}\blists?\b\|to your white.?list)/i	body
__SUM_OF_FUND		/\b(?:sum\|release\|freigabe)\s(?:of\|der)\s(?:amount\|fund\|investment\|mittel)\b/i	body
__SURVEY		/\bsurvey\b/i	body
__SURVIVORS		/\b(?:widow\|son\|daughter\|husband\|wife\|brother\|sister\|attorney\|vi(?:=FA\|[\xfa]\|[\xc3][\xba])va\|esposa\|veuve)\s(?:of\|to\|do\|de)\s(?:the\s)?(?:late\|falecido\|finales\|feu\|d(?:e\|=E9\|[\xe9]\|[\xc3][\xa9])funt\|mr\.?)\s\w+\b/i	body
__SUSPICION_LOGIN		/\bsuspicion login\b/i	body
__SYSADMIN		/\b(?:help?[- ]?desk\|(?:(?:web ?)?mail ?\|sys(?:tem )?)admin(?:istrator)\|local[- ]host\|(?:support\|upgrade\|management\|security\|admin(?:istrat(?:or\|ion))?) (?:team\|center)\|message from administrator\|university mail server copyright\|suporte t(?:=E9\|[\xe9]\|[\xc3][\xa9])cnico\|administrador do sistema)\b/i	body
__T_PDS_MSG_512		(__KAM_BODY_LENGTH_LT_512 \|\| __HTML_LENGTH_512 \|\| __PDS_QP_512)	meta
__TB_MIME_BDRY_NO_Z		Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/	header
__TENWORD_GIBBERISH		/^\s*(?:[a-z]+\s+){10}\.$/m	rawbody
__THEY_INHERIT		/\b(?:inherit\sth(?:e\|is)\smoney\|herede\sest[ea]\sdinero)\b/i	body
__THIS_AD	"This ad" and variants	/(?:\b\|_)this[- _]+(?:ad(?:vert[i1l]sement)?\|promo(?:tion)?)s?(?:\b\|_)/i	body
__THREAD_INDEX_GOOD		Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==\|[A-Za-z0-9+/]{7}\|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,	header
__THREADED		(!__MISSING_REPLY && !__NO_INR_YES_REF) \|\| (__MISSING_REPLY && !__MISSING_REF)	meta
__TO___LOWER		ALL =~ /to:\s\S{5}/	header
__TO_ALL_NUMS		To:addr =~ /^\d+@/	header
__TO_EQ_FM_DIRECT_MX		__TO_EQ_FROM && __DOS_DIRECT_TO_MX	meta
__TO_EQ_FM_DOM_HTML_IMG		__TO_EQ_FROM_DOM && __HTML_LINK_IMAGE	meta
__TO_EQ_FM_DOM_HTML_ONLY		__TO_EQ_FROM_DOM && MIME_HTML_ONLY	meta
__TO_EQ_FM_DOM_SPF_FAIL		__TO_EQ_FROM_DOM && SPF_FAIL	meta
__TO_EQ_FM_HTML_DIRECT		__TO_EQ_FM_DIRECT_MX && MIME_HTML_ONLY	meta
__TO_EQ_FM_HTML_ONLY		__TO_EQ_FROM && MIME_HTML_ONLY	meta
__TO_EQ_FM_SPF_FAIL		__TO_EQ_FROM && SPF_FAIL	meta
__TO_EQ_FROM	To: same as From:	(__TO_EQ_FROM_1 \|\| __TO_EQ_FROM_2)	meta
__TO_EQ_FROM_1		ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism	header
__TO_EQ_FROM_2		ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism	header
__TO_EQ_FROM_DOM	To: domain same as From: domain	(__TO_EQ_FROM_DOM_1 \|\| __TO_EQ_FROM_DOM_2)	meta
__TO_EQ_FROM_DOM_1		ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism	header
__TO_EQ_FROM_DOM_2		ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism	header
__TO_EQ_FROM_USR	To: username same as From: username	(__TO_EQ_FROM_USR_1 \|\| __TO_EQ_FROM_USR_2) && !(__FROM_DNS \|\| __FROM_INFO \|\| __SENDER_BOT)	meta
__TO_EQ_FROM_USR_1		ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism	header
__TO_EQ_FROM_USR_2		ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism	header
__TO_EQ_FROM_USR_NN	To: username same as From: username sans trailing nums	(__TO_EQ_FROM_USR_NN_1 \|\| __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS \|\| __FROM_INFO \|\| __SENDER_BOT)	meta
__TO_EQ_FROM_USR_NN_1		ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism	header
__TO_EQ_FROM_USR_NN_2		ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism	header
__TO_EQ_FROM_USR_NN_MINFP		__TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED	meta
__TO_IN_SUBJ		(__SUBJ_HAS_TO_1 \|\| __SUBJ_HAS_TO_2 \|\| __SUBJ_HAS_TO_3)	meta
__TO_NO_ARROWS_R		To !~ /(?:>$\|>,)/	header
__TO_NO_BRKTS_FREEMAIL		__TO_NO_ARROWS_R && (FREEMAIL_FROM \|\| FREEMAIL_REPLYTO)	meta
__TO_NO_BRKTS_FROM_RUNON		__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON	meta
__TO_NO_BRKTS_HTML_IMG		__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG	meta
__TO_NO_BRKTS_HTML_ONLY		__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY	meta
__TO_NO_BRKTS_MSFT		__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA \|\| __MIMEOLE_MS)	meta
__TO_NO_BRKTS_NORDNS_HTML		__TO_NO_BRKTS_HTML_ONLY && RDNS_NONE	meta
__TO_NO_BRKTS_PCNT		__TO_NO_ARROWS_R && __FB_NUM_PERCNT	meta
__TO_TOO_MANY_WFH_01		__TO_WAY_TOO_MANY && __WFH_01	meta
__TO_UNDISCLOSED		To =~ /\b(?:undisclosed[-\s]recipients\|destinataires inconnus\|destinatari nascosti)\b/i	header
__TO_WAY_TOO_MANY		ToCc =~ /(?:,[^,]{1,90}){50}/	header
__TO_YOUR_ACCT		/\b(?:(?:f[uo]nds\|money\|f[uo]ndo\|dinheiro\|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?\|transferido\|sont)\|\d+)\s(?:to\|para\|en)\s(?:your?\|sua\|votre)\s(?:account\|conta\|pos+es+ion)/i	body
__TO_YOUR_ORG		/\b(?:to\|for) your organi[sz]ation\b/i	body
__TRANSFORM_LIFE		/\b(transform\|change) your (?:daily )?life(?:style)?\b/i	body
__TRAVEL_AGENT		/\btravel\sagen(?:t\|cy)\b/i	body
__TRAVEL_BUSINESS		/\bbusiness\stravel\b/i	body
__TRAVEL_ITINERARY		/(?:travel\|ticketed\|your\|current) itinerary/i	body
__TRAVEL_MANY		(__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2	meta
__TRAVEL_PROFILE		/\btravel+er\sprofile\b/i	body
__TRAVEL_RESERV		/\b(?:reservation\s(?:confirmed\|number)\|travel\sreservations?)\b/i	body
__TRTMT_DEFILED		/\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i	body
__TRUNK_BOX		/\b(?:(?:trunk\|metallic\|proof\|security\|consignment)\sbox(?:es)?\|sealed\ssafe\|une mallette m(?:e\|=E9\|[\xe9]\|[\xc3][\xa9])tallique)\b/i	body
__TRUSTED_CHECK		/\b(?:cashier'?s?\|certified)\sche(?:ck\|que)/i	body
__TT_BROKEN_VALIUM		Subject =~ /V[:^."%()\[\\]?A[:^."%()\[\\]?L[:^."%()\[\\]?I[:^."%()\[\\]?U[:^."%()*\[\\]?M/i	header
__TT_BROKEN_VIAGRA		Subject =~ /V[:^."%()\[\\]?I[:^."%()\[\\]?A[:^."%()\[\\]?G[:^."%()\[\\]?R[:^."%()*\[\\]?A/i	header
__TT_OBSCURED_VALIUM		Subject =~ /(v\|V\|\\\/)(a\|A\|$a$\|4\|@)(l\|L\|\\|)(i\|I\|1\|\xef\|\\|)(u\|U\|$u$)(m\|M)/	header
__TT_OBSCURED_VIAGRA		Subject =~ /(v\|V\|\\\/)(i\|I\|1\|\xef\|\\|)(a\|A\|$a$\|4\|@)(g\|G)(r\|R)(a\|A\|$a$\|4\|@)/	header
__TT_VALIUM		Subject =~ /VALIUM/i	header
__TT_VIAGRA		Subject =~ /VIAGRA/i	header
__TVD_FW_GRAPHIC_ID1		Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/	mimeheader
__TVD_MIME_ATT_AOPDF		Content-Type =~ /^application\/octet-stream.*\.pdf/i	mimeheader
__TVD_MIME_ATT_AP		Content-Type =~ /^application\/pdf/i	mimeheader
__TVD_MIME_ATT_TP		Content-Type =~ /^text\/plain/i	mimeheader
__TVD_OUTLOOK_IMG		Content-Id =~ /	mimeheader
__TVD_PH_BODY_01		/\baccount .{0,20}placed? [io]n restricted status/i	body
__TVD_PH_BODY_02		/\brecords (?:[a-z_,-]+ )+?(?:feature\|(?:a\|re)ward)/i	body
__TVD_PH_BODY_03		/\byou(?:'ve\| have) been (?:[a-z_,-]+ )+?payment/i	body
__TVD_PH_BODY_04		/\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i	body
__TVD_PH_BODY_05		/\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i	body
__TVD_PH_BODY_06		/Dear [a-z]+ bank (?:member\|customer)/i	body
__TVD_PH_BODY_07		/\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i	body
__TVD_PH_BODY_08		/\bmultiple password failures/i	body
__TVD_PH_BODY_ACCOUNTS_POST		/\b(?:(?:[dr]e-?)?activat[a-z]*\|(?:re-?)?validate\|secure\|restore\|confirm\|update\|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i	body
__TVD_PH_BODY_ACCOUNTS_PRE		/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*\|suspen[a-z]+\|notif(?:y\|ication)\|updated\|verifications?\|credited)\b/i	body
__TVD_PH_BODY_META		__TVD_PH_BODY_01 \|\| __TVD_PH_BODY_02 \|\| __TVD_PH_BODY_03 \|\| __TVD_PH_BODY_04 \|\| __TVD_PH_BODY_05 \|\| __TVD_PH_BODY_06 \|\| __TVD_PH_BODY_07 \|\| __TVD_PH_BODY_08	meta
__TVD_PH_SUBJ_00		Subject =~ /\brewards? survey\b/i	header
__TVD_PH_SUBJ_02		Subject =~ /\byour payment has been sent\b/i	header
__TVD_PH_SUBJ_04		Subject =~ /\baccounts? profile\b/i	header
__TVD_PH_SUBJ_15		Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow\|day)\b/i	header
__TVD_PH_SUBJ_17		Subject =~ /\bremove limitations?\b/i	header
__TVD_PH_SUBJ_18		Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i	header
__TVD_PH_SUBJ_19		Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i	header
__TVD_PH_SUBJ_29		Subject =~ /^notice(?::\|[\s\W]*$)/i	header
__TVD_PH_SUBJ_31		Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i	header
__TVD_PH_SUBJ_36		Subject =~ /\bconsumer notice\b/i	header
__TVD_PH_SUBJ_37		Subject =~ /\bvalued member[a-z]*\b/i	header
__TVD_PH_SUBJ_38		Subject =~ /\bonline bank[a-z]*\b/i	header
__TVD_PH_SUBJ_39		Subject =~ /\bonline department\b/i	header
__TVD_PH_SUBJ_41		Subject =~ /\bunusual activity\b/i	header
__TVD_PH_SUBJ_52		Subject =~ /\b(?:account\|online) profile\b/i	header
__TVD_PH_SUBJ_54		Subject =~ /\bun-?authorized access(?:es)?\b/i	header
__TVD_PH_SUBJ_56		Subject =~ /\brespond now\b/i	header
__TVD_PH_SUBJ_58		Subject =~ /\bbilling service\b/i	header
__TVD_PH_SUBJ_59		Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i	header
__TVD_PH_SUBJ_ACCESS_POST		Subject =~ /\b(?:(?:re-?)?activat[a-z]\|secure\|verify\|restore\|flagged\|limited\|unusual\|report\|notif(?:y\|ication)\|suspen(?:d\|ded\|sion)) (?:[a-z_,-]+ )?access\b/i	header
__TVD_PH_SUBJ_META		__TVD_PH_SUBJ_00 \|\| __TVD_PH_SUBJ_02 \|\| __TVD_PH_SUBJ_04 \|\| __TVD_PH_SUBJ_15 \|\| __TVD_PH_SUBJ_17 \|\| __TVD_PH_SUBJ_18 \|\| __TVD_PH_SUBJ_19 \|\| __TVD_PH_SUBJ_29 \|\| __TVD_PH_SUBJ_31 \|\| __TVD_PH_SUBJ_36 \|\| __TVD_PH_SUBJ_37 \|\| __TVD_PH_SUBJ_38 \|\| __TVD_PH_SUBJ_39 \|\| __TVD_PH_SUBJ_41 \|\| __TVD_PH_SUBJ_52 \|\| __TVD_PH_SUBJ_54 \|\| __TVD_PH_SUBJ_56 \|\| __TVD_PH_SUBJ_58 \|\| __TVD_PH_SUBJ_59 \|\| __TVD_PH_SUBJ_ACCESS_POST	meta
__TVD_SPACE_ENCODED	Space ratio & encoded subject	(__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)	meta
__TVD_SUBJ_NUM_OBFU		Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i	header
__UA_GNUS		User-Agent =~ /^Gnus/	header
__UA_KMAIL		User-Agent =~ /^KMail/	header
__UA_KNODE		User-Agent =~ /^KNode/	header
__UA_MOZ5		User-Agent =~ /^Mozilla\/5/	header
__UA_MSOEMAC		User-Agent =~ /^Microsoft-Outlook-Express-Mac/	header
__UA_MSOMAC		User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/	header
__UA_MUTT		User-Agent =~ /^Mutt/	header
__UA_OPERA7		User-Agent =~ /^Opera7/	header
__UA_PAN		User-Agent =~ /^Pan/	header
__UA_XNEWS		User-Agent =~ /^Xnews/	header
__UC_GIBB_OBFU		/\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/	body
__UN		/\bunited\snations?\b/i	body
__UNDISC_FREEM		__TO_UNDISCLOSED && __freemail_replyto	meta
__UNDISC_MONEY		__TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW \|\| LOTS_OF_MONEY)	meta
__UNICODE_OBFU_ASC		/[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]\|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]\|\xd1[\x80\x81])+[a-z0-9\s]/i	body
__UNICODE_OBFU_ASC_MANY		__UNICODE_OBFU_ASC > 9	meta
__UNICODE_OBFU_ZW		/[a-z0-9\s](?:\x9d\|\xe2\x80[\x8b\x8c\x8d]\|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d\|\xe2\x80[\x8b\x8c\x8d]\|\xef\xbb\xbf)+[a-z0-9\s]/i	body
__UNICODE_OBFU_ZW_10		__UNICODE_OBFU_ZW > 9	meta
__UNICODE_OBFU_ZW_2		__UNICODE_OBFU_ZW > 1	meta
__UNICODE_OBFU_ZW_3		__UNICODE_OBFU_ZW > 2	meta
__UNICODE_OBFU_ZW_5		__UNICODE_OBFU_ZW > 4	meta
__UNSUB_EMAIL		/\b(?:(?:un)?subscri(?:ber?\|ptions?)\|abuses?\|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]\|$)/i	body
__UNSUB_LINK		/\b(?:(?:un)?subscri(?:ber?\|ptions?)\|abuses?\|opt(?:ing)?.?out)\b/i	uri
__UPGR_MAILBOX		/\b(?:up(?:g[ra]+d(?:e\|ing)\|date) (?:(?:[hw]as\|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box\|(?:web ?\|e-?)mail)\|(?:web ?\|e-?)mail Upgrade cuenta\|atualiz(?:e\|ar) (?:a\|sua) caixa de correio\|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?\|below)(?: link)? to (?:(?:complete\|finish\|increase) )?(?:(?:the\|this\|your)\s)?(?:up(?:date\|grade)\|(?:web ?\|e-?)?mail(?:\s?box)? (?:size\|quota\|limit))\|utrzymania aktywnego konta\|request (?:for )additional storage\|you (?:have )?(?:failed\|refused) to up(?:date\|grade))\b/i	body
__UPPERCASE_URI		/^[^:A-Z]+[A-Z]/	uri
__URI_12LTRDOM		m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i	uri
__URI_ADOBESPARK		m,https?://branchlink\.adobespark\.com/,i	uri
__URI_AZURE_CLOUDAPP		m,://(?:[^./]+\.)+cloudapp\.azure\.com/,	uri
__URI_DASHGOVEDU		m,://[^/]*-(?:gov\|edu)\.com/,i	uri
__URI_DATA		/^data:(?!image\/)[a-z]/i	uri
__URI_DBL_DOM		m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i	uri
__URI_DOM_DOTDOT		m,://[^/]+\.\.,	uri
__URI_DOTEDU		m;^https?://(?:[^./]+\.)+edu/;i	uri
__URI_DOTEDU_ENTITY		__URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW	meta
__URI_DOTGOV		m;^https?://(?:[^./]+\.)+gov/;i	uri
__URI_DOTTY_HEX		/(?:\.[0-9a-f]{2}){30}/	uri
__URI_DQ_UNSUB		m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i	uri
__URI_FIREBASEAPP		m,://[^./]+\.firebaseapp\.com/,	uri
__URI_GOOG_STO_HTML		m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$\|\?),i	uri
__URI_GOOG_STO_IMG		m,^https?://storage\.googleapis\.com/.*\.(?:png\|jpe?g\|gif)$,i	uri
__URI_GOOGLE_DOC		m,^https?://docs\.google\.com/(?:[^/]+/)(?:view(?:form)?\?(?:[^&]+&)(?:id\|formkey\|usp)=\|document/),i	uri
__URI_GOOGLE_DRV		m,^https?://(?:drive\.google\|googledrive)\.com/,i	uri
__URI_GOOGLE_PROXY		m;^https?://[^.]+\.googleusercontent\.com/proxy/;i	uri
__URI_HEX_IP		m;://0x[0-9A-F]{8,}[:/];i	uri
__URI_IMG_ALICDN		m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g\|gif\|png),i	uri
__URI_IMG_AMAZON		m,://[^/?]+\.(?:ssl-)?images-amazon\.com/,i	uri
__URI_IMG_CHANNYPIC		m,://www\.channypicture\.com/pic/,i	uri
__URI_IMG_EBAY		m,://[^/?]+\.ebayimg\.com/,i	uri
__URI_IMG_JOOMCDN		m,://img\.joomcdn\.net/,i	uri
__URI_IMG_NEWEGG		m,://[^/?]+\.neweggimages\.com/,i	uri
__URI_IMG_SHOPIFY		m,://cdn\.shopify\.com/.+\.(?:jpe?g\|gif\|png),i	uri
__URI_IMG_STATICBG		m,://imgaz\.staticbg\.com/images/,i	uri
__URI_IMG_WALMART	Walmart hosted image	m,://[^/?]+\.walmartimages\.com/,i	uri
__URI_IMG_WISH		m,://contestimg\.wish\.com/,i	uri
__URI_IMG_WP_REDIR		m;://i[02]\.wp\.com/.*\.(?:jpe?g\|gif\|png)$;i	uri
__URI_IMG_YTIMG		m,://[^/?]+\.ytimg\.com/,i	uri
__URI_MAILTO		/^mailto:/i	uri
__URI_MONERO		/buy-monero/i	uri
__URI_MYSP_AC		m;://mysp\.ac/;i	uri
__URI_ONLY_MSGID_MALF		__BODY_URI_ONLY && __MSGID_NOFQDN2	meta
__URI_PHISH		__HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH \|\| __ACCT_PHISH)	meta
__URI_PHP_REDIR		m;/redirect\.php\?;i	uri
__URI_TRY_USME		m,^https?://(?:try\|start\|get\|save\|check\|act\|compare\|join\|learn\|request\|visit\|my)[^.]*\.[^/]+\.(?:us\|me\|mobi\|club)\b,i	uri
__URI_WEBAPP		m,://[^./]+\.web\.app/,	uri
__URI_WPADMIN		m,/wp-admin/\w+/,i	uri
__URI_WPCONTENT		m,/wp-content/.*\.(?:php\|html?)\b,i	uri
__URI_WPDIRINDEX	URI for compromised WordPress site, possible malware	m,/wp-(?:content\|includes)/.*/$,i	uri
__URI_WPINCLUDES		m,/wp-includes/.*\.(?:php\|html?)\b,i	uri
__URL_BTC_ID		m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}\|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/\|$);	uri
__URL_LTC_ID		m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/\|$);	uri
__URL_SHORTENER		/^https?:\/\/(?:bit\.ly\|bit\.do\|buff\.ly\|tinyurl\.com\|ow\.ly\|owl\.li\|is\.gd\|tumblr\.com\|mysp\.ac\|formspring\.me\|ff\.im\|youtu\.be\|tl\.gd\|plurk\.com\|migre\.me\|j\.mp\|cli\.gs\|goo\.gl\|goo\.io\|yfrog\.com\|lnk\.ms\|su\.pr\|fb\.me\|alturl\.com\|wp\.me\|ping\.fm\|chatter\.com\|post\.ly\|twurl\.nl\|tiny\.cc\|4sq\.com\|ustre\.am\|short\.to\|u\.nu\|flic\.kr\|budurl\.com\|digg\.com\|twitvid\.com\|gowal\.la\|om\.ly\|justin\.tv\|icio\.us\|p\.gs\|loopt\.us\|tcrn\.ch\|xrl\.us\|wpo\.st\|bkite\.com\|t\.cn\|t\.co\|x\.co\|hop\.kz\|urla\.ru\|fw\.to\|back\.ly\|ecs\.page\.link\|cc\.uz\|smarturl\.it\|s\.apache\.org)\/[^\/]{3}\/?/	uri
__USING_VERP1		Return-Path =~ /[+-].*=/	header
__VACATION		Subject =~ /\b(?:vacatio\|away\|out.of.offic\|auto.?re\|confirm)/i	header
__VALIDATE_MAILBOX		/\b(?:(?:re-?)?(?:valida(?:te\|r)\|confirm\|set)(?:\S?(?:increase\|raise))? (?:your\|(?:a )?sua) (?:mail\s?box\|(?:e-?)?mail quota\|caixa)\|confirmar (?:que )?a sua conta (?:de e-?mail\|ainda est(?:=E1\|[\xe1]\|[\xc3][\xa1]) ativa)\|wprowadz dane konta ponizej\|utrzymania aktywnego konta e-?mail\|weryfikacji konta\|you (?:have )?(?:failed\|refused) to (?:verify\|validate)\|(?:e-?mail\|confirm) verification\|verify k?now\|logs?in below to (\S+\s){0,10}(?:download\|release\|retrieve) your (?:messages\|e?-?mails))\b/i	body
__VALIDATE_MBOX_SE		/(?:\b=E5\|[\xe5]\|[\xc3][\xa5])terst(?:=E4\|\xe4\|[\xc3][\xa4])lla ditt konto\b/i	body
__VERIFY_ACCOUNT		/(?:confirm\|updated?\|verif(?:y\|ied)) (?:your\|the) (?:(?:account\|current\|billing\|personal\|online)? ?(?:records?\|information\|account\|identity\|access\|data\|login)\|"?[^\@\s]+\@\S+"? (?:account\|mail ?box)\|confirm verification\|verify k?now\|Ihre Angaben .berpr.ft und best.tigt)/i	body
__VFY_ACCT_NORDNS		__VERIFY_ACCOUNT && __RDNS_NONE	meta
__VIA_ML	Mail from a mailing list	__ML1 \|\| __ML2 \|\| __ML3 \|\| __ML4 \|\| __ML5	meta
__VIA_RESIGNER	Mail through a popular signing remailer	__RESIGNER1 \|\| __RESIGNER2	meta
__VPSNUMBERONLY_TLD		From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i	header
__WALMART_IMG_NOT_RCVD_WAL	Walmart hosted image but message not from Walmart	__URI_IMG_WALMART && !__HDR_RCVD_WALMART	meta
__WE_PAID		/\bwe have (?:already )?(?:paid\|sent\|remitted\|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users\|subscribers\|members\|clients\|affiliates\|partners)\b/i	body
__WEBMAIL_ACCT		/\byour web ?mail account/i	body
__WIDOW		/\b(?:widow(?:e[rd])'?s?\|veuve)\b/i	body
__WILL_LEGAL		/\b(?:codicil\|last\stestament\|probate\|executor\|intestate\|bequest\|mandamus)\b/i	body
__WIRE_XFR		/\b(?:wire\|telegraph(?:ic)?\|bank)\s?transfer/i	body
__WITHOUT_EFFORT		/\bwith(?:out(?: a(?:ny)?\| the)?\| no)(?: great\| special\| extra)? effort\b/i	body
__WORD_INVIS		/<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s:\s(?:0[01](?:\.\d+)?(?:px\|pt\|Q\|vw\|vh\|vmin)\|0+(?:\.\d+)?(?:cm\|mm\|in\|pc\|em\|ex\|ch\|rem\|lh\|vmax))\s[;'a-z]\|['"\s;]color\s:\stransparent\s*[;'])[^>]{0,80}>\w{1,20}	rawbody
__WORD_INVIS_2		__WORD_INVIS > 1	meta
__WORD_INVIS_5		__WORD_INVIS > 5	meta
__WORD_INVIS_MINFP		__WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID	meta
__XEROXWORKCTR_MUA		X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/	header
__XFER_LOTSA_MONEY		__XFER_MONEY && LOTS_OF_MONEY	meta
__XFER_MONEY		(__WIRE_XFR \|\| __TRUSTED_CHECK \|\| __BANK_DRAFT \|\| __MOVE_MONEY \|\| __TO_YOUR_ACCT \|\| __PAY_YOU \|\| __GIVE_MONEY)	meta
__XM_APPLEMAIL		X-Mailer =~ /^Apple Mail/	header
__XM_BALSA		X-Mailer =~ /^Balsa \d/	header
__XM_CALYPSO		X-Mailer =~ /^Calypso/	header
__XM_DIGITS_ONLY	X-Mailer malformed	X-Mailer =~ /^\s\d+\s$/	header
__XM_FORTE		X-Mailer =~ /^Forte Agent \d/	header
__XM_GNUS		X-Mailer =~ /^Gnus v/	header
__XM_IPHONEMAIL		X-Mailer =~ /^iPhone Mail $[0-9A-F]{4,8}$/	header
__XM_LIGHT_HEAVY		X-Mailer =~ /\b(?:light\|(?	header
__XM_MHE		X-Mailer =~ /^mh-e \d/	header
__XM_MOZ4		X-Mailer =~ /^Mozilla 4/	header
__XM_MS_IN_GENERAL		X-Mailer =~ /\bMSCRM\b\|Microsoft (?:CDO\|Outlook\|Office Outlook)\b/	header
__XM_MSOE5		X-Mailer =~ /^Microsoft Outlook Express 5/	header
__XM_MSOE6		X-Mailer =~ /^Microsoft Outlook Express 6/	header
__XM_OL_10_0_4115		X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/	header
__XM_OL_28001441		X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/	header
__XM_OL_28004682		X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/	header
__XM_OL_4_72_2106_4		X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/	header
__XM_OL_48072300		X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/	header
__XM_OUTLOOK_EXPRESS		X-Mailer =~ /^Microsoft Outlook Express \d/	header
__XM_PHPMAILER_FORGED		X-Mailer =~ /PHPMailer\s.*version\D+$/	header
__XM_RANDOM		X-Mailer =~ /q(?!q?mail\|boxmail\|\d\|[-\w]*=+;)[^u]/i	header
__XM_SKYRI		X-Mailer =~ /^SKYRiXgreen/	header
__XM_SQRLMAIL		X-Mailer =~ /^SquirrelMail/	header
__XM_SYLPHEED		X-Mailer =~ /^Sylpheed/	header
__XM_UC_ONLY		X-Mailer =~ /^[^a-z]+$/	header
__XM_VM		X-Mailer =~ /^VM \d/	header
__XM_WWWMAIL		X-Mailer =~ /^WWW-Mail \d/	header
__XM_XIMEVOL		X-Mailer =~ /^Ximian Evolution/	header
__XPRIO	Has X-Priority header	exists:X-Priority	header
__XPRIO_MINFP		__XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS	meta
__XPRIO_SHORT_SUBJ		__XPRIO_MINFP && __SUBJ_SHORT	meta
__YOU_ASSIST		/\b(?:your\sas+istan(?:ce\|t)\|votre\s(?:as+istance\|aide))\b/i	body
__YOU_INHERIT	Discussing your inheritance	/\byour\s[a-z\s]{0,30}inherit+ance\b/i	body
__YOU_WON		__YOU_WON_01 \|\| __YOU_WON_02 \|\| __YOU_WON_03 \|\| __YOU_WON_04 \|\| __HAS_WON_01 \|\| (__YOU_WON_05 && (__MOVE_MONEY \|\| __GIVE_MONEY))	meta
__YOU_WON_01		/\byou(?:r\|'re\|'ve\|'ll\|\shave\|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er\|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i	body
__YOU_WON_02		/\bw[io]n\s(?:(?:for\|by)\s)?your?\b/i	body
__YOU_WON_03		/\b(?:your?\|win+ing\|win+ers?\|beneficiaries\|participants?\|individuals?\|address(?:es)?\|accounts?\|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere\|as)\|ha(?:ve\|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly\|raffly)\s(?:selected\|cho+sen\|cho+sing\|picked)\|(?:selected\|cho+sen\|cho+sing\|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?\|online\|lottery\|computer\s(?:ballot\|wahlgang))\|(?:selected\|cho+sen\|cho+sing\|picked)(?:\sas?\|\sthe){0,3}\swin+er)/i	body
__YOU_WON_04		/\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]\|=C3=AA\|[\xea]\|e)tes\s?gagnant\|en\scons(?:e\|=E9\|[\xe9]\|[\xc3][\xa9])quence\sgagne)\b/i	body
__YOU_WON_05		/\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i	body
__YOUR_BANK		/\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i	body
__YOUR_CONSIGNMENT		/\b(?:received?\|pa(?:y\|id)\|sen[dt]\|h[oe]ld\|delay(?:ed)?\|impound(?:ed)?\|released?\|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i	body
__YOUR_FUND		/\b(?:your\|ihr)\s(?:unpaid\s\|win+ing\s\|ap+roved\s\|foreign\s\|overdue\s\|outstanding\s\|contract\s\|inheritance\s\|nicht\sausbezahlten\s){0,3}(?:fund\|f\su\sn\sd\|payment\|geld)\b/i	body
__YOUR_ONAN		/\b(?:your?\|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion\|ing\|e)(?:svideo)?\|onanism\|solitary\ssex\|hand\sfucking\|Selbstbefriedigung\|(?:pleasur(?:e\|ing)\|satisfy(?:ing)?)\syourself)\b/i	body
__YOUR_PASSWORD		/\b(?:your\|(?:change\|modify\|update\|reset\|alter\|fix)\sthe)\s(?:account\s\|e-?mail\s)?(?:pass[-\s_]?word\|pswd)\b/i	body
__YOUR_PERM		/\byour\spermission\b/i	body
__YOUR_PERSONAL		/\b(?:your\s(?:personal\|private\|social\scontact\|address\|friends)\s(?:info(?:rmation)?\|data\|details\|book\|secrets)\|all\s(?:of\s)?your\s(?:files\|contacts\|secrets\|correspondence))\b/i	body
__YOUR_PROFIT		/\byour?\sprofit/i	body
__YOUR_WEBCAM		/\b(?:from\|your\|with\|and\|on)\s(?:(?:screen\|desktop\|microphone)\sand\s\|own\s)?(?:web[-\s]?\|front[-\s]?\|network\s\|your\s)camer+a/i	body
__ZIP_ATTACH_MT		Content-Type =~ m,\bapplication/(?:zip\|x-(?:zip-)?compress(?:ed)?)\b,i	mimeheader
__ZIP_ATTACH_NOFN		Content-Type =~ m,\bapplication/(?:zip\|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i	mimeheader
AC_BR_BONANZA	Too many newlines in a row... spammy template	/(?: \s*){30}/i	rawbody
AC_DIV_BONANZA	Too many divs in a row... spammy template	/(?: (?:\s<\/div>)?\s){10}/i	rawbody
AC_FROM_MANY_DOTS	Multiple periods in From user name	From =~ /<(?:\w+\.){2,}\w+@/	header
AC_HTML_NONSENSE_TAGS	Many consecutive multi-letter HTML tags, likely nonsense/spam	/(?:<[A-Za-z0-9]{4,}>\s*){10}/	rawbody
AC_POST_EXTRAS	Suspicious URL	__AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID	meta
AC_SPAMMY_URI_PATTERNS1	link combos match highly spammy template	__AC_OUTL_URI && __AC_OUTI_URI	meta
AC_SPAMMY_URI_PATTERNS10	link combos match highly spammy template	__AC_PUNCTNUMS_URI	meta
AC_SPAMMY_URI_PATTERNS11	link combos match highly spammy template	__AC_NDOMLONGNASPX_URI	meta
AC_SPAMMY_URI_PATTERNS12	link combos match highly spammy template	__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI	meta
AC_SPAMMY_URI_PATTERNS2	link combos match highly spammy template	__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI	meta
AC_SPAMMY_URI_PATTERNS3	link combos match highly spammy template	__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI	meta
AC_SPAMMY_URI_PATTERNS4	link combos match highly spammy template	__AC_NUMS_URI	meta
AC_SPAMMY_URI_PATTERNS8	link combos match highly spammy template	__AC_LONGSEQ_URI	meta
AC_SPAMMY_URI_PATTERNS9	link combos match highly spammy template		meta
ACCESSDB	Message would have been caught by accessdb	Many MTAs support access databases, such as Sendmail, Postfix, etc. This plugin does similar checks to see whether a message would have been flagged. The rule returns false if an entry isn't found, or the entry has a RHS of OK or SKIP. The rule returns true if an entry exists and has a RHS of REJECT, ERROR, or DISCARD. Note: only the first word (split on non-word characters) of the RHS is checked, so error:5.7.1:... means ERROR.	header
ACCT_PHISHING	Possible phishing for account information	(__ACCT_PHISH \|\| __EMAIL_PHISH) && !ACCT_PHISHING_MANY && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MTA_MESSY && !__STY_INVIS_MANY	meta
ACCT_PHISHING_MANY	Phishing for account information	(__ACCT_PHISH_MANY \|\| __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY	meta
ACT_NOW_CAPS	Talks about 'acting now' with capitals		body
AD_PREFS	Advertising preferences	/(?:\b\|_)(?:ad(?:vert[i1l]s[i1l]ng)?\|promo(?:tion)?\|marketing)[- _](?:pref(?:s\|erences)\|settings)(?:\b\|_)/i	body
ADMAIL	"admail" and variants	__ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS	meta
ADMITS_SPAM	Admits this is an ad	__ADMITS_SPAM && !__TO___LOWER && !__MSOE_MID_WRONG_CASE && !__RP_MATCHES_RCVD	meta
ADULT_DATING_COMPANY	No description provided		meta
ADVANCE_FEE_2	Standard description: Appears to be advance fee fraud (Nigerian 419)	A phrase in the email body has been found that is commonly found in advance fee fraud spam.	body
ADVANCE_FEE_2_NEW_FORM	Advance Fee fraud and a form	(__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__COMMENT_EXISTS && !__THREADED && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__DOS_HAS_LIST_UNSUB && !__HAS_SENDER && !__HAS_X_LOOP	meta
ADVANCE_FEE_2_NEW_FRM_MNY	Advance Fee fraud form and lots of money	(__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP	meta
ADVANCE_FEE_2_NEW_MONEY	Advance Fee fraud and lots of money	(__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_CENTER && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__HDRS_LCASE && !__NAME_EQ_EMAIL && !__URI_MAILTO_MANY && !__RP_MATCHES_RCVD && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP	meta
ADVANCE_FEE_3_NEW	Appears to be advance fee fraud (Nigerian 419)	(__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__UNSUB_LINK && !__UPPERCASE_URI && !__SURVEY && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG	meta
ADVANCE_FEE_3_NEW_FORM	Advance Fee fraud and a form	(__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__HTML_LINK_IMAGE && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP	meta
ADVANCE_FEE_3_NEW_FRM_MNY	Advance Fee fraud form and lots of money	(__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HTML_LINK_IMAGE && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP	meta
ADVANCE_FEE_3_NEW_MONEY	Advance Fee fraud and lots of money	(__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__UNSUB_LINK && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP	meta
ADVANCE_FEE_4_NEW	Appears to be advance fee fraud (Nigerian 419)	(__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__DOS_HAS_LIST_UNSUB	meta
ADVANCE_FEE_4_NEW_FORM	Advance Fee fraud and a form		meta
ADVANCE_FEE_4_NEW_FRM_MNY	Advance Fee fraud form and lots of money	__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY	meta
ADVANCE_FEE_4_NEW_MONEY	Advance Fee fraud and lots of money	(__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__HTML_LINK_IMAGE && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__HAS_X_LOOP	meta
ADVANCE_FEE_5_NEW	Appears to be advance fee fraud (Nigerian 419)	__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY	meta
ADVANCE_FEE_5_NEW_FORM	Advance Fee fraud and a form	__ADVANCE_FEE_5_NEW_FORM	meta
ADVANCE_FEE_5_NEW_FRM_MNY	Advance Fee fraud form and lots of money	__ADVANCE_FEE_5_NEW_FRM_MNY	meta
ADVANCE_FEE_5_NEW_MONEY	Advance Fee fraud and lots of money	__ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE	meta
ALIBABA_IMG_NOT_RCVD_ALI	Alibaba hosted image but message not from Alibaba	__ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE	meta
ALL_TRUSTED	Passed through trusted hosts only via SMTP	"Trusted" does not mean "trusted to not send spam." It means "trusted to not forge Received: headers." If your message hits on the ALL_TRUSTED rule, it means that all of the Received: headers in the message were inserted by SMTP relays you have indicated are "TrustedRelays" and the "from" part of the Received: header is also from one of your "TrustedRelays"; consequently, no tests of the source of the message (for example, tests against DNSBlocklists) will be performed. If that message is obviously spam, and you think it should have been caught by DNS tests, then your trust path is configured incorrectly.	header
AMAZON_IMG_NOT_RCVD_AMZN	Amazon hosted image but message not from Amazon	__AMAZON_IMG_NOT_RCVD_AMZN && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST	meta
ANY_BOUNCE_MESSAGE	Message is some kind of bounce message	(CRBOUNCE_MESSAGE\|\|BOUNCE_MESSAGE\|\|VBOUNCE_MESSAGE)	meta
ANY_PILL_PRICE	Prices for pills		meta
APOSTROPHE_FROM	From address contains an apostrophe	The apostrophe character "'" appears in the address part of the From: header. e.g. john.o'groats@example.com Note that, while the email address specification (RFC5322) allows for apostrophes to be included in the local-part of an address, use of apostrophes has been historically discouraged for security and interoperability reasons. As such addresses containing them use may be considered unusual.	header
APP_DEVELOPMENT_FREEM	App development pitch, freemail or CHN replyto		meta
APP_DEVELOPMENT_NORDNS	App development pitch, no rDNS		meta
AWL	From: address is in the auto white-list	The auto white-list (AWL) keeps track of the scores associated with known senders and pushes the total score for the mail toward the average for the sender. Thus a mail from a previous sender that's otherwise scored higher than average may receive a negative score; a mail scored lower than average may receive a positive score.	header
AXB_HELO_HOME_UN	HELO from home - untrusted	X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\w+\.(lan\|home) /i	header
AXB_X_AOL_SEZ_S	AOL said this is S*	x-aol-global-disposition =~ /^S$/	header
AXB_X_FF_SEZ_S	Forefront sez this is spam	X-Forefront-Antispam-Report =~ /\bSFV\:SPM\b/	header
AXB_XM_FORGED_OL2600	Forged OE v. 6.2600	__AXB_XM_OL_2600 && !__AXB_MO_OL_2600	meta
AXB_XM_SENDMAIL_NOT	Nebbiolo fingerprint		header
AXB_XMAILER_MIMEOLE_OL_024C2	Yet another X header trait	__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2	meta
AXB_XMAILER_MIMEOLE_OL_1ECD5	Yet another X header trait	__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5	meta
AXB_XMID_1212	Barbera Fingerprint		header
AXB_XMID_1510	Brunello Fingerprint		header
AXB_XMID_OEGOESNULL	Amarone Fingerprint		header
AXB_XR_STULDAP	Received =~ /$8\.12\.3 da nor stuldap\/8\.12\.3$/	Potentially abused Open Relay (8.12.3 da nor stuldap/8.12.3)	header
BAD_CREDIT	Eliminate Bad Credit		body
BAD_ENC_HEADER	Message has bad MIME encoding in the header		header
BANG_GUAR	Something is emphatically guaranteed		body
BANG_OPRAH	Talks about Oprah with an exclamation!		body
BANKING_LAWS	Talks about banking laws	/banking laws/i	body
BASE64_LENGTH_78_79	base64 encoded email part uses line length of 78 or 79 characters	According to http://en.wikipedia.org/wiki/Base64 , base 64 should only be 76 chars long, so these are out of format.	body
BASE64_LENGTH_79_INF	base64 encoded email part uses line length greater than 79 characters	According to http://en.wikipedia.org/wiki/Base64 , base 64 should only be 76 chars long, so these are out of format.	body
BAYES_00	Bayes spam probability is 0 to 1%	SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience. Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.	body
BAYES_05	Bayes spam probability is 1 to 5%	SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience. Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.	body
BAYES_20	Bayes spam probability is 5 to 20%	SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience. Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.	body
BAYES_40	Bayes spam probability is 20 to 40%	SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience. Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.	body
BAYES_50	Bayes spam probability is 40 to 60%	SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience. Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.	body
BAYES_60	Bayes spam probability is 60 to 80%	SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience. Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.	body
BAYES_80	Bayes spam probability is 80 to 95%	SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience. Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.	body
BAYES_95	Bayes spam probability is 95 to 99%	SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience. Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.	body
BAYES_95	Bayes spam probability is 95 to 99%		body
BAYES_99	Bayes spam probability is 99 to 100%	SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience. Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.	body
BAYES_99	Bayes spam probability is 99 to 100%		body
BAYES_999	Bayes spam probability is 99.9 to 100%	SpamAssassin includes a Bayesian filter that assigns scores based on the user's previous email history. This can assign both positive and negative scores. For instance, a user may receive a particular spam message several times via a relay identified in a DNSBL, so that SpamAssassin correctly identifies it as spam. If the user receives the same message via a new unlisted relay, the Bayesian algorithm will assign a high score to it based on previous experience. Conversely, if a user receives a regular newsletter from a fitness club, and one issue makes reference to diet pills and weight loss (which would normally flage the message as spam), the Bayesian algorithm will assign a lower score to it.	body
BAYES_999	Bayes spam probability is 99.9 to 100%		body
BEBEE_IMG_NOT_RCVD_BB	Bebee hosted image but message not from Bebee		meta
BIGNUM_EMAILS_FREEM	Lots of email addresses/leads, free email account	__BIGNUM_EMAILS_FREEM	meta
BIGNUM_EMAILS_FREEM	Lots of email addresses/leads, free email account		meta
BIGNUM_EMAILS_MANY	Lots of email addresses/leads, over and over		meta
BILLION_DOLLARS	Talks about lots of money		body
BITCOIN_BOMB	BitCoin + bomb	__BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01	meta
BITCOIN_DEADLINE	BitCoin with a deadline	__BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01	meta
BITCOIN_EXTORT_01	Extortion spam, pay via BitCoin	(__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA )	meta
BITCOIN_EXTORT_02	Extortion spam, pay via BitCoin	__OBFU_BITCOIN_NOID && __EXTORT_MANY	meta
BITCOIN_IMGUR	Bitcoin + hosted image	__BITCOIN_IMGUR	meta
BITCOIN_MALF_HTML	Bitcoin + malformed HTML	HTML_EXTRA_CLOSE && (__BITCOIN \|\| __BITCOIN_ID)	meta
BITCOIN_MALWARE	BitCoin + malware bragging	__BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED	meta
BITCOIN_OBFU_SUBJ	Bitcoin + obfuscated subject	__BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI	meta
BITCOIN_ONAN	BitCoin + [censored]	__BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01	meta
BITCOIN_PAY_ME	Pay me via BitCoin	__BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01	meta
BITCOIN_SPAM_01	BitCoin spam pattern 01	__BITCOIN_ID && HTML_MIME_NO_HTML_TAG	meta
BITCOIN_SPAM_02	BitCoin spam pattern 02	__BITCOIN_SPAM_02 && !__URL_BTC_ID	meta
BITCOIN_SPAM_03	BitCoin spam pattern 03	__BITCOIN_ID && __SINGLE_WORD_SUBJ	meta
BITCOIN_SPAM_04	BitCoin spam pattern 04	__BITCOIN_ID && __freemail_hdr_replyto	meta
BITCOIN_SPAM_05	BitCoin spam pattern 05	__BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO	meta
BITCOIN_SPAM_06	BitCoin spam pattern 06	__BITCOIN_ID && TVD_RCVD_SPACE_BRACKET	meta
BITCOIN_SPAM_07	BitCoin spam pattern 07	__BITCOIN_SPAM_07 && !__DKIM_EXISTS	meta
BITCOIN_SPAM_08	BitCoin spam pattern 08	__BITCOIN_ID && __TO_IN_SUBJ	meta
BITCOIN_SPAM_09	BitCoin spam pattern 09	__BITCOIN_ID && ( __DESTROY_ME \|\| __DESTROY_YOU )	meta
BITCOIN_SPAM_10	BitCoin spam pattern 10	__BITCOIN_ID && ( HTML_IMAGE_ONLY_04 \|\| HTML_IMAGE_ONLY_08 )	meta
BITCOIN_SPAM_11	BitCoin spam pattern 11	__BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU	meta
BITCOIN_SPAM_12	BitCoin spam pattern 12	__BITCOIN_ID && __BOGUS_MIME_HDR_MANY	meta
BITCOIN_SPF_ONLYALL	Bitcoin from a domain specifically set to pass +all SPF	__PDS_SPF_ONLYALL && __BITCOIN_ID	meta
BITCOIN_WFH_01	Work-from-Home + bitcoin	__BITCOIN_WFH_01	meta
BITCOIN_XPRIO	Bitcoin + priority	__BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY	meta
BITCOIN_YOUR_INFO	BitCoin with your personal info	__BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01	meta
BLANK_LINES_70_80	Message body has 70-80% blank lines	This suggests that the sender is trying to hide content "below the page fold", that the recipient may not scroll down to see. This may include nonsense characters or random text taken from the Web, intended to thwart pattern-matching filters by sending slightly different messages to each recipient.	body
BLANK_LINES_80_90	Message body has 80-90% blank lines	This suggests that the sender is trying to hide content "below the page fold", that the recipient may not scroll down to see. This may include nonsense characters or random text taken from the Web, intended to thwart pattern-matching filters by sending slightly different messages to each recipient.	body
BLANK_LINES_90_100	Message body has 90-100% blank lines	This suggests that the sender is trying to hide content "below the page fold", that the recipient may not scroll down to see. This may include nonsense characters or random text taken from the Web, intended to thwart pattern-matching filters by sending slightly different messages to each recipient.	body
BODY_8BITS	Body includes 8 consecutive 8-bit characters		body
BODY_ENHANCEMENT	Information on growing body parts	/\b(?:enlarge\|increase\|grow\|lengthen\|larger\b\|bigger\b\|longer\b\|thicker\b\|\binches\b).{0,50}\b(?:penis\|male organ\|pee[ -]?pee\|dick\|sc?hlong\|wh?anger\|breast(?!\s+cancer))/i	body
BODY_ENHANCEMENT2	Information on getting larger body parts	/\b(?:penis\|male organ\|pee[ -]?pee\|dick\|sc?hlong\|wh?anger\|breast(?!\s+cancer)).{0,50}\b(?:enlarge\|increase\|grow\|lengthen\|larger\b\|bigger\b\|longer\b\|thicker\b\|\binches\b\|size)/i	body
BODY_SINGLE_URI	Message body is only a URI	(__BODY_SINGLE_WORD && __HAS_ANY_URI) && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP	meta
BODY_SINGLE_WORD	Message body is only one word (no spaces)	__BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP	meta
BODY_URI_ONLY	Message body is only a URI in one line of text or for an image	__BODY_URI_ONLY && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__TO_EQ_FROM_DOM && !__X_CRON_ENV	meta
BOGUS_MIME_VERSION	Mime version header is bogus	__BOGUS_MIME_VER_02 \|\| __MALF_MIME_VER	meta
BOGUS_MSM_HDRS	Apparently bogus Microsoft email headers	__BOGUS_MSM_HDRS	meta
BOMB_FREEM	Bomb + freemail	__EXPLOSIVE_DEVICE && __freemail_hdr_replyto	meta
BOMB_MONEY	Bomb + money: bomb threat?	__EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW \|\| __ADVANCE_FEE_4_NEW \|\| __ADVANCE_FEE_5_NEW )	meta
BOUNCE_MESSAGE	MTA bounce message	__HAVE_BOUNCE_RELAYS && (!__MY_SERVERS_FOUND && !ALL_TRUSTED && !__NONBOUNCE_READ_RECEIPT && (__BOUNCE_FROM_DAEMON \|\| (__BOUNCE_RPATH_NULL && !__BOUNCE_READ_NOTIFICATION) \|\| __BOUNCE_RPATH_MD \|\| __BOUNCE_AUTO_GENERATED \|\| __BOUNCE_Y_AUTOGEN \|\| __BOUNCE_SYMANTEC \|\| __BOUNCE_X_ERR_STAT \|\| __BOUNCE_RETURNED \|\| __BOUNCE_MAILDELFAIL \|\| __BOUNCE_MSGDELFAIL \|\| __BOUNCE_ESMTP \|\| __BOUNCE_OOO_2 \|\| __BOUNCE_NEVER_SEE \|\| __BOUNCE_NONWORKING \|\| __BOUNCE_UNDELIVERABLE \|\| __BOUNCE_UNDELIVERABLE_ML \|\| __BOUNCE_NOTDEL \|\| __BOUNCE_CTYPE \|\| __BOUNCE_DEL_FAIL \|\| __BOUNCE_STAT_FAIL \|\| __BOUNCE_ADDR_ERR \|\| __BOUNCE_NO_VAL \|\| __BOUNCE_DATA_FORMAT \|\| __BOUNCE_COULD_NOT \|\| __BOUNCE_UNDEL_MSG \|\| __BOUNCE_OOO_H1 \|\| __BOUNCE_OOO_H2 \|\| __BOUNCE_OOO_H3 \|\| __BOUNCE_RPATH_ERRMAIL \|\| __BOUNCE_OOO_3 \|\| __BOUNCE_INTERSCAN \|\| __BOUNCE_ETRUST \|\| __BOUNCE_AUTO_RESPONSE \|\| __BOUNCE_AUTO_RESPOND \|\| __BOUNCE_NO_RESEND \|\| __BOUNCE_NOTIF \|\| __BOUNCE_RET_MAIL \|\| __BOUNCE_DEL_FAIL \|\| __BOUNCE_MAIL_DEL_FAIL \|\| __BOUNCE_AUTO_REPLY))	meta
BTC_ORG	Bitcoin wallet ID + unusual header	(__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED	meta
BUG6152_INVALID_DATE_TZ_ABSURD	Date =~ /[-+](?!(?:0\d\|1[0-4])(?:[03]0\|[14]5))\d{4}/	Wrong/absurd date.	header
BULK_RE_SUSP_NTLD	Precedence bulk and RE: from a suspicious TLD	__SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD	meta
CANT_SEE_AD	You really want to see our spam.	__CANT_SEE_AD_1 \|\| __CANT_SEE_AD_2	meta
CHALLENGE_RESPONSE	Challenge-Response message for mail you sent	__MY_SERVERS_FOUND && __CHALLENGE_RESPONSE	meta
CHARSET_FARAWAY	Character set indicates a foreign language	The content of the mail is in a character set not permitted by the value of the ok_locales configuration setting. The default value of ok_locales is "all", so this rule will only trigger if the value has been locally specified.	body
CHARSET_FARAWAY_HEADER	A foreign language charset used in headers	The character set used in the Subject or other headers does not match that of the message body. This may indicate an attempt to avoid English-language text filters.	header
CK_HELO_DYNAMIC_SPLIT_IP	Relay HELO'd using suspicious hostname (Split IP)	X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?!(?:\d+\.){4})\d+[^\d\s]+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/i	header
CK_HELO_GENERIC	Relay used name indicative of a Dynamic Pool or Generic rPTR	X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S(?:pool\|dyna\|lease\|dial\|dip\|static))\S\d+[^\d\s]+\d+[^\]]+ auth= /i	header
CN_B2B_SPAMMER	Chinese company introducing itself	/\bWe are (?:(?:a )?(?:China\|Taiwan)[-\s]based\|(?:one of (?:the )?best\|(?:a )?leading) (?:international\|[^\.]{10,90} (?:in\|from) (?:\w+, )?(?:China\|Taiwan)))\b/i	body
COMMENT_GIBBERISH	Nonsense in long HTML comment	__COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT	meta
COMPENSATION	Compensation		meta
CONFIRMED_FORGED	Received headers are forged	(__FORGED_RCVD_TRAIL && (__FORGED_AOL_RCVD \|\| __FORGED_HOTMAIL_RCVD \|\| __FORGED_EUDORAMAIL_RCVD \|\| FORGED_YAHOO_RCVD \|\| __FORGED_JUNO_RCVD \|\| FORGED_GMAIL_RCVD))	meta
CONTENT_AFTER_HTML	More content after HTML close tag	__CONTENT_AFTER_HTML && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !__RCD_RDNS_MTA_MESSY && !__URI_DOTGOV	meta
CORRUPT_FROM_LINE_IN_HDRS	Informational: message is corrupt, with a From line in its headers	MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS	meta
CRBOUNCE_MESSAGE	Challenge-Response bounce message	!__MY_SERVERS_FOUND && __CHALLENGE_RESPONSE	meta
CTE_8BIT_MISMATCH	Header says 7bits but body disagrees	(__CT_TEXT_PLAIN && (!__CTE \|\| __L_CTE_7BIT) && __L_BODY_8BITS)	meta
CTYPE_001C_B	Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/		header
CTYPE_8SPACE_GIF	Stock spam image part 'Content-Type' found (8 spc)	Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s	mimeheader
CTYPE_NULL	Malformed Content-Type header		meta
CUM_SHOT	Possible porn - Cum Shot		body
CURR_PRICE	/\bCurrent Price:/		body
CURR_PRICE	No description provided		body
DATE_IN_FUTURE_03_06	Date: is 3 to 6 hours after Received: date	The Date header is normally set to the date that a message was created. In this case, this date is 3 to 6 hours later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is wrong.	header
DATE_IN_FUTURE_06_12	Date: is 6 to 12 hours after Received: date	The Date header is normally set to the date that a message was created. In this case, this date is 6 to 12 hours later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is wrong.	header
DATE_IN_FUTURE_12_24	Date: is 12 to 24 hours after Received: date	The Date header is normally set to the date that a message was created. In this case, this date is 12 to 24 hours later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is very wrong.	header
DATE_IN_FUTURE_24_48	Date: is 24 to 48 hours after Received: date	The Date header is normally set to the date that a message was created. In this case, this date is 1 to 2 days later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is very wrong.	header
DATE_IN_FUTURE_48_96	Date: is 48 to 96 hours after Received: date	The Date header is normally set to the date that a message was created. In this case, this date is 2 to 4 days later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is very wrong.	header
DATE_IN_FUTURE_96_Q	Date: is 4 days to 4 months after Received: date	eval:check_for_shifted_date('96', '2920')	header
DATE_IN_FUTURE_96_XX	Date: is 96 hours or more after Received: date	The Date header is normally set to the date that a message was created. In this case, this date is more than 4 days later than the message was received, suggesting that either the message was generated by badly-written mailout software, or the sender's computer clock is very wrong.	header
DATE_IN_PAST_03_06	Date: is 3 to 6 hours before Received: date	The Date: header is checked against the timestamps in the Received: header lines. If the clock generating the Date: header is accurate then the mail was generated 3 to 6 hours before being received by one of the relays.	header
DATE_IN_PAST_06_12	Date: is 6 to 12 hours before Received: date	The Date: header is checked against the timestamps in the Received: header lines. If the clock generating the Date: header is accurate then the mail was generated 6 to 12 hours before being received by one of the relays. This is unlikely in a normal mail client.	header
DATE_IN_PAST_12_24	Date: is 12 to 24 hours before Received: date	The Date: header is checked against the timestamps in the Received: header lines. If the clock generating the Date: header is accurate then the mail was generated 12 to 24 hours before being received by one of the relays. This is unlikely with a normal mail client.	header
DATE_IN_PAST_24_48	Date: is 24 to 48 hours before Received: date	The Date: header is checked against the timestamps in the Received: header lines. If the clock generating the Date: header is accurate then the mail was generated 1 to 2 days before being received by one of the relays. This is unlikely in a normal mail client.	header
DATE_IN_PAST_96_XX	Date: is 96 hours or more before Received: date	The Date: header is checked against the timestamps in the Received: header lines. If the clock generating the Date: header is accurate then the mail was generated 4 days or more before being received by one of the relays. This is unlikely in a normal mail client.	header
DATE_SPAMWARE_Y2K	Date header uses unusual Y2K formatting	Date =~ /^[A-Z][a-z]{2}, \d\d [A-Z][a-z]{2} [0-6]\d \d\d:\d\d:\d\d [A-Z]{3}$/	header
DAY_I_EARNED	Work-at-home spam		meta
DC_GIF_264_127	Found 264x127 pixel gif, possible pillz	eval:image_size_exact('gif','264','127')	body
DC_GIF_300	Contains a 300x300 pixels gif or larger	eval:image_size_range('gif',300,300)	body
DC_GIF_HTML_RATIO	Low rawbody to GIF pixel area ratio	eval:image_to_text_ratio('gif',0.000, 0.008)	rawbody
DC_GIF_TEXT_RATIO	Low body to GIF pixel area ratio	eval:image_to_text_ratio('gif',0.000, 0.008)	body
DC_GIF_UNO_LARGO	Message contains a single large gif image	( __GIF_ATTACH_1 && __GIF_AREA_180K )	meta
DC_IMAGE_SPAM_HTML	Possible Image-only spam	( ( __HTML_IMG_ONLY \|\| __DC_IMG_HTML_RATIO ) && ( DC_GIF_UNO_LARGO \|\| DC_PNG_UNO_LARGO \|\| __DC_GIF_MULTI_LARGO \|\| __DC_PNG_MULTI_LARGO ))	meta
DC_IMAGE_SPAM_TEXT	Possible Image-only spam with little text	( __DC_IMG_TEXT_RATIO && ( DC_GIF_UNO_LARGO \|\| DC_PNG_UNO_LARGO \|\| __DC_GIF_MULTI_LARGO \|\| __DC_PNG_MULTI_LARGO ))	meta
DC_IMAGE001_GIF	Contains image named image001.gif	eval:image_named('image001.gif')	body
DC_JPEG_200_300	Contains jpeg 200-250 (high) x 300-350 (wide)	eval:image_size_range('gif', 200, 300, 250, 350)	body
DC_JPEG_MULTI_LARGO	Message has 2+ inline jpeg covering lots of area	( __JPEG_ATTACH_2P && __JPEG_AREA_180K )	meta
DC_JPEG_UNO_LARGO	Message hash single large inline jpeg	( __JPEG_ATTACH_1 && __JPEG_AREA_180K )	meta
DC_PNG_UNO_LARGO	Message contains a single large png image	( __PNG_ATTACH_1 && __PNG_AREA_180K )	meta
DC_SCREENSHOT_JPG	Contains inline image matching common screen resolution	( __SCREEN_640x480 \|\| __SCREEN_800x600 \|\| __SCREEN_1024x768 \|\| __SCREEN_1280x1024 )	meta
DCC_CHECK	Detected as bulk mail by DCC ( https://www.rhyolite.com/dcc/ ; dcc-servers.net )	The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam. Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves. Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details. See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.	full
DCC_REPUT_00_12	DCC reputation between 0 and 12 % (mostly ham)	The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam. Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves. Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details. See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.	full
DCC_REPUT_13_19	DCC reputation between 13 and 19 %	The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam. Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves. Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details. See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.	full
DCC_REPUT_70_89	DCC reputation between 70 and 89 %	The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam. Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves. Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details. See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.	full
DCC_REPUT_90_94	DCC reputation between 90 and 94 %	The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam. Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves. Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details. See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.	full
DCC_REPUT_90_94	DCC reputation between 90 and 94 %		full
DCC_REPUT_95_98	DCC reputation between 95 and 98 % (mostly spam)	The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam. Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves. Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details. See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.	full
DCC_REPUT_95_98	DCC reputation between 95 and 98 % (mostly spam)		full
DCC_REPUT_99_100	DCC reputation between 99 % or higher (spam)	The DCC or Distributed Checksum Clearinghouse is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam. Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves. Note that DCC is disabled by default in init.pre because it is not open source. See the DCC license for more details. See http://www.rhyolite.com/anti-spam/dcc/ for more information about DCC.	full
DEAR_BENEFICIARY	Dear Beneficiary:		body
DEAR_EMAIL	Message contains Dear email address		body
DEAR_EMAIL_USER	Dear Email User:	/^\s?(?:Dear\s\|Attention:?\s?)(?:E\|Web)-?mail\s(?:account\s)?User\b/i	body
DEAR_FRIEND	Dear Friend? That's not very dear!		body
DEAR_SOMETHING	Contains 'Dear (something)'		body
DEAR_WINNER	Spam with generic salutation of "dear winner"	/\bdear.{1,20}winner/i	body
DIET_1	Lose Weight Spam	The message contains a phrase common to spam promoting weight loss, such as "lose 10lbs".	body
DIGEST_MULTIPLE	Message hits more than one network digest check	RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1	meta
DKIM_ADSP_ALL	No valid author signature, domain signs all mail	The sender's domain says that it uses DKIM (http://www.dkim.org/) on all email, but no valid signature was found. That suggests that the message might not have originated with the purported sender.	header
DKIM_ADSP_CUSTOM_HIGH	No valid author signature, adsp_override is CUSTOM_HIGH	The presence of this test indicates that DKIM support is enabled on the server. The mail does not contain a valid DKIM signature and the domain of the sending address has been matched by an override setting (adsp_override). For frequently seen domains that either do not publish an ADSP (Author Domain Signing Practices) records, or where a stronger (or weaker) policy is desired, the values can be specified in the configuration, saving the need for a DNS lookup. The current default custom_med overrides in 60_adsp_override_dkim.cf include entries for youtube.com. One reason for not seeing a signature on a mail from an domain which routinely signs them is that the signature header may have been stripped out, for example as part of a mailing-list expander.	header
DKIM_ADSP_CUSTOM_LOW	No valid author signature, adsp_override is CUSTOM_LOW	The presence of this test indicates that DKIM support is enabled on the server. The mail does not contain a valid DKIM signature and the domain of the sending address has been matched by an override setting (adsp_override). For frequently seen domains that either do not publish an ADSP (Author Domain Signing Practices) records, or where a stronger (or weaker) policy is desired, the values can be specified in the configuration, saving the need for a DNS lookup. One reason for not seeing a signature on a mail from an domain which routinely signs them is that the signature header may have been stripped out, for example as part of a mailing-list expander.	header
DKIM_ADSP_CUSTOM_MED	No valid author signature, adsp_override is CUSTOM_MED	The presence of this test indicates that DKIM support is enabled on the server. The mail does not contain a valid DKIM signature and the domain of the sending address has been matched by an override setting (adsp_override). For frequently seen domains that either do not publish an ADSP (Author Domain Signing Practices) records, or where a stronger (or weaker) policy is desired, the values can be specified in the configuration, saving the need for a DNS lookup. The current default custom_med overrides in 60_adsp_override_dkim.cf include entries for Yahoo and Google domains. One reason for not seeing a signature on a mail from an domain which routinely signs them is that the signature header may have been stripped out, for example as part of a mailing-list expander.	header
DKIM_ADSP_DISCARD	No valid author signature, domain signs all mail and suggests discarding the rest	The sender's domain says that it uses DKIM (http://www.dkim.org/) on all email, but no valid signature was found. The sender's domain policy suggests discarding this message. That suggests that the message might not have originated with the purported sender.	header
DKIM_ADSP_NXDOMAIN	No valid author signature and domain not in DNS	The presence of this test indicates that DKIM support is enabled on the server. The mail does not contain a valid DKIM signature and the domain of the sending address is not in the DNS One reason for not seeing a signature on a mail from an domain which routinely signs them is that the signature header may have been stripped out, for example as part of a mailing-list expander.	header
DKIM_INVALID	DKIM or DK signature exists, but is not valid	DKIM_SIGNED && !DKIM_VALID	meta
DKIM_POLICY_SIGNALL	eval:check_dkim_signall()	The sender's domain says that it uses DKIM (http://www.dkim.org/) on all email, but no valid signature was found. That suggests that the message did not in fact originate with the purported sender.	header
DKIM_POLICY_SIGNSOME	eval:check_dkim_signsome()	The sender's domain says that it uses DKIM (http://www.dkim.org/) on some email, but no valid signature was found. That suggests that the message might not have originated with the purported sender.	header
DKIM_POLICY_TESTING	eval:check_dkim_testing()	The sender's domain says that it is testing DKIM (http://www.dkim.org/)	header
DKIM_SIGNED	Message has a DKIM or DK signature, not necessarily valid	The message is signed using DKIM (http://www.dkim.org/)	full
DKIM_VALID	Message has at least one valid DKIM or DK signature	eval:check_dkim_valid()	full
DKIM_VALID_AU	Message has a valid DKIM or DK signature from author's domain	eval:check_dkim_valid_author_sig()	full
DKIM_VALID_AU	Message has a valid DKIM or DK signature from author's domain		full
DKIM_VALID_EF	Message has a valid DKIM or DK signature from envelope-from domain	eval:check_dkim_valid_envelopefrom()	full
DKIM_VERIFIED	eval:check_dkim_valid()	The message is signed using DKIM (http://www.dkim.org/) and the signature was verified	full
DKIMDOMAIN_IN_DWL	No description provided		???
DKIMDOMAIN_IN_DWL_UNKNOWN	No description provided		???
DKIMWL_BL	DKIMwl.org - Blocked sender	_DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/	meta
DKIMWL_BLOCKED	ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.		meta
DKIMWL_WL_HIGH	DKIMwl.org - High trust sender	__DKIMWL_WL_HI && !(FREEMAIL_FROM \|\| FREEMAIL_REPLYTO \|\| FREEMAIL_FORGED_REPLYTO)	meta
DKIMWL_WL_MED	DKIMwl.org - Medium trust sender	__DKIMWL_WL_MED && !(FREEMAIL_FROM \|\| FREEMAIL_REPLYTO \|\| FREEMAIL_FORGED_REPLYTO)	meta
DKIMWL_WL_MEDHI	DKIMwl.org - Medium-high trust sender	__DKIMWL_WL_MEDHI && !(FREEMAIL_FROM \|\| FREEMAIL_REPLYTO \|\| FREEMAIL_FORGED_REPLYTO \|\| __DKIMWL_FREEMAIL)	meta
DNS_FROM_AHBL_RHSBL	Envelope sender listed in dnsbl.ahbl.org	eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')	header
DNS_FROM_RFC_BOGUSMX	Envelope sender in bogusmx.rfc-ignorant.org	The domain of the envelope sender is listed in the DNSBL [WWW] bogusmx.rfc-ignorant.org. The criteria for listing is that the domain's MX records are not in compliance with current RFC guidelines.	header
DNS_FROM_RFC_DSN	Envelope sender in dsn.rfc-ignorant.org	The domain of the envelope sender is listed in the DNSBL [WWW] dsn.rfc-ignorant.org. The criteria for listing is that the servers listed in the domain's MX records must accept messages with the empty sender address (MAIL FROM:<>) so that Delivery Status Notification (DSN) messages can be delivered.	header
DOS_ANAL_SPAM_MAILER	X-mailer pattern common to anal porn site spam	X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/	header
DOS_FIX_MY_URI	Looks like a "fix my obfu'd URI please" spam	__MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK	meta
DOS_HIGH_BAT_TO_MX	The Bat! Direct to MX with High Bits	__DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA	meta
DOS_LET_GO_JOB	Let go from their job and now makes lots of dough!	__DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME	meta
DOS_OE_TO_MX	Delivered direct to MX with OE headers	__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE	meta
DOS_OE_TO_MX_IMAGE	Direct to MX with OE headers and an image	__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH	meta
DOS_OUTLOOK_TO_MX	Delivered direct to MX with Outlook headers	__ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE	meta
DOS_OUTLOOK_TO_MX_IMAGE	Direct to MX with Outlook headers and an image	__ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH	meta
DOS_RCVD_IP_TWICE_C	Received from the same IP twice in a row (only one external relay; empty or IP helo)		header
DOS_STOCK_BAT	Probable pump and dump stock spam	__THEBAT_MUA && (__DOS_BODY_STOCK \|\| __DOS_BODY_TICKER) && (__DOS_REF_TODAY \|\| __DOS_REF_NEXT_WK_DAY \|\| __DOS_REF_2_WK_DAYS)	meta
DOS_STOCK_BAT2	Probable pump and dump stock spam	DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)	meta
DOS_URI_ASTERISK	Found an asterisk in a URI		uri
DOS_YOUR_PLACE	Russian dating spam	(__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE \|\| __DOS_CORRESPOND_EMAIL \|\| __DOS_EMAIL_DIRECTLY \|\| __DOS_I_AM_25 \|\| __DOS_WRITE_ME_AT \|\| __DOS_PERSONAL_EMAIL))	meta
DOTGOV_IMAGE	.gov URI + hosted image	__DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS	meta
DRUG_DOSAGE	Talks about price per dose		body
DRUG_ED_CAPS	Mentions an E.D. drug		body
DRUG_ED_GENERIC	Mentions Generic Viagra		body
DRUG_ED_ONLINE	Fast Viagra Delivery		body
DRUG_ED_SILD	Talks about an E.D. drug using its chemical name		body
DRUGS_ANXIETY	Refers to an anxiety control drug	(__DRUGS_ANXIETY1 \|\| __DRUGS_ANXIETY2 \|\| __DRUGS_ANXIETY3 \|\| __DRUGS_ANXIETY4 \|\|__DRUGS_ANXIETY5 \|\|__DRUGS_ANXIETY6 \|\|__DRUGS_ANXIETY7 \|\|__DRUGS_ANXIETY8 \|\| __DRUGS_ANXIETY9 )	meta
DRUGS_ANXIETY_EREC	Refers to both an erectile and an anxiety drug	(DRUGS_ERECTILE && DRUGS_ANXIETY)	meta
DRUGS_ANXIETY_OBFU	Obfuscated reference to an anxiety control drug	( (__DRUGS_ANXIETY1 &&! __DRUGS_ANXIETY_XAN) \|\| (__DRUGS_ANXIETY3 && !__DRUGS_ANXIETY_VAL))	meta
DRUGS_DIET	Refers to a diet drug	(__DRUGS_DIET1 \|\| __DRUGS_DIET2 \|\| __DRUGS_DIET3 \|\| __DRUGS_DIET4 \|\|__DRUGS_DIET5 \|\|__DRUGS_DIET6 \|\|__DRUGS_DIET7 \|\|__DRUGS_DIET8 \|\| __DRUGS_DIET9 \|\| __DRUGS_DIET10 )	meta
DRUGS_DIET_OBFU	Obfuscated reference to a diet drug	(__DRUGS_DIET1 && !__DRUGS_DIET_PHEN)	meta
DRUGS_ERECTILE	Refers to an erectile drug	(__DRUGS_ERECTILE1 \|\| __DRUGS_ERECTILE2 \|\| __DRUGS_ERECTILE3 \|\| __DRUGS_ERECTILE4 \|\| __DRUGS_ERECTILE5 \|\| __DRUGS_ERECTILE6 \|\| __DRUGS_ERECTILE8 \|\| __DRUGS_ERECTILE10 \|\| __DRUGS_ERECTILE11 )	meta
DRUGS_ERECTILE_OBFU	Obfuscated reference to an erectile drug	( (__DRUGS_ERECTILE1 &&!__DRUGS_ERECTILE_V) \|\| (__DRUGS_ERECTILE3 && !__DRUGS_ERECTILE_C) \|\|__DRUGS_ERECTILE2 \|\| (__DRUGS_ERECTILE10 &&!__DRUGS_ERECTILE_V) \|\| (__DRUGS_ERECTILE6 &&!__DRUGS_ERECTILE_L))	meta
DRUGS_HDIA	Subject mentions "hoodia"	Subject =~ /\bhoodia\b/i	header
DRUGS_MANYKINDS	Refers to at least four kinds of drugs	(DRUGS_ERECTILE + DRUGS_DIET + __DRUGS_PAIN + __DRUGS_SLEEP + DRUGS_MUSCLE + DRUGS_ANXIETY > 3)	meta
DRUGS_MUSCLE	Refers to a muscle relaxant	(__DRUGS_MUSCLE1 \|\| __DRUGS_MUSCLE2 \|\| __DRUGS_MUSCLE3 \|\| __DRUGS_MUSCLE4 \|\|__DRUGS_MUSCLE5 )	meta
DRUGS_SLEEP_EREC	Refers to both an erectile and a sleep aid drug	(DRUGS_ERECTILE && __DRUGS_SLEEP)	meta
DRUGS_SMEAR1	Two or more drugs crammed together into one word	/(?:Viagra\|Valium\|Xanax\|Soma\|Cialis){2}/i	body
DRUGS_STOCK_MIMEOLE	Stock-spam forged headers found (5510)	__MIMEOLE_1106 && __MAILER_OL_5510	meta
DSN_NO_MIMEVERSION	Return-Path <> and no MIME-Version: header	__BOUNCE_RPATH_NULL && !__MIME_VERSION	meta
DUP_SUSP_HDR	Duplicate suspicious message headers	__DUP_SUSP_HDR	meta
DX_TEXT_02	"change your message stat"	/\b(?:change\|modif(?:y\|ications?)) (?:of\|to\|(?:yo)?ur) (?:message\|sub\|comm) stat/i	body
DX_TEXT_03	"XXX Media Group"	/\b[A-Z]{3} Media (?:Group\|Relations)\b/	body
DX_TEXT_05	HTML snobbery	/o text only message available for this email\./i	body
DYN_RDNS_AND_INLINE_IMAGE	Contains image, and was sent by dynamic rDNS	RDNS_DYNAMIC && __ANY_IMAGE_ATTACH	meta
DYN_RDNS_SHORT_HELO_HTML	Sent by dynamic rDNS, short HELO, and HTML	__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE	meta
DYN_RDNS_SHORT_HELO_IMAGE	Short HELO string, dynamic rDNS, inline image	__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH	meta
DYNAMIC_IMGUR	dynamic IP + hosted image	__DYNAMIC_IMGUR	meta
EBAY_IMG_NOT_RCVD_EBAY	E-bay hosted image but message not from E-bay	__EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS	meta
EM_ROLEX	Message puts emphasis on the watch manufacturer		body
EMAIL_ROT13	Body contains a ROT13-encoded email address	ROT13 is defined as: The simple Caesar-cypher encryption that replaces each English letter with the one 13 places forward or back along the alphabet, so that "The butler did it!" becomes "Gur ohgyre qvq vg!" This test indicated an e-mail address was encoded using ROT13. This is normally done to hide the identity of the recipient used for list washing.	body
EMPTY_MESSAGE	Message appears to have no textual parts and no Subject: text	!__MIME_ATTACHMENT && !__NONEMPTY_BODY	meta
EMRCP	"Excess Maximum Return Capital Profit" scam	/\bExcess Maximum Return Capital Profit\b/i	body
ENCRYPTED_MESSAGE	Message is encrypted, not likely to be spam	__CT_ENCRYPTED	meta
END_FUTURE_EMAILS	Spammy unsubscribe	END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64	meta
ENGLISH_UCE_SUBJECT	Subject contains an English UCE tag		header
ENV_AND_HDR_SPF_MATCH	Env and Hdr From used in default SPF WL Match	(USER_IN_DEF_SPF_WL && __ENV_AND_HDR_FROM_MATCH)	meta
ENVFROM_GOOG_TRIX	From suspicious Google subdomain	__ENVFROM_GOOG_TRIX_SPAMMY	meta
EXCUSE_24	Claims you wanted this ad		body
EXCUSE_4	Claims you can be removed from the list		body
EXCUSE_REMOVE	Talks about how to be removed from mailings		body
EXTRA_MPART_TYPE	Header has extraneous Content-type:...type= entry	Message may be Multipart/Related as per RFC 2387, which is over-complicated for normal email	header
FACEBOOK_IMG_NOT_RCVD_FB	Facebook hosted image but message not from Facebook		meta
FAKE_HELO_MAIL_COM_DOM	Relay HELO'd with suspicious hostname (mail.com)		header
FAKE_OUTBLAZE_RCVD	Received header contains faked 'mr.outblaze.com'		header
FAKE_REPLY_C	No description provided		meta
FB_ADD_INCHES	Add / Gain inches		body
FB_ALMOST_SEX	It's almost sex, but not!		body
FB_ANA_TRIM	Broken AnaTrim phrase.		body
FB_ANUI	Phrase: A_U_N_I		body
FB_BILLI0N	Phrase: [BM]Illi0n		body
FB_C0MPANY	Phrase: C0mpany		body
FB_CAN_LONGER	Phrase: can last longer		body
FB_CIALIS_LEO3	Uses a mis-spelled version of cialis.		body
FB_DOUBLE_0WORDS	Looks like double 0 words		body
FB_EMAIL_HIER	Phrase: email hier		body
FB_EXTRA_INCHES	Phrase: extra inches		body
FB_FAKE_NUMBERS	Looks like numbers with O's insted of 0's		body
FB_FAKE_NUMS4	Looks like fake numbers (4)		body
FB_FHARMACY	Phrase: Farmacy		body
FB_FORWARD_LOOK	Phrase: forward look with 0's		body
FB_GAPPY_ADDRESS	Too much spacing in Address	"Gappy" means, the email message body contains some words that were written spaced, for example F o o b a r instead of Foobar.	body
FB_GET_MEDS	Looks like trying to sell meds		body
FB_GVR	Looks like generic viagra		body
FB_HEY_BRO_COMMA	Phrase hey bro,		body
FB_HG_H_CAP	Phrase: HGH		body
FB_HOMELOAN	Phrase (dollar) x home loan		body
FB_IMPRESS_GIRL	Phrase: impress ... girl		body
FB_INCREASE_YOUR	Phrase: Increase your energy		body
FB_INDEPEND_RWD	Phrase: independent reward		body
FB_L0AN	Phrase: L0an		body
FB_LETTERS_21B	Special people leave special signs!		body
FB_LOSE_WEIGHT_CAP	Phrase: LOSE WEIGHT		body
FB_LOWER_PAYM	Phrase: lower your monthly payments		body
FB_MORE_SIZE	Phrase: more size		body
FB_NO_SCRIP_NEEDED	Phrase: no prescription needed.		body
FB_NOT_PHONE_NUM1	Looks like a fake phone number (1)		body
FB_NOT_PHONE_NUM3	Looks like a fake phone number (3)		body
FB_NOT_SCHOOL	Looks like school but it's not!		body
FB_NUMYO	Speaks of teenager.		body
FB_NUMYO2	Speaks of 20+ year old.		body
FB_ODD_SPACED_MONEY	Looks like money but has odd spacing.		body
FB_ONIINE	Mis-spelled online		body
FB_P1LL	Phrase: p1ll		body
FB_PENIS_GROWTH	Phrase: penis growth		body
FB_PIPE_ILLION	Looks like illion, but it's not		body
FB_PIPEDOLLAR	Phrase: Dollar, with pipes or 0's.		body
FB_PROLONGED_HARD	Talks about prolonged hardness		body
FB_QUALITY_REPLICA	Phrase: quality replica		body
FB_RE_FI	Looks like refi.		body
FB_REF_CODE_SPACE	Refcode with spacing		body
FB_REPLIC_CAP	Phrase: REPLICA		body
FB_REPLICA_ROLEX	Phrase: Replica Rolex		body
FB_ROLLER_IS_T	Phrase: Roller is th		body
FB_ROLX	Phrase: rolx		body
FB_SAVE_PERSC	Phrase: save ... prescription.		body
FB_SOFTTABS	Phrase: Softabs		body
FB_SPACED_FREE	Phrase: F R E E		body
FB_SPACED_PHN_3B	Phone number with -- spacing. (B)		body
FB_SPACEY_ZIP	Looks like a s p a c e d zipcode.		body
FB_SPUR_M	Phrase: SPUR-M		body
FB_SSEX	Phrase: ssex	matches /\bssex\b/ This matches the word "ssex". Doesn't match words like "Sussex" or "Essex" because \b means "word boundary". It has also been disabled for years, with a score of 0. Please upgrade your spamassassin install, and run sa-update from cron daily.	body
FB_STOCK_EXPLODE	Looks like stocks exploding.		body
FB_SYMBLO	Mis-spelled symbol.		body
FB_THIS_ADVERT	Phrase: this advertiser		body
FB_THOUS_PERSONAL	Phrase: thousand personal		body
FB_TO_STOP_DISTRO	Phrase: to stop further distribution		body
FB_ULTRA_ALLURE	Phrase: Ultra Allure		body
FB_UNLOCK_YOUR_G	Phrase: lock to your girlfriend		body
FB_UNRESOLV_PROV	Pattern Replacement PROV_D		body
FB_YOUR_REFI	Phrase: Your refi		body
FB_YOURSELF_MASTER	Phrase: yourself master		body
FBI_MONEY	The FBI wants to give you lots of money?	__FBI_SPOOF && LOTS_OF_MONEY	meta
FBI_SPOOF	Claims to be FBI, but not from FBI domain	__FBI_SPOOF	meta
FH_BAD_OEV1441	Bad X-Mailer version		header
FH_DATE_IS_19XX	The date is not 19xx.		header
FH_FAKE_RCVD_LINE	RCVD line looks faked (A)		header
FH_FAKE_RCVD_LINE_B	RCVD line looks faked (B)		header
FH_FROM_CASH	From name has"cash"		header
FH_FROM_GET_NAME	From name says Get		header
FH_FROM_GIVEAWAY	From name is giveaway.		header
FH_FROM_HOODIA	From has Hoodia!!?		header
FH_FROMEML_NOTLD	E-mail address doesn't have TLD (.com, etc.)	The sender's address does not have a full Internet domain. The mail may have arrived from a misconfigured local machine that only used its local name (e.g. bilbo@hobbit), or else it is an attempt to disguise the real sender.	header
FH_HAS_XAIMC	Has X-AIMC-AUTH header		header
FH_HAS_XID	Has X-ID		header
FH_HELO_ALMOST_IP	Helo is almost an IP addr.	An untrusted relay used a hostname (FQDN) as a HELO argument during a SMTP transaction that contains a series of numbers that might represent an IPv4 address. One likely reason for this is that the hostname is taken from the reverse DNS entry used to indicate a dynamically allocated address	header
FH_HELO_ENDS_DOT	Helo ends with a dot.		header
FH_HELO_EQ_610HEX	Helo is 6-10 hex chr's.		header
FH_HELO_EQ_CHARTER	Helo is d-d-d-d charter.com		header
FH_HELO_EQ_D_D_D_D	Helo is d-d-d-d	This rule checks the HELO identifier of the last untrusted relay and matches if the HELO argument contains four numbers (1 to three digits in length) separated by dashes. This is a common method for encoding IPv4 addresses into reverse DNS entries for dynamically allocated address ranges. Since it is not usually expected that servers are given canonical hostnames that encode their IPv4 addresses, the means that the mailer process is probably using information from reverse DNS for its configuration. This indicates that it is not a normally configured mail server, and may well be a bot running on a hijacked PC.	header
FH_HELO_GMAILSMTP	Faked helo of gmail-smtp-in		header
FH_HOST_EQ_DYNAMICIP	Host is dynamicip		header
FH_HOST_EQ_PACBELL_D	Host is pacbell.net dsl		header
FH_HOST_EQ_VERIZON_P	Host is pool-.+verizon.net		header
FH_HOST_IN_ADDRARPA	HOST dns says"in-addr.arpa"		header
FH_MSGID_000000	Special MSGID		header
FH_MSGID_01C67	Special MSGID		header
FH_MSGID_01C70XXX	MESSAGE ID seen often!!!		header
FH_MSGID_REPLACE	Broken Replace Template		header
FH_MSGID_XXBLAH	Common sign in msg-id's 12/21/2006		header
FH_MSGID_XXX	Message-Id = @xxx		header
FH_RE_NEW_DDD	Subject is Re: new \d\d\d		header
FH_XMAIL_REPLACE	Broken Replace Template		header
FILL_THIS_FORM	Fill in a form with personal information		meta
FILL_THIS_FORM_FRAUD_PHISH	No description provided		???
FILL_THIS_FORM_LOAN	No description provided		???
FILL_THIS_FORM_LONG	Fill in a form with personal information		meta
FIN_FREE	Freedom of a financial nature		body
FM_XMAIL_F_OUT	Looks like Fake Outlook?		header
FONT_INVIS_DIRECT	Invisible text + direct-to-MX		meta
FONT_INVIS_DOTGOV	Invisible text + .gov URI		meta
FONT_INVIS_HTML_NOHTML	Invisible text + malformed HTML		meta
FONT_INVIS_LONG_LINE	Invisible text + long lines		meta
FONT_INVIS_MSGID	Invisible text + suspicious message ID		meta
FONT_INVIS_NORDNS	Invisible text + no rDNS		meta
FONT_INVIS_POSTEXTRAS	Invisible text + suspicious URI		meta
FORGED_GMAIL_RCVD	'From' gmail.com does not match 'Received' headers	eval:check_for_forged_gmail_received_headers()	header
FORGED_GMAIL_RCVD	From' gmail.com does not match 'Received' headers		header
FORGED_HOTMAIL_RCVD2	hotmail.com 'From' address, but no 'Received:'		header
FORGED_IMS_HTML	IMS can't send HTML message only	(__IMS_MUA && MIME_HTML_ONLY && !(__IMS_HTML_BUILDS && __IMS_HTML_RCVD))	meta
FORGED_IMS_TAGS	IMS mailers can't send HTML in this format	(!__YAHOO_BULK && __ANY_IMS_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))	meta
FORGED_MSGID_AOL	Message-ID is forged, (aol.com)	(__AT_AOL_MSGID && !__FROM_AOL_COM)	meta
FORGED_MSGID_EXCITE	Message-ID is forged, (excite.com)	(__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE)	meta
FORGED_MSGID_HOTMAIL	Message-ID is forged, (hotmail.com)	(__AT_HOTMAIL_MSGID && (!__FROM_HOTMAIL_COM && !__FROM_MSN_COM && !__FROM_YAHOO_COM))	meta
FORGED_MSGID_MSN	Message-ID is forged, (msn.com)	(__AT_MSN_MSGID && (!__FROM_MSN_COM && !__FROM_HOTMAIL_COM && !__FROM_YAHOO_COM))	meta
FORGED_MSGID_YAHOO	Message-ID is forged, (yahoo.com)	(__AT_YAHOO_MSGID && !__FROM_YAHOO_COM)	meta
FORGED_MUA_EUDORA	Forged mail pretending to be from Eudora	(__EUDORA_MUA && !__EUDORA_MSGID && !__UNUSABLE_MSGID && !__HAS_X_LOOP && !__HAS_X_MAILING_LIST)	meta
FORGED_MUA_IMS	Forged mail pretending to be from IMS	(__IMS_MUA && !__IMS_MSGID && !__UNUSABLE_MSGID)	meta
FORGED_MUA_MOZILLA	Forged mail pretending to be from Mozilla	(__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID)	meta
FORGED_MUA_OIMO	Forged mail pretending to be from MS Outlook IMO	(__OIMO_MUA && !__OIMO_MSGID && !__OE_MSGID_2 && !__UNUSABLE_MSGID)	meta
FORGED_MUA_OUTLOOK	Forged mail pretending to be from MS Outlook	(__FORGED_OE \|\| __FORGED_OUTLOOK_DOLLARS)	meta
FORGED_MUA_THEBAT_BOUN	Mail pretending to be from The Bat! (boundary)	(__THEBAT_MUA_V1 && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21)	meta
FORGED_MUA_THEBAT_CS	Mail pretending to be from The Bat! (charset)	(__THEBAT_MUA && __CTYPE_CHARSET_QUOTED)	meta
FORGED_OUTLOOK_HTML	Outlook can't send HTML message only	(!__YAHOO_BULK && __ANY_OUTLOOK_MUA && MIME_HTML_ONLY)	meta
FORGED_OUTLOOK_TAGS	Outlook can't send HTML in this format	(!__YAHOO_BULK && __ANY_OUTLOOK_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))	meta
FORGED_QUALCOMM_TAGS	QUALCOMM mailers can't send HTML in this format	(__ANY_QUALCOMM_MUA && __MIME_HTML && !__TAG_EXISTS_HTML)	meta
FORGED_RELAY_MUA_TO_MX	X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10\| 127\| 169\.254\| 172\.(?:1[6-9]\| 2[0-9]\| 3[01])\| 192\.168)\.)\| )[^\[]+(dollar) /		header
FORGED_TELESP_RCVD	Contains forged hostname for a DSL IP in Brazil		header
FORGED_THEBAT_HTML	The Bat! can't send HTML message only	(__THEBAT_MUA_V1 && MIME_HTML_ONLY)	meta
FORGED_YAHOO_RCVD	'From' yahoo.com does not match 'Received' headers	eval:check_for_forged_yahoo_received_headers()	header
FORGED_YAHOO_RCVD	From' yahoo.com does not match 'Received' headers	The address in the From: header contains a Yahoo address, but the Received headers do not show the mail originating from yahoo.com servers.	header
FORM_FRAUD	Fill a form and a fraud phrase	(FILL_THIS_FORM \|\| FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AFR_UNION + __AGREED_RATIO + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __COMPENSATION + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FEES + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + LOTTO_DEPT + __LOTTO_RELATED + LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRUNK_BOX + __UN + __UNCLAIMED + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + LOTTO_YOU_WON + LOTTO_AGENT_FM + LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1)	meta
FORM_FRAUD_3	Fill a form and several fraud phrases		meta
FORM_FRAUD_5	Fill a form and many fraud phrases		meta
FORM_LOW_CONTRAST	Fill in a form with hidden text	__FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL	meta
FORWARD_LOOKING	Stock Disclaimer Statement		body
FOUND_YOU	I found you...		meta
FR_3TAG_3TAG	Looks like 3 small tags.		rawbody
FR_ALMOST_VIAG2	Almost looks like viagra.		rawbody
FR_CANTSEETEXT	Phrase class=cantseetext		rawbody
FR_MIDER	Sign often seen in spams		rawbody
FR_TITLE_NUMS	HTML Title is only numbers		rawbody
FRAGMENTED_MESSAGE	Partial message		header
FREE_PORN	Possible porn - Free Porn		body
FREE_QUOTE_INSTANT	Free express or no-obligation quote		body
FREEM_FRNUM_UNICD_EMPTY	Numeric freemail From address, unicode From name and Subject, empty body	__FREEM_FRNUM_UNICD_EMPTY	meta
FREEMAIL_ENVFROM_END_DIGIT	Envelope-from freemail username ends in digit		header
FREEMAIL_FORGED_FROMDOMAIN	2nd level domains in From and EnvelopeFrom freemail headers are different		meta
FREEMAIL_FORGED_REPLYTO	Freemail in Reply-To, but not From		meta
FREEMAIL_FROM	Sender email is freemail	This test indicates the FreeMail plugin is active in the local configuration. The domain of the sender has been identified as that of a free email provider. (e.g. gmail.com or hotmail.com) The default list of known freemail domains is distributed in 20_freemail_domains.cf. Local configuration can be modified to add or whitelist domains.	header
FREEMAIL_REPLY	From and body contain different freemails		meta
FREEMAIL_REPLYTO	Reply-To/From or Reply-To/body contain different freemails		meta
FREEMAIL_REPLYTO_END_DIGIT	Reply-To freemail username ends in digit		header
FREEMAIL_WFH_01	Work-from-Home + freemail	(FREEMAIL_FROM \|\| FREEMAIL_REPLYTO) && __WFH_01	meta
FRNAME_IN_MSG_XPRIO_NO_SUB	From name in message + X-Priority + short or no subject	(__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY \|\| __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED	meta
FROM_2_EMAILS_SHORT	Short body and From looks like 2 different emails	FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS \|\| __NAME_EMAIL_DIFF)	meta
FROM_ADDR_WS	Malformed From address	__FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL	meta
FROM_BANK_NOAUTH	From Bank domain but no SPF or DKIM	__FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU)	meta
FROM_BLANK_NAME	From: contains empty name	The "From:" header contains a blank name, matching this regular expression: /(?:\s\|^)"" <\S+>/i . For example: From: "" This is legal, but rare and pointless.	header
FROM_DOMAIN_NOVOWEL	From: domain has series of non-vowel letters		header
FROM_EXCESS_BASE64	From: base64 encoded unnecessarily	__FROM_ENCODED_B64 && !__FROM_NEEDS_MIME	meta
FROM_FMBLA_NDBLOCKED	ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.	__FROM_FMBLA_NDBLOCKED	meta
FROM_FMBLA_NEWDOM	From domain was registered in last 7 days	__FROM_FMBLA_NEWDOM	meta
FROM_FMBLA_NEWDOM14	From domain was registered in last 7-14 days	__FROM_FMBLA_NEWDOM14	meta
FROM_FMBLA_NEWDOM28	From domain was registered in last 14-28 days	__FROM_FMBLA_NEWDOM28	meta
FROM_GOV_DKIM_AU	From Government address and DKIM signed	DKIM_VALID_AU && __FROM_ADDRLIST_GOV	meta
FROM_GOV_REPLYTO_FREEMAIL	From Government domain but ReplyTo is FREEMAIL	FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU	meta
FROM_GOV_SPOOF	From Government domain but matches SPOOFED	!__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED)	meta
FROM_ILLEGAL_CHARS	From: has too many raw illegal characters	The From header contains 8-bit and other illegal characters that should be MIME encoded, as described in RFC 2045 This suggests that the sender is using badly-written mailout software, rather than a regular email program.	header
FROM_IN_TO_AND_SUBJ	From address is in To and Subject	(__TO_EQ_FROM && __SUBJ_HAS_FROM_1)	meta
FROM_LOCAL_DIGITS	From: localpart has long digit sequence		header
FROM_LOCAL_HEX	From: localpart has long hexadecimal sequence		header
FROM_LOCAL_NOVOWEL	From: localpart has series of non-vowel letters	The localpart (left of the "@") contains a row of 7 non-vowel characters. This is a good indication that this isn't a valid personal email address being used.	header
FROM_MISSP_DYNIP	From misspaced + dynamic rDNS	__FROM_RUNON && RDNS_DYNAMIC	meta
FROM_MISSP_EH_MATCH	From misspaced, matches envelope	__FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA	meta
FROM_MISSP_FREEMAIL	From misspaced + freemail provider		meta
FROM_MISSP_MSFT	From misspaced + supposed Microsoft tool	__FROM_RUNON && (__ANY_OUTLOOK_MUA \|\| __MIMEOLE_MS)	meta
FROM_MISSP_PHISH	Malformed, claims to be from financial organization - possible phish	__FROM_MISSP_PHISH	meta
FROM_MISSP_REPLYTO	From misspaced, has Reply-To		meta
FROM_MISSP_SPF_FAIL	No description provided		meta
FROM_MISSP_TO_UNDISC	From misspaced, To undisclosed	(__FROM_RUNON && __TO_UNDISCLOSED)	meta
FROM_MISSP_USER	From misspaced, from "User"	(__FROM_RUNON && NSL_RCVD_FROM_USER)	meta
FROM_MISSP_XPRIO	Misspaced FROM + X-Priority		meta
FROM_MISSPACED	From: missing whitespace	__XPRIO && __FROM_MISSPACED	meta
FROM_MULTI_NORDNS	Multiple From addresses + no rDNS		meta
FROM_NEWDOM_BTC	Newdomain with Bitcoin ID
FROM_NO_USER	From: has no local-part before @ sign		header
FROM_NTLD_LINKBAIT	From abused NTLD with little more than a URI		meta
FROM_NTLD_REPLY_FREEMAIL	From abused NTLD and Reply-To is FREEMAIL		meta
FROM_NUMBERO_NEWDOMAIN	Fingerprint and new domain		meta
FROM_NUMERIC_TLD	From: address has numeric TLD		header
FROM_OFFERS	From address is "at something-offers"		header
FROM_PAYPAL_SPOOF	From PayPal domain but matches SPOOFED		meta
FROM_STARTS_WITH_NUMS	From: starts with several numbers		header
FROM_SUSPICIOUS_NTLD	From abused NTLD	__FROM_ADDRLIST_SUSPNTLD	meta
FROM_SUSPICIOUS_NTLD_FP	From abused NTLD	__FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST	meta
FROM_UNBAL2	From with unbalanced angle brackets, '<' missing
FROM_WSP_LEAD	Leading whitespace after '<' in From header field
FROM_WSP_TRAIL	Trailing whitespace before '>' in From header field		header
FROMSPACE	Idiosyncratic "From" header format		header
FRT_ADOBE2	ReplaceTags: Adobe		body
FRT_APPROV	ReplaceTags: Approve		body
FRT_BIGGERMEM1	ReplaceTags: Bigger / Larger, Penis / Member		body
FRT_DIPLOMA	ReplaceTags: Diploma		body
FRT_DISCOUNT	ReplaceTags: Discount		body
FRT_DOLLAR	ReplaceTags: Dollar		body
FRT_ESTABLISH2	ReplaceTags: Establish (2)		body
FRT_FUCK2	ReplaceTags: Fuck (2)		body
FRT_GUARANTEE1	ReplaceTags: Guarantee (1)		body
FRT_INVESTOR	ReplaceTags: Investor		body
FRT_LEVITRA	ReplaceTags: Levitra		body
FRT_MEETING	ReplaceTags: Meeting		body
FRT_OFFER2	ReplaceTags: Offer (2)		body
FRT_OPPORTUN2	ReplaceTags: Oppertun (2)		body
FRT_PENIS1	ReplaceTags: Penis	Message body contains obfuscated variant on the word Penis. Exempt variants are "pen is", "penis", "penny's", "penny s", but not "penny.s".	body
FRT_PHARMAC	ReplaceTags: Pharmac		body
FRT_PRICE	ReplaceTags: Price		body
FRT_REFINANCE1	ReplaceTags: Refinance (1)		body
FRT_ROLEX	ReplaceTags: Rolex		body
FRT_SEXUAL	ReplaceTags: Sexual		body
FRT_SOMA	ReplaceTags: Soma		body
FRT_SOMA2	ReplaceTags: Soma (2)		body
FRT_STRONG1	ReplaceTags: Strong (1)		body
FRT_STRONG2	ReplaceTags: Strong (2)		body
FRT_SYMBOL	ReplaceTags: Symbol		body
FRT_TODAY2	ReplaceTags: Today (2)		body
FRT_VALIUM1	ReplaceTags: Valium		body
FRT_VALIUM2	ReplaceTags: Valium (2)		body
FRT_WEIGHT2	ReplaceTags: Weight (2)		body
FRT_XANAX1	ReplaceTags: Xanax (1)		body
FRT_XANAX2	ReplaceTags: Xanax (2)		body
FS_ABIGGER	Subject has"a bigger"		header
FS_APPROVE_YOU	Subject says approve you		header
FS_AT_NO_COST	Subject says"At No Cost"		header
FS_CHEAP_CAP	Phrase: Cheap in Caps in Subject.		header
FS_DOLLAR_BONUS	Subject talks about money bonus!		header
FS_EJACULA	Phrase: ejaculation in subject.		header
FS_ERECTION	Phrase: erection in subject.		header
FS_HUGECOCK	Phrase: Huge Cock		header
FS_LARGE_PERCENT2	Larger than 100% in subj.		header
FS_LOW_RATES	Subject says low rates		header
FS_NEW_SOFT_UPLOAD	Subj starts with New software uploaded		header
FS_NEW_XXX	Subject looks like Fharmacy spams.	The subject header field matches the regexp /^Re: news? [a-z]{1,5}$/ e.g: Subject: Re: new pill	header
FS_NO_SCRIP	Subject almost says No prescription		header
FS_NUDE	Subject says Nude		header
FS_OBFU_PRMCY	what could this word be?		header
FS_PERSCRIPTION	Subject mis-spelled prescription		header
FS_PHARMASUB2	Looks like Phramacy subject.		header
FS_RAMROD	Subject says Ramrod		header
FS_RE_APPROV	Phrase: re approved		header
FS_REPLICA	Subject says"replica"		header
FS_REPLICAWATCH	Subject says Replica watch		header
FS_START_DOYOU2	Subject starts with Do you dream,have,want,love, etc.	As per the description, the Subject: header line begins with "Do you like" or similar.	header
FS_START_LOSE	Subject starts with Lose		header
FS_TEEN_BAD	Subject says something bad about teens		header
FS_TIP_DDD	Phrase: subject = tip ddd		header
FS_WEIGHT_LOSS	Subject says Weight Loss		header
FS_WILL_HELP	Subject says will help		header
FS_WITH_SMALL	Subject says With ... small		header
FSL_BULK_SIG	Bulk signature with no Unsubscribe		meta
FSL_CTYPE_WIN1251	Content-Type only seen in 419 spam		header
FSL_FAKE_GMAIL_RCVD	X-Spam-Relays-External =~ /gmail-smtp-in\.l\.google\.com/		header
FSL_FAKE_HOTMAIL_RVCD	X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/		header
FSL_GEO_ABUSE	/\/geocities\.com\/\S+(dollar) /		uri
FSL_HELO_BARE_IP_1	X-Spam-Relays-External =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+ /i		header
FSL_HELO_DEVICE	X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device\| speedtouch)\.lan\b/i		header
FSL_HELO_FAKE	No description provided		header
FSL_HELO_NON_FQDN_1	X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i		header
FSL_HELO_SETUP	X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i		header
FSL_INTERIA_ABUSE	/\/\S+\.(?:w\| eu\| fm)\.interia\.pl/		uri
FSL_LSPACES_ABUSE	/cid\-\S+\.spaces\.live\.com/		uri
FSL_NEW_HELO_USER	Spam's using Helo and User		meta
FSL_YG_ABUSE	/\/groups\.yahoo\.com\/group\/\S+\/message\/1(dollar) /		uri
FU_COMMON_SUBS2	Sub-dir seen often in spam (2).		uri
FU_END_ET	ET Phone Home?		uri
FU_ENDS_NUMS_DOTS_CLK	Ends with clk/d+.d+.d+		uri
FU_HOODIA	URL has hoodia in it.		uri
FU_LONG_QUERY3	URL has a long file name with .aspx extension.		uri
FU_MIDER	URL has /gal/		uri
FU_UKGEOCITIES	URL with [a-z]{2}.geocities.com		uri
FU_URI_TRACKER_T	URI style tracker (T)		uri
FUZZY_AFFORDABLE	Attempt to obfuscate words in spam		body
FUZZY_AMAZON	Obfuscated "amazon"		body
FUZZY_AMBIEN	Attempt to obfuscate words in spam		body
FUZZY_ANDROID	Obfuscated "android"		body
FUZZY_APPLE	Obfuscated "apple"		body
FUZZY_BILLION	Attempt to obfuscate words in spam		body
FUZZY_BITCOIN	Obfuscated "Bitcoin"		body
FUZZY_BROWSER	Obfuscated "browser"		body
FUZZY_BTC_WALLET	Heavily obfuscated "bitcoin wallet"		meta
FUZZY_CLICK_HERE	Obfuscated "click here"		body
FUZZY_CPILL	Attempt to obfuscate words in spam	This rule matches what appears to be an attempt to obfuscate the word "Cialis" - a brand-name for Tadalafil, a drug used for treating erectile disfunction.	body
FUZZY_CREDIT	Attempt to obfuscate words in spam		body
FUZZY_DR_OZ	Obfuscated Doctor Oz		meta
FUZZY_ERECT	Attempt to obfuscate words in spam		body
FUZZY_FACEBOOK	Obfuscated "facebook"		body
FUZZY_GUARANTEE	Attempt to obfuscate words in spam		body
FUZZY_IMPORTANT	Obfuscated "important"		body
FUZZY_MEDICATION	Attempt to obfuscate words in spam		body
FUZZY_MERIDIA	Obfuscation of the word "meridia"	/\b(?!meridia)\b/i	body
FUZZY_MICROSOFT	Obfuscated "microsoft"		body
FUZZY_MILLION	Attempt to obfuscate words in spam		body
FUZZY_MONERO	Obfuscated "Monero"		meta
FUZZY_MONEY	Attempt to obfuscate words in spam		body
FUZZY_MORTGAGE	Attempt to obfuscate words in spam		body
FUZZY_NORTON	Obfuscated "norton"		body
FUZZY_OBLIGATION	Attempt to obfuscate words in spam		body
FUZZY_OFFERS	Attempt to obfuscate words in spam		body
FUZZY_OVERSTOCK	Obfuscated "overstock"		body
FUZZY_PAYPAL	Obfuscated "paypal"		body
FUZZY_PHARMACY	Attempt to obfuscate words in spam		body
FUZZY_PHENT	Attempt to obfuscate words in spam		body
FUZZY_PORN	Obfuscated "Pornography" or "Pornographic"		meta
FUZZY_PRESCRIPT	Attempt to obfuscate words in spam		body
FUZZY_PRICES	Attempt to obfuscate words in spam		body
FUZZY_PRIVACY	Obfuscated "privacy"		body
FUZZY_PROMOTION	Obfuscated "promotion"		body
FUZZY_REFINANCE	Attempt to obfuscate words in spam		body
FUZZY_REMOVE	Attempt to obfuscate words in spam		body
FUZZY_ROLEX	Attempt to obfuscate words in spam		body
FUZZY_SAVINGS	Obfuscated "savings"		body
FUZZY_SECURITY	Obfuscated "security"		body
FUZZY_SOFTWARE	Attempt to obfuscate words in spam		body
FUZZY_THOUSANDS	Attempt to obfuscate words in spam		body
FUZZY_UNSUBSCRIBE	Obfuscated "unsubscribe"		body
FUZZY_VIOXX	Attempt to obfuscate words in spam		body
FUZZY_VLIUM	Attempt to obfuscate words in spam		body
FUZZY_VPILL	Attempt to obfuscate words in spam		body
FUZZY_WALLET	Obfuscated "Wallet"		body
FUZZY_XPILL	Attempt to obfuscate words in spam	Message contains the name of a pharmaceutical product written to avoid keyword filtering.	body
GAPPY_LOW_CONTRAST	Gappy subject + hidden text		meta
GAPPY_SALES_LEADS_FREEM	Obfuscated marketing text, freemail or CHN replyto		meta
GAPPY_SUBJECT	Subject: contains G.a.p.p.y-T.e.x.t		meta
GB_BITCOIN_CP	Localized Bitcoin scam
GB_FAKE_RF_SHORT	Fake reply or forward with url shortener		meta
GB_FORGED_MUA_POSTFIX	Forged Postfix mua headers		meta
GB_FREEMAIL_DISPTO	Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails		meta
GB_FREEMAIL_DISPTO_NOTFREEM	Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail		meta
GB_GOOG_IMG_NOT_RCVD_GOOG	Google hosted image but message not from Google		meta
GB_GOOGLE_OBFUR	Obfuscate url through Google redirect		uri
GEO_QUERY_STRING	/^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i		uri
GMD_PDF_EMPTY_BODY	Attached PDF with empty message body		body
GMD_PDF_ENCRYPTED	Attached PDF is encrypted		body
GMD_PDF_HORIZ	Contains pdf 100-240 (high) x 450-800 (wide)		body
GMD_PDF_SQUARE	Contains pdf 180-360 (high) x 180-360 (wide)		body
GMD_PDF_VERT	Contains pdf 450-800 (high) x 100-240 (wide)		body
GMD_PRODUCER_EASYPDF	PDF producer was BCL easyPDF		body
GMD_PRODUCER_GPL	PDF producer was GPL Ghostscript		body
GMD_PRODUCER_POWERPDF	PDF producer was PowerPDF		body
GOOG_MALWARE_DNLD	File download via Google - Malware?		meta
GOOG_REDIR_DOCUSIGN	Indirect docusign link, probable phishing		uri
GOOG_REDIR_HTML_ONLY	Google redirect to obscure spamvertised website + HTML only
GOOG_REDIR_NORDNS	Google redirect to obscure spamvertised website + no rDNS		meta
GOOG_REDIR_SHORT	Google redirect to obscure spamvertised website + short message		meta
GOOG_STO_EMAIL_PHISH	Possible phishing with google hosted content URI having email address		meta
GOOG_STO_HTML_PHISH	Possible phishing with google content hosting to avoid URIBL		meta
GOOG_STO_HTML_PHISH_MANY	Phishing with google content hosting to avoid URIBL		meta
GOOG_STO_IMG_HTML	Apparently using google content hosting to avoid URIBL		meta
GOOG_STO_IMG_NOHTML	Apparently using google content hosting to avoid URIBL		meta
GOOG_STO_NOIMG_HTML	Apparently using google content hosting to avoid URIBL		meta
GOOGLE_DOC_SUSP	Suspicious use of Google Docs		meta
GOOGLE_DOCS_PHISH	Possible phishing via a Google Docs form		meta
GOOGLE_DOCS_PHISH_MANY	Phishing via a Google Docs form		meta
GOOGLE_DRIVE_REPLY_BAD_NTLD	From Google Drive and Reply-To is from a suspicious TLD		meta
GTUBE	Generic Test for Unsolicited Bulk Email	This rule is used to test spam detection machinery. Presence of the GTUBE marker in email should always trigger spam detection. more info	body
GUARANTEED_100_PERCENT	One hundred percent guaranteed		body
HAS_X_NO_RELAY	Has spammy header		meta
HAS_X_OUTGOING_SPAM_STAT	Has header claiming outbound spam scan - why trust the results?		meta
HASHCASH_20	Contains valid Hashcash token (20 bits)	The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk email	header
HASHCASH_21	Contains valid Hashcash token (21 bits)	The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk email	header
HASHCASH_22	Contains valid Hashcash token (22 bits)	The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk email	header
HASHCASH_23	Contains valid Hashcash token (23 bits)	The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk email	header
HASHCASH_24	Contains valid Hashcash token (24 bits)	The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk email	header
HASHCASH_25	Contains valid Hashcash token (25 bits)	The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk email	header
HASHCASH_2SPEND	Hashcash token already spent in another mail	The sender added an unexpired Hashcash token to the message which has been marked as already spent. This may indicate that the message is spam.	header
HASHCASH_HIGH	Contains valid Hashcash token (>25 bits)	The sender added a unique unspent Hashcash token to the message, indicating that it is unlikely to be bulk email	header
HDR_ORDER_FTSDMCXX_001C	Header order similar to spam (FTSDMCXX/MID variant)
HDR_ORDER_FTSDMCXX_BAT	Header order similar to spam (FTSDMCXX/boundary variant)
HDR_ORDER_FTSDMCXX_DIRECT	Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX		meta
HDR_ORDER_FTSDMCXX_NORDNS	Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS		meta
HDRS_LCASE	Odd capitalization of message header		meta
HDRS_LCASE_IMGONLY	Odd capitalization of message headers + image-only HTML		meta
HDRS_MISSP	Misspaced headers		header
HDRS_MISSP	Misspaced headers		meta
HEAD_ILLEGAL_CHARS	Headers have too many raw illegal characters		header
HEAD_LONG	Message headers are very long		header
HEADER_COUNT_CTYPE	Multiple Content-Type headers found		header
HEADER_COUNT_SUBJECT	Multiple Subject headers found		header
HEADER_FROM_DIFFERENT_DOMAINS	From and EnvelopeFrom 2nd level mail domains are different		header
HEADER_SPAM	Bulk email fingerprint (header-based) found		header
HELO_DYNAMIC_CHELLO_NL	Relay HELO'd using suspicious hostname (Chello.nl)		header
HELO_DYNAMIC_DHCP	Relay HELO'd using suspicious hostname (DHCP)	An untrusted relay used a hostname (FQDN) as a HELO argument during a SMTP transaction that appears to suggest a dynamically allocated hostname. For example "dhcp192-0-2-32.example.com". This style of hostname is commonly found in the reverse DNS records for dynamically allocated addresses. It's possible that a spam-engine on a hijacked PC will use a reverse DNS lookup of its own address to formulate a valid HELO argument. See also Rules/HELO_DYNAMIC_IPADDR The IETF's dnsop working group has a draft memo regarding a suggested naming scheme for reverse DNS: http://tools.ietf.org/html/draft-msullivan-dnsop-generic-naming-schemes-00	header
HELO_DYNAMIC_DIALIN	Relay HELO'd using suspicious hostname (T-Dialin)		header
HELO_DYNAMIC_HCC	Relay HELO'd using suspicious hostname (HCC)		meta
HELO_DYNAMIC_HEXIP	Relay HELO'd using suspicious hostname (Hex IP)		header
HELO_DYNAMIC_HOME_NL	Relay HELO'd using suspicious hostname (Home.nl)		header
HELO_DYNAMIC_IPADDR	Relay HELO'd using suspicious hostname (IP addr 1)	The sender was identified by an upstream relay as using a numeric HELO address. It is probably not a regular email client using an authorized relay.	header
HELO_DYNAMIC_IPADDR2	Relay HELO'd using suspicious hostname (IP addr 2)	The sender was identified by an upstream relay as using a numeric HELO address. It is probably not a regular email client using an authorized relay.	header
HELO_DYNAMIC_ROGERS	Relay HELO'd using suspicious hostname (Rogers)		header
HELO_DYNAMIC_SPLIT_IP	Relay HELO'd using suspicious hostname (Split IP)		header
HELO_FRIEND	X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i		header
HELO_LH_HOME	X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home\| lan) /i		header
HELO_LH_LD	X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i	One of the untrusted mail relays identified itself as localhost.localdomain in the SMTP session. This indicates a poorly configured server, possibly one not intended for sending mail.	header
HELO_LOCALHOST	X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i		header
HELO_NO_DOMAIN	Relay reports its domain incorrectly		meta
HELO_OEM	X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc\| oem\S*) /i		header
HELO_STATIC_HOST	Relay HELO'd using static hostname		meta
HEXHASH_WORD	Multiple instances of word + hexadecimal hash		meta
HIDE_WIN_STATUS	Javascript to hide URLs in browser		rawbody
HIGH_CODEPAGE_URI	/^https?:\/\/[^\/]*\&\#(?:\d{4,}\| [3456789]\d\d);/i		uri
HK_CTE_RAW	No description provided		mimeheader
HK_LOTTO	No description provided		meta
HK_NAME_DRUGS	From name contains drugs		header
HK_NAME_FREE	From name mentions free stuff		header
HK_NAME_MR_MRS	No description provided		meta
HK_RANDOM_ENVFROM	Envelope sender username looks random		header
HK_RANDOM_FROM	From username looks random		header
HK_RANDOM_REPLYTO	Reply-To username looks random		header
HK_RCVD_IP_MULTICAST	No description provided		header
HK_SCAM	No description provided		meta
HK_SCAM_N2	/\bnext of kin\b/i		body
HK_SPAMMY_FILENAME	No description provided		meta
HK_WIN	No description provided		meta
HOSTED_IMG_DIRECT_MX	Image hosted at large ecomm, CDN or hosting site, message direct-to-mx		meta
HOSTED_IMG_DQ_UNSUB	Image hosted at large ecomm site, IP addr unsub link		meta
HOSTED_IMG_FREEM	Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to		meta
HOSTED_IMG_MULTI	Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected		meta
HOSTED_IMG_MULTI_PUB_01	Multiple hosted images at public site		meta
HS_BOBAX_MID_2	Bobax? Message-Id: <0IX000EJXVWDA000@example.com>		header
HS_BODY_UPLOADED_SOFTWARE	Somebody has uploaded some new software for you		body
HS_DRUG_DOLLAR_1	Contains a drug and price-like pattern.		body
HS_DRUG_DOLLAR_2	Contains a drug and price-like pattern.		body
HS_DRUG_DOLLAR_3	Contains a drug and price-like pattern.		body
HS_GETMEOFF	Links to common unsubscribe script: 'getmeoff.php'		uri
HS_INDEX_PARAM	Link contains a common tracker pattern.	The mail contains a URL which includes a query parameter, such as [WWW] http://example.com/?12345 . These URLs are often used in mass mailouts to track individual responses.	uri
HS_MEETUP_FOR_SEX	Talks about meeting up for sex.		body
HS_SUBJ_NEW_SOFTWARE	Subject starts with 'New software uploaded by'		header
HS_SUBJ_ONLINE_PHARMACEUTICAL	Subject contains the phrase 'Online pharmaceutical'		header
HS_VPXL	Contains VPXL, yet the recommended dose is only 2 tablets.		body
HTML_BADTAG_40_50	HTML message is 40% to 50% bad tags		body
HTML_BADTAG_50_60	HTML message is 50% to 60% bad tags		body
HTML_BADTAG_60_70	HTML message is 60% to 70% bad tags		body
HTML_BADTAG_90_100	HTML message is 90% to 100% bad tags		body
HTML_CHARSET_FARAWAY	A foreign language charset used in HTML markup		meta
HTML_COMMENT_SAVED_URL	HTML message is a saved web page		body
HTML_COMMENT_SHORT	HTML comment is very short		body
HTML_EMBEDS	HTML with embedded plugin object		body
HTML_ENTITY_ASCII	Obfuscated ASCII		meta
HTML_ENTITY_ASCII_TINY	Obfuscated ASCII + tiny fonts		meta
HTML_EXTRA_CLOSE	HTML contains far too many close tags	The message contains unbalanced HTML. This suggests that it was not generated by a normal email client or HTML editor, but by some mailout software that is trying to hide hashbusting text or otherwise avoid filters.	body
HTML_FONT_FACE_BAD	HTML font face is not a word		body
HTML_FONT_LOW_CONTRAST	HTML font color similar or identical to background	Attempts to hide message (probably scored nicely by bayes ) For example light gray on white or dark gray on black... bgcolor="#f7f7f7" color:"#ffffff"	body
HTML_FONT_SIZE_HUGE	HTML font size is huge	Message is HTML with some text in an unnaturally large font size	body
HTML_FONT_SIZE_LARGE	HTML font size is large	Message is HTML with some text in an unnaturally large font size	body
HTML_FONT_TINY_NORDNS	Font too small to read, no rDNS		meta
HTML_FORMACTION_MAILTO	HTML includes a form which sends mail		body
HTML_IFRAME_SRC	Message has HTML IFRAME tag with SRC URI		body
HTML_IMAGE_ONLY_04	HTML: images with 0-400 bytes of words	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_ONLY_08	HTML: images with 400-800 bytes of words	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_ONLY_12	HTML: images with 800-1200 bytes of words	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_ONLY_16	HTML: images with 1200-1600 bytes of words	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_ONLY_20	HTML: images with 1600-2000 bytes of words	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_ONLY_24	HTML: images with 2000-2400 bytes of words	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_ONLY_28	HTML: images with 2400-2800 bytes of words	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_ONLY_32	HTML: images with 2800-3200 bytes of words	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_RATIO_02	HTML has a low ratio of text to image area	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_RATIO_04	HTML has a low ratio of text to image area	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_RATIO_06	HTML has a low ratio of text to image area	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_IMAGE_RATIO_08	HTML has a low ratio of text to image area	This may indicate a message using an image instead of words in order to sidestep text-based filtering.	body
HTML_MESSAGE	HTML included in message	HTML messages are more visually attractive than plain text.	body
HTML_MIME_NO_HTML_TAG	HTML-only message, but there is no HTML tag		meta
HTML_MISSING_CTYPE	Message is HTML without HTML Content-Type
HTML_NONELEMENT_30_40	30% to 40% of HTML elements are non-standard		body
HTML_NONELEMENT_40_50	40% to 50% of HTML elements are non-standard		body
HTML_NONELEMENT_60_70	60% to 70% of HTML elements are non-standard		body
HTML_NONELEMENT_80_90	80% to 90% of HTML elements are non-standard		body
HTML_OBFUSCATE_05_10	Message is 5% to 10% HTML obfuscation	The message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filters	body
HTML_OBFUSCATE_10_20	Message is 10% to 20% HTML obfuscation	The message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filters	body
HTML_OBFUSCATE_20_30	Message is 20% to 30% HTML obfuscation	The message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filters	body
HTML_OBFUSCATE_30_40	Message is 30% to 40% HTML obfuscation	The message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filters	body
HTML_OBFUSCATE_50_60	Message is 50% to 60% HTML obfuscation	The message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filters	body
HTML_OBFUSCATE_70_80	Message is 70% to 80% HTML obfuscation	The message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filters	body
HTML_OBFUSCATE_90_100	Message is 90% to 100% HTML obfuscation	The message includes HTML with obfuscated text, such as unnecessary hex-encoding of ASCII characters. This is probably an attempt to avoid text-based filters	body
HTML_OFF_PAGE	HTML element rendered well off the displayed page		meta
HTML_SHORT_CENTER	HTML is very short with CENTER tag		meta
HTML_SHORT_LINK_IMG_1	HTML is very short with a linked image		meta
HTML_SHORT_LINK_IMG_2	HTML is very short with a linked image		meta
HTML_SHORT_LINK_IMG_3	HTML is very short with a linked image		meta
HTML_SHRT_CMNT_OBFU_MANY	Obfuscation with many short HTML comments		meta
HTML_SINGLET_MANY	Many single-letter HTML format blocks		meta
HTML_TAG_BALANCE_BODY	HTML has unbalanced "body" tags	HTML tags within the body tag aren't correctly nested. Usually, tags are opened but not closed.	body
HTML_TAG_BALANCE_CENTER	Malformatted HTML		meta
HTML_TAG_BALANCE_HEAD	HTML has unbalanced "head" tags	HTML tags within the head tag aren't correctly nested. Usually, tags are opened but not closed.	body
HTML_TAG_BALANCE_HTML	HTML has unbalanced"html"tags	HTML tags within the email aren't correctly nested. Usually, tags are opened but not closed.	body
HTML_TAG_EXIST_BGSOUND	HTML has "bgsound" tag		body
HTML_TEXT_INVISIBLE_FONT	HTML hidden text - word obfuscation?		meta
HTML_TEXT_INVISIBLE_STYLE	HTML hidden text + other spam signs		meta
HTML_TITLE_SUBJ_DIFF	No description provided		meta
HTTP_77	Contains an URL-encoded hostname (HTTP77)		uri
HTTP_ESCAPED_HOST	Uses %-escapes inside a URL's hostname	The message includes HTML with an obfuscated URL. This is probably an attempt to avoid text-based filters	uri
HTTP_EXCESSIVE_ESCAPES	Completely unnecessary %-escapes inside a URL	Contains a URL with letters replaces by hex codes e.g. %55 for "U". This indicates an attempt to avoid domain or text-based filtering, and indicates the message is probably spam.	uri
HTTPS_HTTP_MISMATCH	eval:check_https_http_mismatch('1','10')		body
HTTPS_IP_MISMATCH	IP to HTTPS link found in HTML	https://www.paypal.com/ Often found in phishing attempts, seldom seen in legitimate e-mail.	body
IMG_ONLY_FM_DOM_INFO	HTML image-only message from .info domain	__HTML_IMG_ONLY && __FROM_DOM_INFO	meta
IMPOTENCE	Impotence cure	/\b(?:impotence (?:problem\|cure\|solution)\|Premature Ejaculation\|erectile dysfunction)/i	body
INVALID_DATE	Invalid Date: header (not RFC 2822)	The Date header in the message is not compliant with RFC 2822 Sec. 3.3 This suggests the sender is using a badly-written mailout program rather than a regular email client.	header
INVALID_DATE_TZ_ABSURD	Invalid Date: header (timezone does not exist)	The Date header includes an impossible UTC offset, e.g. more than +/- 13 hours This suggests the message was generated by badly-written mailout software.	header
INVALID_MSGID	Message-Id is not valid, according to RFC 2822	Matches Message-ID headers that exist but do not meet a lenient definition of valid syntax. Exempts cases of embedded comments in Message ID's	header
INVALID_TZ_CST	Invalid date in header (wrong CST timezone)	The Date header includes a UTC offset which is not valid for CST (Central Standard Time). This suggests the message was generated by badly-written mailout software.	header
INVALID_TZ_EST	Invalid date in header (wrong EST timezone)	The Date header includes a UTC offset which is not valid for EST (Eastern Standard Time). This suggests the message was generated by badly-written mailout software.	header
INVESTMENT_ADVICE	Message mentions investment advice	/\binvestment advice/i	body
IP_LINK_PLUS	Dotted-decimal IP address followed by CGI	m{^https?://\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi\|click\|ads\|id=)}i	uri
JAPANESE_UCE_BODY	Body contains Japanese UCE tag	(__ISO_2022_JP_DELIM && __JAPANESE_UCE_BODY)	meta
JAPANESE_UCE_SUBJECT	Subject contains a Japanese UCE tag		header
JH_SPAMMY_HEADERS	Has unusual message header(s) seen primarily in spam	__HAS_COMPLAINT_TO \|\| __HAS_TRACKING_CODE \|\| __HAS_LOGID	meta
JH_SPAMMY_PATTERN01	Unusual pattern seen in spam campaign	m;.{0,200}	body
JH_SPAMMY_PATTERN02	Unusual pattern seen in spam campaign	m;]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}	body
JM_I_FEEL_LUCKY	/(?:\&\| \?)btnI=ec(?:(dollar) \| \&)/		uri
JM_RCVD_QMAILV1	Received =~ /by \S+ $Qmailv1$ with ESMTP/		header
JOIN_MILLIONS	Join Millions of Americans		body
JS_FROMCHARCODE	Document is built from a Javascript charcode array	(__JS_FROMCHARCODE && __JS_DOCWRITE)	meta
KB_DATE_CONTAINS_TAB	Date:raw =~ /^\t/		header
KB_FAKED_THE_BAT	No description provided		meta
KB_RATWARE_MSGID	No description provided		meta
KB_RATWARE_OUTLOOK_08	ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) [0-9a-f]{8}\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\./msi		header
KB_RATWARE_OUTLOOK_12	ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{4})[0-9a-f]{4}\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi		header
KB_RATWARE_OUTLOOK_16	ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{8})\(dollar) .{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi		header
KB_RATWARE_OUTLOOK_MID	ALL =~ /^Message-Id: <....([0-9a-f]{8})\(dollar) ([0-9a-f]{8})\(dollar) [0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi		header
KB_RATWARE_OUTLOOK_MID	No description provided		header
KHOP_FAKE_EBAY	Sender falsely claims to be from eBay		meta
KHOP_HELO_FCRDNS	Relay HELO differs from its IP's reverse DNS	__HELO_NOT_RDNS && !(__VIA_ML \|\| __freemail_safe \|\| __RCVD_IN_DNSWL \|\| __NOT_SPOOFED)	meta
KOREAN_UCE_SUBJECT	Subject: contains Korean unsolicited email tag		header
L_SPAM_TOOL_13	Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d(dollar) /		header
LINKEDIN_IMG_NOT_RCVD_LNKN	Linkedin hosted image but message not from Linkedin		meta
LIST_PARTIAL_SHORT_MSG	Incomplete mailing list headers + short message
LIST_PRTL_PUMPDUMP	Incomplete List-* headers and stock pump-and-dump		meta
LIST_PRTL_SAME_USER	Incomplete List-* headers and from+to user the same		meta
LIVE_PORN	Possible porn - Live Porn		body
LIVEFILESTORE	m~livefilestore.com/~		uri
LOCALPART_IN_SUBJECT	Local part of To: address appears in Subject		header
LONG_HEX_URI	Very long purely hexadecimal URI		meta
LONG_IMG_URI	Image URI with very long path component - web bug?		meta
LONG_INVISIBLE_TEXT	Long block of hidden text - bayes poison?		meta
LONG_TERM_PRICE	/long\W+term\W+(target\| projected)(\W+price)?/i		body
LONGLN_LOW_CONTRAST	Excessively long line + hidden text		meta
LONGWORDS	Long string of long words		meta
LOOPHOLE_1	A loop hole in the banking laws?		body
LOTS_OF_MONEY	Huge... sums of money		meta
LOTTERY_1	No description provided		meta
LOTTERY_PH_004470	No description provided		meta
LOTTO_AGENT	Claims Agent		meta
LOTTO_DEPT	Claims Department		meta
LOW_PRICE	Lowest Price		body
LUCRATIVE	Make lots of money!		meta
MAILING_LIST_MULTI	Multiple indicators imply a widely-seen list manager		meta
MALE_ENHANCE	Message talks about enhancing men		body
MALF_HTML_B64	Malformatted base64-encoded HTML content		meta
MALW_ATTACH	Attachment filename suspicious, probable malware exploit		meta
MALWARE_NORDNS	Malware bragging + no rDNS		meta
MALWARE_PASSWORD	Malware bragging + "password"		meta
MANY_HDRS_LCASE	Odd capitalization of multiple message headers		meta
MANY_SPAN_IN_TEXT	Many tags embedded within text		meta
MARKETING_PARTNERS	Claims you registered with a partner		body
MAY_BE_FORGED	Relay IP's reverse DNS does not resolve to IP		meta
MICROSOFT_EXECUTABLE	Message includes Microsoft executable program		body
MID_DEGREES	Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>(dollar) /		header
MILLION_HUNDRED	Million "One to Nine" Hundred		body
MILLION_USD	Talks about millions of dollars		body
MIME_BAD_ISO_CHARSET	MIME character set is an unknown ISO charset	The charset attribute of the MIME Content-Type: header is checked. A flag is raised if it is an ISO character set not recognised by the test. This rule checks the value of "mime_bad_iso_charset" set by [WWW] MIMEEval.pm . MIME headers are defined in [WWW] RFC 2045 Valid charsets are registered with IANA: http://www.iana.org/assignments/character-sets	body
MIME_BASE64_BLANKS	Extra blank lines in base64 encoding	Looking for extra blank lines to appear in the BASE64 encoding. Built into EvalTests.pm	rawbody
MIME_BASE64_NO_NAME	base64 attachment does not have a file name	Normally base64 encoded attachments have some sort of file name, this indicates one is missing.	header
MIME_BASE64_TEXT	Message text disguised using base64 encoding	The message contains text that has been encoded using Base64 content transfer encoding but does not use a character set known to require it. This does not apply to text in the UTF-8 or big5 character sets. This technique is assumed to be used by spammers as a form of obfuscation, presumably to bypass filters that are not MIME-aware. For details on Base64 encoding see [WWW] RFC 2045 sec 6.8 This rule is known to trigger false positives in some circumstances.	rawbody
MIME_BOUND_DD_DIGITS	Spam tool pattern in MIME boundary		header
MIME_BOUND_DIGITS_15	Spam tool pattern in MIME boundary		header
MIME_BOUND_EQ_REL	Content-Type =~ /boundary="=====================_\d+==\.REL"/s		header
MIME_BOUND_MANY_HEX	Spam tool pattern in MIME boundary		header
MIME_CHARSET_FARAWAY	MIME character set indicates foreign language		meta
MIME_HEADER_CTYPE_ONLY	Content-Type' found without required MIME headers		meta
MIME_HTML_MOSTLY	Multipart message mostly text/html MIME	Looks to see if the message is mostly HTML content versus normally having plain text parts of nearly equal size.	body
MIME_HTML_ONLY	Message only has text/html MIME parts	Indicates the message lacks the plain text alternative part.	body
MIME_HTML_ONLY_MULTI	Multipart message only has text/html MIME parts		meta
MIME_NO_TEXT	No (properly identified) text body parts		meta
MIME_PHP_NO_TEXT	No text body parts, X-Mailer: PHP		meta
MIME_QP_LONG_LINE	Quoted-printable line longer than 76 chars	The Quoted-Printable encoding REQUIRES that encoded lines be no more than 76 characters long. See RFC 2045. Although the Quoted-Printable specification requires lines be no more than 76 characters, many implementations ignore this and use a suggested line limit from RFC 5322 of 78 characters. Therefore it is not unusual to see this rule triggered by non-spam. See Bug 5491.	rawbody
MIME_SUSPECT_NAME	MIME filename does not match content		body
MIMEOLE_DIRECT_TO_MX	MIMEOLE + direct-to-MX		meta
MIMEPART_LIMIT_EXCEEDED	Message has too many MIME parts		body
MISSING_DATE	Missing Date: header		meta
MISSING_FROM	Missing From: header		meta
MISSING_HB_SEP	Missing blank line between message header and body		header
MISSING_HEADERS	Missing To: header	The mail header does not contain a To: line. The To: header is described in RFC2822 sec 3.6.3 - note that it is not a mandatory field, but it is considered unusual for MUA software not to add it.	header
MISSING_MID	Missing Message-Id: header		meta
MISSING_MIME_HB_SEP	Missing blank line between MIME header and body	The format for e-mail requires a blank line between the headers and the body of a message, the lack of one causes this rule to fire.	body
MISSING_MIMEOLE	Message has X-MSMail-Priority, but no X-MimeOLE		meta
MISSING_SUBJECT	Missing Subject: header		meta
MIXED_AREA_CASE	Has area tag in mixed case		meta
MIXED_CENTER_CASE	Has center tag in mixed case		meta
MIXED_ES	Too many es are not es		meta
MIXED_FONT_CASE	Has font tag in mixed case		meta
MIXED_HREF_CASE	Has href in mixed case		meta
MIXED_IMG_CASE	Has img tag in mixed case		meta
MONERO_DEADLINE	Monero cryptocurrency with a deadline		meta
MONERO_EXTORT_01	Extortion spam, pay via Monero cryptocurrency		meta
MONERO_MALWARE	Monero cryptocurrency + malware bragging		meta
MONERO_PAY_ME	Pay me via Monero cryptocurrency		meta
MONEY_ATM_CARD	Lots of money on an ATM card		meta
MONEY_BACK	Money back guarantee		body
MONEY_FORM	Lots of money if you fill out a form
MONEY_FORM_SHORT	Lots of money if you fill out a short form		meta
MONEY_FRAUD_3	Lots of money and several fraud phrases		meta
MONEY_FRAUD_5	Lots of money and many fraud phrases		meta
MONEY_FRAUD_8	Lots of money and very many fraud phrases		meta
MONEY_FREEMAIL_REPTO	Lots of money from someone using free email?		meta
MONEY_FROM_41	Lots of money from Africa		meta
MONEY_FROM_MISSP	Lots of money and misspaced From		meta
MONEY_NOHTML	Lots of money in plain text
MORE_SEX	Talks about a bigger drive for sex	/increased?.{0,9}(?:sex\|stamina)/i	body
MPART_ALT_DIFF	HTML and text parts are different	The mail contains the content in both HTML and plain text format, but their content is (very probably) different. This suggests that the sender is not using a normal mail client, and is attempting to evade filtering by using a message which looks different to humans and mail filters.	body
MPART_ALT_DIFF_COUNT	HTML and text parts are different	The mail contains the content in both HTML and plain text format, but their content is (very probably) different - the number of words is significantly different in the two versions. This suggests that the sender is not using a normal mail client, and is attempting to evade filtering by using a message which looks different to humans and mail filters.	body
MSGID_DOLLARS_URI_IMG	Suspicious Message-ID and image		meta
MSGID_FROM_MTA_HEADER	Message-Id was added by a relay		meta
MSGID_HDR_MALF	Has invalid message ID header		meta
MSGID_MULTIPLE_AT	Message-ID contains multiple '@' characters	The Message-Id: header contains more than one "@" characters, rendering it invalid. Invalid Message-Id headers have been seen generated by some types of spamming software. The syntax for the Message-Id field is defined in RFC 2822 sec 3.6.4, as well as recommended algorithms. Bug #5707 suggests that Microsoft Office Outlook 12.0 (a.k.a Office Outlook 2007) generates invalid Message-Id fields, triggering this rule. Note: Since dot-atom-text does not include the @ symbol, multiple instances usually indicate an invalid Message-Id. However it is possible for a syntactically valid (per RFC2822) Message-Id field to contain multiple "@" symbols under the circumstances that the id-left component consists of a double-quoted string (where qtext can contain %d64, although this format is now marked as obsolete by RFC5322) or inside id-right as part of a literal address string. For example: {{{Message-Id: <"12345@example.org"@host.example.com> Message-Id: <12345@[123@456]> Message-Id: <"12345@example.org"@[123@456]>}}} This particular usage, however, is not currently covered by this rule and is not known to be in the wild.	header
MSGID_NOFQDN1	Message-ID with no domain name		meta
MSGID_OUTLOOK_INVALID	Message-Id is fake (in Outlook Express format)	The Message-Id header has the format of one generated by Microsoft Outlook Express, which is based on the date, but the inferred date is inconsistent with other date headers.	header
MSGID_RANDY	Message-Id has pattern used in spam		meta
MSGID_SHORT	Message-ID is unusually short		header
MSGID_SPAM_CAPS	Spam tool Message-Id: (caps variant)	MSGID or message-id is unique identifier in the email header. The same message ID may not be reused during the lifetime of any email with the same message ID. (It is recommended that no message ID be reused for at least two years.) In order to conform to RFC 822, the Message-ID must have the format "<" "unique" "@" "full domain name" ">" this rule activates when "unique" is all in capitals.	header
MSGID_SPAM_LETTERS	Spam tool Message-Id: (letters variant)		header
MSGID_YAHOO_CAPS	Message-ID has ALLCAPS@yahoo.com		header
MSM_PRIO_REPTO	MSMail priority header + Reply-to + short subject		meta
MSMAIL_PRI_ABNORMAL	Email priority often abused		meta
MSOE_MID_WRONG_CASE	No description provided		meta
MULTI_FORGED	Received headers indicate multiple forgeries
MULTIPART_ALT_NON_TEXT	eval:check_ma_non_text()		body
NA_DOLLARS	Talks about a million North American dollars	The body of the mail makes reference to millions of US or Canadian dollars, a common signature that can help identify scam emails.	body
NAME_EMAIL_DIFF	Sender NAME is an unrelated email address		meta
NEW_PRODUCTS	No description provided		meta
NEWEGG_IMG_NOT_RCVD_NEGG	Newegg hosted image but message not from Newegg		meta
NICE_REPLY_A	Looks like a legit reply (A)		meta
NML_ADSP_CUSTOM_HIGH	ADSP custom_high hit, and not from a mailing list		meta
NML_ADSP_CUSTOM_LOW	ADSP custom_low hit, and not from a mailing list		meta
NML_ADSP_CUSTOM_MED	ADSP custom_med hit, and not from a mailing list		meta
NO_DNS_FOR_FROM	Envelope sender has no MX or A DNS records	The return address is fake. The sender has no interest in knowing whether the message was delivered or not, and does not wish anyone to receive a large number of delivery failed reports.	header
NO_FM_NAME_IP_HOSTN	No From name + hostname using IP address		meta
NO_HEADERS_MESSAGE	Message appears to be missing most RFC-822 headers		meta
NO_MEDICAL	No Medical Exams		body
NO_PRESCRIPTION	No prescription needed		body
NO_RDNS_DOTCOM_HELO	Host HELO'd as a big ISP, but had no rDNS		header
NO_RECEIVED	Informational: message has no Received headers		meta
NO_RELAYS	Informational: message was not relayed via SMTP	This indicates no "Received" headers in the mail.	header
NONEXISTENT_CHARSET	Character set doesn't exist		header
NORDNS_LOW_CONTRAST	No rDNS + hidden text		meta
NORMAL_HTTP_TO_IP	Uses a dotted-decimal IP address in URL	URI host has a public dotted-decimal IPv4 address	uri
NOT_ADVISOR	Not registered investment advisor		body
NOT_SPAM	I'm not spam! Really! I'm not, I'm not, I'm not!		body
NSL_RCVD_FROM_USER	Received from User		header
NSL_RCVD_HELO_USER	Received from HELO User		header
NULL_IN_BODY	Message has NUL (ASCII 0) byte in message		full
NUMBEREND_LINKBAIT	Domain ends in a large number and very short body with link
NUMERIC_HTTP_ADDR	Uses a numeric IP address in URL	Contains a URL with a numeric address, such as http://192.168.36.67 This may indicate a webserver set up quickly without a DNS entry, or an attempt to avoid domain-based filtering. This indicates the message may be spam or phishing.	uri
OBFU_BITCOIN	Obfuscated BitCoin references	__OBFU_BITCOIN	meta
OBFU_JVSCR_ESC	Injects content using obfuscated javascript	/document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i	rawbody
OBFU_TEXT_ATTACH	Text attachment with non-text MIME type		mimeheader
OBFU_UNSUB_UL	Obfuscated unsubscribe text	__OBFU_UNSUB_UL && !MAILING_LIST_MULTI	meta
OBFUSCATING_COMMENT	HTML comments which obfuscate text	((__OBFUSCATING_COMMENT_A && HTML_MESSAGE) \|\| (__OBFUSCATING_COMMENT_B && MIME_HTML_ONLY)) && !__ISO_2022_JP_DELIM	meta
OBSCURED_EMAIL	Message seems to contain rot13ed address		body
ODD_FREEM_REPTO	Has unusual reply-to header		meta
OFFER_ONLY_AMERICA	Offer only available to US	__FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA	meta
ONE_TIME	One Time Rip Off		body
ONLINE_MKTG_CNSLT	No description provided		body
ONLINE_PHARMACY	Online Pharmacy		body
OOOBOUNCE_MESSAGE	Out Of Office bounce message	__BOUNCE_OOO_ARHDR && (__BOUNCE_OOO_SUBJECT \|\| __BOUNCE_OOO_BODY \|\| __BOUNCE_OOO_SUBJBODY)	meta
PART_CID_STOCK	Has a spammy image attachment (by Content-ID)		meta
PART_CID_STOCK_LESS	Has a spammy image attachment (by Content-ID, more specific)		meta
PDS_BAD_THREAD_QP_64	Bad thread header - short QP
PDS_BTC_ID	FP reduced Bitcoin ID		meta
PDS_BTC_MSGID	Bitcoin ID with T_MSGID_NOFQDN2		meta
PDS_BTC_NTLD	Bitcoin suspect NTLD
PDS_CPANEL_PORT_SPOOFEDURL	URL using a cPanel port in text but not the href		meta
PDS_DBL_URL_TNB_RUNON	Double-url and To no arrows, from runon		meta
PDS_EMPTYSUBJ_URISHRT	Empty subject with little more than URI shortener
PDS_FRNOM_TODOM_DBL_URL	From Name to domain, double URL		meta
PDS_FRNOM_TODOM_NAKED_TO	Naked to From name equals to Domain		meta
PDS_FROM_NAME_TO_DOMAIN	From:name looks like To:domain		meta
PDS_HELO_SPF_FAIL	High profile HELO that fails SPF		meta
PDS_NAKED_TO_NUMERO	Naked-to, numberonly domain
PDS_NO_FULL_NAME_SPOOFED_URL	HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME
PDS_OTHER_BAD_TLD	Untrustworthy TLDs		header
PDS_PHP_EVAL	PHP header shows eval'd code		meta
PDS_PHP_RUNTIME_FUNC	PHP header shows runtime-created function
PDS_RDNS_DYNAMIC_FP	RDNS_DYNAMIC with FP steps		meta
PDS_SHORT_SPOOFED_URL	HTML message short and T_SPOOFED_URL (S_U_FP)
PDS_SHORTFWD_URISHRT_QP	Apparently a short fwd/re with URI shortener
PDS_TINYSUBJ_URISHRT	Short subject with URL shortener
PDS_TO_EQ_FROM_NAME	From: name same as To: address		meta
PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE	Forged replyto and __PDS_TONAME_EQ_TOLOCAL		meta
PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE	To: name matches everything in local email - LCASE headers		meta
PDS_TONAME_EQ_TOLOCAL_VSHORT	Very short body and From looks like 2 different emails
PERCENT_RANDOM	Message has a random macro in it		meta
PHISH_ATTACH	Attachment filename suspicious, probable phishing		meta
PHISH_AZURE_CLOUDAPP	Link to known phishing web application		uri
PHISH_FBASEAPP	Probable phishing via hosted web app		meta
PHISHING_FREEMAIL	Send your login credentials to some random freemail account	(__EMAIL_PHISH \|\| __EMAIL_PHISH_MANY \|\| __ACCT_PHISH \|\| __ACCT_PHISH_MANY) && FREEMAIL_FORGED_REPLYTO	meta
PHOTO_EDITING_DIRECT	Image editing service, direct to MX		meta
PHOTO_EDITING_FREEM	Image editing service, freemail or CHN replyto		meta
PHP_NOVER_MUA	Mail from PHP with no version number		meta
PHP_ORIG_SCRIPT	Sent by bot & other signs		meta
PHP_ORIG_SCRIPT_EVAL	From suspicious PHP source		meta
PHP_SCRIPT	Sent by PHP script		meta
PHP_SCRIPT_MUA	Sent by PHP script, no version number		meta
PLING_QUERY	Subject has exclamation mark and question mark		meta
POSSIBLE_AMAZON_PHISH_02	No description provided		meta
POSSIBLE_APPLE_PHISH_02	Claims to be from apple but not processed by any apple MTA		meta
POSSIBLE_EBAY_PHISH_02	Claims to be from ebay but not processed by any ebay MTA		meta
POSSIBLE_PAYPAL_PHISH_01	Claims to be from paypal but has non-paypal from email address		meta
POSSIBLE_PAYPAL_PHISH_02	Claims to be from paypal but not processed by any paypal MTA		meta
PP_MIME_FAKE_ASCII_TEXT	MIME text/plain claims to be ASCII but isn't		body
PP_TOO_MUCH_UNICODE02	Is text/plain but has many unicode escapes		body
PP_TOO_MUCH_UNICODE05	Is text/plain but has many unicode escapes		body
PREST_NON_ACCREDITED	'Prestigious Non-Accredited Universities'		body
PREVENT_NONDELIVERY	Message has Prevent-NonDelivery-Report header		header
PRICES_ARE_AFFORDABLE	Message says that prices aren't too expensive		body
PUMPDUMP	Pump-and-dump stock scam phrase		meta
PUMPDUMP_MULTI	Pump-and-dump stock scam phrases		meta
PUMPDUMP_TIP	Pump-and-dump stock tip		meta
PYZOR_CHECK	Listed in Pyzor (http://pyzor.sf.net/ ; https://pyzor.readthedocs.io/en/latest/ )	Pyzor is a collaborative, networked system to detect and block spam using digests of messages. It uses a fuzzy checksum technique to identify message bodies based on signatures submitted by users, or inferred by other techniques such as high-confidence Bayesian or DNSBL entries. Pyzor initially started out to be merely a Python implementation of Razor, but due to the protocol and the fact that Razor's server is not Open Source or software libre, Frank Tobin decided to implement Pyzor with a new protocol and release the entire system as Open Source and software libre.	full
RAND_HEADER_LIST_SPOOF	Random gibberish message header(s) + pretending to be a mailing list		meta
RAND_HEADER_MANY	Multiple random gibberish message headers		meta
RAND_MKTG_HEADER	Has partially-randomized marketing/tracking header(s)		meta
RATWARE_EFROM	Bulk email fingerprint (envfrom) found		header
RATWARE_EGROUPS	Bulk email fingerprint (eGroups) found		header
RATWARE_GECKO_BUILD	Bulk email fingerprint (Gecko faked) found		header
RATWARE_HASH_DASH	Contains a hashbuster in Send-Safe format		rawbody
RATWARE_MOZ_MALFORMED	Bulk email fingerprint (Mozilla malformed) found		header
RATWARE_MPOP_WEBMAIL	Bulk email fingerprint (mPOP Web-Mail)		header
RATWARE_MS_HASH	Bulk email fingerprint (msgid ms hash) found		meta
RATWARE_NAME_ID	Bulk email fingerprint (msgid from) found		meta
RATWARE_NO_RDNS	Suspicious MsgID and MIME boundary + no rDNS		meta
RATWARE_OE_MALFORMED	X-Mailer has malformed Outlook Express version		header
RATWARE_OUTLOOK_NONAME	Bulk email fingerprint (Outlook no name) found		meta
RATWARE_RCVD_AT	Bulk email fingerprint (Received @) found		header
RATWARE_RCVD_PF	Bulk email fingerprint (Received PF) found		header
RATWARE_ZERO_TZ	Bulk email fingerprint (+0000) found		meta
RAZOR2_CF_RANGE_51_100	Razor2 gives confidence level above 50%	Vipul's Razor is a distributed, collaborative, spam detection and filtering network. It uses a fuzzy checksum technique to identify message bodies based on signatures submitted by users, or inferred by other techniques such as high-confidence Bayesian or DNSBL entries.	full
RAZOR2_CF_RANGE_E4_51_100	Razor2 gives engine 4 confidence level above 50%	Vipul's Razor is a distributed, collaborative, spam detection and filtering network. It uses a fuzzy checksum technique to identify message bodies based on signatures submitted by users, or inferred by other techniques such as high-confidence Bayesian or DNSBL entries.	full
RAZOR2_CF_RANGE_E8_51_100	Razor2 gives engine 8 confidence level above 50%	Vipul's Razor is a distributed, collaborative, spam detection and filtering network. It uses a fuzzy checksum technique to identify message bodies based on signatures submitted by users, or inferred by other techniques such as high-confidence Bayesian or DNSBL entries.	full
RAZOR2_CHECK	Listed in Razor2 (http://razor.sf.net/)	Vipul's Razor is a distributed, collaborative, spam detection and filtering network. It uses a fuzzy checksum technique to identify message bodies based on signatures submitted by users, or inferred by other techniques such as high-confidence Bayesian or DNSBL entries.	full
RCVD_AM_PM	Received headers forged (AM/PM)		header
RCVD_BAD_ID	One of the trace fields (Received: headers) contains an unusually formatted ID parameter. Note: matching this rule does not necessarily infer that the Received: header is invalid or non-standard, only unusual. The format of the Received: header is defined in [WWW] RFC 2821 sec 4.4 (which references atext defined in [WWW] RFC 2822 ) and allows for characters beyond the ASCII alpha/digit/underscore/minus usually seen in IDs.	Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\(dollar) \%&'()*:<=>?\@\[\]^\`{\| }~]\| ;\S)/	header
RCVD_DBL_DQ	Malformatted message header		header
RCVD_DOTEDU_SHORT	Via .edu MTA + short message		meta
RCVD_DOTEDU_SUSP_URI	Via .edu MTA + suspicious URI		meta
RCVD_DOUBLE_IP_LOOSE	Received: by and from look like IP addresses		meta
RCVD_DOUBLE_IP_SPAM	Bulk email fingerprint (double IP) found		meta
RCVD_FAKE_HELO_DOTCOM	Received contains a faked HELO hostname		header
RCVD_FORGED_WROTE	Forged 'Received' header found ('wrote:' spam)		header
RCVD_FORGED_WROTE2	Received =~ /from [0-9.]+ $HELO \S+[A-Za-z]+$ by (\S+) with esmtp $\S+\s\S+$ id \S{6}-\S{6}-\S\S for \S+@\1;/s		header
RCVD_HELO_IP_MISMATCH	Received: HELO and IP do not match, but should	Checks if a HELO string is an IP, and if it is, that it matches the actual IP (or is in the same /24). (It doesn't fire if the HELO string is a hostname or private (RFC 1918) or trusted IP.)	header
RCVD_ILLEGAL_IP	Received: contains illegal IP address	A check is made of the IP addresses listed in the Received lines in the mail header using RelayEval.pm. This test identifies IPv4 addresses that are invalid according the the allowable address space, as well as addresses that should never be seen as a source of mail. The valid, but unusable, address ranges are as follows: 0/8 Reserved 1/8 Unallocated 2/8 Unallocated 5/8 Unallocated 7/8 Live allocation - US DoD 127/8 Loopback range (excepting localhost 127.0.0/24) 223/8 Unallocated 224/4 Multicast Note that ranges currently marked "Unallocated" will probably be allocated by IANA at some point in the future. See also: http://www.iana.org/assignments/ipv4-address-space/ http://tools.ietf.org/html/rfc3330 7.0.0.0/8 is allocated to the US Department of Defense. It was previously listed by IANA as 'Reserved' causing it to be added to "network bogon" lists. For its current use, it is not expected that traffic originating from this range will routed outside of this range. However, it's not clear that legitimate mail headers wouldn't contain IP addresses from this range.	header
RCVD_IN_BL_SPAMCOP_NET	Received via a relay in bl.spamcop.net	A relay in the message's Received headers was listed in the Spamcop DNSBL; see [WWW] http://spamcop.net/ . For the SpamCop URI block list see Rules/URIBL_SC_SURBL .	header
RCVD_IN_BRBL_LASTEXT	eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')	The last external relay in the Received chain was listed in the DNSBL Barracuda Reputation Block List (BRBL). The Barracuda Reputation Block List (BRBL) is based on the Barracuda Reputation System and operates collaboratively to fight spam. The BRBL provides a list of IP addresses which are sending spam. The Barracuda Reputation system uses automated collection methods to add and delete IP addresses from the BRBL. See: http://www.barracudacentral.org/rbl/removal-request for details on requesting removal from this list.	header
RCVD_IN_CSS	Received via a relay in Spamhaus CSS		header
RCVD_IN_DNSWL_BLOCKED	ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.		header
RCVD_IN_DNSWL_HI	Sender listed at https://www.dnswl.org/, high trust	dnswl.org is a community-driven project to prevent false positives. dnswl.org provides a DNS-based whitelist of known legitimate hosts in different categories/trust levels. The policy says for trust level "hi": High Never sends spam. Wrongly listed IP addressed should be reported to [MAILTO] admins@dnswl.org or via the online form at [WWW] http://www.dnswl.org/request.pl. Please note that e.g. the trust level "none" means "Legitimate mail server, may also send spam".	header
RCVD_IN_DNSWL_LOW	Sender listed at https://www.dnswl.org/, low trust	dnswl.org is a community-driven project to prevent false positives. dnswl.org provides a DNS-based whitelist of known legitimate hosts in different categories/trust levels. The policy says for trust level "low": Low Occasional spam occurrences, actively corrected but less promptly. Wrongly listed IP addressed should be reported to [MAILTO] admins@dnswl.org or via the online form at [WWW] http://www.dnswl.org/request.pl. Please note that e.g. the trust level "none" means "Legitimate mail server, may also send spam".	header
RCVD_IN_DNSWL_MED	Sender listed at https://www.dnswl.org/, medium trust	dnswl.org is a community-driven project to prevent false positives. dnswl.org provides a DNS-based whitelist of known legitimate hosts in different categories/trust levels. The policy says for trust level "med": Medium Extremely rare spam occurrences, corrected promptly. Wrongly listed IP addressed should be reported to [MAILTO] admins@dnswl.org or via the online form at [WWW] http://www.dnswl.org/request.pl. Please note that e.g. the trust level "none" means "Legitimate mail server, may also send spam".	header
RCVD_IN_DNSWL_NONE	Sender listed at https://www.dnswl.org/, no trust	dnswl.org is a community-driven project to prevent false positives. dnswl.org provides a DNS-based whitelist of known legitimate hosts in different categories/trust levels. The policy says for trust level "None": Legitimate mail server, may also send spam. This is the default for some categories (eg Email Marketing Provider) Report Problems IPs sending spam are expected to hit this rule, but if you get so many emails sending spam, and none sending non-spam, that you think it shouldn't be listed, you can report them here: http://www.dnswl.org/registerreporter.pl As with many SpamAssassin network rules, it is important to make sure you have your trusted_networks / internal_networks (TrustPath) configured correctly to ensure that the test is run against the correct IP. IPs that are not listed which should be can be reported here: http://www.dnswl.org/request.pl You can also contact the maintainers of this data at admins@dnswl.org	header
RCVD_IN_IADB_DK	IADB: Sender publishes Domain Keys record		header
RCVD_IN_IADB_DOPTIN	IADB: All mailing list mail is confirmed opt-in		header
RCVD_IN_IADB_DOPTIN_GT50	IADB: Confirmed opt-in used more than 50% of the time		header
RCVD_IN_IADB_DOPTIN_LT50	IADB: Confirmed opt-in used less than 50% of the time		header
RCVD_IN_IADB_EDDB	IADB: Participates in Email Deliverability Database		header
RCVD_IN_IADB_EPIA	IADB: Member of Email Processing Industry Alliance		header
RCVD_IN_IADB_GOODMAIL	IADB: Sender has been certified by GoodMail		header
RCVD_IN_IADB_LISTED	Participates in the IADB system		header
RCVD_IN_IADB_LOOSE	IADB: Adds relationship addrs w/out opt-in		header
RCVD_IN_IADB_MI_CPEAR	IADB: Complies with Michigan's CPEAR law		header
RCVD_IN_IADB_MI_CPR_30	IADB: Checked lists against Michigan's CPR within 30 days		header
RCVD_IN_IADB_MI_CPR_MAT	IADB: Sends no material under Michigan's CPR		header
RCVD_IN_IADB_ML_DOPTIN	IADB: Mailing list email only, confirmed opt-in		header
RCVD_IN_IADB_NOCONTROL	IADB: Has absolutely no mailing controls in place		header
RCVD_IN_IADB_OOO	IADB: One-to-one/transactional email only		header
RCVD_IN_IADB_OPTIN	IADB: All mailing list mail is opt-in		header
RCVD_IN_IADB_OPTIN_GT50	IADB: Opt-in used more than 50% of the time		header
RCVD_IN_IADB_OPTIN_LT50	IADB: Opt-in used less than 50% of the time		header
RCVD_IN_IADB_OPTOUTONLY	IADB: Scrapes addresses, pure opt-out only		header
RCVD_IN_IADB_RDNS	IADB: Sender has reverse DNS record		header
RCVD_IN_IADB_SENDERID	IADB: Sender publishes Sender ID record		header
RCVD_IN_IADB_SPF	IADB: Sender publishes SPF record		header
RCVD_IN_IADB_UNVERIFIED_1	IADB: Accepts unverified sign-ups		header
RCVD_IN_IADB_UNVERIFIED_2	IADB: Accepts unverified sign-ups, gives chance to opt out		header
RCVD_IN_IADB_UT_CPEAR	IADB: Complies with Utah's CPEAR law		header
RCVD_IN_IADB_UT_CPR_30	IADB: Checked lists against Utah's CPR within 30 days		header
RCVD_IN_IADB_UT_CPR_MAT	IADB: Sends no material under Utah's CPR		header
RCVD_IN_IADB_VOUCHED	ISIPP IADB lists as vouched-for sender	The sending host in the first trusted Received: header is a "Vouched listing" in the Institute for Social Internet Public Policy (ISIPP) Accreditation Database (a DNS Whitelist). Sites sending spam from IADB vouched IP addresses can be reported to abuse@suretymail.com.	header
RCVD_IN_MAPS_DUL	Relay in DUL, http://www.mail-abuse.com/enduserinfo_dul.html	The message was received via a relay listed in the DNSBL dialups.mail-abuse.org. The criteria for listing is that the relay address appears to be dynamically allocated, indicating that it is probably a customers computer and not a properly configured mail relay Since 2005, mail-abuse.org is operated by Trend Micro	header
RCVD_IN_MAPS_NML	Relay in NML, http://www.mail-abuse.com/enduserinfo_nml.html	The message was received via a relay listed in the DNSBL nonconfirm.mail-abuse.org. This DNSBL is no longer documented. Since 2005, mail-abuse.org is operated by Trend Micro	header
RCVD_IN_MAPS_OPS	Relay in OPS, http://www.mail-abuse.com/enduserinfo_ops.html		header
RCVD_IN_MAPS_RBL	Relay in RBL, http://www.mail-abuse.com/enduserinfo_rbl.html	The message was received via a relay listed in the DNSBL blackholes.mail-abuse.org. The criteria for listing is that the relay address may be a multi-hop (multiple IP) open relay, a spam source, or a spam support service Since 2005, mail-abuse.org is operated by Trend Micro	header
RCVD_IN_MAPS_RSS	Relay in RSS, http://www.mail-abuse.com/enduserinfo_rss.html	The message was received via a relay listed in the DNSBL relays.mail-abuse.org. The criteria for listing is that the relay address appears to be that of an "open relay" that will relay email from unauthenticated and untrusted users. Since 2005, mail-abuse.org is operated by Trend Micro	header
RCVD_IN_MSPIKE_BL	Mailspike blacklisted		meta
RCVD_IN_MSPIKE_H2	Average reputation (+2)		header
RCVD_IN_MSPIKE_H3	Good reputation (+3)		header
RCVD_IN_MSPIKE_H4	Very Good reputation (+4)		header
RCVD_IN_MSPIKE_H5	Excellent reputation (+5)		header
RCVD_IN_MSPIKE_L2	Suspicious reputation (-2)		header
RCVD_IN_MSPIKE_L3	Low reputation (-3)		header
RCVD_IN_MSPIKE_L4	Bad reputation (-4)		header
RCVD_IN_MSPIKE_L5	Very bad reputation (-5)		header
RCVD_IN_MSPIKE_WL	Mailspike good senders		meta
RCVD_IN_MSPIKE_ZBI	No description provided		meta
RCVD_IN_NJABL_CGI	NJABL: sender is an open formmail	See: [WWW] http://www.njabl.org/	header
RCVD_IN_NJABL_MULTI	NJABL: sent through multi-stage open relay	See: [WWW] http://www.njabl.org/	header
RCVD_IN_NJABL_PROXY	NJABL: sender is an open proxy	See: [WWW] http://www.njabl.org/	header
RCVD_IN_NJABL_RELAY	NJABL: sender is confirmed open relay	See: [WWW] http://www.njabl.org/	header
RCVD_IN_NJABL_SPAM	NJABL: sender is confirmed spam source	See: [WWW] http://www.njabl.org/	header
RCVD_IN_PBL	Received via a relay in Spamhaus PBL	The PBL official page and description is [WWW] here and that page can also be used to look up an IP in the PBL. The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server, except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges. In other words, it lists IP addresses that are not expected to host a normal mail server, and the PBL has Self-Service removal and IP owner management mechanisms.	header
RCVD_IN_PSBL	Received via a relay in PSBL	The last external relay in the Received chain was listed in the DNSBL The Passive Spam Blocklist (PSBL). The Passive Spam Block List, or PSBL, uses the Spamikaze software, which works in a really simple way. If one of my spamtraps receives email from a certain IP address, then that IP address gets listed. After a certain time the IP address times out and is automatically dropped from the list. See: http://www.psbl.org for details on removing addresses from this list.	header
RCVD_IN_RP_CERTIFIED	Sender is in Return Path Certified (trusted relay)		header
RCVD_IN_RP_RNBL	Relay in RNBL, https://senderscore.org/blacklistlookup/	The last external relay in the Received chain was listed in the DNSBL Return Path Reputation Network Blacklist (RNBL). Reputation Network Blacklist is based on real time data compiled through our cooperative Reputation Network. See: https://senderscore.org/rtbl/ for details on requesting removal from this list.	header
RCVD_IN_RP_SAFE	Sender is in Return Path Safe (trusted relay)		header
RCVD_IN_SBL	Received via a relay in Spamhaus SBL	The headers indicate the mail was sent via a server listed on the [WWW] Spamhaus Block List (DNSBL). The Spamhaus Block List (SBL) is a realtime database of IP addresses of spam-sources, including known spammers, spam gangs, spam operations and spam support services. SBL listings are made according to policies outlined in [WWW] SBL Policy & Listing Criteria. For the body URI check see URIBL_SBL, and for other Spamhaus.org RBL listings see RCVD_IN_XBL RCVD_IN_PBL.	header
RCVD_IN_SBL_CSS	Received via a relay in Spamhaus SBL-CSS		header
RCVD_IN_SORBS_BLOCK	SORBS: sender demands to never be tested	This check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS. ref A listing indicates that the administrator of the mail relay has demanded that they never be tested by SORBS.	header
RCVD_IN_SORBS_DUL	SORBS: sent directly from dynamic IP address	The last external relay in the Received chain was listed in the [WWW] SORBS "DUL" list, which lists dynamic IP addresses that should not be emitting SMTP traffic directly.	header
RCVD_IN_SORBS_HTTP	SORBS: sender is open HTTP proxy server	This check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS. ref A listing indicates that email may be sent through a webserver proxy by an unauthorized and unauthenticated user.	header
RCVD_IN_SORBS_MISC	SORBS: sender is open proxy server		header
RCVD_IN_SORBS_SMTP	SORBS: sender is open SMTP relay	This check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS. ref A listing indicates that email may be sent through a SMTP proxy by an unauthorized and unauthenticated user.	header
RCVD_IN_SORBS_SOCKS	SORBS: sender is open SOCKS proxy server	This check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS. ref A listing indicates that email may be sent through a SOCKS proxy by an unauthorized and unauthenticated user.	header
RCVD_IN_SORBS_WEB	SORBS: sender is an abusable web server	This check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS. web.dnsbl.sorbs.net List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts) Note: This zone now includes non-webserver IP addresses that have abusable vulnerabilities.	header
RCVD_IN_SORBS_ZOMBIE	SORBS: sender is on a hijacked network	This check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS. ref This is a list of networks hijacked from their original owners, some of which have already used for spamming.	header
RCVD_IN_VALIDITY_CERTIFIED	Sender in Validity Certification - Contact certification@validity.com		header
RCVD_IN_VALIDITY_RPBL	Relay in Validity RPBL, https://senderscore.org/blocklistlookup/		header
RCVD_IN_VALIDITY_SAFE	Sender in Validity Safe - Contact certification@validity.com		header
RCVD_IN_XBL	Received via a relay in Spamhaus XBL	The mail was received from a server listed in the [WWW] Spamhaus Exploits Block List DNSBL, which lists hijacked PCs infected by illegal 3rd party exploits. The XBL wholly incorporates data from two highly-trusted DNSBL sources, with tweaks by Spamhaus to maximise the data efficiency and lower False Positives. The main components are: the CBL (Composite Block List) from [WWW] cbl.abuseat.org the NJABL Open Proxy IPs list from [WWW] www.njabl.org.	header
RCVD_IN_ZEN_BLOCKED	ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/		header
RCVD_IN_ZEN_BLOCKED_OPENDNS	ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/		header
RCVD_MAIL_COM	Forged Received header (contains post.com or mail.com)		header
RCVD_NUMERIC_HELO	Received: contains an IP address used for HELO	In an SMTP session the argument to the first command a client sends (EHLO or HELO) should be the client identifier. RFC2821 specifies the fully-qualified domain name of the SMTP client, the older standard RFC821 refers to the host name. In situations that the client does not have a meaningful domain name the client SHOULD send an address literal (an IP address enclosed by square brackets). If a Received: header is parsed that indicates the EHLO/HELO identifier was given as an IP address, but not enclosed by square brackets, this is in violation of the RFC.	header
RDNS_DYNAMIC	Delivered to internal network by host with dynamic-looking rDNS		meta
RDNS_LOCALHOST	Sender's public rDNS is "localhost"		header
RDNS_NONE	Delivered to internal network by a host with no rDNS		meta
RDNS_NUM_TLD_ATCHNX	Relay rDNS has numeric TLD + suspicious attachment		meta
RDNS_NUM_TLD_XM	Relay rDNS has numeric TLD + suspicious headers		meta
REFINANCE_NOW	Home refinancing		body
REFINANCE_YOUR_HOME	Home refinancing		body
REMOVE_BEFORE_LINK	Removal phrase right before a link	A phrase such as "unsubscribe here", "no thanks", or "not interested" appears in the message body no more than five characters before a URL.	body
REPLICA_WATCH	Message talks about a replica watch		body
REPLYTO_EMPTY	Reply-To undeliverable		header
REPLYTO_WITHOUT_TO_CC	No description provided		meta
REPTO_419_FRAUD	Reply-To is known advance fee fraud collector mailbox		header
REPTO_419_FRAUD_AOL	Reply-To is known advance fee fraud collector mailbox		header
REPTO_419_FRAUD_AOL_LOOSE	Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox		meta
REPTO_419_FRAUD_CNS	Reply-To is known advance fee fraud collector mailbox		header
REPTO_419_FRAUD_GM	Reply-To is known advance fee fraud collector mailbox		header
REPTO_419_FRAUD_GM_LOOSE	Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox		meta
REPTO_419_FRAUD_HM	Reply-To is known advance fee fraud collector mailbox		header
REPTO_419_FRAUD_OL	Reply-To is known advance fee fraud collector mailbox		header
REPTO_419_FRAUD_PM	Reply-To is known advance fee fraud collector mailbox		header
REPTO_419_FRAUD_QQ	Reply-To is known advance fee fraud collector mailbox		header
REPTO_419_FRAUD_YH	Reply-To is known advance fee fraud collector mailbox		header
REPTO_419_FRAUD_YH_LOOSE	Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox		meta
REPTO_419_FRAUD_YJ	Reply-To is known advance fee fraud collector mailbox		header
REPTO_419_FRAUD_YN	Reply-To is known advance fee fraud collector mailbox		header
REPTO_QUOTE_AOL	AOL doesn't do quoting like this
REPTO_QUOTE_IMS	IMS doesn't do quoting like this
REPTO_QUOTE_MSN	MSN doesn't do quoting like this
REPTO_QUOTE_QUALCOMM	Qualcomm/Eudora doesn't do quoting like this
REPTO_QUOTE_YAHOO	Yahoo! doesn't do quoting like this		meta
RISK_FREE	No risk!	/\b(?:risk free\|no risk)/i	body
RP_MATCHES_RCVD	No description provided		???
RUDE_HTML	Spammer message says you need an HTML mailer	__RUDE_HTML_1 \|\| __RUDE_HTML_2 \|\| __RUDE_HTML_3 \|\| __RUDE_HTML_4	meta
SANE_04e8bf28eb445199a7f11b943c44d209	Email.Spam.Gen3177.Sanesecurity.08051611		body
SANE_1c4f3286fa4aed6424ced88bfaf8b09c	Email.Spam.Gen3234.Sanesecurity.08052309		body
SANE_2b173a7fb7518c75ac8a2d294d773fd8	Email.Spam.Sanesecurity.Url_2496		body
SANE_3b92eda751c992f230f215fb7eb36844	Email.Spam.Gen158.Sanesecurity.07012700		body
SANE_4ef8302546bf270a19baf98508afacc4	Email.Spam.Gen1941.Sanesecurity.07112519		body
SANE_7429530a7398f43f1f1b795f9420714e	Email.Spam.Gen2507.Sanesecurity.08021303		body
SANE_91eb43f705d25c804374a746d7519660	Email.Malware.Sanesecurity.07011300		body
SANE_d0d2b0f6373bf91253d66dd74c594b87	Email.Spam.Sanesecurity.Url_2499		body
SB_GIF_AND_NO_URIS	No description provided		meta
SCRIPT_GIBBERISH	Nonsense in HTML "SCRIPT" tag		meta
SENDGRID_REDIR	Redirect URI via Sendgrid	__SENDGRID_REDIR && !MIME_HTML_MOSTLY && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION	meta
SENDGRID_REDIR_PHISH	Redirect URI via Sendgrid + phishing signs	__SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN \|\| FORGED_RELAY_MUA_TO_MX \|\| __TO_IN_SUBJ )	meta
SEO_SUSP_NTLD	SEO offer from suspicious TLD	__FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)	meta
SERGIO_SUBJECT_PORN002	Pictures garbled subject	Subject =~ /p[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}c[^a-zA-Z0-9]{0,3}t[^a-zA-Z0-9]{0,3}u[^a-zA-Z0-9]{1,3}r[^a-zA-Z0-9]{0,3}e[^a-zA-Z0-9]{0,3}s/i	header
SERGIO_SUBJECT_PORN003	Videos garbled subject	Subject =~ /v[^a-zA-Z0-9]{1,3}[i1l][^a-zA-Z0-9]{0,3}d[^a-zA-Z0-9]{0,3}e[^a-zA-Z0-9]{0,3}[o0][^a-zA-Z0-9]{0,3}s/i	header
SERGIO_SUBJECT_PORN004	Adult garbled subject	Subject =~ /a[^a-zA-Z0-9]{1,3}d[^a-zA-Z0-9]{1,3}[uv][^a-zA-Z0-9]{1,3}[l1\\|][^a-zA-Z0-9]{1,3}t/i	header
SERGIO_SUBJECT_PORN005	Porn garbled subject	Subject =~ /\bp[^a-zA-Z0-9]{0,3}[o0][^a-zA-Z0-9]{1,3}r[^a-zA-Z0-9]{0,3}n/i	header
SERGIO_SUBJECT_PORN006	B\\\* J\\ garbled subject	Subject =~ /b[^a-zA-Z0-9]{0,3}l[^a-zA-Z0-9]{0,3}[o0][^a-zA-Z0-9]{0,3}w[^a-zA-Z0-9]{0,3}j[^a-zA-Z0-9]{0,3}[o0][^a-zA-Z0-9]{0,3}b/i	header
SERGIO_SUBJECT_PORN007	Film garbled subject	Subject =~ /bf[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{1,3}[i1l][^a-zA-Z0-9]{0,3}m/i	header
SERGIO_SUBJECT_PORN008	Mature garbled subject	Subject =~ /m[^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9]{0,3}t[^a-zA-Z0-9]{0,3}[uv][^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}e/i	header
SERGIO_SUBJECT_PORN009	Undress garbled subject	Subject =~ /u[^a-zA-Z0-9]{0,3}n[^a-zA-Z0-9]{0,3}d[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}e[^a-zA-Z0-9]{0,3}s[^a-zA-Z0-9]{0,3}s/i	header
SERGIO_SUBJECT_PORN010	Movies garbled subject	Subject =~ /m[^a-zA-Z0-9]{1,3}o[^a-zA-Z0-9]{1,3}v[^a-zA-Z0-9]{1,3}i[^a-zA-Z0-9]{1,3}e/i	header
SERGIO_SUBJECT_PORN011	Sex garbled subject	Subject =~ /s[^a-zA-Z0-9]{1,4}e[^a-zA-Z0-9]{1,4}x/i	header
SERGIO_SUBJECT_PORN012	School garbled subject	Subject =~ /s[^a-zA-Z0-9]{1,4}c[^a-zA-Z0-9]{0,4}h[^a-zA-Z0-9]{0,4}[o0][^a-zA-Z0-9]{0,4}[o0][^a-zA-Z0-9]{0,4}[1l\|]/i	header
SERGIO_SUBJECT_PORN013	Girls garbled subject	Subject =~ /g[^a-zA-Z0-9]{1,3}[i1l][^a-zA-Z0-9]{1,3}r[^a-zA-Z0-9]{1,3}[1l\\|]/i	header
SERGIO_SUBJECT_PORN014	F\\\* garbled subject	Subject =~ /f[^a-zA-Z0-9]{0,3}[uv][^a-zA-Z0-9]{0,3}c[^a-zA-Z0-9]{0,3}k/i	header
SERGIO_SUBJECT_PORN015	Lesbian garbled subject	Subject =~ /l[^a-zA-Z0-9]{0,3}e[^a-zA-Z0-9]{0,3}s[^a-zA-Z0-9]{0,3}b[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9]{0,3}n/i	header
SERGIO_SUBJECT_VIAGRA01	Viagra garbled subject	Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i	header
SHARE_50_50	Share the money 50/50	(__SHARE_IT \|\| __AGREED_RATIO) && __FIFTY_FIFTY	meta
SHOPIFY_IMG_NOT_RCVD_SFY	Shopify hosted image but message not from Shopify	__SHOPIFY_IMG_NOT_RCVD_SFY && !__HAS_CAMPAIGN && !MIME_QP_LONG_LINE && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER	meta
SHORT_HELO_AND_INLINE_IMAGE	Short HELO string, with inline image	(__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)	meta
SHORT_IMG_SUSP_NTLD	Short HTML + image + suspicious TLD	__LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD	meta
SHORT_SHORTNER	Short body with little more than a link to a shortener	__KAM_BODY_LENGTH_LT_512 && (__PDS_URISHORTENER \|\| __URL_SHORTENER)	meta
SHORT_TERM_PRICE	/short\W+term\W+(target\| projected)(\W+price)?/i		body
SHORTCIRCUIT	Not all rules were run, due to a shortcircuited rule		header
SHORTENED_URL_SRC	No description provided		rawbody
SHORTENER_SHORT_IMG	Short HTML + image + URL shortener	__URL_SHORTENER && HTML_SHORT_LINK_IMG_1	meta
SHORTENER_SHORT_SUBJ	URL shortener (avoiding URIBL?) + short subject	__SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO	meta
SINGLETS_LOW_CONTRAST	Single-letter formatted HTML + hidden text	__HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP	meta
SORTED_RECIPS	Recipient list is sorted by address		header
SPAMMY_XMAILER	X-Mailer string is common in spam and not in ham	(__XM_OL_28001441\|\|__XM_OL_48072300\|\|__XM_OL_28004682\|\|__XM_OL_10_0_4115\|\|__XM_OL_4_72_2106_4)	meta
SPF_FAIL	SPF: sender does not match SPF record (fail)	A "Fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. The checking software can choose to mark the mail based on this or to reject the mail outright. From RFC 4408	header
SPF_HELO_FAIL	SPF: HELO does not match SPF record (fail)	A "Fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. The checking software can choose to mark the mail based on this or to reject the mail outright. If the checking software chooses to reject the mail during the SMTP transaction, then it SHOULD use an SMTP reply code of 550 (see RFC 2821) and, if supported, the 5.7.1 Delivery Status Notification (DSN) code (see RFC 3464), in addition to an appropriate reply text. The check_host() function may return either a default explanation string or one from the domain that published the SPF records (see Section 6.2). If the information does not originate with the checking software, it should be made clear that the text is provided by the sender's domain. For example: From RFC 4408	header
SPF_HELO_NEUTRAL	SPF: HELO does not match SPF record (neutral)	The domain owner has explicitly stated that he cannot or does not want to assert whether or not the IP address is authorized. A "Neutral" result MUST be treated exactly like the "None" result; the distinction exists only for informational purposes. Treating "Neutral" more harshly than "None" would discourage domain owners from testing the use of SPF records (see Section 9.1). From RFC 4408	header
SPF_HELO_NONE	SPF: HELO does not publish an SPF Record	eval:check_for_spf_helo_none()	header
SPF_HELO_PASS	SPF: HELO matches SPF record	A "Pass" result means that the client is authorized to inject mail with the given identity. The domain can now, in the sense of reputation, be considered responsible for sending the message. Further policy checks can now proceed with confidence in the legitimate use of the identity. From RFC 4408	header
SPF_HELO_SOFTFAIL	SPF: HELO does not match SPF record (softfail)	A "SoftFail" result should be treated as somewhere between a "Fail" and a "Neutral". The domain believes the host is not authorized but is not willing to make that strong of a statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal. The domain owner wants to discourage the use of this host and thus desires limited feedback when a "SoftFail" result occurs. For example, the recipient's Mail User Agent (MUA) could highlight the "SoftFail" status, or the receiving MTA could give the sender a message using a technique called "greylisting" whereby the MTA can issue an SMTP reply code of 451 (4.3.0 DSN code) with a note the first time the message is received, but accept it the second time. From RFC 4408	header
SPF_NEUTRAL	SPF: sender does not match SPF record (neutral)	The domain owner has explicitly stated that he cannot or does not want to assert whether or not the IP address is authorized. A "Neutral" result MUST be treated exactly like the "None" result; the distinction exists only for informational purposes. Treating "Neutral" more harshly than "None" would discourage domain owners from testing the use of SPF records (see Section 9.1). From RFC 4408	header
SPF_NONE	SPF: sender does not publish an SPF Record	eval:check_for_spf_none()	header
SPF_PASS	SPF: sender matches SPF record	A "Pass" result means that the client is authorized to inject mail with the given identity. The domain can now, in the sense of reputation, be considered responsible for sending the message. Further policy checks can now proceed with confidence in the legitimate use of the identity. From RFC 4408	header
SPF_SOFTFAIL	SPF: sender does not match SPF record (softfail)	between a "Fail" and a "Neutral". The domain believes the host is not authorized but is not willing to make that strong of a statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal. The domain owner wants to discourage the use of this host and thus desires limited feedback when a "SoftFail" result occurs. For example, the recipient's Mail User Agent (MUA) could highlight the "SoftFail" status, or the receiving MTA could give the sender a message using a technique called "greylisting" whereby the MTA can issue an SMTP reply code of 451 (4.3.0 DSN code) with a note the first time the message is received, but accept it the second time. From [WWW] http://www.openspf.org/RFC_4408#op-result-softfail	header
SPOOF_COM2COM	URI contains ".com" in middle and end		meta
SPOOF_COM2OTH	URI contains ".com" in middle		uri
SPOOF_GMAIL_MID	From Gmail but it doesn't seem to be...	SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID	meta
SPOOF_NET2COM	URI contains ".net" or ".org", then ".com"		uri
SPOOFED_FREEM_REPTO	Forged freemail sender with freemail reply-to	__SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX	meta
SPOOFED_FREEM_REPTO_CHN	Forged freemail sender with Chinese freemail reply-to	(__SPOOFED_FREEM_REPTO \|\| FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM	meta
SPOOFED_FREEM_REPTO_RUS	Forged freemail sender with Russian freemail reply-to	(__SPOOFED_FREEM_REPTO \|\| FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM	meta
SPOOFED_FREEMAIL	No description provided		meta
SPOOFED_FREEMAIL_NO_RDNS	From SPOOFED_FREEMAIL and no rDNS	__SPOOFED_FREEMAIL && __RDNS_NONE	meta
STATIC_XPRIO_OLE	Static RDNS + X-Priority + MIMEOLE	__STATIC_XPRIO_OLE	meta
STOCK_ALERT	Offers a alert about a stock		body
STOCK_IMG_CTYPE	Stock spam image part, with distinctive Content-Type header	(__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)	meta
STOCK_IMG_HDR_FROM	Stock spam image part, with distinctive From line	(__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&T_TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)	meta
STOCK_IMG_HTML	Stock spam image part, with distinctive HTML	(__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)	meta
STOCK_IMG_OUTLOOK	Stock spam image part, with Outlook-like features	(__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)	meta
STOCK_LOW_CONTRAST	Stocks + hidden text	(__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG	meta
STOCK_TIP	Stock tips	__STOCK_TIP && !__DKIM_EXISTS	meta
STOX_BOUND_090909_B	No description provided		header
STOX_REPLY_TYPE	Content-Type =~ /text\/plain; .* reply-type=original/	The mail's content type is "text/plain" and has the "reply-type=original" attribute. There is no IANA registration for the MIME "text/plain" Media Type ( http://www.iana.org/assignments/media-types/text/ ) sub-parameter "reply-type" at this time. This is a non-standard and undefined parameter. However this parameter does appear to be used in Microsoft software such as Outlook Express ( http://support.microsoft.com/kb/887797 ).	header
STOX_REPLY_TYPE_WITHOUT_QUOTES	No description provided		meta
STRONG_BUY	Tells you about a strong buy		body
SUBJ_ALL_CAPS	Subject is all capitals	The Subject: line in the mail header contains all capital letters. This test is only applied to multi-word subject lines over a certain length containing letters in an ASCII-based character-set.	header
SUBJ_AS_SEEN	Subject contains"As Seen"		header
SUBJ_ATTENTION	ATTENTION in Subject	__SUBJ_ATTENTION && !ALL_TRUSTED	meta
SUBJ_BRKN_WORDNUMS	Subject contains odd word breaks and numbers		meta
SUBJ_BUY	Subject line starts with Buy or Buying		header
SUBJ_DOLLARS	Subject starts with dollar amount		header
SUBJ_ILLEGAL_CHARS	Subject: has too many raw illegal characters	(__SUBJ_ILLEGAL_CHARS && !__FROM_YAHOO_COM)	meta
SUBJ_UNNEEDED_HTML	Unneeded HTML formatting in Subject:		meta
SUBJ_YOUR_DEBT	Subject contains"Your Bills"or similar		header
SUBJ_YOUR_FAMILY	Subject contains "Your Family"		header
SUBJECT_DIET	Subject talks about losing pounds		header
SUBJECT_DRUG_GAP_C	Subject contains a gappy version of 'cialis'		header
SUBJECT_DRUG_GAP_L	Subject contains a gappy version of 'levitra'		header
SUBJECT_DRUG_GAP_S	Subject contains a gappy version of 'soma'		header
SUBJECT_DRUG_GAP_VA	Subject contains a gappy version of 'valium'		header
SUBJECT_DRUG_GAP_X	Subject contains a gappy version of 'xanax'		header
SUBJECT_FUZZY_CHEAP	Attempt to obfuscate words in Subject:		header
SUBJECT_FUZZY_MEDS	Attempt to obfuscate words in Subject:		header
SUBJECT_FUZZY_PENIS	Attempt to obfuscate words in Subject:		header
SUBJECT_FUZZY_TION	Attempt to obfuscate words in Subject:	The message subject seems to contain an attempt to obscure "tion" - commonly used as a suffix to create a noun from a verb. This test uses the ReplaceTags plugin.	header
SUBJECT_FUZZY_VPILL	Attempt to obfuscate words in Subject:	__SUBJECT_FUZZY_VPILL && !FUZZY_VPILL	meta
SUBJECT_IN_BLACKLIST	Subject: contains string in the user's black-list	This test is for an optional plugin that allows the user to define subjects that are blacklisted.	header
SUBJECT_IN_WHITELIST	Subject: contains string in the user's white-list		header
SUBJECT_NEEDS_ENCODING	Subject is encoded but does not specify the encoding	(!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME	meta
SUBJECT_SEXUAL	Subject indicates sexually-explicit content		header
SURBL_BLOCKED	ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.	eval:check_uridnsbl('SURBL_BLOCKED')	body
SUSP_UTF8_WORD_FROM	Word in From name using only suspicious UTF-8 characters	__4BYTE_UTF8_WORD_FROM	meta
SUSP_UTF8_WORD_SUBJ	Word in Subject using only suspicious UTF-8 characters	__4BYTE_UTF8_WORD_SUBJ	meta
SUSPICIOUS_RECIPS	Similar addresses in recipient list	The recipients listed in the To: Cc: and Bcc: header fields are checked. If there are more than a specific number of addresses present (5 or more) the addresses are compared to look for similarities.	header
SUSPNTLD_EXPIRATION_EXTORT	Susp NTLD with an expiration notice and lotsa money	LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD	meta
SYSADMIN	Supposedly from your IT department	__SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS	meta
T_ACH_CANCELLED_EXE	ACH cancelled probable malware		meta
T_CDISP_SZ_MANY	Suspicious MIME header		mimeheader
T_COMPENSATION	"Compensation"
T_DATE_IN_FUTURE_96_Q	Date: is 4 days to 4 months after Received: date		header
T_DATE_IN_FUTURE_Q_PLUS	Date: is over 4 months after Received: date		header
T_DOC_ATTACH_NO_EXT	Document attachment with suspicious name		meta
T_DOS_OUTLOOK_TO_MX_IMAGE	Direct to MX with Outlook headers and an image		meta
T_DOS_ZIP_HARDCORE	hardcore.zip file attached; quite certainly a virus		mimeheader
T_DRUGS_ERECTILE_SHORT_SHORTNER	Short erectile drugs advert with T_URL_SHORTENER		meta
T_FILL_THIS_FORM_FRAUD_PHISH	Answer suspicious question(s)		meta
T_FILL_THIS_FORM_LOAN	Answer loan question(s)		meta
T_FILL_THIS_FORM_SHORT	Fill in a short form with personal information		meta
T_FORGED_TBIRD_IMG_SIZE	Likely forged Thunderbird image spam		meta
T_FREEMAIL_DOC_PDF	MS document or PDF attachment, from freemail		meta
T_FREEMAIL_DOC_PDF_BCC	MS document or PDF attachment, from freemail, all recipients hidden		meta
T_FREEMAIL_RVW_ATTCH	Please review attached document, from freemail		meta
T_FROM_MULTI_SHORT_IMG	Multiple From addresses + short message with image		meta
T_FROMNAME_EQUALS_TO	From:name matches To:		meta
T_FROMNAME_SPOOFED_EMAIL	From:name looks like a spoofed email		meta
T_FUZZY_OPTOUT	Obfuscated opt-out text		body
T_FUZZY_WELLSFARGO	Obfuscated "Wells Fargo"		meta
T_GB_FREEM_FROM_NOT_REPLY	From: and Reply-To: have different freemail domains		meta
T_GB_FROMNAME_SPOOFED_EMAIL_IP	From:name looks like a spoofed email from a spoofed ip		meta
T_GB_HASHBL_BTC	Message contains BTC address found on BTCBL		body
T_GB_WEBFORM	Webform with url shortener		meta
T_HTML_ATTACH	HTML attachment to bypass scanning?		meta
T_ISO_ATTACH	ISO attachment - possible malware delivery		meta
T_KAM_HTML_FONT_INVALID	Test for Invalidly Named or Formatted Colors in HTML		meta
T_LARGE_PCT_AFTER_MANY	Many large percentages after...		meta
T_LOTTO_AGENT_FM	Claims Agent	From =~ /(?:claim(?:s\|ing)?(?:[\s_.]processing)?\|fiducia\w+\|dispatch\|reimbursement\|prize[\s_.]transfer\|(?:international\|foreign\|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent\|manager\|officer\|secretary\|director\|department\|dept)/i	header
T_LOTTO_AGENT_RPLY	Claims Agent	Reply-To =~ /(?:claim(?:s\|ing)?(?:[\s_.]processing)?\|fiducia\w+\|dispatch\|reimbursement\|prize\stransfer\|(?:international\|foreign\|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent\|manager\|officer\|secretary\|director\|department\|dept)/i	header
T_LOTTO_URI	Claims Department URL	/(?:claim(?:s\|ing)?(?:[-_]?processing)?\|fiducia\w+\|reimbursement\|(?:international\|foreign\|win+ing)?[-_]?rem+it+ance\|award)[-_]?(?:department\|dept\|unit\|group\|committee\|office\|agent\|manager\|secretary)/i	uri
T_MANY_HDRS_LCASE	Odd capitalization of multiple message headers
T_MANY_PILL_PRICE	Prices for many pills		meta
T_MIME_MALF	Malformed MIME: headers in body		meta
T_MONEY_PERCENT	X% of a lot of money for you		meta
T_OBFU_ATTACH_MISSP	Obfuscated attachment type and misspaced From		meta
T_OBFU_DOC_ATTACH	MS Document attachment with generic MIME type		mimeheader
T_OBFU_GIF_ATTACH	GIF attachment with generic MIME type		mimeheader
T_OBFU_HTML_ATT_MALW	HTML attachment with incorrect MIME type - possible malware		meta
T_OBFU_HTML_ATTACH	HTML attachment with non-text MIME type		mimeheader
T_OBFU_JPG_ATTACH	JPG attachment with generic MIME type		mimeheader
T_OBFU_PDF_ATTACH	PDF attachment with generic MIME type		mimeheader
T_PDS_BTC_AHACKER	Bitcoin Hacker		meta
T_PDS_BTC_HACKER	Bitcoin Hacker		meta
T_PDS_BTC_NTLD	Bitcoin suspect NTLD		meta
T_PDS_EMPTYSUBJ_URISHRT	Empty subject with little more than URI shortener		meta
T_PDS_FREEMAIL_REPLYTO_URISHRT	Freemail replyto with URI shortener		meta
T_PDS_FROM_2_EMAILS	From header has multiple different addresses		meta
T_PDS_FROM_2_EMAILS_SHRTNER	From 2 emails short email with little more than a URI shortener		meta
T_PDS_LTC_AHACKER	Litecoin Hacker		meta
T_PDS_LTC_HACKER	Litecoin Hacker		meta
T_PDS_NO_FULL_NAME_SPOOFED_URL	HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME		meta
T_PDS_PRO_TLD	.pro TLD		header
T_PDS_SHORT_SPOOFED_URL	HTML message short and T_SPOOFED_URL (S_U_FP)		meta
T_PDS_SHORTFWD_URISHRT	Threaded email with URI shortener		meta
T_PDS_SHORTFWD_URISHRT_FP	Apparently a short fwd/re with URI shortener		meta
T_PDS_SHORTFWD_URISHRT_QP	Apparently a short fwd/re with URI shortener		meta
T_PDS_TINYSUBJ_URISHRT	Short subject with URL shortener		meta
T_PDS_URISHRT_LOCALPART_SUBJ	Localpart of To in subject		meta
T_REMOTE_IMAGE	Message contains an external image		meta
T_SENT_TO_EMAIL_ADDR	Email was sent to email address		meta
T_SHARE_50_50	Share the money 50/50		meta
T_SPF_HELO_PERMERROR	SPF: test of HELO record failed (permerror)	eval:check_for_spf_helo_permerror()	header
T_SPF_HELO_TEMPERROR	SPF: test of HELO record failed (temperror)	eval:check_for_spf_helo_temperror()	header
T_SPF_PERMERROR	SPF: test of record failed (permerror)	eval:check_for_spf_permerror()	header
T_SPF_TEMPERROR	SPF: test of record failed (temperror)	eval:check_for_spf_temperror()	header
T_STY_INVIS_DIRECT	HTML hidden text + direct-to-MX		meta
T_SUSPNTLD_EXPIRATION_EXTORT	Susp NTLD with an expiration notice and lotsa money		meta
T_TONOM_EQ_TOLOC_SHRT_PSHRTNER	Short subject with potential shortener and To:name eq To:local	__PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT	meta
T_TONOM_EQ_TOLOC_SHRT_SHRTNER	Short email with shortener and To:name eq To:local		meta
T_WON_MONEY_ATTACH	You won lots of money! See attachment.		meta
T_WON_NBDY_ATTACH	You won lots of money! See attachment.		meta
T_XPRIO_URL_SHORTNER	X-Priority header and short URL		meta
T_ZW_OBFU_BITCOIN	Obfuscated text + bitcoin ID - possible extortion		meta
T_ZW_OBFU_FREEM	Obfuscated text + freemail		meta
T_ZW_OBFU_FROMTOSUBJ	Obfuscated text + from in to and subject		meta
TAB_IN_FROM	From starts with a tab		header
TAGSTAT_IMG_NOT_RCVD_TGST	Tagstat hosted image but message not from Tagstat		meta
TARINGANET_IMG_NOT_RCVD_TN	media.taringa.net hosted image but message not from taringa.net		meta
TBIRD_SUSP_MIME_BDRY	Unlikely Thunderbird MIME boundary	__MUA_TBIRD && __TB_MIME_BDRY_NO_Z	meta
TEQF_USR_IMAGE	To and from user nearly same + image	__TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH	meta
TEQF_USR_MSGID_HEX	To and from user nearly same + unusual message ID	__TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2	meta
TEQF_USR_MSGID_MALF	To and from user nearly same + malformed message ID	__TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2	meta
THEBAT_UNREG	X-Mailer =~ /^The Bat! .{0,20} UNREG(dollar) /		header
THIS_AD	"This ad" and variants	__THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD	meta
THIS_IS_ADV_SUSP_NTLD	This is an advertisement from a suspicious TLD	__FROM_ADDRLIST_SUSPNTLD && __PDS_THIS_IS_ADV	meta
TO_EQ_FM_DIRECT_MX	To == From and direct-to-MX	__TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED	meta
TO_EQ_FM_DOM_HTML_IMG	To domain == From domain and HTML image link	__TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD	meta
TO_EQ_FM_DOM_HTML_ONLY	To domain == From domain and HTML only	__TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX	meta
TO_EQ_FM_DOM_SPF_FAIL	To domain == From domain and external SPF failed		meta
TO_EQ_FM_HTML_ONLY	To == From and HTML only	__TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER	meta
TO_EQ_FM_SPF_FAIL	To == From and external SPF failed		meta
TO_IN_SUBJ	To address is in Subject	__TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW	meta
TO_MALFORMED	To: has a malformed address		header
TO_NAME_SUBJ_NO_RDNS	Recipient username in subject + no rDNS	LOCALPART_IN_SUBJECT && __RDNS_NONE	meta
TO_NO_BRKTS_DYNIP	To: lacks brackets and dynamic rDNS		meta
TO_NO_BRKTS_FROM_MSSP	Multiple header formatting problems	__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && FROM_MISSPACED	meta
TO_NO_BRKTS_HTML_IMG	To: lacks brackets and HTML and one image	__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG	meta
TO_NO_BRKTS_HTML_ONLY	To: lacks brackets and HTML only	__TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY	meta
TO_NO_BRKTS_MSFT	To: lacks brackets and supposed Microsoft tool	__TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD && !__SUBJECT_UTF8_B_ENCODED	meta
TO_NO_BRKTS_NORDNS_HTML	To: lacks brackets and no rDNS and HTML only	__TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__BUGGED_IMG && !__TAG_EXISTS_CENTER && !__SUBSCRIPTION_INFO && !__TAG_EXISTS_STYLE	meta
TO_NO_BRKTS_PCNT	To: lacks brackets + percentage	__TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS	meta
TO_TOO_MANY_WFH_01	Work-from-Home + many recipients	__TO_TOO_MANY_WFH_01	meta
TONLINE_FAKE_DKIM	t-online.de doesn't do DKIM	__HDR_RCVD_TONLINEDE && __DKIM_EXISTS	meta
TONOM_EQ_TOLOC_SHRT_SHRTNER	Short email with shortener and To:name eq To:local	__PDS_URISHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_HTML_LENGTH_1024	meta
TRACKER_ID	Incorporates a tracking ID number	Looks for a tracking number usually found near the end of the message. Notes in rule file indicate it was added around Jul 5th, 2002.	body
TRANSFORM_LIFE	Transform your life!	__TRANSFORM_LIFE && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_X_MAILER && !__VIA_ML	meta
TT_MSGID_TRUNC	Scora: Message-Id ends after left-bracket + digits		header
TT_OBSCURED_VALIUM	Scora: obscured "VALIUM" in subject	( __TT_BROKEN_VALIUM \|\| __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM	meta
TT_OBSCURED_VIAGRA	Scora: obscured "VIAGRA" in subject	( __TT_BROKEN_VIAGRA \|\| __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA	meta
TUMBLR_IMG_NOT_RCVD_TUMB	Tumblr hosted image but message not from Tumblr		meta
TVD_ACT_193	/\bact of (?:193\| nineteen thirty)/i	For some reason, many spam messages have referred to the "Smoot-Hawley Tariff Act" from the 1930's. Read more here: http://en.wikipedia.org/wiki/Smoot%E2%80%93Hawley_Tariff_Act	body
TVD_APPROVED	/you.{1,2}re .{0,20}approved/i	The body of the mail contains a phrase similar to "you're approved".	body
TVD_DEAR_HOMEOWNER	Spam with generic salutation of "dear homeowner"	/^dear homeowner/i	body
TVD_ENVFROM_APOST	Envelope From contains single-quote	EnvelopeFrom =~ /\'/	header
TVD_FINGER_02	Content-Type =~ /^text\/plain(?:; (?:format=flowed\| charset="Windows-1252"\| reply-type=original)){3}/i	This rule matches the Content-Type headers of the type "text/plain" that also have all three of the following properties format=flowed charset="Windows-1252" reply-type=original Apparently a known spam signature. Mails matching this rule will also match STOX_REPLY_TYPE.	header
TVD_FLOAT_GENERAL	Message uses CSS float style	/\bstyle\s=\s"[^"]\bfloat\s:\s[a-z]+\s">\s[a-zA-Z]+\s	rawbody
TVD_FUZZY_DEGREE	Obfuscation of the word "degree"	/\b(?!degree)\b/i	body
TVD_FUZZY_FINANCE	Obfuscation of the word "finance"	/(?!finance)/i	body
TVD_FUZZY_FIXED_RATE	Obfuscation of the phrase "fixed rate"	/(?!fixed rate)\s+/i	body
TVD_FUZZY_MICROCAP	Obfuscation of the word "micro-cap"	/(?!microcap)(?!micro-cap)-? /i	body
TVD_FUZZY_PHARMACEUTICAL	Obfuscation of the word "pharmaceutical"	/(?!pharmaceutical) /i	body
TVD_FUZZY_SYMBOL	Obfuscation of the word "symbol"	/(?!symbol)/i	body
TVD_FW_GRAPHIC_NAME_LONG	Long image attachment name	Content-Type =~ /\bname="[a-z]{8,}\.gif/	mimeheader
TVD_FW_GRAPHIC_NAME_MID	Medium sized image attachment name	Content-Type =~ /\bname="[a-z]{6,7}\.gif/	mimeheader
TVD_INCREASE_SIZE	Advertising for penis enlargement	/\bsize of .{1,20}(?:penis\| dick\| manhood)/i	body
TVD_LINK_SAVE	Spam with the text "link to save"	/\blink to save\b/i	body
TVD_PCT_OFF	Subject =~ /(?:Jan\| Feb\| Mar\| Apr\| May\| Jun\| Jul\| Aug\| Sep\| Oct\| Nov\| Dec)\S* \d+% OFF/		header
TVD_PH_BODY_ACCOUNTS_PRE	The body matches phrases such as "accounts suspended", "account credited", "account verification"	/\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*\| suspen[a-z]+\| notif(?:y\| ication)\| updated\| verifications?\| credited)\b/i	body
TVD_PH_REC	Message includes a phrase commonly used in phishing mails		body
TVD_PH_SUBJ_ACCOUNTS_POST	Subject =~ /\b(?:(?:re-?)?activat[a-z]\| secure\| verify\| restore\| flagged\| limited\| unusual\| update\| report\| notif(?:y\| ication)\| suspen(?:d\| ded\| sion)\| co(?:n\| m)firm[a-z]) (?:[a-z_,-]+ )*?accounts?\b/i		header
TVD_PH_SUBJ_SEC_MEASURES	Subject =~ /\bsecurity (?:[a-z_,-]+ )*?measures?\b/i		header
TVD_PH_SUBJ_URGENT	Subject =~ /^urgent(?:[\s\W]*(dollar) \| .{1,40}(?:alert\| response\| assistance\| proposal\| reply\| warning\| noti(?:ce\| fication)\| greeting\| matter))/i		header
TVD_QUAL_MEDS	The body matches phrases such as "quality meds" or "quality medication"	/\bquality med(?:ication)?s\b/i	body
TVD_RATWARE_CB	Content-Type header that is commonly indicative of ratware	Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i	header
TVD_RATWARE_CB_2	Content-Type header that is commonly indicative of ratware	Content-Type =~ /\bboundary\s=\s"?-+\d+=+\.MRA/	header
TVD_RATWARE_MSGID_02	Ratware with a Message-ID header that is entirely lower-case	Message-ID =~ /^[^<]*<[a-z]+\@/	header
TVD_RCVD_IP	Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/	Checks if the most recently addded Recieved: header begins with "from " followed by a hostname that starts with four groups of digits separated by non-alphanumeric characters (e.g. "." or "-"). This is usually an indication that the hostname is derieved from a public or private IPv4 address scheme. Since these types of addresses are commonly distrubuted to end users rather than mail servers they are often seen in spam sent directly from end user hosts. For example: Received: from 212-98-43-121.static.adslpremium.ch ([212.98.43.121]:3607 helo=xtqq.adslpremium.ch) Received: from 68.207.230.213.client.lchost.net ([213.230.207.68] helo=smtp.fifambeie.co.uk) On servers that also act as smarthosts for machines usually matching this pattern, this rule should be switched off. Note: this rule (and TVD_RCVD_IP4) will also match IPv4 addresses not enclosed in square brackets. This is an implementation error in your mail server software, as IP addresses should be enclosed in brackets. See RFC 5321 §4.1.2.	header
TVD_RCVD_IP4	Received =~ /^from\s+(?:\d+\.){3}\d+\s/	Received via an IPv4 relay which appears to neither have a reverse DNS entry, or identify itself with a HELO or EHLO command. This suggests that the message is not coming from a legitimate email sender.	header
TVD_RCVD_SINGLE	Received =~ /^from\s+(?!localhost)[^\s.a-z0-9-]+\s/	Based on my limited knowledge of Perl, it appears from this line "Received =~ /from\s+(?!localhost)[\s.a-z0-9-]+\s/" that the TVD_RCVD_SINGLE header is used when a "Received" line in the SMTP Transmission header contains "localhost" as a server name.	header
TVD_RCVD_SPACE_BRACKET	Received =~ /\(\[(?!UNIX:)[^\[\]]*\s/		header
TVD_SECTION	References to specific legal codes	/\bSection (?:27A\| 21B)/i	body
TVD_SILLY_URI_OBFU	URI obfuscation that can fool a URIBL or a uri rule	m!https?://[a-z0-9-]+\.[a-z0-9-]\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-][a-z]{3}(?:\s\| (dollar) )!i	body
TVD_SPACE_ENCODED	Space ratio & encoded subject	__TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM	meta
TVD_SPACE_RATIO	No description provided		meta
TVD_SPACE_RATIO_MINFP	Space ratio (vertical text obfuscation?)		meta
TVD_SPACED_SUBJECT_WORD3	Entire subject is "UPPERlowerUPPER" with no whitespace	Subject =~ /^(?:(?:Re\| Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+(dollar) /	header
TVD_STOCK1	Spam related to stock trading	eval:check_stock_info('2')	body
TVD_SUBJ_ACC_NUM	Subject has spammy looking monetary reference		header
TVD_SUBJ_FINGER_03	Entire subject is enclosed in asterisks "* like so *"	Subject =~ /^\s\\s+(?:\w+\W+)+\\s(dollar) /	header
TVD_SUBJ_OWE	Subject line states that the recipieint is in debt	Subject =~ /^\s(?:\w+\s+)+you\s+(?:\w+\s+)(?:owe\| indebted)\s+(?:\w+\s+)+an\s*other/i	header
TVD_SUBJ_WIPE_DEBT	Spam advertising a way to eliminate debt	Subject =~ /(?:wipe out\| remove\| get (?:rid\| out) of\| eradicate) .{0,20}(?:owe\| debt\| obligation)/i	header
TVD_VIS_HIDDEN	Invisible textarea HTML tags	/]+style\s=\s"visibility:\s*hidden\b/i	rawbody
TVD_VISIT_PHARMA	Body mentions online pharmacy	/Online Ph.rmacy/i	body
TW_GIBBERISH_MANY	Lots of gibberish text to spoof pattern matching filters	__TENWORD_GIBBERISH > 20	meta
TXREP	Score normalizing based on sender's reputation	eval:check_senders_reputation()	header
UC_GIBBERISH_OBFU	Multiple instances of "word VERYLONGGIBBERISH word"	(__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED	meta
UNCLAIMED_MONEY	People just leave money laying around		body
UNCLOSED_BRACKET	Headers contain an unclosed bracket		header
UNDISC_FREEM	Undisclosed recipients + freemail reply-to	__UNDISC_FREEM	meta
UNDISC_MONEY	Undisclosed recipients + money/fraud signs	__UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH	meta
UNICODE_OBFU_ASC	Obfuscating text with unicode		meta
UNICODE_OBFU_ZW	Obfuscating text with hidden characters		meta
UNPARSEABLE_RELAY	Informational: message has unparseable relay lines	The Received: lines from the email are analyzed to determine the relay path. This rule matches mail that contains one or more Received: lines that cannot be parsed to extract this information. Note that this is an "informational" rule -- in other words, it is not intended to differentiate spam from nonspam, and should not have a significant score.	header
UNRESOLVED_TEMPLATE	Headers contain an unresolved template		header
UNWANTED_LANGUAGE_BODY	Message written in an undesired language	The content of the mail appears to be in a language not permitted by the value of the ok_languages configuration setting. The default value of ok_languages is "all", so this rule will only trigger if the value has been locally specified.	body
UPPERCASE_50_75	message body is 50-75% uppercase	(!__ISO_2022_JP_DELIM && __UPPERCASE_50_75)	meta
UPPERCASE_75_100	message body is 75-100% uppercase	(!__ISO_2022_JP_DELIM && __UPPERCASE_75_100)	meta
URG_BIZ	Contains urgent matter	The body of the mail contains a phrase regarding some urgent matter, such as "urgent reply" or "urgent business proposal".	body
URI_ADOBESPARK	No description provided		meta
URI_AZURE_CLOUDAPP	Link to hosted azure web application, possible phishing	__URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE	meta
URI_DASHGOVEDU	Suspicious domain name	__URI_DASHGOVEDU	meta
URI_DATA	"data:" URI - possible malware or phish	__URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB	meta
URI_DOTEDU	Has .edu URI	__URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK	meta
URI_DOTEDU_ENTITY	Via .edu MTA + suspicious HTML content	__URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO	meta
URI_DOTTY_HEX	Suspicious URI format	__URI_DOTTY_HEX	meta
URI_DQ_UNSUB	IP-address unsubscribe URI	__URI_DQ_UNSUB	meta
URI_FIREBASEAPP	Link to hosted firebase web application, possible phishing	__URI_FIREBASEAPP \|\| __URI_WEBAPP	meta
URI_GOOG_STO_SPAMMY	Link to spammy content hosted by google storage	m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200\|7(?:7(?:7burnf4\|ancemrani\|kneesleeve\|metabolism)\|88medw4\|arshield777\|burn7774\|savingsoff)\|a(?:lliedtrust7\|n(?:c77emen777\|tidcfsdfzef)\|ppempresa\|tividade)\|b(?:7772dcb\|athdfgdfgdfh\|cvncv7845\|d(?:sgbsehtth\|thdethydeth)\|edvgervg\|looodsugarerte\|rtghrh)\|c(?:art\-checkout\|bdkfgdfg\|dfeesde\|jowa)\|d(?:e(?:rma(?:hdth\|thbsdrhg)\|tranmultas)\|giadikir784\|irecting77\|rtrebtgh747\|zdzefef)\|e(?:7co7verage\|liminatorlower\|ntrega)\|f(?:dfdfdzezr78\|habgfdgbfrtg\|i(?:delty(?:gbdtrbr\|tyhjudtyu)\|ghttinnitusnow\|xguca777)\|latbelly\|rgdfgdfh\|s(?:dcfzef\|efzgefz)\|tlkopmdrdfe\|ungusfghgh)\|g(?:fhfjgfhfg\|rfgrgrg\|u(?:mmzdfefzf\|tterprotection7))\|hdfghbrh\|in(?:formedetranmulta\|s7urance7net\|vest777in)\|li(?:berty77arran\|fefiltrevdf)\|m(?:ale77en\|edicar123n\|on(?:5g154g\|tzdzsds))\|p(?:o(?:rtableheater7\|vsedfzef)\|rintsvalentine\|soidngf8147\|ureplant7)\|r(?:enewlaemailved\|iverb1986srt4\|oundupccancer)\|s(?:dfgwsd74fg\|teelprobite77\|ughdetged\|zdzdzdzd)\|t(?:acflashlight72\|heunbreakable\|r(?:abalhos\|ugreen30)\|unnifgdege)\|v(?:frgrerg\|szdefzsfzef)\|w(?:4enmedicra8\|defgzegfze\|e(?:bwhatsfotos\|llgrove90))\|xcbxcbopiaze\|yusdgtduf777))/;i	uri
URI_GOOGLE_PROXY	Accessing a blacklisted URI or obscuring source of phish via Google proxy?	__URI_GOOGLE_PROXY && !__LONGLINE && !__ML1 && !__FSL_RELAY_GOOGLE && !__FROM_LOWER && !__RCD_RDNS_MAIL	meta
URI_HEX	URI hostname has long hexadecimal sequence		uri
URI_HEX_IP	URI with hex-encoded IP-address host	__URI_HEX_IP	meta
URI_HOST_IN_BLACKLIST	DEPRECATED: See URI_HOST_IN_BLOCKLIST		meta
URI_HOST_IN_BLOCKLIST	Host or Domain is listed in the user's URI block-list		body
URI_HOST_IN_WELCOMELIST	Host or Domain is listed in the user's URI welcome-list		body
URI_HOST_IN_WHITELIST	DEPRECATED: See URI_HOST_IN_WELCOMELIST		meta
URI_IMG_WP_REDIR	Image via WordPress "accelerator" proxy	__URI_IMG_WP_REDIR	meta
URI_IN_URI_10	Multiple URIs inside URI		uri
URI_LONG_REPEAT	Very long identical host+domain	__URI_LONG_REPEAT	meta
URI_MALWARE_SCMS	Link to malware exploit download (.SettingContent-ms file)	/\.SettingContent-ms\b/i	uri
URI_NO_WWW_BIZ_CGI	CGI in .biz TLD other than third-level "www"	.biz website having a third level domain (subdomain) different from www.	uri
URI_NO_WWW_INFO_CGI	CGI in .info TLD other than third-level "www"	.info website having a third level domain (subdomain) different from www.	uri
URI_NOVOWEL	URI hostname has long non-vowel sequence		uri
URI_OBFU_DOM	URI pretending to be different domain	__URI_OBFU_DOM && !__VIA_ML	meta
URI_OBFU_WWW	Obfuscated URI		body
URI_ONLY_MSGID_MALF	URI only + malformed message ID	__URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW	meta
URI_OPTOUT_3LD	Opt-out URI, suspicious hostname	m,^https?://(?:quit\|bye\|remove\|exit\|leave\|disallow\|halt\|stop\|end\|herego\|out\|discontinue)\d*\.[^/]+\.(?:com\|net)\b,i	uri
URI_OPTOUT_USME	Opt-out URI, unusual TLD	m,^https?://(?:quit\|bye\|remove\|exit\|leave\|disallow\|halt\|stop\|end\|herego\|out\|discontinue)\d*\.[^/]+\.(?:us\|me\|mobi\|club)\b,i	uri
URI_PHISH	Phishing using web form		meta
URI_PHP_REDIR	PHP redirect to different URL (link obfuscation)	__URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA	meta
URI_TRUNCATED	Message contained a URI which was truncated		body
URI_TRY_3LD	"Try it" URI, suspicious hostname	__URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU	meta
URI_TRY_USME	"Try it" URI, unusual TLD	__URI_TRY_USME && !__DKIM_EXISTS	meta
URI_UNSUBSCRIBE	URI contains suspicious unsubscribe link		uri
URI_WP_DIRINDEX	URI for compromised WordPress site, possible malware	__URI_WPDIRINDEX	meta
URI_WP_HACKED	URI for compromised WordPress site, possible malware		meta
URI_WP_HACKED_2	URI for compromised WordPress site, possible malware		meta
URI_WPADMIN	WordPress login/admin URI, possible phishing		meta
URIBL_AB_SURBL	Contains an URL listed in the AB SURBL blocklist	The mail body contains a URI containing a domain that has matched an entry on the DNSBL AbuseButler URI Blacklist (SURBL). [WWW] AbuseButler is kindly providing its top 400 or so [WWW] Spamvertised Sites which have been most often reported over the past 7 days. The philosophy and data processing methods are similar to the sc.surbl.org data, and the results are similar, but not identical. Data sources for AbuseButler include SpamCop and native AbuseButler reporting. See: [WWW] http://www.surbl.org [WWW] http://www.abusebutler.com	body
URIBL_ABUSE_SURBL	Contains an URL listed in the ABUSE SURBL blocklist		body
URIBL_BLACK	Contains an URL listed in the URIBL blacklist	"black.uribl.com - This lists contains domain names belonging to and used by spammers, including but not restricted to those that appear in URIs found in SPAM. This list has a goal of zero False Positives. This zone rebuilds frequently as new data is added."	body
URIBL_BLOCKED	ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
URIBL_CR_SURBL	Contains an URL listed in the CR SURBL blocklist		body
URIBL_CSS	Contains an URL's NS IP listed in the Spamhaus CSS blocklist		body
URIBL_CSS_A	Contains URL's A record listed in the Spamhaus CSS blocklist		body
URIBL_DBL_ABUSE_BOTCC	Contains an abused botnet C&C URL listed in the Spamhaus DBL blocklist		body
URIBL_DBL_ABUSE_MALW	Contains an abused malware URL listed in the Spamhaus DBL blocklist		body
URIBL_DBL_ABUSE_PHISH	Contains an abused phishing URL listed in the Spamhaus DBL blocklist		body
URIBL_DBL_ABUSE_REDIR	Contains an abused redirector URL listed in the Spamhaus DBL blocklist		body
URIBL_DBL_ABUSE_SPAM	Contains an abused spamvertized URL listed in the Spamhaus DBL blocklist		body
URIBL_DBL_BLOCKED	ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/		body
URIBL_DBL_BLOCKED_OPENDNS	ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/		body
URIBL_DBL_BOTNETCC	Contains a botned C&C URL listed in the Spamhaus DBL blocklist		body
URIBL_DBL_ERROR	Error: queried the Spamhaus DBL blocklist for an IP		body
URIBL_DBL_MALWARE	Contains a malware URL listed in the Spamhaus DBL blocklist		body
URIBL_DBL_PHISH	Contains a Phishing URL listed in the Spamhaus DBL blocklist		body
URIBL_DBL_SPAM	Contains a spam URL listed in the Spamhaus DBL blocklist		body
URIBL_GREY	Contains an URL listed in the URIBL greylist	"grey.uribl.com - This lists contains domains found in UBE/UCE, and probably honour opt-out requests. This list can and probably will cause False Positives depending on your definition of SPAM. This zone rebuilds several times a day as necessary."	body
URIBL_JP_SURBL	Contains an URL listed in the JP SURBL blocklist	The mail body contains a URI containing a domain that has matched an entry on the DNSBL jwSpamSpy + Prolocation data source URI Blacklist (SURBL). Joe Wein's jwSpamSpy program forms the basis of the JP data, being used both by Joe's own systems and also Raymond Dijkxhoorn and his colleagues at Prolocation. Prolocation is processing more than 300,000 likely unsolicited messages per day using jwSpamSpy plus their own policies and adding them to Joe's data. The resulting list has a very good detection rate around 80% and a very low false positive rate around 0.01%. See: [WWW] http://www.surbl.org [WWW] http://www.jwspamspy.net/	body
URIBL_MW_SURBL	Contains a URL listed in the MW SURBL blocklist		body
URIBL_OB_SURBL	Contains an URL listed in the OB SURBL blocklist	The mail body contains a URI containing a domain that has matched an entry on the DNSBL Outblaze URI Blacklist (SURBL). Outblaze describes the data as coming from spam trap message body analysis and from user reports via a "this is spam" button. SURBL applies additional policies to its version of the Outblaze URI data that are published as ob.surbl.org. The user reports are also used, but not directly. See: [WWW] http://www.surbl.org [WWW] http://www.outblaze.com	body
URIBL_PH_SURBL	Contains an URL listed in the PH SURBL blocklist		body
URIBL_RED	Contains an URL listed in the URIBL redlist	"red.uribl.com - This list contains domains that are not listed on black and are either very young (domain age via whois), or use whois privacy features to protect their identity. This list is automated in nature, so please use at your own risk."	body
URIBL_RHS_DOB	Contains an URI of a new domain (Day Old Bread)	The mail contains a URI containing a domain listed in the DNSBL [WWW] dob.sibl.support-intelligence.net - which lists domains registered in the last five days.	body
URIBL_SBL	Contains an URL listed in the SBL blocklist	The mail body contains a URI containing a domain that has matched an entry on the [WWW] Spamhaus Block List (DNSBL). The Spamhaus Block List (SBL) is a realtime database of IP addresses of spam-sources, including known spammers, spam gangs, spam operations and spam support services. SBL listings are made according to policies outlined in [WWW] SBL Policy & Listing Criteria. For the Received header check see RCVD_IN_SBL, and for other Spamhaus.org RBL listings see RCVD_IN_XBL RCVD_IN_PBL.	body
URIBL_SBL_A	Contains URL's A record listed in the Spamhaus SBL blocklist		body
URIBL_SC_SURBL	Contains an URL listed in the SC SURBL blocklist	The mail body contains a URI containing a domain that has matched an entry on the DNSBL SpamCop URI Blacklist (SURBL). sc.surbl.org contains domains and a few web site IP addresses processed from SpamCop URI reports, also known as "spamvertised" sites. The reports are not used directly, but are subject to extensive processing. See: [WWW] http://www.surbl.org [WWW] http://www.spamcop.net For the SpamCop relay block list see Rules/RCVD_IN_BL_SPAMCOP_NET .	body
URIBL_WS_SURBL	Contains an URL listed in the WS SURBL blocklist	The mail body contains a URI containing a domain that has matched an entry on the DNSBL Bill Stearns URI Blacklist (SURBL). ws.surbl.org has records from Bill Stearns' former SpamAssassin ruleset sa-blacklist, plus some other manual lists. [WWW] http://www.surbl.org [WWW] http://www.sa-blacklist.stearns.org/sa-blacklist/	body
URIBL_ZEN_BLOCKED	ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked. See https://www.spamhaus.org/returnc/vol/
URIBL_ZEN_BLOCKED_OPENDNS	ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/		body
US_DOLLARS_3	Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN)	The default value of ok_languages is "all", so this rule will only trigger if the value has been locally specified.	body
USB_DRIVES	Trying to sell custom USB flash drives	__SUBJ_USB_DRIVES	meta
USER_IN_ALL_SPAM_TO	User is listed in 'all_spam_to'		header
USER_IN_BLACKLIST	From: address is in the user's black-list		header
USER_IN_BLACKLIST_TO	User is listed in 'blacklist_to'		header
USER_IN_BLOCKLIST	From: user is listed in the block-list		header
USER_IN_BLOCKLIST_TO	User is listed in 'blocklist_to'		header
USER_IN_DEF_DKIM_WL	From: address is in the default DKIM welcome-list		header
USER_IN_DEF_SPF_WL	From: address is in the default SPF white-list		header
USER_IN_DEF_WELCOMELIST	From: user is listed in the default welcome-list		header
USER_IN_DEF_WHITELIST	From: address is in the default white-list	The From: address was listed in the default whitelist. The whitelist contains a series of addresses and domains that are allowed to relay for that address. From [WWW] 60_whitelist.cf These should be addresses which send mail that is often tagged (incorrectly) as spam; it also helps that they be addresses of big companies with lots of lawyers, so if spammers impersonate them, they'll get into big trouble, so it doesn't provide a shortcut around SpamAssassin.	header
USER_IN_DKIM_WELCOMELIST	From: address is in the user's DKIM welcomelist		header
USER_IN_DKIM_WHITELIST	From: address is in the user's DKIM whitelist		header
USER_IN_MORE_SPAM_TO	User is listed in 'more_spam_to'		header
USER_IN_SPF_WHITELIST	From: address is in the user's SPF whitelist		header
USER_IN_WELCOMELIST	User is listed in 'welcomelist_from'		header
USER_IN_WELCOMELIST_TO	User is listed in 'welcomelist_to'		header
USER_IN_WHITELIST	From: address is in the user's white-list	A user or site administrator has added the sender's address to a list of trusted addresses. Use of this setting is not recommended, since it blindly trusts the message, which is routinely and easily forged by spammers and phish senders. The recommended solution is to instead use whitelist_auth or other authenticated whitelisting methods, or whitelist_from_rcvd.	header
USER_IN_WHITELIST_TO	User is listed in 'whitelist_to'	If the given address appears as a recipient in the message headers (Resent-To, To, Cc, obvious envelope recipient, etc.) the mail will be whitelisted. Useful if you're deploying SpamAssassin system-wide, and don't want some users to have their mail filtered	header
VBOUNCE_MESSAGE	Virus-scanner bounce message	!MY_SERVERS_FOUND && (__VBOUNCE_MSGLABS \|\| __VBOUNCE_EXIM \|\| __VBOUNCE_GUIN \|\| __VBOUNCE_CISCO \|\| __VBOUNCE_SMTP \|\| __VBOUNCE_AOL \|\| __VBOUNCE_DUTCH \|\| __VBOUNCE_MAILMARSHAL \|\| __VBOUNCE_MAILMARSHAL2 \|\| __VBOUNCE_NAVFAIL \|\| __VBOUNCE_REJECTED \|\| __VBOUNCE_NAV \|\| __VBOUNCE_MELDING \|\| __VBOUNCE_VALERT \|\| __VBOUNCE_REJ_FILT \|\| __VBOUNCE_YOUSENT \|\| __VBOUNCE_MAILSWEEP \|\| __VBOUNCE_SCREENSAVER \|\| __VBOUNCE_DISALLOWED \|\| __VBOUNCE_FROMPT \|\| __VBOUNCE_WARNING \|\| __VBOUNCE_DETECTED \|\| __VBOUNCE_AUTOMATIC \|\| __VBOUNCE_INTERSCAN \|\| __VBOUNCE_VIOLATION \|\| __VBOUNCE_ALERT \|\| __VBOUNCE_NAV2 \|\| __VBOUNCE_NAV3 \|\| __VBOUNCE_INTERSCAN2 \|\| __VBOUNCE_INTERSCAN3 \|\| __VBOUNCE_ANTIGEN \|\| __VBOUNCE_LUTHER \|\| __VBOUNCE_AMAVISD \|\| __VBOUNCE_AMAVISD2 \|\| __VBOUNCE_SCANMAIL \|\| __VBOUNCE_DOMINO1 \|\| __VBOUNCE_DOMINO2 \|\| __VBOUNCE_RAV \|\| __VBOUNCE_GSHIELD \|\| __VBOUNCE_ATTACHMENT0 \|\| __VBOUNCE_AVREPORT0 \|\| __VBOUNCE_SENDER \|\| __VBOUNCE_MAILSWEEP2 \|\| __VBOUNCE_MAILSWEEP3 \|\| __VBOUNCE_CLICKBANK \|\| __VBOUNCE_FORBIDDEN \|\| __VBOUNCE_MMS \|\| __VBOUNCE_QUOTED_EXE \|\| __VBOUNCE_MAJORDOMO_HELP \|\| __VBOUNCE_AV_RESULTS \|\| __VBOUNCE_EMVD \|\| __VBOUNCE_UNDELIV \|\| __VBOUNCE_BANNED_MAT \|\| __VBOUNCE_NAV_DETECT \|\| __VBOUNCE_DEL_WARN \|\| __VBOUNCE_MIME_INFO \|\| __VBOUNCE_EMAIL_REJ \|\| __VBOUNCE_CONT_VIOL \|\| __VBOUNCE_SYM_AVF \|\| __VBOUNCE_SYM_EMP \|\| __VBOUNCE_ATT_QUAR \|\| __VBOUNCE_SECURIQ \|\| __VBOUNCE_VIR_FOUND \|\| __VBOUNCE_EMANAGER \|\| __VBOUNCE_JMAIL \|\| __VBOUNCE_GWAVA \|\| __VBOUNCE_PT_BLOCKED \|\| __VBOUNCE_INFLEX)	meta
VFY_ACCT_NORDNS	Verify your account to a poorly-configured MTA - probable phishing	__VFY_ACCT_NORDNS && !__STY_INVIS_MANY	meta
VIA_GAP_GRA	Attempts to disguise the word 'viagra'		body
VPS_NO_NTLD	vps[0-9] domain at a suspiscious TLD	__VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD	meta
WALMART_IMG_NOT_RCVD_WAL	Walmart hosted image but message not from Walmart	__WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS	meta
WEIRD_PORT	Uses non-standard port number for HTTP	The mail contains an HTTP URI that uses an non-standard port (i.e. something other than 80, 8080, or 443). Ports are considered standard if [WWW] registered with IANA: http://www.iana.org/assignments/port-numbers	uri
WEIRD_QUOTING	Weird repeated double-quotation marks	It's looking for \042\223\224\262\263\271 to be repeated twice, followed by a non-space between 0-16 then another pair of \042\223\224\262\263\271	body
WIKI_IMG	Image from wikipedia	m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png\|gif\|jpe?g),i	uri
WITH_LC_SMTP	Received line contains spam-sign (lowercase smtp)		header
WORD_INVIS	A hidden word		meta
WORD_INVIS_MANY	Multiple individual hidden words		meta
X_IP	Message has X-IP header	The message contains an "X-Ip:" header. The rules [WWW] commit log describes it as a "not-quite-perfect-but-still-good header existence test". Presumably it is commonly used in spam for tracking purposes.	header
X_MAILER_CME_6543_MSN	No description provided	X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*(dollar) /	header
X_MESSAGE_INFO	Bulk email fingerprint (X-Message-Info) found		header
X_PRIORITY_CC	Cc: after X-Priority: (bulk email fingerprint)		header
XFER_LOTSA_MONEY	Transfer a lot of money	__XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO	meta
XM_DIGITS_ONLY	X-Mailer malformed	__XM_DIGITS_ONLY	meta
XM_LIGHT_HEAVY	Special edition of a MUA	__XM_LIGHT_HEAVY && !__HAS_X_BEEN_THERE	meta
XM_PHPMAILER_FORGED	Apparently forged header	__XM_PHPMAILER_FORGED	meta
XM_RANDOM	X-Mailer apparently random	__XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY	meta
XM_RECPTID	Has spammy message header	__HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTX	meta
XPRIO	Has X-Priority header		meta
XPRIO_SHORT_SUBJ	Has X Priority header + short subject	__XPRIO && __SUBJ_SHORT	meta
YAHOO_DRS_REDIR	Has Yahoo Redirect URI		uri
YAHOO_RD_REDIR	Has Yahoo Redirect URI		uri
YOU_INHERIT	Discussing your inheritance	__YOU_INHERIT	meta

Login/Sign Up

Search

Menu

SpamAssassin Rules

How to read the SpamAssassin Rules Table

How Reliable is this Data?

SpamAssassin Rule Types ("Area Tested")

Detailed description of SpamAssassin Rules

Found a mistake? Is something missing? Let us know!