PDA

View Full Version : [Solved] rspamd email tags/symbols/scores meaning



Fli
01-05-2024, 06:58 PM
Following block of rspamd tags/symbols for scoring email along with its descriptions was extracted in 2024-01 from https://github.com/rspamd/rspamd/blob/master/rules/regexp/headers.lua and not updated since then.

AOL_SPAM - AOL says this message is spam
APPLE_IOS_MAILER - Sent with Apple iPhone/iPad Mail
APPLE_MAILER - Sent with Apple Mail
CC_EXCESS_BASE64 - Cc header is unnecessarily encoded in base64
CC_EXCESS_BASE64 - Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit
CC_EXCESS_QP - Cc header is unnecessarily encoded in quoted-printable
CC_EXCESS_QP - Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit
CTE_CASE - [78]Bit .vs. [78]bit
CT_EXTRA_SEMI - Content-Type ends with a semi-colon
CT_EXTRA_SEMI - Content-Type header ends with a semi-colon
DATA_URI_OBFU - Uses Data URI encoding to obfuscate plain or HTML in base64
ENVFROM_SERVICE_ACCT - Envelope from is a service account
FAKE_RECEIVED_mail_ru - Fake HELO mail.ru in Received header from non-mail.ru sender address
FAKE_RECEIVED_smtp_yandex_ru - Fake smtp.yandex.ru Received header
FAKE_REPLY_C - Fake reply (has RE in subject, but has not References header)
FAKE_REPLY - Fake reply
FM_FAKE_HELO_VERIZON - Fake helo for verizon provider
FORGED_GENERIC_RECEIVED2 - Forged generic Received header
FORGED_GENERIC_RECEIVED3 - Forged generic Received header
FORGED_GENERIC_RECEIVED4 - Forged generic Received header
FORGED_GENERIC_RECEIVED - Forged generic Received header
FORGED_IMS - Forged X-Mailer: Internet Mail Service
FORGED_MSGID_YAHOO - Forged Yahoo Message-ID header
FORGED_MUA_KMAIL_MSGID - Message pretends to be send from KMail but has forged Message-ID
FORGED_MUA_KMAIL_MSGID_UNKNOWN - Message pretends to be send from KMail but has forged Message-ID
FORGED_MUA_MOZILLA_MAIL_MSGID - Message pretends to be send from Mozilla Mail but has forged Message-ID
FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN - Message pretends to be send from Mozilla Mail but has forged Message-ID
FORGED_MUA_OPERA_MSGID - Message pretends to be send from Opera Mail but has forged Message-ID
FORGED_MUA_OUTLOOK - Forged Outlook MUA
FORGED_MUA_POSTBOX_MSGID - Forged mail pretending to be from Postbox but has forged Message-ID
FORGED_MUA_POSTBOX_MSGID_UNKNOWN - Forged mail pretending to be from Postbox but has forged Message-ID
FORGED_MUA_SEAMONKEY_MSGID - Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID
FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN - Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID
FORGED_MUA_THEBAT_BOUN - Forged The Bat! MUA headers
FORGED_MUA_THEBAT_MSGID - Message pretends to be send from The Bat! but has forged Message-ID
FORGED_MUA_THEBAT_MSGID_UNKNOWN - Message pretends to be send from The Bat! but has forged Message-ID
FORGED_MUA_THUNDERBIRD_MSGID - Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID
FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN - Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID
FORGED_OUTLOOK_HTML - Forged outlook HTML signature
FORGED_OUTLOOK_TAGS - Message pretends to be send from Outlook but has 'strange' tags
FORGED_X_MAILER - Forged X-Mailer header
FROM_EXCESS_BASE64 - From header is unnecessarily encoded in base64
FROM_EXCESS_BASE64 - From that contains encoded characters while base 64 is not needed as all symbols are 7bit
FROM_EXCESS_QP - From header is unnecessarily encoded in quoted-printable
FROM_EXCESS_QP - From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit
FROM_NEEDS_ENCODING - From header needs encoding
GOOGLE_FORWARDING_MID_BROKEN - Message had invalid Message-ID pre-forwarding
GOOGLE_FORWARDING_MID_MISSING - Message was missing Message-ID pre-forwarding
HAS_DATA_URI - Has Data URI encoding
HAS_GOOGLE_FIREBASE_URL - Contains firebasestorage.googleapis.com URL
HAS_GOOGLE_REDIR - Has google.com/url or alike Google redirection URL
HAS_GUC_PROXY_URI - Has googleusercontent.com proxy URL
HAS_INTERSPIRE_SIG - Has Interspire fingerprint
HAS_LIST_UNSUB - Has List-Unsubscribe header
HAS_ORG_HEADER - Has Organization header
HAS_PHPMAILER_SIG - PHPMailer signature
HAS_WP_URI - Contains WordPress URIs
HAS_X_ANTIABUSE - Has X-AntiAbuse headers
HAS_XAW - Has X-Authentication-Warning header
HAS_XOIP - Has X-Originating-IP header
HAS_X_PHP_SCRIPT - Has X-PHP-Script header
HAS_X_POS - Has X-PHP-Originating-Script header
HAS_X_SOURCE - Has X-Source headers
HEADER_CC_DELIMITER_TAB - Header To begins with tab
HEADER_CC_EMPTY_DELIMITER - Cc header has no delimiter between header name and header value
HEADER_CC_EMPTY_DELIMITER - Header Cc has no delimiter between header name and header value
HEADER_DATE_DELIMITER_TAB - Header Date begins with tab
HEADER_DATE_EMPTY_DELIMITER - Date header has no delimiter between header name and header value
HEADER_DATE_EMPTY_DELIMITER - Header Date has no delimiter between header name and header value
HEADER_FROM_DELIMITER_TAB - Header From begins with tab
HEADER_FROM_EMPTY_DELIMITER - From header has no delimiter between header name and header value
HEADER_FROM_EMPTY_DELIMITER - Header From has no delimiter between header name and header value
HEADER_REPLYTO_DELIMITER_TAB - Header Reply-To begins with tab
HEADER_REPLYTO_EMPTY_DELIMITER - Header Reply-To has no delimiter between header name and header value
HEADER_REPLYTO_EMPTY_DELIMITER - Reply-To header has no delimiter between header name and header value
HEADER_TO_DELIMITER_TAB - Header To begins with tab
HEADER_TO_EMPTY_DELIMITER - Header To has no delimiter between header name and header value
HEADER_TO_EMPTY_DELIMITER - To header has no delimiter between header name and header value
HIDDEN_SOURCE_OBJ - UNIX hidden file/directory in path
HTML_META_REFRESH_URL - Has HTML Meta refresh URL
INTRODUCTION - Sender introduces themselves
INVALID_MSGID - Message-ID header is incorrect
INVALID_MSGID - Message id is incorrect
INVALID_POSTFIX_RECEIVED - Invalid Postfix Received
INVALID_POSTFIX_RECEIVED - Invalid Postfix Received header
MAILER_1C_8 - Sent with 1C:Enterprise 8
MAIL_RU_MAILER - Sent with Mail.Ru web-mail
MAIL_RU_MAILER - Sent with Mail.Ru webmail
MICROSOFT_SPAM - Microsoft says the message is spam
MID_RHS_WWW - Message-ID from www host
MIME_HEADER_CTYPE_ONLY - Only Content-Type header without other MIME headers
MIME_HTML_ONLY - Messages that have only HTML part
MISSING_MID - Message-ID header is missing
MISSING_MID - Message id is missing
MISSING_MIMEOLE - Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)
MISSING_SUBJECT - Subject header is missing', description = 'Subject header is empty
MISSING_TO - To header is missing
MISSING_XM_UA - Message has neither X-Mailer nor User-Agent header
OLD_X_MAILER - X-Mailer header has a very old MUA version
PHP_SCRIPT_ROOT - PHP Script executed by root UID
PHP_XPS_PATTERN - Message contains X-PHP-Script pattern
PRECEDENCE_BULK - Message marked as bulk
RATWARE_MS_HASH - Forged Exchange messages
RCVD_DOUBLE_IP_SPAM - Has two Received headers containing bare IP addresses
RCVD_DOUBLE_IP_SPAM - Two received headers with ip addresses
RCVD_ILLEGAL_CHARS - Header Received has raw illegal character
RCVD_ILLEGAL_CHARS - Received header has raw illegal character
REPLYTO_EXCESS_BASE64 - Reply-To header is unnecessarily encoded in base64
REPLYTO_EXCESS_BASE64 - Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit
REPLYTO_EXCESS_QP - Reply-To header is unnecessarily encoded in quoted-printable
REPLYTO_EXCESS_QP - Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit
REPTO_QUOTE_YAHOO - Quoted reply-to from yahoo (seems to be forged)
REPTO_QUOTE_YAHOO - Quoted Reply-To header from Yahoo (seems to be forged)
R_MISSING_CHARSET - Charset header is missing
R_MISSING_CHARSET - Charset is missing in a message
R_NO_SPACE_IN_FROM - No space in from header
R_RCVD_SPAMBOTS - Spambots signatures in received headers
R_SAJDING - Subject seems to be spam
R_UNDISC_RCPT - Recipients are absent or undisclosed
SORTED_RECIPS - Recipients list seems to be sorted
SPAM_FLAG - Message was already marked as spam
STOX_REPLY_TYPE - Reply-type in content-type
STOX_REPLY_TYPE - Reply-type in Content-Type header
STRONGMAIL - Sent via rogue "strongmail" MTA
SUBJECT_ENDS_EXCLAIM - Subject ends with an exclaimation
SUBJECT_ENDS_EXCLAIM - Subject ends with an exclamation mark
SUBJECT_ENDS_QUESTION - Subject ends with a question
SUBJECT_ENDS_QUESTION - Subject ends with a question mark
SUBJECT_ENDS_SPACES - Subject ends with space characters
SUBJECT_HAS_CURRENCY - Subject contains currency
SUBJECT_HAS_EXCLAIM - Subject contains an exclaimation
SUBJECT_HAS_EXCLAIM - Subject contains an exclamation mark
SUBJECT_HAS_QUESTION - Subject contains a question
SUBJECT_HAS_QUESTION - Subject contains a question mark
SUBJECT_NEEDS_ENCODING - Subject needs encoding
SUBJ_EXCESS_BASE64 - Subject header is unnecessarily encoded in base64
SUBJ_EXCESS_BASE64 - Subject is unnecessarily encoded in base64
SUBJ_EXCESS_QP - Subect is unnecessarily encoded in quoted-printable
SUBJ_EXCESS_QP - Subject header is unnecessarily encoded in quoted-printable
SUSPICIOUS_BOUNDARY2 - Suspicious boundary in Content-Type header
SUSPICIOUS_BOUNDARY2 - Suspicious boundary in header Content-Type
SUSPICIOUS_BOUNDARY3 - Suspicious boundary in Content-Type header
SUSPICIOUS_BOUNDARY3 - Suspicious boundary in header Content-Type
SUSPICIOUS_BOUNDARY4 - Suspicious boundary in Content-Type header
SUSPICIOUS_BOUNDARY4 - Suspicious boundary in header Content-Type
SUSPICIOUS_BOUNDARY - Suspicious boundary in Content-Type header
SUSPICIOUS_BOUNDARY - Suspicious boundary in header Content-Type
SUSPICIOUS_OPERA_10W_MSGID - Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail
SUSPICIOUS_RECIPS - Recipients seems to be autogenerated (works if recipients count is more than 5)
TO_EXCESS_BASE64 - To header is unnecessarily encoded in base64
TO_EXCESS_BASE64 - To that contains encoded characters while base 64 is not needed as all symbols are 7bit
TO_EXCESS_QP - To header is unnecessarily encoded in quoted-printable
TO_EXCESS_QP - To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit
TO_NEEDS_ENCODING - To header needs encoding
TO_WRAPPED_IN_SPACES - To address is wrapped in spaces inside angle brackets (e.g. display-name < local-part@domain >)
TRACKER_ID - Spam string at the end of message to make statistics fault
URI_HIDDEN_PATH - URL contains a UNIX hidden file/directory
WP_COMPROMISED - URL that is pointing to a compromised WordPress installation
WWW_DOT_DOMAIN - From/Sender/Reply-To or Envelope is @www.domain.com
XAW_SERVICE_ACCT - Message originally from a service account
XM_UA_NO_VERSION - X-Mailer/User-Agent header has no version number
X_PHP_EVAL - Message sent using eval'd PHP
X_PHP_FORGED_0X - X-PHP-Originating-Script header appears forged
X_PHPOS_FAKE - Fake X-PHP-Originating-Script header
YANDEX_RU_MAILER - Sent with yandex.ru web-mail
YANDEX_RU_MAILER - Sent with Yandex webmail






Following block of supposedly SA (SpamAssasin) rules has been extracted from https://www.uibk.ac.at/zid/systeme/mail/mailrelay/sarules.html and the descriptions has been machine translated using https://www.deepl.com/translator (may be inaccurate):
ACCESSDB - Message would have been recognized by access.db
ACT_NOW_CAPS - Respond now (in capital letters)
ADDRESS_IN_SUBJECT - Recipient address is also in the subject line
ADDR_FREE - Sender line contains "Free"
ADDR_NUMS_AT_BIGSITE - Address contains many digits in the user name (known provider)
ADVANCE_FEE_1 - Appears to be advance fee fraud (Nigerian 419)
ADVANCE_FEE_2 - Appears to be advance fee fraud (Nigerian 419)
ADVANCE_FEE_3 - Appears to be advance fee fraud (Nigerian 419)
ADVANCE_FEE_4 - Appears to be advance fee fraud (Nigerian 419)
ALL_NATURAL - All 100% natural
ALL_TRUSTED - Message was only forwarded via trusted computers
AMATEUR_PORN - Possibly porn advertising: Amateur porn
AMAZING_STUFF - Amazing things
AS_SEEN_ON - From the TV commercial
AV_WARN1 - Warning by Virus-Scanner forwarding message
AV_WARN2 - Warning by virus scanner
BAD_CREDIT - Mentions bad loans or creditworthiness
BAD_ENC_HEADER - Message has bad MIME encoding in the header
BANG_EXERCISE - Mentions fitness exercises, with exclamation mark
BANG_GUAR - A guarantee with exclamation mark
BANG_MORE - Always "more", with exclamation mark
BANG_OPRAH - Mentions Oprah (Winfrey), with exclamation mark
BARGAIN_URL - Hyperlink suspected of being spam
BAYES_00 - Spam probability according to Bayes test: 0-1%
BAYES_05 - Spam probability according to Bayes test: 1-5%
BAYES_20 - Spam probability according to Bayes test: 5-20%
BAYES_40 - Spam probability according to Bayes test: 20-40%
BAYES_50 - Spam probability according to Bayes test: 40-60%
BAYES_60 - Spam probability according to Bayes test: 60-80%
BAYES_80 - Spam probability according to Bayes test: 80-95%
BAYES_95 - Spam probability according to Bayes test: 95-99%
BAYES_99 - Probability of spam according to Bayes test: 99-100%
BEST_PORN - Possibly porn advertising: Best and largest collection
BE_BOSS - Become your own boss
BILLION_DOLLARS - Mentions very large amounts of money
BILL_1618 - Claims to comply with US Bill 1618
BIZ_TLD - Hyperlink with ".biz" domain
BLANK_LINES_70_80 - News text consists of 70-80% blank lines
BLANK_LINES_80_90 - News text consists of 80-90% blank lines
BLANK_LINES_90_100 - Message text consists of 90-100% blank lines
BODY_8BITS - Message text contains a sequence of 8 or more 8-bit characters
BODY_ENHANCEMENT - Information on penis/breast enlargement
BODY_ENHANCEMENT2 - Penis/Breast Enlargement Information
BOD_DOCT_LIST - Doctors list in the US
CHARSET_FARAWAY - Character set indicates foreign language
CHARSET_FARAWAY_HEADER - Foreign language character set used in headers
CHELLO_VIRUS - modified by chello Virus detection
CHINA_HEADER - Headers contain reference to "china.com"
CLICK_BELOW_CAPS - Request to click the mouse in capital letters
CLICK_TO_REMOVE_1 - "Removal from the address list just a mouse click away"
COMPETE - Suppliers are fighting for you as a customer
CONFIDENTIAL_ORDER - All orders are treated confidentially
CONFIRMED_FORGED - Fake "Received" headers
CONSOLIDATE_DEBT - Merge debts/credits/bills
CUM_SHOT - Possibly porn advertising: "cum shot"
DATE_IN_FUTURE_03_06 - Sending time 3 to 6 hours after date in "Received" headers
DATE_IN_FUTURE_06_12 - Sending time 6 to 12 hours after date in "Received" headers
DATE_IN_FUTURE_12_24 - Send time 12 to 24 hours after date in "Received" headers
DATE_IN_FUTURE_24_48 - Sending time 24 to 48 hours after date in "Received" headers
DATE_IN_FUTURE_48_96 - Sending time 48 to 96 hours after date in "Received" headers
DATE_IN_FUTURE_96_XX - Sending time more than 96 hours after date in "Received" headers
DATE_IN_PAST_03_06 - Sending time 3 to 6 hours before date in "Received" headers
DATE_IN_PAST_06_12 - Sending time 6 to 12 hours before date in "Received" headers
DATE_IN_PAST_12_24 - Sending time 12 to 24 hours before date in "Received" headers
DATE_IN_PAST_24_48 - Sending time 24 to 48 hours before date in "Received" headers
DATE_IN_PAST_48_96 - Sending time 48 to 96 hours before date in "Received" headers
DATE_IN_PAST_96_XX - Sending time more than 96 hours before date in "Received" headers
DATE_SPAMWARE_Y2K - Date header has unusual format
DAV_NON_HOTMAIL - Message sent using DAV, but not via Hotmail
DCC_CHECK - Listed in the DCC system (http://rhyolite.com/anti-spam/dcc/)
DEAR_FRIEND - Anonymous salutation ("dear friend")
DEAR_SOMETHING - Anonymous salutation ("dear ...")
DEEP_DISC_MEDS - Drug at discount prices
DIET_1 - Reduce your weight
DIET_2 - Lose weight
DIET_3 - Get rid of fat
DIGEST_MULTIPLE - Several internet tests (Razor, DCC, Pyzor, etc.) apply
DIPLOMAS - body contains Degree followed by Dollars
DIPLOMAS1 - Subject contains Degree or Diploma
DISGUISE_PORN - Disguised words indicate pornography
DISGUISE_PORN_MUNDANE - Attempts to disguise mundane words used in porn
DKIM_POLICY_SIGNALL - Domain Keys Identified Mail: policy says domain signs all mails
DKIM_POLICY_SIGNSOME - Domain Keys Identified Mail: policy says domain signs some mails
DKIM_POLICY_TESTING - Domain Keys Identified Mail: policy says domain is testing DK
DKIM_SIGNED - Domain Keys Identified Mail: message has a signature
DKIM_VERIFIED - Domain Keys Identified Mail: signature passes verification
DK_POLICY_SIGNALL - Domain Keys: policy says domain signs all mails
DK_POLICY_SIGNSOME - Domain Keys: policy says domain signs some mails
DK_POLICY_TESTING - Domain Keys: policy says domain is testing DK
DK_SIGNED - Domain Keys: message has an unverified signature
DK_VERIFIED - Domain Keys: signature passes verification
DNS_FROM_AHBL_RHSBL - Sender address in list from dnsbl.ahbl.org
DNS_FROM_RFC_ABUSE - Sender in abuse list of www.rfc-ignorant.org (http://www.rfc-ignorant.org)
DNS_FROM_RFC_BOGUSMX - Sender in bogusmx list from www.rfc-ignorant.org (http://www.rfc-ignorant.org)
DNS_FROM_RFC_DSN - Sender in dsn list from www.rfc-ignorant.org (http://www.rfc-ignorant.org)
DNS_FROM_RFC_POST - Sender in postmaster list of www.rfc-ignorant.org (http://www.rfc-ignorant.org)
DNS_FROM_RFC_WHOIS - Sender in whois-list of www.rfc-ignorant.org (http://www.rfc-ignorant.org)
DNS_FROM_SECURITYSAGE - Envelope sender in blackholes.securitysage.com
DOMAIN_4U2 - English onomatopoeia ("4u") in domain name
DOMAIN_RATIO - Message text mentions many internet domains
DRUGS_ANXIETY - Mentions medication for anxiety neurosis
DRUGS_ANXIETY_EREC - Mentions medication for erectile dysfunction and anxiety neurosis
DRUGS_ANXIETY_OBFU - Mentions (disguised) medication for anxiety neuroses
DRUGS_DIET - Mentions Diet medication
DRUGS_DIET_OBFU - Mentions (disguised) diet medication
DRUGS_ERECTILE - Mentions a medication for erectile dysfunction
DRUGS_ERECTILE_OBFU - Mentions (disguised) medication for erectile dysfunction
DRUGS_MANYKINDS - Mentions at least four types of medication
DRUGS_MUSCLE - Mentions muscle relaxants
DRUGS_PAIN - Mentions pain medication
DRUGS_PAIN_OBFU - Mentions (disguised) painkiller
DRUGS_SLEEP - Mentions sleeping pills
DRUGS_SLEEP_EREC - Mentions medication for erectile dysfunction and sleeping pills
DRUGS_SMEAR1 - Two or more drugs in one word
DRUG_DOSAGE - Mentions the price of a dose
DRUG_ED_CAPS - Mentions medication for erectile dysfunction
DRUG_ED_COMBO - Viagra and other drugs
DRUG_ED_GENERIC - Viagra as a cheap copycat drug
DRUG_ED_ONLINE - Fast delivery of Viagra
DRUG_ED_SILD - Chemical name of a drug for erectile dysfunction
EARN_PER_WEEK - High weekly earnings
EMAIL_ROT13 - Possibly ROT13-coded e-mail address in the text
EMPTY_MESSAGE - Message appears to have no textual parts and no Subject: text
EM_ROLEX - Message puts emphasis on the watch manufacturer
ENGLISH_UCE_SUBJECT - Subject contains English advertising labeling
ENTITY_DEC_ALPHANUM - HTML contains unnecessarily encoded characters
ENV_AND_HDR_DKIM_MATCH - Env and Hdr From used in default DKIM WL Match
ENV_AND_HDR_DK_MATCH - Env and Hdr From used in default DK WL Match
ENV_AND_HDR_SPF_MATCH - Env and Hdr From used in default SPF WL Match
EXCUSE_10 - What to do if you no longer want to receive this...
EXCUSE_12 - Perhaps this e-mail is a mistake...
EXCUSE_23 - You have supposedly given yourself permission
EXCUSE_24 - Supposedly you want to receive this advertising
EXCUSE_4 - Claims that you can have yourself removed from the address list
EXCUSE_6 - Claims that you can have yourself removed from the address list
EXCUSE_REMOVE - Describes how to get rid of these messages
EXTRA_CASH - Extra money
EXTRA_MPART_TYPE - Unnecessary parameters in "Content-Type" header ("...type=")
FAKED_UNDISC_RECIPS - "To: Undisclosed-Recipients" is fake
FAKE_HELO_EMAIL_COM - HELO computer name does not belong to email.com
FAKE_HELO_EUDORAMAIL - HELO computer name does not belong to eudoramail.com
FAKE_HELO_EXCITE - HELO computer name does not belong to emocionar.com
FAKE_HELO_LYCOS - HELO-ComputerName does not belong to lycos.com
FAKE_HELO_MAIL_COM - HELO computer name does not belong to mail.com
FAKE_HELO_MAIL_COM_DOM - HELO computer name suspicious (mail.com)
FAKE_HELO_MSN - HELO computer name does not belong to msn.com
FAKE_HELO_YAHOO_CA - HELO computer name does not belong to yahoo.ca
FAKE_OUTBLAZE_RCVD - "mr.outblaze.com" in "Received" header is fake
FIN_FREE - Financial independence
FORGED_AOL_RCVD - Fake "Received" header (fake mail machines from AOL)
FORGED_AOL_TAGS - AOL email program does not use this type of HTML
FORGED_EUDORAMAIL_RCVD - Fake "Received" header found from eudoramail.com
FORGED_GW05_RCVD - Fake "Received" header found ("by gw05")
FORGED_HOTMAIL_RCVD - Fake "Received" header found from Hotmail
FORGED_HOTMAIL_RCVD2 - Sending address from hotmail.com, but no matching "Received" line
FORGED_IMS_HTML - Exchange does not send pure HTML messages
FORGED_IMS_TAGS - Exchange does not use this type of HTML
FORGED_JUNO_RCVD - Sender juno.com does not match "Received" headers
FORGED_MSGID_AOL - Message-ID is forged, (aol.com)
FORGED_MSGID_EXCITE - Message-ID is forged, (excite.com)
FORGED_MSGID_HOTMAIL - Message-ID is forged, (hotmail.com)
FORGED_MSGID_MSN - Message-ID is forged, (msn.com)
FORGED_MSGID_YAHOO - Message-ID is forged, (yahoo.com)
FORGED_MUA_AOL_FROM - E-mail spoofs e-mail software from AOL
FORGED_MUA_EUDORA - Email spoofs Eudora email software
FORGED_MUA_IMS - Email spoofs Exchange email software
FORGED_MUA_MOZILLA - Fake e-mail pretends to come from Mozilla mail program
FORGED_MUA_OIMO - Email pretends to be Outlook email software
FORGED_MUA_OUTLOOK - Email spoofs Outlook email software
FORGED_MUA_THEBAT_BOUN - Email spoofs email software The Bat!
FORGED_MUA_THEBAT_CS - Email pretends to be The Bat! email software
FORGED_OUTLOOK_HTML - Outlook does not send pure HTML messages
FORGED_OUTLOOK_TAGS - Outlook does not use this HTML marker
FORGED_QUALCOMM_TAGS - Qualcomm email program does not use this type of HTML
FORGED_RCVD_HELO - "Received" headers contain fake HELO identification
FORGED_TELESP_RCVD - Fake computer names of a Brazilian DSL provider
FORGED_THEBAT_HTML - The Bat! v1 does not send pure HTML messages
FORGED_UIBK - contains forged uibk Received header
FORGED_YAHOO_RCVD - Fake "Received" header from yahoo.com found
FORWARD_LOOKING - Contains wording from stock prospectuses
FORW_LOOK - body with forward looking statements
FRAGMENTED_MESSAGE - Partial message
FREE_ACCESS - Contains "free access" with capital letters
FREE_PORN - Possibly porn advertising: Free porn
FREE_PREVIEW - Free sample
FREE_QUOTE_INSTANT - Free a quick price offer, without obligation
FREE_SAMPLE - Contains "free sample" with capital letters
FRELAY_DYN_RDNS6 - last relay seems to be a dynamic ip
FRELAY_DYN_RDNSB - One of the bad relays
FRELAY_DYN_RDNSG - One of the good relays
FRELAY_DYN_RDNSM - last relay seems to be a mail server or relays
FRELAY_DYN_RDNSN - last relay in .net domain
FRELAY_DYN_RDNSX - last relay seems to be a dynamic ip
FRELAY_DYN_RDNSZ - Correct multiple FRELAY-Entries
FRELAY_NO_RDNS - last relay has no reverse dns
FRELAY_WANADOO_FR - last relay is from abo.wanadoo.fr
FRELAY_WANADOO_NL - last relay is from .cable.wanadoo.nl
FRELAY_YAHOO - last relay is yahoo mail relays
FROM_ALL_NUMS - address contains only digits in user name
FROM_AND_TO_SAME - Sender and recipient lines almost identical
FROM_BLANK_NAME - From: contains empty name
FROM_DOMAIN_NOVOWEL - From: domain has series of non-vowel letters
FROM_ENDS_IN_NUMS - Sender address ends with digits in username
FROM_EXCESS_BASE64 - From: base64 encoded unnecessarily
FROM_EXCESS_QP - From: quoted-printable encoded unnecessarily
FROM_HAS_MIXED_NUMS - Sender address contains mixture of digits/letters
FROM_HAS_ULINE_NUMS - Sender's username contains underscore and digits/letters
FROM_ILLEGAL_CHARS - Sender address contains too many invalid characters
FROM_LOCAL_DIGITS - From: localpart has long digit sequence
FROM_LOCAL_HEX - From: localpart has long hexadecimal sequence
FROM_LOCAL_NOVOWEL - From: localpart has series of non-vowel letters
FROM_NONSENDING_DOMAIN - Message from domain that never sends e-mail
FROM_NO_LOWER - Sender line does not contain lower case letters
FROM_NO_USER - Address part before the @ sign is missing from the sender
FROM_OFFERS - Sender address contains "@...offers"
FROM_STARTS_WITH_NUMS - Sender address begins with digits in the user name
FRONTPAGE - Message was generated by the Frontpage program
FULL_REFUND - Offers a full refund
FUZZY_AFFORDABLE - Attempt to obfuscate words in spam
FUZZY_AMBIEN - Attempt to obfuscate words in spam
FUZZY_BILLION - Attempt to obfuscate words in spam
FUZZY_CELEBREX - Attempt to obfuscate words in spam
FUZZY_CPILL - Attempt to obfuscate words in spam
FUZZY_CREDIT - Attempt to obfuscate words in spam
FUZZY_ERECT - Attempt to obfuscate words in spam
FUZZY_FOLLOW - Attempt to obfuscate words in spam
FUZZY_GUARANTEE - Attempt to obfuscate words in spam
FUZZY_MEDICATION - Attempt to obfuscate words in spam
FUZZY_MILF - Attempt to obfuscate words in spam
FUZZY_MILLION - Attempt to obfuscate words in spam
FUZZY_MONEY - Attempt to obfuscate words in spam
FUZZY_MORTGAGE - Attempt to obfuscate words in spam
FUZZY_OBLIGATION - Attempt to obfuscate words in spam
FUZZY_OFFERS - Attempt to obfuscate words in spam
FUZZY_PHARMACY - Attempt to obfuscate words in spam
FUZZY_PHENT - Attempt to obfuscate words in spam
FUZZY_PLEASE - Attempt to obfuscate words in spam
FUZZY_PRESCRIPT - Attempt to obfuscate words in spam
FUZZY_PRICES - Attempt to obfuscate words in spam
FUZZY_REFINANCE - Attempt to obfuscate words in spam
FUZZY_REMOVE - Attempt to obfuscate words in spam
FUZZY_ROLEX - Attempt to obfuscate words in spam
FUZZY_SOFTWARE - Attempt to obfuscate words in spam
FUZZY_THOUSANDS - Attempt to obfuscate words in spam
FUZZY_TRAMADOL - Attempt to obfuscate words in spam
FUZZY_VICODIN - Attempt to obfuscate words in spam
FUZZY_VIOXX - Attempt to obfuscate words in spam
FUZZY_VLIUM - Attempt to obfuscate words in spam
FUZZY_VPILL - Attempt to obfuscate words in spam
FUZZY_XPILL - Attempt to obfuscate words in spam
GAPPY_SUBJECT - Subject contains text with "L.ü.c.k.e.n"
GET_PAID - Get paid
GTUBE - Test to check anti-spam software
GUARANTEED_100_PERCENT - 100% guaranteed...
GUARANTEED_STUFF - Guaranteed income
HABEAS_ACCREDITED_COI - Habeas Accredited Confirmed Opt-In or Better
HABEAS_ACCREDITED_SOI - Habeas Accredited Opt-In or Better
HABEAS_CHECKED - Habeas Checked
HAIR_LOSS - Hair loss remedy
HARDCORE_PORN - Possibly porn advertising: "hard core"
HASHCASH_20 - Contains correct hashcash identification (20 bits)
HASHCASH_21 - Contains correct hashcash identification (21 bits)
HASHCASH_22 - Contains correct hashcash code (22 bits)
HASHCASH_23 - Contains correct hashcash identifier (23 bits)
HASHCASH_24 - Contains correct hashcash identifier (24 bits)
HASHCASH_25 - Contains correct hashcash marking (25 bits)
HASHCASH_2SPEND - Hashcash marker already used in another message
HASHCASH_HIGH - Contains correct hashcash mark (> 25 bits)
HDR_ORDER_MTSRIX - Sequence of headers indicates spam (MTSRIX)
HDR_ORDER_TRIMRS - Sequence of headers indicates spam (TRIMRS)
HEADER_COUNT_CTYPE - Header "Content-Type" present multiple times
HEADER_SPAM - Bulk email fingerprint (header-based) found
HEAD_ILLEGAL_CHARS - Headers contain too many invalid characters
HEAD_LONG - Message headers are very long
HELO_DYNAMIC_ADELPHIA - HELO computer name suspicious (Adelphia)
HELO_DYNAMIC_ATTBI - HELO computer name suspicious (ATTBI.com)
HELO_DYNAMIC_CHELLO_NL - HELO computer name suspicious (Chello.nl)
HELO_DYNAMIC_CHELLO_NO - HELO computer name suspicious (Chello.no)
HELO_DYNAMIC_COMCAST - HELO computer name suspicious (Comcast)
HELO_DYNAMIC_DHCP - HELO computer name suspicious (DHCP)
HELO_DYNAMIC_DIALIN - HELO computer name suspicious (T-Dialin)
HELO_DYNAMIC_HCC - HELO computer name suspicious (HCC)
HELO_DYNAMIC_HEXIP - HELO computer name suspicious (Hexadecimal IP address)
HELO_DYNAMIC_HOME_NL - HELO computer name suspicious (Home.nl)
HELO_DYNAMIC_IPADDR - HELO computer name suspicious (IP address 1)
HELO_DYNAMIC_IPADDR2 - HELO computer name suspicious (IP address 2)
HELO_DYNAMIC_NTL - HELO computer name suspicious (NTL)
HELO_DYNAMIC_OOL - HELO computer name suspicious (OptOnline)
HELO_DYNAMIC_ROGERS - HELO computer name suspicious (Rogers)
HELO_DYNAMIC_RR2 - HELO computer name suspicious (RR 2)
HELO_DYNAMIC_SPLIT_IP - HELO computer name suspicious (disconnected IP address)
HELO_DYNAMIC_TELIA - HELO computer name suspicious (Telia)
HELO_DYNAMIC_VELOX - HELO computer name suspicious (Veloxzone)
HELO_DYNAMIC_VTR - HELO computer name suspicious (VTR)
HELO_DYNAMIC_YAHOOBB - HELO computer name suspicious (YahooBB)
HG_HORMONE - Mentions human growth hormones
HIDDEN_CHARGES - Mentions hidden costs
HIDE_WIN_STATUS - JavaScript instructions hide hyperlinks
HIGH_CODEPAGE_URI -
HOT_NASTY - Possibly porn advertising: hot, naughty, wild and young
HTML_00_10 - Message consists of 0-10% HTML
HTML_10_20 - Message consists of 10-20% HTML
HTML_20_30 - Message consists of 20-30% HTML
HTML_30_40 - Message consists of 30-40% HTML
HTML_40_50 - Message consists of 40-50% HTML
HTML_50_60 - Message consists of 50-60% HTML
HTML_60_70 - Message consists of 60-70% HTML
HTML_70_80 - Message consists of 70-80% HTML
HTML_80_90 - Message consists of 80-90% HTML
HTML_90_100 - Message consists of 90-100% HTML
HTML_ATTR_BAD - HTML markers with many invalid attributes
HTML_ATTR_UNIQUE - HTML markers with random attributes
HTML_BACKHAIR_2 - HTML markers should camouflage words
HTML_BACKHAIR_4 - HTML markers should camouflage words
HTML_BACKHAIR_8 - HTML markers should disguise words
HTML_BADTAG_00_10 - Message contains 0-10% incorrect HTML syntax
HTML_BADTAG_10_20 - Message contains 10-20% incorrect HTML syntax
HTML_BADTAG_20_30 - Message contains 20-30% incorrect HTML syntax
HTML_BADTAG_30_40 - Message contains 30-40% incorrect HTML syntax
HTML_BADTAG_40_50 - Message contains 40-50% incorrect HTML syntax
HTML_BADTAG_50_60 - Message contains 50-60% incorrect HTML syntax
HTML_BADTAG_60_70 - Message contains 60-70% incorrect HTML syntax
HTML_BADTAG_70_80 - Message contains 70-80% incorrect HTML syntax
HTML_BADTAG_80_90 - Message contains 80-90% incorrect HTML syntax
HTML_BADTAG_90_100 - Message contains 90-100% incorrect HTML syntax
HTML_CHARSET_FARAWAY - Foreign language character set used for HTML
HTML_COMMENT_SAVED_URL - Message is a saved web page
HTML_COMMENT_SHORT - HTML comment is very short
HTML_EHTML2 - HTML has doubled end HTML tag
HTML_EMBEDS - HTML message with embedded WWW plugin
HTML_EVENT_UNSAFE - HTML with unsafe, automatically executed program statements
HTML_EXTRA_CLOSE - HTML contains far too many close tags
HTML_FONT_BIG - HTML tag for large font
HTML_FONT_FACE_BAD - HTML font specified incorrectly
HTML_FONT_FACE_CAPS - Name of HTML font with additional capital letters
HTML_FONT_INVISIBLE - Same HTML font color as the background
HTML_FONT_LOW_CONTRAST - HTML font color similar to background color
HTML_FONT_SIZE_HUGE - HTML font size is huge
HTML_FONT_SIZE_LARGE - HTML font size is very large
HTML_FONT_SIZE_NONE - HTML font size is negative
HTML_FONT_SIZE_TINY - HTML font size is tiny
HTML_FONT_TINY - HTML marker for tiny font size
HTML_FORMACTION_MAILTO - HTML form in message sent by e-mail
HTML_IMAGE_ONLY_04 - Except images only 0-400 characters text
HTML_IMAGE_ONLY_08 - Except images only 400-800 characters of text
HTML_IMAGE_ONLY_12 - Except images only 800-1200 characters text
HTML_IMAGE_ONLY_16 - Except images only 1200-1600 characters text
HTML_IMAGE_ONLY_20 - Except images only 1600-2000 characters Text
HTML_IMAGE_ONLY_24 - Except images only 2000-2400 characters text
HTML_IMAGE_ONLY_28 - HTML: images with 2400-2800 bytes of words
HTML_IMAGE_ONLY_32 - HTML: images with 2800-3200 bytes of words
HTML_IMAGE_ONLY_45 - HTML: images with 3200 to 4500 bytes of words
HTML_IMAGE_ONLY_80 - HTML: images with 4500 to 8000 bytes of words
HTML_IMAGE_RATIO_02 - Ratio of image area to text is small
HTML_IMAGE_RATIO_04 - Ratio of image area to text is small
HTML_IMAGE_RATIO_06 - Ratio of image area to text is small
HTML_IMAGE_RATIO_08 - Ratio of image area to text is small
HTML_LINK_OPT_OUT - HTML link text says "opt out" or similar
HTML_LINK_PUSH_HERE - Hyperlink says "push here"
HTML_MESSAGE - Message contains HTML
HTML_MIME_NO_HTML_TAG - Message consists only of HTML, but has no "html" element
HTML_MISSING_CTYPE - HTML message without matching header "Content-Type"
HTML_NONELEMENT_00_10 - 0-10% of HTML elements do not comply with the standard
HTML_NONELEMENT_10_20 - 10-20% of the HTML elements do not comply with the standard
HTML_NONELEMENT_20_30 - 20-30% of HTML elements do not comply with the standard
HTML_NONELEMENT_30_40 - 30-40% of HTML elements do not comply with the standard
HTML_NONELEMENT_40_50 - 40-50% of HTML elements do not comply with the standard
HTML_NONELEMENT_50_60 - 50-60% of HTML elements do not comply with the standard
HTML_NONELEMENT_60_70 - 60-70% of HTML elements do not comply with the standard
HTML_NONELEMENT_70_80 - 70-80% of HTML elements do not comply with the standard
HTML_NONELEMENT_80_90 - 80-90% of HTML elements do not comply with the standard
HTML_NONELEMENT_90_100 - 90-100% of HTML elements do not conform to the standard
HTML_OBFUSCATE_05_10 - Message text contains 0-10% random HTML
HTML_OBFUSCATE_10_20 - Message text contains 10-20% random HTML
HTML_OBFUSCATE_20_30 - News text contains 20-30% random HTML
HTML_OBFUSCATE_30_40 - Message text contains 30-40% random HTML
HTML_OBFUSCATE_40_50 - Message text contains 40-50% random HTML
HTML_OBFUSCATE_50_60 - News text contains 50-60% random HTML
HTML_OBFUSCATE_60_70 - News text contains 60-70% random HTML
HTML_OBFUSCATE_70_80 - News text contains 70-80% random HTML
HTML_OBFUSCATE_80_90 - News text contains 80-90% random HTML
HTML_OBFUSCATE_90_100 - News text contains 90-100% random HTML
HTML_SHORT_CENTER - Little HTML with "center" element
HTML_SHORT_COMMENT - Little HTML and then comments
HTML_SHORT_LENGTH - Very, very small HTML part
HTML_SHORT_LINK_IMG_1 - HTML is very short with a linked image
HTML_SHORT_LINK_IMG_2 - HTML is very short with a linked image
HTML_SHORT_LINK_IMG_3 - HTML is very short with a linked image
HTML_SHOUTING3 - Many visually conspicuous ("screaming") HTML elements
HTML_SHOUTING4 - Many visually striking ("screaming") HTML elements
HTML_SHOUTING5 - Many visually conspicuous ("screaming") HTML elements
HTML_SHOUTING6 - Many visually conspicuous ("screaming") HTML elements
HTML_SHOUTING7 - Many visually conspicuous ("screaming") HTML elements
HTML_TAG_BALANCE_BODY - Number of "body" tags not balanced
HTML_TAG_BALANCE_HEAD - Number of "head" tags not balanced
HTML_TAG_EXIST_BGSOUND - HTML has "bgsound" tag
HTML_TAG_EXIST_MARQUEE - HTML element "marquee" found
HTML_TAG_EXIST_TBODY - HTML element "tbody" found
HTML_TEXT_AFTER_BODY - Text after end marker "/body"
HTML_TEXT_AFTER_HTML - Text after end marker "/html"
HTML_TINY_FONT - body contains 1 or 0-point font
HTML_TITLE_EMPTY - HTML message with empty title
HTML_TITLE_LONG - HTML title is very long
HTML_TITLE_SUBJ_DIFF -
HTML_TITLE_UNTITLED - HTML message with title "Untitled"
HTTPS_IP_MISMATCH - IP to HTTPS link found in HTML
HTTP_77 - Contains URL with encoded host name
HTTP_CTRL_CHARS_HOST - Uses control characters within the URL hostname
HTTP_ESCAPED_HOST - Uses % encoding within the hyperlink
HTTP_EXCESSIVE_ESCAPES - Superfluous % encoding in web address
IMPOTENCE - Eliminates impotence
INFO_TLD - Hyperlink with ".info" domain
INTERRUPTUS - Message looks to contain HTML-interrupted text
INVALID_DATE - Date header not standard compliant with RFC 2822
INVALID_DATE_TZ_ABSURD - Invalid date, this time zone does not exist
INVALID_MSGID - "Message-ID" line is invalid according to RFC-2822
INVALID_TZ_CST - Invalid date in header (wrong CST time zone)
INVALID_TZ_EST - Invalid date in header (wrong EST time zone)
INVALID_TZ_GMT - Invalid date in header (wrong GMT/UTC time zone)
INVESTMENT_ADVICE - Message mentions investment advice
INVESTMENT_EXPERT - Message mentions investment expert
IP_LINK_PLUS - IP address (a.b.c.d) followed by CGI program
JAPANESE_UCE_SUBJECT - Subject contains Japanese advertising labeling
JOIN_MILLIONS - Copy millions of Americans
JS_FROMCHARCODE - Document is generated from JavaScript program
KOREAN_UCE_SUBJECT - Subject contains Korean advertising code
LIVE_PORN - Possible porn ad: be there live
LOCALPART_IN_SUBJECT - Local part of To: address appears in Subject
LONGWORDS - A series of long words in a row
LOTS_OF_STUFF - Thousands/millions of porn images
LOW_PRICE - Lowest prices
MAILTO_SUBJ_REMOVE - Hyperlink with "mailto:" should remove you from the address list
MAILTO_TO_REMOVE - Contains an email address with "remove"
MAILTO_TO_SPAM_ADDR - Hyperlink with email address of a suspected spam sender
MALE_ENHANCE - Message talks about enhancing men
MANY_DUL -
MANY_EXCLAMATIONS - Subject contains many exclamation marks
MARKETING_PARTNERS - Allegedly you have registered with a partner company
MEET_SINGLES - Meet other single people
MICROSOFT_EXECUTABLE - Message includes Microsoft executable program
MICRO_CAP_WARNING - Warning about cheap stocks under US Securities and Exchange Commission regulations
MILLION_USD - Mentions millions of dollars
MIME_BAD_ISO_CHARSET - MIME character set is an unknown ISO charset
MIME_BASE64_BLANKS - Superfluous blank lines in base64 encoding
MIME_BASE64_NO_NAME - base64 attachment has no file name
MIME_BASE64_TEXT - Text camouflaged by base64 encoding
MIME_BOUND_DD_DIGITS - Certain pattern of spam software in MIME delimiter
MIME_BOUND_DIGITS_15 - Certain pattern of spam software in MIME delimiter
MIME_BOUND_DIGITS_7 - Specific pattern of spam software in MIME delimiter
MIME_BOUND_MANY_HEX - Specific pattern of spam software in MIME limitation
MIME_BOUND_NEXTPART - Specific pattern of spam software in MIME delimiter
MIME_BOUND_RKFINDY - Specific pattern of spam software in MIME delimiter (rfkindy)
MIME_CHARSET_FARAWAY - MIME character set indicates foreign language
MIME_HEADER_CTYPE_ONLY - "Content-Type" header found without MIME headers
MIME_HTML_MOSTLY - Multi-part MIME message mainly in HTML
MIME_HTML_ONLY - MIME message consists only of HTML
MIME_HTML_ONLY_MULTI - Multi-part MIME message consists only of HTML
MIME_MISSING_BOUNDARY - Missing limitation of a MIME section
MIME_QP_LONG_LINE - "quoted-printable" encoded line longer than 76 characters
MIME_SUSPECT_NAME - MIME file name does not correspond to the MIME type
MISSING_DATE - Missing date header
MISSING_HB_SEP - Missing blank line between message header and body
MISSING_HEADERS - Missing recipient address ("To")
MISSING_MIMEOLE - Header "X-MSMail-Priority" but no "X-MimeOLE"
MISSING_MIME_HB_SEP - Missing blank line between MIME header and body
MISSING_SUBJECT - Subject is missing
ML_MARKETING - Mentions fraud with pyramid schemes
MONEY_BACK - With money-back guarantee
MORE_SEX - Become more sexually active
MORTGAGE_BEST - Information about mortgage loans
MORTGAGE_PITCH - Advertises mortgage loans
MORTGAGE_RATES - Information about mortgage loans
MPART_ALT_DIFF - Message text in text and HTML format are different
MPART_ALT_DIFF_COUNT - HTML and text parts are different
MSGID_DOLLARS - Pattern in header "Message ID" typical for spam
MSGID_DOLLARS_RANDOM -
MSGID_FROM_MTA_HEADER - Added header "Message-ID" from external sender computer
MSGID_FROM_MTA_HOTMAIL - Header "Message-ID" from hotmail.com sender computer added
MSGID_FROM_MTA_ID - Header "Message-ID" was added locally
MSGID_LONG - Message-ID is unusually long
MSGID_MULTIPLE_AT - Message-ID contains multiple '@' characters
MSGID_NO_HOST - Host name missing in "Message-ID" header
MSGID_OUTLOOK_INVALID - Fake header "Message-ID" in Outlook Express format
MSGID_RANDY - Pattern in header "Message-ID" typical for spam
MSGID_RATWARE1 - Bulk email fingerprint found
MSGID_SHORT - Message-ID is unusually short
MSGID_SPAM_99X9XX99 - Message ID header generated by spam software (99x9xx99)
MSGID_SPAM_ALPHA_NUM - Message ID header generated by spam software (alphanumeric)
MSGID_SPAM_CAPS - Header "Message-ID" generated by spam software (uppercase)
MSGID_SPAM_LETTERS - Header "Message ID" generated by spam software (letters)
MSGID_SPAM_ZEROES - Header "Message ID" generated by spam software (12 zeros)
MSGID_YAHOO_CAPS - "Message ID" header contains [email protected]
MULTI_FORGED - Multiple forged "Received" headers
MULTI_STOCK - Contains several stock properties
MYTOB - Contains W32/Mytob string +++ Attachment: No
NASTY_GIRLS - Possible porn ad: Naughty girls
NA_DOLLARS - Deals with one million dollars from the US or Canada
NONEXISTENT_CHARSET - The specified character set does not exist
NORMAL_HTTP_TO_IP - Uses an IP address (a.b.c.d) in a hyperlink
NOT_ADVISOR - Revolves around an unregistered investment advisor
NO_COST - Offers something completely free of charge...
NO_DNS_FOR_FROM - Domain of sending address not registered in DNS (no MX/A record)
NO_FORMS - No forms required
NO_MEDICAL - No medical exams required
NO_OBLIGATION - Completely without obligation
NO_PRESCRIPTION - No prescription needed
NO_RDNS_DOTCOM_HELO - HELO identification as major provider, but rDNS name incorrect
NO_REAL_NAME - No full name in sender address
NO_RECEIVED - Informational: message has no Received headers
NO_RELAYS - Informational: message was not relayed via SMTP
NUMERIC_HTTP_ADDR - Uses a single number as IP address in a hyperlink
OBFUSCATING_COMMENT - HTML comment tries to obfuscate text
OBF_STOCK - body with words where O replaced by zero
OBF_STOCK2 - body with words containing d1gits
OBF_STOCK3 - body with words containing d1gits
OBF_STOCK4 - body obfuscating stock terms
OBSCURED_EMAIL - Possibly ROT13-encoded e-mail address in the text
OFFSHORE_SCAM - Dubious financial transactions abroad ("offshore")
ONE_TIME - One-off offer/opportunity
ONLINE_PHARMACY - Internet pharmacy
OPTING_OUT_CAPS - "If you do not wish to participate..." (opt-out)
ORG_MIME_TOOLS - Organization is MIME-tools
PERCENT_RANDOM - Message has a random macro in it
PLING_PLING - Unusually many exclamation marks in the subject line
PLING_QUERY - Subject contains exclamation and question marks
PORN_15 - Words and phrases indicate pornography
PORN_16 - Words and phrases indicate pornography
PORN_URL_MISC - Words/phrases in URL indicate pornography (various)
PORN_URL_SEX - Words/phrases in URL indicate pornography (sex)
PORN_URL_SLUT - Words/phrases in URL indicate pornography (slut)
PREST_NON_ACCREDITED - Buy degrees from obscure universities
PREVENT_NONDELIVERY - Message has Prevent-NonDelivery-Report header
PRICES_ARE_AFFORDABLE - Message says that prices aren't too expensive
PRIORITY_NO_NAME - Contains header "X-Priority" but no "X-Mailer"
PYZOR_CHECK - Listed in the Pyzor system (http://pyzor.sf.net/)
QUALIFY_FOR_THIS - Qualify for this special...
RATWARE_BOUND_PIECE - Bulk email fingerprint (piece boundary) found
RATWARE_EFROM - Bulk email fingerprint (envfrom) found
RATWARE_EGROUPS - Message structure indicates spam software (eGroups)
RATWARE_GECKO_BUILD - Headers contain fake references to Mozilla/Gecko
RATWARE_HASH_2 - Message structure indicates spam software (identification number)
RATWARE_HASH_2_V2 - Message structure indicates spam software (identification number)
RATWARE_HASH_DASH - Contains defense measure against anti-spam software ("hashbuster")
RATWARE_JPFREE - Message structure indicates spam software ("jpfree")
RATWARE_MOZ_MALFORMED - Headers contain fake references to Mozilla
RATWARE_MPOP_WEBMAIL - Bulk email fingerprint (mPOP Web-Mail)
RATWARE_MS_HASH - Bulk email fingerprint (msgid ms hash) found
RATWARE_NAME_ID - Bulk email fingerprint (msgid from) found
RATWARE_NETIP - Spam hints found (netIP)
RATWARE_OE_MALFORMED - Headers contain fake references to Outlook Express
RATWARE_OUTLOOK_NONAME - Bulk email fingerprint (Outlook no name) found
RATWARE_RCVD_AT - "Received" header with @ sign
RATWARE_RCVD_LC_ESMTP - Message structure indicates spam software ("esmtp" in lower case)
RATWARE_RCVD_PF - Fake "Received" header from Postfix
RATWARE_STORM_URI - Message structure indicates spam software ("StormPost")
RATWARE_ZERO_TZ - Strange time zone (+0000)
RAZOR2_CF_RANGE_51_100 - Razor2 spam score is between 51 and 100
RAZOR2_CF_RANGE_E4_51_100 - Razor2 gives engine 4 confidence level above 50%
RAZOR2_CF_RANGE_E8_51_100 - Razor2 gives engine 8 confidence level above 50%
RAZOR2_CHECK - Listed in the "Razor2" system (http://razor.sf.net/)
RCVD_AM_PM - Fake "Received" headers (AM/PM timing)
RCVD_BONUS_SPC_DATE - Additional spaces in the date
RCVD_BY_IP - Transported by computer without name
RCVD_DOUBLE_IP_LOOSE - Recipients/senders in headers look like IP addresses
RCVD_DOUBLE_IP_SPAM - Signs of spam software (duplicate IP address)
RCVD_FAKE_HELO_DOTCOM - "Received" headers contain fake HELO computer name
RCVD_HELO_IP_MISMATCH - HELO name and IP address in headers do not match
RCVD_ILLEGAL_IP - "Received" headers contain invalid IP address
RCVD_IN_BL_SPAMCOP_NET - Transported via computer in list from www.spamcop.net (http://www.spamcop.net)
RCVD_IN_BSP_OTHER - Sending computer in list from http://www.bondedsender.org/
RCVD_IN_BSP_TRUSTED - Sender computer in list from http://www.bondedsender.org/
RCVD_IN_DSBL - Transported via computer in list from list.dsbl.org
RCVD_IN_IADB_VOUCHED - ISIPP IADB lists as vouched-for sender
RCVD_IN_MAPS_DUL - Transported via computer to list from http://www.mail-abuse.org/dul/
RCVD_IN_MAPS_NML - Transported via computer to list from http://www.mail-abuse.org/nml/
RCVD_IN_MAPS_RBL - Transported via computer to list from http://www.mail-abuse.org/rbl/
RCVD_IN_MAPS_RSS - Transported via computer to list from http://www.mail-abuse.org/rss/
RCVD_IN_NJABL_CGI - NJABL: Sent via an outdated and unsecured web form
RCVD_IN_NJABL_DUL - NJABL: Sending computer only temporarily connected to the Internet
RCVD_IN_NJABL_MULTI - NJABL: Forwarded several times via "open relay" computer
RCVD_IN_NJABL_PROXY - NJABL: Sender computer reported as "open proxy"
RCVD_IN_NJABL_RELAY - NJABL: Sender computer confirmed as "open relay"
RCVD_IN_NJABL_SPAM - NJABL: Sender computer is confirmed spam sender
RCVD_IN_SBL - Transported via computer in SBL list (http://www.spamhaus.org/sbl/)
RCVD_IN_SORBS_BLOCK - SORBS: Sender computer refuses tests
RCVD_IN_SORBS_DUL - SORBS: Sender computer only temporarily connected to the Internet
RCVD_IN_SORBS_HTTP - SORBS: Sender computer reported as "open HTTP proxy
RCVD_IN_SORBS_MISC - SORBS: Sender computer reported as "open proxy
RCVD_IN_SORBS_SMTP - SORBS: Sender computer is an unsecured mail server
RCVD_IN_SORBS_SOCKS - SORBS: Sender computer reported as "open SOCKS proxy"
RCVD_IN_SORBS_WEB - SORBS: Sender computer is an unsecured WWW server
RCVD_IN_SORBS_ZOMBIE - SORBS: Sender computer in list of "hijacked" address blocks
RCVD_IN_WHOIS_BOGONS - CompleteWhois: sender on bogons IP block
RCVD_IN_WHOIS_HIJACKED - CompleteWhois: sender on hijacked IP block
RCVD_IN_WHOIS_INVALID - CompleteWhois: sender on invalid IP block
RCVD_IN_XBL - Transported via computer in XBL list (http://www.spamhaus.org/xbl/)
RCVD_NUMERIC_HELO - "Received" headers contain numeric HELO identification
RCV_ACAT - Received from several Austrian University Networks
RCV_CHELLO - Received from Chello
RCV_EXCHANGE - Received from Exchange
RCV_INODE - Received via Inode
RCV_SMTP_AUTH - Received with authenticated SMTP at uibk
RCV_SMTP_UIBK - Received by smtp.uibk.ac.at
RCV_TILAK - Received via Tilak
RCV_WEBMAIL - Received from Web-Mail
RECEIVE_OFFER - A special offer for you
REFINANCE_NOW - All about construction financing
REFINANCE_YOUR_HOME - All about construction financing
REMOVE_BEFORE_LINK - Removal phrase right before a link
REMOVE_PAGE - Hyperlink of a page called "remove
REMOVE_POSTAL - Send letter/postcard to be removed from the list...
REPLICA_WATCH - Message talks about a replica watch
REPLY_TO_EMPTY - Header "Reply-To" is present but empty
REPTO_OVERQUOTE_THEBAT - The Bat! doesn't do quoting like this
REPTO_QUOTE_AOL - AOL doesn't do quoting like this
REPTO_QUOTE_IMS - IMS doesn't do quoting like this
REPTO_QUOTE_MSN - MSN doesn't do quoting like this
REPTO_QUOTE_QUALCOMM - Qualcomm/Eudora doesn't do quoting like this
REPTO_QUOTE_YAHOO - Yahoo! doesn't do quoting like this
RESISTANCE_IS_FUTILE - Resistance to this spam is futile...
REVERSE_AGING - Stop the aging process
RISK_FREE - Without any risk
ROUND_THE_WORLD - "Received" headers prove sending around the world (DNS)
ROUND_THE_WORLD_LOCAL - "Received" headers prove sending around the world (HELO)
RUDE_HTML - Spammer message says you need an HTML mailer
SATIS_GUAR - Satisfaction is guaranteed
SAVE_THOUSANDS - Save a lot of money
SEE_FOR_YOURSELF - See for yourself
SENT_IN_COMPLIANCE - Claims to comply with spam regulations
SMTP_REC_FLOHAU - Mail sent to Florian Hauser
SOMETHING_FOR_ADULTS - Possible porn advertising: websites for adults only
SOME_BREAKTHROUGH - Someone has made the big breakthrough
SORTED_RECIPS - Recipients are sorted by address
SPAM_HTML_IMG - SPAM within Image
SPAM_NUMBER - SPAM within Image
SPF_FAIL - SPF: Sender computer does not match SPF data set (fail)
SPF_HELO_FAIL - HELO name does not match SPF record (fail)
SPF_HELO_NEUTRAL - SPF: HELO does not match SPF record (neutral)
SPF_HELO_PASS - SPF: HELO name matches SPF record
SPF_HELO_SOFTFAIL - HELO name does not match SPF record (softfail)
SPF_NEUTRAL - SPF: sender does not match SPF record (neutral)
SPF_PASS - SPF: sender computer matches SPF record
SPF_SOFTFAIL - Sender computer does not match SPF record (softfail)
SPOOF_COM2COM - URI contains ".com" in middle and end
SPOOF_COM2OTH - URI contains ".com" in middle
SPOOF_NET2COM - URI contains ".net" or ".org", then ".com"
SPOOF_OURI - URI has items in odd places
STOCK1 - body with stock phrases
STOCK2 - body with stock phrases
STOCK3 - body with stock phrases
STOCK4 - body with stock prices
STOCK5 - body obfuscated Symbol ref
STOCKFRAUD - body with "ST0CKS featured" O replaced by zero
STOCK_ALERT - Provides a notification about stock values
STRONG_BUY - Mentions a strong buy recommendation (of stocks?)
STYLE_HIDD - Body contains style hidden textarea
SUBJECT_DIET - Subject is about weight loss
SUBJECT_DRUG_GAP_C - Subject contains 'cialis' with L.ü.c.k.e.n
SUBJECT_DRUG_GAP_L - Subject contains 'levitra' with L.ü.c.k.e.n
SUBJECT_DRUG_GAP_P - Subject contains 'phentermine' with L.ü.c.k.e.n
SUBJECT_DRUG_GAP_S - Subject contains 'soma' with L.ü.c.k.e.n
SUBJECT_DRUG_GAP_VA - Subject contains 'valium' with L.ü.c.k.e.n
SUBJECT_DRUG_GAP_VIC - Subject contains 'vicodin' with L.ü.c.k.e.n
SUBJECT_DRUG_GAP_X - Subject contains 'xanax' with L.ü.c.k.e.n
SUBJECT_ENCODED_TWICE - Subject: MIME encoded twice
SUBJECT_EXCESS_BASE64 - Subject: base64 encoded encoded unnecessarily
SUBJECT_EXCESS_QP - Subject: quoted-printable encoded unnecessarily
SUBJECT_FUZZY_CHEAP - Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_MEDS - Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_PENIS - Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_TION - Attempt to obfuscate words in Subject:
SUBJECT_FUZZY_VPILL - Attempt to obfuscate words in Subject:
SUBJECT_IN_BLACKLIST - Subject: contains string in the user's black-list
SUBJECT_IN_WHITELIST - Subject: contains string in the user's white-list
SUBJECT_NOVOWEL - Subject: has long non-vowel letter sequence
SUBJECT_SEXUAL - Subject indicates sexual message text
SUBJ_2_NUM_PARENS - Subject with typical characteristics of spam (2 numbers)
SUBJ_ADVERT - subject starts with advertisement
SUBJ_ALL_CAPS - Subject contains only capital letters
SUBJ_ANSWER - Subject Re: ANSWER
SUBJ_ARB1 - subject contains jobs,fast career
SUBJ_AS_SEEN - Subject contains "as seen"
SUBJ_ATTN_WINNER - Subject contains ATTN WINNER
SUBJ_BUY - Subject is about buying ("buy...")
SUBJ_CAP - Subj cont someth like Small-Cap, MicroCap
SUBJ_CONSONANTS - Subject contains consecutive consonants in "word"
SUBJ_CREDIT1 - Subject contains credit
SUBJ_CREDIT2 - Subject contains credit
SUBJ_CTXE - Subject contains CTXE.PK
SUBJ_CYW - Subject is CONFIRM YOUR WINNING
SUBJ_DATE - Subject contains subjDATE
SUBJ_DOLLARS - Subject begins with a dollar amount
SUBJ_DOWNL_S - Subject downloadable software
SUBJ_EMAILING - Subject STOCK-SPAM
SUBJ_EURO - Subject is n Euro free
SUBJ_FAMILIEN - Subject contains Families on the move
SUBJ_FIFTH - Subject is FIFTH INTERNATIONAL SCIENTIFIC..
SUBJ_FOR_ONLY - Subject contains "For Only"
SUBJ_FREE_CAP - Subject contains "FREE" in capital letters
SUBJ_GATES_1 - Subject contains Bill Gates distributes money
SUBJ_GEIL - Subject is horny
SUBJ_GEWONNEN - Subject have won nn Euro
SUBJ_GIANNI - Subject FROM WENA GIANNI
SUBJ_GRUSS1 - Subject You have received a greeting card
SUBJ_GUARANTEED - Subject contains "GUARANTEE"
SUBJ_HAS_SPACES - Subject contains a lot of spaces
SUBJ_HAS_UNIQ_ID - Unique identifier in the subject
SUBJ_HEHE - Subject contains hehe|hihi
SUBJ_HMGP - Subject contains HMGP to Acquire Additional
SUBJ_HOMO_SIEMPRE - Subject homosexual desde siempre y nada
SUBJ_ILLEGAL_CHARS - Subject contains too many invalid characters
SUBJ_INC_4_DAY - Subject 76% increase in 4 days
SUBJ_IS_SPAM_REPORT - Mail is SPAM report
SUBJ_JOB - Subject contains JOB: Home Workers Needed
SUBJ_LETTER_RUS1 - Subject carta from Russia
SUBJ_LETTER_RUS2 - Subject Ask for help from Russia
SUBJ_LETTER_RUS3 - Subject Message from Russia
SUBJ_LIFE_INSURANCE - Subject contains "life insurance"
SUBJ_LOTTERY - Subject contains LOTTERY
SUBJ_LOTTERY2 - Subject is Lottery
SUBJ_MITARBEITER - Subject contains New employees wanted|Employees urgently needed|Company looking for employees
SUBJ_MOBILF - Subject Mobile phone
SUBJ_MOMENTOUS - Subject Momentous message. You have to read
SUBJ_MONSTER - Subject contains We are looking for employees in EU
SUBJ_MSR - Subject Mail server report
SUBJ_MS_DOLLARS - Subject contains Dollars or Euros from Microsoft
SUBJ_MS_VERSCHENKT - Subject contains Microsoft is giving away dollars
SUBJ_NUM_PDF - Subject cites PDF file
SUBJ_NUM_ZIP - Subject cites ZIP file
SUBJ_OBFSTOCK - Subj contains St0ck
SUBJ_OEMSW - Subject OEM Software
SUBJ_ONLY_NUM - subject contains only Numbers
SUBJ_ON_OTC - Subject contains on OTC
SUBJ_PENNY_ST - Subj cont someth like Penny Stock
SUBJ_PHIS_EBAY - Ebay phishing mail
SUBJ_POSTCARD - Subject contains You have received a postcard
SUBJ_PR1CE - Subject contains Pr1ce
SUBJ_PROOF - Subject Proofreading
SUBJ_QUOTES1 - Subject Quotes.com
SUBJ_RAIKA_PHISH6 - Subject contains Raiffeisenbank. Wichtiges Update
SUBJ_RE - Subject is Re[1]:
SUBJ_REHI - Subject is Re: Hi/News
SUBJ_REN - Subject is ReN:
SUBJ_RE_SMTH_N - Subject is Re: something numbers
SUBJ_SCREENSAVER_1 - Subject Dream is real
SUBJ_SCREENSAVER_2 - Look at this beautiful screensaver in your attachment
SUBJ_SM_WROTE - Subject someone wrote:
SUBJ_SOLEIT - Contains Subject Sonnenstudio.*Soleit/
SUBJ_SPAM - Subject contains SPAM-Warning
SUBJ_SPARKASSE - Subject Sparkasse implements new security system
SUBJ_SSEX - subject contains ssex
SUBJ_STOCK - subject contains stock
SUBJ_STOCK2 - various STOCK subjects
SUBJ_STOCK3 - various STOCK subjects
SUBJ_STOCK5 - Subject STOCK-SPAM
SUBJ_ST_OCK - Subject St ock
SUBJ_TERR_GRO - Subject terrific growth!
SUBJ_TITLE_PER - Subject is Title and Name
SUBJ_TTHEMEE - Subject tthemee
SUBJ_UBTA - Subject contains UBTA and the Wall Street Journal
SUBJ_VDIAGRA - Subject VdIAGRA
SUBJ_VERTRETER - Subject contains Search for regional representative
SUBJ_VIEAGRA - Subject VIEAGRA
SUBJ_VKAGRA - Subject VkAGRA
SUBJ_VLAGHRA - Subject VlAGHRA
SUBJ_VLBAGRA - Subject VlbAGRA
SUBJ_VLRAGRA - Subject VlrAGRA
SUBJ_VMLAGRA - Subject VmlAGRA
SUBJ_VZIAGRA - Subject VzIAGRA
SUBJ_WIN1 - Subject contains winning or winner
SUBJ_WIN2 - Subject contains winning notification
SUBJ_WIN3 - Subject contains award
SUBJ_WINNER - Subject You are the winner
SUBJ_WIN_NOTIF - Subject contains winning notification
SUBJ_XX_HERE - Subject xx here
SUBJ_YOUR_DEBT - Subject is about bills or loans
SUBJ_YOUR_FAMILY - Subject contains "Your Family"
SUBJ_YOUR_OWN - Subject contains "Your Own"
SUBJ_ZUSAMMENT - Subject Do this together
SUB_AWARDN - Subject contains award notification
SUB_FREE_OFFER - Subject starts with "Free"
SUB_HELLO - Subject begins with "Hello"
SUSPICIOUS_RECIPS - Recipient addresses are similar
TERRA_ES - Contains hyperlink with "terra.es"
TEXTAREA_HIDD - Body contains style hidden textarea
TO_ADDRESS_EQ_REAL - Destination address repeats the address as recipient name
TO_CC_NONE - No To: or Cc: header
TO_EMPTY - Destination address exists but is empty
TO_MALFORMED - Format of the target address incorrect
TO_NO_USER - Address part before the @ sign is missing in the recipient address
TO_RECIP_MARKER - Recipient line contains "recipient" marker
TO_TXT - Sent to a text file
TRACKER_ID - Contains an identity number for user tracking
UNCLAIMED_MONEY - Money or winnings without owner
UNCLOSED_BRACKET - Headers contain an unclosed bracket
UNDISC_RECIPS - "undisclosed-recipients" looks correct
UNIQUE_WORDS - Message body contains many words only once
UNPARSEABLE_RELAY - Informational: message has unparseable relay lines
UNRESOLVED_TEMPLATE - Headers contain unreplaced variables
UNWANTED_LANGUAGE_BODY - Message text in unwanted language
UPPERCASE_25_50 - Message text consists of 25-50% capital letters
UPPERCASE_50_75 - Message text consists of 50-75% capital letters
UPPERCASE_75_100 - Message text consists of 75-100% capital letters
URG_BIZ - Urgent business
URIBL_AB_SURBL - Contains URL in AB list (www.surbl.org (http://www.surbl.org))
URIBL_JP_SURBL - Contains URL in JP list (www.surbl.org (http://www.surbl.org))
URIBL_OB_SURBL - Contains URL in OB list (www.surbl.org (http://www.surbl.org))
URIBL_PH_SURBL - Contains URL in PH list (www.surbl.org (http://www.surbl.org))
URIBL_SBL - Contains an URL listed in the SBL list (http://www.spamhaus.org/sbl/)
URIBL_SBLXBL - Contains an URL listed in the SBL-XBL blocklist
URIBL_SC_SURBL - Contains an URL listed in the SC list (www.surbl.org (http://www.surbl.org))
URIBL_WS_SURBL - Contains a URL listed in the WS list (www.surbl.org (http://www.surbl.org))
URI_4YOU - Hyperlink contains "4you"
URI_AFFILIATE - Contains URL with advertising partner identification
URI_DIGITS - URI hostname has long digit sequence
URI_HEX - URI hostname has long hexadecimal sequence
URI_IS_POUND - File name consists only of "#"; perhaps a JavaScript trick
URI_NOVOWEL - URI hostname has long non-vowel sequence
URI_NO_WWW_ANY_CGI - CGI with long hostname other fourth-level "www"
URI_NO_WWW_BIZ_CGI - CGI in .biz TLD other than third-level "www"
URI_NO_WWW_INFO_CGI - CGI in .info TLD other than third-level "www"
URI_OFFERS - Hyperlink to company offer
URI_REDIRECTOR - Message contains HTTP URL with redirect
URI_SCHEME_MIXED_CASE - URI scheme has mixed uppercase and lowercase
URI_UNSUBSCRIBE - URI contains sospechoso unsubscribe link
URI_UPPER_LOWER - URI contains capitalized hostname parts ("Abcde")
URL_2PRIVATE - Contains URL only2private.net/
URL_ADULTDREAMS - Contains URL with adultdreams.info/
URL_ADVENT1 - Contains URL my-adventskalender.de/
URL_ADVENT2 - Contains URL my-adventskalender.de/
URL_AMERICACLICKHERE - Contains URL americaclickhere.info/
URL_ARODSHOP - Contains URL arodshop.info/
URL_ASSISI - Contains URL camminodiassisi.it/
URL_BUYPENTAX - Contains URL buypentax.info/
URL_CASINOTROPEZ - Contains URL casinotropez.com/
URL_CA_BA_PHISH - Contains URL with ba-ca.onlinebanking.com.de/
URL_DAEN_HH - Contains URL daenische-hobbyhuren.com/
URL_DAYZERS - Contains URL dayzers.nl/
URL_DILDO1 - Contains URL dildololita16.org/
URL_DILDO2 - Contains URL dildoteenies.org/
URL_EUTRAINING - Contains URL eutraining.be/
URL_EVENGIO - Contains URL evengio4u.com/
URL_E_T_I - Contains URL e-t-i.be/
URL_FA_CN - Contains URL fardoheir.cn/
URL_GENEKAM - Contains URL genekam.de/
URL_GEOCITIES - Contains URL with geocities.com/
URL_GOHOMEVIDEO - Contains URL gohomevideo.info/
URL_GOLYR - Contains URL with golyr.de/
URL_GREAT_ROD1 - Contains URL greatrodstewart.info/
URL_GREAT_ROD2 - Contains URL rodstewartdirect.info/
URL_GREAT_ROD3 - Contains URL exaltedrodshop.info/
URL_HEISSE_EX - Contains URL meine-heisse-ex.com/
URL_IMAGESHACK - Contains URL imageshack.us/
URL_INFOMANIAC - contains URL with infomaniac.cc/
URL_INTERNG - Contains URL www.interng.com/ (http://www.interng.com/)
URL_INZ_ALARM - Contains URL inzestalarm.com/
URL_ISVTIROL - Contains URL isvtirol.at/
URL_JENNY - Contains URL jennywillanalsex/
URL_JOB2 - Contains URL kukarachax.com/
URL_JOB_AGEN - Contains URL job-agency.biz/
URL_LOLITA1 - Contains URL gefesselte-lolitas.org/
URL_MAEDELS - Contains URL erniedrigte-maedels.org/
URL_MAU_GEW - Contains URL www.mauritius-gewinnspiel.com/ (http://www.mauritius-gewinnspiel.com/)
URL_MEDIAWORLD - Contains URL mediaworld.cc/
URL_MEETSWEET - Contains URL meet-some-sweet.com/
URL_MORTGAGEXTREME - Contains URL mortgagextreme.info/
URL_MYHOMEBBS - Contains URL myhomebbs.info/
URL_MYSITECONTENT - Contains URL mysitecontent.info/
URL_NEXTLEVEL - Contains URL nextlevel-europe.com/
URL_OBFU_DOT - replaces dot by mime encoding of dot in URIs
URL_OUTERFEANS - contains URL with outerfeans.com/
URL_PASAWIM - Contains URL pasawim.com/
URL_PH_BAWAG - Bawag Phising
URL_PINKFLICKS - Contains URL with pinkflicks
URL_POLITICAMENTECORRETTO - Contains URL politicamentecorretto/
URL_RAIKA_PHISH0 - Contains URL with banking-raiffeisen.com/
URL_RAIKA_PHISH1 - Contains URL with raiffeisen-bank.net/
URL_RAIKA_PHISH5 - Contains URL with raika-at.net
URL_RBN_GROUP - Contains URL rbn-group.com/
URL_SCHMERZ - Contains URL sie-weint-vor-schmerz/
URL_SH_CN - Contains URL shaesnowwai.cn/
URL_STAR_DOT1 - chars to replace in URIs
URL_STAR_DOT2 - chars to replace in URIs
URL_THEROBMAN - Contains URL therobman.info/
URL_THEWORLDMOSQUE - Contains URL theworldmosque.info/
URL_TK_COM - Contains URL www.tk-com.com/ (http://www.tk-com.com/)
URL_UK_GEOCITIES - Contains URL with uk.geocities.com/
URL_VERGE1 - Contains URL vergewaltigt.org/
URL_WEBERDIT - Contains URL martinsweberdito/
URL_YAHOO_GEOCITIES - Contains URL with geocities.yahoo.com/
URL_ZUSCHL - Contains URL 123zuschlag.at/
USERPASS - Hyperlink contains user name and (possibly) a password
USER_IN_ALL_SPAM_TO - Recipient address should receive all (spam) messages
USER_IN_BLACKLIST - Sender address is on your personal blacklist
USER_IN_BLACKLIST_TO - Recipient address is in your personal blacklist
USER_IN_DEF_DKIM_WL - From: address is in the default DKIM white-list
USER_IN_DEF_DK_WL - From: address is in the default DK white-list
USER_IN_DEF_SPF_WL - From: address is in the default SPF white-list
USER_IN_DEF_WHITELIST - From: address is in the general white-list
USER_IN_DKIM_WHITELIST - From: address is in the user's DKIM whitelist
USER_IN_DK_WHITELIST - From: address is in the user's DK whitelist
USER_IN_MORE_SPAM_TO - Recipient address should receive almost all (spam) messages
USER_IN_SPF_WHITELIST - From: address is in the user's SPF whitelist
USER_IN_WHITELIST - Sender's address is in your personal whitelist
USER_IN_WHITELIST_TO - Recipient address is in your personal whitelist
US_DOLLARS_3 - Mentions millions of dollars
VCALENDAR - Seems to be a calendar message
VIA_GAP_GRA - Attempts to disguise the word 'viagra'
WEBSHIELD1 - unwanted Sendernotification from NAI Webshield
WEBSHIELD2 - unwanted Sendernotification from NAI Webshield
WEIRD_PORT - Unusual port number in HTTP hyperlink
WEIRD_QUOTING - Strange accumulation of quotation marks in message text
WE_HONOR_ALL - Claims to follow requests to remove from the list
WHILE_YOU_SLEEP - While you sleep...
WHY_PAY_MORE - Why pay more than necessary?
WHY_WAIT - What are you waiting for?
WIN_NOTIF - body contains winning notification
WITH_LC_SMTP - Headers with "smtp" in lower case
WRINKLES - Remedy for wrinkles
X_AUTH_WARN_FAKED - Header "X-Authentication-Warning" looks fake
X_IP - Message has X-IP header
X_LIBRARY - Contains header "X-Library"
X_MAILER_SPAM - X-Mailer: header is bulk email fingerprint
X_MESSAGE_FLAG_ODD - Message has X-Message-flag header (odd case)
X_MESSAGE_INFO - Header "X-Message-Info"
X_MIME_AUTOCONVERTED - Message has X-MIME-Autoconverted "Yes" header
X_MSMAIL_PRIORITY_HIGH - X-MSMail-Priority header has a value that is too high
X_ORIG_IP_NOT_IPV4 - Header "X-Originating-IP" does not appear to contain an IPv4 address
X_PRIORITY_CC - Cc: after X-Priority: (bulk email fingerprint)
X_PRIORITY_HIGH - Header "X-Priority" has a value that is too high
YAHOO_DRS_REDIR - URL with redirection via Yahoo
YAHOO_RD_REDIR - URL with redirection via Yahoo
YOU_CAN_SEARCH - You can inquire about anyone




Following block of supposedly rspamd symbols has been extracted from https://www.apt-browse.org/browse/debian/jessie/main/amd64/rspamd/0.6.10/file/etc/rspamd/metrics.conf :
AB_SURBL_MULTI - AbuseButler web sites
ADVANCE_FEE_2 - 2 'advance fee' patterns in a message
ADVANCE_FEE_3 - 3 'advance fee' patterns in a message
BAYES_HAM - Message probably ham, probability:
BAYES_SPAM - Message probably spam, probability:
CC_EXCESS_BASE64 - Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit
CC_EXCESS_QP - Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit
DATE_IN_FUTURE - Message date is in future
DATE_IN_PAST - Message date is in past
DBL - DBL uribl
DRUGS_ANXIETY -
DRUGS_ANXIETY_EREC -
DRUGS_DIET -
DRUGS_ERECTILE -
DRUGS_MANYKINDS - Drugs patterns inside message
DRUGS_MUSCLE -
FAKE_RECEIVED_mail_ru - Fake helo mail.ru in header Received from non mail.ru sender address
FAKE_RECEIVED_smtp_yandex_ru - Fake smtp.yandex.ru Received
FAKE_REPLY_C - Fake reply (has RE in subject, but has not References header)
FM_FAKE_HELO_VERIZON - Fake helo for verizon provider
FORGED_GENERIC_RECEIVED2 - Forged generic Received
FORGED_GENERIC_RECEIVED3 - Forged generic Received
FORGED_GENERIC_RECEIVED4 - Forged generic Received
FORGED_GENERIC_RECEIVED5 - Forged generic Received
FORGED_GENERIC_RECEIVED - Forged generic Received
FORGED_MSGID_YAHOO - Forged yahoo msgid
FORGED_MUA_KMAIL_MSGID - Message pretends to be send from KMail but has forged Message-ID
FORGED_MUA_KMAIL_MSGID_UNKNOWN - Message pretends to be send from KMail but has forged Message-ID
FORGED_MUA_MOZILLA_MAIL_MSGID - Message pretends to be send from Mozilla Mail but has forged Message-ID
FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN - Message pretends to be send from Mozilla Mail but has forged Message-ID
FORGED_MUA_OPERA_MSGID - Message pretends to be send from Opera Mail but has forged Message-ID
FORGED_MUA_OUTLOOK - Forged outlook MUA
FORGED_MUA_OUTLOOK_MAILLIST - Forged outlook MUA, but from maillist
FORGED_MUA_SEAMONKEY_MSGID - Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID
FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN - Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID
FORGED_MUA_THEBAT_BOUN - Forged The Bat! MUA headers
FORGED_MUA_THEBAT_MSGID - Message pretends to be send from The Bat! but has forged Message-ID
FORGED_MUA_THEBAT_MSGID_UNKNOWN - Message pretends to be send from The Bat! but has forged Message-ID
FORGED_MUA_THUNDERBIRD_MSGID - Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID
FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN - Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID
FORGED_OUTLOOK_HTML - Forged outlook HTML signature
FORGED_OUTLOOK_TAGS - Message pretends to be send from Outlook but has 'strange' tags
FORGED_RECIPIENTS_MAILLIST - Recipients are not the same as RCPT TO: mail command, but from maillist
FORGED_RECIPIENTS - Recipients are not the same as RCPT TO: mail command
FORGED_SENDER - Sender is forged (different From: header and smtp MAIL FROM: addresses)
FROM_EXCESS_BASE64 - From that contains encoded characters while base 64 is not needed as all symbols are 7bit
FROM_EXCESS_QP - From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit
FUZZY_DENIED - Denied fuzzy hash
FUZZY_PROB - Probable fuzzy hash
FUZZY_UNKNOWN - Generic fuzzy hash match
FUZZY_WHITE - Whitelisted fuzzy hash
HEADER_CC_DELIMITER_TAB - Header Cc begins with tab
HEADER_CC_EMPTY_DELIMITER - Header Cc has no delimiter between header name and header value
HEADER_DATE_DELIMITER_TAB - Header Date begins with tab
HEADER_DATE_EMPTY_DELIMITER - Header Date has no delimiter between header name and header value
HEADER_FROM_DELIMITER_TAB - Header From begins with tab
HEADER_FROM_EMPTY_DELIMITER - Header From has no delimiter between header name and header value
HEADER_REPLYTO_DELIMITER_TAB - Header Reply-To begins with tab
HEADER_REPLYTO_EMPTY_DELIMITER - Header Reply-To has no delimiter between header name and header value
HEADER_TO_DELIMITER_TAB - Header To begins with tab
HEADER_TO_EMPTY_DELIMITER - Header To has no delimiter between header name and header value
HTML_SHORT_LINK_IMG_2 - Short html part with a link to an image
INVALID_EXIM_RECEIVED2 - Invalid Exim Received
INVALID_EXIM_RECEIVED - Invalid Exim Received
INVALID_MSGID - Message id is incorrect
INVALID_POSTFIX_RECEIVED - Invalid Postfix Received
JP_SURBL_MULTI - jwSpamSpy + Prolocation sites
MAILLIST - Message seems to be from maillist
MIME_HEADER_CTYPE_ONLY - Only Content-Type header without other MIME headers
MIME_HTML_ONLY - Messages that have only HTML part
MISSING_MID - Message id is missing
MISSING_MIMEOLE - Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)
MISSING_SUBJECT - Subject is missing inside message
MISSING_TO - To header is missing
OB_SURBL_MULTI - Outblaze URI Blacklist
ONCE_RECEIVED - One received header in a message
ONCE_RECEIVED_STRICT - One received header with 'bad' patterns inside
PHISHING - Phished mail
PH_SURBL_MULTI - Phishing and malware sites
RAMBLER_EMAILBL - rambler.ru emailbl
RAMBLER_URIBL - rambler.ru uribl
RATWARE_MS_HASH - Forged Exchange messages
R_BAD_CTE_7BIT - Detects bad content-transfer-encoding for text parts
RBL_MAILSPIKE - From address is listed in mailspike.com BL
RBL_SENDERSCORE - From address is listed in senderscore.com BL
RBL_SORBS
RBL_SORBS_BLOCK - Dynamic IP Address ranges (NOT a Dial Up list!)
RBL_SORBS_DUL - List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)
RBL_SORBS_HTTP - From address is listed in SORBS RBL
RBL_SORBS_MISC - List of Open SOCKS Proxy Servers.
RBL_SORBS_RECENT - List of Open SMTP relay servers.
RBL_SORBS_SMTP - List of open Proxy Servers not listed in the SOCKS or HTTP lists.
RBL_SORBS_SOCKS - List of Open HTTP Proxy Servers.
RBL_SORBS_WEB - List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net).
RBL_SORBS_ZOMBIE - List of hosts demanding that they never be tested by SORBS.
RCVD_DOUBLE_IP_SPAM - Two received headers with ip addresses
RCVD_ILLEGAL_CHARS - Header Received has raw illegal character
R_DKIM_ALLOW - DKIM verification succeed
R_DKIM_REJECT - DKIM verification failed
R_DKIM_TEMPFAIL - SPF verification soft-failed
R_EMPTY_IMAGE - Message contains empty parts and image
REPLYTO_EXCESS_BASE64 - Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit
REPLYTO_EXCESS_QP - Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit
REPTO_QUOTE_YAHOO - Quoted reply-to from yahoo (seems to be forged)
R_FLASH_REDIR_IMGSHACK - Flash redirect on imageshack.us
R_IP_PBL - IP in received headers is in PBL
R_LOTTO - Lotto signatures
R_MISSING_CHARSET - Charset is missing in a message
R_MIXED_CHARSET - Mixed characters in a message
R_NO_SPACE_IN_FROM - No space in from header
R_PARTS_DIFFER - Text and HTML parts differ
R_RCVD_SPAMBOTS - Spambots signatures in received headers
R_SAJDING - Subject seems to be spam
R_SPF_ALLOW - SPF verification alowed
R_SPF_FAIL - SPF verification failed
R_SPF_SOFTFAIL - SPF verification soft-failed
R_TO_SEEMS_AUTO - To header seems to be autogenerated
R_UNDISC_RCPT - Recipients are absent or undisclosed
R_WHITE_ON_WHITE - White color on white background in HTML messages
SC_SURBL_MULTI - SpamCop web sites
SORTED_RECIPS - Recipients list seems to be sorted
STOX_REPLY_TYPE - Reply-type in content-type
SUBJECT_NEEDS_ENCODING - Subject needs encoding
SUSPICIOUS_BOUNDARY2 - Suspicious boundary in header Content-Type
SUSPICIOUS_BOUNDARY3 - Suspicious boundary in header Content-Type
SUSPICIOUS_BOUNDARY4 - Suspicious boundary in header Content-Type
SUSPICIOUS_BOUNDARY - Suspicious boundary in header Content-Type
SUSPICIOUS_OPERA_10W_MSGID - Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail
SUSPICIOUS_RECIPS - Recipients seems to be autogenerated (works if recipients count is more than 5)
TO_EXCESS_BASE64 - To that contains encoded characters while base 64 is not needed as all symbols are 7bit
TO_EXCESS_QP - To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit
TRACKER_ID - Spam string at the end of message to make statistics faults 0
URIBL_BLACK - uribl.com black url
URIBL_GREY - uribl.com grey url
URIBL_RED - uribl.com red url
WS_SURBL_MULTI - sa-blacklist web sites



Following block of supposedly rspamd symbols has been extracted from https://wiki.fiat-tux.fr/books/administration-systèmes/page/rspamd and the descriptions has been machine translated using https://www.deepl.com/translator (may be inaccurate):
ARC_REJECT: is the ARC signature valid?ARC_SIGNED: does an ARC signature exist?
ASN: IP score in relation to the ASN to which it belongs. Rspamd provides statistics on IP addresses, subnets, ASNs and countries.
BAYES_SPAM: Bayesian mail analysis
CTYPE_MIXED_BOGUS: multipart/mixed mails without non-textual part
DKIM_SIGNED: message has a DKIM signature (without prejudging its validity)
DKIM_TRACE: something with DKIM, for sure, but I don't know what exactly
DMARC_POLICY_SOFTFAIL: DMARC check failed
FORGED_RECIPIENTS: recipients are not the same as RCPT TO mail command
FORGED_RECIPIENTS_MAILLIST : the recipients are not the same as the RCPT TO mail command, but the message comes from a mailing list
FORGED_SENDER : the Sender header is forged (difference between From header and MAIL FROM header)
FORGED_SENDER_MAILLIST: the Sender header is forged (difference between the From and MAIL FROM headers) but the message comes from a mailing list
FROM_NEQ_ENVFROM: the From address is different from the envelope address
FROM_NO_DN: From header has no display name
HAS_LIST_UNSUB: has List-Unsubscribe header
HAS_REPLYTO: does the mail have a Reply-To header?
LOCAL_WL_IP : check local whitelist
MAILLIST : the mail seems to come from a mailing list
MID_RHS_MATCH_FROM : can the From address be found in the Message-ID?
MID_RHS_NOT_FQDN : the Message-ID does not contain a fully qualified domain name (fqdn).
MIME_GOOD : known content type
MIME_HTML_ONLY : no text version of the HTML message
MIME_TRACE : something to do with MIME types, but I don't know what exactly
MV_CASE : the MIME-Version header is not case-sensitive (e.g. Mime-Version)
ONCE_RECEIVED: there's only one Received header, which may indicate a compromised machine (according to the rspamd doc)
PRECEDENCE_BULK: mass mailings
RCPT_COUNT_ONE: a single recipient
RCVD_COUNT_THREE: mail has between 3 and 5 Received headers (has passed through 3/4/5 different servers)
RCVD_IN_DNSWL_FAIL: test failure [[https://www.dnswl.org]] (a white list of IP addresses)
RCVD_TLS_LAST: the last server (last hop) uses secure transport
R_DKIM_ALLOW : DKIM correct
RECEIVED_SPAMHAUS_FAIL: a priori blacklisted at Spamhaus (an RBL)
R_EMPTY_IMAGE : message contains empty text and an image
REPLYTO_DN_EQ_FROM_DN: is the display name of the Reply-To header the same as that of the From header?
REPLYTO_DOM_NEQ_FROM_DOM: Reply-To domain does not match that of From
R_SPF_ALLOW : SPF record respected
TO_DN_NONE : none of the recipients have display names
TO_DOM_EQ_FROM_DOM : To domain is the same as From domain




Unknown source (carlos rspamd):
ABUSE_SURBL - SURBL: ABUSE
BAYES_HAM - Message probably ham, probability:
BAYES_SPAM - Message probably spam, probability:
CRACKED_SURBL - SURBL: cracked site
DBL_ABUSE_BOTNET - DBL uribl abused legit botnet C&C
DBL_ABUSE - DBL uribl abused legit spam
DBL_ABUSE_MALWARE - DBL uribl abused legit malware
DBL_ABUSE_PHISH - DBL uribl abused legit phish
DBL_ABUSE_REDIR - DBL uribl abused spammed redirector domain
DBL_BOTNET - DBL uribl botnet C&C domain
DBL - DBL unknown result
DBL_MALWARE - DBL uribl malware
DBL_PHISH - DBL uribl phishing
DBL_PROHIBIT - DBL uribl IP queries prohibited!
DBL_SPAM - DBL uribl spam
DISPOSABLE_CC - To a disposable e-mail address
DISPOSABLE_ENVFROM - Envelope From is a Disposable e-mail address
DISPOSABLE_ENVRCPT - Envelope Recipient is a Disposable e-mail address
DISPOSABLE_FROM - From a Disposable e-mail address
DISPOSABLE_REPLYTO - Reply-To a disposable e-mail address
DISPOSABLE_TO - To a disposable e-mail address
DMARC_POLICY_ALLOW - DMARC permit policy
DMARC_POLICY_ALLOW_WITH_FAILURES - DMARC permit policy with DKIM/SPF failure
DMARC_POLICY_QUARANTINE - DMARC quarantine policy
DMARC_POLICY_REJECT - DMARC reject policy
DMARC_POLICY_SOFTFAIL - DMARC failed
DNSWL_BLOCKED - Resolver blocked due to excessive queries
FORGED_MUA_MAILLIST - Avoid false positives for FORGED_MUA_* in maillist
FORGED_RECIPIENTS_MAILLIST - Recipients are not the same as RCPT TO: mail command, but a message from a maillist
FORGED_RECIPIENTS - Recipients are not the same as RCPT TO: mail command
FORGED_SENDER_MAILLIST - Sender is not the same as MAIL FROM: envelope, but a message is from a maillist
FORGED_SENDER - Sender is forged (different From: header and smtp MAIL FROM: addresses)
FREEMAIL_CC - To is a Freemail address
FREEMAIL_ENVFROM - Envelope From is a Freemail address
FREEMAIL_ENVRCPT - Envelope Recipient is a Freemail address
FREEMAIL_FROM - From is a Freemail address
FREEMAIL_REPLYTO - Reply-To is a Freemail address
FREEMAIL_TO - To is a Freemail address
FUZZY_DENIED - Denied fuzzy hash
FUZZY_LC_DENIED - Denied local fuzzy hash
FUZZY_LC_UNKNOWN - Generic local fuzzy hash match
FUZZY_PROB - Probable fuzzy hash
FUZZY_UNKNOWN - Generic fuzzy hash match
FUZZY_WHITE - Whitelisted fuzzy hash
HACKED_WP_PHISHING - Phishing message from hacked wordpress
HFILTER_FROM_BOUNCE - Bounce message
HFILTER_FROMHOST_NORES_A_OR_MX - FROM host no resolve to A or MX
HFILTER_FROMHOST_NORESOLVE_MX - MX found in FROM host and no resolve
HFILTER_FROMHOST_NOT_FQDN - FROM host not FQDN
HFILTER_HELO_1 - Helo host checks (very low)
HFILTER_HELO_2 - Helo host checks (low)
HFILTER_HELO_3 - Helo host checks (medium)
HFILTER_HELO_4 - Helo host checks (hard)
HFILTER_HELO_5 - Helo host checks (very hard)
HFILTER_HELO_BADIP - Helo host is very bad ip
HFILTER_HELO_BAREIP - Helo host is bare ip
HFILTER_HELO_IP_A - Helo A IP != hostname IP
HFILTER_HELO_NORES_A_OR_MX - Helo no resolve to A or MX
HFILTER_HELO_NORESOLVE_MX - MX found in Helo and no resolve
HFILTER_HELO_NOT_FQDN - Helo not FQDN
HFILTER_HOSTNAME_1 - Hostname checks (very low)
HFILTER_HOSTNAME_2 - Hostname checks (low)
HFILTER_HOSTNAME_3 - Hostname checks (medium)
HFILTER_HOSTNAME_4 - Hostname checks (hard)
HFILTER_HOSTNAME_5 - Hostname checks (very hard)
HFILTER_HOSTNAME_UNKNOWN - Unknown hostname (no PTR or no resolve PTR to hostname)
HFILTER_RCPT_BOUNCEMOREONE - Message from bounce and over 1 recipient
HFILTER_URL_ONELINE - One line URL and text in body
HFILTER_URL_ONLY - URL only in body
LOCAL_BL_FROM - Local from blacklist
LOCAL_BL_IP - Local ip blacklist
LOCAL_BL_IP - Sender ip listed in local ip blacklist
LOCAL_WL_FROM - Local from whitelist
LOCAL_WL_RCPT - Local rcpt whitelist
MAILLIST - Message seems to be from maillist
MAILSPIKE - Unrecognised result from Mailspike
MANY_INVISIBLE_PARTS - Many parts are visually hidden. Reached if more than 10 elements are hidden
MIME_ARCHIVE_IN_ARCHIVE - Archive within another archive
MIME_BAD_ATTACHMENT - Invalid attachment mime type
MIME_BAD_EXTENSION - Bad extension
MIME_BAD - Known bad content-type
MIME_DOUBLE_BAD_EXTENSION - Bad extension cloaking
MIME_ENCRYPTED_ARCHIVE - Encrypted archive in a message
MIME_GOOD - Known content-type
MIME_UNKNOWN - Missing or unknown content-type
MSBL_EBL - MSBL emailbl
MW_SURBL_MULTI - SURBL: Malware sites
ONCE_RECEIVED - One received header in a message
ONCE_RECEIVED_STRICT - One received header with 'bad' patterns inside
PHISHED_OPENPHISH - Phished URL found in openphish.com
PHISHED_PHISHTANK - Phished URL found in phishtank.com
PHISHING - Phished URL
PH_SURBL_MULTI - SURBL: Phishing sites
RAMBLER_EMAILBL - Rambler emailbl
RAMBLER_URIBL - Rambler uribl
RBL_ABUSECH - From address is listed in ABUSE.CH BL
RBL_MAILSPIKE_BAD - From address is listed in RBL - bad reputation
RBL_MAILSPIKE_VERYBAD - From address is listed in RBL - very bad reputation
RBL_MAILSPIKE_WORST - From address is listed in RBL - worst possible reputation
RBL_SARBL_BAD - A domain listed in the mail is blacklisted in SARBL
RBL_SEM - Address is listed in Spameatingmonkey RBL
RBL_SEM_IPV6 - Address is listed in Spameatingmonkey RBL (ipv6)
RBL_SENDERSCORE - From address is listed in senderscore.com BL
RBL_SPAMHAUS_CSS - From address is listed in zen css
RBL_SPAMHAUS_DROP - From address is listed in zen drop bl
RBL_SPAMHAUS_PBL - From address is listed in zen pbl (ISP list)
RBL_SPAMHAUS_SBL - From address is listed in zen sbl
RBL_SPAMHAUS - Unrecognised result from Spamhaus zen
RBL_SPAMHAUS_XBL_ANY - From or receive address is listed in zen xbl (any list)
RBL_SPAMHAUS_XBL - From address is listed in zen xbl
RCVD_IN_DNSWL_HI - Sender listed at http://www.dnswl.org, high trust
RCVD_IN_DNSWL_LOW - Sender listed at http://www.dnswl.org, low trust
RCVD_IN_DNSWL_MED - Sender listed at http://www.dnswl.org, medium trust
RCVD_IN_DNSWL_NONE - Sender listed at http://www.dnswl.org, low none
RCVD_IN_DNSWL - Unrecognised result from dnswl.org
R_DKIM_ALLOW - DKIM verification succeed
R_DKIM_REJECT - DKIM verification failed
R_DKIM_TEMPFAIL - DKIM verification soft-failed
RDNS_NONE - Cannot resolve reverse DNS for sender's IP
RECEIVED_SPAMHAUS_XBL - Received address is listed in zen xbl
R_MIXED_CHARSET - Mixed characters in a message
R_MIXED_CHARSET_URL - Mixed characters in a URL inside message
R_SPF_ALLOW - SPF verification allows sending
R_SPF_DNSFAIL - SPF DNS failure
R_SPF_FAIL - SPF verification failed
R_SPF_NEUTRAL - SPF policy is neutral
R_SPF_SOFTFAIL - SPF verification soft-failed
R_WHITE_ON_WHITE - Message contains low contrast text
RWL_MAILSPIKE_EXCELLENT - From address is listed in RWL - excellent reputation
RWL_MAILSPIKE_GOOD - From address is listed in RWL - good reputation
RWL_MAILSPIKE_NEUTRAL - Neutral result from Mailspike
RWL_MAILSPIKE_POSSIBLE - From address is listed in RWL - possibly legit
RWL_MAILSPIKE_VERYGOOD - From address is listed in RWL - very good reputation
SBL_URIBL - SBL URIBL: Filtered result
SEM_URIBL_FRESH15 - Spameatingmonkey uribl. Domains registered in the last 15 days (.AERO,.BIZ,.COM,.INFO,.NAME,.NET,.PRO,.SK,.TEL,.U S)
SEM_URIBL_FRESH15_UNKNOWN - Spameatingmonkey Fresh15 uribl: unknown result
SEM_URIBL - Spameatingmonkey uribl
SEM_URIBL_UNKNOWN - Spameatingmonkey uribl: unknown result
SURBL_BLOCKED - SURBL: blocked by policy/overusage
URIBL_BLACK - uribl.com black url
URIBL_BLOCKED - uribl.com: query refused
URIBL_GREY - uribl.com grey url
URIBL_MULTI - uribl.com: unrecognised result
URIBL_RED - uribl.com red url
URIBL_SBL_CSS - Spamhaus SBL CSS URIBL
URIBL_SBL - Spamhaus SBL URIBL
ZERO_FONT - Zero sized font used. Reached if more than 5 elements have zero size




source https://github.com/rspamd/rspamd/blob/0c533d20e6c22426ad8015f6568f373d9c8a5519/rules/misc.lua#L337-L354
BOGUS_ENCRYPTED_AND_TEXT - Bogus mix of encrypted and text/html payloads
DATE_IN_FUTURE - Message date is in future
DATE_IN_PAST - Message date is in past
EMAIL_PLUS_ALIASES - Removes plus aliases from the email
ENCRYPTED_PGP - Message is encrypted with pgp
ENCRYPTED_SMIME - Message is encrypted with smime
ENVFROM_PRVS - Envelope From is a PRVS address that matches the From address
ENVFROM_VERP - Envelope From is a VERP address
FREEMAIL_REPLYTO_NEQ_FROM_DOM - Freemail From and Reply-To, but to different Freemail services
FROM_NEQ_DISPLAY_NAME - Display name contains an email address different to the From address
INFO_TO_INFO_LU - info@ From/To address with List-Unsubscribe headers
INVALID_DATE - Malformed date header
MISSING_DATE - Message date is missing
OMOGRAPH_URL - Url contains both latin and non-latin characters
R_BAD_CTE_7BIT - Detects bad content-transfer-encoding for text parts
RCVD_HELO_USER - HELO User spam pattern
RCVD_NO_TLS_LAST - Last hop did not use encrypted transports
RCVD_TLS_ALL - All hops used encrypted transports
RCVD_TLS_LAST - Last hop used encrypted transports
RCVD_VIA_SMTP_AUTH - Authenticated hand-off was seen in Received headers
R_PARTS_DIFFER - Text and HTML parts differ
R_SUSPICIOUS_URL - Obfuscated or suspicious URL has been found in a message
SIGNED_PGP - Message is signed with pgp
SIGNED_SMIME - Message is signed with smime
SPOOF_DISPLAY_NAME - Display name is being used to spoof and trick the recipient
SPOOF_REPLYTO - Reply-To is being used to spoof and trick the recipient to send an off-domain reply
TAGGED_FROM - SMTP from has plus tags
TAGGED_RCPT - SMTP recipients have plus tags
URI_COUNT_ODD - Odd number of URIs in multipart/alternative message
URL_IN_SUBJECT - URL found in Subject
ZERO_WIDTH_SPACE_URL - Zero width space in url



source: https://fossies.org/linux/rspamd/conf/composites.conf
FORGED_SENDER_FORWARDING - Forged sender, but message is forwarded
AUTH_NA - Authenticating message via SPF/DKIM/DMARC/ARC not available
AUTH_NA_OR_FAIL - No authenticating method SPF/DKIM/DMARC/ARC was successful
APPLE_MAILER_COMMON - Message was sent by 'Apple Mail' and has common symbols in place
APPLE_IOS_MAILER_COMMON - Message was sent by 'Apple iOS Mail' and has common symbols in place
HACKED_WP_PHISHING - Phish message sent by hacked Wordpress instance
COMPROMISED_ACCT_BULK - Likely to be from a compromised account
UNDISC_RCPTS_BULK - Missing or undisclosed recipients with a bulk signature
RCVD_UNAUTH_PBL - Relayed through Spamhaus PBL IP without sufficient authentication (possibly indicating an open relay)
RCVD_DKIM_ARC_DNSWL_MED - Sufficiently DKIM/ARC signed and received from IP with medium trust at DNSWL
RCVD_DKIM_ARC_DNSWL_HI - Sufficiently DKIM/ARC signed and received from IP with high trust at DNSWL
AUTOGEN_PHP_SPAMMY - Message was generated by PHP script and contains some spam indicators
PHISH_EMOTION - Phish message with subject trying to address users emotion
HAS_ANON_DOMAIN - Contains one or more domains trying to disguise owner/destination
BAD_REP_POLICIES - Contains valid policies but are also marked by fuzzy/bayes/SURBL/RBL
BROKEN_HEADERS_MAILLIST - Negate BROKEN_HEADERS when message comes via some mailing list
LEAKED_PASSWORD_SCAM - Contains BTC wallet address and scam patterns
FREEMAIL_AFF - Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses
REDIRECTOR_URL_ONLY - Message only contains a redirector URL
THREAD_HIJACKING_FROM_INJECTOR - Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking
SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE - Message contains redirector, anonymous or IPFS gateway URL and is marked by fuzzy/bayes/SURBL/RBL



Others:
RBL_NIXSPAM - Blacklist has over 500,000 entries added per day once spam is detected. The spam filters are incredibly fast and accurate. If that IP Address does not send anymore spam for 12 hours, the entry is removed
BAD_REP_POLICIES - https://rspamd.com/doc/modules/reputation.html ;