| AREA TESTED | LOCALE | DESCRIPTION OF TEST | TEST NAME | DEFAULT SCORES (local, net, with bayes, with bayes+net) |
|---|---|---|---|---|
| header | | Message-Id indicates a non-spam MUA (Pine) | USER_AGENT_PINE | -5.801 -5.801 -5.701 -5.701 |
| header | | User-Agent header indicates a non-spam MUA (Mozilla) | USER_AGENT_MOZILLA_UA | -5.801 -5.800 -5.701 -6.300 |
| header | | X-Mailer header indicates a non-spam MUA (Netscape) | USER_AGENT_MOZILLA_XM | 0.001 |
| header | | User-Agent header indicates a non-spam MUA (Outlook Express) | USER_AGENT_MACOE | 0.001 |
| header | | User-Agent header indicates a non-spam MUA (Entourage) | USER_AGENT_ENTOURAGE | 0.001 |
| header | | User-Agent header indicates a non-spam MUA (KMail) | USER_AGENT_KMAIL | -5.800 -5.801 -6.300 -6.400 |
| header | | User-Agent header indicates a non-spam MUA (IMP) | USER_AGENT_IMP | 0.001 |
| header | | X-Mailer header indicates a non-spam MUA (T-Offline) | USER_AGENT_TONLINE | -2.900 |
| header | | X-Mailer header indicates a non-spam MUA (Apple Mail) | USER_AGENT_APPLEMAIL | 0.001 |
| header | | User-Agent header indicates a non-spam MUA (Gnus) | USER_AGENT_GNUS_UA | -6.400 -6.300 -2.900 -6.300 |
| header | | X-Mailer header indicates a non-spam MUA (Gnus) | USER_AGENT_GNUS_XM | -1.897 -1.997 -1.240 -1.808 |
| header | | X-Mailer header indicates a non-spam MUA (VM) | USER_AGENT_VM | -5.801 -5.701 -5.701 -5.701 |
| header | | X-Mailer header indicates a non-spam MUA (Forte) | USER_AGENT_FORTE | -2.900 |
| body | | Generic Test for Unsolicited Bulk Email | GTUBE | 1000 |
| full | | Listed in Razor1, see http://razor.sf.net/ | RAZOR_CHECK | 1 |
| full | | Listed in Razor2, see http://razor.sf.net/ | RAZOR2_CHECK | 0 2.029 0 0.787 |
| body | | Razor2 gives a spam confidence level between 1 and 10 | RAZOR2_CF_RANGE_01_10 | 0.001 |
| body | | Razor2 gives a spam confidence level between 11 and 20 | RAZOR2_CF_RANGE_11_20 | 0.001 |
| body | | Razor2 gives a spam confidence level between 21 and 30 | RAZOR2_CF_RANGE_21_30 | 0.001 |
| body | | Razor2 gives a spam confidence level between 31 and 40 | RAZOR2_CF_RANGE_31_40 | 0.001 |
| body | | Razor2 gives a spam confidence level between 41 and 50 | RAZOR2_CF_RANGE_41_50 | 0.001 |
| body | | Razor2 gives a spam confidence level between 51 and 60 | RAZOR2_CF_RANGE_51_60 | 0.001 |
| body | | Razor2 gives a spam confidence level between 61 and 70 | RAZOR2_CF_RANGE_61_70 | 0.001 |
| body | | Razor2 gives a spam confidence level between 71 and 80 | RAZOR2_CF_RANGE_71_80 | 0.001 |
| body | | Razor2 gives a spam confidence level between 81 and 90 | RAZOR2_CF_RANGE_81_90 | 0.001 |
| body | | Razor2 gives a spam confidence level between 91 and 100 | RAZOR2_CF_RANGE_91_100 | 0.001 |
| full | | Listed in DCC, see http://rhyolite.com/anti-spam/dcc/ | DCC_CHECK | 0 3.126 0 2.756 |
| full | | Listed in Pyzor, see http://pyzor.sf.net/ | PYZOR_CHECK | 0 4.400 0 1.248 |
| body | | List removal information | REMOVE_IN_QUOTES | 0.185 0.366 0.166 0.604 |
| body | | Click-to-remove with mailto: found beforehand | CLICK_TO_REMOVE_2 | 0.802 0.140 0.909 0.133 |
| rawbody | | Contains an ASCII-formatted form | ASCII_FORM_ENTRY | 0.001 |
| body | | Incorporates a tracking ID number | TRACKER_ID | 2.560 4.295 3.249 4.295 |
| body | | RAND found, spammer forgot to run the random-ID generator | MARKUP_RAND | 2.900 |
| body | | SSPL found, spammer forgot to run the random-ID generator | MARKUP_SSPL | 0.001 |
| body | | Contains a large block of hexadecimal code | LARGE_HEX | 0.884 0.424 0.811 0.521 |
| body | | A WHOLE LINE OF YELLING DETECTED | LINES_OF_YELLING | 0.001 |
| body | | 2 WHOLE LINES OF YELLING DETECTED | LINES_OF_YELLING_2 | 0.001 |
| body | | 3 WHOLE LINES OF YELLING DETECTED | LINES_OF_YELLING_3 | 0.001 |
| body | | Weird repeated double-quotation marks in body | WEIRD_QUOTING | 0.426 2.275 0.642 2.308 |
| rawbody | | Message text disguised using base-64 encoding | BASE64_ENC_TEXT | 2.685 1.735 1.857 1.738 |
| rawbody | | Excessive quoted-printable encoding in body | MIME_EXCESSIVE_QP | 0.001 |
| rawbody | | Message text in HTML without specified charset | MIME_HTML_NO_CHARSET | 0.001 |
| rawbody | | Quoted-printable line longer than 76 characters | MIME_LONG_LINE_QP | 0.001 |
| rawbody | | MIME section missing boundary | MIME_MISSING_BOUNDARY | 0.001 |
| rawbody | | Message includes Microsoft executable program | MICROSOFT_EXECUTABLE | 0.100 |
| rawbody | | MIME filename does not match content | MIME_SUSPECT_NAME | 0.100 |
| body | | Character set indicates a foreign language | CHARSET_FARAWAY | 3.200 |
| body | | Written in an undesired language | UNDESIRED_LANGUAGE_BODY | 3.970 |
| body | | Body includes 8 consecutive 8-bit characters | BODY_8BITS | 1.500 |
| rawbody | | Deficient quoted-printable encoding in body | MIME_DEFICIENT_QP | 2.098 1.927 1.262 2.696 |
| header | | Uses the Habeas warrant mark (http://www.habeas.com/) | HABEAS_SWE | -6.400 -6.300 -6.300 -6.300 |
| header | | Message from eBay | GENUINE_EBAY_RCVD | -2.600 -2.900 -1.401 -2.900 |
| header | | Has an Approved-By moderated list header | APPROVED_BY | -1.434 -0.534 -0.344 -0.275 |
| header | | Looks like a Bugzilla bug | BUGZILLA_BUG | -6.400 -6.300 -2.900 -6.300 |
| header | | Looks like a Debian BTS bug | DEBIAN_BTS_BUG | 0.001 |
| header | | From Majordomo | MAJORDOMO | 0.001 |
| header | | Has a valid-looking References header | REFERENCES | -6.600 -6.600 -6.500 -6.500 |
| header | | Has a X-Cron-Env header | CRON_ENV | -6.400 -6.300 -5.701 -5.701 |
| header | | Has a In-Reply-To header | IN_REP_TO | -3.300 -3.301 -0.600 -3.201 |
| header | | Has a X-Authentication-Warning header | X_AUTH_WARNING | -1.008 -1.513 -0.137 -1.409 |
| header | | Has a X-Mailing-List header | X_MAILING_LIST | -0.001 -0.001 -0.001 -3.101 |
| header | | Has a X-Loop header | X_LOOP | 0.001 |
| header | | Has a X-Accept-Language header | X_ACCEPT_LANG | 0.001 |
| header | | Has a Resent-To header | RESENT_TO | 0.001 |
| header | | Email came from some known mailing list software | KNOWN_MAILING_LIST | -0.600 -0.912 -0.017 -0.601 |
| body | | Came from MSN Communities | MSN_GROUPS | 0.001 |
| header | | Subject is an eBay question | Q_FOR_SELLER | -1.124 -0.176 -1.643 -2.275 |
| header | | Subject contains newsletter header (in review) | SUBJECT_IS_IN_REVIEW | 0.001 |
| header | | Appears to be from yahoo groups | FROM_EGROUPS | -0.614 -3.100 -0.600 -0.600 |
| header | | 'Message-Id' was added by yahoo.com, that's OK | YAHOO_MSGID_ADDED | 0.001 |
| body | | Common footer for Hotmail | HOTMAIL_FOOTER1 | 0.001 |
| body | | Common footer for Hotmail | HOTMAIL_FOOTER2 | 0.001 |
| body | | Common footer for Hotmail | HOTMAIL_FOOTER3 | 0.001 |
| body | | Common footer for Hotmail | HOTMAIL_FOOTER5 | 0.001 |
| body | | Common footer for MSN | MSN_FOOTER1 | 0.001 |
| body | | Yahoo! Groups message | GROUPS_YAHOO_1 | -5.801 |
| full | | Short signature present (no empty lines) | SIGNATURE_SHORT_DENSE | 0.001 |
| full | | Short signature present (empty lines) | SIGNATURE_SHORT_SPARSE | 0.001 |
| full | | Long signature present (no empty lines) | SIGNATURE_LONG_DENSE | -6.400 -6.300 -6.300 -6.300 |
| full | | Long signature present (empty lines) | SIGNATURE_LONG_SPARSE | -5.801 -5.801 -3.101 -5.801 |
| body | | A MailMan confirm-your-address message | MAILMAN_CONFIRM | 0.001 |
| header | | Contains a PGP-signed message (signature attached) | PGP_SIGNATURE_2 | -6.400 -6.300 -6.300 -6.300 |
| rawbody | | Contains what looks like a patch from diff -u | PATCH_UNIFIED_DIFF | -6.027 -6.027 -2.900 -6.300 |
| rawbody | | Contains what looks like a patch from diff -c | PATCH_CONTEXT_DIFF | 0.001 |
| body | | Contains what looks like an 'E-Mail Disclaimer' | DISCLAIMER_LEGALESE | 0.001 |
| body | | Contains what looks like an email attribution | EMAIL_ATTRIBUTION | -6.600 -6.500 -6.500 -6.500 |
| rawbody | | Contains what looks like a quoted email text | QUOTED_EMAIL_TEXT | -3.301 -3.201 -3.201 -3.201 |
| body | | Contains twice quoted reply | QUOTE_TWICE_1 | -0.600 -0.600 -0.601 -0.600 |
| body | | Contains a password retrieval system | FORGOTTEN_PASSWORD | -0.620 -0.981 -0.217 -0.563 |
| header | | Where are you working at? | HAS_ORGANIZATION | 0.001 |
| body | | Common footer for Hotmail | HOTMAIL_FOOTER4 | 0.001 |
| header | | From the Mailer-Daemon | MAILER_DAEMON | 0.001 |
| header | | Mailer daemon failure notice (1) | FAILURE_NOTICE_1 | 0.001 |
| body | | Mailer daemon failure notice (2) | FAILURE_NOTICE_2 | 0.001 |
| header | | Forwarded email | FWD_MSG | 0.001 |
| header | | Message-Id indicates the message was sent from MS Exchange | MSGID_GOOD_EXCHANGE | -5.801 -5.701 -5.701 -5.701 |
| header | | From: does not include a real name | NO_REAL_NAME | 0.888 0.732 0.887 0.991 |
| header | | From: ends in numbers | FROM_ENDS_IN_NUMS | 0.611 0.719 0.580 0.675 |
| header | | From: starts with nums | FROM_STARTS_WITH_NUMS | 0.001 |
| header | | From: contains numbers mixed in with letters | FROM_HAS_MIXED_NUMS | 0.001 |
| header | | Uses an address with lots of numbers, at a big ISP | ADDR_NUMS_AT_BIGSITE | 0.580 0.449 1.971 1.094 |
| header | | From address is "at something-offers" | FROM_OFFERS | 4.300 4.295 4.300 4.295 |
| header | | From: has no local-part before @ sign | FROM_NO_USER | 1.576 1.044 2.796 2.731 |
| header | | To: has no local-part before @ sign | TO_NO_USER | 2.796 2.796 2.696 2.124 |
| header | | To: address contains spaces | TO_HAS_SPACES | 0.001 |
| header | | To: is empty | TO_EMPTY | 2.280 2.596 2.596 2.497 |
| header | | Reply-To: is empty | REPLY_TO_EMPTY | 1.866 0.767 0.561 1.566 |
| header | | Reply-To: contains an underline and numbers/letters | REPLY_TO_HAS_UNDERLINE_NUMS | 0.745 0.500 1.744 0.001 |
| header | | To: repeats address as real name | TO_ADDRESS_EQ_REAL | 0.001 |
| header | | Valid-looking To "undisclosed-recipients" | UNDISC_RECIPS | 0.001 |
| header | | Faked To "Undisclosed-Recipients" | FAKED_UNDISC_RECIPS | 4.300 |
| header | | Subject has exclamation mark and question mark | PLING_QUERY | 0.001 |
| header | | Subject contains a unique ID | SUBJ_HAS_UNIQ_ID | 1.485 0.820 0.831 0.953 |
| header | | Subject contains lots of white space | SUBJ_HAS_SPACES | 2.425 2.026 1.101 2.329 |
| header | | Subject is all capitals | SUBJ_ALL_CAPS | 1.115 1.054 0.849 0.664 |
| header | | Message-Id has no @ sign | MSGID_HAS_NO_AT | 0.001 |
| header | | Message-Id generated by a spam tool | MSGID_SPAMSIGN_1 | 2.900 |
| header | | Message-Id generated by spam tool (zeroes variant) | MSGID_SPAMSIGN_ZEROES | 4.400 4.300 4.300 4.300 |
| header | | Message-Id generated by spam tool (6-letter variant) | MSGID_SPAMSIGN_6LETTER | 4.400 4.400 4.300 4.300 |
| header | | Message-Id generated by spam tool (4-zeroes variant) | MSGID_OE_SPAM_4ZERO | 1.558 3.255 4.300 4.300 |
| header | | Message-Id generated by spam tool (3-dollars variant) | MSGID_3_DOLLARS | 2.900 |
| header | | Message-Id generated by spam tool (4-num-dollar variant) | MSGID_4NUMS_DOLLAR | 2.900 |
| header | | Message-Id has characters indicating spam | MSGID_CHARS_SPAM | 0.275 0.439 0.691 0.399 |
| header | | Message-Id has no hostname | MSGID_NO_HOST | 2.793 2.900 0.730 1.908 |
| header | | Message-Id is fake (in Outlook Express format) | MSGID_OUTLOOK_TIME | 4.400 |
| header | | Invalid Date: header (not RFC 2822) | INVALID_DATE | 0.444 0.567 0.605 0.452 |
| header | | Invalid Date: header (timezone does not exist) | INVALID_DATE_TZ_ABSURD | 4.400 4.300 4.300 4.300 |
| header | | Invalid Date: year begins with zero | DATE_YEAR_ZERO_FIRST | 4.300 |
| header | | Date: is 3 to 6 hours before Received: date | DATE_IN_PAST_03_06 | 0.270 0.271 0.364 0.348 |
| header | | Date: is 6 to 12 hours before Received: date | DATE_IN_PAST_06_12 | 0.728 0.474 0.313 0.141 |
| header | | Date: is 12 to 24 hours before Received: date | DATE_IN_PAST_12_24 | 0.001 |
| header | | Date: is 24 to 48 hours before Received: date | DATE_IN_PAST_24_48 | 0.001 |
| header | | Date: is 48 to 96 hours before Received: date | DATE_IN_PAST_48_96 | 0.001 |
| header | | Date: is 96 hours or more before Received: date | DATE_IN_PAST_96_XX | 1.270 1.966 2.108 0.830 |
| header | | Date: is 3 to 6 hours after Received: date | DATE_IN_FUTURE_03_06 | 2.370 0.870 1.525 1.519 |
| header | | Date: is 6 to 12 hours after Received: date | DATE_IN_FUTURE_06_12 | 1.522 1.015 1.060 1.249 |
| header | | Date: is 12 to 24 hours after Received: date | DATE_IN_FUTURE_12_24 | 1.635 2.796 0.500 0.902 |
| header | | Date: is 24 to 48 hours after Received: date | DATE_IN_FUTURE_24_48 | 2.696 2.596 2.696 2.900 |
| header | | Date: is 48 to 96 hours after Received: date | DATE_IN_FUTURE_48_96 | 2.197 2.197 1.599 1.305 |
| header | | Date: is 96 hours or more after Received: date | DATE_IN_FUTURE_96_XX | 0.001 |
| header | | Subject: starts with advertising tag | ADVERT_CODE | 1.101 1.981 4.300 1.115 |
| header | | Subject: contains advertising tag | ADVERT_CODE2 | 2.144 2.453 1.101 1.410 |
| header | | Subject: contains Korean unsolicited email tag | KOREAN_UCE_SUBJECT | 4.300 |
| header | | | | |