| Tag | Part | Score | Description | Test |
| ACCEPT_CREDIT_CARDS | BODY | 1 | Accept Credit Cards | /\baccept.{1,15}credit card\b/i |
| ACT_NOW | BODY | 1 | Act Now! Don't Hesitate! | /\b(?:act.{0,4} now|do.{0.5} hesitate|start now)\b/i |
| ADDRESSES_ON_CD | BODY | 3.722 | Only thing addresses on CD are useful for is SPAM | /addresses on cd/i |
| ADVERT_CODE | Subject | 3.77 | Subject: contains advertising tag | /(^\s*|\s+)ADV:/i |
| ALL_CAPS_SUBJECT | EOH | 2.36 | SUBJECT: header found | /\nSUBJECT: /s |
| ALL_CAP_PORN | BODY | 1 | Possible porn - in ALL CAPS | /\b(?:ORGY|FUCKING|FETISH|WEBCAM|VOYEUR|ANAL|CUM)\b/ |
| ALL_NATURAL | BODY | 1.024 | Spam is 100% natural?! | /\b(?:100%|completely|totally|all) natural/i |
| AMAZING | BODY | 1.631 | Contains word 'AMAZING' in all-caps | /AMAZING/ |
| ANOTHER_NET_AD | BODY | 3 | Tells you it's an ad | /Another Internet Ad campaign produced/ |
| AOL_USERS_LINK | BODY | 0.9 | Includes a link for AOL users to click | /AOL\s+Users\s+Click/is |
| ASCII_FORM_ENTRY | RAWBODY | 1.55 | Contains an ASCII-formatted form | /[^<][A-Za-z][A-Za-z]+.{1,15}?[\x09\x20]*_{30,}/ |
| ASKS_BILLING_ADDRESS | BODY | 2.627 | Asks for a billing address | /\bbilling address\b/i |
| AS_SEEN_ON | BODY | 2.166 | As seen on national TV! | /seen on\b\s*(?:TV|ABC|NBC|CBS|CNN|Oprah|USA Today|48 Hours|New York Times|\w+\s+TV|:)/i |
| AUTO_EMAIL_REMOVAL | BODY | 3.044 | Claims auto-email removal | /Auto Email Removal/ |
| BAD_CREDIT | BODY | 1 | Eliminate Bad Credit | /\b(?:bad|poor|no|eliminate|repair|(?:re)establish|damag).{0,10} (?:credit|debt)\b/i |
| BAD_HELO_WARNING | EOH | 3.082 | Fake name used in SMTP HELO command | check_for_bad_helo() |
| BALANCE_FOR_LONG | EOB | -2 | Message text is over 500 lines long | check_for_very_long_text(500) |
| BASE64_ENC_TEXT | EOB | 1.441 | Message text disguised using base-64 encoding | check_for_base64_enc_text() |
| BE_AMAZED | BODY | 1.03 | Apparently, you'll be amazed | /\bbe amazed\b/i |
| BIG_FONT | RAWBODY | 2.085 | FONT Size +2 and up or 3 and up | /<\s*FONT\s[^>]*size\s*=(?:3D)?\s*['\"]?\s*(?:\+[23456789]|(?:[3456789]|\d{2,}))/is |
| BILLION_DOLLARS | BODY | 1.072 | Talks about lots of money | /[BM]ILLION DOLLAR/ |
| BILL_1618 | BODY | 4.827 | Claims compliance with senate bill 1618 | /Bill.{0,10}1618.{0,10}TITLE.{0,10}III/i |
| BRAND_NEW_PAGER | ? | 4.9 | No such thing as a free lunch | ? |
| BUGGY_CGI | BODY | 4.066 | Broken CGI script message | /Below is the result of your feedback form/ |
| BUGGY_CGI_DE | ? | 1 | ? | ? |
| BUGGY_CGI_ES_2 | BODY | 1 | Broken Spanish CGI script message (2) | /E-mail adicional do usuario. Enviado/i |
| BUGGY_CGI_PT | BODY | 4 | Broken Portuguese CGI script message | /Abaixo o resultado do preenchimento do Formulario/ |
| BUGGY_CGI_PT_2 | BODY | 1 | Broken Portuguese CGI script message (2) | /E-mail adicional do usuario. Enviado/i |
| BUGZILLA_BUG | Subject | -2 | Looks like a Bugzilla bug | /\[Bug \d+\]/ |
| BULK_EMAIL | BODY | 2.1 | Talks about bulk email | /bulk e-*mail/i |
| CALL_FREE | BODY | 1.052 | Contains a tollfree number | /(?:call|dial|toll free).{1,15}8(?:00|88|77|66|55|44|33|22)[\)\s-]*[\dA-Z]+[\s-]?[\dA-Z]+/i |
| CALL_NOW | BODY | 2.196 | Urges you to call now | /CALL NOW/i |
| CASHCASHCASH | BODY | 1.64 | Contains at least 3 dollar signs in a row | /\${3,}/ |
| CASINO | BODY | 2 | Contains "Casino" | /casino/i |
| CBYI | BODY | 2.66 | Contains "CBYI" | /CBYI/ |
| CHARSET_FARAWAY | EOB | 2 | Character set indicates a foreign language | check_for_faraway_charset() |
| CHARSET_FARAWAY_BODY | MIME | 2.1 | Character set indicates foreign language body | check_for_faraway_charset_in_body() |
| CHARSET_FARAWAY_HEADERS | EOH | 1.817 | A foreign language charset used in headers | check_for_faraway_charset_in_headers() |
| CHECK_OR_MONEY_ORDER | BODY | 3.358 | Talk about a check or money order | /check or money order/i |
| CLICKSFORMONEY_NET | URI | 1 | Frequent SPAM content | /clicksformoney\.net/i |
| CLICK_BELOW | BODY | 1.52 | Asks you to click below | /click (?:here|below)/is |
| CLICK_HERE_LINK | RAWBODY | 1.788 | Tells you to click on a URL | /click here.{0,100}<\/a>/is |
| CLICK_TO_REMOVE_2 | RAWBODY | 2.634 | Click-to-remove with mailto: found beforehand | /mailto:.{0,50}click.{0,50}remove/is |
| CLICK_TO_REMOVE_MAILTO | RAWBODY | 1 | Click-to-remove with mailto: found | /\bclick to.{0,30}remove.{0,50}mailto:/is |
| COMMUNIGATE | BODY | 4.95 | Communigate is SPAM software | /transferred with a trial version of CommuniGate/ |
| COPYRIGHT_CLAIMED | BODY | -1.568 | Contains a claim of copyright | /copyright.{0,100}all rights reserved/is |
| COPY_ACCURATELY | BODY | 0.933 | Common pyramid scheme phrase (1) | /copy.{1,10}name.{1,10}address.{1,10}ACCURATELY/i |
| COPY_DVDS | BODY | 2.746 | Containts 'Copy DVDs' | /copy.{1,20}dvd/i |
| CORRUPT_MSGID | Message-Id | 2.742 | 'Message-Id' contains bits of Received header | /\@Received: / |
| CTYPE_JUST_HTML | EOH | 3.154 | HTML-only mail, with no text version | check_for_content_type_just_html() |
| CYBER_FIRE_POWER | BODY | 3.5 | mentions Cyber FirePower!, a spam-tool | /(?:by|for) Cyber FirePower\!/ |
| DATE_IN_FUTURE | EOH | 2.318 | Date: Differs by more than 4 days from current date | check_for_forward_date() |
| DATE_MISSING | EOH | 0.248 | Missing Date: header | check_for_missing_headers('Date') |
| DATE_WARNING | Date-warning | 1 | Date-warning header exists | /./ |
| DCC_CHECK | FULL | 2 | Listed in DCC, see http://www.rhyolite.com/anti-spam/dcc/dcc-tree/dcc.html | check_dcc() |
| DEAR_FRIEND | BODY | 2.069 | How dear can you be if you don't know my name? | /Dear Friend/ |
| DEAR_SOMEBODY | BODY | 1 | Contains 'Dear Somebody' | /Dear [A-Z][a-z]+/ |
| DIFFERENT_REPLY_TO | EOH | 0.9 | Reply-To: massively different from From: or To: | check_for_spam_reply_to() |
| DIFF_C_PATCH | RAWBODY | -5 | Contains what looks like a patch from diff -c | /^\*\*\* \S+ \S\S\S \S\S\S .\d \d\d:\d\d:\d\d \d+$/ |
| DIRECT_EMAIL | BODY | 2.283 | Talks about direct email | /direct e-*mail\b/i |
| DOMAIN_BODY | BODY | 4.782 | Domain registration spam body | /\s(\.|dot\s+)(info|biz|name)\s/i |
| DOMAIN_SUBJECT | Subject | 0.586 | Subject: domain registration spam subject | /(\s(\.|dot\s+)(info|biz|name)|domain)\b.*(extension|info|regist(ry|ration|er)|submission)/i |
| DONT_DELETE | BODY | 0.916 | Don't delete me! Nooooo!!!! | /(?:don'?t delete this|do not delete)/i |
| EARN_PER_WEEK | BODY | 4.667 | Contains 'earn $something per week' | /(?:earn|make).{1,20}\d\d\d+.{1,30}(?:per week|per month|weekly|monthly)/i |
| EGP_HTML_BANNER | BODY | -6 | non-spam EGP banner found | /^<!-- \|\*\*\|begin egp html banner/ |
| EJACULATION | BODY | 3.454 | Increase your ejaculation! | /(?:increase|improve).{0,10}ejaculation/i |
| EMAIL_HARVEST | BODY | 1 | Email harvest leads to SPAM for thanksgiving | /email harvest/ |
| EMAIL_MARKETING | BODY | 0.715 | Talks about email marketing | /e-*mail marketing/i |
| EU_200_32_CE | BODY | 1 | Claims compliance with SPAM regulations | /Directive 200.32.CE/i |
| EU_EMAIL_OPTOUT | BODY | 1.82 | Claims compliance with SPAM regulations | /EU (?:e-?mail opt.?out|e.?commerce) directive/i |
| EVITE | BODY | -5 | Claw back some for evite | /evite.citysearch.com/ |
| EXCUSE_1 | BODY | 2.27 | Gives a lame excuse about why you were sent this SPAM | /(?:You (?:were sent|have received|are receiving)|You're receiving).{0,15}(?:message|e-?mail)s? because/i |
| EXCUSE_10 | BODY | 1 | "if you do not wish to receive any more" | /if you (?:(?:want|wish|care|prefer) not to |(?:don't|do not) (?:want|wish|care) to )(?:be contacted again|receive (any)?\s*(?:more|future|further) (?:e?-?mail|messages?|offers|solicitations))/i |
| EXCUSE_11 | BODY | 1.4 | Claims you were on a list | /you.{0,15}(?:name|mail).{0,15}(?:was|were).{0,15}list/i |
| EXCUSE_12 | BODY | 4 | Nobody's perfect | /this (?:e?-?mail|message) (?:(?:has )?reached|was sent to) you in error/i |
| EXCUSE_13 | BODY | 1.841 | Gives an excuse for why message was sent | /mail was sent to you because /i |
| EXCUSE_14 | BODY | 2 | Tells you how to stop further SPAM | /you (?:do not|no longer) wish to receive/i |
| EXCUSE_15 | BODY | 2.1 | Claims to be legitimate email | /this (?:|e?-?mail|message )(?:is|was) (?:not|never) (?:spam|(?:sent |)unsolicited)/i |
| EXCUSE_16 | BODY | 1.345 | I wonder how many emails they sent in error... | /received this.{1,10}in error/i |
| EXCUSE_17 | BODY | 2.608 | Suspect you might have received the message by mistake | /received.{0,15} by mistake/i |
| EXCUSE_18 | BODY | 1 | Claims not to be SPAM | /we do not (?:spam|send unsolicited)/i |
| EXCUSE_2 | BODY | 1.34 | Claims you actually asked for this SPAM | /If you did not opt.in/i |
| EXCUSE_3 | BODY | 2.747 | Claims you can be removed from the list | /to (?:be removed|be deleted|no longer receive th(?:is|ese) messages?) (?:from|send|reply|[e-]*mail)/i |
| EXCUSE_4 | BODY | 0.864 | Claims you can be removed from the list | /To Be Removed,? Please/i |
| EXCUSE_5 | BODY | 1.8 | Claims you can be removed from the list | /that your email address is removed/i |
| EXCUSE_6 | BODY | 1 | Claims you can be removed from the list | /(?:wish to|click to|To) remove yourself/i |
| EXCUSE_7 | BODY | 1.38 | Claims you can be removed from the list | /you (?:wish|want|would like|desire) to be removed/i |
| EXCUSE_8 | BODY | 4.4 | Claims you can be removed from the list | /requests to be taken off our mailing list/i |
| EXCUSE_9 | BODY | 1 | Claims you can be removed from the list | /If you do.{0,3}n.{0,3}t (?:want|wish|care) to receive emails (?:on this subject|in the future)/i |
| E_WEBHOSTCENTRAL_URL | URI | 1 | Frequent SPAM content | /e-webhostcentral\.com/i |
| FAKED_IP_IN_RCVD | Received | 1.101 | Received: contains a name with a faked IP-address | /from [-0-9a-z\._]+_\[\d+\.\d+\.\d+\.\d+\] /i |
| FAKED_UNDISC_RECIPS | To | 3.435 | Faked To "Undisclosed-Recipients" | /Undisclosed.*Recipient\S*@/i |
| FARM_PORN | BODY | 1.5 | Possible porn - Sex with Animals | /\b(?:farm|animal) .{0,9}(?:sex|fuck\S+|action)\b/i |
| FILTERED_BY_WORLDREMOVE | BODY | 2.12 | Claims to listen to some removal request list | /filtered by WorldRemove/ |
| FORGED_EUDORAMAIL_RCVD | EOH | 2.548 | Forged eudoramail.com 'Received:' header found | check_for_forged_eudoramail_received_headers() |
| FORGED_GW05_RCVD | EOH | 2.857 | Forged 'by gw05' 'Received:' header found | check_for_forged_gw05_received_headers() |
| FORGED_HOTMAIL_RCVD | EOH | 0.53 | Forged hotmail.com 'Received:' header found | check_for_forged_hotmail_received_headers() |
| FORGED_JUNO_RCVD | EOH | 2.027 | Forged juno.com 'Received:' header found | check_for_forged_juno_received_headers() |
| FORGED_RCVD_FOUND | EOH | 0.5 | Possibly-forged 'Received:' header found | /\nSubject:.*\nReceived: /s |
| FORGED_YAHOO_RCVD | EOH | 1.998 | Forged yahoo.com 'Received:' header found | check_for_forged_yahoo_received_headers() |
| FORM_W_MAILTO_ACTION | RAWBODY | 2.971 | Includes a form which will send an email | /action=[3D=\s"']*mailto:/is |
| FOR_FREE | BODY | 0.211 | No such thing as a free lunch (1) | /\bfor FREE\b/i |
| FOR_FREE2 | Subject | 1 | No such thing as a free lunch (in subject) | /(for|4|your|YOUR|absolutely) FREE/ |
| FOR_INSTANT_ACCESS | BODY | 2.554 | Instant Access button | /INSTANT ACCESS/i |
| FOR_JUST_SOME_AMT | BODY | 0.783 | Contains 'for only' some amount of cash | /for (?:just|only) \$?\d+\.?\d*[^\.]*!/i |
| FREEMEGS_URL | URI | 2.7 | Frequent SPAM content | /25freemegs\.com/i |
| FREEWEBCO_NET_URL | URI | 1 | Frequent SPAM content | /freewebco\.net/i |
| FREEWEBHOSTINGCENTRAL | URI | 1 | Frequent SPAM content | /freewebhostingcentral/i |
| FREE_CONSULTATION | BODY | 4.039 | Offers a free consultation | /FREE CONSULTATION/i |
| FREE_MONEY | BODY | 1.004 | Free money! | /\b(:?fast|free|easy|big)\s*(?:money|\$+|bucks|cash)/i |
| FREE_PRIORITY_MAIL | BODY | 2.749 | There's no such thing as a free shipping | /FREE.{0,10} PRIORITY MAIL SHIPPING/i |
| FREQ_SPAM_PHRASE | EOB | 0 | Contains phrases frequently found in spam | check_for_spam_phrases("10") |
| FRIEND_AT_PUBLIC | To | 3 | sent to you@you.com or similar | /(yourdomain|you|your|public).(com|org|net)/i |
| FROM_AND_TO_SAME | EOH | 0.877 | From and To the same address | check_for_from_to_equivalence() |
| FROM_BTAMAIL | From | 3.207 | From an address @btamail.net.cn | /\@btamail.net.cn/i |
| FROM_MALFORMED | From | 2.221 | From: has a malformed address | ! /(?:\"[^\"]+\"|\S+)\@\S+\.\S+|<\S+(\!\S+){1,}>/ |
| FROM_MISSING | EOH | 1.298 | Missing From: header | |
| FROM_NAME_EQ_FROM_ADDR | EOH | 2.391 | 'From:' address also used as sender's real name | check_from_name_eq_from_address() |
| FROM_NO_USER | From | 1.3 | From: has no local-part before @ sign | /(?:^\@|<\@| \@[^<]*$|<>)/ |
| FROM_STARTS_WITH_NUMS | From | 1.288 | From: starts with nums | /^\d\d/ |
| FROM_TOPICA | From | 1 | From an address @email-publisher.com | /\@(?:\w\.)*email-publisher.com/i |
| FROM_UGETMORE | From | 1 | From an address @ugetmore4less.net | /\@ugetmore4less.net/i |
| FRONTPAGE | RAWBODY | 4.775 | Frontpage used to create the message | /FrontPage.Editor/ |
| FULL_REFUND | BODY | 2.846 | Offers a full refund | /FULL REFUND/i |
| GAPPY_SUBJECT | Subject | 2.67 | 'Subject' contains G.a.p.p.y-T.e.x.t | /\b(?:[a-z][-_\.\,\:\;\'\~\s]{1,3}){4,}/i |
| GAPPY_TEXT | BODY | 2.5 | Contains 'G.a.p.p.y-T.e.x.t' | /\b(?:[a-z][-_\.\,\:\;\'\~\s]{1,3}){5,}/i |
| GENTLE_FEROCITY | BODY | 2.458 | Contains "Gentle Ferocity" | /Gentle Ferocity/i |
| GREAT_OFFER | BODY | 1.361 | Trying to offer you something | /(?:offer expires|see full offer for details|great offer)/i |
| GREEN_EXCUSE_1 | BODY | 3.8 | Claims SPAM helps the environment | /using email instead can significantly reduce this/i |
| GREEN_EXCUSE_2 | BODY | 3.4 | Claims SPAM helps the environment | /the trees, save the planet, use email!/i |
| GUARANTEE | BODY | 1.895 | Contains word 'guarantee' in all-caps | /GUARANTEE/ |
| HOME_EMPLOYMENT | BODY | 2.04 | Information on how to work at home (2) | /HOME.{0,10}(?: EMPLOYMENT|WORKER|BUSINESS)/i |
| HR_3113 | BODY | 1.28 | Mentions Spam law "H.R. 3113" | /H\.\s*R\.\s*3113/is |
| HTML_EMBEDS | RAWBODY | 0.265 | HTML with embedded plugin object | /<(?:object|embed)\s/i |
| HTML_WITH_BGCOLOR | RAWBODY | 1.2 | HTML mail with non-white background | /<body [^>]*bgcolor[=3d\"\'\\#]+[0-9a-e][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]/is |
| HTTP_CTRL_CHARS_HOST | URI | 1 | Uses control sequences inside a URL's hostname | /^https?\:\/\/[^\/]*[\x00-\x08\x0b\x0c\x0e-\x1f]/ |
| HTTP_ESCAPED_HOST | URI | 1 | Uses %-escapes inside a URL's hostname | /^https?\:\/\/[^\/]*%/ |
| HTTP_NUMBER_WORD | URI | 1 | URL contains spamhaus signature: numbered servers | /^https?:\/\/(?:zero|one|two|three|four|five|six|seven|eight|nine|ten|eleven|twelve|thirteen|fourteen|fifteen|sixteen|seventeen|eighteen|nineteen|twenty)\./i |
| HTTP_USERNAME_USED | URI | 1 | Uses a username in a URL | /^https?\:\/\/[^\s\/]+\@/is |
| HTTP_WITH_EMAIL_IN_URL | URI | 1 | 'remove' URL contains an email address | /^https?\:\/\/\S+=[-_\+a-z0-9\.]+\@[-_\+a-z0-9\.]+\.[-_\+a-z0-9]{2,3}(?:\&|\s)/ |
| ILLEGAL_CHARSET_SUBJECT | Subject | 2 | Subject: header that violates RFC2822 with non-ASCII | /[^\011\012\015\040-\176]/ |
| IMPOTENCE | BODY | 3.132 | Impotence cure | /(?:impotence (?:problem|cure|solution)|Premature Ejaculation|erectile dysfunction)/i |
| INCREASE_SALES | BODY | 2.93 | Offers increased sales | /INCREASE SALES/i |
| INCREASE_TRAFFIC | BODY | 2.744 | Instructions on how to boost traffic | /increase.{1,15} traffic\b/i |
| INTERNET_TERROR_RANT | BODY | 3.1 | Cyber FirePower! rant about losing dropboxes | /At the time of this mailing the return email address is a bonafide legitimate return email address that was signed up for with the express purpose.{0,30}internet terrorists\./si |
| INTL_EXEC_GUILD | BODY | 1.65 | Well known SPAM senders | /International Executive Guild/ |
| INVALID_DATE | Date | 1.514 | Invalid Date: header (has AM/PM) | / AM| PM/i |
| INVALID_DATE_NO_TZ | Date | 2 | Invalid Date: header (no timezone) | /^..., \d+ ... .... ..:..:..$/ |
| INVALID_DATE_ODD_MONTH | Date | 0.572 | Invalid Date: header (wierd month) | /\d+ [^A-Z]{3,} \d\d\d\d/i |
| INVALID_DATE_TZ_ABSURD | Date | 2.126 | Invalid Date: header (timezone does not exist) | /[-+](?:1[4-9]\d\d|[2-9]\d\d\d)$/ |
| INVALID_MSGID | Message-Id | 1.523 | Message-Id is not valid, according to RFC-2822 | ! /^<(?:\".+\"|[^\s]+)\@(?:\[.+\]|[^\s]+)>$/ |
| INVESTOR_SPEC_SHEET | BODY | 1.235 | Standard investment opportunity spam | /Investor Spec Sheet/i |
| IN_ACCORDANCE_WITH_LAWS | BODY | 2.595 | Claims to be in accordance with some Spam law | /has been sent in accordance with/ |
| IN_REP_TO | In-Reply-To | -4.431 | 'In-Reply-To' line found | /\S/ |
| ITS_EFFECTIVE | BODY | 1 | Something claims to be effective | /\bit's effective\b/i |
| JAVASCRIPT | RAWBODY | 1.712 | JavaScript code | /<SCRIPT/i |
| JAVASCRIPT_URI | URI | 1 | Javascript protocol in a URI | /^javascript:/i |
| JODY | BODY | 2.983 | Contains "My wife, Jody" testimonial | /(?:My wife, Jody|Mi esposa, Jody)/ |
| JUST_MAILED_PAGE | RAWBODY | 2 | Saved web page | /\n\n.{0,160}<!-- saved from url=/s |
| KIFF | BODY | 3.15 | Contains "Temple Kiff" | /temple kiff/i |
| KNOWN_BAD_DIALUPS | EOH | 1.308 | Received via known spam-harbouring dialups | check_for_bad_dialup_ips() |
| LARGE_HEX | BODY | 1.108 | Contains a large block of hexadecimal code | /[0-9a-fA-F]{70,}/ |
| LASER_PRINTER | BODY | 3.9 | Discusses laser printer supplies | /LASER PRINTER SUPPLIES/ |
| LIMITED_TIME_ONLY | BODY | 1.27 | Offers a limited time offer | /LIMITED TIME ONLY/i |
| LINES_OF_YELLING | BODY | 0.453 | A WHOLE LINE OF YELLING DETECTED | check_for_yelling() |
| LINES_OF_YELLING_2 | BODY | 0.579 | 2 WHOLE LINES OF YELLING DETECTED | check_for_num_yelling_lines("2") |
| LINES_OF_YELLING_3 | BODY | -1.518 | 3 WHOLE LINES OF YELLING DETECTED | check_for_num_yelling_lines("3") |
| LONG_NUMERIC_HTTP_ADDR | URI | 1 | Uses a long numeric IP address in URL | /^https?\:\/\/000\d+/is |
| LOTS_OF_CC_LINES | EOH | 2.481 | Lots and lots of Cc: headers | check_lots_of_cc_lines() |
| MAILMAN_CONFIRM | BODY | -4 | A MailMan confirm-your-address message | /We have received a request .*subscription of your email address.* to the .* mailing list/ |
| MAILTO_LINK | RAWBODY | 0.8 | Includes a URL link to send an email | /=[3D=\s"']*mailto:/is |
| MAILTO_TO_REMOVE | URI | 1 | Includes a 'remove' email address | /^mailto:.*?remove/is |
| MAILTO_TO_SPAM_ADDR | URI | 1 | Includes a link to a likely spammer email address | /^mailto:[a-z]+\d{2,}\@/is |
| MAILTO_WITH_SUBJ | URI | 1 | Includes a link to send a mail with a subject | /^mailto:\S+\?subject=/is |
| MAILTO_WITH_SUBJ_REMOVE | URI | 1 | Includes a URL link to send an email with the subject 'remove' | /^mailto:\S+\?subject=[3D=\s"']*remove/is |
| MAIL_IN_ORDER_FORM | BODY | 4.8 | Contains mail-in order form | /Mail-in Order Form/i |
| MAJORDOMO | Subject | 1.296 | From Majordomo | /Majordomo (?:request )?results/ |
| MANY_FROMS | From | 4.409 | 'From' contains more than one address | /^[^\"\<\(]+, [^\"\<\(]+$/ |
| MASS_EMAIL | BODY | 1.8 | Talks about mass email | /mass e-*mail/i |
| MAY_BE_FORGED | Received | 1.341 | 'Received:' has 'may be forged' warning | /\(may be forged\)/i |
| MDAEMON_2_7_4 | Received | 1.9 | Received via buggy SMTP server (MDaemon 2.7.4SP4R) | /with SMTP .MDaemon.v2.7.SP4.R./ |
| MICRO_CAP_WARNING | BODY | 3.987 | SEC-mandated penny-stock warning -- thanks SEC | /Investing in micro-cap securities is highly speculative/i |
| MIME_NULL_BLOCK | BODY | 0.157 | Correct for MIME 'null block' | /This message is in MIME format/ |
| MISSING_HEADERS | EOH | 0.932 | Missing To: header | check_for_missing_to_header() |
| MLM | BODY | 1 | Multi Level Marketing | /\b(?:MLM|multi.level.marketing)\b/i |
| MONEY_BACK | BODY | 1.489 | Money back guarantee. | /money back guarantee/i |
| MONEY_MAKING | BODY | 2.49 | Discusses money making | /money making/i |
| MONSTERHUT | RAWBODY | 2.657 | Mentions monsterhut.com | /monsterhut.com/ |
| MORTGAGE_RATES | BODY | 2.77 | Information on mortgage rates | /Mortgage rates/i |
| MSGID_CHARS_SPAM | Message-Id | 2.058 | Message-Id has characters indicating spam | /[:}{,!\/]/ |
| MSGID_HAS_NO_AT | Message-Id | 1.273 | Message-Id has no @ sign | ! /\@/ |
| MSGID_SPAMSIGN_1 | Message-Id | 2.815 | Message-Id generated by a spam tool | /^<[0-9a-f]{12,12}\$[0-9a-f]{8,8}\$[0-9a-f]{8,8}\@>$/ |
| MSG_ID_ADDED_BY_MTA | Message-Id | 0.982 | 'Message-Id' was added by a relay | / \(added by / |
| MSG_ID_ADDED_BY_MTA_2 | EOH | 2.405 | 'Message-Id' was added by a relay (2) | /\nMessage-Id: .*(?!yahoo).*\nReceived: /s |
| MURKOWSKI_CRUFT | RAWBODY | 2.7 | Old Murkowski disclaimer | /www\.senate\.gov\/~?murkowski/ |
| MYCASINOBUILDER | BODY | 3.87 | Contains "mycasinobuilder.com" | /MYCASINOBUILDER.COM/i |
| NEW_DOMAIN_EXTENSIONS | BODY | 2.527 | Possible registry spammer | /new\s*domain\s*extension/i |
| NIGERIAN_SCAM | BODY | 2.6 | Nigerian scam, cf http://www.snopes2.com/inboxer/scams/nigeria.htm | /BASED ON INFORMATION GATHERED ABOUT YOU, WE BELIEVE\s*YOU WOULD BE IN A POSITION TO HELP US IN TRANSFER/i |
| NIGERIAN_SCAM_2 | BODY | 4.315 | Mutated Nigerian scams, cf http://www.snopes2.com/inboxer/scams/nigeria.htm | /\b(?:Government|Federal Republic)\b.{1,10}(?:Nigerian?|Sierra[- ]?Leone)\b.{1,10}(?:NATIONAL|Government|embassy|chamber of commerce)\b/i |
| NIGERIAN_SCAM_3 | BODY | 4.339 | Nigerian Bank or Petroleum scam, cf http://www.snopes2.com/inboxer/scams/nigeria.htm | /(?:Bank of Nigeria|Nigerian? National Petroleum)/i |
| NIGERIAN_SCAM_4 | BODY | 3.002 | Nigerian widow needs your help, cf http://www.snopes2.com/inboxer/scams/nigeria.htm | /\b(wife|widow|son|husband)\b.{0,60}\b(?:Abacha|Kabila|Sekou?|Stojiljkovic|Bangura)\b/i |
| NIGERIAN_SCAM_5 | BODY | 1 | Nigerian widow needs your help, cf http://www.snopes2.com/inboxer/scams/nigeria.htm | /\b(?:Abacha|Kabila|Sekou?|Stojiljkovic|Bangura)\b.{0,60}\b(wife|widow|son|husband)\b/i |
| NIGERIAN_SCAM_6 | BODY | 1 | Mutated Nigerian scams (6) | /\b(?:late|former|past|new|Nigerian|military)\b.{0,20}\bhead of state/i |
| NIGERIAN_SCAM_7 | BODY | 1 | Mutated Nigerian scams (7) | /\b(?:late|former|past)\b.{0,40}\b(?:Abacha|Kabila|Sekou?|Stojiljkovic|Bangura)\b|\b(?:Abacha|Kabila|Sekou?|Stojiljkovic|Bangura)\b.{0,40}\b(?:late|former|past)\b/i |
| NIGERIAN_SCAM_8 | BODY | 1 | Mutated Nigerian scams (8) | /\b(?:Tribunal|War Crimes|Hague)\b.{0,60}\b(?:Vlajko|Stojiljkovic)\b|\b(?:Vlajko|Stojiljkovic)\b.{0,60}\b(?:Tribunal|War Crimes|Hague)\b/i |
| NORMAL_HTTP_TO_IP | URI | 1 | Uses a dotted-decimal IP address in URL | /^https?\:\/\/\d+\.\d+\.\d+\.\d+/is |
| NOT_INTENDED | BODY | 1.782 | Not intended for residents of XYZ. | /not intended for residents ?(:of|in)/i |
| NO_CATCH | BODY | 3.411 | There is no catch. | /there is no catch/i |
| NO_COST | BODY | 1.036 | No such thing as a free lunch (3) | /\bno (?:cost|charge)\b/i |
| NO_DISSAPOINTMENT | BODY | 1.466 | You won't be dissapointed. | /You won'?t be diss?app?ointed/i |
| NO_EXPERIENCE | BODY | -1.063 | No experience needed! | /\bNo EXPERIENCE/i |
| NO_MX_FOR_FROM | EOH | 1.8 | No MX records for the From: domain | check_for_from_mx() |
| NO_OBLIGATION | BODY | 2.551 | There is no obligation. | /no obligation/i |
| NO_QS_ASKED | BODY | 3.32 | Doesn't ask any questions | /NO QUESTIONS ASKED/i |
| NO_SELLING | BODY | 3.816 | Claims not to be selling anything | /absolutely NO selling/i |
| NUMERIC_HTTP_ADDR | URI | 1 | Uses a numeric IP address in URL | /^https?\:\/\/\d{7,}/is |
| OFFSHORE_SCAM | BODY | 1 | Off Shore Scams | /\boffshore\b.{0,20}(?:credit card|companies|account|financ|websites?)\b/i |
| ONCE_IN_LIFETIME | BODY | 0.8 | Once in a lifetime, apparently | /once in a lifetime opportunity/i |
| ONE_HUNDRED_PC_FREE | BODY | 2.397 | No such thing as a free lunch (2) | /(?:100%|completely|totally|absolutely) FREE/i |
| ONE_HUNDRED_PC_GUAR | BODY | 4.399 | One hundred percent guaranteed | /100% GUARANTEED/i |
| ONE_TIME_MAILING | BODY | 2.648 | 'one time mailing' doesn't mean it isn't spam | /this\b.{0,20}\b(?:one|1).time\b.{0,20}\b(?:mail|offer)/i |
| ONLINE_BIZ_OPS | BODY | 1 | Wants you to do business online | /online business opportunities/i |
| OPPORTUNITY | BODY | 2.85 | Gives information about an opportunity | /OPPORTUNITY/ |
| OPT_IN | BODY | 2.1 | Talks about opting in | /\bopt-in\b/i |
| ORDER_STATUS | Subject | -3 | Subject looks like order info | / order\b/i |
| PARA_A_2_C_OF_1618 | BODY | 2.129 | Claims compliance with senate bill 1618 | /Paragraph .a.{0,10}2.{0,10}C. of S. 1618/i |
| PENIS_ENLARGE | BODY | 1.92 | Information on getting a larger penis | /\b(?:add\b|enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b).{0,50}\b:penis\b/i |
| PENIS_ENLARGE2 | BODY | 3.676 | Information on getting a larger penis | /\bpenis\b.{0,50}\b(?:add\b|enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b)/i |
| PENNIES_A_DAY | BODY | 3.379 | Contains 'for only pennies a day' | /for (?:just|only) pennies a day/i |
| PGP_SIGNATURE | RAWBODY | -5 | Contains a PGP-signed message | /-----BEGIN PGP SIGNATURE-----/ |
| PLEASE_READ | Subject | 0.985 | Please read this! Please oh please oh please! | /please read/i |
| PLING | Subject | 0.544 | Subject has an exclamation mark | /!/ |
| PLING2 | Subject | 0.6 | Subject has 2 exclamation marks | /\!\!/ |
| PLING3 | ? | 0.6 | Subject has 3 and more exclamation marks | ? |
| POPLAUNCH | BODY | 3.633 | SPAM software | /StealthLaunch PopLaunch.\s/ |
| PORN_1 | BODY | 2.93 | Uses words and phrases which indicate porn (1) | /\bbarely\b.{0,15}\blegal\b/i |
| PORN_10 | BODY | 0.066 | Uses words and phrases which indicate porn (10) | /\blolita|\bslut|\bwhore|(?:[^x]|\b)xxx(?:[^x]|\b)|\bporn|\b(?:Asian|Japanese|oriental)\s+(?:girls|schoolgirls)\b|\bbabes\b|gang[ -]?bang|\bskank|\btits\b|\btitties\b|\bpussy\b|\bpussies\b|\bbi(?!-)\b|free pics/i |
| PORN_11 | BODY | 0.779 | Uses words and phrases which indicate porn (11) | /hard[ -]?core|web[ -]?cam|\bamateur\b/i |
| PORN_12 | BODY | 0.626 | Uses words and phrases which indicate porn (12) | /(?:lolita|xxx|sex|slut|whore|hottest|hard-?core|horn|virgin|naught|web.?cam|le[sz]|skank|tit|puss|adult|fuck)/i and /(?:(?:\blolita|(?:[^x]|\b)xxx(?:[^x]|\b)|\bsex|\bslut|\bwhore|\bhottest\b|hard-?core|\bhorny\b|\bhorniest\b|\bvirgin|\bnaughty\b|\bnaughtiest\b|\bweb.?cam|\ble[sz]b(?:ian|o)|\bskank|\btits\b|\btitties\b|\bpussy\b|\bpussies\b|\badult\b|\bfuck).{0,7}){2,}/i |
| PORN_13 | BODY | 4.194 | Uses words and phrases which indicate porn (13) | /must be (?:at least|over) 18/i |
| PORN_14 | BODY | 0.4 | Uses words and phrases which indicate porn (14) | /\bpics\b|\byears? old\b|\bmy name'?s\b|\bmy name is\b/i |
| PORN_2 | BODY | 2.2 | Uses words and phrases which indicate porn (2) | /\bwild\b.{0,15}\bhard[ -]?core\b/i |
| PORN_3 | EOB | 0.605 | Uses words and phrases which indicate porn (3) | porn_word_test() |
| PORN_4 | URI | 1 | Uses words and phrases which indicate porn (4) | /^https?:\/\/[\w\.-]*(?:xxx|sex|anal|slut|pussy|cum|nympho|suck|porn|hard-?core|taboo|whore|voyeur|lesbian|gurlpages|naughty|lolita|teen|schoolgirl|kooloffer|erotic|lust|panty|panties)[\w-]*\./ |
| PORN_6 | BODY | 2.519 | Uses words and phrases which indicate porn (6) | /(?:\d+\+? xxx pictures|xxx photos?)/i |
| PORN_7 | BODY | 1 | Uses words and phrases which indicate porn (7) | /Free XXX/i |
| PORN_8 | BODY | 0.45 | Uses words and phrases which indicate porn (8) | /(?:video|movie|teen|ware|mp3)z/ |
| PORN_9 | BODY | 2.192 | Uses words and phrases which indicate porn (9) | /(?:sex|gay|slut|whore|\bcum|f.ck|adult|xxx)[ -]?fest|\bcum[ -]?shot|\bcum[ -]?dumpster/i |
| POST_IN_RCVD | Received | 3.476 | Received contains fake 'Post.cz' hostname | / Post\.(?:sk|cz)/ |
| PREST_NON_ACCREDITED | BODY | 4.21 | 'Prestigious Non-Accredited Universities' | /prestigi?ous\b.{0,20}\bnon-accredited\b.{0,20}\buniversities/i |
| PRINT_FORM_SIGNATURE | BODY | 1.862 | Asks you for your signature on a form | /Sign(ature)?(?:\s*here|\s*please)?:.{0,30}___/i |
| PRINT_OUT_AND_FAX | BODY | 1 | Contains words 'print out and fax' | /print\s+out\s+and\s+fax/i |
| PRODUCED_AND_SENT_OUT | BODY | 4.129 | Tells you it's an ad | /This a.?d is produced and sent out by/i |
| PROFITS | BODY | 0.46 | Contains word 'profits' in all-caps | /PROFITS/ |
| PURE_PROFIT | BODY | 2.777 | Profit is dirty, not pure | /PURE PROFIT/i |
| Q_FOR_SELLER | Subject | -4 | Subject is an eBay question | /Question.*(for|to|from eBay).*(seller|Member)/ |
| RAPE | BODY | 1 | Possible porn - Rape | /\b(?:virgin|gang|teen|amat[eu][eu]r) rape|rape (?:sites?|sex)\b/i |
| RATWARE | EOH | 1.97 | Bulk email software fingerprints found in headers | /(?:4\.\.72\.1712\.3|ACE Contact Manager|Aristotle Mail|Avalanche|Calypso|clansoft|Cognigen|Cyber-Bomber|Crescent|DiffondiCool|Dynamic Mail Server|CTMailer|E-Broadcaster|E-mail Magnet|Ellipse Bulk Emailer|EmailBlaster|Emailer.Platinum|eMerge|Extractor|Floodgate|FlashSend|Goldrush|Group Mail|Internet Marketing|Mailcast|MailKing|MassE-Mail|massmail\.pl|Matchmaker|NetMailer|News Breaker|pop3.report|RamoMail|Ready Aim|Shopping.Planet|Stalker.s|TBBS\/TIGER|TOO BAD|TotalMailTURBO Mail|V3,1,6,1|V3,1,2,0|V3,2,2,0|V.null.\.1712\.3|WindoZ|WinNT.s.Blat|WorldMerge|YMR)/ |
| RCVD_IN_BL_SPAMCOP_NET | EOH | 2 | Received via a relay in bl.spamcop.net | check_rbl('spamcop', 'bl.spamcop.net.') |
| RCVD_IN_ORBS | EOH | 1 | Received via a relay in orbs.dorkslayers.com | check_rbl('relay', 'orbs.dorkslayers.com.') |
| RCVD_IN_OSIRUSOFT_COM | EOH | 2 | Received via a relay in relays.osirusoft.com | check_rbl('relay', 'relays.osirusoft.com.') |
| RCVD_IN_RELAYS_ORDB_ORG | EOH | 2 | Received via a relay in relays.ordb.org | check_rbl('relay', 'relays.ordb.org.') |
| RCVD_IN_RFCI | EOH | 0.5 | Received via a relay in ipwhois.rfc-ignorant.org | check_rbl('rfci', 'ipwhois.rfc-ignorant.org.') |
| RCVD_IN_VISI | EOH | 1 | Received via a relay in relays.visi.com | check_rbl('relay', 'relays.visi.com.') |
| READ_TO_END | BODY | 3.882 | You'd better read all of this spam! | /read this (?:e-?mail )?to the end/i |
| REALLY_UNSAFE_JAVASCRIPT | RAWBODY | 3.295 | Auto-executing JavaScript code | /<(?:body|frame) [^>]*on(?:Load|UnLoad|BeforeUnload)/is |
| REAL_THING | BODY | 0.148 | It's the real thing, baby! | /the real thing/i |
| RELAYING_FRAME | RAWBODY | 4.4 | Frame wanted to load outside URL | /<i?frame\s/i |
| REMOVAL_INSTRUCTIONS | BODY | 3.772 | Gives instructions for removal from list | /REMOVAL INSTRUCTIONS/i |
| REMOVE_IN_QUOTES | BODY | 1.93 | List removal information | /\"remove\"/i |
| REMOVE_PAGE | URI | 1 | URL of page called "remove" | /^https?:\/\/[^\/]+\/.*?remove/ |
| REMOVE_SUBJ | BODY | 2.345 | List removal information | /remove.{1,15}subject/i |
| REPLY_REMOVE_SUBJECT | BODY | 0.288 | List removal information | /reply.{1,15}remove.{1,15}subject/i |
| REPLY_TO_EMPTY | Reply-To | 4.335 | Reply-To: is empty | /^(?:\@|\s*$)/ |
| RESISTANCE_IS_FUTILE | BODY | 4.948 | Resistance to this spam is futile | /Replying to this email will not unsubscribe you./i |
| RISK_FREE | BODY | 2.151 | Risk free. Suuurreeee.... | /risk free/i |
| ROUND_THE_WORLD | EOH | 3 | Received: says mail bounced all around the world | check_for_round_the_world_received() |
| SAFEGUARD_NOTICE | BODY | 3 | Contains signature of unregistered spam tool | /This safeguard is not inserted when using the registered version/ |
| SEARCH_ENGINE | BODY | 1 | Search Engine Site Ranking | /\b(?:(?:submit|traffic|top).{0.10} search engines?|site ranking)\b/i |
| SEARCH_ENGINE_PROMO | BODY | 2.6 | Discusses search engine listings | /\b(?:(?:submitt?|list)(?:ed|ing|s)?|place(?:d|ment))\s+.{0,15}\b(?:in|to)\b.{0,15}\b(?:(?:top|best|major|largest|biggest).{0,15}\b)?(?:search(?:ing)?\s*(?:engine|site)|director(?:y|ies))\b/is |
| SECTION_301 | BODY | 1.24 | Claims compliance with SPAM regulations | /SECTION.{0,10}301/i |
| SEE_FOR_YOURSELF | BODY | 2.515 | See for yourself | /See (?:for|it) yourself/i |
| SENT_IN_COMPLIANCE | BODY | 1.744 | Claims compliance with SPAM regulations | /message .{0,10}sen(?:d|t) in compliance (?:of|with)/i |
| SERIOUS_ONLY | BODY | 2.652 | Serious Enquiries Only. | /Serious [IE]nquiries Only/i |
| SEXY_PICS | BODY | 0.5 | Sexy pictures | /sexy pictures/i |
| SHOES_GUY | BODY | 6.8 | Want some shoes? | /(?:\b(?:Lingui|Guilin)\b.{1,30}){2,}/i |
| SHORT_RECEIVED_LINE | Received | 1.805 | 'Received:' contains huge hostname | /\S{120,}/s |
| SIGNATURE_DELIM | BODY | 0.753 | Standard signature delimiter present | /^-- $/ |
| SLIGHTLY_UNSAFE_JAVASCRIPT | RAWBODY | 1 | JavaScript code which can easily be executed | /\bon(?:Blur|Change|Focus|Error|Key(?:Press|Down|Up)|Mouse(?:Down|Up|Over|Move|Out)|Resize|Move|Scroll|Stop|Click)\b/i |
| SMTPD_IN_RCVD | Received | 1.26 | Received via SMTPD32 server (SMTPD32-n.n) | /\(SMTPD32-\d+\..+\)/ |
| SOCIAL_SEC_NUMBER | BODY | 2.305 | Talks about social security numbers | /social security (?:number|record)/i |
| SPAM_FORM | RAWBODY | 3.243 | Form for changing email address | /CHANGE EMAIL ADDRESS IN ACTION OF FORM/ |
| SPAM_FORM_INPUT | RAWBODY | 4 | Form for verifying email address | /<input name=.*submit type=.*submit value=.*" *Submit By E-Mail *">/i |
| SPAM_FORM_RETURN | RAWBODY | 2.787 | Form for checking email address | /return validate_form/ |
| SPAM_PHRASES_020 | EOB | 0 | spam-phrase score is over 20 | check_for_spam_phrases("20") |
| SPAM_PHRASES_040 | EOB | 0 | spam-phrase score is over 40 | check_for_spam_phrases("40") |
| SPAM_PHRASES_100 | EOB | 0 | spam-phrase score is over 100 | check_for_spam_phrases("100") |
| SPAM_REDIRECTOR | URI | 1.706 | Uses open redirection service | /https?\:.*(?:rd\.yahoo\.com|wwp\.icq\.com)/is |
| STAINLESS_STEEL | URI | 1 | Stainless Steel Network Spam | /www.BuyStainlessOnline.com/i |
| STOCK_ALERT | BODY | 3.696 | Offers a stock alert | /stock alert/i |
| STOCK_PICK | BODY | 2.671 | Offers a stock pick | /STOCK PICK/i |
| STRONG_BUY | BODY | 3.838 | Tells you about a strong buy | /strong buy/i |
| SUBJ_2_CREDIT | BODY | 2.824 | Contains 'subject to credit approval' | /subject to credit approval/i |
| SUBJ_ALL_CAPS | Subject | 1.933 | Subject is all capitals | subject_is_all_caps() |
| SUBJ_ENDS_IN_Q_MARK | Subject | 0.1 | Subject: ends in a question mark | /\?+\s*$/ |
| SUBJ_FULL_OF_8BITS | EOH | 3.136 | Subject is full of 8-bit characters | check_subject_for_lotsa_8bit_chars() |
| SUBJ_HAS_Q_MARK | Subject | 1.021 | Subject: contains a question mark | /\?.{2,}$/ |
| SUBJ_HAS_SPACES | Subject | 2.741 | Subject contains lots of white space | /(?:\s{6,}|\t)/ |
| SUBJ_HAS_UNIQ_ID | EOH | 2.037 | Subject contains a unique ID number | check_for_unique_subject_id() |
| SUBJ_MISSING | EOH | 2.428 | Subject: is empty or missing | subject_missing() |
| SUBJ_REMOVE | BODY | 3.9 | List removal information | /subject.{1,15}remove/i |
| SUPERLONG_LINE | RAWBODY | 0.7 | Contains a line >=199 characters long | /^[^<]{199,}$/m |
| SUSPICIOUS_CC_RECIPS | Cc | 2.496 | Cc: contains similar domains at least 10 times | /(@[-a-z0-9_.]{2,}).*(?:\1.*){9,}/is |
| SUSPICIOUS_RECIPS | To | 0.6 | To: contains similar domains at least 10 times | /(@[-a-z0-9_.]{2,}).*(?:\1.*){9,}/is |
| S_1618 | BODY | 3.5 | Claims compliance with senate bill 1618 | /S..{0,10}1618.{0,10}-.{0,10}SECTION.{0,10}301/i |
| TAKE_ACTION_NOW | BODY | 2.257 | Tells you to 'take action now!' | /take action now!/i |
| THE_FOLLOWING_FORM | BODY | 1.707 | Asks you to fill out a form | /the following form\b/i |
| THIS_AINT_JUNK | BODY | 1 | Claims "This is not junk email" | /This.{0,30}is not (?:a )?junk (?:email)?/is |
| THIS_AINT_SPAM | BODY | 2.17 | Claims "This is not spam" | /This.{0,30}is not (?:a )?spam/is |
| TONER | BODY | 3.014 | Contains "Toner Cartridge" | /toner cartridge/i |
| TO_BE_REMOVED_REPLY | BODY | 1.82 | Says: "to be removed, reply via email" or similar | /\bto\b.{0,20}\bremove.{0,20}\breply\b/is |
| TO_EMPTY | To | 2.541 | To: is empty | /^(?:\@|\s*$)/ |
| TO_INVESTORS | To | 0.01 | To: non-existent 'Investors' address | /\bInvestors\@/ |
| TO_LOCALPART_EQ_REAL | To | 0.597 | To: repeats local-part as real name | /^\s*(\"?)([\w%\+\-=_\.]+)\1\s*<\2\@[\w%\+\-=_\.]+>/i |
| TO_MALFORMED | To | 1 | To: has a malformed address | ! /(?:(?:\"[^\"]+\"|\S+)\@\S+\.\S+|undisclosed-recipients:|<\S+(\!\S+){1,}>)/ |
| TO_NO_USER | To | 1.928 | To: has no local-part before @ sign | /(?:^\@|<\@| \@[^<]*$|<>)/ |
| TO_UNSUB_REPLY | BODY | 1.81 | Says: "to unsubscribe, reply via email" or similar | /\bto\b.{0,20}\bunsubscribe.{0,20}\breply\b/is |
| TRACE_BY_SSN | BODY | 4 | Talks about tracing by SSN | /Trace anyone by social security number/i |
| TRACKER_ID | RAWBODY | 1.7 | Incorporates a tracking ID number | /^\W{4,6} (?:[a-z]{10,}|[A-Z]{10,}) \W{4,6}\s*$/ |
| UCE_MAIL_ACT | BODY | 1.64 | Mentions Spam Law "UCE-Mail Act" | /Unsolicited Commercial Electronic Mail Act/ |
| UNCENSORED | BODY | 1 | Possible porn - Uncensored Photos | /\buncensored (?:pics|photo)/i |
| UNDISC_RECIPS | To | 1.164 | Valid-looking To "undisclosed-recipients" | /^undisclosed-recipients?:\s*;$/ |
| UNIFIED_PATCH | RAWBODY | -5 | Contains what looks like a patch from diff -u | /^\@\@ [-+0-9]+,[0-9]+ [-+0-9]+,[0-9]+ \@\@$/ |
| UNIVERSITY_DIPLOMAS | BODY | 2.715 | University Diplomas | /\b(?:college|university)\s+diplomas/i |
| UNNEEDED_HTML_ENCODING | RAWBODY | 2.183 | Unneeded encoding of HTML tags | /font=3E/i |
| UNSUB_PAGE | URI | 1 | URL of page called "unsubscribe" | /^https?:\/\/.*?(?!cgi).*?unsubscribe/i |
| UNSUB_SCRIPT | URI | 1 | URL of CGI script called "unsubscribe" or "remove" | /^https?:\/\/.*?cgi.*?(unsubscribe|remove)/i |
| URGENT_BIZ | BODY | 2.586 | Containts 'URGENT BUSINESS' | /URGENT BUSINESS/i |
| URI_IS_POUND | URI | 1 | Filename is just a '\\#'; probably a JS trick | m{\\#$} |
| USER_AGENT | User-Agent | -1 | Found a User-Agent header | /./ |
| US_DOLLARS | BODY | 2.429 | Nigerian scam key phrase | /Million\b.{0,40}\b(?:United States? Dollars|USD|U\.? ?S\.? Dollar)/i |
| US_DOLLARS_2 | BODY | 0.198 | Nigerian scam key phrase ($NN.Nm/USDNN.Nm) | /(?:\$|usd)\d{2,3}(?:\.\d)?m\b/i |
| US_DOLLARS_3 | BODY | 2.695 | Nigerian scam key phrase ($NN,NNN,NNN.NN) | /(?:\$|usd ?)\d{1,3},\d{3},\d{3}(?:\.\d\d)?/i |
| VACATION_SCAM | BODY | 1 | Vacation Offers | /\b(?:free|mini-?|dream|special).{0,10}vacation|vacation (?:offer|promotion|package|for two|getaway)\b/i |
| VERY_SUSP_CC_RECIPS | Cc | 1.572 | Cc: contains similar usernames at least 10 times | check_for_susp_recips(10) |
| VERY_SUSP_RECIPS | To | 2.5 | To: contains similar usernames at least 10 times | check_for_susp_recips(10) |
| VIAGRA | BODY | 3.9 | Plugs Viagra | /VIAGRA/i |
| VJESTIKA | BODY | 2.807 | Contains "Vjestika Aphrodisia" | /Vjestika Aphrodisia/i |
| WANTS_CREDIT_CARD | BODY | 1.532 | Asks for credit card details | /\bcredit.?card\s+order/i |
| WEB4PORNO_URL | URI | 5 | Frequent SPAM content | /web4porno\.com/i |
| WEB_BUGS | RAWBODY | 1 | Image tag with an ID code to identify you | /<\s*img\s[^>]*src[^>]+\?/i |
| WEIRD_PORT | URI | 1 | Uses non-standard port number for HTTP | m{https?://[^/]+:\d+/} |
| WE_HATE_SPAM | BODY | 3.024 | Says "We strongly oppose the use of SPAM email" | /We .{0,30}oppose the use of SPAM/is |
| WE_HONOR_ALL | BODY | 4.536 | Claims to honor removal requests | /we (?:honou?r|respect)(?: all)? remov(?:e|al) requests/i |
| WORK_AT_HOME | BODY | 3.3 | Information on how to work at home (1) | /(?:WORK|(?:MAKE|EARN).{1,10}(?:MONEY|\$+|BUCKS|CASH)).{1,10}(?:AT|FROM) (?:YOUR )?HOME/i |
| WWW_AUTOREMOVE_COM | URI | 1 | Frequent SPAM content | /autoremove\.com/i |
| WWW_CLIK4YOU_COM | URI | 1 | Frequent SPAM content | /clik4you\.com/i |
| WWW_DIRECTFORCEMARKETING_COM | URI | 1 | Frequent SPAM content | /directforcemarketing\.com/i |
| WWW_NETSITESFORFREE_NET | URI | 1 | Frequent SPAM content | /netsitesforfree\.net/i |
| WWW_REMOVEYOU_COM | URI | 1 | Frequent SPAM content | /removeyou\.com/i |
| WWW_TRAFFICWOW_NET | URI | 1 | Frequent SPAM content | /trafficwow\.net/i |
| X_ACCEPT_LANG | X-Accept-Language | -2 | Found a X-Accept-Language header | /./ |
| X_ANTIABUSE | X-AntiAbuse | 2.37 | Found a X-AntiAbuse header | /./ |
| X_AUTH_WARNING | X-Authentication-Warning | 1 | X-Authentication-Warning header exists | /./ |
| X_EM_REGISTRATION | X-EM-Registration | 1.191 | Found a X-EM-Registration header | /./ |
| X_EM_VER_PRESENT | X-Em-Version | 0.832 | Found an X-Em-Version: header | /\S/ |
| X_ENC_PRESENT | X-Encoding | 1 | Found an X-Encoding header | /./ |
| X_ESMTP | x-esmtp | -1.662 | Found a x-esmtp header | /./ |
| X_FIX_PRESENT | X-Fix | 1 | Found an X-Fix header | /./ |
| X_LOOP | X-Loop | -1 | Found a X-Loop header | /./ |
| X_MAILER_GIBBERISH | X-Mailer | 4.26 | 'X-Mailer' line contains gibberish | /^[A-Fa-f0-9\.]{48,}$/ |
| X_MAILER_MASS_SENDER | X-Mailer | 2 | 'X-Mailer' has 'Advanced Mass Sender' or 'Direct Email' | /(Advanced Mass Sender|Direct Email)/ |
| X_MAILING_LIST | X-Mailing-List | -1 | Found a X-Mailing-List header | /./ |
| X_MAIL_ID_PRESENT | X-MailingID | 1 | Found an X-MailingID header | /./ |
| X_MSMAIL_PRIORITY_HIGH | X-Msmail-Priority | -1.356 | Sent with 'X-Msmail-Priority' set to high | /^High/ |
| X_PMFLAGS_PRESENT | X-PMFLAGS | 2.783 | Found an X-PMFLAGS: (all caps) header | /\S/ |
| X_PRECEDENCE_REF | X-Precedence-Ref | 4.555 | Found a X-Precedence-Ref header | /./ |
| X_PRIORITY_HIGH | X-Priority | 1.658 | Sent with 'X-Priority' set to high | /^1/ |
| X_SERV_HOST_PRESENT | X-ServerHost | 1 | Found an X-ServerHost header | /./ |
| X_SMTPEXP_REGISTRATION | X-SMTPExp-Registration | 1.622 | Found a X-SMTPExp-Registration header | /./ |
| X_SMTPEXP_VERSION | X-SMTPExp-Version | 1.622 | Found a X-SMTPExp-Version header | /./ |
| X_STORMPOST_TO | X-Stormpost-To | 2.272 | Found a X-Stormpost-To header | /./ |
| X_UIDL_SPAMSIGN | X-UIDL | 1 | X-UIDL: header contains invalid chars | /[^\s\x21-\x7E]/ |
| X_X_PRESENT | X-x | 1 | Found an X-x header | /./ |
| YAHOO_MSGID_ADDED | EOH | -2.4 | 'Message-Id' was added by yahoo.com, that's OK | /Message-Id: <\S+\.mail.yahoo.com>\nReceived: .*by \S+mail.yahoo.com via HTTP;/s |
| YELLOWSUN | URI | 1 | Frequent SPAM content | /yellowsun01\.com/i |
| YOUR_INCOME | BODY | 1 | Doing something with my income | /\byour income\b/i |
| YOU_HAVE_BEEN_SELECTED | BODY | 2.606 | "You have been selected as a finalist", sure | /You have been selected as a (?:finalist|winner)/i |
| YR_MEMBERSHIP_EXCH | Subject | 4.2 | Subject contains 'Your Membership Exchange' | /Your Membership Exchange/ |
