RSPAMD DETAILS

ABUSE_SURBL

 SURBL: Abuse

AOL_SPAM

 AOL says this message is spam

ARC_ALLOW

 ARC checks success

ARC_DNSFAIL

 ARC DNS error

ARC_INVALID

 ARC structure invalid

ARC_NA

 ARC signature absent

ARC_REJECT

 ARC checks failure

BAYES_HAM

 Message classified as Ham

BAYES_SPAM

 Message classified as Spam

BOGUS_ENCRYPTED_AND_TEXT

 Bogus mix of encrypted and text/html payloads

BROKEN_CONTENT_TYPE

 Message has part with broken content type

BROKEN_HEADERS

 Headers structure is likely broken

CC_EXCESS_BASE64

 Cc that contains encoded characters while base 64 is not needed as all symbols are 7bit

CC_EXCESS_QP

 Cc that contains encoded characters while quoted-printable is not needed as all symbols are 7bit

CRACKED_SURBL

 SURBL: Cracked site

CT_EXTRA_SEMI

 Content-Type ends with a semi-colon

CTE_CASE

 [78]Bit .vs. [78]bit

CTYPE_MISSING_DISPOSITION

 Binary content-type not specified as an attachment

CTYPE_MIXED_BOGUS

 multipart/mixed without non-textual part

DATA_URI_OBFU

 Uses Data URI encoding to obfuscate plain or HTML in base64

DATE_IN_FUTURE

 Message date is in future

DATE_IN_PAST

 Message date is in past

DBL

 DBL Unknown result

DBL_ABUSE

 DBL URIBL Abused legit Spam

DBL_ABUSE_BOTNET

 DBL URIBL Abused legit Botnet C&C

DBL_ABUSE_MALWARE

 DBL URIBL Abused legit Malware

DBL_ABUSE_PHISH

 DBL URIBL Abused legit Phish

DBL_ABUSE_REDIR

 DBL URIBL Abused spammed redirector domain

DBL_BOTNET

 DBL URIBL Botnet C&C domain

DBL_MALWARE

 DBL URIBL Malware

DBL_PHISH

 DBL URIBL Phishing

DBL_PROHIBIT

 DBL URIBL IP queries prohibited

DBL_SPAM

 DBL URIBL Spam

DMARC_POLICY_ALLOW

 DMARC permit policy

DMARC_POLICY_ALLOW_WITH_FAILURES

 DMARC permit policy with DKIM/SPF failure

DMARC_POLICY_QUARANTINE

 DMARC quarantine policy

DMARC_POLICY_REJECT

 DMARC reject policy

DMARC_POLICY_SOFTFAIL

 DMARC failed

DNSWL_BLOCKED

 Resolver blocked due to excessive queries

EMAIL_PLUS_ALIASES

 Removes plus aliases from the email

EMPTY_SUBJECT

 Subject header is empty

ENCRYPTED_PGP

 Message is encrypted with pgp

ENCRYPTED_SMIME

 Message is encrypted with smime

ENVFROM_PRVS

 Envelope From is a PRVS address that matches the From address

ENVFROM_SERVICE_ACCT

 Envelope from is a service account

ENVFROM_VERP

 Envelope From is a VERP address

EXT_CSS

 Message contains external CSS reference

FAKE_REPLY

 Fake reply

FAKE_REPLY_C

 Fake reply (has RE in subject, but has not References header)

FM_FAKE_HELO_VERIZON

 Fake helo for verizon provider

FORGED_GENERIC_RECEIVED

 Forged generic Received

FORGED_GENERIC_RECEIVED2

 Forged generic Received

FORGED_GENERIC_RECEIVED3

 Forged generic Received

FORGED_GENERIC_RECEIVED4

 Forged generic Received

FORGED_MSGID_YAHOO

 Forged yahoo msgid

FORGED_MUA_KMAIL_MSGID

 Message pretends to be send from KMail but has forged Message-ID

FORGED_MUA_KMAIL_MSGID_UNKNOWN

 Message pretends to be send from KMail but has forged Message-ID

FORGED_MUA_MAILLIST

 Avoid false positives for FORGED_MUA_ in mailing list

FORGED_MUA_MOZILLA_MAIL_MSGID

 Message pretends to be send from Mozilla Mail but has forged Message-ID

FORGED_MUA_MOZILLA_MAIL_MSGID_UNKNOWN

 Message pretends to be send from Mozilla Mail but has forged Message-ID

FORGED_MUA_OUTLOOK

 Forged outlook MUA

FORGED_MUA_SEAMONKEY_MSGID

 Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID

FORGED_MUA_SEAMONKEY_MSGID_UNKNOWN

 Forged mail pretending to be from Mozilla Seamonkey but has forged Message-ID

FORGED_MUA_THEBAT_BOUN

 Forged The Bat! MUA headers

FORGED_MUA_THEBAT_MSGID

 Message pretends to be send from The Bat! but has forged Message-ID

FORGED_MUA_THEBAT_MSGID_UNKNOWN

 Message pretends to be send from The Bat! but has forged Message-ID

FORGED_MUA_THUNDERBIRD_MSGID

 Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID

FORGED_MUA_THUNDERBIRD_MSGID_UNKNOWN

 Forged mail pretending to be from Mozilla Thunderbird but has forged Message-ID

FORGED_OUTLOOK_HTML

 Forged outlook HTML signature

FORGED_OUTLOOK_TAGS

 Message pretends to be send from Outlook but has strange tags

FORGED_RECIPIENTS

 Recipients are not the same as RCPT TO: mail command

FORGED_RECIPIENTS_MAILLIST

 Recipients are not the same as RCPT TO: mail command, but a message is from a mailing list

FORGED_SENDER

 Sender is forged (different From: header and smtp MAIL FROM: addresses)

FORGED_SENDER_MAILLIST

 Sender is not the same as MAIL FROM: envelope, but a message is from a mailing list

FORWARDED

 Message was forwarded

FREEMAIL_REPLYTO_NEQ_FROM_DOM

 Freemail From and Reply-To, but to different Freemail services

FROM_DN_EQ_ADDR

 From header display name is the same as the address

FROM_EQ_ENVFROM

 From address is the same as the envelope

FROM_EXCESS_BASE64

 From that contains encoded characters while base 64 is not needed as all symbols are 7bit

FROM_EXCESS_QP

 From that contains encoded characters while quoted-printable is not needed as all symbols are 7bit

FROM_HAS_DN

 From header has a display name

FROM_NAME_EXCESS_SPACE

 From header display name contains excess whitespace

FROM_NAME_HAS_TITLE

 From header display name has a title (Mr/Mrs/Dr)

FROM_NEEDS_ENCODING

 From header needs encoding

FROM_NEQ_DISPLAY_NAME

 Display name contains an email address different to the From address

FROM_NEQ_ENVFROM

 From address is different to the envelope

FROM_NO_DN

 From header does not have a display name

FROM_SERVICE_ACCT

 Sender/From/Reply-To is a service account

FUZZY_DENIED

 Denied fuzzy hash, bl.rspamd.com

FUZZY_PROB

 Probable fuzzy hash, bl.rspamd.com

FUZZY_UNKNOWN

 Generic fuzzy hash match, bl.rspamd.com

FUZZY_WHITE

 Whitelisted fuzzy hash, bl.rspamd.com

FWD_GOOGLE

 Message was forwarded by Google

FWD_MAILRU

 Message was forwarded by Mail.ru

FWD_SRS

 Message was forwarded using SRS

FWD_YANDEX

 Message was forwarded by Yandex

GOOGLE_FORWARDING_MID_BROKEN

 Message had invalid Message-ID pre-forwarding

GOOGLE_FORWARDING_MID_MISSING

 Message was missing Message-ID pre-forwarding

HACKED_WP_PHISHING

 Phishing message from hacked wordpress

HAS_ATTACHMENT

 Message contains attachments

HAS_DATA_URI

 Has Data URI encoding

HAS_GOOGLE_REDIR

 Has google.com/url redirection

HAS_GUC_PROXY_URI

 Has googleusercontent.com proxy URI

HAS_INTERSPIRE_SIG

 Has Interspire fingerprint

HAS_LIST_UNSUB

 Has List-Unsubscribe header

HAS_ONION_URI

 Contains .onion hidden service URI

HAS_ORG_HEADER

 Has Organization header

HAS_PHPMAILER_SIG

 PHPMailer signature

HAS_REPLYTO

 Has Reply-To header

HAS_WP_URI

 Contains WordPress URIs

HAS_X_ANTIABUSE

 Has X-AntiAbuse headers

HAS_X_AS

 Has X-Authenticated-Sender header

HAS_X_GMSV

 Has X-Get-Message-Sender-Via: header

HAS_X_PHP_SCRIPT

 Has X-PHP-Script header

HAS_X_POS

 Has X-PHP-Originating-Script header

HAS_X_PRIO_FIVE

 Priority 5+

HAS_X_PRIO_ONE

 Priority 1

HAS_X_PRIO_THREE

 Priority 3-4

HAS_X_PRIO_TWO

 Priority 2

HAS_X_PRIO_ZERO

 Priority 0

HAS_X_SOURCE

 Has X-Source headers

HAS_XAW

 Has X-Authentication-Warning header

HAS_XOIP

 Has X-Originating-IP header

HEADER_CC_DELIMITER_TAB

 Header To begins with tab

HEADER_CC_EMPTY_DELIMITER

 Header Cc has no delimiter between header name and header value

HEADER_DATE_DELIMITER_TAB

 Header Date begins with tab

HEADER_DATE_EMPTY_DELIMITER

 Header Date has no delimiter between header name and header value

HEADER_FORGED_MDN

 Read confirmation address is different to return path

HEADER_FROM_DELIMITER_TAB

 Header From begins with tab

HEADER_FROM_EMPTY_DELIMITER

 Header From has no delimiter between header name and header value

HEADER_RCONFIRM_MISMATCH

 Read confirmation address is different to from address

HEADER_REPLYTO_DELIMITER_TAB

 Header Reply-To begins with tab

HEADER_REPLYTO_EMPTY_DELIMITER

 Header Reply-To has no delimiter between header name and header value

HEADER_TO_DELIMITER_TAB

 Header To begins with tab

HEADER_TO_EMPTY_DELIMITER

 Header To has no delimiter between header name and header value

HFILTER_FROM_BOUNCE

 Bounce message

HFILTER_FROMHOST_NORES_A_OR_MX

 FROM host no resolve to A or MX

HFILTER_FROMHOST_NORESOLVE_MX

 MX found in FROM host and no resolve

HFILTER_FROMHOST_NOT_FQDN

 FROM host not FQDN

HFILTER_HELO_1

 Helo host checks (very low)

HFILTER_HELO_2

 Helo host checks (low)

HFILTER_HELO_3

 Helo host checks (medium)

HFILTER_HELO_4

 Helo host checks (hard)

HFILTER_HELO_5

 Helo host checks (very hard)

HFILTER_HELO_BADIP

 Helo host is very bad IP

HFILTER_HELO_BAREIP

 Helo host is bare IP

HFILTER_HELO_IP_A

 HELO A IP != hostname IP

HFILTER_HELO_NORES_A_OR_MX

 HELO no resolve to A or MX

HFILTER_HELO_NORESOLVE_MX

 MX found in HELO and no resolve

HFILTER_HELO_NOT_FQDN

 HELO not FQDN

HFILTER_HOSTNAME_1

 Hostname checks (very low)

HFILTER_HOSTNAME_2

 Hostname checks (low)

HFILTER_HOSTNAME_3

 Hostname checks (medium)

HFILTER_HOSTNAME_4

 Hostname checks (hard)

HFILTER_HOSTNAME_5

 Hostname checks (very hard)

HFILTER_HOSTNAME_UNKNOWN

 Unknown hostname (no PTR or no resolve PTR to hostname)

HFILTER_RCPT_BOUNCEMOREONE

 Message from bounce and more than one recipient

HFILTER_URL_ONELINE

 One line URL and text in body

HFILTER_URL_ONLY

 URL only in body

HIDDEN_SOURCE_OBJ

 UNIX hidden file/directory in path

HTML_META_REFRESH_URL

 Has HTML Meta refresh URL

HTML_SHORT_LINK_IMG_1

 Short html part (0..1K) with a link to an image

HTML_SHORT_LINK_IMG_2

 Short html part (1K..1.5K) with a link to an image

HTML_SHORT_LINK_IMG_3

 Short html part (1.5K..2K) with a link to an image

HTTP_TO_HTTPS

 Anchor text contains different scheme to target URL

HTTP_TO_IP

 Anchor points to an IP address

INFO_TO_INFO_LU

 info@ From/To address with List-Unsubscribe headers

INTRODUCTION

 Sender introduces themselves

INVALID_FROM_8BIT

 Invalid 8bit character in From header

INVALID_MSGID

 Message id is incorrect

INVALID_POSTFIX_RECEIVED

 Invalid Postfix Received

INVALID_RCPT_8BIT

 Invalid 8bit character in recipients headers

LONG_SUBJ

 Subject is too long

MAIL_RU_MAILER

 Sent with Mail.Ru web-mail

MAILER_1C_8

 Sent with 1C:Enterprise 8

MAILLIST

 Message seems to be from a mailing list

MAILSPIKE

 Unrecognised result from Mailspike

MANY_INVISIBLE_PARTS

 Many parts are visually hidden

MICROSOFT_SPAM

 Microsoft says the message is spam

MID_BARE_IP

 Message-ID RHS is a bare IP address

MID_CONTAINS_FROM

 Message-ID contains From address

MID_CONTAINS_TO

 Message-ID contains To address

MID_MISSING_BRACKETS

 Message-ID is missing <>

MID_RHS_IP_LITERAL

 Message-ID RHS is an IP-literal

MID_RHS_MATCH_FROM

 Message-ID RHS matches From domain

MID_RHS_MATCH_TO

 Message-ID RHS matches To domain

MID_RHS_NOT_FQDN

 Message-ID RHS is not a fully-qualified domain name

MID_RHS_WWW

 Message-ID from www host

MIME_ARCHIVE_IN_ARCHIVE

 Archive within another archive

MIME_BAD

 Known bad content-type

MIME_BAD_ATTACHMENT

 Invalid attachment mime type

MIME_BAD_EXTENSION

 Bad extension

MIME_BASE64_TEXT

 Has text part encoded in base64

MIME_DOUBLE_BAD_EXTENSION

 Bad extension cloaking

MIME_ENCRYPTED_ARCHIVE

 Encrypted archive in a message

MIME_GOOD

 Known content-type

MIME_HEADER_CTYPE_ONLY

 Only Content-Type header without other MIME headers

MIME_HTML_ONLY

 Messages that have only HTML part

MIME_MA_MISSING_HTML

 MIME multipart/alternative missing text/html part

MIME_MA_MISSING_TEXT

 MIME multipart/alternative missing text/plain part

MIME_UNKNOWN

 Missing or unknown content-type

MISSING_DATE

 Message date is missing

MISSING_FROM

 Missing From: header

MISSING_MID

 Message id is missing

MISSING_MIME_VERSION

 MIME-Version header is missing

MISSING_MIMEOLE

 Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange)

MISSING_SUBJECT

 Subject header is missing

MISSING_TO

 To header is missing

MSBL_EBL

 MSBL EMAILBL

MULTIPLE_FROM

 Multiple addresses in From

MULTIPLE_UNIQUE_HEADERS

 Repeated unique headers

MV_CASE

 Mime-Version .vs. MIME-Version

MW_SURBL_MULTI

 SURBL: Malware sites

OMOGRAPH_URL

 Url contains both latin and non-latin characters

ONCE_RECEIVED

 One received header in a message

ONCE_RECEIVED_STRICT

 One received header with “bad” patterns inside

PH_SURBL_MULTI

 SURBL: Phishing sites

PHISHED_OPENPHISH

 Phished URL found in openphish.com blacklist

PHISHED_PHISHTANK

 Phished URL found in phishtank.com blacklist

PHISHING

 Phished URL

PHP_SCRIPT_ROOT

 PHP Script executed by root UID

PHP_XPS_PATTERN

 Message contains X-PHP-Script pattern

PRECEDENCE_BULK

 Message marked as bulk

PREVIOUSLY_DELIVERED

 Message either to a list or was forwarded

R_BAD_CTE_7BIT

 Detects bad content-transfer-encoding for text parts

R_DKIM_ALLOW

 DKIM verification succeeded

R_DKIM_REJECT

 DKIM verification failed

R_DKIM_TEMPFAIL

 DKIM verification soft-failed

R_EMPTY_IMAGE

 Message contains empty parts and image

R_MISSING_CHARSET

 Charset is missing in a message

R_MIXED_CHARSET

 Mixed characters in a message

R_MIXED_CHARSET_URL

 Mixed characters in a URL inside a message

R_NO_SPACE_IN_FROM

 No space in from header

R_PARTS_DIFFER

 Text and HTML parts differ

R_RCVD_SPAMBOTS

 Spambots signatures in received headers

R_SAJDING

 Subject seems to be spam

R_SPF_ALLOW

 SPF verification allows sending

R_SPF_DNSFAIL

 SPF DNS failure

R_SPF_FAIL

 SPF verification failed

R_SPF_NEUTRAL

 SPF policy is neutral

R_SPF_SOFTFAIL

 SPF verification soft-failed

R_SUSPICIOUS_IMAGES

 Message contains many suspicious messages

R_SUSPICIOUS_URL

 Obfusicated or suspicious URL has been found in a message

R_UNDISC_RCPT

 Recipients are absent or undisclosed

R_WHITE_ON_WHITE

 Message contains low contrast text

RATWARE_MS_HASH

 Forged Exchange messages

RBL_ABUSECH

 From address is listed in Abuse.CH BL

RBL_MAILSPIKE_BAD

 From address is listed in RBL – bad reputation

RBL_MAILSPIKE_VERYBAD

 From address is listed in RBL – very bad reputation

RBL_MAILSPIKE_WORST

 From address is listed in RBL – worst possible reputation

RBL_SARBL_BAD

 A domain listed in the message is blacklisted in SARBL

RBL_SEM

 Address is listed in Spameatingmonkey RBL

RBL_SEM_IPV6

 Address is listed in Spameatingmonkey RBL (IPv6)

RBL_SENDERSCORE

 From address is listed in senderscore.com BL

RBL_SPAMHAUS

 Unrecognised result from Spamhaus Zen

RBL_SPAMHAUS_CSS

 From address is listed in Zen CSS

RBL_SPAMHAUS_DROP

 From address is listed in Zen Drop BL

RBL_SPAMHAUS_PBL

 From address is listed in Zen PBL

RBL_SPAMHAUS_SBL

 From address is listed in Zen SBL

RBL_SPAMHAUS_XBL

 From address is listed in Zen XBL

RBL_SPAMHAUS_XBL_ANY

 From or Received address is listed in Zen XBL (any list)

RCPT_COUNT_FIVE

 5-7 recipients

RCPT_COUNT_GT_50

 50+ recipients

RCPT_COUNT_ONE

 One recipient

RCPT_COUNT_SEVEN

 7-11 recipients

RCPT_COUNT_THREE

 3-5 recipients

RCPT_COUNT_TWELVE

 12-50 recipients

RCPT_COUNT_TWO

 Two recipients

RCPT_COUNT_ZERO

 No recipients

RCVD_COUNT_FIVE

 5-7 received

RCVD_COUNT_ONE

 One received

RCVD_COUNT_SEVEN

 7-11 received

RCVD_COUNT_THREE

 3-5 received

RCVD_COUNT_TWELVE

 12+ received

RCVD_COUNT_TWO

 Two received

RCVD_COUNT_ZERO

 No received

RCVD_DOUBLE_IP_SPAM

 Two received headers with ip addresses

RCVD_HELO_USER

 HELO User spam pattern

RCVD_ILLEGAL_CHARS

 Header Received has raw illegal character

RCVD_IN_DNSWL

 Unrecognised result from dnswl.org

RCVD_IN_DNSWL_HI

 Sender listed at www.dnswl.org, high trust

RCVD_IN_DNSWL_LOW

 Sender listed at www.dnswl.org, low trust

RCVD_IN_DNSWL_MED

 Sender listed at www.dnswl.org, medium trust

RCVD_IN_DNSWL_NONE

 Sender listed at www.dnswl.org, no trust

RCVD_NO_TLS_LAST

 Last hop did not use encrypted transports

RCVD_TLS_ALL

 All hops used encrypted transports

RCVD_TLS_LAST

 Last hop used encrypted transports

RCVD_VIA_SMTP_AUTH

 Authenticated hand-off was seen in Received headers

RDNS_NONE

 Cannot resolve reverse DNS for senders IP

RECEIVED_SPAMHAUS_XBL

 Received address is listed in Zen XBL

REPLYTO_ADDR_EQ_FROM

 Reply-To header is identical to SMTP From

REPLYTO_DN_EQ_FROM_DN

 Reply-To display name matches From

REPLYTO_DOM_EQ_FROM_DOM

 Reply-To domain matches the From domain

REPLYTO_DOM_NEQ_FROM_DOM

 Reply-To domain does not match the From domain

REPLYTO_EMAIL_HAS_TITLE

 Reply-To header has title

REPLYTO_EQ_FROM

 Reply-To header is identical to From header

REPLYTO_EQ_TO_ADDR

 Reply-To is the same as the To address

REPLYTO_EXCESS_BASE64

 Reply-To that contains encoded characters while base 64 is not needed as all symbols are 7bit

REPLYTO_EXCESS_QP

 Reply-To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit

REPLYTO_UNPARSEABLE

 Reply-To header could not be parsed

REPTO_QUOTE_YAHOO

 Quoted reply-to from yahoo (seems to be forged)

RSPAMD_EMAILBL

 Rspamd EMAILBL, bl.rspamd.com

RSPAMD_URIBL

 Rspamd URIBL, bl.rspamd.com

RWL_MAILSPIKE_EXCELLENT

 From address is listed in RWL – excellent reputation

RWL_MAILSPIKE_GOOD

 From address is listed in RWL – good reputation

RWL_MAILSPIKE_NEUTRAL

 Neutral result from Mailspike

RWL_MAILSPIKE_POSSIBLE

 From address is listed in RWL – possibly legit

RWL_MAILSPIKE_VERYGOOD

 From address is listed in RWL – very good reputation

SBL_URIBL

 SBL URIBL: filtered result

SEM_URIBL

 Spameatingmonkey URIBL

SEM_URIBL_FRESH15

 Spameatingmonkey URIBL. Domains registered in the last 15 days (.aero, .biz, .com, .info, .name, .net, .pro, .sk, .tel, .us)

SEM_URIBL_FRESH15_UNKNOWN

 Spameatingmonkey Fresh15 URIBL: Unknown result

SEM_URIBL_UNKNOWN

 Spameatingmonkey URIBL: Unknown result

SIGNED_PGP

 Message is signed with pgp

SIGNED_SMIME

 Message is signed with smime

SORTED_RECIPS

 Recipients list seems to be sorted

SPAM_FLAG

 Message was already marked as spam

SPOOF_DISPLAY_NAME

 Display name is being used to spoof and trick the recipient

SPOOF_REPLYTO

 Reply-To is being used to spoof and trick the recipient to send an off-domain reply

STOX_REPLY_TYPE

 Reply-type in content-type

STRONGMAIL

 Sent via rogue strongmail MTA

SUBJ_ALL_CAPS

 All capital letters in subject

SUBJ_EXCESS_BASE64

 Subject is unnecessarily encoded in base64

SUBJ_EXCESS_QP

 Subject is unnecessarily encoded in quoted-printable

SUBJECT_ENDS_EXCLAIM

 Subject ends with an exclaimation

SUBJECT_ENDS_QUESTION

 Subject ends with a question

SUBJECT_ENDS_SPACES

 Subject ends with space characters

SUBJECT_HAS_CURRENCY

 Subject contains currency

SUBJECT_HAS_EXCLAIM

 Subject contains an exclaimation

SUBJECT_HAS_QUESTION

 Subject contains a question

SUBJECT_NEEDS_ENCODING

 Subject needs encoding

SURBL_BLOCKED

 SURBL: blocked by policy/overusage

SUSPICIOUS_BOUNDARY

 Suspicious boundary in header Content-Type

SUSPICIOUS_BOUNDARY2

 Suspicious boundary in header Content-Type

SUSPICIOUS_BOUNDARY3

 Suspicious boundary in header Content-Type

SUSPICIOUS_BOUNDARY4

 Suspicious boundary in header Content-Type

SUSPICIOUS_OPERA_10W_MSGID

 Message pretends to be send from suspicious Opera Mail/10.x (Windows) but has forged Message-ID, apparently from KMail

SUSPICIOUS_RECIPS

 Recipients seems to be autogenerated (works if recipients count is more than 5)

TAGGED_FROM

 SMTP from has plus tags

TAGGED_RCPT

 SMTP recipients have plus tags

TO_DN_ALL

 All the recipients have display names

TO_DN_EQ_ADDR_ALL

 All of the recipients have display names that are the same as their address

TO_DN_EQ_ADDR_SOME

 Some of the recipients have display names that are the same as their address

TO_DN_NONE

 None of the recipients have display names

TO_DN_RECIPIENTS

 To header display name is Recipients

TO_DN_SOME

 Some of the recipients have display names

TO_DOM_EQ_FROM_DOM

 To domain is the same as the From domain

TO_EQ_FROM

 To address matches the From address

TO_EXCESS_BASE64

 To that contains encoded characters while base 64 is not needed as all symbols are 7bit

TO_EXCESS_QP

 To that contains encoded characters while quoted-printable is not needed as all symbols are 7bit

TO_MATCH_ENVRCPT_ALL

 All of the recipients match the envelope

TO_MATCH_ENVRCPT_SOME

 Some of the recipients match the envelope

TO_NEEDS_ENCODING

 To header needs encoding

TO_WRAPPED_IN_SPACES

 To address is wrapped in spaces inside angle brackets (e.g. display-name < local-part@domain >)

TRACKER_ID

 Spam string at the end of message to make statistics fault

UNITEDINTERNET_SPAM

 United Internet says this message is spam

URI_COUNT_ODD

 Odd number of URIs in multipart/alternative message

URI_HIDDEN_PATH

 Message contains URI with a hidden path

URIBL_BLACK

 uribl.com: black URL

URIBL_BLOCKED

 uribl.com: query refused

URIBL_GREY

 uribl.com: grey URL

URIBL_MULTI

 uribl.com: unrecognised result

URIBL_RED

 uribl.com: red URL

URIBL_SBL_CSS

 Spamhaus SBL CSS URIBL

URIBL_SL

 Spamhaus SBL URIBL

URL_IN_SUBJECT

 URL found in Subject

WP_COMPROMISED

 URL that is pointing to a compromised WordPress installation

WWW_DOT_DOMAIN

 From/Sender/Reply-To or Envelope is @www.domain.com

X_PHP_EVAL

 Message sent using evald PHP

X_PHP_FORGED_0X

 X-PHP-Originating-Script header appears forged

X_PHPOS_FAKE

 Fake X-PHP-Originating-Script header

XAW_SERVICE_ACCT

 Message originally from a service account

XM_CASE

 X-mailer .vs. X-Mailer

XM_UA_NO_VERSION

 X-Mailer/User-Agent has no version

YANDEX_RU_MAILER

 Sent with yandex.ru web-mail

ZERO_FONT

 Zero sized font used