Text File | 2007-02-05 | 53.0 KB | 4,241 lines
YOU_CAN_SEARCH YOU CAN SEARCH FOR ANYONE body /you can search for anyone/i 1 0.0 1 -3 RATWARE_OE_MALFORMED X-Mailer has malformed Outlook Express version header /^Microsoft Outlook Express \d(?:\.\d+){3} \w+$/ X-Mailer 1 3.000 1 WHY_PAY_MORE Why Pay More? body /\bwhy pay more\b/i 1 0 1 WHILE_YOU_SLEEP While you Sleep body /\bwhile you sleep\b/i 1 0.463 1 WHY_WAIT What are you waiting for body /\b(?:why wait|what are you waiting for)\b/i 1 0.356 1 WEIRD_QUOTING Weird repeated double-quotation marks body /[\042\223\224\262\263\271]{2}\S{0,16}[\042\223\224\262\263\271]{2}/ 1 1.341 1 UNDISC_RECIPS Valid-looking To "undisclosed-recipients" header /^undisclosed-recipients?:\s*;$/ To 1 0.000 1 HTTP_CTRL_CHARS_HOST Uses control sequences inside a URL hostname uri /^https?\:\/\/[^\/\s]*[\x00-\x08\x0b\x0c\x0e-\x1f]/ 1 1.480 1 __ADDR_NUMS_AT_BIGSITE Uses an address with lots of numbers, at a big ISP header /<?\S{0,20}\d{5,}\S{0,20}\@(?:bigfoot|email|excite|hotmail|juno|msn|yahoo)\.(?:com|net|org)/mi ALL 1 0 1 NUMERIC_HTTP_ADDR Uses a numeric IP address in URL uri /^https?\:\/\/\d{7}/is 1 0.472 1 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL uri m{^https?://\d+\.\d+\.\d+\.\d+}i 1 0.160 1 HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname uri /^https?\:\/\/[^\/\s]*%[0-9a-fA-F][0-9a-fA-F]/ 1 0.124 1 REMOVE_PAGE URL of page called "remove" uri /^https?:\/\/[^\/]+\/.*?remove/ 1 0 1 USERPASS URL contains username and (optional) password uri m{^https?://[^/\s]*?(?::[^/\s]+?)?\@} 1 0.825 1 HTTP_ENTITIES_HOST URI obscured with character entities uri m{https?://[^\s\">/]*\&\#[\da-f]+}i 1.059 1 TO_ADDRESS_EQ_REAL To: repeats address as real name header /^\s*"([^"@]+\@[^"@]+)"\s+<\1>\s*$/i To 1 0 1 TO_INVESTORS To: non-existent 'Investors' address header /\bInvestors\@/ To 1 0 1 TO_EMPTY To: is empty header /^\s*$/ To 1 0.115 1 TO_NO_USER To: has no local-part before @ sign header /(?:^\@|<\@| \@[^\)<]*$|<>)/ To 1 0 1 TO_MALFORMED To: has a malformed address header 
/(?:^|[^\S"])(?:(?:\"[^\"]+\"|\S+)\@\S+\.\S+|^\s*.+:\s*;|^\s*\"[^\"]+\":\s*;|^\s*\([^\)]*\)\s*$|<\S+(?:\!\S+){1,}>|^\s*$)/ To 0 0 1 TO_RECIP_MARKER To header contains 'recipient' marker header /\#recipient\#/ To 1 1.033 1 SUBJ_GUARANTEED Subject GUARANTEED header /^guaranteed|(?-i:GUARANTEE)/i Subject 1 1.360 1 SUBJ_HAS_SPACES Subject contains lots of white space header /(?:\s{6}|\t\s|\s\t)\S/ Subject 1 0.870 1 JAPANESE_UCE_SUBJECT Subject contains a Japanese UCE tag header /\e\$B.*(?:L\$>5Bz|EE;R%a!<%k)9-9p/ Subject 1 1.280 1 SUBJ_YOUR_OWN Subject contains "Your Own" header /Your Own/i Subject 1 0.811 1 SUBJ_YOUR_FAMILY Subject contains "Your Family" header /Your Family/i Subject 1 0.338 1 SUBJ_YOUR_DEBT Subject contains "Your Bills" or similar header /Your (?:Bills|Debt|Credit)/i Subject 1 0.557 1 SUBJ_FOR_ONLY Subject contains "For Only" header /For Only/i Subject 1 0.316 1 SUBJ_AS_SEEN Subject contains "As Seen" header /\bAs Seen/i Subject 1 1.515 1 FORWARD_LOOKING Stock Disclaimer Statement body /\bcontains forward-looking statements\b/i 1.048 1 MIME_BOUND_RKFINDY Spam tool pattern in MIME boundary (rfkindy) header /boundary=\"=_NextPart_2rfkindysadvnqw3nerasdf\"/ Content-Type 1 2.160 1 MIME_BOUND_MANY_HEX Spam tool pattern in MIME boundary header /boundary="[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}"/ Content-Type 1 2.144 1 MSGID_SPAM_ZEROES Spam tool Message-Id: (12-zeroes variant) header /<0000[0-9a-f]{8}\$0000[0-9a-f]{4}\$0000[0-9a-f]{4}\@/ MESSAGEID 1 1.222 1 ALL_NATURAL Spam is 100% natural?! body /\b(?:100%|completely|totally|all) natural/i 0.357 1 X_PRIORITY_HIGH Sent with 'X-Priority' set to high header /^1/ X-Priority 1 0.122 1 TO_TXT Sent to a text file header /\.txt[\'\"]?\@/i To 1 1.360 1 MICRO_CAP_WARNING SEC-mandated penny-stock warning body /Investing in micro-cap securities is highly speculative/i 1 1.200 1 SAVE_THOUSANDS Save big money body /\bsave (?:thousands|millions)\b/i 0.398 1 REVERSE_AGING Reverses Aging body /\breverses? 
aging\b/i 1 1.520 1 REPLY_TO_EMPTY Reply-To: is empty header /^\s*$/ Reply-To 1 0.449 1 WRINKLES Removes Wrinkles body /\bwrinkle reduction\b/i 1 1.360 1 NO_OBLIGATION There is no obligation body /no obligation/i 0.303 1 STRONG_BUY Tells you about a strong buy body /strong buy/i 2.080 1 OPT_OUT Talks about opting out (lowercase version) body /\bopt-out\b/ 1 0.823 1 BANG_OPRAH Talks about Oprah with an exclamation! body /\boprah!/i 1 0.366 1 BANG_MORE Talks about more with an exclamation! body /\b(?-i:M)ore!/i 0.106 1 MILLION_USD Talks about millions of dollars body /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i 1.606 1 EXCUSE_REMOVE Talks about how to be removed from mailings body /to be removed from.{0,20}(?:mailings|offers)/i 0.110 1 HIDDEN_CHARGES Talks about Hidden Charges body /\bhidden charges\b/i 1 0.611 1 BANG_EXERCISE Talks about exercise with an exclamation! body /\bexercis(?:e|er|es)!/i 0.537 1 ACT_NOW_CAPS Talks about 'acting now' with capitals body /A(?i:ct) N(?i:ow)/ 0.120 1 NA_DOLLARS Talks about a million North American dollars body /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i 1 0.609 1 GAPPY_SUBJECT Subject: contains G.a.p.p.y-T.e.x.t header /\b(?:[a-z]([-_. 
=~\/:,*!\@\#\$\%\^&+;\"\'<>\\])\1{0,2}){4}/i Subject 1 1.600 1 SUBJ_DOLLARS Subject starts with dollar amount header /^\$[0-9.,]+\b/ Subject 1 0.301 1 SUBJ_BUY 'Subject' starts with Buy, Buying header /^buy/i Subject 1 0.116 1 SUB_HELLO Subject starts with "Hello" header /^hello\b/i Subject 1 1.760 1 SUB_FREE_OFFER Subject starts with "Free" header /^fre{2,}\b/i Subject 1 0.286 1 SUBJ_LIFE_INSURANCE Subject includes "life insurance" header /life\s+insurance/i Subject 1 1.520 1 PLING_QUERY Subject has exclamation mark and question mark header /\?.*!|!.*\?/ Subject 1 0.326 1 RCVD_NUMERIC_HELO Received: contains a numeric HELO header eval:check_for_numeric_helo() Received 1 1.253 1 JOIN_MILLIONS Join Millions of Americans body /\bjoin (?:millions|thousands)\b/i 0.178 1 CHINA_HEADER Involves 'china.com' header /\@china\.com/i ALL 1 1.440 1 INVALID_DATE_TZ_ABSURD Invalid Date: header (timezone does not exist) header /[-+](?:1[4-9]\d\d|[2-9]\d\d\d)$/ Date 1 1.346 1 INVALID_DATE Invalid Date: header (not RFC 2822) header /^\s*(?:(?i:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+)?[0-3\s]?[0-9]\s+(?i:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec)\s+(?:[12][901])?[0-9]{2}\s+[0-2]?[0-9](?:\:[0-5][0-9]){1,2}\s+(?:[AP]M\s+)?(?:[+-][0-9]{4}|UT|[A-Z]{2,3}T)(?:\s+\(.*\))?\s*$/ [if-unset: Wed, 31 Jul 2002 16:41:57 +0200] Date 0 1.700 1 WITH_LC_SMTP Received line contains spam-sign (lowercase smtp) header /\swith\ssmtp;\s/ Received 1 1.440 1 RCVD_AM_PM Received headers forged (AM/PM) header /; [A-Z][a-z][a-z], \d{1,2} \d{4} \d{1,2}:\d\d:\d\d [AP]M [+-]\d{4}/ Received 1 1.662 1 RCVD_FAKE_HELO_DOTCOM Received contains a faked HELO hostname header /^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com \(/m Received 1 1.652 1 RECEIVE_OFFER Receive a special offer body /receive special offer/i 0.172 1 PREST_NON_ACCREDITED 'Prestigious Non-Accredited Universities' body 
/prestigi?ous\b.{0,20}\bnon-accredited\b.{0,20}\buniversities/i 1.280000 1 PORN_15 Possible porn - various types of feline body /(?=[celstwvy])(?:college|eating|licking|spears|tight|wet|shaved|voyeur|young|teen(?:age)?).{0,16}pussy/i 0.451000 1 PORN_16 Possible porn - nasty, dirty, little etc. body /\b(?:nasty|teen|dir(?:ty|iest)?|little).{0,16}\bsluts?/i 1.309000 1 NASTY_GIRLS Possible porn - Nasty Girls body /\b(?:horniest|nasty|nastiest|hottest|wildest|slutty|xxx+)\b.{0,9}\b(?:girl|women|teen|babe)/i 0.339000 1 LIVE_PORN Possible porn - Live Porn body /\blive .{0,9}(?:fuck(?:ing)?|sex|naked|girls?|virgins?|teens?|porno?)\b/i 0.332000 1 HARDCORE_PORN Possible porn - Hardcore Porn body /\bh[a\@]rd[ -]?core .{0,9}(?:teen|virgin|cheerleader|amat(?:eu|ue)r)|\bextreme h[a\@]rdcore/i 1.440000 1 FREE_PORN Possible porn - Free Porn body /\bfree (?:porn|xxx|adult)/i 0.143000 1 CUM_SHOT Possible porn - Cum Shot body /\bcum[ -]?shots?\b/i 2.095000 1 AMATEUR_PORN Possible porn - Amateur Porn body /\bamateur .{0,9}(?:sex|porn|star|sites?|college|babes|action|pics|trash|gang|rape)|\b(?:real|best) amateur/i 1.473000 1 UNCLAIMED_MONEY People just leave money laying around body /\bunclaimed (?:funds|money|prizes?|rewards?)\b/i 1.920000 1 ONLINE_PHARMACY Online Pharmacy body /\bonline pharmacy|\b(?:drugs|medications) online/i 3.145000 1 ONE_TIME One Time Rip Off body /\bone\W+time (?:charge|investment|offer|promotion)/i 1.138000 1 GUARANTEED_100_PERCENT One hundred percent guaranteed body /100% GUARANTEED/i 0.810000 1 EXTRA_CASH Offers Extra Cash body /\bextra cash\b/i 0.172000 1 FULL_REFUND Offers a full refund body /full refund|refunds? 
your money in full/i 1 0.490000 1 OFFSHORE_SCAM Off Shore Scams body /\boffshore\b.{0,20}(?:credit card|companies|account|financ|websites?)/i 0.147000 1 NOT_ADVISOR Not registered investment advisor body /not a registered investment advisor/i 2.160000 1 EXCUSE_12 Nobody's perfect body /this (?:e?-?mail|message) (?:(?:has )?reached|was sent to) you in error/i 1.131000 1 NO_COST No such thing as a free lunch (3) body /\bno (?:cost|charge)\b/i 0.565000 1 NO_MEDICAL No Medical Exams body /\bno medical exam/i 1 1.200000 1 NO_FORMS No Claim Forms body /\bno .{0,9}forms\b/i 1 0.501000 1 MONEY_BACK Money back guarantee body /money back guarantee/i 0.645000 1 MSGID_NO_HOST Message-Id has no hostname header /\@>(?:$|\s)/m MESSAGEID 1 0.129000 1 URI_4YOU Message has URI 4you uri m@^(?:https?://|mailto:)[^\/]*4you@i 0.135000 1 URI_OFFERS Message has link to company offers uri m/offer([sz]|-\S+)?\.(?:com|bi?z)/i 0.133000 1 US_DOLLARS_3 Mentions millions of $ ($NN,NNN,NNN.NN) body /(?:\$|usd).?\d{1,3}[,.]\d{3}[,.]\d{3}(?:[,.]\d\d)?/i 0.152000 1 MEET_SINGLES Meet Singles body /\bmeet .{0,12}singles|thousands of personal/i 0.370000 1 MAILTO_SUBJ_REMOVE mailto URI includes removal text rawbody /mailto:.{0,64}\@.{0,64}\?subject=(?:\"|3D)*(?:remove?|delete|please.?(?:delete|remove|unsubscribe)|abuse|off\b|stop|take.?me.?off)/i 0.100000 1 MORTGAGE_PITCH Looks like mortgage pitch body /mortgage (?:rates?|quotes?|approv(?:al|ed)|payment|interest|loans?|app(?:\b|lication))/i 0.151000 1 TRACKER_ID Incorporates a tracking ID number body /^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\z/is 1.032000 1 MAILTO_TO_REMOVE Includes a 'remove' email address uri /^mailto:.*?remove/is 0.383000 1 MAILTO_TO_SPAM_ADDR Includes a link to a likely spammer email uri /^mailto:[a-z]+\d{2,}\@/is 0.276000 1 BARGAIN_URL Includes a link to a likely spammer domain uri /bargain([sz]|-\S+)?\.(?:com|biz)/ 0.463000 1 IMPOTENCE Impotence cure body /\b(?:impotence (?:problem|cure|solution)|Premature 
Ejaculation|erectile dysfunction)/i 1 0.592000 1 REFINANCE_NOW Home refinancing body /time to refinance|refinanc\w{1,3}\b.{0,16}\bnow\b/i 0.872000 1 REFINANCE_YOUR_HOME Home refinancing body /\brefinance your(?: current)? (?:home|house)\b/i 1 0.302000 1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry header /(?:\s*multipart\/)?.* type=/i Content-Type 1 0.733000 1 GET_PAID Get Paid body /\bget (?-i:P)aid\b/i 0.204000 1 FRONTPAGE Frontpage used to create the message rawbody /FrontPage.Editor/ 0.809000 1 FROM_STARTS_WITH_NUMS From: starts with nums header /^\d{6,}\S+\@/i From 1 0.283000 1 FROM_ENDS_IN_NUMS From: ends in numbers header /\D\d{8,}\@/i From 1 1.880000 1 NO_REAL_NAME From: does not include a real name header /^["\s]*\<?\S+\@\S+\>?\s*$/ From 1 0.550000 1 FROM_HAS_MIXED_NUMS From: contains numbers mixed in with letters header /^[a-z]+\d+[a-z]+\d+[a-z]+\w*\@/i From 1 1.510000 1 FROM_NO_LOWER 'From' has no lower-case characters header /[a-z]/ From 0 0.141000 1 FROM_OFFERS From address is "at something-offers" header /\@\S*offers(?![eo]n\b)/i From:addr 1 1.641000 1 ADDR_FREE From Address contains FREE header /\b(?-i:F)ree(?-i:[ A-Z]).*</i From 1 0.205000 1 FREE_PREVIEW Free Preview body /\bfree preview\b/i 1.409000 1 FREE_QUOTE_INSTANT Free express or no-obligation quote body /free.{0,12}(?:(?:instant|express|online|no.?obligation).{0,4})+.{0,32}\bquote/i 1.178000 1 BAD_CREDIT Eliminate Bad Credit body /\b(?:bad|poor|no\b|eliminate|repair|(?:re)?establish|damag).{0,10} (?:credit|debt)\b/i 0.129000 1 DOMAIN_4U2 Domain name containing a "4u" variant body /[\@\.]\S{0,20}(?:[^0-9][42](?:yo)?u|for-*you)(?:[.-]\S{1,20})?\.(?:net|com|org|info)\b/ 1.429000 1 SOME_BREAKTHROUGH Describes some sort of breakthrough body /\b(?:science|medical|major|scientific|fundamental|technology|revolutionary)\s+breakthrough/i 1 1.049000 1 DEAR_FRIEND Dear Friend? That's not very dear! 
body /^\s*Dear Friend\b/i 0.811000 1 DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting header /^[A-Z][a-z]{2}, \d\d [A-Z][a-z]{2} [0-6]\d \d\d:\d\d:\d\d [A-Z]{3}$/ Date 1 0.745000 1 HAIR_LOSS Cures Baldness body /\b(?=[gnrt])(?:thinn?ing|restore|grow|new) hair|\bhair loss/i 0.102000 1 FREE_SAMPLE Contains 'free sample' with capitals body /(?-i:F)ree sample/i 0.231000 1 FREE_ACCESS Contains 'free access' with capitals body /(?-i:F)ree access/i 0.156000 1 FORGED_TELESP_RCVD Contains forged hostname for a DSL IP in Brazil header /\.(?!br).. \(\d+-\d+-\d+-\d+\.dsl\.telesp\.net\.br / Received 1 1.280000 1 EARN_PER_WEEK Contains 'earn $something per week' body /\b(?:earn|make).{1,20}\d\d\d+.{1,30}(?:per week|per month|weekly|monthly)/i 1 1.055000 1 DEAR_SOMETHING Contains 'Dear (something)' body /\bDear (?:IT\W|Internet|candidate|sirs?|madam|investor|travell?er|car shopper|web)\b/i 1 1.605000 1 CONSOLIDATE_DEBT Consolidate debt, credit, or bills body /(?:consolidate .{0,9} (?:debt|credit|bills)|debt[ -]?(?:consolidation|elimination))/i 0.119000 1 HTTP_EXCESSIVE_ESCAPES Completely unnecessary %-escapes inside a URL uri /^https?:\/\/\S*%(?:3\d|[46][1-9a-f]|[57][\da])/i 1.145000 1 COMPETE Compete for your business body /\bcompete for your business\b/i 1.330000 1 EXCUSE_24 Claims you wanted this ad body /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i 1.440000 1 MARKETING_PARTNERS Claims you registered with a partner body /\b(?:marketing|network) partner|\bpartner (?:web)?site/i 1.435000 1 EXCUSE_23 Claims you have provided permission body /you have provided permission/i 1.280000 1 EXCUSE_4 Claims you can be removed from the list body /To Be Removed,? Please/i 0.697000 1 EXCUSE_6 Claims you can be removed from the list body /\b(?:wish to|click to) remove yourself/i 1.680000 1 WE_HONOR_ALL Claims to honor removal requests body /\b(?:honou?r|respect)(?: all)? 
remov(?:e|al) requests?\b/i 1.169000 1 SENT_IN_COMPLIANCE Claims compliance with spam regulations body /(?:e.?mail|message) .{0,10}sen[dt] (?:to you )?in (?:\w{1,10} )?compliance (?:of|with)/i 0.508000 1 NONEXISTENT_CHARSET Character set doesn't exist header /charset=.?DEFAULT/ Content-Type 1 1.280000 1 RATWARE_JPFREE Bulk email fingerprint (jpfree) found header /jpfree Group Mail Express/ X-Mailer 1 1.200000 1 RATWARE_RCVD_LC_ESMTP Bulk email fingerprint ('esmtp' Received) found header /^from (?:(?:unknown|\d+\.\d+\.\d+\.\d+) \(\S+\)|\[\d+\.\d+\.\d+\.\d+\]) by \S+ with (?:esmtp|local|smtp); /m Received 1 1.416000 1 RATWARE_EGROUPS Bulk email fingerprint (eGroups) found header /eGroups Message Poster/ X-Mailer 1 3.052000 1 EMAIL_ROT13 Body contains a ROT13-encoded email address body /\b[a-z(\]-]+\^[a-z-]+\([a-z]{2,3}\b/ 1.600000 1 BE_BOSS Be your own boss body /\byour own boss\b/i 1.268000 1 DISGUISE_PORN Attempts to disguise porn words body /\b(?:c[*0]cks?|d[1*]cks?|h[0*]rny|b[1*]tch(?:es)|f[*0]ckk?ed|p[*]ssy|p[*]ssies)\b/i 0.110000 1 AMAZING_STUFF Amazing Stuff body /\bamazing (?:product|rates)/i 0.733000 1 EXCUSE_10 "if you do not wish to receive any more" body /if you (?:(?:want|wish|care|prefer) not to |do ?n[o']t (?:want|wish|care) to )(?:be contacted again|receive (?:any ?)?(?:more|future|further)\b.{1,10}\b(?:e?-?mail|message|offer|solicitation)s?|be included)/i 0.341000 1 HELO_DYNAMIC_HCC RELAY HELO'D USING SUSPICIOUS HOSTNAME (HCC) ->HELO_DYNAMIC_HCC header /^\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\./i X-MS-MailSender 1 4.100000 1 HELO_DYNAMIC_IPADDR RELAY HELO'D USING SUSPICIOUS HOSTNAME (IP ADDR 1) ->HELO_DYNAMIC_IPADDR header /^[a-z]\S*\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+/i X-MS-MailSender 1 1.250000 1 -3 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should ->RCVD_HELO_IP_MISMATCH header eval:helo_ip_mismatch() Received 1 4.000000 1 MIME_BAD_ISO_CHARSET MIME character set is an unknown ISO charset 
->MIME_BAD_ISO_CHARSET body eval:check_for_mime('mime_bad_iso_charset') 1 4.185000 1 SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal characters ->SUBJ_ILLEGAL_CHARS header eval:check_illegal_chars('Subject','0.00','2') Subject 1 4.279000 1 X_MESSAGE_INFO Bulk email fingerprint (X-Message-Info) found ->X_MESSAGE_INFO body exists:X-Message-Info 1 4.400000 1 BAD_ENC_HEADER Message has bad MIME encoding in the header ->BAD_ENC_HEADER header /=\?[^?\s]+\?[^?\s]\?\s*[^?]+\s(?!\?=)/ ALL 1 3.100000 1 FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com' ->FAKE_OUTBLAZE_RCVD header /\.mr\.outblaze\.com/ Received 1 3.100000 1 FROM_ILLEGAL_CHARS From: has too many raw illegal characters ->FROM_ILLEGAL_CHARS header eval:check_illegal_chars('From','0.20','2') From 1 4.100000 1 FUZZY_ERECT ATTEMPT TO OBFUSCATE WORDS IN SPAM ->FUZZY_ERECT body /<inter W2><post P3>(?!erection)<E><R><E><C><T><I><O><N>/i 1 3.400000 1 -3 FUZZY_GUARANTEE Attempt to obfuscate words in spam ->FUZZY_GUARANTEE body /<inter W1><post P2>(?!guarantee)<G><U><A><R><A><N><T><E><E>/i 1 3.658000 1 FUZZY_MEDICATION Attempt to obfuscate words in spam ->FUZZY_MEDICATION body /<inter W1><post P2>(?!medication)<M><E><D><I><C><A><T><I><O><N>/i 1 3.400000 1 FUZZY_MILLION Attempt to obfuscate words in spam ->FUZZY_MILLION body /(?!million)<M><I><L><L><I><O><N>/i 1 3.600000 1 FUZZY_MORTGAGE Attempt to obfuscate words in spam ->FUZZY_MORTGAGE body /<inter W1><post P2>(?!mortgage)<M><O><R><T><G><A><G><E>/i 1 3.655000 1 FUZZY_OBLIGATION Attempt to obfuscate words in spam ->FUZZY_OBLIGATION body /<inter W1><post P2>(?!obligation)<O><B><L><I><G><A><T><I><O><N>/i 1 3.272000 1 FUZZY_PHARMACY Attempt to obfuscate words in spam ->FUZZY_PHARMACY body /<inter W2><post P2>(?!pharmacy)<P><H><A><R><M><A><C><Y>/i 1 3.200000 1 FUZZY_PLEASE Attempt to obfuscate words in spam ->FUZZY_PLEASE body /(?!please)<P><L><E><A><S><E>/i 1 3.466000 1 FUZZY_PRESCRIPT Attempt to obfuscate words in spam ->FUZZY_PRESCRIPT body /<inter 
W2><post P2>(?!prescription)<P><R><E><S><C><R><I><P><T><I><O><N>/i 1 3.600000 1 FUZZY_PRICES Attempt to obfuscate words in spam ->FUZZY_PRICES body /<inter W2><post P2>(?!price)<P><R><I><C><E><S>/i 1 3.200000 1 FUZZY_XPILL Attempt to obfuscate words in spam ->FUZZY_XPILL body /<inter W3><post P2>(?!xanax)<X><A><N><A><X>/i 1 3.337000 1 HEADER_SPAM Bulk email fingerprint (header-based) found ->HEADER_SPAM header /^(Alternate-Recipient|Antivirus|Approved|Delivery-Notification|Disclose-Recipients|Error-path|Language|Location|Mime-Subversion|Newsletter-ID|PID|Rot|UID|X-BounceTrace|X-CS-IP|X-Company-Address|X-Company-City|X-Company-Country|X-Company-State|X-Company-Zip|X-E(?:[Mm]ail)?|X-Encoding|X-Originating-Company|X-RMD-Text|X-SG4|X-SP-Track-ID|X-Webmail-Time|X-bounce-to):/m ALL 1 3.789000 1 HELO_DYNAMIC_COMCAST RELAY HELO'D USING SUSPICIOUS HOSTNAME (COMCAST) ->HELO_DYNAMIC_COMCAST header /^[a-z-]+\d+[a-z]{3}\.[a-z0-9]+\...\.comcast/i X-MS-MailSender 1 3.500000 1 -3 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP) ->HELO_DYNAMIC_DHCP header /^\S*(?:cm|catv|docsis|cable|dsl|dhcp|cpe|node)\S*\d+[^\d\s]+\d+/i X-MS-MailSender 1 3.792000 1 HELO_DYNAMIC_IPADDR2 RELAY HELO'D USING SUSPICIOUS HOSTNAME (IP ADDR 2) ->HELO_DYNAMIC_IPADDR2 header /^\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]\d+[^\d\s][^\.]*\.\S+\.\S+/i X-MS-MailSender 1 1.250000 1 -3 HELO_DYNAMIC_SPLIT_IP RELAY HELO'D USING SUSPICIOUS HOSTNAME (SPLIT IP) ->HELO_DYNAMIC_SPLIT_IP header /^\d+\.\S+\d+[^\d\s]\d+[^\d\s]\d+[^\d\s]/ X-MS-MailSender 1 1.250000 1 -3 HTML_EHTML2 HTML has doubled end HTML tag ->HTML_EHTML2 rawbody m'</html></html>'i 1 3.052000 1 HTML_EXTRA_CLOSE HTML contains far too many close tags ->HTML_EXTRA_CLOSE body eval:html_range('closed_extra_ratio', '0.09', 'inf') 1 3.600000 1 HTML_IMAGE_ONLY_04 HTML_IMAGE_ONLY - not much raw HTML with images (absolute) ->HTML_IMAGE_ONLY_04 body eval:html_image_only('0000','0400') 1 3.600000 1 HTML_IMAGE_ONLY_08 # HTML_IMAGE_ONLY - not much raw HTML with 
images (absolute) ->HTML_IMAGE_ONLY_08 body eval:html_image_only('0400','0800') 1 3.469000 1 HTML_OBFUSCATE_20_30 HTML OBFUSCATION ->HTML_OBFUSCATE_20_30 body eval:html_range('obfuscation_ratio','.2','.3') 1 3.400000 1 -3 HTML_TINY_FONT body contains 1 or 0-point font ->HTML_TINY_FONT body /\<.*font\-size\:[ \"]*[01][^0-9]+.*\>/i 1 3.393000 1 INVALID_TZ_EST Invalid date in header (wrong EST timezone) ->INVALID_TZ_EST header /[+-]\d\d[30]0(?<!-0500|-0300|\+1000|\+1100)\s+(?:\bEST\b|\(EST\))/ ALL 1 3.145000 1 INVESTMENT_ADVICE MESSAGE MENTIONS INVESTMENT ADVICE ->INVESTMENT_ADVICE body /\binvestment advice/i 1 3.700000 1 -3 INVESTMENT_EXPERT Message mentions investment expert ->INVESTMENT_EXPERT body /\binvestment expert/i 1 3.300000 1 KOREAN_UCE_SUBJECT Subject: contains Korean unsolicited email tag header /[({[<][. ]*(?:\xbc\xba[. ]*\xc0\xce[. ]*)?(?:\xb1\xa4(?:[. ]*|[\x00-\x7f]{0,3})\xb0\xed|\xc1\xa4[. ]*\xba\xb8|\xc8\xab[. ]*\xba\xb8)[. ]*[)}\]>]/ Subject 1 3.100000 1 MALE_ENHANCE Message talks about enhancing men ->MALE_ENHANCE body /male enhancement/i 1 3.100000 1 __ISO_2022_JP_DELIM body /\e\$B/ 1 0.0 1 __HG_HORMONE body /\b(?:human growth hormone|(?-i:HGH)|H.G.H)\b/i 1 0.0 1 HG_HORMONE Talks about hormones for human growth meta (!__ISO_2022_JP_DELIM && __HG_HORMONE) 1 1.472000 1 __MANY_EXCLS header /![^!]+!/ Subject 1 0.0 1 MANY_EXCLAMATIONS Subject has many exclamations meta (!__ISO_2022_JP_DELIM && __MANY_EXCLS) 1 0.659000 1 __PLING_PLING header /!!!/ Subject 1 0.0 1 PLING_PLING Subject has lots of exclamation marks meta (!__ISO_2022_JP_DELIM && __PLING_PLING) 0.343000 1 __NEXTPART_ALL header /NextPart/ Content-Type 1 0.0 1 __NEXTPART_NORMAL header /="(?:----_?=_)?NextPart_[\dA-F]{3}(_[\dA-F]{3,8})?_[\dA-F]{8}\.[\dA-F]{8}"/ Content-Type 1 0.0 1 MIME_BOUND_NEXTPART Spam tool pattern in MIME boundary meta (__NEXTPART_ALL && !__NEXTPART_NORMAL) 0.224000 1 FORGED_AOL_RCVD Received forged, contains fake AOL relays header eval:check_for_fake_aol_relay_in_rcvd() 
Received 1 0.0 1 FORGED_HOTMAIL_RCVD Forged hotmail.com 'Received:' header found header eval:check_for_forged_hotmail_received_headers() Received 1 2.152 1 FORGED_EUDORAMAIL_RCVD Forged eudoramail.com 'Received:' header found header eval:check_for_forged_eudoramail_received_headers() Received 1 0.528 1 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers header eval:check_for_forged_yahoo_received_headers() Received 1 0.928 1 FORGED_JUNO_RCVD 'From' juno.com does not match 'Received' headers header eval:check_for_forged_juno_received_headers() Received 1 1.478 1 FORGED_GW05_RCVD Forged 'by gw05' 'Received:' header found header eval:check_for_forged_gw05_received_headers() Received 1 0.0 1 MULTI_FORGED Received headers indicate multiple forgeries meta ((FORGED_AOL_RCVD + FORGED_HOTMAIL_RCVD + FORGED_EUDORAMAIL_RCVD + FORGED_YAHOO_RCVD + FORGED_JUNO_RCVD + FORGED_GW05_RCVD) > 1) 1.031000 1 __ANY_QUALCOMM_MUA header /\bQUALCOMM\b/ X-Mailer 1 0.0 1 __MIME_HTML body eval:check_for_mime_html() 1 0.0 1 __TAG_EXISTS_HTML body eval:html_tag_exists('html') 1 0.0 1 FORGED_QUALCOMM_TAGS QUALCOMM mailers can't send HTML in this format meta (__ANY_QUALCOMM_MUA && __MIME_HTML && !__TAG_EXISTS_HTML) 1.783000 1 MIME_CHARSET_FARAWAY MIME character set indicates foreign language meta (__MIME_CHARSET_FARAWAY && __HIGHBITS) 2.450000 1 __MSGID_BEFORE_RECEIVED header /\nMessage-Id:.*\nReceived:/si ALL 1 0.0 1 __MSGID_BEFORE_OKAY header /\@[a-z0-9.-]+\.(?:yahoo|wanadoo)(?:\.[a-z]{2,3}){1,2}>/ Message-Id 1 0.0 1 MSGID_FROM_MTA_HEADER Message-Id was added by a relay meta (__MSGID_BEFORE_RECEIVED && !__MSGID_BEFORE_OKAY) 0.274000 1 __HAS_MSGID header /\S/ MESSAGEID 1 0.0 1 __SANE_MSGID header /^<[^<>\\ \t\n\r\x0b\x80-\xff]+\@[^<>\\ \t\n\r\x0b\x80-\xff]+>\s*$/m MESSAGEID 1 0.0 1 __MSGID_COMMENT header /\(.*\)/m MESSAGEID 1 0.0 1 INVALID_MSGID Message-Id is not valid, according to RFC 2822 meta (__HAS_MSGID && !(__SANE_MSGID || __MSGID_COMMENT)) 1.705 1 __HAS_MSMAIL_PRI header 
exists:X-MSMail-Priority 1 0.0 1 __HAS_MIMEOLE header exists:X-MimeOLE 1 0.0 1 __HAS_SQUIRRELMAIL_IN_MAILER header /SquirrelMail\b/ X-Mailer 1 0.0 1 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE meta (__HAS_MSMAIL_PRI && !__HAS_MIMEOLE && !__HAS_SQUIRRELMAIL_IN_MAILER) 1.394 1 __UPPERCASE_75_100 body eval:check_for_uppercase('75', '100') 1 0.0 1 UPPERCASE_75_100 message body is 75-100% uppercase meta (!__ISO_2022_JP_DELIM && __UPPERCASE_75_100) 0.809 1 __UPPERCASE_50_75 body eval:check_for_uppercase('50', '75') 1 0.0 1 UPPERCASE_50_75 message body is 50-75% uppercase meta (!__ISO_2022_JP_DELIM && __UPPERCASE_50_75) 0.206 1 __CTYPE_CHARSET_QUOTED header /charset=\"/i Content-Type 1 0.0 1 FORGED_MUA_THEBAT_CS Mail pretending to be from The Bat! (charset) meta (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED) 1.760 1 MIME_HTML_ONLY Message only has text/html MIME parts body eval:check_for_mime_html_only() 0.0 1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag meta (MIME_HTML_ONLY && !__TAG_EXISTS_HTML) 0.512 1 __OBFUSCATING_COMMENT_A rawbody /\w(?:<![^>]*>)+\w/ 1 0.0 1 HTML_MESSAGE HTML included in message body eval:html_test('html') 1 0.0 1 __OBFUSCATING_COMMENT_B rawbody /[^\s>](?:<![^>]*>)+[^\s<]/ 1 0.0 1 OBFUSCATING_COMMENT HTML comments which obfuscate text meta ((__OBFUSCATING_COMMENT_A && HTML_MESSAGE) || (__OBFUSCATING_COMMENT_B && MIME_HTML_ONLY)) 0.806 1 FROM_ALL_NUMS don't match US/Canada phone numbers: 10 digits optionally preceded by a "1" header /^(?:\d{1,9}|[02-9]\d{10}|\d{12,})@/ From 1 1.920 1 __ANY_AOL_MUA header /^AOL\b/ X-Mailer 1 0.0 1 FORGED_AOL_TAGS AOL mailers can't send HTML in this format meta (__ANY_AOL_MUA && __MIME_HTML && !__TAG_EXISTS_HTML) 0.281 0 __HTML_CHARSET_FARAWAY body eval:html_charset_faraway() 1 0.0 1 __HIGHBITS body /(?:[\x80-\xff].?){4,}/ 1 0.0 1 HTML_CHARSET_FARAWAY A foreign language charset used in HTML markup meta (__HTML_CHARSET_FARAWAY && __HIGHBITS) 0.500000 1 __DOUBLE_IP_SPAM_1 two reliable 
signatures ->__DOUBLE_IP_SPAM_1 header /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} with/ Received 1 0.000 1 -3 __DOUBLE_IP_SPAM_2 two reliable signatures ->__DOUBLE_IP_SPAM_2 header /from\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+by\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};/ Received 1 0.000 1 RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found ->RCVD_DOUBLE_IP_SPAM meta (__DOUBLE_IP_SPAM_1 || __DOUBLE_IP_SPAM_2) 1 4.070 1 __RATWARE_0_TZ_DATE __ratware_0_tz_date header / \+0000$/ Date 1 0.000 1 __RATWARE_NAME_ID __ratware_name_id header eval:check_ratware_name_id() ALL 1 0.000 1 RATWARE_NAME_ID Bulk email fingerprint (msgid from) found ->RATWARE_NAME_ID meta (__RATWARE_0_TZ_DATE && __RATWARE_NAME_ID) 1 4.100 1 __AT_EXCITE_MSGID __at_excite_msgid header /\@excite\.com\b/i message-id 1 0.000 1 __MY_RCVD_EXCITE __my_rcvd_excite header /\.excite\.com\b/i Received 1 0.000 1 FORGED_MSGID_EXCITE Message-ID is forged, (excite.com) ->FORGED_MSGID_EXCITE meta (__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE) 1 3.000 1 __AT_YAHOO_MSGID __at_yahoo_msgid header /\@yahoo\.com\b/i message-id 1 0.000 1 __FROM_YAHOO_COM __from_yahoo_com header /\@yahoo\.com\b/i From 1 0.000 1 FORGED_MSGID_YAHOO Message-ID is forged, (yahoo.com) ->FORGED_MSGID_YAHOO meta (__AT_YAHOO_MSGID && !__FROM_YAHOO_COM) 1 3.712 1 __LONGWORDS_A __longwords_a body /\b(?:[a-z]{8,}[\s\.]+){6}/ 1 0.000 1 __LONGWORDS_B __longwords_b body /\b(?:[a-z]{6,}[\s\.]+){9}/ 1 0.000 1 __LONGWORDS_C __longwords_c body /\b(?:[a-z]{5,}[\s\.]+){10}/ 1 0.000 1 LONGWORDS Long string of long words ->LONGWORDS meta (__LONGWORDS_A + __LONGWORDS_B + __LONGWORDS_C > 1) 1 3.789 1 __DRUGS_PAIN4 __drugs_pain4 body /(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}c[_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}d[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}ns?[_\W]{0,3}(?:\b|\s)/i 1 0.000 1 __DRUGS_PAIN_VICO __drugs_pain_vico body /vicodin/i 1 0.000 1 __DRUGS_PAIN10 __drugs_pain10 body 
/(?:\b|\s)[_\W]{0,3}(?:\\\/|V)[_\W]{0,3}[i1!|l\xEC-\xEF][_\W]{0,3}[o0\xF2-\xF6][_\W]{0,3}x[_\W]{0,3}xx?_{0,3}\b/i 1 0.000 1 __DRUGS_PAIN_VIOXX __drugs_pain_vioxx body /vioxx/i 1 0.000 1 __DRUGS_PAIN7 __drugs_pain7 body /\b_{0,3}f[_\W]?[i1!|l\xEC-\xEF][_\W]?[o0\xF2-\xF6][_\W]?r[_\W]?[i1!|l\xEC-\xEF][_\W]?c[_\W]?[e3\xE8-\xEB][_\W]?[t7]_{0,3}\b/i 1 0.000 1 __DRUGS_PAIN_FIO __drugs_pain_fio body /fioricet/i 1 0.000 1 DRUGS_PAIN_OBFU Obfuscated reference to a pain relief drug ->DRUGS_PAIN_OBFU meta (( __DRUGS_PAIN4 &&! __DRUGS_PAIN_VICO) || ( __DRUGS_PAIN10 &&!__DRUGS_PAIN_VIOXX) || ( __DRUGS_PAIN7 &&!__DRUGS_PAIN_FIO)) 1 3.700 1 __FRAUD_KJV __FRAUD_KJV body /(?:claim|concerning) (?:the|this) money/i 1 0.000 1 -3 __UNUSABLE_MSGID "message ID is either too old or has been rewritten by a gateway". ->__UNUSABLE_MSGID header eval:check_messageid_not_usable() message-ID 1 0.000 1 __HAS_OUTLOOK_IN_MAILER __has_outlook_in_mailer header /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/ X-Mailer 1 0.000 1 __FRAUD_IRJ company/firm/storage house body /(?:finance|holding|securit(?:ies|y)) (?:company|firm|storage house)/i 1 0.000 1 __FRAUD_NEB government/bank of nigeria body /(?:government|bank) of nigeria/i 1 0.000 1 __FRAUD_XJR honest/you being a/to any foreigner body /(?:who was a|as a|an? 
honest|you being a|to any) foreigner/i 1 0.000 1 __FRAUD_EZY late president body /\b(?:of|the) late president\b/i 1 0.000 1 __FRAUD_ZFJ (wife|son|brother|daughter) of the late body /\b(?:wife|son|brother|daughter) of the late\b/i 1 0.000 1 __FRAUD_KDT millions body /\bU\.?S\.?(?:D\.?)?\s*(?:\$\s*)?(?:\d+,\d+,\d+|\d+\.\d+\.\d+|\d+(?:\.\d+)?\s*milli?on)/i 1 0.000 1 __FRAUD_BGP attached to ticket number body /\battached to ticket number\b/i 1 0.000 1 __FRAUD_FBI disburs body /\bdisburs/i 1 0.000 1 __FRAUD_JBU foreign account body /\bforeign account\b/i 1 0.000 1 __FRAUD_JYG give/s you fund/money/total/sum/contact/percent body /\bgive\s+you .{0,15}(?:fund|money|total|sum|contact|percent)\b/i 1 0.000 1 __FRAUD_XVW honest cooperation body /\bhonest cooperation\b/i 1 0.000 1 __FRAUD_SNT locate relative body /\blocate(?: .{1,20})? extended relative/i 1 0.000 1 __FRAUD_LTX million united states dollars body /\bmilli?on (?:.{1,25} thousand\s*)?(?:(?:united states|u\.?s\.?) dollars|(?i:U\.?S\.?D?))\b/i 1 0.000 1 __FRAUD_MCQ transaction magnitude/diplomatic/strict/absolute/secret/confiden/guarantee body /\btransaction\b.{1,30}\b(?:magnitude|diplomatic|strict|absolute|secret|confiden(?:tial|ce)|guarantee)/i 1 0.000 1 __FRAUD_PVN as the beneficiary body /as the beneficiary/i 1 0.000 1 __FRAUD_FVU award notification body /award notification/i 1 0.000 1 __FRAUD_CKF computer ballot system body /computer ballot system/i 1 0.000 1 __FRAUD_FCW fiduciary agent body /fiduciary agent/i 1 0.000 1 __FRAUD_MQO foreign business partner/customer body /foreign (?:business partner|customer)/i 1 0.000 1 __FRAUD_TCC foreign bank/account body /foreign (?:offshore )?(?:bank|account)/i 1 0.000 1 __FRAUD_GBW god gives second chance body /god gives .{1,10}second chance/i 1 0.000 1 __FRAUD_NRG i am contacting you body /i am contacting you/i 1 0.000 1 __FRAUD_RLX lottory coordinator/international body /lott(?:o|ery) (?:co,?ordinator|international)/i 1 0.000 1 __FRAUD_AXF magnanimity body /magnanimity/i 
1 0.000 1 __FRAUD_THJ modalit(?:y|ies) body /modalit(?:y|ies)/i 1 0.000 1 __FRAUD_YQV nigerian? (?:national|government) body /nigerian? (?:national|government)/i 1 0.000 1 __FRAUD_YJA over-invoice body /over-invoice/i 1 0.000 1 __FRAUD_YPO the total sum body /the total sum/i 1 0.000 1 __FRAUD_UOQ vital documents body /vital documents/i 1 0.000 1 __FRAUD_DBI dollars usd dollars body /(?:\bdollars?\b|\busd(?:ollars)?(?:[0-9]|\b)|\bus\$|\$[0-9,.]{6,}|\$[0-9].{0,8}[mb]illion|\$[0-9.,]{2,10} ?m|\beuros?\b|u[.]?s[.]? [0-9.]+ m)/i 1 0.000 1 __FRAUD_BEP bank of nigeria/central bank of/trust bank/apex bank/amalgamated bank body /\b(?:bank of nigeria|central bank of|trust bank|apex bank|amalgamated bank)\b/i 1 0.000 1 __FRAUD_DPR respond/reply urgently/immediately body /\b(?:(?:respond|reply) (?:urgently|immediately)|(?:urgent|immediate|earliest) (?:reply|response))\b/i 1 0.000 1 __FRAUD_QXX my name is/i am engr/barrister/dr/prince body /\b(?:my name is|i am) (?:mrs?|engr|barrister|dr|prince(?:ss)?)[. ]/i 1 0.000 1 __FRAUD_QFY over sing body /\bover-? *(?:invoiced?|cost(?:s|ing)?)\b/i 1 0.000 1 __FRAUD_PTS assassination body /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|kill(?:ed|ing)\b[^.]{0,99}\b(?:war veterans|rebels?))\b/i 1 0.000 1 __FRAUD_TDP business partner/s body /\b(?:business partner(?:s|ship)?|silent partner(?:s|ship)?)\b/i 1 0.000 1 __FRAUD_GAN charles taylor body /\b(?:charles taylor|serena|abacha|gu[eüΘüΦ]i|sese[- ]?seko|kabila)\b/i 1 0.000 1 __FRAUD_IPK visit your country body /\b(?:in|to|visit) your country\b/i 1 0.000 1 __FRAUD_AON confidential/private/alternate body /\b(?:confidential|private|alternate|alternative) (?:(?:e-? 
*)?mail)\b/i 1 0.000 1 __FRAUD_WNY disbursement body /\b(?:disburse?(?:ment)?|incurr?(?:ed)?|remunerr?at(?:ed?|ion)|remm?itt?(?:ed|ance|ing)?)\b/i 1 0.000 1 __FRAUD_AUM the desk of body /\bthe desk of\b/i 1 0.000 1 __FRAUD_WFC secure funds/monies body /\bsecur(?:e|ing) (?:the )?(?:funds?|monies)\b/i 1 0.000 1 __FRAUD_YWW furnish you with body /\bfurnish you with\b/i 1 0.000 1 __FRAUD_ULK affidavits body /\baffidavits?\b/i 1 0.000 1 __FRAUD_IOU no risks body /\b(?:no risks?|risk-? *free|free of risks?|100% safe)\b/i 1 0.000 1 __FRAUD_JNB operating for accounts body /\boperat(?:e|ing)\b[^.]{0,99}\b(?:for(?:ei|ie)gn|off-? ?shore|over-? ?seas?) (?:bank )?accounts?\b/i 1 0.000 1 __FRAUD_IRT compliments of the/dear friend body /\b(?:compliments? of the|dear friend|dear sir|yours faithfully|season'?s greetings)\b/i 1 0.000 1 __FRAUD_ETX your contact body /\byour\b[^.]{0,99}\b(?:contact (?:details|information)|private (?:e?[- ]?mail|telephone|tel|phone|fax))\b/i 1 0.000 1 __FRAUD_WDR private lawyer body /\bprivate lawyer\b/i 1 0.000 1 __FRAUD_UUY legitimate business body /\blegitimate business(?:es)?\b/i 1 0.000 1 __FRAUD_MLY reply/respond to/through body /\b(?:reply|respond)\b[^.]{0,50}\b(?:to|through)\b[^.]{0,50}\@\b/i 1 0.000 1 ADVANCE_FEE_3 advance_fee_3 meta (__FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_EZY + __FRAUD_ZFJ + __FRAUD_KDT + __FRAUD_BGP + __FRAUD_FBI + __FRAUD_JBU + __FRAUD_JYG + __FRAUD_XVW + __FRAUD_SNT + __FRAUD_LTX + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_FCW + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_NRG + __FRAUD_RLX + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __FRAUD_DBI + __FRAUD_BEP + __FRAUD_DPR + __FRAUD_QXX + __FRAUD_QFY + __FRAUD_PTS + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IPK + __FRAUD_AON + __FRAUD_WNY + __FRAUD_AUM + __FRAUD_WFC + __FRAUD_YWW + __FRAUD_ULK + __FRAUD_IOU + __FRAUD_JNB + __FRAUD_IRT + __FRAUD_ETX + __FRAUD_WDR + __FRAUD_UUY + 
__FRAUD_MLY > 3) 1 3.336 1 ADVANCE_FEE_4 advance_fee_4 meta (__FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_EZY + __FRAUD_ZFJ + __FRAUD_KDT + __FRAUD_BGP + __FRAUD_FBI + __FRAUD_JBU + __FRAUD_JYG + __FRAUD_XVW + __FRAUD_SNT + __FRAUD_LTX + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_FCW + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_NRG + __FRAUD_RLX + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __FRAUD_DBI + __FRAUD_BEP + __FRAUD_DPR + __FRAUD_QXX + __FRAUD_QFY + __FRAUD_PTS + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IPK + __FRAUD_AON + __FRAUD_WNY + __FRAUD_AUM + __FRAUD_WFC + __FRAUD_YWW + __FRAUD_ULK + __FRAUD_IOU + __FRAUD_JNB + __FRAUD_IRT + __FRAUD_ETX + __FRAUD_WDR + __FRAUD_UUY + __FRAUD_MLY > 4) 1 3.727 1 __REPTO_OVERQUOTE BAT reply to format ->__REPTO_OVERQUOTE header /"[\w. -]+"\s*\</ Reply-To 1 0.000 1 __THEBAT_MUA BAT mailer header /The Bat!/ X-Mailer 1 0.000 1 REPTO_OVERQUOTE_THEBAT The Bat! doesn't do quoting like this ->REPTO_OVERQUOTE_THEBAT meta (__REPTO_OVERQUOTE && __THEBAT_MUA) 1 2.146 1 __MOZILLA_MUA header /\bMozilla\b/ X-Mailer 1 0.0 1 __MOZILLA_MSGID header /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m MESSAGEID 1 0.0 1 FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla meta (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID) 0.539 1 __AOL_MUA header /\bAOL\b/ X-Mailer 1 0.0 1 __AOL_FROM header /\@(?:aol|cs)\.com$/i From:addr 1 0.0 1 FORGED_MUA_AOL_FROM Forged mail pretending to be from AOL (by From) meta (__AOL_MUA && !__AOL_FROM) 3.035 1 __CD header exists:Content-Disposition 1 0 1 __CT header exists:Content-Type 1 0 1 __CTE header exists:Content-Transfer-Encoding 1 0 1 __MIME_VERSION header exists:MIME-Version 1 0 1 __CT_TEXT_PLAIN header /^text\/plain\b/i Content-Type 1 0 1 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers meta (!__CD && !__CTE && __CT && !__MIME_VERSION && !__CT_TEXT_PLAIN) 0.182 1 MSGID_MULTIPLE_AT 
Message-ID contains multiple '@' characters ->MSGID_MULTIPLE_AT header /<[^>]*\@[^>]*\@/ Message-Id 1 3.187 1 MSGID_SHORT MESSAGE-ID IS UNUSUALLY SHORT-> MSGID_SHORT header /^.{1,15}$|<.{0,4}\@/m Message-Id 1 3.100 1 -3 MSGID_SPAM_LETTERS Spam tool Message-Id: (letters variant)-> MSGID_SPAM_LETTERS header /<[a-z]{5,}\@(\S+\.)+\S+>/ Message-Id 1 3.021 1 NO_PRESCRIPTION No prescription needed -> NO_PRESCRIPTION body /no.{1,10}P(?:er|re)scription.{1,10}(?:needed|require|necessary)/i 1 3.887 1 RATWARE_RCVD_AT BULK EMAIL FINGERPRINT (RECEIVED @) FOUND ->RATWARE_RCVD_AT header / by \S+\@\S+ with Microsoft SMTPSVC/ Received 1 3.330 1 -3 RATWARE_RCVD_PF BULK EMAIL FINGERPRINT (RECEIVED PF) FOUND ->RATWARE_RCVD_PF header / \(Postfix\) with ESMTP id [^;]+\; \S+ \d+ \S+ \d+ \d+:\d+:\d+ \S+$/s Received 1 3.600 1 -3 REMOVE_BEFORE_LINK Removal phrase right before a link ->REMOVE_BEFORE_LINK body m{(?:no thanks|not interested|unsubscribe here).{0,5}http://}i 1 3.700 1 SUBJECT_DRUG_GAP_C Subject contains a gappy version of 'cialis' ->SUBJECT_DRUG_GAP_C header /\bc.{0,2}i.{0,2}a.{0,2}l.{0,2}i.{0,2}s\b/i Subject 1 3.140 1 SUBJECT_DRUG_GAP_VIC Subject contains a gappy version of 'vicodin' -> SUBJECT_DRUG_GAP_VIC header /v.{0,2}i.{0,2}c.{0,2}[0o].{0,2}d.{0,2}i.{0,2}n/i Subject 1 3.145 1 URI_NO_WWW_BIZ_CGI CGI in .biz TLD other than third-level "www" -> URI_NO_WWW_BIZ_CGI uri /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.biz\/(?=\S{15,})\S*\?/i 1 3.000 1 URI_UNSUBSCRIBE URI contains suspicious unsubscribe link - > URI_UNSUBSCRIBE uri /\b(?:gone|opened|out)\.php/i 1 3.200 1 SUBJECT_FUZZY_MEDS ATTEMPT TO OBFUSCATE WORDS IN SUBJECT: -> SUBJECT_FUZZY_MEDS header /<M><E><D><S>/i Subject 1 3.600 1 -3 __MSGID_DOLLARS_MAYBE May be dollar in Message-id ->__MSGID_DOLLARS_MAYBE header /<\w{4,}\$\w{4,}\$(?!localhost)\w{4,}\@\S+>/mi Message-Id 1 0.000 1 __MSGID_DOLLARS_OK Dollar sign OK ->__MSGID_DOLLARS_OK header /<[0-9a-f]{4,}\$[0-9a-f]{4,}\$[0-9a-f]{4,}\@\S+>/m Message-Id 1 0.000 1 
MSGID_DOLLARS_RANDOM Dollar signs in Message-id -> MSGID_DOLLARS_RANDOM meta (__MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK) 1 3.780 1 __MSGID_RANDY -> __MSGID_RANDY header /<[a-z\d][a-z\d\$-]{10,29}[a-z\d]\@[a-z\d][a-z\d.]{3,12}[a-z\d]>/ Message-Id 1 0.000 1 __MSGID_OK_HEX -> __MSGID_OK_HEX header /\b[a-f\d]{8}\b/ Message-Id 1 0.000 1 __MSGID_OK_DIGITS -> __MSGID_OK_DIGITS header /\d{10}/ Message-Id 1 0.000 1 __MSGID_OK_HOST -> __MSGID_OK_HOST header /\@(?:\D{2,}|(?:\d{1,3}\.){3}\d{1,3})>/ Message-Id 1 0.000 1 MSGID_RANDY Message-Id has pattern used in spam ->MSGID_RANDY meta (__MSGID_RANDY && !(__MSGID_OK_HEX || __MSGID_OK_DIGITS || __MSGID_OK_HOST)) 1 3.412 1 __PC_RND_HEADER -> __PC_RND_HEADER header /%RA?ND(?:OM)?(?:_|\b|[A-Z]{3})/i ALL 1 0.000 1 __PC_RND_RAWBODY -> __PC_RND_RAWBODY rawbody /%RA?ND(?:OM)?(?:_|\b|[A-Z]{3})/i 1 0.000 1 PERCENT_RANDOM Message has a random macro in it ->PERCENT_RANDOM meta (__PC_RND_HEADER || __PC_RND_RAWBODY) 1 3.196 1 __HAS_X_MAILER X-MAILER HEADER PRESENT -> __HAS_X_MAILER header exists:X-Mailer X-Mailer 1 0.000 1 -3 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name) found ->RATWARE_OUTLOOK_NONAME meta (__MSGID_DOLLARS_OK && !__HAS_X_MAILER) 1 3.471 1 __CTYPE_HTML header /text\/html/i Content-Type 1 0.0 1 __0_TZ_1 ->__0_TZ_1 header /^\"(\w)(\w+) (\w+)\" <\1\2[\._]?\3_?[a-z][a-z]\@/i From 1 0.000 1 __0_TZ_2 -> __0_TZ_2 header /^\"(\w)(\w+) (\w+)\" <\1[\._]?\3_?[a-z][a-z]\@/i From 1 0.000 1 __0_TZ_3 -> __0_TZ_3 header /^\"(\w)(\w+) (\w+)\" <\3_?[a-z][a-z]\@/i From 1 0.000 1 __0_TZ_4 -> __0_TZ_4 header /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\4_?[a-z][a-z]\@/i From 1 0.000 1 __0_TZ_5 -> __0_TZ_5 header /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\3[\._]?\4_?[a-z][a-z]\@/i From 1 0.000 1 __0_TZ_6 -> __0_TZ_6 header /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\3\4_?[a-z][a-z]\@/i From 1 0.000 1 __0_TZ_7 -> __0_TZ_7 header /^\"(\w)(\w+) (\w)\. 
(\w+)\" <\3[\._]?\4_?[a-z][a-z]\@/i From 1 0.000 1 RATWARE_ZERO_TZ Bulk email fingerprint (+0000) found -> RATWARE_ZERO_TZ meta (__RATWARE_0_TZ_DATE && __CTYPE_HTML && (__0_TZ_1 || __0_TZ_2 || __0_TZ_3 || __0_TZ_4 || __0_TZ_5 || __0_TZ_6 || __0_TZ_7)) 1 3.792 1 __REPTO_QUOTE AOL doesn't do quoting like this -> __REPTO_QUOTE header /".*"\s*\</ Reply-To 1 0.000 1 __FROM_MSN_COM -> __FROM_MSN_COM header /\@msn\.com\b/i From 1 0.000 1 __AT_MSN_MSGID -> __AT_MSN_MSGID header /\@msn\.com\b/i Message-Id 1 0.000 1 -3 REPTO_QUOTE_MSN MSN doesn't do quoting like this -> REPTO_QUOTE_MSN meta (__REPTO_QUOTE && (__FROM_MSN_COM || __AT_MSN_MSGID)) 1 3.249 1 REPTO_QUOTE_YAHOO Yahoo! doesn't do quoting like this -> REPTO_QUOTE_YAHOO meta (__REPTO_QUOTE && (__FROM_YAHOO_COM || __AT_YAHOO_MSGID)) 1 3.428 1 ADDR_NUMS_AT_BIGSITE Has an address with lots of numbers at a big ISP meta (__ADDR_NUMS_AT_BIGSITE && !FROM_ENDS_IN_NUMS && !FROM_STARTS_WITH_NUMS && !FROM_HAS_MIXED_NUMS && !FROM_ALL_NUMS) 1 1.007 1 HOT_NASTY Possible porn - Hot, Nasty, Wild, Young body /\b(?=[dehklnswxy])(?:horny|nasty|hot|wild|young|horniest|nastiest|hottest|wildest|youngest|naughty|dirtiest|slutty|kinky|lusty|extreme|xxx+)\b.{0,9}\b(?=[acfghilmpsvx])(?:virgins?\b|asian|cheerleader|sex|selection|fuck|fucking|anal\b|lesb(?:ian|o)|incest|chicks?|pics|movies|video|gay\b|porn|h[a\@]rdcore|schoolgirls|amateur|slut|adult|cum\b|xxx|sites?|hotties|shit)/i 0.157 1 STOCK_ALERT Offers a alert about a stock body /\bstock alert/i 1.680 1 OBSCURED_EMAIL Message seems to contain rot13ed address body /\w+\^\S+\(\w{2,4}\b/ 1.680 1 IP_LINK_PLUS Dotted-decimal IP address followed by CGI uri m{^https?://\d+\.\d+\.\d+\.\d+.{0,20}(?:cgi|click|ads|id=)}i 1 0.467 1 BIZ_TLD Contains a URL in the BIZ top-level domain uri /\.biz(?::\d+)?(?:\/|$)/i 1.169 1 BILL_1618 Claims compliance with Senate Bill 1618 body /\bs\W{0,4}1618\b/i 1.405 1 RATWARE_HASH_2 Bulk email fingerprint (hash 2) found header /^[A-Za-z0-9_]{16,}$/ X-Mailer 1 1.949 1 
RATWARE_HASH_2_V2 Bulk email fingerprint (hash 2 v2) found header /^[A-Za-z0-9_]{14,}$/ X-Mailer 1 2.000 1 __EUDORA_MSGID header /^<(?:\d\d?\.){3,5}\d{14}\.[a-f0-9]{8}\@\S+(?:\sport\s\d+)?>$/m MESSAGEID 1 0.0 1 __OIMO_MSGID header /^<[A-P]{26}A[ABC]\.[-\w.]+\@\S+>$/m MESSAGEID 1 0.0 1 __EUDORA_MUA header /^QUALCOMM Windows Eudora (?:Pro |Light )?Version [3456]\./ X-Mailer 1 0.0 1 __THEBAT_MUA_V2 header /^The Bat! \(v2\./ X-Mailer 1 0.0 1 MIME_BOUND_DD_DIGITS SPAM TOOL PATTERN IN MIME BOUNDARY ->MIME_BOUND_DD_DIGITS header /boundary=\"--\d+\"/ Content-Type 1 4.500 1 -3 MSGID_SPAM_CAPS SPAM TOOL MESSAGE-ID: (CAPS VARIANT) ->MSGID_SPAM_CAPS header /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/ Message-ID 1 4.400 1 -3 URI_NO_WWW_INFO_CGI CGI in .info TLD other than third-level "www" ->URI_NO_WWW_INFO_CGI uri /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.info\/(?=\S{15,})\S*\?/i 1 4.100 1 __THEBAT_MUA_V1 BAT mailer header /^The Bat! \(v1\./ X-Mailer 1 0.000 1 FORGED_THEBAT_HTML The Bat! can't send HTML message only meta (__THEBAT_MUA_V1 && MIME_HTML_ONLY) 1 2.387 1 __FORGED_RCVD_TRAIL header eval:check_for_forged_received_trail() Received 1 0.0 1 CONFIRMED_FORGED Received headers are forged meta (__FORGED_RCVD_TRAIL && (FORGED_AOL_RCVD || FORGED_HOTMAIL_RCVD || FORGED_EUDORAMAIL_RCVD || FORGED_YAHOO_RCVD || FORGED_JUNO_RCVD || FORGED_GW05_RCVD)) 1 0.690 1 __ANY_OUTLOOK_MUA header /^Microsoft Outlook\b/ X-Mailer 1 0.0 1 __YAHOO_BULK header /from \[\S+\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP/ Received 1 0.0 1 FORGED_OUTLOOK_HTML Outlook can't send HTML message only meta (!__YAHOO_BULK && __ANY_OUTLOOK_MUA && MIME_HTML_ONLY) 3.872 1 __TAG_EXISTS_HEAD body eval:html_tag_exists('head') 1 0.0 1 __TAG_EXISTS_META body eval:html_tag_exists('meta') 1 0.0 1 __TAG_EXISTS_BODY body eval:html_tag_exists('body') 1 0.0 1 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format meta (!__YAHOO_BULK && __ANY_OUTLOOK_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && 
__TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY)) 3.537 1 __HAS_X_PRIORITY header exists:X-Priority 1 0.0 1 __IS_EXCH header /Produced By Microsoft Exchange V/ X-MimeOLE 1 0.0 1 __USER_AGENT header exists:User-Agent 1 0.0 1 __X_NEWSREADER header exists:X-Newsreader 1 0.0 1 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer meta ((__HAS_X_PRIORITY && __HAS_MSMAIL_PRI) && !__HAS_X_MAILER && !__IS_EXCH && !__USER_AGENT && !__X_NEWSREADER) 2.155 1 __CTYPE_HAS_BOUNDARY header /boundary/i Content-Type 1 0.0 1 __BAT_BOUNDARY header /boundary=\"?-{10}/ Content-Type 1 0.0 1 __MAILMAN_21 header /\d/ X-Mailman-Version 1 0.0 1 FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary) meta (__THEBAT_MUA_V1 && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21) 2.163 1 __ANY_IMS_MUA header /^Internet Mail Service\b/ X-Mailer 1 0.0 1 FORGED_IMS_TAGS IMS mailers can't send HTML in this format meta (!__YAHOO_BULK && __ANY_IMS_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY)) 2.054 1 __IMS_MUA header /Internet Mail Service/ X-Mailer 1 0.0 1 __IMS_HTML_BUILDS header /^Internet Mail Service .(?:[6789]\.|5\.[6789]|5\.5\.(?:[3456789]|2[789]|26[6789]|265[6789]))/ X-Mailer 1 0.0 1 __IMS_HTML_RCVD header /\bby \S+ with Internet Mail Service .(?:[6789]\.|5\.[6789]|5\.5\.(?:[3456789]|2[789]|26[6789]|265[6789]))/ Received 1 0.0 1 FORGED_IMS_HTML IMS can't send HTML message only meta (!__YAHOO_BULK && __IMS_MUA && MIME_HTML_ONLY && !(__IMS_HTML_BUILDS && __IMS_HTML_RCVD)) 2.184 1 FROM_HAS_ULINE_NUMS From: contains an underline and numbers/letters header /_\S?(?:[a-z]+\w*?\d+|\d+\w*?[a-z]+)\w*\@/i 0.217 1 __OIMO_MUA header /Outlook IMO/ X-Mailer 1 0.0 1 __OE_MSGID_2 header /^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m message-id 1 0.0 1 FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO meta (__OIMO_MUA && !__OIMO_MSGID && !__OE_MSGID_2 && !__UNUSABLE_MSGID) 
0.981 1 __IMS_MSGID header /^<[A-F\d]{36,40}\@\S+>$/m MESSAGEID 1 0.0 1 FORGED_MUA_IMS Forged mail pretending to be from IMS meta (__IMS_MUA && !__IMS_MSGID && !__UNUSABLE_MSGID) 1.198 1 MSGID_DOLLARS Message-Id has pattern used in spam ->MSGID_DOLLARS meta (__OE_MSGID_2 && !__HAS_OUTLOOK_IN_MAILER && !__UNUSABLE_MSGID) 1 3.171 1 __OE_MUA header /\bOutlook Express [456]\./ X-Mailer 1 0.0 1 __OE_MSGID_1 header /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m message-id 1 0.0 1 __OE_MSGID_3 header /^<BAY\d+-DAV\d+[A-Z0-9]{25}\@phx\.gbl>$/m message-id 1 0.0 1 __OUTLOOK_DOLLARS_MUA header /^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\./ X-Mailer 1 0.0 1 __OUTLOOK_DOLLARS_OTHER header /^<\!\~\!/m message-id 1 0.0 1 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook meta ((__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__UNUSABLE_MSGID) || (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__IMS_MSGID && !__UNUSABLE_MSGID)) 4.056 1 __HAS_X_LOOP header exists:X-Loop 1 0.0 1 __HAS_X_MAILING_LIST header exists:X-Mailing-List 1 0.0 1 FORGED_MUA_EUDORA Forged mail pretending to be from Eudora meta (__EUDORA_MUA && !__EUDORA_MSGID && !__UNUSABLE_MSGID && !__HAS_X_LOOP && !__HAS_X_MAILING_LIST) 1.944 1