Solved

How to avoid being seen as spam

Posted on 2004-04-03
Last Modified: 2009-04-30
Hi,

I have a newsletter script (people have to sign up themselves to be sent this newsletter) running on my university's server. The script sends a MIME e-mail to about 150 addresses and is for a student sport association. We have sponsors whose logos we agreed to put on the newsletter.

Before we had the sponsors, I used to send it to these addresses without any problems. But since I put the logos in the newsletter, these mails started getting spam-level 5 from the spam filters of my own university and also from Hotmail, so the subject line would be changed to *****SPAM***** Newsletter. Of course, we don't want this.

The script is a PHP script which uses a MySQL database to get the e-mail addresses and it loops until it has sent an e-mail to all addresses.

What do I have to change? Do I have to talk to the association running the student server?

Thanx in advance,

ZFR

Question by:ZFR

Expert Comment

by:skullnobrains
if your sponsor logo is retrieved from an url, this might be considered as 'distant link' ie potential threat.
could be it. otherwise, check maybe for the name of the image or if there is a hidden script, if the image itself is or is included in a link to a 'marked as ads/banners' address... hope that helps but as far as i know, most filters are customisable and folks should be able to let it through quite easily if they want to receive it indeed.

Author Comment

by:ZFR
Hi skullnobrains,

Thanx for the post.

Well, the images are indeed retrieved from an url, we got permission from the sponsors to make copies of their logos. So I have customised copies of their logos on the student server, so there is no hidden script or anything of that kind. Also, the names of the images are just regular names (of the sponsors). And some time ago our university's IT department sent out a notice which tells the students (most of them do not have much affinity with IT) how to create a rule which deletes e-mails with *****SPAM***** in the subject :-D

So I really want to figure out a way to get that out of the subject line.

Thanx
ZFR

Expert Comment

by:Squinky
What you really want is to lower your spam scoring to stop the SPAM tag from getting there in the first place. Try installing SpamAssassin to test your own spam scoring. Regardless of what filters people actually use, this will give you a good indication of where your messages' weak points are, so set it up on a server and get it to look at your own messages. Unfortunately spam filters are wide open to configuration - so what passes one may not pass another.

You may find that your messages get some additional headers attached by whatever spam filter is spotting them, and this will often tell you what has contributed to its designation as spam.

Many admins are clueless and set up really quite destructive filters that really make their recipients suffer and lose legitimate messages, and there's nothing you can do about that. For example, it should be perfectly possible for two legitimate recipients to have a conversation about teens, spam and Viagra without it getting trapped by filters, but alas, many admins think otherwise.

Going with embedded images is probably worse than linking to them - attachments arouse more suspicion than links, given it's the route most viruses take. Given that you're really a legitimate sender and not a spammer, make sure that everything looks totally above-board: make sure your image URLs are in the same domain as your email server, make sure your email server's 'HELO' response matches its reverse DNS lookup (so if your server is at mail.example.com, and its forward lookup is 1.2.3.4, make sure that a reverse lookup on that IP gives the same hostname back, and not some other one (e.g. www.example.com)).

If you're still having trouble, it might be worth looking into Habeas tagging (www.habeas.com), which should be free for education and is supported by Hotmail.

If you're not using it already, I strongly recommend using PHPMailer (phpmailer.sourceforge.net) for doing any email sending from PHP.

Expert Comment

by:skullnobrains
<< if your sponsor logo is retrieved from an url, this might be considered as 'distant link' ie potential threat. >>

just to point out i meant that this is probably enough by itself to score u somehow as a potential spammer :

considering the fact that a legitimate user is just simply a real user sending a message he wrote himself only once to 1 or few users,

the spam filter will let u print a link or a set of links to different pages, whatever the server (as long as your mail is not only a link or mainly links with little text -- this is nonsense but true), will let this link be a link to roughly anything (may not like executables, though).

it will definitely not like any object that means the download of anything from a remote source, ie an image or object tag with a src property set to a distant server.

maybe the scoring will improve on some filters if the images link to the same server as the one specified in the header
<< Content-Base: \"http://www.planetecroisiere.com/public/\" >> (escape characters may not be needed in your code)

a good step will probably be to send the images together with the mail if the sizes are small enough.

have a look at my post in
http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_20939649.html
for a way to embed the images. this gives an idea but there is definitely much better

cheers

ps : thanks to Squinky this is very valuable piece of info and advice :)

Expert Comment

by:Squinky
There's another aspect to bear in mind: filters. Something that we've found is that many corporates use a filter to convert HTML messages with linked external images into plain text messages with attached images. This might sound like a good idea from an anti-spam point of view, but it often does such a bad job that the resulting email is unreadable, and clogs the recipient's mailbox with unwanted attachments. We usually use the multipart/alternative message format, thus providing a separate plain text version of the message, but most spam filters are too stupid to use it, and insist on doing their own inferior conversion.

Embedding images is very easy with PHPMailer - it's just a matter of saying $mail->AttachFile('myfile.jpg'); you need to be careful about naming them if you want to use the same images within the HTML of the message. The PHPMailer docs have lots to say on this subject.

Unfortunately there's no way to always win. If you use embedded images, you'll often get them stripped out, get a high spam score or worse - some of our recipients are behind filters that reject messages outright if they have image attachments, regardless of message contents. Using linked images you often fall foul of HTML converters, and again get high spam scores.

The thing that's really silly is that none of what we're sending is spam - every subscription is double or even triple confirmed opt-in, with full audit trails on everything, and no imported lists, so legitimate recipients are suffering from their own poorly configured filters. Many of them also return useless SMTP error codes - labelling everything with a 5.0.0 code, which doesn't help anyone, and probably actually causes them to receive even more spam.

Expert Comment

by:rlawley
You won't be able to get the people running the mailserver to change it - it will most likely be a SpamAssassin Score.  Have you got a copy of any of the newsletters once they've been through the mailserver and got the Spam tag?  If so, you might have the breakdown of the SpamAssassin score in the message header.  You can look at this and try to determine if any of the other factors besides the embedded image could be reduced.

Author Comment

by:ZFR
first of all, thanx for trying to help everybody....

Well, I have "extended headers" on at hotmail, and I see that I get a spam flag and score of 6, but I do not know what to do with it...

kub.nl is my university's domain.

Here are the headers:

X-Spam-Level: *****
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=6.0 tagged_above=0.0 required=5.0 tests=HTML_60_70, HTML_IMAGE_ONLY_02, HTML_MESSAGE, HTML_MIME_NO_HTML_TAG, MIME_BASE64_TEXT, MIME_HTML_NO_CHARSET, MIME_HTML_ONLY
X-Virus-Scanned: by amavisd-new
Return-Path: httpd@kub.nl
X-OriginalArrivalTime: 05 Apr 2004 10:27:09.0783 (UTC) FILETIME=[8D497670:01C41AF8]


ZFR

Accepted Solution

by:
rlawley earned 250 total points
Ok, I'm not an expert in this, and your mailscanner is not putting scores for each component (mine does), but it would appear that you could do a number of things to reduce the spam score.  From what I can see, try these:

*  Add a text-only version of the message (even if it only says you need an HTML mail reader to see it) - MIME_HTML_ONLY would probably indicate you don't have one.
*  Add the HTML tag to your message.  Also the Charset. (HTML_MIME_NO_HTML_TAG, MIME_HTML_NO_CHARSET)
*  Add more text - HTML_IMAGE_ONLY_02 means you have images but less than 200 bytes of words

Try this, then see what the score goes down to.
0
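
One way to act on the points in the accepted answer, as an added example that is not part of the original thread: a hand-built multipart/alternative message (plain-text part, HTML part with an html tag and a declared charset, quoted-printable instead of base64), plus a rough local lint keyed to five of the test names in the header posted above. The function names, addresses, URLs and newsletter text are assumptions constructed for illustration, and the lint only approximates what SpamAssassin checks.

```php
<?php
// Added example, not code from the thread. Addresses, URLs and text are constructed.

/** One text/* part with an explicit charset, quoted-printable rather than base64. */
function build_part(string $subtype, string $body): string
{
    return "Content-Type: text/$subtype; charset=UTF-8\r\n"
         . "Content-Transfer-Encoding: quoted-printable\r\n\r\n"
         . quoted_printable_encode($body) . "\r\n";
}

/** Returns [headers, body] for a multipart/alternative newsletter. */
function build_newsletter(string $from, string $title, string $text, string $htmlInner): array
{
    if (preg_match('/[\r\n]/', $from)) {   // refuse header injection through From
        throw new InvalidArgumentException('CR/LF in header value');
    }
    $boundary = 'nl_' . bin2hex(random_bytes(12));
    $html = '<html><head><title>' . htmlspecialchars($title) . '</title></head>'
          . "<body>$htmlInner</body></html>";
    $headers = [
        "From: $from",
        'MIME-Version: 1.0',
        "Content-Type: multipart/alternative; boundary=\"$boundary\"",
    ];
    // Plain text first, HTML last: a client shows the last part it can render.
    $body = "--$boundary\r\n" . build_part('plain', $text)
          . "--$boundary\r\n" . build_part('html', $html)
          . "--$boundary--\r\n";
    return [$headers, $body];
}

/** Test names from an X-Spam-Status value such as the one posted in the thread. */
function parse_spam_tests(string $status): array
{
    if (!preg_match('/tests=(.*)$/s', $status, $m)) {
        return [];
    }
    return array_values(array_filter(array_map('trim', explode(',', $m[1]))));
}

/** Rough approximation of five of the reported tests; the real rules differ in detail. */
function lint_message(array $headers, string $body): array
{
    $top = implode("\r\n", $headers);
    if (preg_match('/boundary="([^"]+)"/i', $top, $m)) {
        $parts = array_slice(explode('--' . $m[1], $body), 1, -1);
    } else {
        $parts = [$top . "\r\n\r\n" . $body];   // single-part message
    }
    $hits = [];
    $hasPlain = $hasHtml = false;
    foreach ($parts as $raw) {
        [$head, $content] = array_pad(explode("\r\n\r\n", ltrim($raw), 2), 2, '');
        if (!preg_match('/^Content-Type:\s*text\/(plain|html)([^\r\n]*)/mi', $head, $t)) {
            continue;
        }
        $isB64 = (bool) preg_match('/^Content-Transfer-Encoding:\s*base64/mi', $head);
        $isQp  = (bool) preg_match('/^Content-Transfer-Encoding:\s*quoted-printable/mi', $head);
        $text  = $isB64 ? (string) base64_decode($content)
               : ($isQp ? quoted_printable_decode($content) : $content);
        if ($isB64) {
            $hits[] = 'MIME_BASE64_TEXT';
        }
        if (strtolower($t[1]) === 'plain') {
            $hasPlain = true;
            continue;
        }
        $hasHtml = true;
        if (stripos($t[2], 'charset=') === false) {
            $hits[] = 'MIME_HTML_NO_CHARSET';
        }
        if (stripos($text, '<html') === false) {
            $hits[] = 'HTML_MIME_NO_HTML_TAG';
        }
        if (stripos($text, '<img') !== false && strlen(trim(strip_tags($text))) < 200) {
            $hits[] = 'HTML_IMAGE_ONLY_02';
        }
    }
    if ($hasHtml && !$hasPlain) {
        $hits[] = 'MIME_HTML_ONLY';
    }
    return array_values(array_unique($hits));
}

// "Before" (constructed): single-part, base64-encoded HTML fragment that is mostly a logo.
$beforeHeaders = ['From: news@example.org', 'MIME-Version: 1.0',
                  'Content-Type: text/html', 'Content-Transfer-Encoding: base64'];
$beforeBody = base64_encode('<img src="https://news.example.org/logo.png"><p>April news</p>');

// "After" (constructed): same logo, a text alternative and over 200 bytes of real words.
$words = 'The spring tournament is on 24 April at the campus sports hall. Sign-up closes '
       . 'a week before. Training moves to Tuesday and Thursday evenings from May, and the '
       . 'board is looking for two volunteers to help run the summer barbecue in June.';
[$afterHeaders, $afterBody] = build_newsletter(
    'news@example.org', 'Newsletter April', $words,
    "<p>$words</p><img src=\"https://news.example.org/logo.png\" alt=\"Sponsor\">"
);

// X-Spam-Status value as posted in the thread.
$status = 'Yes, hits=6.0 tagged_above=0.0 required=5.0 tests=HTML_60_70, HTML_IMAGE_ONLY_02, '
        . 'HTML_MESSAGE, HTML_MIME_NO_HTML_TAG, MIME_BASE64_TEXT, MIME_HTML_NO_CHARSET, MIME_HTML_ONLY';

echo 'reported: ', implode(' ', parse_spam_tests($status)), "\n";
echo 'before:   ', implode(' ', lint_message($beforeHeaders, $beforeBody)), "\n";
echo 'after:    ', implode(' ', lint_message($afterHeaders, $afterBody)) ?: '(none of the five)', "\n";
```

To send the result with PHP's built-in function, pass it as mail($to, $subject, $body, implode("\r\n", $headers)). Then re-read X-Spam-Status on a delivered copy, since each filter weights these tests differently.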
 

Expert Comment

by:skullnobrains
http://www.google.fr/search?q=cache:jRvvfFAhUsUJ:systems.cs.uoregon.edu/systems/spamassassin.php+HTML_60_70,+HTML_IMAGE_ONLY_02,+HTML_MESSAGE,+HTML_MIME_NO_HTML_TAG,+MIME_BASE64_TEXT,+MIME_HTML_NO_CHARSET,+MIME_HTML_ONLY&hl=fr&ie=UTF-8

original page i got from above but seems hard to get a grip on, so as an exception, the contents are posted below. should help.

ACCEPT_CREDIT_CARDS Accept Credit Cards
ACCESSDB Message would have been caught by accessdb
ACT_NOW_CAPS Talks about 'acting now' with capitals
ADDRESSES_ON_CD Addresses on CD are only useful for spam
ADDR_FREE From Address contains FREE
ADDR_NUMS_AT_BIGSITE Uses an address with lots of numbers, at a big ISP
ADULT_SITE Possible porn - Adult Web Sites
ADVERT_CODE Subject: starts with advertising tag
ADVERT_CODE2 Subject: contains advertising tag
ALL_CAP_PORN Possible porn - in ALL CAPS
ALL_NATURAL Spam is 100% natural?!
AMATEUR_PORN Possible porn - Amateur Porn
AMAZING_STUFF Amazing Stuff
ANTISPAM_BILL Very likely mention of anti-spam bill
AOL_USERS_LINK Includes a link for AOL users to click
APPLY_FREE Free Application
APPLY_ONLINE Apply online (with capital O)
ASCII_FORM_ENTRY Contains an ASCII-formatted form
ASKS_BILLING_ADDRESS Asks for a billing address
AS_SEEN_ON As seen on national TV!
AUTO_EMAIL_REMOVAL Claims auto-email removal
AZOOGLE From azoogle.com, azogle.com, etc.
BAD_CREDIT Eliminate Bad Credit
BANG_BOSS Talks about your boss with an exclamation!
BANG_EXERCISE Talks about exercise with an exclamation!
BANG_GUARANTEE Something is emphatically guaranteed
BANG_MONEY Talks about money with an exclamation!
BANG_MORE Talks about more with an exclamation!
BANG_OPRAH Talks about Oprah with an exclamation!
BANG_QUOTE Talks about quotes with an exclamation!
BANKRUPTCY Avoid Bankruptcy
BARELY_LEGAL Possible porn - Barely Legal
BARGAIN_URL Includes a link to a likely spammer domain
BAYES_00 Bayesian spam probability is 0 to 1%
BAYES_01 Bayesian spam probability is 1 to 10%
BAYES_10 Bayesian spam probability is 10 to 20%
BAYES_20 Bayesian spam probability is 20 to 30%
BAYES_30 Bayesian spam probability is 30 to 40%
BAYES_40 Bayesian spam probability is 40 to 44%
BAYES_44 Bayesian spam probability is 44 to 50%
BAYES_50 Bayesian spam probability is 50 to 56%
BAYES_56 Bayesian spam probability is 56 to 60%
BAYES_60 Bayesian spam probability is 60 to 70%
BAYES_70 Bayesian spam probability is 70 to 80%
BAYES_80 Bayesian spam probability is 80 to 90%
BAYES_90 Bayesian spam probability is 90 to 99%
BAYES_99 Bayesian spam probability is 99 to 100%
BEEN_TURNED_DOWN Have you been turned down?
BEST_PORN Possible porn - Best, Largest, Most Porn
BETTERMEMORY Describes "better memory"
BE_AMAZED Apparently, you'll be amazed
BE_BOSS Be your own boss
BILLION_DOLLARS Talks about lots of money
BILL_1618 Claims compliance with Senate Bill 1618
BIZ_TLD Contains a URL in the BIZ top-level domain  
BLANK_LINES_70_80 Message body has 70-80% blank lines
BLANK_LINES_80_90 Message body has 80-90% blank lines
BLANK_LINES_90_100 Message body has 90-100% blank lines
BODY_8BITS Body includes 8 consecutive 8-bit characters
BTAMAIL_HEADER Header contains an address from btamail.net.cn
BTAMAIL_URL Frequent Spam content
BUGGY_CGI Broken CGI script message
BULK_EMAIL Talks about bulk email
BUY_DIRECT Buy Direct
BUY_JUDGEMENTS Buying judgements
BZ_TLD Contains a URL in the BZ top-level domain  
CABLE_CONVERTER Cable Converter
CALL_FREE Contains a tollfree number
CALL_NOW Urges you to call now
CANNOT_BE_SPAM Claims "cannot be considered spam"
CASHCASHCASH Contains at least 3 dollar signs in a row
CASH_BONUS Cash Bonus
CBYI Contains "CBYI"
CELEBRITY_PORN Possible porn - Celebrity Porn
CELL_PHONE_BOOST Talks about cell-phone signal improvement
CENTS_ON_DOLLAR Cents on the Dollar
CHANGE_TERMS Terms and conditions
CHARSET_FARAWAY Character set indicates a foreign language
CHARSET_FARAWAY_HEADER A foreign language charset used in headers
CHILD_SUPPORT "Collect Child Support" Scam
CHINA_HEADER Involves 'china.com'
CHINA_URL Frequent Spam content
CLICK_BELOW Asks you to click below
CLICK_BELOW_CAPS Asks you to click below (in capital letters)
CLICK_TO_REMOVE_1 Click to be removed
CLICK_TO_REMOVE_2 Click-to-remove with mailto: found
COMMUNIGATE Sent using a trial version of CommuniGate
COMPARE_RATES Compare Rates
COMPETE Compete for your business
COMPLAIN_TO Message has Complain-To header
COMPLETELY_FREE No such thing as a free lunch (2)
CONFIDENTIAL_ORDER Confidentiality on all orders
CONFIRMED_FORGED Received headers are forged
CONGRATULATIONS Congratulations - you've been scammed?
CONSOLIDATE_DEBT Consolidate debt, credit, or bills
COPY_ACCURATELY Common pyramid scheme phrase (1)
CREDITORS_CALLING Calling Creditors
CREDIT_BUREAU Credit Bureaus
CREDIT_CARD Credit Card Offers
CUM_SHOT Possible porn - Cum Shot
DAILY_PL Spam URL pattern, DailyPromotions redirect
DAILY_PXE Spam URL pattern, DailyPromotions server link
DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date
DATE_IN_FUTURE_24_48 Date: is 24 to 48 hours after Received: date
DATE_IN_FUTURE_48_96 Date: is 48 to 96 hours after Received: date
DATE_IN_FUTURE_96_XX Date: is 96 hours or more after Received: date
DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
DATE_IN_PAST_24_48 Date: is 24 to 48 hours before Received: date
DATE_IN_PAST_48_96 Date: is 48 to 96 hours before Received: date
DATE_IN_PAST_96_XX Date: is 96 hours or more before Received: date
DATE_MISSING Missing Date: header
DATE_SPAMWARE_Y2K Date header uses unusual Y2K formatting
DATE_YEAR_ZERO_FIRST Invalid Date: year begins with zero
DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
DEAR_FRIEND Dear Friend? That's not very dear!
DEAR_SOMETHING Contains 'Dear (something)'
DIET Lose Weight Spam
DIG_UP_INFO Dig up Dirt on Friends
DIRECT_EMAIL Talks about direct email
DISCONTINUE List removal information
DISGUISE_PORN Attempts to disguise porn words
DNS_FROM_RFCI_DSN From: sender listed in dsn.rfc-ignorant.org
DOMAINS_CHEAP Subject: domain names are cheap
DOMAIN_4U2 Domain name containing a "4u" variant
DOMAIN_BODY Domain registration spam body
DOMAIN_SUBJECT Subject: domain registration spam subject
DONT_DELETE Don't delete me! Nooooo!!!!
DO_IT_TODAY Do it Today
DRASTIC_REDUCED Drastically Reduced
EARNINGS Potential Earnings
EARN_MONEY Message talks about earning money
EARN_PER_WEEK Contains 'earn $something per week'
EASY_TERMS Easy Terms
EJACULATION Increase your ejaculation!
EMAIL_MARKETING Talks about email marketing
EMAIL_ROT13 Body contains a ROT13-encoded email address
ENHANCE_WEBSITE Talks about 'enhancing any website'
EXCUSE_1 Gives a lame excuse about why spam was sent
EXCUSE_10 "if you do not wish to receive any more"
EXCUSE_11 Claims you were on a list
EXCUSE_12 Nobody's perfect
EXCUSE_13 Gives an excuse for why message was sent
EXCUSE_14 Tells you how to stop further spam
EXCUSE_15 Claims to be legitimate email
EXCUSE_16 I wonder how many emails they sent in error
EXCUSE_18 Claims not to be spam
EXCUSE_19 Claims you opted-in or registered
EXCUSE_2 Claims you actually asked for this spam
EXCUSE_20 Claims you registered at their site
EXCUSE_21 Claims address was obtained legitimately
EXCUSE_22 You're receiving this offer for a reason
EXCUSE_23 Claims you have provided permission
EXCUSE_24 Claims you wanted this ad
EXCUSE_3 Claims you can be removed from the list
EXCUSE_4 Claims you can be removed from the list
EXCUSE_6 Claims you can be removed from the list
EXCUSE_7 Claims you can be removed from the list
EXCUSE_8 Claims you can be removed from the list
EXCUSE_REMOVE Talks about how to be removed from mailings
EXPERTS_SHOW_HOW Talks about 'experts' showing you how
EXTRA_CASH Offers Extra Cash
EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
E_MAILPROMO_URL Includes a link to a likely spammer domain
FAKED_HOTMAIL_DAV X-Originating-Email header does not match From
FAKED_IP_IN_RCVD Received: contains a name with a faked IP-address
FAKED_UNDISC_RECIPS Faked To "Undisclosed-Recipients"
FAKE_HELO_AOL Host HELO did not match rDNS: aol.com
FAKE_HELO_BIGFOOT Host HELO did not match rDNS: bigfoot.com
FAKE_HELO_CARAMAIL Host HELO did not match rDNS: caramail.com
FAKE_HELO_EMAIL_COM Host HELO did not match rDNS: email.com
FAKE_HELO_EUDORAMAIL Host HELO did not match rDNS: eudoramail.com
FAKE_HELO_EXCITE Host HELO did not match rDNS: excite.com
FAKE_HELO_FLASHMAIL Host HELO did not match rDNS: flashmail.com
FAKE_HELO_HOTMAIL Host HELO did not match rDNS: hotmail.com
FAKE_HELO_JUNO Host HELO did not match rDNS: juno.com
FAKE_HELO_LYCOS Host HELO did not match rDNS: lycos.com
FAKE_HELO_MAILCITY Host HELO did not match rDNS: mailcity.com
FAKE_HELO_MAIL_COM Host HELO did not match rDNS: mail.com
FAKE_HELO_MAIL_RU Host HELO did not match rDNS: mail.ru
FAKE_HELO_MSN Host HELO did not match rDNS: msn.com
FAKE_HELO_NETSCAPE_COM Host HELO did not match rDNS: netscape.com
FAKE_HELO_NETZERO Host HELO did not match rDNS: netzero.net
FAKE_HELO_SHAW_CA Host HELO did not match rDNS: shaw.ca
FAKE_HELO_USA_NET Host HELO did not match rDNS: usa.net
FAKE_HELO_YAHOO Host HELO did not match rDNS: yahoo.com
FAKE_HELO_YAHOO_CA Host HELO did not match rDNS: yahoo.ca
FALLING_INTEREST Interest rates
FANTASTIC Fantastic Deal
FINANCIAL Financial Freedom
FIND_ANYTHING Find out anything
FORGED_AOL_HTML AOL can't send HTML message only
FORGED_AOL_RCVD Received forged, contains fake AOL relays
FORGED_AOL_TAGS AOL mailers can't send HTML in this format
FORGED_EUDORAMAIL_RCVD Forged eudoramail.com 'Received:' header found
FORGED_GW05_RCVD Forged 'by gw05' 'Received:' header found
FORGED_HOTMAIL_RCVD Forged hotmail.com 'Received:' header found
FORGED_HOTMAIL_RCVD2 hotmail.com 'From' address, but no 'Received:'
FORGED_IMS_HTML IMS can't send HTML message only
FORGED_IMS_TAGS IMS mailers can't send HTML in this format
FORGED_JUNO_FROM Has invalid account name for juno.com address
FORGED_JUNO_RCVD 'From' juno.com does not match 'Received' headers
FORGED_MUA_AOL_FROM Forged mail pretending to be from AOL (by From)
FORGED_MUA_APPLEMAIL AppleMail can't send HTML message only
FORGED_MUA_EUDORA Forged mail pretending to be from Eudora
FORGED_MUA_IMS Forged mail pretending to be from IMS
FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla
FORGED_MUA_MSN Forged mail pretending to be from MSN
FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO
FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
FORGED_MUA_THEBAT Mail pretending to be from The Bat! (mid)
FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary)
FORGED_MUA_THEBAT_CS Mail pretending to be from The Bat! (charset)
FORGED_MX_HOTMAIL Forged hotmail.com Received 'from mx' header
FORGED_OUTLOOK_HTML Outlook can't send HTML message only
FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
FORGED_QUALCOMM_TAGS QUALCOMM mailers can't send HTML in this format
FORGED_RCVD_FROM_NUM Received headers forged (numeric hostname)
FORGED_RCVD_HELO Received: contains a forged HELO
FORGED_RCVD_NET_HELO Host HELO'd using the wrong IP network
FORGED_TELESP_RCVD Contains forged hostname for a DSL IP in Brazil
FORGED_THEBAT_HTML The Bat! can't send HTML message only
FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
FORGED_YAHOO_RCVD_SMTP Header contains forged Yahoo! SMTP server hostname
FORWARD_LOOKING Stock Disclaimer Statement
FOR_FREE No such thing as a free lunch (1)
FOR_JUST_SOME_AMT Contains 'for only' some amount of cash
FREE_ACCESS Contains 'free access' with capitals
FREE_CELL_PHONE Talks about free mobile phones
FREE_CONSULTATION Offers a consultation for nothing
FREE_DVD Free DVD
FREE_GRANT Free Grant Money
FREE_INSTALL Contains 'free installation' with capitals
FREE_INVESTMENT Free Investment
FREE_LEADS Free Leads
FREE_MEMBERSHIP Free Membership
FREE_PASSWORD Offers Free (often stolen) Passwords
FREE_PORN Possible porn - Free Porn
FREE_PREVIEW Free Preview
FREE_QUOTE Free Quote
FREE_QUOTE_INSTANT Free express or no-obligation quote
FREE_SAMPLE Contains 'free sample' with capitals
FREE_TRIAL Free Trial
FREE_WEBSITE Free Website
FRIEND_AT_PUBLIC sent to you@you.com or similar
FRIEND_PUBLIC sent from or to friend@public.com
FROM_ALL_NUMS From an address that is all numbers (non-phone)
FROM_AND_TO_SAME From and To are the same, but not exactly
FROM_ENDS_IN_NUMS From: ends in numbers
FROM_HAS_MIXED_NUMS From: contains numbers mixed in with letters
FROM_HAS_MIXED_NUMS2 From address matches known spammer format
FROM_HAS_MIXED_NUMS3 From: contains numbers mixed in with letters
FROM_HAS_ULINE_NUMS From: contains an underline and numbers/letters
FROM_ILLEGAL_CHARS From contains too many raw illegal characters
FROM_NO_LOWER 'From' has no lower-case characters
FROM_NO_USER From: has no local-part before @ sign
FROM_NUM_AT_WEBMAIL From address is webmail, but starts with a number
FROM_OFFERS From address is "at something-offers"
FROM_STARTS_WITH_NUMS From: starts with nums
FROM_WEBMAIL_END_NUMS6 From webmail service and address ends in numbers
FRONTPAGE Frontpage used to create the message
FULL_REFUND Offers a full refund
FURTHER_TRANSMISSIONS Claims compliance with spam regulations
GAPPY_SUBJECT Subject: contains G.a.p.p.y-T.e.x.t
GENERIC_VIAGRA Mentions Generic Viagra
GENTLE_FEROCITY Contains "Gentle Ferocity"
GET_IT_NOW Contains 'Get it now' with capitals
GET_PAID Get Paid
GET_STARTED_NOW Get Started Now
GREAT_OFFER Trying to offer you something
GTUBE Generic Test for Unsolicited Bulk Email
GUARANTEE Contains word 'guarantee' in all-caps
GUARANTEED_100_PERCENT One hundred percent guaranteed
GUARANTEED_STUFF Guaranteed Stuff
HABEAS_SWE Has Habeas warrant mark (http://www.habeas.com/)
HABEAS_VIOLATOR Has Habeas warrant mark and on Infringer List
HAIR_LOSS Cures Baldness
HARDCORE_PORN Possible porn - Hardcore Porn
HEADER_COUNT_CTYPE Multiple Content-Type headers found
HEAD_ILLEGAL_CHARS Header contains too many raw illegal characters
HELPED_FINANCE A dodgy mortgage testimonial
HERBAL_VIAGRA Plugs "Herbal Viagra"
HG_HORMONE Talks about hormones for human growth
HIDDEN_ASSETS 'Hidden' assets
HIDDEN_CHARGES Talks about Hidden Charges
HIDE_WIN_STATUS Javascript to hide URLs in browser
HOME_EMPLOYMENT Information on how to work at home (2)
HOT_NASTY Possible porn - Hot, Nasty, Wild, Young
HR_3113 Mentions Spam law "HR 3113"
HR_4176 Claims compliance with House Bill 4176
HTML_00_10 Message is 0% to 10% HTML
HTML_10_20 Message is 10% to 20% HTML
HTML_20_30 Message is 20% to 30% HTML
HTML_30_40 Message is 30% to 40% HTML
HTML_40_50 Message is 40% to 50% HTML
HTML_50_60 Message is 50% to 60% HTML
HTML_60_70 Message is 60% to 70% HTML
HTML_70_80 Message is 70% to 80% HTML
HTML_80_90 Message is 80% to 90% HTML
HTML_90_100 Message is 90% to 100% HTML
HTML_ALL_CAPS Content type is "TEXT/HTML" in all caps
HTML_CHARSET_FARAWAY A foreign language charset used in HTML markup
HTML_COMMENT_8BITS HTML comment has 3 consecutive 8-bit chars
HTML_COMMENT_EMAIL HTML comment contains email address
HTML_COMMENT_RATIO HTML comments are large percentage of message
HTML_COMMENT_SAVED_URL HTML message is a saved web page
HTML_COMMENT_SHOUTING HTML comment inside of "shouting" markup
HTML_COMMENT_SKY HTML comment contains SKY database codes
HTML_EMBEDS HTML with embedded plugin object
HTML_EVENT HTML contains auto-executing code
HTML_EVENT_UNSAFE HTML contains unsafe auto-executing code
HTML_FONTCOLOR_BLUE HTML font color is blue
HTML_FONTCOLOR_CYAN HTML font color is cyan
HTML_FONTCOLOR_GRAY HTML font color is gray
HTML_FONTCOLOR_GREEN HTML font color is green
HTML_FONTCOLOR_MAGENTA HTML font color is magenta
HTML_FONTCOLOR_NAME HTML font color has unusual name
HTML_FONTCOLOR_RED HTML font color is red
HTML_FONTCOLOR_UNKNOWN HTML font color is unknown to us
HTML_FONTCOLOR_UNSAFE HTML font color not in safe 6x6x6 palette
HTML_FONTCOLOR_YELLOW HTML font color is yellow
HTML_FONT_BIG HTML has a big font
HTML_FONT_FACE_BAD HTML font face is not a word
HTML_FONT_FACE_CAPS HTML font face has excess capital characters
HTML_FONT_FACE_ODD HTML font face is not a commonly used face
HTML_FONT_INVISIBLE HTML font color is same as background
HTML_FONT_LOW_CONTRAST HTML font color similar to background
HTML_FORMACTION_MAILTO HTML includes a form which sends mail
HTML_IMAGE_AREA_04 HTML has 4-5 kilopixels of images
HTML_IMAGE_AREA_05 HTML has 5-6 kilopixels of images
HTML_IMAGE_AREA_06 HTML has 6-7 kilopixels of images
HTML_IMAGE_AREA_07 HTML has 7-8 kilopixels of images
HTML_IMAGE_AREA_08 HTML has 8-9 kilopixels of images
HTML_IMAGE_AREA_09 HTML has over 9 kilopixels of images
HTML_IMAGE_ONLY_02 HTML: images with 0-200 bytes of words
HTML_IMAGE_ONLY_04 HTML: images with 200-400 bytes of words
HTML_IMAGE_ONLY_06 HTML: images with 400-600 bytes of words
HTML_IMAGE_ONLY_08 HTML: images with 600-800 bytes of words
HTML_IMAGE_ONLY_10 HTML: images with 800-1000 bytes of words
HTML_IMAGE_ONLY_12 HTML: images with 1000-1200 bytes of words
HTML_IMAGE_RATIO_02 HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_04 HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_06 HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_08 HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_10 HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_12 HTML has a low ratio of text to image area
HTML_IMAGE_RATIO_14 HTML has a low ratio of text to image area
HTML_JAVASCRIPT JavaScript code
HTML_LINK_CLICK_CAPS HTML link text says "CLICK"
HTML_LINK_CLICK_HERE HTML link text says "click here"
HTML_LINK_PUSH_HERE HTML link text says "push here" or similar
HTML_MESSAGE HTML included in message
HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
HTML_RELAYING_FRAME Frame wanted to load outside URL
HTML_SHOUTING3 HTML has very strong "shouting" markup
HTML_SHOUTING4 HTML has very strong "shouting" markup
HTML_SHOUTING5 HTML has very strong "shouting" markup
HTML_SHOUTING6 HTML has very strong "shouting" markup
HTML_SHOUTING7 HTML has very strong "shouting" markup
HTML_SHOUTING8 HTML has very strong "shouting" markup
HTML_SHOUTING9 HTML has very strong "shouting" markup
HTML_TABLE_THICK_BORD HTML table has thick border
HTML_TAG_BALANCE_A HTML has excess "a" close tags
HTML_TAG_BALANCE_BODY HTML has unbalanced "body" tags
HTML_TAG_BALANCE_FONT HTML has excess "font" close tags
HTML_TAG_BALANCE_HEAD HTML has unbalanced "head" tags
HTML_TAG_BALANCE_HTML HTML has unbalanced "html" tags
HTML_TAG_BALANCE_TABLE HTML is missing "table" close tags
HTML_TAG_EXISTS_BASE HTML has "base" tags
HTML_TAG_EXISTS_PARAM HTML has "param" tag
HTML_TAG_EXISTS_TBODY HTML has "tbody" tag
HTML_TITLE_EMPTY HTML title contains no text
HTML_TITLE_UNTITLED HTML title contains "Untitled"
HTML_WEB_BUGS Image tag intended to identify you
HTML_WIN_BLUR Javascript to move windows around
HTML_WIN_FOCUS Javascript to change window focus
HTML_WIN_OPEN Javascript to open a new window
HTML_WITH_BGCOLOR HTML mail with non-white background
HTTP_CTRL_CHARS_HOST Uses control sequences inside a URL hostname
HTTP_ENTITIES_HOST URI obscured with character entities
HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname
HTTP_EXCESSIVE_ESCAPES Completely unnecessary %-escapes inside a URL
HTTP_WITH_EMAIL_IN_URL 'remove' URL contains an email address
IDENT_NOBODY Received lines include an 'ident:nobody' string
ID_REPLY_TO_REPLY Reply-To address with reply and numbers
ID_UNIQUE X-List-Unsubscribe has a numbered address
IMPOTENCE Impotence cure
INCOME Additional Income
INCREASE_SEX Talks about a bigger drive for sex
INCREASE_SOMETHING Instructions on how to increase something
INCREDIBLE Things incredible
INITIAL_INVEST Requires Initial Investment
INSTANT_ACCESS offers "instant access"
INTL_DRIVERS_LICENSE International driving license
INTL_EXEC_GUILD Well known spam senders
INVALID_DATE Invalid Date: header (not RFC 2822)
INVALID_DATE_TZ_ABSURD Invalid Date: header (timezone does not exist)
INVALID_MSGID Message-Id is not valid, according to RFC 2822
INVALUABLE_MARKETING Invaluable marketing information
IN_ACCORDANCE_WITH Claims to be in accordance with some law
IP_LINK_PLUS Dotted-decimal IP address followed by CGI
ITS_LEGAL Claims to be Legal
JAPANESE_UCE_SUBJECT Subject contains a Japanese UCE tag
JAVASCRIPT_URI Javascript protocol in a URI
JODY Contains "My wife, Jody" testimonial
JOIN_MILLIONS Join Millions of Americans
KIFF Contains "Temple Kiff"
KOREAN_UCE_SUBJECT Subject: contains Korean unsolicited email tag
LARGE_COLLECTION Possible porn - Large Number of movies, pics
LARGE_HEX Contains a large block of hexadecimal code
LESBIAN Possible porn - Lesbian Site
LIMITED_TIME_ONLY Offers a limited time offer
LINES_OF_YELLING A WHOLE LINE OF YELLING DETECTED
LINES_OF_YELLING_2 2 WHOLE LINES OF YELLING DETECTED
LINES_OF_YELLING_3 3 WHOLE LINES OF YELLING DETECTED
LINK_TO_NO_SCHEME Contains link without http:// prefix
LIVE_PORN Possible porn - Live Porn
LONG_DISTANCE Long Distance Phone Offer
LOSEBODYFAT Describes body fat loss
LOSEWEIGHT Describes weight loss
LOSE_POUNDS Subject talks about losing pounds
LOTS_OF_CC_LINES Lots and lots of Cc: headers
LOTS_OF_STUFF Thousands or millions of pics/movies/etc
LOW_INTEREST Lower Interest Rates
LOW_PAYMENT Lower Monthly Payment
LOW_PRICE Lowest Price
LUXURY_CAR Luxury Car
LYING_EYES Will not Believe your Eyes!
MAILTO_LINK Includes a URL link to send an email
MAILTO_SUBJ_REMOVE mailto URI includes removal text
MAILTO_TO_B2BMAIL Includes a link to a likely spammer email
MAILTO_TO_REMOVE Includes a 'remove' email address
MAILTO_TO_SPAM_ADDR Includes a link to a likely spammer email
MAILTO_WITH_SUBJ Includes a link to send a mail with a subject
MAIL_IN_ORDER_FORM Contains mail-in order form
MANY_EXCLAMATIONS Subject has many exclamations
MANY_FROMS 'From' contains more than one address
MARKETING Direct Marketing
MARKETING_PARTNERS Claims you registered with a partner
MARKET_SOLUTION Marketing Solutions
MARKUP_RAND RAND found, spammer tried to use a random-ID
MARKUP_SSPL SSPL found, spammer tried to use a random-ID
MASS_EMAIL Talks about mass email
MDAEMON_2_7_4 Received via buggy SMTP server (MDaemon 2.7.4SP4R)
MEET_SINGLES Meet Singles
MEGA_SITE Possible porn - Mega Porn
MICROSOFT Message has microsoft header
MICROSOFT_EXECUTABLE Message includes Microsoft executable program
MICRO_CAP_WARNING SEC-mandated penny-stock warning
MILLION_EMAIL Get a million email addresses
MILLION_USD Talks about millions of dollars
MIME_BASE64_BLANKS Extra blank lines in base64 encoding
MIME_BASE64_ILLEGAL base64 attachment uses illegal characters
MIME_BASE64_LATIN Latin alphabet text using base64 encoding
MIME_BASE64_NO_NAME base64 attachment does not have a file name
MIME_BASE64_TEXT Message text disguised using base64 encoding
MIME_BOUND_DASH_DIGIT Spam tool pattern in MIME boundary
MIME_BOUND_DIGITS_4 Spam tool pattern in MIME boundary
MIME_BOUND_DIGITS_7 Spam tool pattern in MIME boundary
MIME_BOUND_HASHES Spam tool pattern in MIME boundary
MIME_BOUND_HEX_24 Spam tool pattern in MIME boundary
MIME_BOUND_MA Spam tool pattern in MIME boundary
MIME_BOUND_MAIL_BOUND Spam tool pattern in MIME boundary
MIME_BOUND_MANY_HEX Spam tool pattern in MIME boundary
MIME_BOUND_NEXTPART Spam tool pattern in MIME boundary
MIME_BOUND_OPTIN Spam tool pattern in MIME boundary
MIME_BOUND_RKFINDY Spam tool pattern in MIME boundary (rfkindy)
MIME_BOUND_TEP Spam tool pattern in MIME boundary
MIME_CHARSET_FARAWAY MIME character set indicates foreign language
MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
MIME_HTML_MOSTLY Multipart message mostly text/html MIME
MIME_HTML_NO_CHARSET Message text in HTML without charset
MIME_HTML_ONLY Message only has text/html MIME parts
MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
MIME_MISSING_BOUNDARY MIME section missing boundary
MIME_ODD_CASE MiME-Version header (oddly capitalized)
MIME_QP_DEFICIENT Deficient quoted-printable encoding in body
MIME_QP_EXCESSIVE Excessive quoted-printable encoding in body
MIME_QP_LONG_LINE Quoted-printable line longer than 76 chars
MIME_QP_NO_CHARSET Quoted-printable inline text with no charset
MIME_SUSPECT_NAME MIME filename does not match content
MISSING_HEADERS Missing To: header
MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
MISSING_OUTLOOK_NAME Message looks like Outlook, but isn't
MLM Multi Level Marketing mentioned
MONEY_BACK Money back guarantee
MONEY_MAKING Discusses money making
MONSTERHUT Mentions monsterhut.com
MORE_TRAFFIC More Internet Traffic
MORTGAGE_BEST Information on mortgages
MORTGAGE_LINKS Message has link to mortgage URI
MORTGAGE_NETWORK Something about a mortgage network
MORTGAGE_PITCH Looks like mortgage pitch
MORTGAGE_RATES Information on mortgage rates
MORTGAGE_WAITING Something about waiting for mortgages
MSGID_3_DOLLARS Spam tool Message-Id: (3-dollars variant)
MSGID_4NUMS_DOLLAR Spam tool Message-Id: (4-num-dollar variant)
MSGID_FROM_MTA_BACKUP Message-Id was added by a relay
MSGID_FROM_MTA_HEADER Message-Id was added by a relay
MSGID_FROM_MTA_HOTMAIL Message-Id was added by a hotmail.com relay
MSGID_FROM_MTA_LATER Message-Id was added by a relay
MSGID_FROM_MTA_SHORT Message-Id was added by a relay
MSGID_HAS_NO_AT Message-Id has no @ sign
MSGID_NO_HOST Message-Id has no hostname
MSGID_OUTLOOK_INVALID Message-Id is fake (in Outlook Express format)
MSGID_SPAM_1 Message-Id generated by a spam tool
MSGID_SPAM_6LETTER Spam tool Message-Id: (6-letter variant)
MSGID_SPAM_99X9XX99 Spam tool Message-Id: (99x9xx99 variant)
MSGID_SPAM_ZEROES Spam tool Message-Id: (12-zeroes variant)
MSGID_THREESIXSIX Message-Id header indicates message is spam
MULTI_FORGED Received headers indicate multiple forgeries
MURKOWSKI_CRUFT Old Murkowski disclaimer
MUST_BE_18 Possible porn - Must be 18
NASTY_GIRLS Possible porn - Nasty Girls
NATURAL_VIAGRA Plugs "Natural Viagra"
NA_DOLLARS Talks about a million North American dollars
NEVER_ANOTHER "another mailing" will "never" be "received"
NEW_CUSTOMER New Customers Only
NEW_DOMAIN_EXTENSIONS Possible registry spammer
NIGERIAN_BODY1 Message body looks like a Nigerian spam message 1+
NIGERIAN_BODY2 Message body looks like a Nigerian spam message 2+
NIGERIAN_BODY3 Message body looks like a Nigerian spam message 3+
NIGERIAN_BODY4 Message body looks like a Nigerian spam message 4+
NIGERIAN_BODY_GOVT_3 Message body has many indications of Nigerian scam
NIGERIAN_SCAM_VIRTUE Possible Nigerian Scam Text
NIGERIAN_SUBJECT1 Subject is indicative of a Nigerian spam
NIGERIAN_SUBJECT2 Subject is indicative of a Nigerian spam
NIGERIAN_SUBJECT6 Subject is indicative of a Nigerian spam
NONEXISTENT_CHARSET Character set doesn't exist
NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL
NOT_ADVISOR Not registered investment advisor
NOT_INTENDED Not intended for residents of somewhere
NOT_MLM Apparently, NOT Multi Level Marketing
NO_AGE No Age Restrictions
NO_CATCH There is no catch
NO_COST No such thing as a free lunch (3)
NO_CREDIT_CHECK No Credit Check
NO_DISAPPOINTMENT You won't be "disappointed"
NO_DNS_FOR_FROM Domain in From header has no MX or A DNS records
NO_EXPERIENCE No experience needed!
NO_FEE No Fees
NO_FORMS No Claim Forms
NO_GIMMICK No Gimmick
NO_INVENTORY No Inventory
NO_INVESTMENT No Investment
NO_MEDICAL No Medical Exams
NO_MIDDLEMAN No Middleman
NO_OBLIGATION There is no obligation
NO_PURCHASE No Purchase Necessary
NO_QS_ASKED Doesn't ask any questions
NO_RDNS_DOTCOM_HELO Host HELO'd as a big ISP, but had no rDNS
NO_REAL_NAME From: does not include a real name
NO_SELLING Claims not to be selling anything
NO_STRINGS No Strings Attached
NUMERIC_HTTP_ADDR Uses a numeric IP address in URL
OBFUSCATING_COMMENT HTML comments which obfuscate text
OBSCURED_EMAIL Message seems to contain rot13ed address
OFFER Free Offer
OFFERS_ETC Stop the offers, coupons, discounts etc!
OFFSHORE_SCAM Off Shore Scams
ONCE_IN_LIFETIME Once in a lifetime, apparently
ONE_TIME One Time Rip Off
ONE_TIME_MAILING one time mailing doesn't mean it isn't spam
ONLINE_BIZ_OPS Wants you to do business online
ONLINE_PHARMACY Online Pharmacy
ONLY_COST Only $$$
OPPORTUNITY Gives information about an opportunity
OPPORTUNITY_2 Opportunity - What a deal!
OPT_HEADER Headers include an "opt"ed phrase
OPT_IN Talks about opting in (lowercase version)
OPT_IN_CAPS Talks about opting in (capitalized version)
OPT_OUT Talks about opting out (lowercase version)
OPT_OUT_CAPS Talks about opting out (capitalized version)
ORDER_NOW Encourages you to waste no time in ordering
ORDER_REPORT Order a report from someone
OUR_AFFILIATE_PARTNERS Mentions their affiliate partners
OUR_COMPENSATION Mentions their full compensation
OUR_PRIVACY_POLICY Mentions where their privacy policy is
OUR_PUBLICATIONS Mentions their website and/or publications
OUR_STRICT_ANTI Mentions their strict antipathy on something
OVERWHELMING_GROWTH Mentions their overwhelming growth
PAY_SITE Possible porn - Pay Site
PENIS_ENLARGE Information on getting larger penis/breasts
PENIS_ENLARGE2 Information on getting larger penis/breasts
PENNIES_A_DAY Contains 'for only pennies a day'
PHONE_CANCER Cell Phone Cancer Scam
PLING_PLING Subject has lots of exclamation marks
PLING_QUERY Subject has exclamation mark and question mark
PORN_15 Possible porn - various types of feline
PORN_16 Possible porn - nasty, dirty, little etc.
PORN_4 URL uses words/phrases which indicate porn
PORN_6 Possible Porn - XXX Photos
PORN_GALLERIES Possible porn - Galleries of Pictures
PORN_MEMBERSHIP Possible Porn - Porn membership
PORN_PASSWORD Possible porn - Porn Password
POST_IN_RCVD Received contains fake 'Post.cz' hostname
PREST_NON_ACCREDITED 'Prestigious Non-Accredited Universities'
PRINT_FORM_SIGNATURE Asks you for your signature on a form
PRIORITY_MAIL Orders shipped by priority mail
PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
PRIZE Talks about prizes
PRODUCED_AND_SENT_OUT Tells you it's an ad
PROMOTION Contains 'Special Promotion'
PSYCHIC Psychics Scam
PURE_PROFIT Offers "pure" profit
PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
RAPE Possible porn - Rape
RATWARE_BAD_REFS References header has bad format
RATWARE_BANG_HASH Bulk email fingerprint (bang-hash) found
RATWARE_CARETOP Bulk email fingerprint (Caretop) found
RATWARE_CHARSET Bulk email fingerprint (charset) found
RATWARE_CHARSET_V2 Bulk email fingerprint (charset 2) found
RATWARE_DIFFOND Bulk email fingerprint (DiffondiCool) found
RATWARE_DIRECT_EMAIL Bulk email fingerprint (Direct Email) found
RATWARE_EGROUPS Bulk email fingerprint (eGroups) found
RATWARE_EMPTY_HELO Received headers forged (empty HELO)
RATWARE_EMWAC Bulk email fingerprint ("EMWAC SMTPRS") found
RATWARE_EVAMAIL Bulk email fingerprint (EVAMAIL) found
RATWARE_EXISCAN_FORGED Headers indicate forged Exiscan message
RATWARE_FLOAT Bulk email fingerprint (float) found
RATWARE_GR Bulk email fingerprint (GRMessageQueue) found
RATWARE_HASH_2 Bulk email fingerprint (hash 2) found
RATWARE_HASH_2_V2 Bulk email fingerprint (hash 2 v2) found
RATWARE_HASH_DASH Contains a hashbuster in Send-Safe format
RATWARE_IMKTG Bulk email fingerprint (IMktg) found
RATWARE_JIXING Bulk email fingerprint (JiXing) found
RATWARE_JPFREE Bulk email fingerprint (jpfree) found
RATWARE_LC_OUTLOOK Bulk email fingerprint ("outlook") found
RATWARE_MMAILER Bulk email fingerprint (MMailer) found in headers
RATWARE_OE_MALFORMED X-Mailer has malformed Outlook Express version
RATWARE_OE_PI X-Mailer contains "OutLook Express 3.14159"
RATWARE_POWERC Bulk email fingerprint (PowerCampaign) found
RATWARE_RCVD_BONUS_SPC Bulk email fingerprint (bonus space) found
RATWARE_RCVD_LC_ESMTP Bulk email fingerprint ('esmtp' Received) found
RATWARE_SCREWUP_1 Bulk email fingerprint (screwup 1) found
RATWARE_SCREWUP_2 Bulk email fingerprint (screwup 2) found
RATWARE_STORM Bulk email fingerprint (StormPost) found
RATWARE_STORM_URI Bulk email fingerprint (StormPost) found
RATWARE_VC_IPA Bulk email fingerprint (VC_IPA) found
RATWARE_XMAILER Bulk email fingerprint (xmailer tag) found
RATWARE_X_SCANNER Has X-Scanner header
RAVAGESOFAGING Describes the ravages of aging
RAZOR2_CF_RANGE_11_50 Razor2 gives confidence between 11 and 50
RAZOR2_CF_RANGE_51_100 Razor2 gives confidence between 51 and 100
RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
RCVD_6_CAPS_ESMTP_ID Spam tool Received: (6-caps ESMTP ID variant)
RCVD_AM_PM Received headers forged (AM/PM)
RCVD_BY_QVES_COM Sent by a known spamhaus (qves)
RCVD_FAKE_HELO_DOTCOM Received contains a faked HELO hostname
RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
RCVD_IN_BSP_OTHER Sender is in Bonded Sender Program (other relay)
RCVD_IN_BSP_TRUSTED Sender is in Bonded Sender Program (trusted relay)
RCVD_IN_DSBL Received via a relay in list.dsbl.org
RCVD_IN_DYNABLOCK Sent directly from dynamic IP address
RCVD_IN_MAPS_DUL Relay in DUL, http://www.mail-abuse.org/dul/
RCVD_IN_MAPS_NML Relay in NML, http://www.mail-abuse.org/nml/
RCVD_IN_MAPS_RBL Relay in RBL, http://www.mail-abuse.org/rbl/
RCVD_IN_MAPS_RSS Relay in RSS, http://www.mail-abuse.org/rss/
RCVD_IN_NJABL Received via a relay in dnsbl.njabl.org
RCVD_IN_NJABL_CGI NJABL: sender is an open formmail
RCVD_IN_NJABL_DIALUP NJABL: dialup sender did non-local SMTP
RCVD_IN_NJABL_MULTI NJABL: sent through multi-stage open relay
RCVD_IN_NJABL_PROXY NJABL: sender is an open proxy
RCVD_IN_NJABL_RELAY NJABL: sender is confirmed open relay
RCVD_IN_NJABL_SPAM NJABL: sender is confirmed spam source
RCVD_IN_OPM Received via a relay in opm.blitzed.org
RCVD_IN_OPM_HTTP OPM: sender is open HTTP CONNECT proxy
RCVD_IN_OPM_HTTP_POST OPM: sender is open HTTP POST proxy
RCVD_IN_OPM_ROUTER OPM: sender is open router proxy
RCVD_IN_OPM_SOCKS OPM: sender is open SOCKS proxy
RCVD_IN_OPM_WINGATE OPM: sender is open WinGate proxy
RCVD_IN_RFCI Sent via a relay in ipwhois.rfc-ignorant.org
RCVD_IN_SBL Received via a relay in Spamhaus Block List
RCVD_IN_SORBS SORBS: sender is listed in SORBS
RCVD_IN_SORBS_BLOCK SORBS: sender demands to never be tested
RCVD_IN_SORBS_HTTP SORBS: sender is open HTTP proxy server
RCVD_IN_SORBS_MISC SORBS: sender is open proxy server
RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay
RCVD_IN_SORBS_SOCKS SORBS: sender is open SOCKS proxy server
RCVD_IN_SORBS_SPAM SORBS: spam source or spam-supporting ISP
RCVD_IN_SORBS_WEB SORBS: sender is a abuseable web server
RCVD_IN_SORBS_ZOMBIE SORBS: sender is on a hijacked network
RCVD_NUMERIC_HELO Received: contains a numeric HELO
READ_TO_END You'd better read all of this spam!
RECEIVED_CACHEFLOW Received contains 'CacheFlowServer' IDENT name
RECEIVED_IDENT_SQUID Message was sent by a Squid HTTP proxy
RECEIVE_EMAIL Receive third party email
RECEIVE_OFFER Receive a special offer
REFINANCE_NOW Home refinancing
REFINANCE_YOUR_HOME Home refinancing
REMOVAL_INSTRUCTIONS Gives instructions for removal from list
REMOVE_FROM_LIST To be removed from list
REMOVE_IN_QUOTES List removal information
REMOVE_PAGE URL of page called "remove"
REMOVE_POSTAL Send real mail to be unsubscribed
REMOVE_REMOVAL_1WORD List removal information
REMOVE_REMOVAL_2WORD List removal information
REMOVE_REMOVAL_NEAR List removal information
REMOVE_SUBJ List removal information
REPLY_REMOVE_SUBJECT List removal information
REPLY_TO_EMPTY Reply-To: is empty
REPLY_TO_ULINE_NUMS Reply-To: has an underline and numbers/letters
RESISTANCE_IS_FUTILE Resistance to this spam is futile
REVERSE_AGING Reverses Aging
RICH If only it were that easy
RISK_FREE Risk free. Suuurreeee....
ROUND_THE_WORLD Received: says mail sent around the world (DNS)
ROUND_THE_WORLD_LOCAL Received: says mail sent around the world (HELO)
RUSSIAN_UCE_SUBJECT Subject contains a Russian UCE tag
SAFEGUARD_NOTICE Contains signature of unregistered spam tool
SATISFACTION Satisfaction Guaranteed
SAVE_BUCKS Save $$$
SAVE_MONEY Save big money
SAVE_ON_INSURANCE Trying to sell insurance online
SAVE_THOUSANDS Save big money
SAVE_UP_TO Save Up To
SAVINGS Subject talks about savings
SEARCH_ENGINE_PROMO Discusses search engine listings
SECRET_RECORD Secretly Recorded
SECTION_301 Claims compliance with spam regulations
SEDUCTION Score with babes!
SEE_FOR_YOURSELF See for yourself
SELECTED_YOU They have selected you for something
SENT_IN_COMPLIANCE Claims compliance with spam regulations
SERIOUS_CASH Serious cash
SERIOUS_ONLY Serious Enquiries Only
SEX_FEST Possible porn - Porn Fest
SHOPPING_SPREE Shopping Spree
SMTPD_IN_RCVD Received via SMTPD32 server (SMTPD32-n.n)
SOME_BREAKTHROUGH Describes some sort of breakthrough
SORTED_RECIPS Recipient list is sorted by address
SPAM_FORM Form for changing email address
SPAM_FORM_ACTION Obfuscated action attribute in HTML form
SPAM_FORM_INPUT Form for verifying email address
SPAM_FORM_RETURN Form for checking email address
START_NOW_CAPS Talks about 'starting now' with capitals
STOCK_ALERT Offers a alert about a stock
STOCK_PICK Offers a picked stock
STOP_SNORING Contains "Stop Snoring"
STRONG_BUY Tells you about a strong buy
SUBJECT_APPROVED Subject talks about being approved
SUBJ_2_CREDIT Contains 'subject to credit approval'
SUBJ_ALL_CAPS Subject is all capitals
SUBJ_AS_SEEN Subject contains "As Seen"
SUBJ_BUY 'Subject' starts with Buy, Buying
SUBJ_DOLLARS Subject starts with dollar amount
SUBJ_DOUBLE_YOUR Subject contains "Double Your"
SUBJ_FOR_ONLY Subject contains "For Only"
SUBJ_FREE_CAP Subject contains "FREE" in CAPS
SUBJ_FREE_INSTANT Subject contains "Free Instant"
SUBJ_GUARANTEED Subject GUARANTEED
SUBJ_HAS_SPACES Subject contains lots of white space
SUBJ_HAS_TIME_ID Subject has a Time ID
SUBJ_HAS_UNIQ_ID Subject contains a unique ID
SUBJ_ILLEGAL_CHARS Subject contains too many raw illegal characters
SUBJ_LIFE_INSURANCE Subject includes "life insurance"
SUBJ_NOW_ONLY Subject contains "Now Only"
SUBJ_REMOVE List removal information
SUBJ_RIPPED Subject contains "Ripped & Strong"
SUBJ_VIAGRA Subject includes "viagra"
SUBJ_YOUR_DEBT Subject contains "Your Bills" or similar
SUBJ_YOUR_FAMILY Subject contains "Your Family"
SUBJ_YOUR_OWN Subject contains "Your Own"
SUB_FREE_OFFER Subject starts with "Free"
SUB_HELLO Subject starts with "Hello"
SUPPLIES_LIMITED Supplies are Limited
SUSPICIOUS_RECIPS Similar addresses in recipient list
S_1618 Claims compliance with Senate Bill 1618
TAKE_ACTION_NOW Tells you to 'take action now!'
TARGETED Targeted Traffic / Email Addresses
THE_BEST_RATE The best Rates
THE_FOLLOWING_FORM Asks you to fill out a form
THIS_AINT_SPAM Claims "This is not spam"
THIS_IS_AN_AD Says "this is an advertisement" (thanks!)
TONER Contains "Toner Cartridge"
TO_ADDRESS_EQ_REAL To: repeats address as real name
TO_EMPTY To: is empty
TO_FILENAME "To" header contains a filename
TO_HAS_SPACES To: address contains spaces
TO_INVESTORS To: non-existent 'Investors' address
TO_MALFORMED To: has a malformed address
TO_NO_USER To: has no local-part before @ sign
TO_RECIP_MARKER To header contains 'recipient' marker
TO_TXT Sent to a text file
TRACE_BY_SSN Talks about tracing by SSN
TRACKER_ID Incorporates a tracking ID number
UCE_MAIL_ACT Mentions Spam Law "UCE-Mail Act"
UNCLAIMED_MONEY People just leave money laying around
UNDER_BILL_1618 Claims compliance with Senate Bill 1618
UNDISC_RECIPS Valid-looking To "undisclosed-recipients"
UNIVERSITY_DIPLOMAS University Diplomas
UNSECURED_CREDIT Unsecured Credit/Debt
UNSUB_PAGE URL of page called "unsubscribe"
UNSUB_SCRIPT URL of CGI script has unsubscribe or remove
UNWANTED_LANGUAGE_BODY Message written in an undesired language
UPPERCASE_25_50 message body is 25-50% uppercase
UPPERCASE_50_75 message body is 50-75% uppercase
UPPERCASE_75_100 message body is 75-100% uppercase
UP_TO_OR_MORES Has generic 'up to X or more' noise
URGENT_BIZ Contains urgent matter
URI_4YOU Message has URI 4you
URI_BANNEDCD Message has URI for bannedcd
URI_DOLLARMACHINE Message has URI for dollarmachine
URI_FREEHT Message has URI for freeht
URI_HITBOX Message has URI for hitbox.com
URI_IS_POUND Filename is just a '\#'; probably a JS trick
URI_OFFERS Message has link to company offers
URI_PXLG Frequent Spam Content
USERNAME_IN_SUBJECT To: username at front of subject
USERPASS URL contains username and (optional) password
USER_4U2 Local part containing a "4u" variant
USER_IN_ALL_SPAM_TO User is listed in 'all_spam_to'
USER_IN_BLACKLIST From: address is in the user's black-list
USER_IN_BLACKLIST_TO User is listed in 'blacklist_to'
USER_IN_DEF_WHITELIST From: address is in the default white-list
USER_IN_MORE_SPAM_TO User is listed in 'more_spam_to'
USER_IN_WHITELIST From: address is in the user's white-list
USER_IN_WHITELIST_TO User is listed in 'whitelist_to'
USE_IDENTITY Someone using your identity
US_DOLLARS_2 Mentions $$$ ($NNN.N m/USDNNN.N m/US$NN.N m)
US_DOLLARS_3 Mentions millions of $ ($NN,NNN,NNN.NN)
VACATION_SCAM Vacation Offers
VAR_REF_IN_RECEIVED Received contains a $variable reference
VERB_UP_TO_OR_MORES Has add/lose/make/save up to X or more
VERY_SUSP_RECIPS Very similar addresses in recipient list  
VIAGRA Plugs Viagra
VIAGRA_COMBO Viagra and other drugs
VIAGRA_ONLINE Fast Viagra Delivery
VJESTIKA Contains "Vjestika Aphrodisia"
WALAA Illiterate spammer cannot spell 'voila'
WANTS_CREDIT_CARD Asks for credit card details
WEALTH Achieve Wealth
WEIRD_PORT Uses non-standard port number for HTTP
WEIRD_QUOTING Weird repeated double-quotation marks
WE_HATE_SPAM We strongly oppose the use of spam email too
WE_HATE_SPAM2 Mailer is against spam -- aren't we all?
WE_HONOR_ALL Claims to honor removal requests
WE_PROMISE_YOU Promise you ...!
WHILE_SUPPLIES While Supplies Last
WHILE_YOU_SLEEP While you Sleep
WHY_PAY_MORE Why Pay More?
WHY_WAIT What are you waiting for
WITH_LC_SMTP Received line contains spam-sign (lowercase smtp)
WORK_AT_HOME Information on how to work at home (1)
WORRY_FREE No Worries, Mate
WRINKLES Removes Wrinkles
WWW_CLIK4YOU_COM Frequent Spam content
X_ENC_PRESENT Message has X-Encoding header
X_ESMTP Message has x-esmtp header
X_FIX_PRESENT Message has X-Fix header
X_GCMULTI Message has X-GCMulti header
X_LIBRARY Message has X-Library header
X_LIST_UNSUBSCRIBE Message has X-List-Unsubscribe header
X_MAILER_GIBBERISH 'X-Mailer' line contains gibberish
X_MAIL_ID_PRESENT Message has X-MailingID header
X_MIME_KEY Message has X-Mime-Key header
X_MSMAIL_PRIORITY_HIGH Sent with 'X-Msmail-Priority' set to high
X_ORIG_HOST Message has X-Originating-Host header
X_PMFLAGS_PRESENT Message has X-PMFLAGS header
X_PRECEDENCE_REF Message has X-Precedence-Ref header
X_PRIORITY_HIGH Sent with 'X-Priority' set to high
X_PRI_MISMATCH_HI 'X-Priority' does not match 'X-MSMail-Priority'
X_SERV_HOST_PRESENT Message has X-ServerHost header
X_STORMPOST_TO Message has X-Stormpost-To header
X_VMP_TEXT Message has X-VMP-Text header
X_X_PRESENT Message has X-x header
YAHOO_REDIR Has Yahoo Redirect URI
YOUR_INCOME Doing something with my income
YOU_CAN_SEARCH You can search for anyone
YOU_WON Who really wins?
__MIME_BASE64 Includes a base64 attachment
__MIME_QP Includes a quoted-printable attachment
0
 

Author Comment

by:ZFR
adding the HTML tags did the trick.... got my spam score down to 3.9 (just enough)
so rlawley gets the points

Thanx also to skullnobrains and squinky


ZFR
0
 

Expert Comment

by:diamond_magic5625
here is an all-PHP solution...
just add this to the headers section:
"X-Mailer: Certifed Mailer\n"
by default, this is:
X-Mailer: CGI-Mailer, something most spam blockers block.

like this:
mail($to,$subject,$messagebody,"X-Mailer: Certifed Mailer\n");
0
 
LVL 26

Expert Comment

by:skullnobrains
<< just add this to the headers section:
<< "X-Mailer: Certifed Mailer\n"
<< by default, this is:
<< X-Mailer: CGI-Mailer, something most spam blockers block.

may work, but definitely not for long, and 'Certified Mailer' is unuseful for the recipient and a forgery as well.

i'd suggest that folks try and keep the general use such as an outcoming from a regular mail client.
then on such cases, be on the contrary specific.
call the mailer yoursite-mailer.

the first time any client will receive the mail, and not consider it to be a spam, the spamblocker will add your mailer to his trusted list.
(actually, your mails will probably go through with the same score at the moment...)

such behavior is in my opinion what makes spam blockers unreliable, and the reason why i have to dig through dozens of spams every day,
and use spamboxes, and new accounts rather often...

ps : i'm NOT starting a polemic. just a suggestion and statement that may well be commented.
0
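
Added example (not code from any participant in this thread): a PHP function that builds one newsletter as a complete multipart/alternative message, with a plain-text part, a full HTML document with charset and title, and explicit Date and Message-ID headers. These are the structural conditions behind tests in the list above such as MIME_HTML_ONLY, MIME_HTML_NO_CHARSET, HTML_TITLE_EMPTY, INVALID_DATE and MSGID_NO_HOST. The function names, the example.org addresses and the `yoursite-mailer` value (following skullnobrains's naming suggestion) are assumptions.

```php
<?php
// Added example, not the asker's script. Names, addresses and hosts are placeholders.

/** Reject values that could smuggle extra header lines into the message. */
function header_safe(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('CR/LF not allowed in a header value');
    }
    return $value;
}

/**
 * Build headers and body for one multipart/alternative newsletter.
 * Returns [headers, body] for mail($to, $subject, $body, $headers).
 * $fromName is assumed to be ASCII; other names need RFC 2047 encoding.
 */
function build_newsletter(string $fromName, string $fromAddr, string $msgIdHost,
                          string $title, string $text, string $htmlFragment): array
{
    if (filter_var($fromAddr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid From address');
    }
    $boundary = '=_nl_' . bin2hex(random_bytes(8));

    // Complete HTML document: doctype, declared charset and a non-empty title.
    $html = "<!DOCTYPE html>\r\n<html>\r\n<head>\r\n"
          . "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\r\n"
          . '<title>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</title>\r\n"
          . "</head>\r\n<body>\r\n" . $htmlFragment . "\r\n</body>\r\n</html>";

    $headers = implode("\r\n", [
        'From: "' . addcslashes(header_safe($fromName), '"\\') . '" <' . header_safe($fromAddr) . '>',
        'Date: ' . date(DATE_RFC2822),
        'Message-ID: <' . bin2hex(random_bytes(16)) . '@' . header_safe($msgIdHost) . '>',
        'MIME-Version: 1.0',
        'Content-Type: multipart/alternative; boundary="' . $boundary . '"',
        'X-Mailer: yoursite-mailer',
    ]);

    // One MIME part: normalise line endings to CRLF, then quoted-printable encode
    // so no encoded line exceeds 76 characters.
    $part = function (string $type, string $content) use ($boundary): string {
        $content = preg_replace('/\r\n|\r|\n/', "\r\n", $content);
        return '--' . $boundary . "\r\n"
             . 'Content-Type: ' . $type . "; charset=UTF-8\r\n"
             . "Content-Transfer-Encoding: quoted-printable\r\n\r\n"
             . quoted_printable_encode($content) . "\r\n";
    };

    // Plain text first, HTML last: clients display the last part they support.
    $body = $part('text/plain', $text)
          . $part('text/html', $html)
          . '--' . $boundary . "--\r\n";

    return [$headers, $body];
}

// Constructed sample input.
[$headers, $body] = build_newsletter(
    'Student Sport Association',
    'newsletter@example.org',
    'example.org',
    'Newsletter April',
    "Hello,\nthis month's news...",
    "<p>Hello,</p>\n<p>this month's news...</p>"
);
echo $headers, "\r\n\r\n", $body;

// In the sending loop, one call per subscriber address from the database:
// mail($to, 'Newsletter April', $body, $headers);
```

Running the finished message through the receiving filter's own report (the per-test breakdown it adds to the headers) shows which of the listed tests still fire.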
