| AREA TESTED | LOCALE | DESCRIPTION OF TEST | TEST NAME | DEFAULT SCORES (local, net, with bayes, with bayes+net) |
|---|---|---|---|---|
| body | Generic Test for Unsolicited Bulk Email | GTUBE | 1000 | |
| full | Listed in Razor2 (http://razor.sf.net/) | RAZOR2_CHECK | 0 0.899 0 1.047 | |
| body | Razor2 gives confidence between 11 and 50 | RAZOR2_CF_RANGE_11_50 | 0 0.559 0 0.876 | |
| body | Razor2 gives confidence between 51 and 100 | RAZOR2_CF_RANGE_51_100 | 0 1.552 0 1.101 | |
| full | Listed in DCC (http://rhyolite.com/anti-spam/dcc/) | DCC_CHECK | 0 1.806 0 2.907 | |
| full | Listed in Pyzor (http://pyzor.sf.net/) | PYZOR_CHECK | 0 0.322 0 3.511 | |
| body | List removal information | REMOVE_IN_QUOTES | 0.001 0.187 0.001 0.001 | |
| body | Click-to-remove with mailto: found | CLICK_TO_REMOVE_2 | 1 | |
| rawbody | Contains an ASCII-formatted form | ASCII_FORM_ENTRY | 1 | |
| body | Incorporates a tracking ID number | TRACKER_ID | 2.528 3.527 3.261 3.784 | |
| body | RAND found, spammer tried to use a random-ID | MARKUP_RAND | 2.900 2.800 0 0 | |
| body | SSPL found, spammer tried to use a random-ID | MARKUP_SSPL | 1 | |
| body | Contains a large block of hexadecimal code | LARGE_HEX | 0.633 1.595 1.193 1.160 | |
| body | A WHOLE LINE OF YELLING DETECTED | LINES_OF_YELLING | 0 0.011 0 0 | |
| body | 2 WHOLE LINES OF YELLING DETECTED | LINES_OF_YELLING_2 | 0 0.105 0 0 | |
| body | 3 WHOLE LINES OF YELLING DETECTED | LINES_OF_YELLING_3 | 1 | |
| body | Weird repeated double-quotation marks | WEIRD_QUOTING | 1.373 0.471 0.061 0 | |
| rawbody | Extra blank lines in base64 encoding | MIME_BASE64_BLANKS | 1 | |
| rawbody | base64 attachment uses illegal characters | MIME_BASE64_ILLEGAL | 0.432 1.715 0 1.581 | |
| rawbody | Latin alphabet text using base64 encoding | MIME_BASE64_LATIN | 1.101 1.101 0.500 0.500 | |
| rawbody | base64 attachment does not have a file name | MIME_BASE64_NO_NAME | 0.189 0 0 0 | |
| rawbody | Message text disguised using base64 encoding | MIME_BASE64_TEXT | 1.101 1.101 1.001 1.008 | |
| rawbody | Message text in HTML without charset | MIME_HTML_NO_CHARSET | 1.064 0.716 1.030 0.561 | |
| rawbody | MIME section missing boundary | MIME_MISSING_BOUNDARY | 1.179 0.803 0 1.838 | |
| body | Multipart message mostly text/html MIME | MIME_HTML_MOSTLY | 1.587 1.162 1.180 1.238 | |
| body | Message only has text/html MIME parts | MIME_HTML_ONLY | 0.666 0.100 0.248 0.320 | |
| rawbody | Deficient quoted-printable encoding in body | MIME_QP_DEFICIENT | 1.048 1.797 2.097 1.912 | |
| rawbody | Excessive quoted-printable encoding in body | MIME_QP_EXCESSIVE | 1 | |
| rawbody | Quoted-printable line longer than 76 chars | MIME_QP_LONG_LINE | 0.242 0 0 0 | |
| rawbody | Quoted-printable inline text with no charset | MIME_QP_NO_CHARSET | 0.931 0.714 0.047 0.197 | |
| rawbody | Message includes Microsoft executable program | MICROSOFT_EXECUTABLE | 0.100 | |
| rawbody | MIME filename does not match content | MIME_SUSPECT_NAME | 0.100 | |
| body | Character set indicates a foreign language | CHARSET_FARAWAY | 3.200 | |
| body | Message written in an undesired language | UNWANTED_LANGUAGE_BODY | 2.800 | |
| body | Body includes 8 consecutive 8-bit characters | BODY_8BITS | 1.500 | |
| rawbody | Contains a hashbuster in Send-Safe format | RATWARE_HASH_DASH | 1.101 4.300 1.920 4.100 | |
| body | Body contains a ROT13-encoded email address | EMAIL_ROT13 | 4.400 4.300 2.590 4.100 | |
| body | Message body has 70-80% blank lines | BLANK_LINES_70_80 | 1.999 0.867 1.424 2.126 | |
| body | Message body has 80-90% blank lines | BLANK_LINES_80_90 | 1.643 1.489 2.596 2.599 | |
| body | Message body has 90-100% blank lines | BLANK_LINES_90_100 | 1 | |
| header | Has Habeas warrant mark (http://www.habeas.com/) | HABEAS_SWE | -8.0 | |
| header | NJABL: sender is confirmed open relay | RCVD_IN_NJABL_RELAY | 0 1.133 0 0.824 | |
| header | NJABL: dialup sender did non-local SMTP | RCVD_IN_NJABL_DUL | 0 1.580 0 1.708 | |
| header | NJABL: sender is confirmed spam source | RCVD_IN_NJABL_SPAM | 0 0.899 0 0.951 | |
| header | NJABL: sent through multi-stage open relay | RCVD_IN_NJABL_MULTI | 0 0.101 0 0.101 | |
| header | NJABL: sender is an open formmail | RCVD_IN_NJABL_CGI | 0 0.1 0 0.100 | |
| header | NJABL: sender is an open proxy | RCVD_IN_NJABL_PROXY | 0 1.186 0 2.342 | |
| header | SORBS: sender is open HTTP proxy server | RCVD_IN_SORBS_HTTP | 0 0.000 0 1.203 | |
| header | SORBS: sender is open proxy server | RCVD_IN_SORBS_MISC | 0 0.118 0 0.004 | |
| header | SORBS: sender is open SMTP relay | RCVD_IN_SORBS_SMTP | 0 1.630 0 0.382 | |
| header | SORBS: sender is open SOCKS proxy server | RCVD_IN_SORBS_SOCKS | 0 1.603 0 0.927 | |
| header | SORBS: sender is a abuseable web server | RCVD_IN_SORBS_WEB | 0 0.000 0 0.353 | |
| header | SORBS: sender demands to never be tested | RCVD_IN_SORBS_BLOCK | 0 0.001 0 0.001 | |
| header | SORBS: sender is on a hijacked network | RCVD_IN_SORBS_ZOMBIE | 0 0.948 0 0.918 | |
| header | SORBS: sent directly from dynamic IP address | RCVD_IN_SORBS_DUL | 0 0.067 0 0.092 | |
| header | Received via a relay in Spamhaus SBL | RCVD_IN_SBL | 0 0.814 0 0.875 | |
| header | Received via a relay in Spamhaus XBL | RCVD_IN_XBL | 0 2.333 0 4.923 | |
| header | Received via a relay in list.dsbl.org | RCVD_IN_DSBL | 0 1.101 0 0.706 | |
| header | Sent via a relay in ipwhois.rfc-ignorant.org | RCVD_IN_RFCI | 0 0.100 0 0.100 | |
| header | From: sender listed in dsn.rfc-ignorant.org | DNS_FROM_RFCI_DSN | 0 1.389 0 0.291 | |
| header | Has Habeas warrant mark and on Infringer List | HABEAS_VIOLATOR | 16.0 | |
| header | Sender is in Bonded Sender Program (trusted relay) | RCVD_IN_BSP_TRUSTED | 0 -4.3 0 -4.3 | |
| header | Sender is in Bonded Sender Program (other relay) | RCVD_IN_BSP_OTHER | 0 -0.1 0 -0.1 | |
| header | Received via a relay in bl.spamcop.net | RCVD_IN_BL_SPAMCOP_NET | 0 2.25 0 1.50 | |
| header | Relay in RBL, http://www.mail-abuse.org/rbl/ | RCVD_IN_MAPS_RBL | 1 | |
| header | Relay in DUL, http://www.mail-abuse.org/dul/ | RCVD_IN_MAPS_DUL | 1 | |
| header | Relay in RSS, http://www.mail-abuse.org/rss/ | RCVD_IN_MAPS_RSS | 1 | |
| header | Relay in NML, http://www.mail-abuse.org/nml/ | RCVD_IN_MAPS_NML | 1 | |
| header | Host HELO did not match rDNS: aol.com | FAKE_HELO_AOL | 1.916 1.875 1.788 2.354 | |
| header | Host HELO did not match rDNS: hotmail.com | FAKE_HELO_HOTMAIL | 1.172 0 2.335 1.499 | |
| header | Host HELO did not match rDNS: usa.net | FAKE_HELO_USA_NET | 2.800 2.800 2.696 2.488 | |
| header | Host HELO did not match rDNS: shaw.ca | FAKE_HELO_SHAW_CA | 0.298 0.904 2.800 0.585 | |
| header | Host HELO did not match rDNS: netscape.com | FAKE_HELO_NETSCAPE_COM | 0.583 1.133 2.078 1.817 | |
| header | Host HELO did not match rDNS: netzero.net | FAKE_HELO_NETZERO | 1 | |
| header | Host HELO did not match rDNS: msn.com | FAKE_HELO_MSN | 0.700 1.883 1.576 0.319 | |
| header | Host HELO did not match rDNS: mail.ru | FAKE_HELO_MAIL_RU | 2.033 1.859 2.462 0.473 | |
| header | Host HELO did not match rDNS: mail.com | FAKE_HELO_MAIL_COM | 4.113 3.526 3.705 3.769 | |
| header | Host HELO did not match rDNS: flashmail.com | FAKE_HELO_FLASHMAIL | 1 | |
| header | Host HELO did not match rDNS: email.com | FAKE_HELO_EMAIL_COM | 2.900 2.800 2.800 2.700 | |
| header | Host HELO did not match rDNS: caramail.com | FAKE_HELO_CARAMAIL | 2.900 2.800 0 2.700 | |
| header | Host HELO did not match rDNS: bigfoot.com | FAKE_HELO_BIGFOOT | 2.900 2.800 2.800 2.700 | |
| header | Host HELO did not match rDNS: eudoramail.com | FAKE_HELO_EUDORAMAIL | 2.900 2.800 2.800 2.700 | |
| header | Host HELO did not match rDNS: excite.com | FAKE_HELO_EXCITE | 2.804 2.800 2.800 2.700 | |
| header | Host HELO did not match rDNS: mailcity.com | FAKE_HELO_MAILCITY | 2.287 2.800 1.309 0 | |
| header | Host HELO did not match rDNS: lycos.com | FAKE_HELO_LYCOS | 2.900 2.800 2.800 1.355 | |
| header | Host HELO did not match rDNS: juno.com | FAKE_HELO_JUNO | 2.551 2.800 2.800 2.700 | |
| header | Host HELO did not match rDNS: yahoo.com | FAKE_HELO_YAHOO | 1.871 0 2.696 2.599 | |
| header | Host HELO did not match rDNS: yahoo.ca | FAKE_HELO_YAHOO_CA | 1.424 1.852 2.800 2.700 | |
| header | From: does not include a real name | NO_REAL_NAME | 0.339 0.285 0.339 0.160 | |
| header | From: ends in numbers | FROM_ENDS_IN_NUMS | 0.999 0.869 0.677 0.994 | |
| header | From: starts with nums | FROM_STARTS_WITH_NUMS | 0.390 1.574 1.044 0.579 | |
| header | From: contains numbers mixed in with letters | FROM_HAS_MIXED_NUMS | 0.100 0.304 0.100 0.259 | |
| header | From address matches known spammer format | FROM_HAS_MIXED_NUMS2 | 1.977 2.800 1.960 2.216 | |
| header | From: contains numbers mixed in with letters | FROM_HAS_MIXED_NUMS3 | 1.811 1.999 4.095 3.248 | |
| header | Uses an address with lots of numbers, at a big ISP | ADDR_NUMS_AT_BIGSITE | 1.044 0.724 1.087 2.699 | |
| header | From address is "at something-offers" | FROM_OFFERS | 4.300 3.932 4.095 4.100 | |
| header | From: has no local-part before @ sign | FROM_NO_USER | 2.226 1.286 2.599 2.386 | |
| header | To: has no local-part before @ sign | TO_NO_USER | 1.662 1.498 1.597 0 | |
| header | To: address contains spaces | TO_HAS_SPACES | 0.492 2.397 0 0 | |
| header | To: is empty | TO_EMPTY | 1.600 0 0 0 | |
| header | Reply-To: is empty | REPLY_TO_EMPTY | 0.065 0.888 1.663 2.599 | |
| header | Reply-To: has an underline and numbers/letters | REPLY_TO_ULINE_NUMS | 0.001 0.001 0.001 2.699 | |
| header | To: repeats address as real name | TO_ADDRESS_EQ_REAL | 0.444 0.011 0.593 0.778 | |
| header | Valid-looking To "undisclosed-recipients" | UNDISC_RECIPS | 1 | |
| header | Faked To "Undisclosed-Recipients" | FAKED_UNDISC_RECIPS | 2.899 2.694 2.800 2.700 | |
| header | Subject has exclamation mark and question mark | PLING_QUERY | 0.014 0.238 0 0 | |
| header | Subject contains a unique ID | SUBJ_HAS_UNIQ_ID | 1.390 0.212 0.882 2.677 | |
| header | Subject contains lots of white space | SUBJ_HAS_SPACES | 1.581 0.973 3.324 4.099 | |
| header | Subject is all capitals | SUBJ_ALL_CAPS | 0.550 0.567 0 0 | |
| header | Message-Id has no @ sign | MSGID_HAS_NO_AT | 1 | |
| header | Message-Id generated by a spam tool | MSGID_SPAM_1 | 2.900 2.800 0 2.700 | |
| header | Spam tool Message-Id: (6-letter variant) | MSGID_SPAM_6LETTER | 2.900 2.800 2.800 2.700 | |
| header | Spam tool Message-Id: (99x9xx99 variant) | MSGID_SPAM_99X9XX99 | 4.300 4.300 4.100 4.100 | |
| header | Spam tool Message-Id: (12-zeroes variant) | MSGID_SPAM_ZEROES | 4.400 4.300 4.200 4.100 | |
| header | Spam tool Message-Id: (3-dollars variant) | MSGID_3_DOLLARS | 2.900 0 2.800 0 | |
| header | Spam tool Message-Id: (4-num-dollar variant) | MSGID_4NUMS_DOLLAR | 2.900 2.800 2.800 2.700 | |
| header | Spam tool Received: (6-caps ESMTP ID variant) | RCVD_6_CAPS_ESMTP_ID | 2.900 2.800 2.800 2.700 | |
| header | Message-Id has no hostname | MSGID_NO_HOST | 0.381 1.278 2.397 1.103 | |
| header | Message-Id is fake (in Outlook Express format) | MSGID_OUTLOOK_INVALID | 4.400 4.300 4.200 4.100 | |
| header | Message-Id was added by a relay | MSGID_FROM_MTA_SHORT | 3.665 3.310 3.167 3.030 | |
| header | Message-Id was added by a relay | MSGID_FROM_MTA_LATER | 1 | |
| header | Message-Id was added by a relay | MSGID_FROM_MTA_BACKUP | 0 1.774 0 0.817 | |
| header | Message-Id was added by a hotmail.com relay | MSGID_FROM_MTA_HOTMAIL | 1.747 1.560 2.800 2.700 | |
| header | Date header uses unusual Y2K formatting | DATE_SPAMWARE_Y2K | 4.500 4.400 4.300 4.200 | |
| header | Invalid Date: header (not RFC 2822) | INVALID_DATE | 0.042 0 0 0 | |
| header | Invalid Date: header (timezone does not exist) | INVALID_DATE_TZ_ABSURD | 1.746 1.737 1.749 1.779 | |
| header | Invalid Date: year begins with zero | DATE_YEAR_ZERO_FIRST | 2.900 0 2.800 0 | |
| header | Date: is 3 to 6 hours before Received: date | DATE_IN_PAST_03_06 | 0.322 0.680 0.753 0.419 | |
| header | Date: is 6 to 12 hours before Received: date | DATE_IN_PAST_06_12 | 0.800 0.599 1.363 0.650 | |
| header | Date: is 12 to 24 hours before Received: date | DATE_IN_PAST_12_24 | 0.756 0.385 1.364 0.746 | |
| header | Date: is 24 to 48 hours before Received: date | DATE_IN_PAST_24_48 | 1 | |
| header | Date: is 48 to 96 hours before Received: date | DATE_IN_PAST_48_96 | 1 | |
| header | Date: is 96 hours or more before Received: date | DATE_IN_PAST_96_XX | 1.781 1.238 2.165 1.534 | |
| header | Date: is 3 to 6 hours after Received: date | DATE_IN_FUTURE_03_06 | 2.904 2.834 0.753 1.931 | |
| header | Date: is 6 to 12 hours after Received: date | DATE_IN_FUTURE_06_12 | 1.609 1.946 1.559 1.973 | |
| header | Date: is 12 to 24 hours after Received: date | DATE_IN_FUTURE_12_24 | 1.754 1.953 2.216 3.332 | |
| header | Date: is 24 to 48 hours after Received: date | DATE_IN_FUTURE_24_48 | 2.730 2.796 2.567 2.546 | |
| header | Date: is 48 to 96 hours after Received: date | DATE_IN_FUTURE_48_96 | 1 | |
| header | Date: is 96 hours or more after Received: date | DATE_IN_FUTURE_96_XX | 2.486 2.370 2.071 2.599 | |
| header | Subject: starts with advertising tag | ADVERT_CODE | 2.899 1.578 2.633 1.817 | |
| header | Subject: contains advertising tag | ADVERT_CODE2 | 2.299 2.098 2.097 1.999 | |
| header | Subject contains too many raw illegal characters | SUBJ_ILLEGAL_CHARS | 3.610 2.651 3.475 3.913 | |
| header | From contains too many raw illegal characters | FROM_ILLEGAL_CHARS | 4.300 4.300 4.100 4.100 | |
| header | Header contains too many raw illegal characters | HEAD_ILLEGAL_CHARS | 4.300 4.300 4.100 4.100 | |
| header | Subject contains a Japanese UCE tag | JAPANESE_UCE_SUBJECT | 2.900 2.800 2.800 2.700 | |
| header | Subject contains a Russian UCE tag | RUSSIAN_UCE_SUBJECT | 1 | |
| header | Subject: contains Korean unsolicited email tag | KOREAN_UCE_SUBJECT | 3.659 3.835 2.800 2.700 | |
| header | sent to you@you.com or similar | FRIEND_AT_PUBLIC | 2.900 0 0 0 | |
| header | sent from or to friend@public.com | FRIEND_PUBLIC | 1 | |
| header | Subject: domain names are cheap | DOMAINS_CHEAP | 1 | |
| header | Subject: domain registration spam subject | DOMAIN_SUBJECT | 1 | |
| header | Domain in From header has no MX or A DNS records | NO_DNS_FOR_FROM | 0 1.105 0 1.650 | |
| header | From and To are the same, but not exactly | FROM_AND_TO_SAME | 0.718 1.443 2.097 0.522 | |
| header | Received via buggy SMTP server (MDaemon 2.7.4SP4R) | MDAEMON_2_7_4 | 2.900 2.800 2.800 2.700 | |
| header | Received: contains a forged HELO | FORGED_RCVD_HELO | 1 | |
| header | Received: contains a numeric HELO | RCVD_NUMERIC_HELO | 1.271 0.326 1.526 1.502 | |
| header | Received: contains a name with a faked IP-address | FAKED_IP_IN_RCVD | 2.900 2.800 2.800 2.700 | |
| header | Received via SMTPD32 server (SMTPD32-n.n) | SMTPD_IN_RCVD | 1 | |
| header | Lots and lots of Cc: headers | LOTS_OF_CC_LINES | 2.900 2.800 0 0 | |
| header | Received forged, contains fake AOL relays | FORGED_AOL_RCVD | 4.300 4.300 4.100 4.100 | |
| header | Contains forged hostname for a DSL IP in Brazil | FORGED_TELESP_RCVD | 2.900 2.800 2.800 2.700 | |
| header | Forged hotmail.com 'Received:' header found | FORGED_HOTMAIL_RCVD | 0.470 0.001 0.500 0.500 | |
| header | hotmail.com 'From' address, but no 'Received:' | FORGED_HOTMAIL_RCVD2 | 0.051 0 1.884 2.499 | |
| header | Forged eudoramail.com 'Received:' header found | FORGED_EUDORAMAIL_RCVD | 2.799 2.796 2.696 2.700 | |
| header | 'From' yahoo.com does not match 'Received' headers | FORGED_YAHOO_RCVD | 0.375 0.477 1.181 0.901 | |
| header | 'From' juno.com does not match 'Received' headers | FORGED_JUNO_RCVD | 1.538 2.796 2.696 2.058 | |
| header | Forged 'by gw05' 'Received:' header found | FORGED_GW05_RCVD | 2.900 2.800 2.800 2.700 | |
| header | Forged hotmail.com Received 'from mx' header | FORGED_MX_HOTMAIL | 2.900 2.800 2.800 2.700 | |
| header | Sent by a known spamhaus (qves) | RCVD_BY_QVES_COM | 2.900 0 0 0 | |
| header | Character set doesn't exist | NONEXISTENT_CHARSET | 2.900 2.800 2.800 2.700 | |
| header | A foreign language charset used in headers | CHARSET_FARAWAY_HEADER | 3.200 | |
| header | 'X-Mailer' line contains gibberish | X_MAILER_GIBBERISH | 1 | |
| header | Sent with 'X-Priority' set to high | X_PRIORITY_HIGH | 1.495 0.516 1.486 1.305 | |
| header | Sent with 'X-Msmail-Priority' set to high | X_MSMAIL_PRIORITY_HIGH | 0.500 0.501 0.501 0.500 | |
| header | 'From' contains more than one address | MANY_FROMS | 1 | |
| header | Header contains an address from btamail.net.cn | BTAMAIL_HEADER | 2.900 0 0 0 | |
| header | From: address is in the user's black-list | USER_IN_BLACKLIST | 100.000 | |
| header | From: address is in the user's white-list | USER_IN_WHITELIST | -100.000 | |
| header | From: address is in the default white-list | USER_IN_DEF_WHITELIST | -15.000 | |
| header | Content type is "TEXT/HTML" in all caps | HTML_ALL_CAPS | 1 | |
| header | Received: says mail sent around the world (HELO) | ROUND_THE_WORLD_LOCAL | 3.072 2.965 2.696 2.699 | |
| header | Received: says mail sent around the world (DNS) | ROUND_THE_WORLD | 0 2.515 0 2.141 | |
| header | Missing To: header | MISSING_HEADERS | 1 | |
| header | Similar addresses in recipient list | SUSPICIOUS_RECIPS | 2.632 3.003 2.696 2.599 | |
| header | Very similar addresses in recipient list | VERY_SUSP_RECIPS | 2.900 2.800 2.800 2.700 | |
| header | Recipient list is sorted by address | SORTED_RECIPS | 4.299 4.300 2.696 2.699 | |
| header | User is listed in 'blacklist_to' | USER_IN_BLACKLIST_TO | 10.000 | |
| header | User is listed in 'whitelist_to' | USER_IN_WHITELIST_TO | -6.000 | |
| header | User is listed in 'more_spam_to' | USER_IN_MORE_SPAM_TO | -20.000 | |
| header | User is listed in 'all_spam_to' | USER_IN_ALL_SPAM_TO | -100.000 | |
| header | Subject: contains G.a.p.p.y-T.e.x.t | GAPPY_SUBJECT | 2.326 1.316 2.696 2.270 | |
| header | Message has X-List-Unsubscribe header | X_LIST_UNSUBSCRIBE | 2.900 2.800 2.800 2.700 | |
| header | Message has X-Encoding header | X_ENC_PRESENT | 2.900 2.800 2.800 2.700 | |
| header | Message has x-esmtp header | X_ESMTP | 0.218 1.582 1.368 0 | |
| header | Message has X-Library header | X_LIBRARY | 1.403 1.376 2.282 1.578 | |
| header | Message has X-MailingID header | X_MAIL_ID_PRESENT | 0 2.800 0 0 | |
| header | Message has X-PMFLAGS header | X_PMFLAGS_PRESENT | 2.900 2.800 2.800 2.700 | |
| header | Message has X-Precedence-Ref header | X_PRECEDENCE_REF | 2.900 2.800 2.800 2.700 | |
| header | Message has X-ServerHost header | X_SERV_HOST_PRESENT | 0 2.800 0 0 | |
| header | Message has X-Stormpost-To header | X_STORMPOST_TO | 2.900 0 2.800 0 | |
| header | Message has X-x header | X_X_PRESENT | 2.900 2.800 2.800 2.700 | |
| header | Message has X-Fix header | X_FIX_PRESENT | 1 | |
| header | Message has Complain-To header | COMPLAIN_TO | 1 | |
| header | Message has X-VMP-Text header | X_VMP_TEXT | 2.900 2.800 2.800 0 | |
| header | Message has X-GCMulti header | X_GCMULTI | 1 | |
| header | Message has X-Mime-Key header | X_MIME_KEY | 1 | |
| header | Message has microsoft header | MICROSOFT | 1 | |
| header | MiME-Version header (oddly capitalized) | MIME_ODD_CASE | 2.900 2.800 2.800 2.700 | |
| header | Subject contains "As Seen" | SUBJ_AS_SEEN | 2.699 2.596 0.744 2.500 | |
| header | Subject starts with dollar amount | SUBJ_DOLLARS | 1.180 0.616 0.523 1.921 | |
| header | Subject contains "Double Your" | SUBJ_DOUBLE_YOUR | 0 2.232 0 0 | |
| header | Subject contains "For Only" | SUBJ_FOR_ONLY | 0.773 0.913 0.689 0.972 | |
| header | Subject contains "FREE" in CAPS | SUBJ_FREE_CAP | 0.395 0.070 0 0 | |
| header | Subject contains "Free Instant" | SUBJ_FREE_INSTANT | 2.900 2.800 2.800 2.700 | |
| header | Subject starts with "Free" | SUB_FREE_OFFER | 0.803 0.484 0.223 1.660 | |
| header | Subject GUARANTEED | SUBJ_GUARANTEED | 2.895 2.407 2.696 2.504 | |
| header | Subject starts with "Hello" | SUB_HELLO | 0.872 2.696 1.514 2.456 | |
| header | Subject includes "life insurance" | SUBJ_LIFE_INSURANCE | 0 1.657 0 0 | |
| header | Subject contains "Now Only" | SUBJ_NOW_ONLY | 0.045 0.577 0 0 | |
| header | Subject contains "Ripped & Strong" | SUBJ_RIPPED | 1 | |
| header | Subject includes "viagra" | SUBJ_VIAGRA | 2.535 2.816 4.095 4.100 | |
| header | Subject contains "Your Bills" or similar | SUBJ_YOUR_DEBT | 2.136 0.700 0.700 0.821 | |
| header | Subject contains "Your Family" | SUBJ_YOUR_FAMILY | 2.840 2.796 2.697 2.700 | |
| header | Subject contains "Your Own" | SUBJ_YOUR_OWN | 0.391 2.052 0.110 2.299 | |
| header | Received contains a (dollar) variable reference | VAR_REF_IN_RECEIVED | 1 | |
| header | Received contains a faked HELO hostname | RCVD_FAKE_HELO_DOTCOM | 2.063 1.354 3.207 1.555 | |
| header | To: username at front of subject | USERNAME_IN_SUBJECT | 2.900 2.800 2.800 2.700 | |
| header | Subject talks about losing pounds | LOSE_POUNDS | 2.899 2.796 2.796 2.618 | |
| header | Header has extraneous Content-type:...type= entry | EXTRA_MPART_TYPE | 1.116 0 0 0 | |
| header | To header contains 'recipient' marker | TO_RECIP_MARKER | 1 | |
| header | Subject talks about savings | SAVINGS | 0 0.395 0 0 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_DASH_DIGIT | 1.182 2.033 0.319 1.702 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_HASHES | 1 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_DIGITS_4 | 1 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_DIGITS_7 | 2.399 2.197 1.643 1.647 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_HEX_24 | 1.462 0 1.934 0 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_MA | 1 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_MANY_HEX | 2.899 2.796 2.800 2.700 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_OPTIN | 2.900 2.800 2.800 2.700 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_MAIL_BOUND | 2.900 2.800 2.800 2.700 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_TEP | 1 | |
| header | Spam tool pattern in MIME boundary (rfkindy) | MIME_BOUND_RKFINDY | 1.951 2.800 2.697 2.700 | |
| header | Missing Date: header | DATE_MISSING | 1.540 0.985 0.869 1.917 | |
| header | Received contains fake 'Post.cz' hostname | POST_IN_RCVD | 1 | |
| header | To: non-existent 'Investors' address | TO_INVESTORS | 1 | |
| header | To: has a malformed address | TO_MALFORMED | 0.345 0.274 0.907 0.640 | |
| header | From azoogle.com, azogle.com, etc. | AZOOGLE | 2.900 0 2.800 0 | |
| header | Subject talks about being approved | SUBJECT_APPROVED | 1.223 2.056 1.004 0.173 | |
| header | Subject has a Time ID | SUBJ_HAS_TIME_ID | 1 | |
| header | From address is webmail, but starts with a number | FROM_NUM_AT_WEBMAIL | 1.106 1.101 4.200 4.100 | |
| header | From webmail service and address ends in numbers | FROM_WEBMAIL_END_NUMS6 | 0.989 2.062 1.709 2.699 | |
| header | From Address contains FREE | ADDR_FREE | 1.506 1.804 2.596 2.599 | |
| header | Message was sent by a Squid HTTP proxy | RECEIVED_IDENT_SQUID | 2.900 0 2.800 2.700 | |
| header | Received contains 'CacheFlowServer' IDENT name | RECEIVED_CACHEFLOW | 2.710 2.800 2.800 2.700 | |
| header | Sent to a text file | TO_TXT | 2.900 2.800 2.800 2.700 | |
| header | Involves 'china.com' | CHINA_HEADER | 2.899 2.796 2.800 2.700 | |
| header | Received line contains spam-sign (lowercase smtp) | WITH_LC_SMTP | 4.300 4.300 2.800 2.700 | |
| header | 'From' has no lower-case characters | FROM_NO_LOWER | 1.599 1.897 1.498 1.999 | |
| header | 'Subject' starts with Buy, Buying | SUBJ_BUY | 0.431 0.885 0.665 0.632 | |
| header | Subject is indicative of a Nigerian spam | NIGERIAN_SUBJECT1 | 0.029 1.877 2.150 2.599 | |
| header | Subject is indicative of a Nigerian spam | NIGERIAN_SUBJECT2 | 2.900 2.800 2.666 2.699 | |
| header | Subject is indicative of a Nigerian spam | NIGERIAN_SUBJECT6 | 1 | |
| header | Message would have been caught by accessdb | ACCESSDB | 1 | |
| header | Header contains forged Yahoo! SMTP server hostname | FORGED_YAHOO_RCVD_SMTP | 2.899 2.800 2.800 2.700 | |
| header | Received headers forged (numeric hostname) | FORGED_RCVD_FROM_NUM | 2.900 2.800 2.800 2.700 | |
| header | Received headers forged (AM/PM) | RCVD_AM_PM | 4.300 4.300 4.100 4.100 | |
| header | Received headers forged (empty HELO) | RATWARE_EMPTY_HELO | 2.900 2.800 2.800 2.700 | |
| header | "To" header contains a filename | TO_FILENAME | 1 | |
| header | Reply-To address with reply and numbers | ID_REPLY_TO_REPLY | 1 | |
| header | Multiple Content-Type headers found | HEADER_COUNT_CTYPE | 0.170 2.021 2.297 1.635 | |
| header | Message-Id header indicates message is spam | MSGID_THREESIXSIX | 0.196 1.298 0 0 | |
| header | Host HELO'd using the wrong IP network | FORGED_RCVD_NET_HELO | 2.725 3.022 4.095 4.099 | |
| header | Host HELO'd as a big ISP, but had no rDNS | NO_RDNS_DOTCOM_HELO | 2.194 2.952 2.865 4.099 | |
| header | Message has X-Originating-Host header | X_ORIG_HOST | 2.900 2.800 2.800 2.700 | |
| header | Bulk email fingerprint (X-Message-Info) found | X_MESSAGE_INFO | 3.600 4.077 7.503 2.253 | |
| header | Spam tool pattern in MIME boundary | MIME_BOUND_DD_DIGITS | 3.600 4.230 8.610 2.784 | |
| header | Spam tool Message-Id: (caps variant) | MSGID_SPAM_CAPS | 3.520 3.069 6.845 1.916 | |
| header | Bulk email fingerprint (Received @) found | RATWARE_RCVD_AT | 2.560 1.116 1.628 1.014 | |
| header | Subject contains a gappy version of 'xanax' | SUBJECT_DRUG_GAP_X | 2.552 2.120 0.647 0.543 | |
| header | Subject contains a gappy version of 'soma' | SUBJECT_DRUG_GAP_S | 1.863 1.180 3.770 0.764 | |
| header | Subject contains a gappy version of 'valium' | SUBJECT_DRUG_GAP_VA | 1.468 1.548 0.780 0.321 | |
| body | HTML included in message | HTML_MESSAGE | 0.160 0.001 0.100 0.100 | |
| body | Message is 0% to 10% HTML | HTML_00_10 | 1 | |
| body | Message is 10% to 20% HTML | HTML_10_20 | 1 | |
| body | Message is 20% to 30% HTML | HTML_20_30 | 0.691 0.474 1.172 0 | |
| body | Message is 30% to 40% HTML | HTML_30_40 | 0.837 0.809 0.919 0 | |
| body | Message is 40% to 50% HTML | HTML_40_50 | 0.870 0.474 0.898 0 | |
| body | Message is 50% to 60% HTML | HTML_50_60 | 0.699 0.183 0.514 0.100 | |
| body | Message is 60% to 70% HTML | HTML_60_70 | 0.359 0.100 0.516 0.113 | |
| body | Message is 70% to 80% HTML | HTML_70_80 | 0.383 0.105 0.305 0.100 | |
| body | Message is 80% to 90% HTML | HTML_80_90 | 0.014 0 0 0 | |
| body | Message is 90% to 100% HTML | HTML_90_100 | 0.308 1.073 0 1.187 | |
| body | HTML has very strong "shouting" markup | HTML_SHOUTING3 | 1 | |
| body | HTML has very strong "shouting" markup | HTML_SHOUTING4 | 0 0.309 0 0 | |
| body | HTML has very strong "shouting" markup | HTML_SHOUTING5 | 0 1.762 0 0 | |
| body | HTML has very strong "shouting" markup | HTML_SHOUTING6 | 1 | |
| body | HTML has very strong "shouting" markup | HTML_SHOUTING7 | 0.514 2.400 1.316 0.045 | |
| body | HTML has very strong "shouting" markup | HTML_SHOUTING8 | 0.066 1.232 0.932 0.442 | |
| body | HTML has very strong "shouting" markup | HTML_SHOUTING9 | 0.500 0.500 0 0 | |
| body | HTML table has thick border | HTML_TABLE_THICK_BORD | 0.580 0.699 0 0 | |
| body | HTML comment contains email address | HTML_COMMENT_EMAIL | 1 | |
| body | HTML comment inside of "shouting" markup | HTML_COMMENT_SHOUTING | 1 | |
| body | HTML comment contains SKY database codes | HTML_COMMENT_SKY | 2.900 2.800 2.800 2.700 | |
| body | HTML comment has 3 consecutive 8-bit chars | HTML_COMMENT_8BITS | 0.121 0.822 0 0 | |
| body | HTML message is a saved web page | HTML_COMMENT_SAVED_URL | 0.404 0.821 0.768 1.039 | |
| body | HTML with embedded plugin object | HTML_EMBEDS | 0 0.280 0 0 | |
| body | HTML contains auto-executing code | HTML_EVENT | 1 | |
| body | HTML contains unsafe auto-executing code | HTML_EVENT_UNSAFE | 0 0.130 0 0 | |
| body | HTML has a big font | HTML_FONT_BIG | 0.271 0.100 0.270 0.267 | |
| body | HTML font color not in safe 6x6x6 palette | HTML_FONTCOLOR_UNSAFE | 0.100 | |
| body | HTML font color has unusual name | HTML_FONTCOLOR_NAME | 1 | |
| body | HTML font color is same as background | HTML_FONT_INVISIBLE | 0.938 0.446 0.957 0.601 | |
| body | HTML font color similar to background | HTML_FONT_LOW_CONTRAST | 1 | |
| body | HTML font color is gray | HTML_FONTCOLOR_GRAY | 1 | |
| body | HTML font color is red | HTML_FONTCOLOR_RED | 0.100 0.100 0.100 0.101 | |
| body | HTML font color is yellow | HTML_FONTCOLOR_YELLOW | 1 | |
| body | HTML font color is green | HTML_FONTCOLOR_GREEN | 0.056 0.103 0.043 0 | |
| body | HTML font color is cyan | HTML_FONTCOLOR_CYAN | 1 | |
| body | HTML font color is blue | HTML_FONTCOLOR_BLUE | 0.100 | |
| body | HTML font color is magenta | HTML_FONTCOLOR_MAGENTA | 1 | |
| body | HTML font color is unknown to us | HTML_FONTCOLOR_UNKNOWN | 0.100 0.100 0.283 0.100 | |
| body | HTML font face is not a word | HTML_FONT_FACE_BAD | 0.063 0.203 0 0 | |
| body | HTML font face is not a commonly used face | HTML_FONT_FACE_ODD | 0.185 0 0 0 | |
| body | HTML font face has excess capital characters | HTML_FONT_FACE_CAPS | 1 | |
| body | HTML includes a form which sends mail | HTML_FORMACTION_MAILTO | 2.900 2.800 1.812 0.966 | |
| body | HTML has 4-5 kilopixels of images | HTML_IMAGE_AREA_04 | 1 | |
| body | HTML has 5-6 kilopixels of images | HTML_IMAGE_AREA_05 | 0.283 1.342 1.122 2.199 | |
| body | HTML has 6-7 kilopixels of images | HTML_IMAGE_AREA_06 | 1 | |
| body | HTML has 7-8 kilopixels of images | HTML_IMAGE_AREA_07 | 1.615 1.681 1.997 1.022 | |
| body | HTML has 8-9 kilopixels of images | HTML_IMAGE_AREA_08 | 1 | |
| body | HTML has over 9 kilopixels of images | HTML_IMAGE_AREA_09 | 1 | |
| body | HTML: images with 0-200 bytes of words | HTML_IMAGE_ONLY_02 | 2.751 2.244 1.472 1.230 | |
| body | HTML: images with 200-400 bytes of words | HTML_IMAGE_ONLY_04 | 1.898 1.527 1.136 1.001 | |
| body | HTML: images with 400-600 bytes of words | HTML_IMAGE_ONLY_06 | 1.531 1.709 0.527 1.439 | |
| body | HTML: images with 600-800 bytes of words | HTML_IMAGE_ONLY_08 | 0.525 0.837 0 0 | |
| body | HTML: images with 800-1000 bytes of words | HTML_IMAGE_ONLY_10 | 0.615 1.138 0.431 0.019 | |
| body | HTML: images with 1000-1200 bytes of words | HTML_IMAGE_ONLY_12 | 0.787 1.012 0.483 0 | |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_02 | 1 | |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_04 | 0.821 0.892 0.667 1.050 | |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_06 | 0.935 0.317 0.649 0 | |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_08 | 0.605 0.408 0.413 0.359 | |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_10 | 0.535 0.488 0.619 0.315 | |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_12 | 0.324 0 0 0 | |
| body | HTML has a low ratio of text to image area | HTML_IMAGE_RATIO_14 | 0 0.276 0 0 | |
| body | JavaScript code | HTML_JAVASCRIPT | 1 | |
| body | HTML link text says "push here" or similar | HTML_LINK_PUSH_HERE | 1.147 0.500 1.000 1.001 | |
| body | HTML link text says "click here" | HTML_LINK_CLICK_HERE | 0.100 | |
| body | HTML link text says "CLICK" | HTML_LINK_CLICK_CAPS | 0.501 0.501 0.500 0.500 | |
| body | Frame wanted to load outside URL | HTML_RELAYING_FRAME | 0.877 0.303 0.485 1.732 | |
| body | Image tag intended to identify you | HTML_WEB_BUGS | 1.116 0.587 0.279 0.336 | |
| body | Javascript to move windows around | HTML_WIN_BLUR | 0.064 0 0 0.951 | |
| body | Javascript to change window focus | HTML_WIN_FOCUS | 1 | |
| body | Javascript to open a new window | HTML_WIN_OPEN | 1 | |
| body | HTML mail with non-white background | HTML_WITH_BGCOLOR | 1 | |
| body | HTML has excess "a" close tags | HTML_TAG_BALANCE_A | 0.066 0.079 0 0.196 | |
| body | HTML has excess "font" close tags | HTML_TAG_BALANCE_FONT | 1 | |
| body | HTML has unbalanced "html" tags | HTML_TAG_BALANCE_HTML | 0.671 0.411 0.099 0 | |
| body | HTML has unbalanced "body" tags | HTML_TAG_BALANCE_BODY | 0.353 0.257 0.233 0 | |
| body | HTML has unbalanced "head" tags | HTML_TAG_BALANCE_HEAD | 1 | |
| body | HTML is missing "table" close tags | HTML_TAG_BALANCE_TABLE | 0.667 0.196 0.154 0 | |
| body | HTML has "base" tags | HTML_TAG_EXISTS_BASE | 1 | |
| body | HTML has "param" tag | HTML_TAG_EXISTS_PARAM | 1 | |
| body | HTML has "tbody" tag | HTML_TAG_EXISTS_TBODY | 0.132 0.100 0.047 0 | |
| body | HTML title contains no text | HTML_TITLE_EMPTY | 0.449 0.544 0.200 0.119 | |
| body | HTML title contains "Untitled" | HTML_TITLE_UNTITLED | 0.501 0.699 0.360 0.430 | |
| rawbody | Form for changing email address | SPAM_FORM | 1 | |
| rawbody | Form for checking email address | SPAM_FORM_RETURN | 1 | |
| rawbody | Obfuscated action attribute in HTML form | SPAM_FORM_ACTION | 1 | |
| rawbody | Javascript to hide URLs in browser | HIDE_WIN_STATUS | 0.157 0 0.846 2.173 | |
| rawbody | Contains link without http:// prefix | LINK_TO_NO_SCHEME | 0.452 0.755 0.176 1.597 | |
| body | List removal information | REMOVE_SUBJ | 0.343 0.054 0 0.355 | |
| body | List removal information | SUBJ_REMOVE | 1 | |
| body | List removal information | REPLY_REMOVE_SUBJECT | 0.412 0.757 1.432 2.097 | |
| body | List removal information | DISCONTINUE | 1 | |
| body | To be removed from list | REMOVE_FROM_LIST | 0.166 0 0 0 | |
| body | List removal information | REMOVE_REMOVAL_1WORD | 1.101 1.100 0.500 1.891 | |
| body | List removal information | REMOVE_REMOVAL_2WORD | 0.500 0.500 0.500 1.947 | |
| body | Send real mail to be unsubscribed | REMOVE_POSTAL | 2.900 2.800 2.696 2.700 | |
| body | Asks you to click below (in capital letters) | CLICK_BELOW_CAPS | 0.173 0.566 0.500 0.500 | |
| body | Click to be removed | CLICK_TO_REMOVE_1 | 1.101 1.101 1.000 1.001 | |
| body | Claims compliance with spam regulations | SENT_IN_COMPLIANCE | 0.700 2.800 2.800 2.700 | |
| body | Claims compliance with Senate Bill 1618 | BILL_1618 | 0.248 0.319 2.696 2.699 | |
| body | Claims compliance with Senate Bill 1618 | S_1618 | 1 | |
| body | Claims compliance with Senate Bill 1618 | UNDER_BILL_1618 | 0 0.253 0 0 | |
| body | Claims compliance with spam regulations | SECTION_301 | 0 0.454 0 0 | |
| body | Claims compliance with House Bill 4176 | HR_4176 | 2.900 0 0 0 | |
| body | Claims compliance with spam regulations | FURTHER_TRANSMISSIONS | 0 2.800 0 0 | |
| body | Contains word 'guarantee' in all-caps | GUARANTEE | 2.155 2.146 1.703 2.257 | |
| body | Doesn't ask any questions | NO_QS_ASKED | 2.271 2.005 1.018 2.600 | |
| body | Offers a full refund | FULL_REFUND | 1 | |
| body | No such thing as a free lunch (1) | FOR_FREE | 0.927 0.694 0.781 0.592 | |
| body | No such thing as a free lunch (2) | COMPLETELY_FREE | 0.500 0.736 0.500 0.500 | |
| body | No such thing as a free lunch (3) | NO_COST | 0.692 1.001 0.741 1.671 | |
| body | One hundred percent guaranteed | GUARANTEED_100_PERCENT | 1.101 1.101 1.001 1.000 | |
| body | Discusses money making | MONEY_MAKING | 2.799 2.294 0 2.399 | |
| body | Talks about bulk email | BULK_EMAIL | 1 | |
| body | Dear Friend? That's not very dear! | DEAR_FRIEND | 1.888 1.065 2.397 1.846 | |
| body | Contains 'Dear (something)' | DEAR_SOMETHING | 1.611 1.157 2.164 2.299 | |
| body | Urges you to call now | CALL_NOW | 1 | |
| body | Contains a tollfree number | CALL_FREE | 1 | |
| body | Wants you to do business online | ONLINE_BIZ_OPS | 1 | |
| body | Talks about lots of money | BILLION_DOLLARS | 1 | |
| body | Talks about opting in (lowercase version) | OPT_IN | 0.018 0 0 0.228 | |
| body | Talks about opting in (capitalized version) | OPT_IN_CAPS | 0.814 0.295 0.602 2.570 | |
| body | Talks about opting out (lowercase version) | OPT_OUT | 1 | |
| body | Talks about opting out (capitalized version) | OPT_OUT_CAPS | 0 0.792 0 0 | |
| body | Talks about direct email | DIRECT_EMAIL | 1 | |
| body | Talks about mass email | MASS_EMAIL | 1 | |
| body | Talks about email marketing | EMAIL_MARKETING | 1 | |
| body | Tells you it's an ad | PRODUCED_AND_SENT_OUT | 1 | |
| body | Instructions on how to increase something | INCREASE_SOMETHING | 1 | |
| body | "another mailing" will "never" be "received" | NEVER_ANOTHER | 2.900 2.800 2.800 2.700 | |
| body | one time mailing doesn't mean it isn't spam | ONE_TIME_MAILING | 2.388 2.296 1.911 2.599 | |
| body | Get a million email addresses | MILLION_EMAIL | 2.499 1.646 2.197 1.999 | |
| body | Addresses on CD are only useful for spam | ADDRESSES_ON_CD | 1 | |
| body | Gives a lame excuse about why spam was sent | EXCUSE_1 | 0.417 0 0 0 | |
| body | Claims you actually asked for this spam | EXCUSE_2 | 1 | |
| body | Claims you can be removed from the list | EXCUSE_3 | 0.100 0.100 0 0 | |
| body | Claims you can be removed from the list | EXCUSE_4 | 2.899 2.216 2.596 2.499 | |
| body | Claims you can be removed from the list | EXCUSE_6 | 0.791 1.616 1.950 0.244 | |
| body | Claims you can be removed from the list | EXCUSE_7 | 1 | |
| body | "if you do not wish to receive any more" | EXCUSE_10 | 0.149 0.136 0 0 | |
| body | Claims you were on a list | EXCUSE_11 | 1.072 0.146 1.334 0 | |
| body | Nobody's perfect | EXCUSE_12 | 2.423 2.120 0.462 2.167 | |
| body | Gives an excuse for why message was sent | EXCUSE_13 | 0.853 1.639 0 0.580 | |
| body | Tells you how to stop further spam | EXCUSE_14 | 0.320 0.153 0 0.084 | |
| body | Claims to be legitimate email | EXCUSE_15 | 0 0.708 0 0 | |
| body | I wonder how many emails they sent in error | EXCUSE_16 | 0.061 0.171 0 0 | |
| body | Claims not to be spam | EXCUSE_18 | 0.430 0.280 0 0 | |
| body | Claims you opted-in or registered | EXCUSE_19 | 0.727 0.500 0.613 0.500 | |
| body | Claims you registered at their site | EXCUSE_20 | 2.900 0 0 0 | |
| body | Claims address was obtained legitimately | EXCUSE_21 | 1.940 2.800 0.110 2.700 | |
| body | You're receiving this offer for a reason | EXCUSE_22 | 2.900 2.800 2.800 2.700 | |
| body | Claims you have provided permission | EXCUSE_23 | 2.900 2.800 2.800 2.700 | |
| body | Claims you wanted this ad | EXCUSE_24 | 0.700 1.395 2.796 2.700 | |
| body | Talks about how to be removed from mailings | EXCUSE_REMOVE | 0.879 0.501 0.903 1.000 | |
| body | Plugs Viagra | VIAGRA | 1.536 1.890 0.500 4.099 | |
| body | Plugs "Natural Viagra" | NATURAL_VIAGRA | 2.900 2.800 0 2.700 | |
| body | Plugs "Herbal Viagra" | HERBAL_VIAGRA | 1 | |
| body | Targeted Traffic / Email Addresses | TARGETED | 1.686 1.271 0 2.499 | |
| body | Offers a limited time offer | LIMITED_TIME_ONLY | 0.478 0.020 0 0.246 | |
| body | Tells you about a strong buy | STRONG_BUY | 2.799 0 2.800 2.700 | |
| body | Claims to honor removal requests | WE_HONOR_ALL | 1.101 4.300 4.100 4.065 | |
| body | Sent using a trial version of CommuniGate | COMMUNIGATE | 2.300 1.465 1.554 2.399 | |
| body | Gives information about an opportunity | OPPORTUNITY | 0.904 1.598 0 2.055 | |
| body | Offers "pure" profit | PURE_PROFIT | 1 | |
| body | Offers a picked stock | STOCK_PICK | 0 1.248 0 0 | |
| body | Offers a alert about a stock | STOCK_ALERT | 2.172 2.399 0 1.727 | |
| body | SEC-mandated penny-stock warning | MICRO_CAP_WARNING | 1 | |
| body | Not registered investment advisor | NOT_ADVISOR | 2.900 2.800 2.800 2.700 | |
| body | Offers a consultation for nothing | FREE_CONSULTATION | 1.566 1.170 0 0.711 | |
| body | Describes some sort of breakthrough | SOME_BREAKTHROUGH | 0 0.599 0 0 | |
| body | They have selected you for something | SELECTED_YOU | 0.764 2.059 0 1.381 | |
| body | Asks for credit card details | WANTS_CREDIT_CARD | 2.489 2.275 1.728 1.887 | |
| body | Asks for a billing address | ASKS_BILLING_ADDRESS | 1 | |
| body | Asks you for your signature on a form | PRINT_FORM_SIGNATURE | 1.263 0.125 0.039 1.617 | |
| body | Contains mail-in order form | MAIL_IN_ORDER_FORM | 2.075 2.800 0 2.700 | |
| body | offers "instant access" | INSTANT_ACCESS | 1 | |
| body | University Diplomas | UNIVERSITY_DIPLOMAS | 1 | |
| body | 'Prestigious Non-Accredited Universities' | PREST_NON_ACCREDITED | 0.898 1.367 0 1.103 | |
| body | Possible registry spammer | NEW_DOMAIN_EXTENSIONS | 2.199 1.999 1.552 2.199 | |
| body | Domain registration spam body | DOMAIN_BODY | 1.479 1.797 1.052 2.199 | |
| body | Gives instructions for removal from list | REMOVAL_INSTRUCTIONS | 0.870 0.692 0.959 2.599 | |
| body | Claims "cannot be considered spam" | CANNOT_BE_SPAM | 0.377 0.019 0.701 1.837 | |
| body | Claims "This is not spam" |