Analyze SpamAssassin reports and get a breakdown of sender spam scores.
Note: Administrator notices (e.g., blocked DNS queries) typically have 0.0 scores and indicate configuration issues rather than spam characteristics.
| Score | Rule Name | Category | Description |
|---|---|---|---|
| +1000.0 | GTUBE | Test | Generic Test for Unsolicited Bulk Email |
| +4.4 | KB_RATWARE_OUTLOOK_MID | Forgery | Ratware Message-ID pretending to be Outlook |
| +4.3 | HELO_DYNAMIC_HCC | Network | HELO contains dynamic IP pattern |
| +4.3 | HK_NAME_DRUGS | Content | Pharmaceutical spam keywords in sender name |
| +4.1 | BITCOIN_EXTORT_01 | Scam | Bitcoin extortion/sextortion attempt |
| +4.1 | KB_RATWARE_MSGID | Forgery | Ratware-style Message-ID detected |
| +4.0 | URI_PHISH | Phishing | URI found in phishing database |
| +4.0 | FORGED_MUA_OUTLOOK | Forgery | Forged Outlook mail user agent |
| +3.9 | FSL_INTERIA_ABUSE | Network | Sent from known abuse source |
| +3.9 | MSGID_OUTLOOK_INVALID | Forgery | Invalid Outlook Message-ID format |
| +3.8 | KB_DATE_CONTAINS_TAB | Header | Date header contains tab character |
| +3.8 | FILL_THIS_FORM_LONG | Phishing | Contains form-filling phishing text |
| +3.8 | DOS_BODY_HIGH_NO_MID | Header | High body score with no Message-ID |
| +3.8 | HTML_SHORT_CENTER | HTML | Short HTML message with centered text |
| +3.5 | PHISH_AZURE_CLOUDAPP | Phishing | Link to Azure cloudapp phishing site |
| +3.5 | BITCOIN_MALF_HTML | Scam | Bitcoin malware/scam in HTML content |
| +3.5 | ADVANCE_FEE_3_NEW | Scam | Advance fee fraud (419 scam) patterns |
| +3.5 | FSL_HAS_TINYURL | URI | Contains TinyURL shortened link |
| +3.5 | HTML_TEXT_INVISIBLE_STYLE | HTML | Invisible text using CSS styling |
| +3.5 | URI_WP_DIRINDEX | URI | WordPress directory index exploit |
| +3.5 | PDS_FROM_2_EMAILS | Header | From header contains two email addresses |
| +3.5 | REPLICA_WATCH | Content | Replica watch spam keywords |
| +3.4 | SCC_CANSPAM_2 | Legal | Missing CAN-SPAM compliance elements |
| +3.4 | FROM_MISSP_FREEMAIL | Forgery | Misspelled freemail provider in From |
| +3.4 | TO_EQ_FM_HTML_ONLY | Header | To equals From, HTML only message |
| +3.2 | FROM_MISSP_PHISH | Phishing | Misspelled domain in From (phishing) |
| +3.1 | MALE_ENHANCE | Content | Male enhancement spam keywords |
| +3.1 | UNDISC_MONEY | Scam | Undisclosed money transfer scam |
| +3.1 | DEAR_WINNER | Scam | Lottery/prize winner scam |
| +3.1 | FROM_UNBAL2 | Header | Unbalanced quotes in From header |
| +3.1 | UNDISC_FREEM | Header | Undisclosed recipients from freemail |
| +3.0 | FORGED_MUA_THEBAT_BOUN | Forgery | Forged The Bat! mailer bounce |
| +3.0 | IMG_DIRECT_TO_MX | URI | Image links directly to mail server |
| +3.0 | LONG_INVISIBLE_TEXT | HTML | Long sections of invisible text |
| +3.0 | ACCT_PHISHING_MANY | Phishing | Multiple account phishing indicators |
| +3.0 | URI_EXCESS_SLASHES | URI | Excessive slashes in URI (obfuscation) |
| +3.0 | URI_FIREBASEAPP | Phishing | Firebase app link (often phishing) |
| +3.0 | GOOG_STO_EMAIL_PHISH | Phishing | Google storage email phishing |
| +3.0 | HTML_ENTITY_ASCII | HTML | HTML entities for ASCII obfuscation |
| +3.1 | MONEY_FORM | Scam | Money transfer form scam |
| +2.9 | DOS_OE_TO_MX_IMAGE | Network | Outlook Express to MX with image |
| +2.9 | X_MAILER_CME_6543_MSN | Forgery | Forged MSN mailer header |
| +2.5 | MISSING_MID | Header | Missing Message-ID header |
| +2.3 | TVD_PH_1 | Phishing | Phishing pattern detected |
| +2.3 | FUZZY_CREDIT | Content | Fuzzy match on credit card terms |
| +2.2 | SUBJ_ALL_CAPS | Header | Subject is all capital letters |
| +2.1 | FROM_EXCESS_BASE64 | Header | Excessive Base64 in From header |
| +2.1 | FUZZY_AMBIEN | Content | Fuzzy match on pharmaceutical terms |
| +2.0 | RCVD_IN_BL_SPAMCOP_NET | Network | Listed in SpamCop blocklist |
| +2.0 | RCVD_IN_XBL | Network | Listed in Spamhaus XBL |
| +1.8 | HTML_MESSAGE | Format | HTML message (no plain text) |
| +1.7 | MISSING_HEADERS | Header | Missing essential headers |
| +1.6 | FORGED_OUTLOOK_HTML | Forgery | Outlook HTML signature forged |
| +1.5 | MIME_HTML_ONLY | Format | MIME HTML only, no text part |
| +1.5 | RCVD_IN_SBL | Network | Listed in Spamhaus SBL |
| +1.3 | RCVD_IN_PBL | Network | Listed in Spamhaus PBL |
| +1.2 | SPF_FAIL | Auth | SPF check failed |
| +1.0 | DKIM_INVALID | Auth | DKIM signature invalid |
| +1.0 | RDNS_NONE | Network | No reverse DNS for sending IP |
| +1.0 | URIBL_BLACK | URI | URI in Spamhaus URIBL blacklist |
| +0.8 | BAYES_50 | Bayes | Bayesian spam probability 40-60% |
| +0.5 | HTML_FONT_LOW_CONTRAST | HTML | Low contrast font colors |
| +0.1 | DKIM_SIGNED | Auth | DKIM signature present (not validated) |
| +0.1 | SPF_HELO_NONE | Auth | No SPF record for HELO domain |
| -1.9 | BAYES_00 | Bayes | Bayesian spam probability 0-1% |
| -0.5 | BAYES_05 | Bayes | Bayesian spam probability 1-5% |
| -0.1 | DKIM_VALID | Auth | Valid DKIM signature |
| -0.1 | DKIM_VALID_AU | Auth | DKIM valid, author domain match |
| -0.1 | DKIM_VALID_EF | Auth | DKIM valid, envelope from match |
| -0.1 | SPF_PASS | Auth | SPF check passed |
| -1.0 | ALL_TRUSTED | Network | All relays are trusted |
| +0.0 | RCVD_IN_DNSWL_NONE | Network | Listed in DNSWL, no trust level |
| -0.7 | RCVD_IN_DNSWL_LOW | Network | Listed in DNSWL, low trust |
| -2.3 | RCVD_IN_DNSWL_MED | Network | Listed in DNSWL, medium trust |
| -5.0 | RCVD_IN_DNSWL_HI | Network | Listed in DNSWL, high trust |
| -0.5 | RCVD_IN_MSPIKE_H2 | Network | Cloudmark Sender Intelligence good |
| -1.0 | RCVD_IN_MSPIKE_H3 | Network | Cloudmark excellent reputation |
| -2.0 | RCVD_IN_MSPIKE_H4 | Network | Cloudmark outstanding reputation |
| -100.0 | USER_IN_WELCOMELIST | Whitelist | Sender in user's welcomelist |
| -50.0 | USER_IN_DEF_WELCOMELIST | Whitelist | Sender in default welcomelist |