SpamC rules: what they mean

MailCleaner Support
Added almost 5 years ago

If an email was caught by SpamC, you may want to know what a rule name means. This document lists the rules our users ask about most often; it is not, and does not aim to be, a complete list of the rules we use.

Here is how to handle SpamC rules in MailCleaner:

https://support.mailcleaner.net/boards/3/topics/51-how-to-create-custom-spamc-rules

SpamC rules are stored in two folders.
We selected a lot of various third-party rules/plugins for SpamC, which are in

/var/lib/spamassassin/3.004000/updates_spamassassin_org/

(those rules can in fact be modified/adapted by our teams)

We provide our own rules/plugins in

/usr/mailcleaner/share/spamassassin

So the best way to find a specific rule is

grep -R --color RULE_NAME /var/lib/spamassassin/3.004000/* /usr/mailcleaner/share/*


RCVD_IN_****
A server which relayed the message is listed in an RBL (Relay BlackList).

RCVD_IN_SORBS_SPAM
SORBS is an RBL we provide for administrators who want aggressive filtering. You can uncheck it in SpamC if you see it present in several false positive reports. (This recommendation is only true for the SORBS RBL.)

HTTPS_HTTP_MISMATCH
This rule is triggered when a link presents its text as an HTTPS link while the real target is HTTP (not HTTPS). For example:

<a href="http://spammersite.com/virus">https://www.email-service.com/login</a>

URI_OBFU_WWW
A link contained in the mail is obfuscated.

BOTNET_BADDNS
A rule related to the DNS configuration of a server. This is a meta rule including many different elements.

SUBJ_ALL_CAPS
The mail subject is entirely in capitals.

RDNS_DYNAMIC
The full circle DNS name used by the sending server is dynamic.

RDNS_NONE
MailCleaner checks that the sending server is using a "Full Circle DNS" name (this can be checked here: http://multirbl.valli.org/fcrdns-test/ ).

BOTNET_CLIENT
This rule adds points when several BOTNET rules have been met.

MC_URI_EASYMONEY_LVL4
MailCleaner's rule: the message contains a sentence like "claim your free copy" or "Check secret story". This rule detects sentences built with the pattern "one of the words (claim, see, check) + your + one of the words (free, full, secret) + one of the words (copy, story)".

DYN_RDNS_AND_INLINE_IMAGE
The mail contains an image attachment, and the message was received by the last trusted relay from an IP address with a reverse DNS name that suggests it is dynamically allocated.

DC_IMAGE_SPAM_HTML
The mail has at least one large image attachment and a comparatively small amount of text.

DKIM_VALID_AU
Message has a valid DKIM or DK signature from the author's domain.

GENERIC_IXHASH
A fingerprint of the mail is computed and checked against fingerprints of known spam. This is a network-based test.

BOTNET_IPINHOSTNAME
The hostname contains a part of its own IP address.

BOTNET_CLIENTWORDS
The sending server's hostname contains strings suggesting the mail was sent by an email client instead of a real mail server.

HTML_FONT_FACE_BAD BODY
The mail contains a nonexistent font face definition.

MPART_ALT_DIFF
The mail contains alternative parts which are supposed to be identical, so that the same text is displayed in text or HTML mode. Here the two parts are different, which is most of the time a spam technique.
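An added example of that comparison in Python (not MailCleaner's or SpamAssassin's implementation): take the text/plain and text/html parts of a multipart/alternative message, strip the HTML tags, and compare the two word sets. The 0.5 overlap threshold and the two sample messages are constructed for this example.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser


class TextExtractor(HTMLParser):
    """Collect the visible text of an HTML part, dropping the tags."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def words(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def mpart_alt_diff(msg, threshold=0.5):
    """MPART_ALT_DIFF-style check: True when the text/plain and text/html parts
    of a multipart/alternative message share less than `threshold` of their
    vocabulary (the threshold is an assumption of this example)."""
    if msg.get_content_type() != "multipart/alternative":
        return False
    plain = html = None
    for part in msg.iter_parts():
        if part.get_content_type() == "text/plain":
            plain = part.get_content()
        elif part.get_content_type() == "text/html":
            extractor = TextExtractor()
            extractor.feed(part.get_content())
            html = " ".join(extractor.chunks)
    if plain is None or html is None:
        return False
    a, b = words(plain), words(html)
    overlap = len(a & b) / len(a | b) if (a | b) else 1.0
    return overlap < threshold


def build_alt_message(plain_text, html_text):
    """Constructed multipart/alternative message for the example."""
    msg = EmailMessage()
    msg.set_content(plain_text)
    msg.add_alternative(html_text, subtype="html")
    return msg


# Constructed samples: matching parts (ham) and mismatching parts (the spam technique).
HAM = build_alt_message("Your invoice 123 is attached. Thanks!",
                        "<p>Your invoice 123 is attached. Thanks!</p>")
SPAM = build_alt_message("Meeting notes from Monday, see you tomorrow.",
                         "<p>Cheap meds! <a href='http://x.example'>Buy now</a></p>")
```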

DC_IMAGE_SPAM_TEXT
Possible Image-only spam with little text

DC_PNG_MULTI_LARGO 0.7
Message has 2+ inline PNGs covering a lot of area.

HTML_IMAGE_RATIO_04 0.6
This may indicate a message using an image instead of words in order to sidestep text-based filtering.

DC_IMG_HTML_RATIO 0.3
Low body to pixel area ratio

DC_IMG_TEXT_RATIO
Low body to pixel area ratio

MC_CONTAINS_ZERO1 MC_CONTAINS_ZERO2 MC_CONTAINS_ZERO3 MC_CONTAINS_ZERO4 MC_CONTAINS_ZERO5
These rules detect the use of specific invisible characters, usually used to prevent an antispam system from correctly identifying a word. Spammers use those characters to circumvent some rule detections; for example, using this character in the word viagra would let it be displayed normally but would prevent it from being detected (as it would be written "via​gra" and not "viagra").
More information at: https://en.wikipedia.org/wiki/Zero-width_space
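An added Python example (not MailCleaner's own rule code) covering both the MC_CONTAINS_ZERO* rules above and the MC_URI_EASYMONEY_LVL4 phrase pattern described earlier: it reports which invisible code points a body contains, strips them, and shows that the "claim your free copy" pattern only matches once the zero-width characters are gone. The list of zero-width code points beyond U+200B, the regex reconstruction of the EASYMONEY pattern, and the sample body are assumptions of this example.

```python
import re
import unicodedata

# Invisible code points checked by this example; the page itself only names the zero-width space.
ZERO_WIDTH = {
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
}

# Assumed reconstruction of the MC_URI_EASYMONEY_LVL4 pattern described on the page:
# (claim|see|check) + your + (free|full|secret) + (copy|story).
EASYMONEY_RE = re.compile(
    r"\b(?:claim|see|check)\s+your\s+(?:free|full|secret)\s+(?:copy|story)\b",
    re.IGNORECASE,
)


def contains_zero(text):
    """MC_CONTAINS_ZERO-style check: names of the invisible code points found in the text."""
    return sorted({unicodedata.name(ch) for ch in text if ch in ZERO_WIDTH})


def strip_zero_width(text):
    """Remove the invisible characters so that word-level rules see the real word."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def easymoney_hits(body):
    """MC_URI_EASYMONEY_LVL4-style check, run on the de-obfuscated body."""
    return [m.group(0) for m in EASYMONEY_RE.finditer(strip_zero_width(body))]


# Constructed sample body: "viagra" and "claim your free copy" both split with a
# ZERO WIDTH SPACE, the evasion the page describes.
SAMPLE_BODY = "Buy via\u200bgra today and cl\u200baim your free copy of the secret story!"

if __name__ == "__main__":
    print(contains_zero(SAMPLE_BODY))
    print(EASYMONEY_RE.findall(SAMPLE_BODY))  # the plain regex misses the split phrase
    print(easymoney_hits(SAMPLE_BODY))        # found once the invisible characters are stripped
```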

T_FILL_THIS_FORM_SHORT
This rule detects mails including a short form asking for personal information.

SARE_ADLTSUB10
The mail subject contains a (maybe obfuscated) string based on the word "rape". Since this may involve obfuscation techniques, it is sometimes hard to find out what triggered SpamC.

MC_ESCURL
Detects bad characters in a URL of the message.

MC_FREEMAIL_BODY
Detects the use of a "freemail" address in the body of a message. Freemail addresses are mail addresses where one can easily register without giving real information about oneself (for example: gmail.com, yahoo.com, hotmail.com ...). Spam often contains such addresses in the body and asks the recipient of the message to reply to this email address.

DEAR_SOMETHING
This detects subjects / mail bodies beginning like "Dear Mister". This is rarely used in ham and corresponds to specific spam waves.

DKIM_ADSP_ALL
The sender's domain says that it uses DKIM on all email, but no valid signature was found. That suggests that the message might not have originated with the purported sender.

DKIM_SIGNED
Message has a DKIM or DK signature, not necessarily valid.

SINGLE_HEADER_1K
SINGLE_HEADER_2K
SINGLE_HEADER_3K
SINGLE_HEADER_4K
SINGLE_HEADER_5K
Headers contain between xK and (x+1)K characters in total.

MIME_HEADER_CTYPE_ONLY
The mail is malformed: the specified Content-Type for the mail is something other than "text/plain", so the headers should have conformed to the MIME specification. This suggests that the message was generated by a badly-written mailout program rather than by a normal email client.

SUBJ_ILLEGAL_CHARS
The Subject header contains 8-bit and other illegal characters that should be MIME encoded, as described in RFC 2045.

KHOP_BIG_TO_CC
Mail was sent to a large number of people (To and Cc).

TVD_SPACE_RATIO_MINFP
This is about the ratio of spaces to non-spaces in each paragraph. Apparently, messages with a lot of spaces are generally spam.

PHP_ORIG_SCRIPT
Identifies that the email came from a PHP script.

SUBJECT_NEEDS_ENCODING
The Subject: header line contains characters outside of the US-ASCII range that have not been encoded with Base64 or Quoted-Printable encoding. This violates the RFC standards for mail headers. Properly behaved MUAs would be expected not to do this.

MISSING_DATE
The date header is missing.

FUZZY_XPILL
The message contains the name of a pharmaceutical product written in an obfuscated way.

MISSING_MID
The mail does not contain a Message-ID header.

AXB_X_FF_SEZ_S
This rule applies when there is an X-Forefront-Antispam-Report header in a mail. For more information on why this header was added, see https://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx

PYZOR_CHECK
Pyzor is a hash-sharing system; that is to say, it detects mails whose signature is close to that of known spam.

MC_ADULT_SUBJ_SEX
The subject contains a word starting with "sex".

MC_ADULT_BDY_SEX
The body contains a word starting with "sex".

FR_3TAG_3TAG
An HTML tag of 3 characters is opened and closed right after.

DCC_CHECK
The DCC, or Distributed Checksum Clearinghouse, is a system of servers collecting and counting checksums of millions of mail messages. The counts can be used by SpamAssassin to detect and reject or filter spam.
Because simplistic checksums of spam can be easily defeated, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves.

MC_MESSAGESNIFFER
This rule gives a score when the message was identified as spam by our partner MessageSniffer.

MC_MAILTO_WITH_SUBJ_ORDER
Contains a link to send an email with the Subject order/commande/bestellung.

T_DKIM_INVALID
The mail is DKIM signed but the DKIM signature is invalid.

URI_HEX
A URI is composed of a long hexadecimal sequence.

DKIM_SIGNED
Gives minor points to DKIM-signed messages; if the DKIM signature is valid, those points are withdrawn to go back to 0.

MC_KREDIT
The term "kredit" or "credit" is present in the body of the mail.

RCVD_IN_BRBL_LASTEXT
The last external IP in the Received headers is listed in the Barracuda RBL bb.barracudacentral.org.

MC_ADULT_BDY_COQUIN_EN
Looks in the body of the mail for a word in the list: horny horniest naughty naughtiest sluty slutiest