Meaning of SpamC rules
Added 2 months ago
If an email was caught by SpamC, you may want to know what a rule name means. This document lists the rules our users ask about most often; it is not, and does not aim to be, a complete list of the rules we use.
Here is how to handle SpamC rules in MailCleaner:
SORBS is an RBL we provide for administrators who want aggressive filtering. You can uncheck it in SpamC if you see it in several false-positive reports.
is a rule relating to the DNS configuration of a server. This is a meta rule that includes many different elements
The mail subject is entirely in caps
The full circle name used by the sending server is dynamic
MailCleaner checks that the sending server is using a "Full Circle DNS" name (this can be checked here: http://multirbl.valli.org/fcrdns-test/)
This rule adds points when several BOTNET rules have been met
MailCleaner's rule: the message contains a sentence like "claim your free copy" or "Check secret story". This rule detects sentences matching the pattern "one of the words (claim, see, check) + your + one of the words (free, full, secret) + one of the words (copy, story)"
The mail contains an image attachment, and the message was received by the last trusted relay from an IP address with a reverse DNS name that suggests it is dynamically allocated.
The mail has at least one large image attachment and a comparatively small amount of text.
Message has a valid DKIM or DK signature from author's domain
Hostname contains a subpart of its own IP address
The sending server's hostname contains strings suggesting that the mail was sent by an email client rather than a real mail server
The mail contains alternative parts which are supposed to be identical so that the same text is displayed in text or HTML mode. Here the two parts are different; this is most often a spam technique
Possible Image-only spam with little text
Message contains an invisible character usually used to prevent the antispam from correctly identifying a word
Message has 2+ inline png covering lots of area
This may indicate a message using an image instead of words in order to sidestep text-based filtering
Low body to pixel area ratio
Low body to pixel area ratio
is a rule which detects the use of a specific character. This character is not displayed in the message; spammers use it to circumvent some rule detections. For example, viagra would be detected, but inserting this character in the word viagra lets it display normally while preventing its detection (as it would be written "viagra" and not "viagra")
The mail subject contains a (possibly obfuscated) string based on the word "rape". Since this may involve obfuscation techniques, it is sometimes hard to find out what misled SpamC
This detects subjects or mails beginning with something like "Dear Mister". This is rarely used in ham and corresponds to specific spam waves
The sender's domain says that it uses DKIM on all email, but no valid signature was found. That suggests that the message might not have originated with the purported sender.
Message has a DKIM or DK signature, not necessarily valid
Headers contain between xK and (x+1)K characters total
The mail is malformed: the specified Content-type for the mail is something other than "text/plain", so the headers should have conformed to the MIME specification. This suggests that the message was generated by a badly-written mailout program rather than by a normal email client.
The Subject header contains 8-bit and other illegal characters that should be MIME encoded, as described in RFC 2045
This is about the ratio of spaces to non-spaces in each paragraph. Apparently, messages containing lots of spaces are generally spam.
Identifies that the email came from a PHP script
The Subject: header line contains characters outside of the US-ASCII range that have not been encoded with Base64 or Quoted-Printable encoding. This violates the RFC standards for mail headers. Properly behaved MUAs would be expected not to do this
The date header is missing.
The message contains the name of a pharmaceutical product written in an obfuscated way
The mail doesn't contain a Message-ID header
This rule applies when a mail contains an X-Forefront-Antispam-Report header. For more information on why this header was added, see https://technet.microsoft.com/en-us/library/dn205071(v=exchg.150).aspx
Pyzor is a hash-sharing system; that is, it detects mails whose signature is close to that of known spam.
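The invisible-character rule described earlier on this page can be illustrated with a short check. This is an added example, not MailCleaner's or SpamC's own rule code; the keyword list, function names and sample subjects are constructed for illustration:

```python
import unicodedata

KEYWORDS = ("viagra",)  # constructed stand-in for a filter's word list

def is_invisible(ch):
    # Unicode category "Cf" (format) covers zero-width space, zero-width
    # joiner/non-joiner, soft hyphen, word joiner and BOM: none of them render.
    return unicodedata.category(ch) == "Cf"

def strip_invisible(text):
    return "".join(c for c in text if not is_invisible(c))

def find_hidden_chars(text):
    """Return (offset, 'U+XXXX') for invisible characters inside a word."""
    hits = []
    for i, ch in enumerate(text):
        if not is_invisible(ch):
            continue
        # Look past runs of invisible characters to the nearest visible ones.
        before = next((c for c in reversed(text[:i]) if not is_invisible(c)), " ")
        after = next((c for c in text[i + 1:] if not is_invisible(c)), " ")
        if before.isalnum() and after.isalnum():
            hits.append((i, f"U+{ord(ch):04X}"))
    return hits

def scan(subject):
    """Compare keyword matching on the raw text and on the normalized text."""
    raw = [k for k in KEYWORDS if k in subject.lower()]
    clean = [k for k in KEYWORDS if k in strip_invisible(subject).lower()]
    hidden = find_hidden_chars(subject)
    # Flag only when the hidden characters actually hid a keyword: ZWNJ/ZWJ
    # are legitimate in Persian text and emoji sequences.
    return {"raw_hits": raw, "normalized_hits": clean, "hidden": hidden,
            "obfuscated": bool(hidden) and clean != raw}

if __name__ == "__main__":
    samples = [  # constructed subjects
        "Cheap vi\u200bagra today",
        "Buy viagra",
        "Meeting notes\u200b",
    ]
    for s in samples:
        print(repr(s), scan(s))
```

Stripping the invisible characters before keyword matching restores the match, and the recorded offsets show which code point was inserted and where.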