You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Roman Serbski <me...@gmail.com> on 2005/05/01 12:02:19 UTC
OT: The highest score?
Hi all,
What was the highest score you've ever seen? I received a message
yesterday that was scored with 51.9(!). =)
SA in action: ;-)
Sat, 30 Apr 2005 19:45:21 KGST:80593: SA: REPORT hits = 51.9/3.5
4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
1.2 SUBJ_HAS_SPACES Subject contains lots of white space
3.5 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
3.8 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
0.1 RCVD_BY_IP Received by mail server with no name
0.0 FROM_ILLEGAL_CHARS From contains too many raw illegal characters
2.9 SUBJ_ILLEGAL_CHARS Subject contains too many raw illegal characters
2.1 HEAD_ILLEGAL_CHARS Header contains too many raw illegal characters
0.5 HTTP_ESCAPED_HOST URI: Uses %-escapes inside a URL's hostname
0.2 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a URL
2.0 HTML_TAG_EXIST_MARQUEE BODY: HTML has "marquee" tag
0.0 HTML_TEXT_AFTER_HTML BODY: HTML contains text after HTML close tag
0.1 HTML_TEXT_AFTER_BODY BODY: HTML contains text after BODY close tag
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
0.8 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar to background
0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
0.0 HTML_SHOUTING3 BODY: HTML has very strong "shouting" markup
0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above
50% [cf: 100]
0.0 HTML_NONELEMENT_00_10 BODY: 0% to 10% of HTML elements are non-standard
1.9 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.0000]
0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.5 HTML_EVENT_UNSAFE BODY: HTML contains unsafe auto-executing code
0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
1.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.0 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
[200.89.154.29 listed in dnsbl.sorbs.net]
0.4 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
[200.89.154.29 listed in combined.njabl.org]
3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[200.89.154.29 listed in sbl-xbl.spamhaus.org]
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address [200.89.154.29 listed in dnsbl.sorbs.net]
3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
[<http://dsbl.org/listing?200.89.154.29>]
0.1 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
[200.89.154.29 listed in combined.njabl.org]
1.0 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: ourk2.com]
1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: ourk2.com]
3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: ourk2.com]
4.1 RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found
0.6 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
2.4 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
0.0 UPPERCASE_25_50 message body is 25-50% uppercase
0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
3.9 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
Sat, 30 Apr 2005 19:45:21 KGST:80593: SA: yup, this smells like SPAM -
hits=51.9 - rejecting message...
Re: OT: The highest score?
Posted by Matt Kettler <mk...@evi-inc.com>.
Roman Serbski wrote:
>Hi all,
>
>What was the highest score you've ever seen? I received a message
>yesterday that was scored with 51.9(!). =)
>
I hate to say it, but I've seen scores over 1000.0. All you need to do
is include a GTUBE :)
USER_IN_BLACKLIST will also jack it up quite a bit with a +100 score.
GTUBE and blacklists aside, my highest spam score in recent history
(past 4 weeks) was 45.74:
score=45.74, required 5, autolearn=spam, AB_URI_RBL 1.00, BAYES_99 5.40,
DCC_CHECK 1.00, DRUGS_ERECTILE 1.00, HTML_70
_80 0.10, HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10,
INFO_GREYLIST_NOTDELAYED -0.01, JP_URI_RBL 1.00, LOCAL_RCVD_HELO_XIP
1.50, MIME_HTML_ONLY 0.32, MIME_HTML_ONLY_MULTI 1.10, NO_DNS_FOR_FROM
1.65, OB_URI_RBL 2.10, RAZOR2_CF_RANGE_51_100 0.20, RAZOR2_CHECK 1.05,
RCVD_IN_CHINA_KR 2.50, RCVD_IN_DSBL 0.71, RCVD_IN_NJABL_PROXY 2.34,
RCVD_IN_SORBS_MISC 0.00, RCVD_IN_XBL 4.92, SARE_RAND_2V 1.50,
SPAMCOP_URI_RBL 3.00, SUBJ_VIAGRA 4.10, VIAGRA_ONLINE 4.06, WS_URI_RBL
2.10, X_MESSAGE_INFO 2.00
But I tend to lean towards lowering rule scores from their defaults. I
tend to find some SARE rules, etc are a bit overly aggressive in scoring
for my tastes.
Re: OT: The highest score?
Posted by Kelson <ke...@speed.net>.
Roman Serbski wrote:
> What was the highest score you've ever seen? I received a message
> yesterday that was scored with 51.9(!). =)
Unfortunately I just purged the spamtraps, but that's what log files are
for. Here's the highest one from this week:
Score: 63.173
BAYES_99
BIZ_TLD
DOMAIN_RATIO
FORGED_IMS_HTML
FORGED_IMS_TAGS
FORGED_MUA_IMS
FORGED_YAHOO_RCVD
FROM_ILLEGAL_CHARS
HEAD_ILLEGAL_CHARS
HTML_90_100
HTML_FORMACTION_MAILTO
HTML_IMAGE_ONLY_20
HTML_IMAGE_RATIO_02
HTML_MESSAGE
LOCAL_SURBL_MULTI
MIME_HTML_ONLY
MIME_HTML_ONLY_MULTI
MISSING_MIMEOLE
MPART_ALT_DIFF
MSGID_SPAM_CAPS
MSGID_YAHOO_CAPS
RAZOR2_CF_RANGE_51_100
RAZOR2_CHECK
RCVD_BY_IP
RCVD_DOUBLE_IP_SPAM
RCVD_HELO_IP_MISMATCH
RCVD_IN_DSBL
RCVD_IN_NJABL_PROXY
RCVD_IN_NJABL_RELAY
RCVD_IN_SORBS_HTTP
RCVD_NUMERIC_HELO
SUBJ_ILLEGAL_CHARS
URIBL_OB_SURBL
URIBL_SBL
URIBL_WS_SURBL
The only custom rule in there is LOCAL_SURBL_MULTI, which adds an extra
3 points if 3 or more SURBLs fire. So technically this should only have
been 60.173.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: OT: The highest score?
Posted by Fred <sp...@freddyt.com>.
Chris Lear wrote:
> I've removed the SARE forged rules now altogether, and
> most of the remaining spam scores under 50 (just one 52.9 yesterday).
>
> Chris
Nope no citibank here, just making a generic rule like the rest, if you give
me some info on what's wrong with it, I'll gladly fix it. Just after I said
these rules havn't been touched in months, look what happens ;)
Thanks,
Re: OT: The highest score?
Posted by Chris Lear <ch...@laculine.com>.
* Chris wrote (05/04/05 01:27):
> On Sunday 01 May 2005 04:49 pm, John Andersen wrote:
>> On Sunday 01 May 2005 02:02 am, Roman Serbski wrote:
[...]
> * 104 SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
[...]
The SARE_FORGED_* rules are a good way to score over 100 points quickly.
When I first installed SARE I had some very high-scoring *ham* (hitting
SARE_FORGED_CITI. The SARE people don't work in the banking sector, it
seems), and, as a result, some crazy AWL scores afterwards. I've removed
the SARE forged rules now altogether, and most of the remaining spam
scores under 50 (just one 52.9 yesterday).
Chris
Re: OT: The highest score?
Posted by Chris <cp...@earthlink.net>.
On Sunday 01 May 2005 04:49 pm, John Andersen wrote:
> On Sunday 01 May 2005 02:02 am, Roman Serbski wrote:
> > Hi all,
> >
> > What was the highest score you've ever seen? I received a message
> > yesterday that was scored with 51.9(!). =)
>
> Since you can control the scores by setting the score for one
> or several tests, I just don't see how this is in any way meaningful.
>
> Most users adjust one or more scores to get rid of spam
> that creep in under the radar. There is no reason to suspect
> that exact same spam would get the same score for anyone
> else.
How about this one, actually there are two like this:
X-Spam-Status: Yes, score=132.2 required=5.0 tests=AWL,BAYES_99,DCC_CHECK,
DIGEST_MULTIPLE,HTML_80_90,HTML_EVENT_UNSAFE,HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY,
MIME_HTML_ONLY_MULTI,MIME_QP_LONG_LINE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,
NORMAL_HTTP_TO_IP,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,
RCVD_HELO_IP_MISMATCH,RCVD_IN_XBL,RCVD_NUMERIC_HELO,RM_t_bobbf,
SARE_FORGED_EBAY,SPF_SOFTFAIL autolearn=disabled version=3.0.3
X-Spam-Pyzor: Reported 1 times.
X-Spam-Report:
* 0.1 RM_t_bobbf Definate spam destination email address
* 3.8 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
* 4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
* 0.5 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
* [SPF failed: Please see
http://spf.pobox.com/why.html?sender=aw-confirm%40eBay.com&ip=212.118.20.121&receiver=cpollock.localdomain]
* 2.2 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but
should
* 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for
HELO
* 0.0 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
* 0.1 HTML_80_90 BODY: Message is 80% to 90% HTML
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
* 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level
above 50%
* [cf: 100]
* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 0.9992]
* 0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.5 HTML_EVENT_UNSAFE BODY: HTML contains unsafe auto-executing
code
* 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76
chars
* 3.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
* 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
* 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* [212.118.20.121 listed in sbl-xbl.spamhaus.org]
* 0.1 DIGEST_MULTIPLE Message hits more than one network digest check
* 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
tag
* 104 SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
* 2.4 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME
parts
* 0.4 AWL AWL: From: address is in the auto white-list
I can see though that I'm going to have to make an adjustment to my auto
whitelist.
--
Chris
Registered Linux User 283774 http://counter.li.org
19:23:23 up 6 days, 13:25, 2 users, load average: 1.37, 1.23, 0.75
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Our business in life is not to succeed but to continue to fail in high
spirits.
-- Robert Louis Stevenson
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Re: OT: The highest score?
Posted by John Andersen <js...@pen.homeip.net>.
On Sunday 01 May 2005 02:02 am, Roman Serbski wrote:
> Hi all,
>
> What was the highest score you've ever seen? I received a message
> yesterday that was scored with 51.9(!). =)
Since you can control the scores by setting the score for one
or several tests, I just don't see how this is in any way meaningful.
Most users adjust one or more scores to get rid of spam
that creep in under the radar. There is no reason to suspect
that exact same spam would get the same score for anyone
else.
--
_____________________________________
John Andersen
Re: The highest score?
Posted by jdow <jd...@earthlink.net>.
I cheat. I have a couple personal rules guaranteed to hit spam and no
ham whatsoever. They hit 100. "MOM Agent" is guaranteed spam. It seems
to hit 200. So it's not fair. I have, however, seen over 100 with pure
SARE rule sets so many of them were hit.
{^_-}
----- Original Message -----
From: "Roman Serbski" <me...@gmail.com>
Hi all,
What was the highest score you've ever seen? I received a message
yesterday that was scored with 51.9(!). =)
SA in action: ;-)
Sat, 30 Apr 2005 19:45:21 KGST:80593: SA: REPORT hits = 51.9/3.5
4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
1.2 SUBJ_HAS_SPACES Subject contains lots of white space
3.5 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
3.8 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
0.1 RCVD_BY_IP Received by mail server with no name
0.0 FROM_ILLEGAL_CHARS From contains too many raw illegal characters
2.9 SUBJ_ILLEGAL_CHARS Subject contains too many raw illegal characters
2.1 HEAD_ILLEGAL_CHARS Header contains too many raw illegal characters
0.5 HTTP_ESCAPED_HOST URI: Uses %-escapes inside a URL's hostname
0.2 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a
URL
2.0 HTML_TAG_EXIST_MARQUEE BODY: HTML has "marquee" tag
0.0 HTML_TEXT_AFTER_HTML BODY: HTML contains text after HTML close tag
0.1 HTML_TEXT_AFTER_BODY BODY: HTML contains text after BODY close tag
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
0.8 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar to background
0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
0.0 HTML_SHOUTING3 BODY: HTML has very strong "shouting" markup
0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above
50% [cf: 100]
0.0 HTML_NONELEMENT_00_10 BODY: 0% to 10% of HTML elements are non-standard
1.9 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.0000]
0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.5 HTML_EVENT_UNSAFE BODY: HTML contains unsafe auto-executing code
0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
1.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.0 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
[200.89.154.29 listed in dnsbl.sorbs.net]
0.4 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
[200.89.154.29 listed in combined.njabl.org]
3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[200.89.154.29 listed in sbl-xbl.spamhaus.org]
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address [200.89.154.29 listed in dnsbl.sorbs.net]
3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
[<http://dsbl.org/listing?200.89.154.29>]
0.1 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
[200.89.154.29 listed in combined.njabl.org]
1.0 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: ourk2.com]
1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: ourk2.com]
3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: ourk2.com]
4.1 RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found
0.6 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
2.4 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
0.0 UPPERCASE_25_50 message body is 25-50% uppercase
0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
3.9 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
Sat, 30 Apr 2005 19:45:21 KGST:80593: SA: yup, this smells like SPAM -
hits=51.9 - rejecting message...
Re: OT: The highest score?
Posted by Kris Deugau <kd...@vianet.ca>.
Roman Serbski wrote:
> What was the highest score you've ever seen? I received a message
> yesterday that was scored with 51.9(!). =)
Bah. I've seen a few that scored ~55 with stock 2.64 scores. With
SpamCopURI, and custom scores, they jumped to ~80.
I *think* I found one that scored ~80 on the stock 2.64 scores once, but
I'm not certain.
One weekend while I was particularly bored, I started putting together
an uberspam that would trip as many stock 2.64 rules as possible. I got
about a third of the way through the rules before stopping, and the
score was pushing 300. <g>
-kgd
--
Get your mouse off of there! You don't know where that email has been!
Re: OT: The highest score?
Posted by Doc Schneider <ma...@maddoc.net>.
I've seen one as high as 94.2 and was a really short spam too. Funny how
scoing works. 8*)
-Doc (SA/SARE/URIBL/SURBL - Stealth Ninja)
Roman Serbski wrote:
> Hi all,
>
> What was the highest score you've ever seen? I received a message
> yesterday that was scored with 51.9(!). =)
>
> SA in action: ;-)
>
> Sat, 30 Apr 2005 19:45:21 KGST:80593: SA: REPORT hits = 51.9/3.5
>
> 4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
> 1.2 SUBJ_HAS_SPACES Subject contains lots of white space
> 3.5 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
> 3.8 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
> 0.1 RCVD_BY_IP Received by mail server with no name
> 0.0 FROM_ILLEGAL_CHARS From contains too many raw illegal characters
> 2.9 SUBJ_ILLEGAL_CHARS Subject contains too many raw illegal characters
> 2.1 HEAD_ILLEGAL_CHARS Header contains too many raw illegal characters
> 0.5 HTTP_ESCAPED_HOST URI: Uses %-escapes inside a URL's hostname
> 0.2 HTTP_EXCESSIVE_ESCAPES URI: Completely unnecessary %-escapes inside a URL
> 2.0 HTML_TAG_EXIST_MARQUEE BODY: HTML has "marquee" tag
> 0.0 HTML_TEXT_AFTER_HTML BODY: HTML contains text after HTML close tag
> 0.1 HTML_TEXT_AFTER_BODY BODY: HTML contains text after BODY close tag
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.0 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
> 0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
> 0.8 HTML_FONT_LOW_CONTRAST BODY: HTML font color similar to background
> 0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
> 0.0 HTML_SHOUTING3 BODY: HTML has very strong "shouting" markup
> 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above
> 50% [cf: 100]
> 0.0 HTML_NONELEMENT_00_10 BODY: 0% to 10% of HTML elements are non-standard
> 1.9 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.0000]
> 0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> 0.5 HTML_EVENT_UNSAFE BODY: HTML contains unsafe auto-executing code
> 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
> 1.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 0.0 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
> [200.89.154.29 listed in dnsbl.sorbs.net]
> 0.4 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
> [200.89.154.29 listed in combined.njabl.org]
> 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
> [200.89.154.29 listed in sbl-xbl.spamhaus.org]
> 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
> address [200.89.154.29 listed in dnsbl.sorbs.net]
> 3.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
> [<http://dsbl.org/listing?200.89.154.29>]
> 0.1 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
> [200.89.154.29 listed in combined.njabl.org]
> 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: ourk2.com]
> 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
> [URIs: ourk2.com]
> 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
> [URIs: ourk2.com]
> 4.1 RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found
> 0.6 FORGED_OUTLOOK_HTML Outlook can't send HTML message only
> 2.4 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
> 0.0 UPPERCASE_25_50 message body is 25-50% uppercase
> 0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
> 3.9 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
>
> Sat, 30 Apr 2005 19:45:21 KGST:80593: SA: yup, this smells like SPAM -
> hits=51.9 - rejecting message...