Email Security Filter Tests and Definitions

Each filter test carries a numeric weight between 0 and 20, 20 being the highest. A message weight of 20 is also the default point at which a message is quarantined (held). Spam filtering can be made more aggressive by holding at a lower weight, such as 15 or 10; this is considered very aggressive and is suggested only in extreme or specific situations.

Weight Checking

WEIGHT10 - Really aggressive spam filtering

WEIGHT15 - More aggressive spam filtering

WEIGHT20 - Default spam filtering

WEIGHT30 - Unquestionably spam


Content Tests

419SCAM - Attempts to identify emails known as 419 scams (advance-fee or "Nigerian" scams)

8BIT - Checks whether the message body contains raw 8-bit characters instead of the 7-bit ASCII that SMTP originally required; legitimate mail clients normally carry non-ASCII text in a 7-bit-safe transfer encoding such as quoted-printable or Base64

ADULTPHRASE - This test looks for words or phrases within the email subject and/or body that are commonly reserved for pornographic spam messages

ADULTWORDS - Much like ADULTPHRASE, this test looks for a few of the same words or phrases and adds a little extra weight to the worst of the worst. It is much smaller than ADULTPHRASE and adds very little weight on its own.

ANGELFIRELINK - Triggers when an email contains an Angelfire link in the body

ARGDBL - AppRiver's domain-based blacklist. This test tracks every domain seen in email links together with its associated traffic and patterns. ARGDBL can be used to blacklist, whitelist, or passively monitor any domain we see, and it is maintained both manually and through automation

ARMALWARE - This test looks for known URL patterns that are associated with malware campaigns

BADCHARSET - Looks for a lack of defined character set, or simply an unrecognized character set

BADHEADERS - Looks for improperly formed headers

BASE64BAD - Looks for bad or improper Base64 encoded portions of an email

BASE64NULL - Triggers when a Base64 segment, once decoded, is found to contain a null byte

BASE64TEXT - Looks to see if a MIME segment contains a Major-Content-Type of text as well as a Content-Transfer-Encoding type of Base64

BOUNCEBLOCK - Looks for verbiage that identifies the email as a bounce message

BOUNCELOOP - Aims to identify and stop bounce messages that are caught in a loop of bouncing back and forth between mail servers

BOUNCETRACKER - Triggers when the return path contains the username of the recipient

BULKMAILER - Looks for messages that were sent as a bulk mail campaign

COMMENTS - Hidden HTML comments exist within the email

ENCODEDSUBJECT - Triggers when the sender encodes the subject line of an email with any of various encodings such as Base64, Unicode, etc.

FILECHECK - FILECHECK is a byte level signature test that is meant to block attachment spam

FINGERPRINT - A test used to block troublesome campaigns that tend to follow certain patterns. FINGERPRINT can be used to block based on several different pieces of criteria and assign each rule its own specific weight

FORGEDMAILER - Looks for inconsistencies in header formats from popular free mailers such as Hotmail, Gmail, etc.

FORGEDROUTE - Looks for header forgeries of the country route used to deliver an email

GARBAGEWORDS - This test attempts to identify spam that is using nothing but groups of unintelligible letters to fill email bodies as if they were words in an attempt to avoid certain types of filtering

GEOCITIESLINK - Triggers when an email contains a Geocities link in the body

GOOGLEBLOGLINK - Triggers when an email contains a Google Blog link in the body

GOOGLEGRPSLINK - Triggers when an email contains a Google Groups link in the body

GOOGLENOTELINK - Triggers when an email contains a Google Notes link in the body

GOOGLESITELINK - Triggers when an email contains a Google Site link in the body

HTMLSCRIPT - Looks for scripting language within the HTML portion of an email body

HTTPREDIRECT - This looks for code within HTML that causes a link to redirect viewers to another page

INVESTMENT - This looks for specific verbiage that classifies it as a stock or investment mailer

IPINURL - This looks for a link within the body of an email that contains an IP address as opposed to a domain name

ISRUSSIAN - Looks for a group of character sets containing Cyrillic characters

JAVAOBFUSCATE - This test looks for obfuscated JavaScript within an email body

JAVAWRITE - Looks for the JavaScript "document.write()" call in an email, which writes output into the rendered page. It is a common JavaScript call, but it is often seen in malicious scripts as well

LINKWILD - A test that looks for known URL patterns of known spam campaigns

LIVEGRPSLINK - Triggers when an email contains a MS Live Groups link in the body

MAXINVALID - Triggers when an email is addressed to more invalid mailboxes than the allowed maximum: 3 or more invalid recipients, or more than 25% of the total recipients being invalid.

NOLEGITCONTENT - Written to find emails with blank body segments

NONENGLISH - Looks for non-English character sets; this test has been replaced by the language-specific character set tests listed under Regional Dialects below

ONSUGARLINK - Triggers when an email contains an OnSugar link in the body

OPTOUT - Looks for evidence of opt-out links, such as subscription newsletters should have

PHISHING - This test looks for phishing scams

PHISHAR - This test is manually populated and looks for known patterns in URLs that lead to phishing sites

PHISHURL - This test pulls in known phishing data from a third party source

PORTINURL - This looks for a specified port within a link (e.g.,

QUOTEDPRINTABLE - Looks for quoted-printable encoding within the body of an email

REDIRECTHOLE - Looks for evidence within a link that it will redirect visitors to a site other than the one shown in the link, either immediately or right after the initial site loads.

SHORTURL - This test looks for the use of a URL shortening service being used within the body of an email

SIGNATURE - A major portion of our spam and malware blocking ability comes from SIGNATURE rules which are written based on the actual content of these messages

SPACEDSUBJECT - Looks for emails attempting to evade word filters by placing spaces between the letters of one or more words in the subject line

SPAMPHRASE - Looks for words or phrases within the email subject and/or body that are commonly reserved for spam messages

SPEARPHISH - Looks for common spear-phishing tactics, such as an email that appears to come from within an organization while an external "Reply-To" address is used to carry the conversation between the attacker and the victim. Much like FINGERPRINT, many different factors can be combined to customize a rule for each tactic, and each SPEARPHISH rule may be assigned its own weight.

WEBBUG - A web bug is a bit of hidden content (typically a remotely loaded tracking image) that lets a sender verify that the recipient has opened and viewed the email; this test looks for such content

WEBGARDENLINK - Triggers when an email contains a WebGarden link in the body

WORDPRESSLINK - Triggers when an email contains a WordPress link in the body

YAHOOGRPSLINK - Triggers when an email contains a Yahoo Groups link in the body
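The following Python is an added example written for this page, not AppRiver's filter code. It shows how a handful of the simpler content tests above (IPINURL, PORTINURL, SHORTURL, SPACEDSUBJECT, JAVAWRITE, BOUNCETRACKER, SPEARPHISH and MAXINVALID) can be implemented over a parsed message, and how the triggered weights add up to the WEIGHTnn thresholds and the hold decision described in the Weight Checking section. The per-test weights, the shortener list, the sample message and the set of non-existent recipients are all assumptions; the page does not publish the real values.

```python
import email
import email.utils
import re
from email import policy

# Assumed per-test weights; this page does not publish the real values.
WEIGHTS = {
    "IPINURL": 5, "PORTINURL": 4, "SHORTURL": 3, "SPACEDSUBJECT": 6,
    "JAVAWRITE": 4, "BOUNCETRACKER": 8, "SPEARPHISH": 12, "MAXINVALID": 10,
}
THRESHOLDS = (30, 20, 15, 10)                              # WEIGHT30 .. WEIGHT10
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}   # assumed shortener list

URL_RE = re.compile(r"https?://([^/\s:>\"']+)(:\d+)?", re.I)   # (host, :port)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
SPACED_RE = re.compile(r"\b(?:[A-Za-z] ){3,}[A-Za-z]\b")        # "V I A G R A"


def _addr(value):
    """Bare, lower-cased address from a header value ('' if absent)."""
    return email.utils.parseaddr(str(value or ""))[1].lower()


def _domain(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def run_content_tests(msg, invalid_recipients):
    """Return {test_name: weight} for every implemented test that triggers.
    invalid_recipients: recipient addresses that do not exist (the real filter
    knows this from the customer's directory; here the caller supplies it)."""
    hits = {}
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # IPINURL / PORTINURL / SHORTURL: examine the host part of every link
    for host, port in URL_RE.findall(text):
        if IPV4_RE.fullmatch(host):
            hits["IPINURL"] = WEIGHTS["IPINURL"]
        if port:
            hits["PORTINURL"] = WEIGHTS["PORTINURL"]
        if host.lower() in SHORTENERS:
            hits["SHORTURL"] = WEIGHTS["SHORTURL"]

    if SPACED_RE.search(subject):                   # SPACEDSUBJECT
        hits["SPACEDSUBJECT"] = WEIGHTS["SPACEDSUBJECT"]
    if re.search(r"document\.write\s*\(", text):    # JAVAWRITE
        hits["JAVAWRITE"] = WEIGHTS["JAVAWRITE"]

    rcpt_headers = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    rcpts = [a.lower() for _, a in email.utils.getaddresses(rcpt_headers) if a]

    # BOUNCETRACKER: the Return-Path carries a recipient's username
    return_path = _addr(msg.get("Return-Path"))
    if return_path and any(r.split("@")[0] in return_path for r in rcpts):
        hits["BOUNCETRACKER"] = WEIGHTS["BOUNCETRACKER"]

    # SPEARPHISH: From looks internal (a recipient's own domain) while
    # Reply-To steers the conversation to a different, external domain
    from_dom = _domain(_addr(msg.get("From")))
    reply_dom = _domain(_addr(msg.get("Reply-To")))
    if (from_dom and reply_dom and reply_dom != from_dom
            and from_dom in {_domain(r) for r in rcpts}):
        hits["SPEARPHISH"] = WEIGHTS["SPEARPHISH"]

    # MAXINVALID: 3 or more invalid recipients, or more than 25% of them invalid
    invalid = len({r.lower() for r in invalid_recipients} & set(rcpts))
    if rcpts and (invalid >= 3 or invalid / len(rcpts) > 0.25):
        hits["MAXINVALID"] = WEIGHTS["MAXINVALID"]
    return hits


def score(hits, hold_at=20):
    """Sum the triggered weights, tag each WEIGHTnn threshold reached and decide
    whether to hold (quarantine): 20 by default, 15 or 10 for aggressive setups."""
    total = sum(hits.values())
    tags = ["WEIGHT%d" % t for t in THRESHOLDS if total >= t]
    return total, tags, total >= hold_at


# Constructed sample: internal-looking "helpdesk" mail with an external Reply-To,
# an IP:port link, a shortener link, a spaced subject and two non-existent recipients.
SAMPLE = """\
Return-Path: <bounce-alice@lists.example.net>
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: helpdesk-corp@webmail.example.org
To: alice@corp.example, bob@corp.example, carol@corp.example, dave@corp.example
Subject: P A S S W O R D reset required
Content-Type: text/html

<html><body><p>Reset here: <a href="http://198.51.100.7:8080/reset">portal</a>
or <a href="http://bit.ly/3xyz">short link</a></p>
<script>document.write(unescape('%3Cimg src=x%3E'));</script></body></html>
"""


def analyse_sample():
    msg = email.message_from_string(SAMPLE, policy=policy.default)
    hits = run_content_tests(msg, {"carol@corp.example", "dave@corp.example"})
    return hits, score(hits)      # -> (hits, (52, ['WEIGHT30', ...], True))
```

With the assumed weights the sample reaches 52, so every threshold tag applies and the message is held even at the default of 20; lowering `hold_at` to 15 or 10 only changes the outcome for messages that trigger one or two low-weight tests, which is why the page calls those settings aggressive. Note that MAXINVALID fires here through the percentage branch (2 of 4 recipients invalid, which is over 25%) even though fewer than 3 recipients are invalid.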

Sender Verification

FROMISP - Looks for emails delivered from a home (ISP) connection. Used to detect botnet activity purporting to come from larger businesses, whose mail would not be coming from a home connection.

HELOBOGUS - Checks whether the domain name used in the HELO transaction of the SMTP session is a valid domain

RETURNPATH - Checks whether the domain in the return path is a valid domain with an A or MX DNS record

REVDNS - Checks whether the sending IP address that presented the HELO name has a reverse DNS (PTR) entry; reverse DNS is keyed by the connecting IP address, not by the name given in HELO

ROUTING - Triggers when an email makes unnecessary country hops along its route, specifically when it travels back through a country it had already passed through on that delivery

SIG-BLACK - Not exactly a test; a tag added to a header when the sending IP's reputation falls within a certain range, as denoted by GBUdb (an IP reputation filter)

SIG-CAUTION - Not exactly a test; a tag added to a header when the sending IP's reputation falls within a different, less severe range, as denoted by GBUdb (an IP reputation filter)

SPAMDOMAINS - Looks at messages purporting to come from large, common domains such as banks or freemail providers and compares the sender's reverse DNS entry against the known origins associated with the "From" address domain.

SPFHARDFAIL - Triggers when an email hard-fails Sender Policy Framework (SPF) verification (an SPF "fail" result, produced by a "-all" policy)

SPFSOFTFAIL - Triggers when an email soft-fails Sender Policy Framework (SPF) verification (an SPF "softfail" result, produced by a "~all" policy)
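The ROUTING test above is the one sender-verification check that can be demonstrated without DNS lookups. The following Python is an added example written for this page, not AppRiver's implementation: it walks the Received chain of a message oldest hop first, maps each connecting IP to a country through a constructed lookup table that stands in for a GeoIP database, and flags the message when the route re-enters a country it has already left. The Received headers, IP addresses and country assignments are all constructed for the example.

```python
import re
from email import message_from_string, policy

# Constructed IP -> country table standing in for a GeoIP database.
GEO = {
    "203.0.113.5": "CN",     # originating host
    "198.51.100.20": "US",   # first relay, in the US
    "192.0.2.77": "CN",      # second relay, back in China
    "192.0.2.10": "US",      # the receiving MX
}
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ips(msg):
    """Connecting IPs from the Received chain, oldest hop first. Each relay
    prepends its own Received line, so header order is newest-first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = BRACKET_IP_RE.search(str(hdr))
        if m:
            ips.append(m.group(1))
    ips.reverse()
    return ips


def country_route(ips, geo=GEO):
    """Collapse the hop list to a country sequence: consecutive hops inside
    one country count once, and IPs missing from the table are skipped."""
    route = []
    for ip in ips:
        country = geo.get(ip)
        if country and (not route or route[-1] != country):
            route.append(country)
    return route


def routing_test(msg, geo=GEO):
    """ROUTING: True when the route re-enters a country it already left,
    i.e. the collapsed country sequence contains a repeat."""
    route = country_route(hop_ips(msg), geo)
    return len(route) != len(set(route)), route


# Constructed messages (newest Received line first, as in real mail).
LOOPED = """\
Received: from mx1.corp.example ([192.0.2.10]) by mail.corp.example; Tue, 1 Jan 2019 10:00:04 +0000
Received: from relay.example.cn ([192.0.2.77]) by mx1.corp.example; Tue, 1 Jan 2019 10:00:03 +0000
Received: from smtp.example.net ([198.51.100.20]) by relay.example.cn; Tue, 1 Jan 2019 10:00:02 +0000
Received: from [203.0.113.5] by smtp.example.net; Tue, 1 Jan 2019 10:00:01 +0000
From: sender@example.cn
To: someone@corp.example
Subject: routing example

body
"""
DIRECT = """\
Received: from mx1.corp.example ([192.0.2.10]) by mail.corp.example; Tue, 1 Jan 2019 10:00:03 +0000
Received: from smtp.example.net ([198.51.100.20]) by mx1.corp.example; Tue, 1 Jan 2019 10:00:02 +0000
Received: from [203.0.113.5] by smtp.example.net; Tue, 1 Jan 2019 10:00:01 +0000
From: sender@example.cn
To: someone@corp.example
Subject: routing example

body
"""


def analyse_samples():
    results = {}
    for name, raw in (("looped", LOOPED), ("direct", DIRECT)):
        results[name] = routing_test(message_from_string(raw, policy=policy.default))
    return results   # {'looped': (True, [CN, US, CN, US]), 'direct': (False, [CN, US])}
```

The looped message goes CN, US, CN, US and triggers; the direct one goes CN, US, US, which collapses to CN, US and passes. A production implementation must only trust Received lines added by its own MX and known-good upstream relays: anything below the first trusted hop was written by the sender and can be fabricated, which is the forgery the FORGEDROUTE test on this page is aimed at.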

Regional Dialects

AFRICAN-CHR - Identifies characters from African regions

ARABIC-CHR - Identifies Arabic characters

ASIAN-CHR - Identifies characters from Asian regions

ASIAN-SUB - Identifies subjects containing characters from Asian regions

CYRILLIC-CHR - Identifies Cyrillic characters

GREEK-CHR - Identifies Greek characters

HEBREW-CHR - Identifies Hebrew characters

PORTUGUESE-CHR - Identifies Portuguese characters

SPANISH-CHR - Identifies Spanish characters

TURKISH-CHR - Identifies specific characters from the Turkish alphabet in email
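As an added example of how the character-set tests above can be implemented (example code for this page, not AppRiver's), the following Python classifies each non-ASCII character in a message by its Unicode script name and emits the matching tags, with ASIAN-SUB as the subject-only variant of ASIAN-CHR. The letter sets for the Latin-script tests (TURKISH-CHR, SPANISH-CHR, PORTUGUESE-CHR) and the sample message are assumptions; the page does not say which letters those tests look for.

```python
import unicodedata
from email import message_from_bytes, policy

# First word of unicodedata.name() -> tag. ASIAN covers CJK ideographs, kana
# and Hangul. These tests are keyed by script, not by language, so the
# Unicode character name is all the lookup needs.
SCRIPT_TAGS = {
    "CYRILLIC": "CYRILLIC-CHR", "ARABIC": "ARABIC-CHR", "HEBREW": "HEBREW-CHR",
    "GREEK": "GREEK-CHR", "CJK": "ASIAN-CHR", "HIRAGANA": "ASIAN-CHR",
    "KATAKANA": "ASIAN-CHR", "HANGUL": "ASIAN-CHR",
}
# Assumed letter sets for the language-specific tests. Latin letters with
# diacritics overlap between languages (ç is Portuguese, Turkish and French),
# so these tests are inherently fuzzier than the script-based ones.
LATIN_TAGS = {
    "TURKISH-CHR": set("ğĞşŞıİ"),
    "SPANISH-CHR": set("ñÑ¿¡"),
    "PORTUGUESE-CHR": set("ãÃõÕ"),
}


def tags_for_text(text):
    """Tags triggered by the non-ASCII characters in text."""
    tags = set()
    for ch in text:
        if ord(ch) < 0x80:
            continue
        script = unicodedata.name(ch, "").split(" ", 1)[0]
        if script in SCRIPT_TAGS:
            tags.add(SCRIPT_TAGS[script])
        tags.update(tag for tag, letters in LATIN_TAGS.items() if ch in letters)
    return tags


def regional_tests(raw):
    """Run the character-set tests over a raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded-words, so an encoded subject is
    # classified by its real characters rather than by the ASCII of "=?UTF-8?Q?...?="
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    subject_tags = tags_for_text(subject)
    tags = subject_tags | tags_for_text(text)
    if "ASIAN-CHR" in subject_tags:      # ASIAN-SUB is the subject-only variant
        tags.add("ASIAN-SUB")
    return tags


# Constructed sample: CJK subject in Q-encoding, Cyrillic and Portuguese body.
SAMPLE = (
    "From: sender@example.net\r\n"
    "To: someone@example.org\r\n"
    "Subject: =?UTF-8?Q?=E9=87=8D=E8=A6=81_Invoice?=\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Срочно: оплатите счёт.\r\n"
    "Você não vai acreditar!\r\n"
).encode("utf-8")


def analyse_sample():
    return regional_tests(SAMPLE)
    # -> {'ASIAN-CHR', 'ASIAN-SUB', 'CYRILLIC-CHR', 'PORTUGUESE-CHR'}
```

Decoding the subject before classifying it matters: the encoded-word form is pure ASCII and would trigger nothing, which is the same gap the ENCODEDSUBJECT content test closes from the other side. The body must likewise be decoded with its declared charset (here UTF-8) before the lookup, which is why the example parses bytes rather than text.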

