SecureTide® Filter Tests and Definitions

Each filter test carries a weight between 0 and 20, 20 being the highest. The weights of every test a message triggers are added together, and the message is quarantined once that total reaches the hold threshold, which by default is 20. Spam filtering can be made more aggressive by holding at a lower total, such as 15 or 10. This is considered very aggressive and is only suggested in extreme or specific situations.
Weight Checking
WEIGHT10 - Hold threshold of 10; really aggressive spam filtering
WEIGHT15 - Hold threshold of 15; more aggressive spam filtering
WEIGHT20 - Hold threshold of 20; default spam filtering
WEIGHT30 - Total of 30 or more; unquestionably spam
Content Tests
419SCAM - Looks for and attempts to identify emails known as 419 scams (the Nigerian advance-fee scam)

 - Checks whether an email is sent as raw 8-bit data rather than the 7-bit encoding that SMTP traditionally requires

ADULTPHRASE - This test looks for words or phrases within the email subject and/or body that are commonly reserved for pornographic spam messages
ADULTWORDS - Much like ADULTPHRASE, this test looks for a few of the same words or phrases and adds a little extra weight to the worst of them. It is a much smaller test than ADULTPHRASE and adds very little extra weight.
ANGELFIRELINK - Triggers when an email contains an Angelfire link in the body

ARGDBL - AppRiver’s domain-based blacklist. This test tracks every domain seen in email links, along with its associated traffic and patterns. ARGDBL can be used to blacklist, whitelist, or passively monitor any domain we see. Entries are added both manually and through automation.
ARMALWARE - This test looks for known URL patterns that are associated with malware campaigns

BADCHARSET - Looks for a lack of defined character set, or simply an unrecognized character set
BADHEADERS - Looks for improperly formed headers
BASE64BAD - Looks for bad or improper Base64 encoded portions of an email
BASE64NULL - This test fails when a Base64 segment is decoded and is found to contain a null byte

BASE64TEXT - Looks for a MIME segment whose major content type is text (text/*) but whose Content-Transfer-Encoding is Base64

BOUNCEBLOCK - Looks for verbiage that identifies the email as a bounce message

BOUNCELOOP - Aims to identify and stop bounce messages that are caught in a loop of bouncing back and forth between mail servers

BOUNCETRACKER - This test will fail if the return path contains the username of the recipient

 - Looks for messages that were sent as a bulk mail campaign

 - Hidden HTML comments exist within the email

 - This test will fail when the sender encodes the subject line of an email with any of various encodings, such as Base64 or Unicode

FILECHECK - A byte-level signature test meant to block attachment spam
FINGERPRINT - A test used to block troublesome campaigns that tend to follow certain patterns. FINGERPRINT can be used to block based on several different pieces of criteria and assign each rule its own specific weight

 - This looks for inconsistencies in header formats from popular freemail providers such as Hotmail, Gmail, etc.

 - Looks for header forgeries of the country route used to deliver an email
GARBAGEWORDS - This test attempts to identify spam that fills the email body with groups of unintelligible letters, as if they were words, in an attempt to avoid certain types of filtering
GEOCITIESLINK - Triggers when an email contains a Geocities link in the body
GOOGLEBLOGLINK - Triggers when an email contains a Google Blog link in the body
GOOGLEGRPSLINK - Triggers when an email contains a Google Groups link in the body
GOOGLENOTELINK - Triggers when an email contains a Google Notes link in the body
GOOGLESITELINK - Triggers when an email contains a Google Site link in the body

HTMLSCRIPT - A test that looks for scripting language within the HTML portion of an email body

 - This looks for code within the HTML that redirects viewers to another page

 - This looks for specific verbiage that classifies the email as a stock or investment mailer

 - This looks for a link within the body of an email that contains an IP address as opposed to a domain name

 - This looks for a group of character sets containing Cyrillic characters
JAVAOBFUSCATE - This test looks for obfuscated JavaScript within an email body
JAVAWRITE - This test looks for the JavaScript “document.write()” command in an email, which indicates an output of some sort. This is a common JavaScript command; however, it is often seen in malicious scripts as well
LINKWILD - A test that looks for known URL patterns of known spam campaigns

LIVEGRPSLINK - Triggers when an email contains a MS Live Groups link in the body

MAXINVALID - This test triggers when an email is addressed to more invalid mailboxes than allowed: either 3 or more invalid recipients, or invalid recipients making up more than 25% of the total recipients.

 - Written to find emails with blank body segments

NONENGLISH - Looks for non-English character sets – this test has been replaced with language specific character set tests
ONSUGARLINK - Triggers when an email contains a OnSugar link in the body

OPTOUT - This test looks for evidence of the opt-out links that legitimate subscription newsletters should have

 - This test looks for phishing scams
PHISHAR - This test is manually populated and looks for known patterns in URLs that lead to phishing sites

 - This test pulls in known phishing data from a third party source
PORTINURL - This looks for a specified port within a link, e.g.

QUOTEDPRINTABLE - This test looks for quoted-printable encoding within the body of an email
REDIRECTHOLE - This test looks for evidence within a link that it will redirect visitors to a secondary site other than the one displayed in the link, either immediately or shortly after the initial site is visited.
SHORTURL - This test looks for the use of a URL shortening service being used within the body of an email

SIGNATURE - A major portion of our spam and malware blocking ability comes from SIGNATURE rules, which are written based on the actual content of these messages

 - Looks for email attempting to evade word filters by placing spaces between the letters of words in the subject line of an email

 - Looks for words or phrases within the email subject and/or body that are commonly reserved for spam messages

SPEARPHISH - This test looks for common spearphishing tactics, such as an email that appears to come from within an organization but carries an external "Reply-To" address that the attacker uses to communicate with the victim. Much like the FINGERPRINT test, many different factors can be used to customize each rule for each tactic, and each SPEARPHISH rule may be assigned its own weight.

 - A web bug is a hidden element (typically a tracking image) that lets a sender verify that the recipient has opened and viewed the email; this test looks for them
WEBGARDENLINK - Triggers when an email contains a WebGarden link in the body
WORDPRESSLINK - Triggers when an email contains a WordPress link in the body
YAHOOGRPSLINK - Triggers when an email contains a Yahoo Groups link in the body
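Several of the content tests above have a definition precise enough to implement, and together they show how the per-test weights from the top of the page add up to a WEIGHT marker. The Python below is an added example, not SecureTide's or AppRiver's own code: it implements BOUNCETRACKER, BASE64TEXT/BASE64NULL, PORTINURL, SPEARPHISH, MAXINVALID, the IP-address-in-link test and the spaced-out-subject test, scores a constructed sample message, and maps the total onto WEIGHT10/15/20/30. The weights in WEIGHTS, the labels IP_LINK and SPACED_SUBJECT for the two tests the page leaves unnamed, and the sample message are all assumptions made for this example.

```python
import base64
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from ipaddress import ip_address

# Hypothetical per-test weights for this example only; the page does not publish
# SecureTide's real weights. IP_LINK and SPACED_SUBJECT are labels chosen here.
WEIGHTS = {
    "BOUNCETRACKER": 5, "BASE64TEXT": 4, "BASE64NULL": 10, "IP_LINK": 6,
    "PORTINURL": 4, "SPACED_SUBJECT": 5, "SPEARPHISH": 15, "MAXINVALID": 20,
}
URL_RE = re.compile(r"https?://([^/\s:]+)(?::(\d+))?", re.I)
# Four or more single letters separated by spaces, e.g. "V I A G R A".
SPACED_RE = re.compile(r"\b(?:[A-Za-z] ){3,}[A-Za-z]\b")


def domain_of(addr_header):
    """Domain part of the first address in a header value ('' if none)."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def check_bouncetracker(msg, recipient):
    """BOUNCETRACKER: the Return-Path contains the recipient's username."""
    user = recipient.split("@", 1)[0].lower()
    return bool(user) and user in parseaddr(msg.get("Return-Path", ""))[1].lower()


def check_base64_parts(msg):
    """BASE64TEXT: a text/* part transfer-encoded as Base64.
    BASE64NULL: a Base64 part decodes to data containing a null byte."""
    hits = set()
    for part in msg.walk():
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        if part.get_content_maintype() == "text":
            hits.add("BASE64TEXT")
        try:
            decoded = base64.b64decode(part.get_payload())
        except (ValueError, TypeError):
            continue  # malformed Base64 is BASE64BAD territory, not handled here
        if b"\x00" in decoded:
            hits.add("BASE64NULL")
    return hits


def check_links(body):
    """IP_LINK: link host is a bare IP address. PORTINURL: link names a port."""
    hits = set()
    for host, port in URL_RE.findall(body):
        try:
            ip_address(host)
            hits.add("IP_LINK")
        except ValueError:
            pass
        if port:
            hits.add("PORTINURL")
    return hits


def check_spaced_subject(subject):
    """Word-filter evasion: letters of a word separated by spaces in the subject."""
    return bool(SPACED_RE.search(subject or ""))


def check_spearphish(msg, internal_domain):
    """SPEARPHISH: From claims the organization's domain, Reply-To is external."""
    reply_dom = domain_of(msg.get("Reply-To"))
    return domain_of(msg.get("From")) == internal_domain and bool(reply_dom) and reply_dom != internal_domain


def check_maxinvalid(recipients, valid_mailboxes):
    """MAXINVALID: 3 or more invalid recipients, or invalid > 25% of all."""
    if not recipients:
        return False
    invalid = [r for r in recipients if r.lower() not in valid_mailboxes]
    return len(invalid) >= 3 or len(invalid) / len(recipients) > 0.25


def weight_tag(score):
    """Highest WEIGHTnn marker the cumulative score reaches (None below 10)."""
    return next((f"WEIGHT{lvl}" for lvl in (30, 20, 15, 10) if score >= lvl), None)


def score_message(raw, recipient, internal_domain, valid_mailboxes):
    """Run the checks, sum the weights of those that fired: (hits, score, tag)."""
    msg = message_from_string(raw)
    hits = set()
    if check_bouncetracker(msg, recipient):
        hits.add("BOUNCETRACKER")
    hits |= check_base64_parts(msg)
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    hits |= check_links(body)
    if check_spaced_subject(msg.get("Subject")):
        hits.add("SPACED_SUBJECT")
    if check_spearphish(msg, internal_domain):
        hits.add("SPEARPHISH")
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if check_maxinvalid(rcpts, valid_mailboxes):
        hits.add("MAXINVALID")
    score = sum(WEIGHTS[h] for h in hits)
    return sorted(hits), score, weight_tag(score)


# Constructed sample message: a payroll lure that fires most of the checks.
HTML_BODY = '<a href="http://192.0.2.10:8080/login">Update your details</a>'
SAMPLE = (
    "Return-Path: <bounce-alice@mailer.example.net>\n"
    'From: "Payroll" <payroll@corp.example>\n'
    "Reply-To: payroll.help@freemail.example\n"
    "To: alice@corp.example, bob@corp.example, carol@corp.example, dave@corp.example\n"
    "Subject: U R G E N T payroll update\n"
    "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(HTML_BODY.encode()).decode() + "\n"
)
KNOWN_MAILBOXES = {"alice@corp.example", "bob@corp.example"}  # constructed directory

if __name__ == "__main__":
    print(score_message(SAMPLE, "alice@corp.example", "corp.example", KNOWN_MAILBOXES))
```

Note the MAXINVALID boundary: one bad address among four recipients is exactly 25% and does not trigger, while one among three does, so a single mistyped address on a small distribution list is enough to hold the message at this weight.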

Sender Verification

 - Looks for emails delivered from a home (ISP) connection. Used to detect botnet activity that purports to come from larger businesses, whose mail would not come from a home connection.

 - This test looks to see if the domain name used in the HELO transaction of the SMTP process is a valid domain

 - This test checks to see if the domain in the return path is a valid domain with an A or MX DNS record

 - This test looks to see if the domain presented in the HELO transaction of the SMTP process has a reverse DNS entry

 - This test fails when an email makes unnecessary country hops along its route, specifically if the email travels back through a country that it had previously been through on that particular trip
SIG-BLACK - Not exactly a test, but tagged in a header when the sending IP’s reputation falls within the "black" range as denoted by GBUdb, an IP reputation filter
SIG-CAUTION - Not exactly a test, but tagged in a header when the sending IP’s reputation falls within the "caution" range as denoted by GBUdb, an IP reputation filter

 - This looks at messages purporting to come from larger common domains, such as banks or freemail providers, and compares their reverse DNS entry against the known origins associated with the “From” address.

 - This test will trigger if an email hard-fails Sender Policy Framework (SPF) verification

SPFSOFTFAIL - This test will trigger if an email soft-fails Sender Policy Framework (SPF) verification
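The sender verification tests above all hinge on what the receiving MTA recorded in the Received and Authentication-Results headers and on DNS answers for the names in those headers. The Python below is an added example, not SecureTide's or AppRiver's own code. It parses a constructed message, applies the HELO domain, HELO reverse-DNS, Return-Path A/MX, country-hop and SPF checks, and reports which fired. Live DNS is replaced by the FAKE_DNS fixture, the IP-to-country map is constructed, and the lower-case labels for the tests the page leaves unnamed are chosen here; SPFSOFTFAIL is the page's own name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS fixture used instead of live lookups (assumption for this example).
FAKE_DNS = {
    ("mailer.example.net", "MX"): ["mx1.mailer.example.net"],
    ("corp.example", "A"): ["192.0.2.10"],
    ("198.51.100.7", "PTR"): ["mta.mailer.example.net"],
}
# Constructed geolocation of the relay IPs in the sample message.
IP_COUNTRY = {"192.0.2.55": "US", "203.0.113.9": "DE", "198.51.100.7": "US"}

# Postfix-style trace "from <helo> (<rdns> [<ip>]) by ..."; the rDNS field is optional.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)", re.I)
SPF_RE = re.compile(r"\bspf=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)


def lookup(name, rtype, dns=FAKE_DNS):
    return dns.get((name.lower(), rtype), [])


def parse_received(value):
    """(helo_name, connecting_ip) from one Received header, or None if unparseable."""
    m = RECEIVED_RE.search(value or "")
    return (m.group(1).lower(), m.group(3)) if m else None


def helo_domain_resolves(helo, dns=FAKE_DNS):
    """The HELO name must be a real domain: it needs an A or MX record."""
    return bool(lookup(helo, "A", dns) or lookup(helo, "MX", dns))


def helo_has_reverse_dns(helo, client_ip, dns=FAKE_DNS):
    """The connecting IP needs a PTR record naming the HELO domain or a host under it."""
    return any(p.lower() == helo or p.lower().endswith("." + helo)
               for p in lookup(client_ip, "PTR", dns))


def return_path_domain_valid(msg, dns=FAKE_DNS):
    """The Return-Path domain must have an A or MX record."""
    dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return bool(dom) and bool(lookup(dom, "A", dns) or lookup(dom, "MX", dns))


def spf_result(msg):
    """SPF verdict the receiving MTA wrote into Authentication-Results ('fail' is a hard fail)."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = SPF_RE.search(hdr)
        if m:
            return m.group(1).lower()
    return None


def route_revisits_country(countries):
    """Country-hop test: fail when the route re-enters a country it already left."""
    seen, last = set(), None
    for c in countries:
        if c != last and c in seen:
            return True
        seen.add(c)
        last = c
    return False


def sender_checks(raw, ip_country=IP_COUNTRY, dns=FAKE_DNS):
    """Run the checks above and return the labels of those that fired, in check order."""
    msg = message_from_string(raw)
    fired = []
    # Received headers are prepended on each hop, so reverse them to get origin-first order.
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h][::-1]
    if hops:
        helo, ip = hops[-1]  # the hop that connected to our MX
        if not helo_domain_resolves(helo, dns):
            fired.append("helo-domain-invalid")
        if not helo_has_reverse_dns(helo, ip, dns):
            fired.append("helo-no-reverse-dns")
    if not return_path_domain_valid(msg, dns):
        fired.append("return-path-invalid")
    if route_revisits_country([ip_country.get(ip, "??") for _, ip in hops]):
        fired.append("country-hop")
    verdict = spf_result(msg)
    if verdict == "fail":
        fired.append("spf-hardfail")
    elif verdict == "softfail":
        fired.append("SPFSOFTFAIL")
    return fired


# Constructed sample: originates in the US, relays through DE, re-enters the US.
SAMPLE = (
    "Received: from mailer.example.net (mta.mailer.example.net [198.51.100.7])\n"
    "\tby mx.corp.example with ESMTP id 1A2B3C; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from relay.example.org (relay.example.org [203.0.113.9])\n"
    "\tby mailer.example.net with ESMTP id 9Z8Y7X; Mon, 1 Jan 2024 09:59:00 +0000\n"
    "Received: from [192.0.2.55] (unknown [192.0.2.55])\n"
    "\tby relay.example.org with ESMTP id 5Q4R3S; Mon, 1 Jan 2024 09:58:00 +0000\n"
    "Authentication-Results: mx.corp.example; spf=softfail smtp.mailfrom=mailer.example.net\n"
    "Return-Path: <bounce-alice@mailer.example.net>\n"
    "From: payroll@corp.example\nTo: alice@corp.example\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(sender_checks(SAMPLE))
```

Only the topmost Received header is trustworthy for the HELO and reverse-DNS checks, since earlier hops are written by other servers and a sender can forge them; the country-hop test reads the whole chain, which is why a forged trailing hop can make it fire or stay silent.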


Regional Dialects

AFRICAN-CHR - Identifies characters from African regions

ARABIC-CHR - Identifies Arabic characters

ASIAN-CHR - Identifies characters from Asian regions

ASIAN-SUB - Identifies subjects containing characters from Asian regions

CYRILLIC-CHR - Identifies Cyrillic characters

GREEK-CHR - Identifies Greek characters

HEBREW-CHR - Identifies Hebrew characters

PORTUGUESE-CHR - Identifies Portuguese characters

SPANISH-CHR - Identifies Spanish characters

TURKISH-CHR - Identifies specific characters from the Turkish alphabet in email
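The character-set tests above come down to attributing each character in a message to a script, with ASIAN-SUB distinguishing the subject from the body. The Python below is an added example of that attribution using the Unicode character database, not SecureTide's or AppRiver's own code. The mapping from Unicode name prefixes to the page's tags, the letter sets taken as specific to Spanish, Portuguese and Turkish, and the min_chars threshold are assumptions made for this example.

```python
import unicodedata

# First word of a character's Unicode name identifies its script (assumed mapping).
SCRIPT_TAGS = {
    "CYRILLIC": "CYRILLIC-CHR", "GREEK": "GREEK-CHR",
    "HEBREW": "HEBREW-CHR", "ARABIC": "ARABIC-CHR",
}
ASIAN_PREFIXES = ("CJK", "HIRAGANA", "KATAKANA", "HANGUL", "THAI")
# Latin letters taken here as characteristic of each language (assumption).
LANGUAGE_LETTERS = {
    "SPANISH-CHR": set("ñÑ¿¡"),
    "PORTUGUESE-CHR": set("ãõÃÕ"),
    "TURKISH-CHR": set("ğĞşŞıİ"),
}


def tags_for_text(text, min_chars=1):
    """Tags whose characters occur at least min_chars times in text."""
    counts = {}
    for ch in text:
        script = unicodedata.name(ch, "").split(" ", 1)[0]
        if script in SCRIPT_TAGS:
            tag = SCRIPT_TAGS[script]
        elif script in ASIAN_PREFIXES:
            tag = "ASIAN-CHR"
        else:
            tag = next((t for t, letters in LANGUAGE_LETTERS.items() if ch in letters), None)
        if tag:
            counts[tag] = counts.get(tag, 0) + 1
    return {t for t, n in counts.items() if n >= min_chars}


def regional_tags(subject, body, min_chars=1):
    """Tags for the whole message, plus ASIAN-SUB when the subject itself has Asian characters."""
    tags = tags_for_text(subject + "\n" + body, min_chars)
    if "ASIAN-CHR" in tags_for_text(subject, min_chars):
        tags.add("ASIAN-SUB")
    return tags


if __name__ == "__main__":
    # Constructed inputs: a Cyrillic subject, a CJK subject, and a lone Spanish letter.
    print(regional_tags("Срочно: счёт", "see attachment"))
    print(regional_tags("請確認您的帳戶", "body"))
    print(regional_tags("Hi", "Mañana"))
```

Raising min_chars stops a single foreign character from tagging an otherwise ASCII message, which matters because one Cyrillic letter dropped into a Latin word ("p\u0430ypal") is a homoglyph trick rather than a message written in that language; a separate homoglyph check, not these script tests, is the right place to catch it.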
