1# Using score set 0 logs for revision 1896155 from: 2# ham-darxus.r1896155.log ham-ena-week0.r1896155.log ham-ena-week1.r1896155.log ham-ena-week2.r1896155.log ham-ena-week3.r1896155.log ham-ena-week4.r1896155.log ham-giovanni-ham.r1896155.log ham-giovanni-spammy.r1896155.log ham-giovanni-spam.r1896155.log ham-grenier.r1896155.log ham-hege.r1896155.log ham-jhardin.r1896155.log ham-llanga.r1896155.log ham-mmiroslaw-mails-ham.r1896155.log ham-mmiroslaw-mails-spam.r1896155.log ham-pds.r1896155.log ham-spamsponge.r1896155.log ham-thendrikx.r1896155.log spam-darxus.r1896155.log spam-ena-week0.r1896155.log spam-ena-week1.r1896155.log spam-ena-week2.r1896155.log spam-ena-week3.r1896155.log spam-ena-week4.r1896155.log spam-giovanni-ham.r1896155.log spam-giovanni-spammy.r1896155.log spam-giovanni-spam.r1896155.log spam-grenier.r1896155.log spam-hege.r1896155.log spam-jhardin.r1896155.log spam-llanga.r1896155.log spam-mmiroslaw-mails-ham.r1896155.log spam-mmiroslaw-mails-spam.r1896155.log spam-pds.r1896155.log spam-spamsponge.r1896155.log spam-thendrikx.r1896155.log 3 4score ACCT_PHISHING_MANY 2.999 5score AC_BR_BONANZA 0.001 6score AC_DIV_BONANZA 0.001 7score AC_FROM_MANY_DOTS 2.999 8score AC_HTML_NONSENSE_TAGS 1.999 9score ADMITS_SPAM 2.399 10score ADVANCE_FEE_2_NEW_FORM 1.648 11score ADVANCE_FEE_2_NEW_FRM_MNY 2.216 12score ADVANCE_FEE_2_NEW_MONEY 1.482 13score ADVANCE_FEE_3_NEW 3.401 14score ADVANCE_FEE_3_NEW_FRM_MNY 0.001 15score ADVANCE_FEE_3_NEW_MONEY 2.699 16score ADVANCE_FEE_4_NEW 2.399 17score ADVANCE_FEE_4_NEW_FRM_MNY 0.001 18score ADVANCE_FEE_4_NEW_MONEY 0.001 19score ADVANCE_FEE_5_NEW 0.904 20score ADVANCE_FEE_5_NEW_FRM_MNY 0.001 21score ADVANCE_FEE_5_NEW_MONEY 0.001 22score AD_PREFS 0.218 23score AMAZON_IMG_NOT_RCVD_AMZN 2.499 24score AXB_XMAILER_MIMEOLE_OL_024C2 0.001 25score BIGNUM_EMAILS_FREEM 1.577 26score BIGNUM_EMAILS_MANY 2.999 27score BITCOIN_DEADLINE 2.999 28score BITCOIN_MALF_HTML 3.499 29score BITCOIN_SPAM_02 2.061 30score BITCOIN_SPAM_07 3.499 31score BITCOIN_SPAM_09 1.499 32score BITCOIN_XPRIO 1.996 33score BITCOIN_YOUR_INFO 2.999 34score BODY_SINGLE_WORD 0.001 35score BOGUS_MIME_VERSION 3.499 36score CK_HELO_GENERIC 0.001 37score CONTENT_AFTER_HTML 2.499 38score CTE_8BIT_MISMATCH 0.999 39score DEAR_BENEFICIARY 0.447 40score DX_TEXT_03 0.999 41score DYNAMIC_IMGUR 2.013 42score FILL_THIS_FORM 1.201 43score FONT_INVIS_DIRECT 0.001 # force non-zero 44score FONT_INVIS_DOTGOV 2.407 45score FONT_INVIS_HTML_NOHTML 0.996 46score FONT_INVIS_LONG_LINE 1.467 47score FONT_INVIS_MSGID 2.499 48score FORM_FRAUD_5 0.001 49score FOUND_YOU 3.249 50score FREEMAIL_FORGED_FROMDOMAIN 0.249 51score FROMSPACE 2.999 52score FROM_2_EMAILS_SHORT 0.001 53score FROM_IN_TO_AND_SUBJ 1.799 54score FROM_MISSPACED 1.999 55score FROM_MISSP_EH_MATCH 0.494 56score FROM_MISSP_FREEMAIL 2.999 57score FROM_MISSP_MSFT 2.752 58score FROM_MISSP_TO_UNDISC 1.842 59score FROM_MISSP_USER 0.001 60score FROM_MISSP_XPRIO 2.499 61score FROM_MULTI_NORDNS 2.250 62score FROM_NTLD_REPLY_FREEMAIL 1.621 63score FROM_SUSPICIOUS_NTLD 0.500 64score FROM_SUSPICIOUS_NTLD_FP 1.999 65score FSL_CTYPE_WIN1251 0.001 66score FSL_HELO_FAKE 2.999 67score FSL_NEW_HELO_USER 0.001 68score FUZZY_AMAZON 2.199 69score FUZZY_BITCOIN 0.832 70score FUZZY_BTC_WALLET 2.354 71score FUZZY_WALLET 2.999 72score GAPPY_LOW_CONTRAST 2.500 73score GB_FAKE_RF_SHORT 1.999 74score GB_FREEMAIL_DISPTO 0.499 75score GOOG_REDIR_NORDNS 2.503 76score GOOG_REDIR_SHORT 3.399 77score GOOG_STO_EMAIL_PHISH 2.999 78score GOOG_STO_IMG_HTML 2.917 79score GOOG_STO_NOIMG_HTML 3.000 80score HAS_X_OUTGOING_SPAM_STAT 1.999 81score HDRS_LCASE_IMGONLY 0.100 82score HDRS_MISSP 2.499 83score HDR_ORDER_FTSDMCXX_DIRECT 1.999 84score HDR_ORDER_FTSDMCXX_NORDNS 2.908 85score HEADER_FROM_DIFFERENT_DOMAINS 0.249 86score HELO_NO_DOMAIN 0.001 87score HK_LOTTO 0.999 88score HK_NAME_MR_MRS 1.000 89score HK_RANDOM_ENVFROM 1.000 90score HK_RANDOM_FROM 0.999 91score HK_RANDOM_REPLYTO 1.000 92score HK_SCAM 0.476 93score HK_WIN 1.000 94score HOSTED_IMG_DIRECT_MX 2.197 95score HOSTED_IMG_FREEM 3.499 96score HOSTED_IMG_MULTI_PUB_01 2.999 97score HTML_ENTITY_ASCII 2.236 98score HTML_FONT_TINY_NORDNS 1.999 99score HTML_OFF_PAGE 2.999 100score HTML_TAG_BALANCE_CENTER 2.242 101score HTML_TEXT_INVISIBLE_STYLE 0.001 102score JH_SPAMMY_HEADERS 3.499 103score LONGLN_LOW_CONTRAST 2.499 104score LONG_HEX_URI 2.795 105score LONG_IMG_URI 0.791 106score LONG_INVISIBLE_TEXT 1.426 107score LOTS_OF_MONEY 0.010 108score LOTTO_DEPT 1.999 109score MALWARE_NORDNS 3.158 110score MANY_SPAN_IN_TEXT 2.199 111score MILLION_HUNDRED 0.003 112score MIMEOLE_DIRECT_TO_MX 1.999 113score MIXED_AREA_CASE 1.816 114score MIXED_CENTER_CASE 2.499 115score MIXED_ES 3.753 116score MIXED_FONT_CASE 2.499 117score MIXED_HREF_CASE 1.087 118score MIXED_IMG_CASE 1.991 119score MONEY_ATM_CARD 0.416 120score MONEY_FORM 0.001 121score MONEY_FORM_SHORT 2.499 122score MONEY_FRAUD_3 0.001 123score MONEY_FRAUD_5 2.899 124score MONEY_FRAUD_8 3.099 125score MONEY_FREEMAIL_REPTO 1.545 126score MONEY_FROM_41 1.999 127score MONEY_FROM_MISSP 1.999 128score MSMAIL_PRI_ABNORMAL 0.001 129score NAME_EMAIL_DIFF 2.946 130score NA_DOLLARS 0.847 131score NICE_REPLY_A -1.338 132score NORDNS_LOW_CONTRAST 1.888 133score NO_FM_NAME_IP_HOSTN 0.001 # force non-zero 134score NSL_RCVD_FROM_USER 0.001 135score NSL_RCVD_HELO_USER 0.541 136score OBFU_BITCOIN 1.929 137score OBFU_TEXT_ATTACH 0.001 138score ODD_FREEM_REPTO 2.999 139score ONLINE_MKTG_CNSLT 2.599 140score PDS_BTC_ID 0.500 141score PDS_BTC_MSGID 1.000 142score PDS_CPANEL_PORT_SPOOFEDURL 0.499 143score PDS_DBL_URL_TNB_RUNON 1.999 144score PDS_FRNOM_TODOM_DBL_URL 1.420 145score PDS_FRNOM_TODOM_NAKED_TO 1.499 146score PDS_FROM_NAME_TO_DOMAIN 1.999 147score PDS_OTHER_BAD_TLD 1.999 148score PDS_PHP_EVAL 1.499 149score PDS_RDNS_DYNAMIC_FP 0.001 # force non-zero 150score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 1.999 151score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 1.999 152score PDS_TO_EQ_FROM_NAME 0.001 153score PHP_ORIG_SCRIPT 2.499 154score PHP_ORIG_SCRIPT_EVAL 2.999 155score PHP_SCRIPT 2.499 156score PP_MIME_FAKE_ASCII_TEXT 1.000 157score RAND_MKTG_HEADER 2.000 158score RATWARE_NO_RDNS 2.999 159score RDNS_NUM_TLD_XM 2.727 160score REPLYTO_EMPTY 2.799 161score REPTO_419_FRAUD_GM 2.303 162score SCRIPT_GIBBERISH 2.799 163score SENDGRID_REDIR 1.499 164score SERGIO_SUBJECT_VIAGRA01 2.369 165score SHOPIFY_IMG_NOT_RCVD_SFY 2.499 166score SHORTENED_URL_SRC 2.399 167score SHORT_SHORTNER 1.999 168score STATIC_XPRIO_OLE 0.687 169score STOX_BOUND_090909_B 3.100 170score THIS_AD 0.899 171score THIS_IS_ADV_SUSP_NTLD 0.001 172score TO_EQ_FM_DIRECT_MX 0.001 173score TO_IN_SUBJ 0.099 174score TO_NAME_SUBJ_NO_RDNS 1.334 175score TO_NO_BRKTS_DYNIP 0.001 176score TO_NO_BRKTS_FROM_MSSP 2.499 177score TO_NO_BRKTS_HTML_IMG 1.999 178score TO_NO_BRKTS_HTML_ONLY 1.999 179score TO_NO_BRKTS_NORDNS_HTML 0.001 180score TO_NO_BRKTS_PCNT 2.500 181score TRANSFORM_LIFE 2.499 182score TUMBLR_IMG_NOT_RCVD_TUMB 1.535 183score TVD_RCVD_SPACE_BRACKET 2.633 184score UNDISC_FREEM 3.299 185score UNDISC_MONEY 3.399 186score UNICODE_OBFU_ASC 2.499 187score URI_DOTEDU 1.999 188score URI_FIREBASEAPP 2.999 189score URI_GOOGLE_PROXY 2.399 190score URI_IN_URI_10 2.700 191score URI_PHISH 2.780 192score URI_PHP_REDIR 3.499 193score URI_TRY_3LD 1.404 194score URI_WPADMIN 2.599 195score URI_WP_DIRINDEX 3.499 196score URI_WP_HACKED_2 2.499 197score VFY_ACCT_NORDNS 2.599 198score XFER_LOTSA_MONEY 0.999 199score XM_DIGITS_ONLY 1.393 200score XM_LIGHT_HEAVY 2.499 201score XM_RANDOM 2.499 202score XM_RECPTID 2.999 203score YOU_INHERIT 1.283 204score AC_POST_EXTRAS 1.000 205score AC_SPAMMY_URI_PATTERNS1 1.000 206score AC_SPAMMY_URI_PATTERNS10 1.000 207score AC_SPAMMY_URI_PATTERNS11 1.000 208score AC_SPAMMY_URI_PATTERNS12 1.000 209score AC_SPAMMY_URI_PATTERNS2 1.000 210score AC_SPAMMY_URI_PATTERNS3 1.000 211score AC_SPAMMY_URI_PATTERNS4 1.000 212score AC_SPAMMY_URI_PATTERNS8 1.000 213score AC_SPAMMY_URI_PATTERNS9 1.000 214score ADULT_DATING_COMPANY 10.001 # force non-zero 215score ALIBABA_IMG_NOT_RCVD_ALI 1.000 216score APP_DEVELOPMENT_FREEM 1.000 217score APP_DEVELOPMENT_NORDNS 1.000 218score BEBEE_IMG_NOT_RCVD_BB 1.000 219score BITCOIN_BOMB 1.000 220score BITCOIN_EXTORT_01 1.000 221score BITCOIN_EXTORT_02 1.000 222score BITCOIN_IMGUR 1.000 223score BITCOIN_MALWARE 1.000 224score BITCOIN_OBFU_SUBJ 1.000 225score BITCOIN_ONAN 1.000 226score BITCOIN_PAY_ME 1.000 227score BITCOIN_SPAM_01 1.000 228score BITCOIN_SPAM_03 1.000 229score BITCOIN_SPAM_04 1.000 230score BITCOIN_SPAM_06 1.000 231score BITCOIN_SPAM_08 1.000 232score BITCOIN_SPAM_10 1.000 233score BITCOIN_SPAM_11 1.000 234score BITCOIN_SPAM_12 1.000 235score BODY_SINGLE_URI 1.000 236score BODY_URI_ONLY 1.000 237score BOGUS_MSM_HDRS 1.000 238score BOMB_FREEM 1.000 239score BOMB_MONEY 1.000 240score BTC_ORG 1.000 241score BULK_RE_SUSP_NTLD 1.000 242score CANT_SEE_AD 1.000 243score COMMENT_GIBBERISH 1.000 244score DAY_I_EARNED 1.000 245score DOTGOV_IMAGE 1.000 246score EBAY_IMG_NOT_RCVD_EBAY 1.000 247score ENCRYPTED_MESSAGE -1.000 248score END_FUTURE_EMAILS 1.000 249score ENVFROM_GOOG_TRIX 1.000 250score FACEBOOK_IMG_NOT_RCVD_FB 1.000 251score FBI_MONEY 1.000 252score FBI_SPOOF 1.000 253score FONT_INVIS_NORDNS 1.000 254score FONT_INVIS_POSTEXTRAS 1.000 255score FORM_FRAUD 1.000 256score FREEM_FRNUM_UNICD_EMPTY 1.000 257score FRNAME_IN_MSG_XPRIO_NO_SUB 1.000 258score FROM_ADDR_WS 1.000 259score FROM_MISSP_PHISH 1.000 260score FROM_NTLD_LINKBAIT 1.000 261score FROM_NUMERIC_TLD 1.000 262score GAPPY_SALES_LEADS_FREEM 1.000 263score GB_FORGED_MUA_POSTFIX 1.000 264score GB_FREEMAIL_DISPTO_NOTFREEM 0.500 265score GB_GOOGLE_OBFUR 0.750 266score GB_GOOG_IMG_NOT_RCVD_GOOG 1.000 267score GOOGLE_DOCS_PHISH 1.000 268score GOOGLE_DOCS_PHISH_MANY 1.000 269score GOOGLE_DOC_SUSP 1.000 270score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.000 271score GOOG_MALWARE_DNLD 1.000 272score GOOG_STO_HTML_PHISH 1.000 273score GOOG_STO_HTML_PHISH_MANY 1.000 274score GOOG_STO_IMG_NOHTML 1.000 275score HAS_X_NO_RELAY 1.000 276score HEXHASH_WORD 1.000 277score HK_CTE_RAW 1.000 278score HK_RCVD_IP_MULTICAST 1.000 279score HOSTED_IMG_DQ_UNSUB 1.000 280score HOSTED_IMG_MULTI 1.000 281score HTML_ENTITY_ASCII_TINY 1.000 282score HTML_SHRT_CMNT_OBFU_MANY 1.000 283score HTML_SINGLET_MANY 1.000 284score HTML_TEXT_INVISIBLE_FONT 1.000 285score IMG_ONLY_FM_DOM_INFO 1.000 286score JH_SPAMMY_PATTERN01 1.000 287score JH_SPAMMY_PATTERN02 1.000 288score KHOP_HELO_FCRDNS 0.400 289score LINKEDIN_IMG_NOT_RCVD_LNKN 1.000 290score LIST_PRTL_PUMPDUMP 1.000 291score LIST_PRTL_SAME_USER 1.000 292score LOTTO_AGENT 1.000 293score LUCRATIVE 1.000 294score MALF_HTML_B64 1.000 295score MALWARE_PASSWORD 1.000 296score MIME_NO_TEXT 1.000 297score MONERO_DEADLINE 1.000 298score MONERO_EXTORT_01 1.000 299score MONERO_MALWARE 1.000 300score MONERO_PAY_ME 1.000 301score MSGID_DOLLARS_URI_IMG 1.000 302score MSGID_HDR_MALF 1.000 303score MSM_PRIO_REPTO 1.000 304score NEWEGG_IMG_NOT_RCVD_NEGG 1.000 305score NEW_PRODUCTS 1.000 306score OFFER_ONLY_AMERICA 1.000 307score PDS_FROM_2_EMAILS 1.000 308score PHISH_AZURE_CLOUDAPP 3.500 309score PHISH_FBASEAPP 1.000 310score PHOTO_EDITING_DIRECT 1.000 311score PHOTO_EDITING_FREEM 1.000 312score PHP_NOVER_MUA 1.000 313score PHP_SCRIPT_MUA 1.000 314score PP_TOO_MUCH_UNICODE02 0.500 315score PP_TOO_MUCH_UNICODE05 1.000 316score PUMPDUMP 1.000 317score PUMPDUMP_MULTI 1.000 318score RAND_HEADER_LIST_SPOOF 1.000 319score RAND_HEADER_MANY 1.000 320score RCVD_DOTEDU_SHORT 1.000 321score RCVD_DOTEDU_SUSP_URI 1.000 322score RDNS_NUM_TLD_ATCHNX 1.000 323score REPTO_419_FRAUD 1.000 324score REPTO_419_FRAUD_AOL 1.000 325score REPTO_419_FRAUD_AOL_LOOSE 1.000 326score REPTO_419_FRAUD_CNS 1.000 327score REPTO_419_FRAUD_GM_LOOSE 1.000 328score REPTO_419_FRAUD_HM 1.000 329score REPTO_419_FRAUD_OL 1.000 330score REPTO_419_FRAUD_PM 1.000 331score REPTO_419_FRAUD_QQ 1.000 332score REPTO_419_FRAUD_YH 1.000 333score REPTO_419_FRAUD_YH_LOOSE 1.000 334score REPTO_419_FRAUD_YJ 1.000 335score REPTO_419_FRAUD_YN 1.000 336score SENDGRID_REDIR_PHISH 1.000 337score SEO_SUSP_NTLD 1.000 338score SHORTENER_SHORT_IMG 1.000 339score SHORT_IMG_SUSP_NTLD 1.000 340score SPOOFED_FREEMAIL_NO_RDNS 1.000 341score SPOOF_GMAIL_MID 1.000 342score STOCK_TIP 1.000 343score SUBJ_BRKN_WORDNUMS 1.000 344score SYSADMIN 1.000 345score TAGSTAT_IMG_NOT_RCVD_TGST 1.000 346score TARINGANET_IMG_NOT_RCVD_TN 1.000 347score TONLINE_FAKE_DKIM 1.000 348score TVD_SPACE_ENC_FM_MIME 1.000 349score TW_GIBBERISH_MANY 1.000 350score UC_GIBBERISH_OBFU 1.000 351score UNICODE_OBFU_ZW 1.000 352score URI_ADOBESPARK 1.000 353score URI_AZURE_CLOUDAPP 1.000 354score URI_DASHGOVEDU 1.000 355score URI_DATA 1.000 356score URI_DOTEDU_ENTITY 1.000 357score URI_GOOG_STO_SPAMMY 3.000 358score URI_HEX_IP 1.000 359score URI_IMG_WP_REDIR 1.000 360score URI_LONG_REPEAT 1.000 361score URI_ONLY_MSGID_MALF 1.000 362score URI_OPTOUT_3LD 1.000 363score URI_TRY_USME 1.000 364score URI_WP_HACKED 1.000 365score USB_DRIVES 1.000 366score VPS_NO_NTLD 1.000 367score WALMART_IMG_NOT_RCVD_WAL 1.000 368score WORD_INVIS 1.000 369score WORD_INVIS_MANY 1.000 370score XPRIO 1.000 371score XPRIO_SHORT_SUBJ 1.000 372# in active.list but have no hits in recent corpus 373score BITCOIN_SPAM_05 0.001 # force non-zero 374score BITCOIN_SPF_ONLYALL 0.001 # force non-zero 375score DKIMWL_BL 0.001 # force non-zero 376score DKIMWL_BLOCKED 0.001 # force non-zero 377score DKIMWL_WL_HIGH 0.001 # force non-zero 378score DKIMWL_WL_MED 0.001 # force non-zero 379score DKIMWL_WL_MEDHI 0.001 # force non-zero 380score FROM_BANK_NOAUTH 0.001 # force non-zero 381score FROM_FMBLA_NDBLOCKED 0.001 # force non-zero 382score FROM_FMBLA_NEWDOM 0.001 # force non-zero 383score FROM_FMBLA_NEWDOM14 0.001 # force non-zero 384score FROM_FMBLA_NEWDOM28 0.001 # force non-zero 385score FROM_GOV_DKIM_AU 0.001 # force non-zero 386score FROM_GOV_REPLYTO_FREEMAIL 0.001 # force non-zero 387score FROM_GOV_SPOOF 0.001 # force non-zero 388score FROM_MISSP_SPF_FAIL 0.001 # force non-zero 389score FROM_NEWDOM_BTC 0.001 # force non-zero 390score FROM_NUMBERO_NEWDOMAIN 0.001 # force non-zero 391score FROM_PAYPAL_SPOOF 0.001 # force non-zero 392score FSL_BULK_SIG 0.001 # force non-zero 393score PDS_HELO_SPF_FAIL 0.001 # force non-zero 394score RCVD_IN_MSPIKE_BL 0.001 # force non-zero 395score RCVD_IN_MSPIKE_H2 0.001 # force non-zero 396score RCVD_IN_MSPIKE_H3 0.001 # force non-zero 397score RCVD_IN_MSPIKE_H4 0.001 # force non-zero 398score RCVD_IN_MSPIKE_H5 0.001 # force non-zero 399score RCVD_IN_MSPIKE_L2 0.001 # force non-zero 400score RCVD_IN_MSPIKE_L3 0.001 # force non-zero 401score RCVD_IN_MSPIKE_L4 0.001 # force non-zero 402score RCVD_IN_MSPIKE_L5 0.001 # force non-zero 403score RCVD_IN_MSPIKE_WL 0.001 # force non-zero 404score RCVD_IN_MSPIKE_ZBI 0.001 # force non-zero 405score SPOOFED_FREEMAIL 0.001 # force non-zero 406score SPOOFED_FREEM_REPTO 0.001 # force non-zero 407score SPOOFED_FREEM_REPTO_CHN 0.001 # force non-zero 408score SPOOFED_FREEM_REPTO_RUS 0.001 # force non-zero 409score SURBL_BLOCKED 0.001 # force non-zero 410score TO_EQ_FM_DOM_SPF_FAIL 0.001 # force non-zero 411score TO_EQ_FM_SPF_FAIL 0.001 # force non-zero 412score USER_IN_DKIM_WELCOMELIST 0.001 # force non-zero 413