Conditions

Praetor is supplied with dozens of different conditions for you to use alone or in combination. They were created after considering the conditions you would typically want to use.

The list below shows the conditions, named as they would appear for selection. Anything requiring further entry (e.g. a list or a message header field) is shown in a distinct font and color, while comments are shown in another font and color.

 

In/Out    Condition
Inbound   the From: field address is in the Accepted Senders list
          Note: This list comes from Praetor v1.5 and contains SMTP protocol level white list entries that should be transferred to the message-level Approved Senders list
Inbound   the Sender: field address is in the Approved Senders list
Inbound   the From: or Sender: field address is in the Approved Senders list
Inbound   the From: or Sender: domain is in the Approved Domains list
Inbound   the From: or Reply-To: address is in the Approved Listserver Addresses list
          Note: Keep this list of listserver addresses updated so that their messages bypass further spam tests
Inbound   the recipient address is in the Approved Local Address list
          Note: This list is typically used to defend against Reverse NDR attacks
Inbound   the recipient address is NOT in the Approved Local Address list
Inbound   the From: or Sender: address is in the Suspicious Senders list
Inbound   the From: or Sender: friendlyname is in the Suspicious Friendlyname Senders list
Inbound   the From: or Sender: domain is in the Suspicious Domain list
Both      the recipient address is in the Banned Recipients list
Both      the Subject: line contains words in the Banned Subject list
Both      the message field contains words in the specified list
          Note: Used with the ability to create your own user list, as described under Custom condition below
Both      the Subject: line contains words in the Banned Virus Subject list
Both      the message body text contains words in the Banned message text list
Both      the message body text contains words in the Suspected Virus Message Text list
Both      with specific filenames in the Banned Attachment list
Both      with specific filenames in the Suspicious Attachments list
Both      the Subject: line contains words in the Banned Profanity list
Both      the message body text contains words in the Banned Profanity list
Both      the Subject or Body contain words in the Banned Profanity list
Inbound   the X-Mailer: field contains words in the Bulk Mail Program Signatures list
          Note: Some spammers use off-the-shelf bulk mailing software that sets this field
Both      the From:, Sender:, To: or Cc: address is in the Competitor's Domains list
Both      the From:, Sender:, To: or Cc: address is in the Former Employee Address list
Both      the Subject or Body contain words in the Banned Confidential Information list
Both      the 821 To: address is in the Former Employee Address list
Both      the message body text contains words in the Variable info in message text list
Both      with specific words in the From: field
Both      with specific words in the Sender: field
Both      with specific words in the From: or Sender: field
Both      with specific words in the Reply-To: field
Both      with specific words in the To: field
Both      with specific words in the Cc: field
Both      with specific words in any recipient address
Both      with specific words in any address field
Both      with specific date string in the Date: field
Both      with specific words in the Subject: line
Inbound   with specific words in any Received: field
Both      with specific filenames as attachments
Both      with specific words in the Message-ID: field
Both      with specific words in any Precedence: field
Both      with specific words in any X- field
Both      with specific words in any List- field
Both      with specific words in the message body
Both      with specific words in the Subject: or message body
Both      with specific words in any message header field
Inbound   with failed DNS lookup on From: domain
Inbound   with failed DNS lookup on Sender: domain
Inbound   with failed DNS lookup on Reply-To: domain
Inbound   with DNSBL entry of CIP
          Note: CIP is the connected IP address of the remote sending mail host
Inbound   with failed DNS lookup on any replyable sender domain
Both      with specific words in the entire message (excluding msg headers)
Inbound   the 822 headers contain 8-bit data
Both      with Banned msg body words in the entire message (excluding msg headers)
          Note: This condition may be slow if the message is large
Both      the 821 headers contain 8-bit data
Inbound   the Subject or Body contains 8-bit data
Inbound   sender address is suspicious
Both      the Subject or Body contain words in the Weighted sex-related list with threshold of 200
          Note: Checks for sexual content
Both      the message body text contains words in the Weighted advanced fee fraud list with a threshold of 200
          Note: Checks for fraud content such as Nigerian advanced fee scams
Both      the message body text contains words in the weighted drug solicitation list with a threshold of 200
          Note: Checks for content offering discounted prescription drugs
Both      with specific weighted words in the Subject or Body
          Note: This can be used to check for general content
Both      the Body contains URL domains in the Banned URL domains list
          Note: This list holds domains seen in spam received by CMS that are not yet on any DNS blacklist
Inbound   there are no local To: or Cc: recipients
          Note: This is a typical spam tactic where your local recipient is a Bcc, but it is also used in messages from valid listservers. Get around this by populating the Approved Listserver Addresses list
Both      the From: and To: addresses are the same
Both      the To: field is missing or blank
          Note: This is a typical spam tactic
Both      the To: field exists
Both      the Cc: field is missing or blank
Both      the Cc: field exists
Both      the From: field is missing or blank
Both      the From: field exists
Both      the Precedence: field has bulk
          Note: Some spammers use off-the-shelf bulk mailing software that sets this field
Both      the Message-ID: field exists
Both      the Message-ID: field does not exist
Both      the Message-ID: field is blank
Both      with a (raw message) size in a specific range
Both      Containing attachments
Both      Containing only 1 To: recipient
Both      Containing no attachments
Both      Containing over 20 RFC822 To: recipients
Both      Containing over 20 RFC821 To: Recipients
Both      Containing a single RFC821 To: Recipient
Both      the message has Bcc recipients
Both      with specific addresses in the 821 From: field
Both      with specific addresses in the 821 To: field
Both      the Subject: field is missing or blank
Both      check EXCEPTIONS only
          Note: Advanced condition used to filter everything except the items in the exception, e.g. as used by the Reverse NDR rule
Inbound   with a connecting IP in a DNS blacklist
          Note: The connecting IP address of the remote sending mail host is blacklisted
Both      the From: friendlyname is in the Expletive Friendlyname list
          Note: Profanity is found in the sender name
Both      the Subject or Body contain words in the Expletive list
          Note: Disallow profanity
Both      the Subject or Body contain words in the Spam list
Both      the Subject: line contains words in the Suspicious Characters list
          Note: Detects spam that contains repeated punctuation or symbols in the subject
Both      the message body text contains words in the Opt-Out list
          Note: The recently enacted US CAN-SPAM law requires spammers to provide some way to opt out of future mailings. While CMS recommends you don't use this method, since you'll just verify your email address and get more spam, the opt-out instructions are detectable
Inbound   the From: field friendlyname is blank
          Note: The friendlyname exists but is blank
Inbound   the msg contains embedded encoded-HTML segments
Inbound   the msg contains an obfuscated URL
          Note: Obfuscated URLs include those that use IP addresses instead of domains, or that try to hide the URL by encoding the characters and digits
Inbound   the msg contains only external references
          Note: The message has only URLs and gibberish
Both      the msg contains invisible html text
          Note: Invisible because the font color is almost the same as the background color
Both      the msg contains tiny html text
          Note: The font size is so small that it is not visible on the screen
Inbound   with a spamicity value greater than specific value
          Note: Bayesian test for spam
Inbound   with a spamicity value less than specific value
          Note: Bayesian test for non-spam
Inbound   with a spamicity value in a specific range
          Note: Bayesian test for unsure


For a table of the various lists used by some of these conditions, click here.

 

Custom condition

One condition in the above table, "the message field contains words in the specified list", is a very special condition. It is the only condition with two selections: it lets you choose which field to check and which list to check it against, including any newly created user list. It is thus essentially a custom condition that demonstrates Praetor's flexibility to create many different rules.

When this condition is chosen, and you click on the message field selector, the following dialog box appears on your screen.

Once you have selected the field(s), clicking on the list selector in the Rule Description window will then display the following screen.

The drop-down list will show all available lists, and you may choose to display the system-internal or user-created lists.  Once a list is selected, the contents are displayed below.


If the message field being tested in the condition is an address field, the appropriate button restricts the search to the domain portion of the address, or to the friendly (displayable) name associated with the address.

You may also restrict the search through the list to be case-sensitive. By selecting All target items must be in the list, you require that every item found in the field being searched is also found in the list, a very important restriction employed in the defense against the Reverse NDR attack.
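As an added illustration (not Praetor's own code), the following Python models the custom condition's three address parts, the case option and the "All target items must be in the list" restriction, and applies the last of these as a Reverse NDR check. The sample message, the Approved Local Address entries and the function names are constructed for the example.

```python
import email
from email.utils import getaddresses

# Constructed sample bounce-style message (not from the original page): one
# recipient is a local address, the other is not.
RAW_MSG = """From: "Mail Delivery" <postmaster@example.net>
To: alice@example.com, eve@example.org
Subject: Undeliverable

Your message could not be delivered.
"""

# Constructed Approved Local Address list (assumption: entries stored lowercase).
APPROVED_LOCAL = {"alice@example.com", "bob@example.com"}

def parse_message(raw):
    return email.message_from_string(raw)

def field_items(msg, fields, part="address"):
    """Collect the chosen part of every address found in the given header
    fields: 'address', 'domain' or 'friendlyname' (the three button choices)."""
    raw_headers = [str(v) for f in fields for v in msg.get_all(f, [])]
    items = []
    for name, addr in getaddresses(raw_headers):
        if part == "address":
            items.append(addr)
        elif part == "domain":
            items.append(addr.rpartition("@")[2])
        else:
            items.append(name)
    return [i for i in items if i]

def field_in_list(msg, fields, listed, part="address",
                  case_sensitive=False, all_items=False):
    """Custom condition: the selected part of the addresses in the chosen
    field(s) appears in the list. all_items=True is the 'All target items must
    be in the list' restriction: every item found must be listed."""
    items = field_items(msg, fields, part)
    if not case_sensitive:
        items = [i.lower() for i in items]
        listed = {entry.lower() for entry in listed}
    if not items:
        return False  # nothing found in the field: the condition cannot match
    hits = [i in listed for i in items]
    return all(hits) if all_items else any(hits)

def reverse_ndr_rule_matches(msg, approved_local=APPROVED_LOCAL):
    """Reverse NDR defense: flag a message unless every To:/Cc: recipient is an
    approved local address."""
    return not field_in_list(msg, ["To", "Cc"], approved_local, all_items=True)
```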

 

Heuristic condition

One condition is used specifically for creating a rule that implements heuristic filtering based upon a score computed from weights for spam characteristics found within the message. This is the condition labeled "Exceeds heuristic threshold of 300", as shown below.

Selecting this condition sets a threshold for the computed heuristic score, with 300 as the default value. If the enabled tests cause the overall message to score a value that exceeds this threshold, the specified action is taken.

You may change the threshold value by clicking on the link in the lower window; you will then be presented with the following screen.

Change the value either by typing the number in the numeric field or moving the horizontal slider bar, and press .
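The weighted-list conditions in the table (threshold of 200) and the heuristic threshold condition described here both sum weights and compare the result against a threshold. The following Python is an added example, not code from Praetor: the word list and its weights, the heuristic test weights and the sample message are constructed assumptions, and the tests only mirror a few of the conditions from the table.

```python
import email
import re

# Constructed weighted word list standing in for the page's "weighted drug
# solicitation list"; real list contents and weights are not shown (assumption).
WEIGHTED_DRUG_WORDS = {"pharmacy": 80, "prescription": 60, "discount": 50,
                       "medication": 70, "overnight delivery": 90}

# Constructed heuristic tests as (name, weight, check). Weights are assumed; the
# checks mirror table conditions: blank To:, Precedence: bulk, missing
# Message-ID:, and repeated punctuation or symbols in the Subject:.
HEURISTIC_TESTS = [
    ("to_blank", 100, lambda m: not (m.get("To") or "").strip()),
    ("precedence_bulk", 80, lambda m: (m.get("Precedence") or "").strip().lower() == "bulk"),
    ("no_message_id", 120, lambda m: m.get("Message-ID") is None),
    ("subject_punct", 90, lambda m: re.search(r"([!?$*])\1{2,}", m.get("Subject") or "") is not None),
]

# Constructed sample message (not from the page).
SAMPLE = """From: deals@example.net
Subject: Discount medication, overnight delivery!!!
Precedence: bulk

No prescription needed at our online pharmacy.
"""

def parse_message(raw):
    return email.message_from_string(raw)

def weighted_list_score(text, weighted_words):
    """Sum the weights of listed words/phrases present in text; each distinct
    entry counts once, matched case-insensitively as a whole word."""
    lowered = text.lower()
    return sum(weight for word, weight in weighted_words.items()
               if re.search(r"\b%s\b" % re.escape(word.lower()), lowered))

def weighted_list_condition(msg, weighted_words, threshold=200):
    """Subject or Body weighted-list condition: summed weight exceeds threshold.
    Single-part messages only; a multipart body would have to be walked."""
    body = "" if msg.is_multipart() else msg.get_payload()
    return weighted_list_score((msg.get("Subject") or "") + "\n" + body, weighted_words) > threshold

def heuristic_score(msg, tests=HEURISTIC_TESTS, enabled=None):
    """Sum the weights of the enabled tests that fire (enabled=None means all)."""
    return sum(weight for name, weight, check in tests
               if (enabled is None or name in enabled) and check(msg))

def exceeds_heuristic_threshold(msg, threshold=300, enabled=None):
    return heuristic_score(msg, enabled=enabled) > threshold
```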

 

 
