@cpragadeesh
Created August 23, 2017 21:02
SYMBOL OLD_SCORE NEW_SCORE
R_MIXED_CHARSET 5 3.69
FORGED_MUA_THEBAT_BOUN 2 0.43
FORGED_MUA_THEBAT_MSGID_UNKNOWN 3 1.52
MID_BARE_IP 2 0.64
FROM_EXCESS_BASE64 1.5 1.71
SUBJ_ALL_CAPS 3 1.56
FAKE_REPLY_C 6 2.69
TO_DOM_EQ_FROM_DOM 0 3.69
R_BAD_CTE_7BIT 4 5.56
SUSPICIOUS_RECIPS 1.5 0.24
FORGED_OUTLOOK_HTML 5 2.87
MV_CASE 0.5 0.80
R_SUSPICIOUS_URL 5 2.13
BROKEN_HEADERS 10 3.98
FAKE_REPLY 1 -1.20
SUBJECT_ENDS_EXCLAIM 0 8.24
RATWARE_MS_HASH 2 3.17
RCPT_COUNT_GT_50 0 -0.70
PREVIOUSLY_DELIVERED 0 2.59
SUBJECT_HAS_EXCLAIM 0 -1.02
FROM_EQ_ENVFROM 0 3.78
INTRODUCTION 2 3.31
REPTO_QUOTE_YAHOO 2 1.70
R_UNDISC_RCPT 3 1.52
MIME_HTML_ONLY 0.2 0.57
FORGED_MUA_MAILLIST 0 0.58
TAGGED_RCPT 0 -1.20
URI_COUNT_ODD 1 0.40
HEADER_FORGED_MDN 2 0.43
MISSING_TO 2 0.86
FROM_EXCESS_QP 1.2 -0.26
TO_DN_EQ_ADDR_SOME 0 0.75
FROM_DN_EQ_ADDR 1 -0.14
HAS_XAW 0 -6.80
REPLYTO_ADDR_EQ_FROM 0 6.13
HAS_ATTACHMENT 0 0.98
HAS_ORG_HEADER 0 0.42
HTML_SHORT_LINK_IMG_1 2 2.97
REPLYTO_EQ_FROM 0 7.95
RCVD_COUNT_FIVE 0 8.33
HAS_X_PRIO_ONE 0 1.74
PRECEDENCE_BULK 0 -11.08
RCPT_COUNT_THREE 0 1.93
TO_EXCESS_BASE64 1.5 1.71
RCVD_COUNT_TWO 0 2.79
MID_RHS_IP_LITERAL 0.5 -2.58
ARC_NA 0 2.39
RCVD_COUNT_SEVEN 0 -3.90
DATE_IN_FUTURE 4 1.56
RCPT_COUNT_SEVEN 0 0.45
FORGED_MUA_KMAIL_MSGID 3 0.99
MIME_BASE64_TEXT 0 1.56
TO_EQ_FROM 0 0.06
MISSING_SUBJECT 2 0.43
INVALID_MSGID 1.7 0.38
MID_MISSING_BRACKETS 0.5 -0.42
SUBJECT_NEEDS_ENCODING 1 0.50
FROM_NO_DN 0 7.86
MIME_GOOD -0.1 -6.49
MIME_HEADER_CTYPE_ONLY 2 0.56
EXT_CSS 1 -0.14
RCVD_COUNT_THREE 0 3.35
RCPT_COUNT_TWO 0 -22.50
TO_DN_ALL 0 3.11
HFILTER_HOSTNAME_4 2.5 0.71
HAS_REPLYTO 0 -2.50
INVALID_RCPT_8BIT 6 2.69
MID_RHS_MATCH_FROM 0 -1.72
MISSING_MIMEOLE 2 3.36
RCVD_ILLEGAL_CHARS 4 2.20
TAGGED_FROM 0 -1.72
HAS_X_PRIO_FIVE 0 -0.70
MID_CONTAINS_FROM 1 6.82
HTTP_TO_IP 1 -0.14
CT_EXTRA_SEMI 1 -0.14
REPLYTO_DN_EQ_FROM_DN 0 -0.41
MISSING_MIME_VERSION 2 2.24
PHISHING 7 3.26
TO_EXCESS_QP 1.2 -0.56
MID_RHS_WWW 0.5 -0.96
URL_IN_SUBJECT 4 -1.04
RCVD_COUNT_ONE 0 -0.70
SUBJECT_HAS_QUESTION 0 0.64
FORGED_OUTLOOK_TAGS 2.1 0.48
FROM_HAS_DN 0 -7.43
CTYPE_MIXED_BOGUS 0.1 0.96
R_SUSPICIOUS_IMAGES 5 2.26
RCPT_COUNT_TWELVE 0 3.08
SUBJECT_ENDS_SPACES 0.5 0.09
INVALID_FROM_8BIT 6 2.69
SUBJ_EXCESS_QP 1.2 -0.02
FORGED_MUA_OUTLOOK 3 7.04
TO_DN_NONE 0 7.12
MIME_MA_MISSING_HTML 1 -0.14
CTE_CASE 0.5 0.44
TO_MATCH_ENVRCPT_ALL 0 -0.70
RCPT_COUNT_FIVE 0 -0.27
HAS_X_ANTIABUSE 0 -1.02
RCVD_COUNT_TWELVE 0 -6.64
HTML_SHORT_LINK_IMG_3 0.5 -0.42
ENVFROM_SERVICE_ACCT 1 -0.14
MIME_MA_MISSING_TEXT 2 0.43
MID_RHS_NOT_FQDN 0.5 -1.47
FROM_NEQ_ENVFROM 0 0.50
HAS_WP_URI 0 -1.42
HTML_SHORT_LINK_IMG_2 1 1.13
HFILTER_URL_ONLY 2.2 0.54
MIME_UNKNOWN 0.1 -0.65
MIME_BAD_ATTACHMENT 4 1.56
TO_DN_SOME 0 -8.21
RCPT_COUNT_ONE 0 17.47
HAS_XOIP 0 1.58
R_PARTS_DIFFER 1 0.42
SUBJECT_HAS_CURRENCY 1 0.53
RCPT_COUNT_ZERO 0 -0.70
FROM_NAME_EXCESS_SPACE 1 0.60
RCVD_NO_TLS_LAST 0 8.29
REPLYTO_DOM_EQ_FROM_DOM 0 3.16
REPLYTO_DOM_NEQ_FROM_DOM 0 -10.65
MAILLIST -0.2 1.88
FROM_NAME_HAS_TITLE 1 1.23
R_MISSING_CHARSET 2.5 2.18
DATE_IN_PAST 1 5.14
R_DKIM_NA 0 -0.70
R_SPF_DNSFAIL 0 5.33
SUBJECT_ENDS_QUESTION 1 3.54
HAS_X_PRIO_THREE 0 16.29
BROKEN_CONTENT_TYPE 1.5 0.79
ONCE_RECEIVED 4 1.56
TO_DN_EQ_ADDR_ALL 0 -0.70
Class changes
FAKE_REPLY 1 -1.20
FROM_EXCESS_QP 1.2 -0.26
FROM_DN_EQ_ADDR 1 -0.14
MID_RHS_IP_LITERAL 0.5 -2.58
MID_MISSING_BRACKETS 0.5 -0.42
EXT_CSS 1 -0.14
HTTP_TO_IP 1 -0.14
CT_EXTRA_SEMI 1 -0.14
TO_EXCESS_QP 1.2 -0.56
MID_RHS_WWW 0.5 -0.96
URL_IN_SUBJECT 4 -1.04
SUBJ_EXCESS_QP 1.2 -0.02
MIME_MA_MISSING_HTML 1 -0.14
HTML_SHORT_LINK_IMG_3 0.5 -0.42
ENVFROM_SERVICE_ACCT 1 -0.14
MID_RHS_NOT_FQDN 0.5 -1.47
MIME_UNKNOWN 0.1 -0.65
MAILLIST -0.2 1.88
Pre-rescore test stats
Statistics at threshold: 15
F-score: 0.07
False positive rate: 0.00 %
False negative rate: 96.20 %
Overall accuracy: 49.33 %
Post-rescore test stats
Statistics at threshold: 15
F-score: 0.84
False positive rate: 39.44 %
False negative rate: 2.53 %
Overall accuracy: 80.00 %