Cleanbox
Features Blog Pricing Developers
Sign in Start free trial

Spam symbol reference guide

When creating a filter with the Spam symbol component, you can match on specific indicators from the spam scanning engine. The symbol wiki in the filter editor shows all available symbols. This article highlights the ~25 most useful ones for filter rules, organized by category.

Cleanbox custom symbols

These are unique to Cleanbox, based on crowd-sourced sender reputation across all users:

SymbolScoreWhat it means
CLEANBOX_BLOCK+8.010+ users reported this sender, 90%+ marked as spam
CLEANBOX_QUARANTINE+5.05+ users reported, 70%+ spam ratio
CLEANBOX_GREYLIST+2.03+ users reported, more spam than legitimate
CLEANBOX_TRUSTED-2.05+ teams whitelisted/prioritized this sender
CLEANBOX_UNCOMMON+1.0Sender infrastructure not commonly seen across Cleanbox users
CLEANBOX_BULK_ESP+0.5Sent via bulk email service provider (Mailchimp, SendGrid, etc.)
CLEANBOX_AI_SPAM+2.0 to +4.5AI content classifier detected spam, phishing, or scam patterns. Variable score based on AI confidence and Bayes agreement.
CLEANBOX_AI_HAM-2.0 to -4.5AI content classifier confirmed legitimate email. Variable negative score reduces false positive risk.

Authentication

SymbolScoreWhat it means
R_SPF_ALLOW-0.2SPF check passed — sender IP is authorized
R_SPF_FAIL+1.0SPF check failed — sender IP not authorized by domain
R_SPF_SOFTFAIL0SPF soft fail — domain uses ~all policy
R_DKIM_ALLOW-0.2DKIM signature is valid
R_DKIM_REJECT+1.0DKIM signature failed verification
DMARC_POLICY_ALLOW-0.5Email passes the sender's DMARC policy
DMARC_POLICY_REJECT+2.0Email fails the sender's DMARC policy
DMARC_POLICY_QUARANTINE+1.5DMARC policy recommends quarantine
FORGED_SENDER+0.3From header does not match SMTP envelope sender

Content and classification

SymbolScoreWhat it means
BAYES_SPAM+5.1Bayesian classifier says probably spam
BAYES_HAM-3.0Bayesian classifier says probably legitimate
ZERO_FONT+1.0Invisible text (font-size: 0) — spam evasion technique
MANY_INVISIBLE_PARTS+1.0Many visually hidden HTML sections
R_WHITE_ON_WHITE+4.0Low contrast text (white on white background)
PHISHING+4.0Phished URL detected in the message
SPOOF_DISPLAY_NAME+8.0Display name impersonates another sender
LEAKED_PASSWORD_SCAM+7.0Bitcoin wallet + sextortion scam patterns
FUZZY_DENIED+12.0Matches known spam fingerprint (Rspamd fuzzy hash)

Reputation and infrastructure

SymbolScoreWhat it means
RDNS_NONE+0.5Sending server has no reverse DNS record
MID_BARE_IP+2.0Message-ID contains raw IP instead of hostname
RCVD_COUNT_ZERO0No Received headers — email likely fabricated

Using symbols in filters

To create a filter based on a spam symbol:

  1. Create or edit a filter
  2. Add a rule with component Spam symbol
  3. Operator: equals (exact name match) or exists (symbol triggered regardless of score)
  4. Value: the symbol name (e.g., ZERO_FONT)
  5. Action: Deny to block, or Allow with folder routing to sort

Click the symbol wiki icon in the filter editor to browse all available symbols and click one to insert it.

For practical filter examples using these symbols, see Filter samples: 8 practical use cases. For a deeper explanation of how Rspamd works, see Rspamd Spam Symbols Explained on our blog.