Spam symbol reference guide
When creating a filter with the Spam symbol component, you can match on specific indicators from the spam scanning engine. The symbol wiki in the filter editor shows all available symbols. This article highlights the ~25 most useful ones for filter rules, organized by category.
Cleanbox custom symbols
These are unique to Cleanbox, based on crowd-sourced sender reputation across all users:
| Symbol | Score | What it means |
|---|---|---|
CLEANBOX_BLOCK | +8.0 | 10+ users reported this sender, 90%+ marked as spam |
CLEANBOX_QUARANTINE | +5.0 | 5+ users reported, 70%+ spam ratio |
CLEANBOX_GREYLIST | +2.0 | 3+ users reported, more spam than legitimate |
CLEANBOX_TRUSTED | -2.0 | 5+ teams whitelisted/prioritized this sender |
CLEANBOX_UNCOMMON | +1.0 | Sender infrastructure not commonly seen across Cleanbox users |
CLEANBOX_BULK_ESP | +0.5 | Sent via bulk email service provider (Mailchimp, SendGrid, etc.) |
CLEANBOX_AI_SPAM | +2.0 to +4.5 | AI content classifier detected spam, phishing, or scam patterns. Variable score based on AI confidence and Bayes agreement. |
CLEANBOX_AI_HAM | -2.0 to -4.5 | AI content classifier confirmed legitimate email. Variable negative score reduces false positive risk. |
Authentication
| Symbol | Score | What it means |
|---|---|---|
R_SPF_ALLOW | -0.2 | SPF check passed — sender IP is authorized |
R_SPF_FAIL | +1.0 | SPF check failed — sender IP not authorized by domain |
R_SPF_SOFTFAIL | 0 | SPF soft fail — domain uses ~all policy |
R_DKIM_ALLOW | -0.2 | DKIM signature is valid |
R_DKIM_REJECT | +1.0 | DKIM signature failed verification |
DMARC_POLICY_ALLOW | -0.5 | Email passes the sender's DMARC policy |
DMARC_POLICY_REJECT | +2.0 | Email fails the sender's DMARC policy |
DMARC_POLICY_QUARANTINE | +1.5 | DMARC policy recommends quarantine |
FORGED_SENDER | +0.3 | From header does not match SMTP envelope sender |
Content and classification
| Symbol | Score | What it means |
|---|---|---|
BAYES_SPAM | +5.1 | Bayesian classifier says probably spam |
BAYES_HAM | -3.0 | Bayesian classifier says probably legitimate |
ZERO_FONT | +1.0 | Invisible text (font-size: 0) — spam evasion technique |
MANY_INVISIBLE_PARTS | +1.0 | Many visually hidden HTML sections |
R_WHITE_ON_WHITE | +4.0 | Low contrast text (white on white background) |
PHISHING | +4.0 | Phished URL detected in the message |
SPOOF_DISPLAY_NAME | +8.0 | Display name impersonates another sender |
LEAKED_PASSWORD_SCAM | +7.0 | Bitcoin wallet + sextortion scam patterns |
FUZZY_DENIED | +12.0 | Matches known spam fingerprint (Rspamd fuzzy hash) |
Reputation and infrastructure
| Symbol | Score | What it means |
|---|---|---|
RDNS_NONE | +0.5 | Sending server has no reverse DNS record |
MID_BARE_IP | +2.0 | Message-ID contains raw IP instead of hostname |
RCVD_COUNT_ZERO | 0 | No Received headers — email likely fabricated |
Using symbols in filters
To create a filter based on a spam symbol:
- Create or edit a filter
- Add a rule with component Spam symbol
- Operator: equals (exact name match) or exists (symbol triggered regardless of score)
- Value: the symbol name (e.g.,
ZERO_FONT) - Action: Deny to block, or Allow with folder routing to sort
Click the symbol wiki icon in the filter editor to browse all available symbols and click one to insert it.
For practical filter examples using these symbols, see Filter samples: 8 practical use cases. For a deeper explanation of how Rspamd works, see Rspamd Spam Symbols Explained on our blog.