Spam symbols available in filters
When creating a filter with the Spam symbol component, you can match on specific indicators from the spam scanner. The symbol wiki in the filter editor shows all available symbols. This article highlights the most useful ones for filter rules.
Cleanbox custom symbols
These are unique to Cleanbox, based on crowd-sourced sender reputation:
| Symbol | Score | What it means |
|---|---|---|
| CLEANBOX_BLOCK | +8.0 | 10+ users reported this sender, 90%+ marked as spam |
| CLEANBOX_QUARANTINE | +5.0 | 5+ users reported, 70%+ spam ratio |
| CLEANBOX_GREYLIST | +2.0 | 3+ users reported, more spam than legitimate |
| CLEANBOX_TRUSTED | -2.0 | 5+ teams whitelisted/prioritized this sender |
| CLEANBOX_UNCOMMON | +1.0 | Sender infrastructure not commonly seen across Cleanbox users |
| CLEANBOX_BULK_ESP | +0.5 | Sent via bulk email service provider (Mailchimp, SendGrid, etc.) |
Authentication symbols
| Symbol | Score | What it means |
|---|---|---|
| R_SPF_ALLOW | -0.2 | SPF check passed — sender IP is authorized |
| R_SPF_FAIL | +1.0 | SPF check failed — sender IP not authorized by domain |
| R_DKIM_ALLOW | -0.2 | DKIM signature is valid |
| R_DKIM_REJECT | +1.0 | DKIM signature failed verification |
| DMARC_POLICY_ALLOW | -0.5 | Email passes sender's DMARC policy |
| DMARC_POLICY_REJECT | +2.0 | Email fails sender's DMARC policy |
| FORGED_SENDER | +0.3 | From header doesn't match the SMTP envelope sender |
Content and reputation symbols
| Symbol | Score | What it means |
|---|---|---|
| BAYES_SPAM | +5.1 | Bayesian classifier says message is probably spam |
| BAYES_HAM | -3.0 | Bayesian classifier says message is probably legitimate |
| ZERO_FONT | +1.0 | Invisible text (font-size: 0) — spam evasion technique |
| MANY_INVISIBLE_PARTS | +1.0 | Many visually hidden sections in the HTML |
| R_WHITE_ON_WHITE | +4.0 | Low contrast text (white on white) to hide content |
| RDNS_NONE | +0.5 | Sending server has no reverse DNS record |
| MID_BARE_IP | +2.0 | Message-ID contains a raw IP address instead of hostname |
| PHISHING | +4.0 | Phished URL detected in the message |
| FUZZY_DENIED | +12.0 | Message matches known spam fingerprint (Rspamd fuzzy hash) |
| SPOOF_DISPLAY_NAME | +8.0 | Display name is used to impersonate another sender |
| LEAKED_PASSWORD_SCAM | +7.0 | Contains Bitcoin wallet + scam patterns (sextortion) |
Practical filter examples
| Goal | Symbol | Action |
|---|---|---|
| Block emails with hidden text tricks | ZERO_FONT | Deny |
| Block phishing attempts | PHISHING | Deny |
| Block display name spoofing | SPOOF_DISPLAY_NAME | Deny |
| Block sextortion scams | LEAKED_PASSWORD_SCAM | Deny |
| Flag emails that fail DMARC | DMARC_POLICY_REJECT | Allow, mark flagged, deliver to "Review" |
| Sort bulk ESP emails to folder | CLEANBOX_BULK_ESP | Allow, deliver to "Marketing" |
To insert a symbol into your filter rule, click the symbol wiki icon in the filter editor. This opens a searchable list of all available symbols — click one to insert it as the rule value.
For the full list of Rspamd symbols, including ones not commonly used in filters, see our blog article Rspamd Spam Symbols Explained.