I am trying to find out what is the meaning of the flag TO_NO_BRKTS_HTML_IMG in SpamAssassin.

The provided description for it says:

To: lacks brackets and HTML and one image

As far as I understand it means the mail message is in HTML format and contains only one image, but what does "To: lacks brackets" mean?

Also ran into this problem and digged in the source code of spamassassin and found this:

meta       __TO_NO_BRKTS_HTML_IMG  __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG
meta       TO_NO_BRKTS_HTML_IMG    __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE 
describe   TO_NO_BRKTS_HTML_IMG    To: lacks brackets and HTML and one image
score      TO_NO_BRKTS_HTML_IMG    2.000   # limit
tflags     TO_NO_BRKTS_HTML_IMG    publish

So, a single image in a email and a missing name in the to field seems to trigger this. To be more concrete, this happens, when:

• The recipient does not contain < and > (__TO_NO_ARROWS_R)
• The recipient is undisclosed (__TO_UNDISCLOSED)
• The email contains html (HTML_MESSAGE)
• The email contains exactly one image (__ONE_IMG)
• The sender (from) does not only contain numbers (__FM_TO_ALL_NUMS)
• The recipient (to) does not contain a name (eg. [email protected] <foo bar>) (__FROM_FULL_NAME)
• Dont know what this is for, the comment in the sourcecode itself says # Explain later. ;) (__HAS_THREAD_INDEX)
• No DKIM signature exists (__DKIM_EXISTS)
• No Sender-header is given (__HAS_SENDER)
• Is not part of an conversation (?) (__THREADED)
• Line length does not exceed 998 characters regarding to RFC 5322 (__LONGLINE)

"To: lacks brakets" means that the To: header value has no ending >

To: <[email protected]> Doesn't trigger the rule
To: [email protected] Does trigger the rule

You can get more information about Internet Message Format here