weird spam false spam marking by rspamd

Discussion in 'Server Operation' started by Cristiangd.cl, Mar 18, 2026.

  1. Cristiangd.cl

    Cristiangd.cl New Member

    Hello ,
    I have found a weird false spam designation by rspamd:
    you can find the log for that message below.
    As I understand, rspamd is detecting "cia.ltda" as a URL. Curiously, the only place where that text is found is in a PDF attachment showing a company name:
    CompanyName Cia. Ltda. = CompanyName LLC. = CompanyName GmbH.
    Not a URL.
    Neither the sender IP nor the URL is blacklisted.
    Am I interpreting this correctly?
    Can you suggest a way to avoid this problem?
    Thanks

    The log for the message:
    2026-03-18 10:35:38 #3876723(normal) <ce2bb8>; task; rspamd_task_write_log: id: <[email protected]>, qid: <24A282040053>, ip: a.b.c.d, from: <[email protected]>, (default: T (rewrite subject): [8.48/12.00] [URIBL_BLACK(7.50){cia.ltda:url;},BAYES_HAM(-3.00){100.00%;},SUBJ_ALL_CAPS(3.00){49;},HFILTER_HOSTNAME_2(1.00){mx-01.hosted.zzz.zz;},BAD_REP_POLICIES(0.10){},MIME_GOOD(-0.10){multipart/mixed;multipart/related;multipart/alternative;text/plain;},MX_GOOD(-0.01){},ARC_NA(0.00){},ARC_SIGNED(0.00){yyy.yy:s=default:i=1;},ASN(0.00){asn:13424, ipnet:a.b.c.d/24, country:yy;},DKIM_TRACE(0.00){XXX.xx:+;},DMARC_POLICY_ALLOW(0.00){xxx.xx;quarantine;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GREYLIST(0.00){pass;body;},HAS_ATTACHMENT(0.00){},HAS_XOIP(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;3:+;4:~;5:~;6:~;7:~;...;},MISSING_XM_UA(0.00){},RCPT_COUNT_THREE(0.00){3;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_ALLOW(0.00){xxx.xx:s=selector1;},R_DUMMY(0.00){},R_SPF_ALLOW(0.00){+a:mailers.zzz.zz;},SUSPICIOUS_AUTH_ORIGIN(0.00){},TO_DN_EQ_ADDR_SOME(0.00){},TO_DN_SOME(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 499334, time: 1146.676ms, dns req: 56, digest: <008e4c4867795927a1e96341ebff9b51>, rcpts: <[email protected],[email protected],[email protected]>, mime_rcpts: <[email protected],[email protected],[email protected]>, settings_id: ispc_spamfilter_user_59
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Have you examined the full headers of that message?
     
  3. Cristiangd.cl

    Cristiangd.cl New Member

    Hello Taleman,
    Yes, "cia.ltda." is not there.

    Here are the headers:
    --------------------
    Received: from mail.receiver.net
    by mail.receiver.net with LMTP
    id /EnmIiqqumlJPTsAoYMCrw
    (envelope-from <[email protected]>); Wed, 18 Mar 2026 10:35:38 -0300
    Received: from exchange.hosted.senderhost.net (mx-01.hosted.senderhost.net [a.b.c.d])
    by mail.receiver.net (Postfix) with ESMTPS id 24A282040053;
    Wed, 18 Mar 2026 10:35:36 -0300 (-03)
    Received: from MX-01.HOSTED.senderhost.net (e.f.g.h) by
    MX-01.HOSTED.senderhost.net (e.f.g.h) with Microsoft SMTP Server
    (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
    15.1.2507.35; Wed, 18 Mar 2026 10:20:33 -0300
    Received: from MX-01.HOSTED.senderhost.net ([ip6]) by
    MX-01.HOSTED.senderhost.net ([ip6]) with mapi id
    15.01.2507.035; Wed, 18 Mar 2026 10:20:33 -0300
    From: "sender" <[email protected]>
    To: "'A'" <[email protected]>,
    <[email protected]>,
    <[email protected]>
    Subject: *** SPAM *** subject text
    Date: Wed, 18 Mar 2026 10:20:33 -0300
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0253_01DCB6F4.92070000"
    X-Mailer: Microsoft Outlook 16.0
    Authentication-Results: mail.receiver.net;
    dkim=pass header.d=senderdomain.net header.s=selector1 header.b=G35VuOdn;
    dmarc=pass (policy=quarantine) header.from=senderdomain.net;
    spf=pass (mail.receiver.net: domain of [email protected] designates a.b.c.d as permitted sender) [email protected]
    X-Spamd-Bar: ++++++++
    X-Spam-Level: ********
    X-Spam-Status: Yes, score=8.49
    Thread-Index: AQJ47Gk2Ji9IghKV6WgJKYa8FuXOrA==
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    X-OlkEid: 00000000C0D4A4D3ECEAFA42BFA15D9855F01A1B0700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C0000D9539C2261A6BB45B9DAB62C7081B3C1010022B300000000529A6BFF02B80142B35A73A0C430170C
    X-Originating-IP: [j.k.l.m]

    This is a multipart message in MIME format.

    -------------------------------
     
  4. pyte

    pyte Well-Known Member HowtoForge Supporter

    The full headers are not interesting here.
    The URL parser found "cia.ltda" as a domain in the content of the message. It then checked the RBLs and got a positive match from URIBL.

    So either the parser has a bug and somehow detected "CompanyName Cia. Ltda." as the URL "cia.ltda" or there really is the string "cia.ltda" in that message and indeed that domain was/is listed at URIBLs Blacklist.
     
  5. Cristiangd.cl

    Cristiangd.cl New Member

    Hello,
    It has to be a bug.
    I receive other emails from the same sender without issues, except when the message includes a PDF whose format includes the text companyname cia. ltda., and we had been receiving those emails normally until a few days ago, after an update that included rspamd.
    Also, it's definitely detecting the cia.ltda. in a PDF attachment; I checked by sending the same attachment in a clean message with no text from a Gmail account and got the same detection.


    Can this detection be disabled?

    Thanks.

    2026-04-02 10:50:14 #3963445(normal) <dc2e80>; task; rspamd_task_write_log: id: <CAF7i1azgXHfjZSYrNQUHXKAwG6GA3y6oeOuxpw3whCb1eXCQwQ@mail.gmail.com>, qid: <10AEE2040052>, ip: 209.85.210.43, from: <[email protected]>, (default: F (soft reject): [10.09/12.00] [URIBL_BLACK(7.50){cia.ltda:url;},BAYES_SPAM(2.60){91.93%;},BAD_REP_POLICIES(0.10){},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},MX_GOOD(-0.01){},ALIAS_RESOLVED(0.00){},ARC_ALLOW(0.00){google.com:s=arc-20240605:i=1;},ARC_SIGNED(0.00){eilers.cl:s=default:i=2;},ASN(0.00){asn:15169, ipnet:209.85.128.0/17, country:US;},DKIM_TRACE(0.00){gmail.com:+;},DMARC_POLICY_ALLOW(0.00){gmail.com;none;},DWL_DNSWL_NONE(0.00){gmail.com:dkim;},FREEMAIL_ENVFROM(0.00){gmail.com;},FREEMAIL_FROM(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GREYLIST(0.00){greylisted;Thu, 02 Apr 2026 13:55:14 GMT;new record;},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROMTLD(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;3:~;4:~;},MISSING_XM_UA(0.00){},PREVIOUSLY_DELIVERED(0.00){[email protected];},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ONE(0.00){1;},RCVD_IN_DNSWL_NONE(0.00){209.85.210.43:from;},RCVD_TLS_LAST(0.00){},RWL_MAILSPIKE_GOOD(0.00){209.85.210.43:from;},R_DKIM_ALLOW(0.00){gmail.com:s=20251104;},R_DUMMY(0.00){},R_SPF_ALLOW(0.00){+ip4:209.85.128.0/17:c;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 118932, time: 1824.798ms, dns req: 36, digest: <6ec6051c001bb86da52d295179bed2d1>, rcpts: <myaccount@mydomain>, mime_rcpts: <myaccount@mydomain>, forced: soft reject "Try again later"; score=nan (set by greylist), settings_id: ispc_spamfilter_user_77
     
  6. pyte

    pyte Well-Known Member HowtoForge Supporter

    Don't disable it. The configuration for the RBLs is set in /etc/rspamd/modules.d/rbl.conf. There is also a list of map file locations where you can exclude domains from the blacklisting.

    To be clear, this seems to be a bug in the URL detection of rspamd and should be reported upstream. And it seems like the domain in question is blacklisted for a reason, but I think the risk of allowing it is minimal.

    To exclude the domain just create the file "/etc/rspamd/local.d/maps.d/surbl-whitelist.inc.local" and add "cia.ltda" in there. Run "systemctl reload rspamd" after that and your issue should be gone.
     
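As an added illustration (not rspamd's own code, and not posted by anyone in this thread), the simplified scanner below shows why a bare token such as "Cia.Ltda" can be picked up as a host, since ltda is a real gTLD, and how an entry in the surbl-whitelist map keeps it out of the URIBL lookup. The TLD subset, the PDF text and the map contents are constructed for the example; rspamd's real URL finder and map handling are more involved, and treating parent domains in the map as covering their subdomains is an assumption.

```python
import re

# Constructed subset of public TLDs for this example. "ltda" is a real ICANN
# gTLD, which is why a company suffix written as "Cia.Ltda" looks like a host.
KNOWN_TLDS = {"com", "net", "org", "cl", "de", "ltda", "gmbh", "llc"}

# Bare host-like token: dot-separated labels, no scheme required (simplified;
# rspamd's own URL finder is more elaborate and uses the full public suffix list).
HOST_RE = re.compile(r"(?<![\w.])((?:[a-z0-9-]+\.)+[a-z]{2,63})(?![\w-])", re.IGNORECASE)


def extract_domains(text):
    """Return host-like tokens whose last label is a known TLD, lowercased, in order."""
    found = []
    for m in HOST_RE.finditer(text):
        host = m.group(1).lower()
        if host.rsplit(".", 1)[-1] in KNOWN_TLDS and host not in found:
            found.append(host)
    return found


def load_whitelist(map_text):
    """Parse a surbl-whitelist.inc.local style map: one domain per line, '#' comments."""
    entries = set()
    for line in map_text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def is_whitelisted(domain, whitelist):
    """True if the domain or any parent domain is in the map (assumption: parents count)."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels) - 1))


def domains_to_query(text, whitelist):
    """Domains that would still be sent to URIBL after applying the whitelist."""
    return [d for d in extract_domains(text) if not is_whitelisted(d, whitelist)]


# Constructed stand-in for the text extracted from the PDF attachment.
SAMPLE_PDF_TEXT = "Invoice 123\nCompanyName Cia.Ltda.\nContact: sales at example.com\n"

# Constructed content for /etc/rspamd/local.d/maps.d/surbl-whitelist.inc.local
WHITELIST_MAP = "# company suffix mis-detected as a host, not a real URL\ncia.ltda\n"

if __name__ == "__main__":
    print("detected:", extract_domains(SAMPLE_PDF_TEXT))
    print("to query:", domains_to_query(SAMPLE_PDF_TEXT, load_whitelist(WHITELIST_MAP)))
```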

  8. Cristiangd.cl

    Cristiangd.cl New Member

    Thanks, the whitelist works.
     
