weird spam false spam marking by rspamd

Discussion in 'Server Operation' started by Cristiangd.cl, Mar 18, 2026 at 10:07 PM.

  1. Cristiangd.cl

    Cristiangd.cl New Member

    Hello,
    I have found a weird false spam designation by rspamd.
    You can find the log for that message below.
    As I understand, rspamd is detecting "cia.ltda" as a URL. Curiously, the only part where that text is found is in a PDF attachment showing a company name:
    CompanyName Cia. Ltda. = CompanyName LLC. = CompanyName GmbH.
    Not a URL.
    Neither the sender IP nor the URL is blacklisted.
    Am I interpreting this correctly?
    Can you suggest a way to avoid this problem?
    Thanks

    The log for the message:
    2026-03-18 10:35:38 #3876723(normal) <ce2bb8>; task; rspamd_task_write_log: id: <[email protected]>, qid: <24A282040053>, ip: a.b.c.d, from: <[email protected]>, (default: T (rewrite subject): [8.48/12.00] [URIBL_BLACK(7.50){cia.ltda:url;},BAYES_HAM(-3.00){100.00%;},SUBJ_ALL_CAPS(3.00){49;},HFILTER_HOSTNAME_2(1.00){mx-01.hosted.zzz.zz;},BAD_REP_POLICIES(0.10){},MIME_GOOD(-0.10){multipart/mixed;multipart/related;multipart/alternative;text/plain;},MX_GOOD(-0.01){},ARC_NA(0.00){},ARC_SIGNED(0.00){yyy.yy:s=default:i=1;},ASN(0.00){asn:13424, ipnet:a.b.c.d/24, country:yy;},DKIM_TRACE(0.00){XXX.xx:+;},DMARC_POLICY_ALLOW(0.00){xxx.xx;quarantine;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GREYLIST(0.00){pass;body;},HAS_ATTACHMENT(0.00){},HAS_XOIP(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;3:+;4:~;5:~;6:~;7:~;...;},MISSING_XM_UA(0.00){},RCPT_COUNT_THREE(0.00){3;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_ALLOW(0.00){xxx.xx:s=selector1;},R_DUMMY(0.00){},R_SPF_ALLOW(0.00){+a:mailers.zzz.zz;},SUSPICIOUS_AUTH_ORIGIN(0.00){},TO_DN_EQ_ADDR_SOME(0.00){},TO_DN_SOME(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 499334, time: 1146.676ms, dns req: 56, digest: <008e4c4867795927a1e96341ebff9b51>, rcpts: <[email protected],[email protected],[email protected]>, mime_rcpts: <[email protected],[email protected],[email protected]>, settings_id: ispc_spamfilter_user_59
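
Added example, not part of the original post and not rspamd's own code: a small Python parser for the symbol section of the log line above. It ranks symbols by score contribution, lists hits that came from something extracted as a URL, and shows what the total would be without the URIBL_BLACK hit on cia.ltda. The sample line is constructed by shortening the posted log, and the function names are hypothetical.

```python
import re

# Constructed sample: symbol section of the rspamd_task_write_log line posted
# above, with most zero-score symbols dropped for brevity.
SAMPLE = ("(default: T (rewrite subject): [8.48/12.00] "
          "[URIBL_BLACK(7.50){cia.ltda:url;},BAYES_HAM(-3.00){100.00%;},"
          "SUBJ_ALL_CAPS(3.00){49;},HFILTER_HOSTNAME_2(1.00){mx-01.hosted.zzz.zz;},"
          "BAD_REP_POLICIES(0.10){},"
          "MIME_GOOD(-0.10){multipart/mixed;multipart/related;text/plain;},"
          "MX_GOOD(-0.01){},ARC_SIGNED(0.00){yyy.yy:s=default:i=1;},"
          "R_DKIM_ALLOW(0.00){xxx.xx:s=selector1;}])")

# "(default: T (action): [score/limit] [SYM(score){opt;opt;},...])"
HEAD = re.compile(r"\(default: \S+ \(([^)]*)\): \[(-?[\d.]+)/(-?[\d.]+)\] \[(.*)\]\)", re.S)
SYMBOL = re.compile(r"([A-Z0-9_]+)\((-?\d+\.\d+)\)\{([^}]*)\}")

def parse_symbols(line):
    """Return action, total score, limit and symbols sorted by absolute weight."""
    m = HEAD.search(line)
    if not m:
        raise ValueError("no rspamd symbol section found")
    symbols = [{"name": n, "score": float(s),
                "options": [o for o in opts.split(";") if o]}
               for n, s, opts in SYMBOL.findall(m.group(4))]
    symbols.sort(key=lambda s: -abs(s["score"]))
    return {"action": m.group(1), "score": float(m.group(2)),
            "limit": float(m.group(3)), "symbols": symbols}

def url_hits(report):
    """Symbols whose option carries the ':url' tag seen in the posted log."""
    return [(s["name"], o[:-4], s["score"]) for s in report["symbols"]
            for o in s["options"] if o.endswith(":url")]

def score_without(report, name):
    """Total score if the named symbol had not fired."""
    removed = sum(s["score"] for s in report["symbols"] if s["name"] == name)
    return round(report["score"] - removed, 2)

if __name__ == "__main__":
    rep = parse_symbols(SAMPLE)
    print(f"action={rep['action']} score={rep['score']}/{rep['limit']}")
    for s in rep["symbols"]:
        if s["score"]:
            print(f"  {s['score']:+6.2f}  {s['name']}  {s['options']}")
    for name, host, score in url_hits(rep):
        print(f"URL-derived hit: {name} on {host} ({score:+.2f}); "
              f"score without it: {score_without(rep, name)}")
```

On the sample, URIBL_BLACK on cia.ltda is the largest single contributor, which matches the reading in the post.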
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Have you examined the full headers of that message?
     
  3. Cristiangd.cl

    Cristiangd.cl New Member

    Hello Taleman,
    Yes, "cia.ltda." is not there.

    Here are the headers:
    --------------------
    Received: from mail.receiver.net
    by mail.receiver.net with LMTP
    id /EnmIiqqumlJPTsAoYMCrw
    (envelope-from <[email protected]>); Wed, 18 Mar 2026 10:35:38 -0300
    Received: from exchange.hosted.senderhost.net (mx-01.hosted.senderhost.net [a.b.c.d])
    by mail.receiver.net (Postfix) with ESMTPS id 24A282040053;
    Wed, 18 Mar 2026 10:35:36 -0300 (-03)
    Received: from MX-01.HOSTED.senderhost.net (e.f.g.h) by
    MX-01.HOSTED.senderhost.net (e.f.g.h) with Microsoft SMTP Server
    (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
    15.1.2507.35; Wed, 18 Mar 2026 10:20:33 -0300
    Received: from MX-01.HOSTED.senderhost.net ([ip6]) by
    MX-01.HOSTED.senderhost.net ([ip6]) with mapi id
    15.01.2507.035; Wed, 18 Mar 2026 10:20:33 -0300
    From: "sender" <[email protected]>
    To: "'A'" <[email protected]>,
    <[email protected]>,
    <[email protected]>
    Subject: *** SPAM *** subject text
    Date: Wed, 18 Mar 2026 10:20:33 -0300
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0253_01DCB6F4.92070000"
    X-Mailer: Microsoft Outlook 16.0
    Authentication-Results: mail.receiver.net;
    dkim=pass header.d=senderdomain.net header.s=selector1 header.b=G35VuOdn;
    dmarc=pass (policy=quarantine) header.from=senderdomain.net;
    spf=pass (mail.receiver.net: domain of [email protected] designates a.b.c.d as permitted sender) [email protected]
    X-Spamd-Bar: ++++++++
    X-Spam-Level: ********
    X-Spam-Status: Yes, score=8.49
    Thread-Index: AQJ47Gk2Ji9IghKV6WgJKYa8FuXOrA==
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    X-OlkEid: 00000000C0D4A4D3ECEAFA42BFA15D9855F01A1B0700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C0000D9539C2261A6BB45B9DAB62C7081B3C1010022B300000000529A6BFF02B80142B35A73A0C430170C
    X-Originating-IP: [j.k.l.m]

    This is a multipart message in MIME format.

    -------------------------------
     
