Rspamd blacklist domains with wildcards

NethServer Version: 7.6.1810
Module: Email

I’ve got difficulties coming with spam messages coming from several similar domains like

I’ve tried to learn the Rspamd with these messages, but probably due to the changing number in the domain name these messages are still passing through. So I’ve started to learn myself, how to configure Rspamd manually with the intention to blacklist domains with wildcards like


But I haven’t got too far, because when I started the testing with just adding a normal (non-wildcard) domain of an public freemail provider ( to the blacklist
updated the filter with
signal-event nethserver-mail-filter-update
and sent a mail from that domain, the mail went through.

X-Spamd-Result: default: False [1.46 / 20.00];
IP_SCORE(1.16)[asn: 6830(4.81), country: AT(0.96)];
RCVD_IN_DNSWL_LOW(-0.10)[ :];
ASN(0.00)[asn:6830, ipnet:, country:AT];

So my questions are:

  • how to configure rspamd to respect the blacklist /etc/rspamd/
  • how to add domains with wildcards to the blacklist, if possible

I would appreciate any advice on that.
Thank you very much.


@stephdl Can you help here?


The from domain blacklist is a template, if you add a domain en call the rspamd event it will be overwritten

Try to add a domain manually to the template with a wilcard and simply restart rspamd:

systemctl restart rspamd

I am not aware if we could use a wildcard with rspamd, check the documentation about multimap

1 Like

How to work with templates you can find here:

If you have any questions don’t be shy to ask.

for now add it manually to the file, then restart rspamd

just tested it, wildcard doesn’t work in blacklist of rspamd

this is a clue, in theory we could make a map (/etc/rspamd/local.d/multimap.conf) and create a regex-map to catch your *domain

Thank you very much stephdl for posting this clue.
I have just tried to modify the /etc/rspamd/local.d/multimap.conf by adding the line:

regexp = true;

in the section:

#blacklist the domains of senders
regexp = true;
message = "Sender domain address rejected";

then added a line in


restarted the rspamd

systemctl restart rspamd

and then sent a test mail from

The email didn’t make it through:

Diagnostic-Code: smtp; 554 5.7.1 Sender domain address rejected

So it seems, it works!
Thank you very much for pointing me!
I wonder how it wil work with the real spamming domains.

1 Like

try it please and come back, use \d+ to match the numerical value, think that if you expand the filter event you rewrite your changes

if you tests are concluant we could think to make some changes

I have added the real spamming domains regexes and moved the modifications into the custom templates


and updated the filters and restarted rspamd

signal-event nethserver-mail-filter-update
systemctl restart rspamd

The changes has shown in /etc/rspamd/…, so I hope they will survive updates etc…
I will report, if it help to fight the spam from the problematic domains.


Well, it seems I am still missing something. Spams from the respective domains are still coming through.
What I don’t understand and maybe is a reason for the above: I test the multimap filter from my freemail account When I send the mail from the freemail’s web interface, it is rejected as expected by the multimap filter:

`Diagnostic-Code: smtp; 554 5.7.1 Sender address rejected`

Rspamd history:
| IP address||
|[Envelope From] From||
|[Envelope To] To/Cc/Bcc||
|[Envelope To] To/Cc/Bcc||
MagnitudeValueName **ASN** (0) [asn:43614, ipnet:, country:CZ]

But when I send the mail from the very same freemail account and address from my e-mail client, it comes through:

Rspamd history:
| IP address:
|[Envelope From] From||
|[Envelope To] To/Cc/Bcc||
|[Envelope To] To/Cc/Bcc||
MagnitudeValueName|**ASN** (0) [asn:6830, ipnet:, country:AT]
**BAYES_HAM** (-0.616602) [82.06%]
**DMARC_NA** (0) []
**FROM_HAS_DN** (0)
**IP_SCORE** (0.681956) [ipnet:, asn: 6830(4.79), country: AT(0.96)]
**MIME_GOOD** (-0.1) [text/plain]
**MIME_TRACE** (0) [0:+]
**MX_INVALID** (0.5) [cached]
**R_DKIM_NA** (0)
**R_SPF_NA** (0)
**RCPT_COUNT_ONE** (0) [1]
**RCVD_COUNT_THREE** (0) [3]
**RCVD_IN_DNSWL_LOW** (-0.1) [ :]
**TO_DN_ALL** (0)