From: Vsevolod Stakhov Date: Wed, 28 Jan 2026 11:08:49 +0000 (+0000) Subject: [Fix] url_suspect: extract TLD from eSLD for suspicious TLD check X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a58904558c856b49ab865a63acea44ae524bebfd;p=thirdparty%2Frspamd.git [Fix] url_suspect: extract TLD from eSLD for suspicious TLD check The get_tld() function returns eSLD (e.g., "phishing.tk"), not the TLD suffix. Extract the actual TLD by removing the first label. Also add suspicious_tlds_map to test config since the override replaces the default url_suspect configuration.
---
diff --git a/src/plugins/lua/url_suspect.lua b/src/plugins/lua/url_suspect.lua
index e1c0003e08..23120d1614 100644
--- a/src/plugins/lua/url_suspect.lua
+++ b/src/plugins/lua/url_suspect.lua
@@ -402,16 +402,20 @@ function checks.tld_analysis(task, url, cfg)
 return findings
 end
- local tld = url:get_tld()
- if not tld then
+ local esld = url:get_tld()
+ if not esld then
 return findings
 end
+ local tld = esld:match("^[^%.]+%.(.+)$") or esld
+ lua_util.debugm(N, task, "URL eSLD: %s, TLD: %s", esld, tld)
+
 -- Check suspicious TLDs map
 if maps.suspicious_tlds then
 -- Check both with and without leading dot for flexibility
- local tld_with_dot = tld:sub(1, 1) == '.' and tld or ('.' .. tld)
- local tld_without_dot = tld:sub(1, 1) == '.' and tld:sub(2) or tld
+ local tld_with_dot = '.' .. tld
+ local tld_without_dot = tld
+ lua_util.debugm(N, task, "Checking TLDs: with_dot=%s, without_dot=%s", tld_with_dot, tld_without_dot)
 if maps.suspicious_tlds:get_key(tld_with_dot) or maps.suspicious_tlds:get_key(tld_without_dot) then
 lua_util.debugm(N, task, "URL uses suspicious TLD: %s", tld)
 table.insert(findings, {
diff --git a/test/functional/configs/merged-override.conf b/test/functional/configs/merged-override.conf
index a5ddc52790..e812578e00 100644
--- a/test/functional/configs/merged-override.conf
+++ b/test/functional/configs/merged-override.conf
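Review bot: In `checks.tld_analysis` (src/plugins/lua/url_suspect.lua), `esld:match("^[^%.]+%.(.+)$")` removes only the first label, so when the public suffix itself has more than one label (constructed example: eSLD `name.co.xx` gives `co.xx`), both `get_key` lookups use the whole suffix and a map entry written as `xx` or `.xx` would not match. Whether this is a detection gap depends on how the suspicious_tlds map is keyed, which the hunk does not show. If entries are single top-level labels, also look up the last label: `local last_label = tld:match("[^%.]+$") or tld` and extend the condition with `or maps.suspicious_tlds:get_key('.' .. last_label) or maps.suspicious_tlds:get_key(last_label)`. The function starts and ends outside this hunk, so any later use of `tld` was not reviewed.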
@@ -465,4 +465,10 @@ EOD;
 # URL suspect plugin for testing
 url_suspect {
 enabled = true;
+ checks {
+ tld {
+ # Map is required for suspicious TLD detection
+ suspicious_tlds_map = "file://{= env.TESTDIR =}/../../conf/maps.d/suspicious_tlds.inc";
+ }
+ }
 }