Rspamd 4.0.0 ships memory savings, a new scan protocol, and a required migration step
The open-source spam filtering platform Rspamd released version 4.0.0, delivering infrastructure changes across its scan protocol, memory model, hash storage, and configuration system. Several of the changes are breaking, and at least one requires a migration step before upgrade.

A new scan protocol
The release introduces a /checkv3 endpoint that replaces HTTP headers with structured JSON or msgpack for metadata transport. The new endpoint uses multipart/form-data for requests and multipart/mixed for responses, supports per-part zstd compression, includes an optional body part for rewritten messages, and uses zero-copy piecewise writev for response output. Operators can activate the new protocol with the rspamc --protocol-v3 or rspamc --msgpack flags.
The previous protocol remains available.
Fasttext goes built-in, cuts memory use
Rspamd previously depended on an external C++ libfasttext library. Version 4 removes that dependency and replaces it with a built-in mmap-based shim that loads model data into shared memory across all worker processes. The change eliminates per-worker heap copies of model data, which the project estimates saved between 500MB and 7GB of RAM in multi-worker deployments, depending on model size. Existing .bin and .ftz model files continue to work without modification.
The ENABLE_FASTTEXT cmake option is removed; Fasttext support is now always compiled in. Packagers must remove the external libfasttext build dependency.
Fuzzy hashes gain multiple flags
A stored fuzzy hash previously carried a single flag. Version 4 allows a single digest to carry up to eight flags simultaneously, so multiple detection rules can match the same hash independently without duplicating the stored entry. The Redis update logic was rewritten in Lua with EVALSHA and NOSCRIPT recovery.
The release also introduces an HTML_FUZZY_PHISHING symbol. It fires when an HTML template matches a known phishing template but the embedded domains differ, targeting phishing campaigns that reuse a template structure while swapping out links.
The wire protocol moves to epoch 12 and remains backward-compatible. The highest-value flag occupies the primary slot.
Ring Hash replaces Jump Hash
Rspamd used Jump Hash for consistent upstream hashing in sharded Bayes deployments. Version 4 replaces it with Ring Hash (Ketama) with virtual nodes. Under Ring Hash, only roughly 1/n keys redistribute when an upstream fails, and keys return to their original upstream when it recovers.
This change is a breaking one for operators running per-user Bayes on sharded Redis. After the upgrade, existing data lands on the wrong shards. The project requires operators to run rspamadm statistics_dump migrate before upgrading. Single-server deployments are not affected.
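The redistribution behaviour described above can be checked with a small ring model. This is an added example, not Rspamd's implementation: the SHA-256 point function, the 160 virtual nodes per upstream, the shard names and the per-user key format are all assumptions chosen for illustration.

```python
import bisect
import hashlib

def point(value: str) -> int:
    """Map a string to a 64-bit ring position (SHA-256 is this sketch's choice)."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")

class Ring:
    def __init__(self, upstreams, vnodes=160):
        # Each upstream is placed on the ring many times to even out its share.
        self.nodes = sorted((point(f"{u}#{i}"), u)
                            for u in upstreams for i in range(vnodes))
        self.positions = [p for p, _ in self.nodes]

    def lookup(self, key: str, alive) -> str:
        """Walk clockwise from the key to the first virtual node of a live upstream."""
        start = bisect.bisect_left(self.positions, point(key))
        for step in range(len(self.nodes)):
            upstream = self.nodes[(start + step) % len(self.nodes)][1]
            if upstream in alive:
                return upstream
        raise RuntimeError("no live upstream")

def failover_report(n_keys=5000):
    shards = ["redis-a", "redis-b", "redis-c", "redis-d"]   # constructed names
    ring = Ring(shards)
    keys = [f"user{i}@example.org" for i in range(n_keys)]  # constructed keys
    healthy = {k: ring.lookup(k, set(shards)) for k in keys}
    degraded = {k: ring.lookup(k, set(shards) - {"redis-c"}) for k in keys}
    recovered = {k: ring.lookup(k, set(shards)) for k in keys}
    moved = [k for k in keys if healthy[k] != degraded[k]]
    return {
        # Share of keys that changed shard while redis-c was down (about 1/4 here).
        "moved_fraction": len(moved) / n_keys,
        # Keys owned by surviving shards never move.
        "only_failed_shard_keys_moved": all(healthy[k] == "redis-c" for k in moved),
        # Once redis-c is back, every key maps to its original shard again.
        "restored_after_recovery": recovered == healthy,
    }

if __name__ == "__main__":
    print(failover_report())
```

With four upstreams the moved fraction lands near 0.25, and only keys that belonged to the failed shard are reassigned.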
HTTPS support added natively
Workers can now serve HTTPS without a reverse proxy in front. SSL is auto-detected from bind socket configuration. The previous ssl = true worker option is removed; operators should remove it from configs and apply the ssl suffix to bind lines.
Token bucket load balancing becomes the default
Proxy upstream load balancing switches from simple round-robin to token bucket balancing by default. The algorithm accepts configurable max_tokens, scale, and base_cost parameters for burst traffic handling. Operators who want to restore round-robin can remove the token_bucket key from proxy upstream config.
Jinja2 templating for configuration files
Configuration files are now preprocessed by the Lupa Jinja2-compatible template engine before UCL parsing. Environment variables prefixed with RSPAMD_ are available inside templates as the env table. The templating system uses modified delimiters ({= =} for expressions, {% %} for control structures) to avoid conflicts with UCL syntax. Validation filters including mandatory, require_int, and require_json abort startup on invalid input, a behavior the project intends as support for container deployments that configure Rspamd through environment variables.
Other additions and fixes
Rspamd 4 adds native UUID v7 generation per scanning task, synchronized with the Log-Tag header and ClickHouse UUID v7 column support. The Bayesian classifier gains multiclass support, allowing classifiers to learn arbitrary categories beyond binary spam/ham. The WebUI learning interface is updated accordingly.
Hyperscan compilation moves to an async Lua backend with Redis-based shared cache across workers and hosts. Multiple use-after-free conditions in Hyperscan cache handling during live configuration reload are resolved.
SenderScore RBLs are disabled by default in this release. The project notes that the rules require a MyValidity account and were returning blocked results for all unregistered IPs. Operators with registered accounts must explicitly re-enable the rules.
PDF parsing receives fixes for ASCII85 decoding, ligature substitution, and object padding evasion. DKIM unknown and broken key handling is updated to follow RFC behavior. A memory leak in the RSA path of DKIM signing is fixed, as is a SHA-1 DKIM signature crypto-policy bypass on RHEL/CentOS 10.
A use-after-free in fuzzy UDP sessions and a CPU busy-loop in the fuzzy TCP client are also resolved in this release.
Rspamd is available for free download on GitHub.

