Differences

current:zombies [2015/01/14 09:03]
sj created
current:zombies [2015/01/20 22:42] (current)
sj
Line 2: Line 2:
  
  
-Most of the spam, malware and phishing emails come from zombie networks. Fortunately for us they share a generic pattern. A zombie computer sends messages directly to the MX servers of the recipient instead of using the SMTP relay hosts of its service provider.+Some of the spam, malware and phishing emails come from zombie networks. Fortunately for us they share a generic pattern. A zombie computer sends messages directly to the MX servers of the recipient instead of using the SMTP relay hosts of its service provider.
  
 So if a typical hostname is like c-98-214-27-79.hsd1.il.comcast.net,​ then we can create a regular expression to match it. If a match is found we can decide what to do with it, ie. drop, mark or pass. So if a typical hostname is like c-98-214-27-79.hsd1.il.comcast.net,​ then we can create a regular expression to match it. If a match is found we can decide what to do with it, ie. drop, mark or pass.
  
-To activate this feature ​do the following:+The '//​message_from_a_zombie//'​ variable decides what to do with messages from zombies. You can drop those messages (2), mark them as spam immediately skipping the antispam check (1), or let the statistical module decide their fate (0). The last option is the default action. 
 + 
 +To make the zombie detection work, we need a regex file containing patterns. The $(datarootdir)/​clapf/​zombienets.regex.dist file is a good start to create your own zombie regex file, ie. $(datarootdir)/​clapf/​zombienets.regex (///​usr/​local/​clapf/​zombienets.regex//​ by default).
  
-  * Install the [[http://​laurikari.net/​tre/​|TRE library]], then recompile clapf 
-  * Set '//​message_from_a_zombie//'​ variable to decide what to do with messages from zombies. You can drop those messages (2), mark them as spam immediately skipping the antispam check (1), or let the statistical module decide their fate (0). The last option is the default action. 
-  * Finally recompile the clapf daemon. 
  
 There are cases when your smtp server running clapf is behind some smtp servers, so you don't deal with the real sender directly. Unfortunately this situation hinders clapf to find out whether a zombie has sent the email or not. To workaround the problem, you may specify the IP-addresses and hostnames you want clapf to skip. There are cases when your smtp server running clapf is behind some smtp servers, so you don't deal with the real sender directly. Unfortunately this situation hinders clapf to find out whether a zombie has sent the email or not. To workaround the problem, you may specify the IP-addresses and hostnames you want clapf to skip.
  
-Let's say you have some MX servers in the xxxx.hu domain (195.56.111.*) that pass you the emails. Then clapf may encounter a mail header like this:+Let's say you have some MX servers in the xxxx.hu domain (11.22.33.*) that pass you the emails. Then clapf may encounter a mail header like this:
  
-  Received: from mx1.xxxx.hu (mx1.xxxx.hu [195.56.111.112])+  Received: from mx1.xxxx.hu (mx1.xxxx.hu [11.22.33.112])
      by mx.acts.hu (Postfix) with ESMTP id A18971701E      by mx.acts.hu (Postfix) with ESMTP id A18971701E
      for <​sj@acts.hu>;​ Mon, 17 May 2010 16:10:09 +0200 (CEST)      for <​sj@acts.hu>;​ Mon, 17 May 2010 16:10:09 +0200 (CEST)
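Review bot: the rewritten setup paragraph drops the two build steps of the old list ("Install the TRE library, then recompile clapf" and "Finally recompile the clapf daemon") without saying whether the TRE dependency still applies; if zombie detection still needs TRE and a rebuild, the new text should keep that prerequisite next to the description of the regex file, and if it no longer does, it should say so explicitly so readers of the old page know the step went away. Minor points in the same region: "ie." should be "i.e."; the replacement sample addresses (11.22.33.*) are a real routable range, and the reserved documentation blocks from RFC 5737 (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) would avoid pointing readers at someone else's network.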
Line 24: Line 23:
  
  
-If you set the following, then clapf will skip both mx1.xxxx.hu,​ and 195.56.111.112 (the IP-address matches the skipped_received_ips directive), so clapf knows that a213-22-49-142.cpe.netcabo.pt/​213.22.49.142 is the real sender.+If you set the following, then clapf will skip both mx1.xxxx.hu,​ and 11.22.33.112 (the IP-address matches the skipped_received_ips directive), so clapf knows that a213-22-49-142.cpe.netcabo.pt/​213.22.49.142 is the real sender. 
 + 
 +<​code>​ 
 +skipped_received_ips=11.22.33. 
 +</​code>​
  
-<​HTML>​ 
-<pre> 
-skipped_received_ips=195.56.111. 
-</​pre>​ 
-</​HTML>​ 
  
-For a detailed explanation how to install the modified postgrey, please see the contrib/zombie/​README file.+Clapf also features a modified postgrey daemon which delays only hosts having a suspicious PTR rekord. ​For a detailed explanation how to install the modified postgrey, please see the zombie/​README file.
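Review bot: the README path changed from contrib/zombie/README to zombie/README in the last line; please confirm the file actually moved in the source tree, otherwise the link in this doc will be dead for readers following it. In the added sentence, "rekord" should be "record" (a suspicious PTR record). In the new code block, the value `skipped_received_ips=11.22.33.` is described by the text as matching 11.22.33.112, i.e. a prefix match, so the trailing dot is significant; a short remark that the dot is needed (so that "11.22.3." is not written by mistake and matched against 11.22.30.x as well) would save users a misconfiguration.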