
Handling zombies

Most spam, malware and phishing emails come from zombie networks. Fortunately for us, they share a generic pattern: a zombie computer sends messages directly to the recipient's MX servers instead of using the SMTP relay hosts of its service provider.

So if a typical zombie hostname looks like c-98-214-27-79.hsd1.il.comcast.net, we can create a regular expression to match it. If a match is found, we can decide what to do with the message, i.e. drop, mark or pass it.

To activate this feature do the following:

  • Install the TRE library, then recompile clapf
  • Set the 'message_from_a_zombie' variable to decide what to do with messages from zombies. You can drop those messages (2), mark them as spam immediately, skipping the antispam check (1), or let the statistical module decide their fate (0). The last option is the default action.
  • Finally, recompile the clapf daemon.

There are cases when your SMTP server running clapf sits behind other SMTP servers, so you don't deal with the real sender directly. Unfortunately this prevents clapf from finding out whether a zombie sent the email or not. To work around the problem, you may specify the IP addresses and hostnames you want clapf to skip.

Let's say you have some MX servers in the xxxx.hu domain (195.56.111.*) that pass you the emails. Then clapf may encounter a mail header like this:

Received: from mx1.xxxx.hu (mx1.xxxx.hu [195.56.111.112])
   by mx.acts.hu (Postfix) with ESMTP id A18971701E
   for <sj@acts.hu>; Mon, 17 May 2010 16:10:09 +0200 (CEST)
Received: from netcabo.pt (a213-22-49-142.cpe.netcabo.pt [213.22.49.142])
   by mx1.xxxx.hu (Postfix) with ESMTP id 3DC3342A18D
   for <sj@acts.hu>; Mon, 17 May 2010 16:10:09 +0200 (CEST)

If you set the following, clapf will skip both mx1.xxxx.hu and 195.56.111.112 (the IP address matches the skipped_received_ips directive), so clapf knows that a213-22-49-142.cpe.netcabo.pt/213.22.49.142 is the real sender.

skipped_received_ips=195.56.111.
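As an added illustration (not clapf's own code), here is a Python sketch of the logic described above: walk the Received headers top-down, skip hops whose IP matches the skipped_received_ips prefix, and test the first untrusted reverse name against a zombie-style hostname pattern. The regular expression, the sample headers and the configuration values are constructed assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample modelled on the page's example: the top Received line was added by
# our own MX, the second by the trusted relay mx1.xxxx.hu (195.56.111.112).
SAMPLE_HEADERS = """Received: from mx1.xxxx.hu (mx1.xxxx.hu [195.56.111.112])
   by mx.acts.hu (Postfix) with ESMTP id A18971701E
   for <sj@acts.hu>; Mon, 17 May 2010 16:10:09 +0200 (CEST)
Received: from netcabo.pt (a213-22-49-142.cpe.netcabo.pt [213.22.49.142])
   by mx1.xxxx.hu (Postfix) with ESMTP id 3DC3342A18D
   for <sj@acts.hu>; Mon, 17 May 2010 16:10:09 +0200 (CEST)
"""

# Assumed configuration, mirroring the directives the page describes.
SKIPPED_RECEIVED_IPS = ("195.56.111.",)  # prefixes of our own / trusted relays
MESSAGE_FROM_A_ZOMBIE = 1                # 0 = let antispam decide, 1 = mark spam, 2 = drop
ACTION_NAMES = {0: "antispam", 1: "spam", 2: "drop"}

# Pulls the reverse DNS name and IP out of a Postfix-style "from HELO (rdns [ip])" line.
RECEIVED_RE = re.compile(
    r"^Received: from \S+ \(([\w.-]+) \[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.M
)

# Constructed heuristic: a reverse name that embeds its own IP octets, as in
# c-98-214-27-79.hsd1.il.comcast.net or a213-22-49-142.cpe.netcabo.pt.
ZOMBIE_HOST_RE = re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}")


def real_sender(headers: str) -> Optional[Tuple[str, str]]:
    """Return (rdns, ip) of the first hop that is not one of our skipped relays."""
    for rdns, ip in RECEIVED_RE.findall(headers):
        if ip.startswith(SKIPPED_RECEIVED_IPS):
            continue  # our own relay handed the mail over; look at the next hop down
        return rdns, ip
    return None  # every hop was trusted (or no parsable Received line)


def zombie_action(headers: str, policy: int = MESSAGE_FROM_A_ZOMBIE) -> int:
    """Apply the message_from_a_zombie policy; 0 means fall through to the antispam check."""
    sender = real_sender(headers)
    if sender is None:
        return 0
    rdns, _ip = sender
    return policy if ZOMBIE_HOST_RE.search(rdns) else 0


if __name__ == "__main__":
    print(real_sender(SAMPLE_HEADERS), ACTION_NAMES[zombie_action(SAMPLE_HEADERS)])
```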

For a detailed explanation of how to install the modified postgrey, please see the contrib/zombie/README file.