Handling zombies

Some of the spam, malware and phishing emails come from zombie networks. Fortunately for us they share a generic pattern. A zombie computer sends messages directly to the MX servers of the recipient instead of using the SMTP relay hosts of its service provider.

So if a typical hostname looks like, then we can create a regular expression to match it. If a match is found, we can decide what to do with the message, i.e. drop, mark or pass it.

The 'message_from_a_zombie' variable decides what to do with messages from zombies. You can drop those messages (2), mark them as spam immediately, skipping the antispam check (1), or let the statistical module decide their fate (0). The last option is the default action.

There are cases when your SMTP server running clapf sits behind other SMTP servers, so you don't deal with the real sender directly. Unfortunately this prevents clapf from finding out whether a zombie sent the email or not. To work around the problem, you may specify the IP addresses and hostnames you want clapf to skip.

Let's say you have some MX servers in the domain (11.22.33.*) that pass the emails on to you. Then clapf may encounter mail headers like these:

Received: from ( [])
   by (Postfix) with ESMTP id A18971701E
   for <>; Mon, 17 May 2010 16:10:09 +0200 (CEST)
Received: from ( [])
   by (Postfix) with ESMTP id 3DC3342A18D
   for <>; Mon, 17 May 2010 16:10:09 +0200 (CEST)

If you set the following, then clapf will skip both and (their IP addresses match the skipped_received_ips directive), so clapf knows that is the real sender.


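The header walk described above, as an added example that is not clapf's own code: it skips Received hops whose IP matches a stand-in for skipped_received_ips, tests the real sender's PTR against an assumed generic zombie pattern, and maps the result to the three message_from_a_zombie actions. The hostnames, IPs and the PTR regex are constructed assumptions; only the 11.22.33.* range and the action values come from the page.

```python
import re
from typing import Optional

# Constructed sample: our MX relay in 11.22.33.* (the range named above) hands us
# the message; the earlier hop is the real sender with a dynamic-looking PTR.
SAMPLE_HEADERS = """\
Received: from mx1.example.org (mx1.example.org [11.22.33.10])
   by mail.example.org (Postfix) with ESMTP id A18971701E
   for <user@example.org>; Mon, 17 May 2010 16:10:09 +0200 (CEST)
Received: from c-93-184-216-34.dyn.example.net (c-93-184-216-34.dyn.example.net [93.184.216.34])
   by mx1.example.org (Postfix) with ESMTP id 3DC3342A18D
   for <user@example.org>; Mon, 17 May 2010 16:10:08 +0200 (CEST)
"""

# Stand-in for the skipped_received_ips directive: our own relays in 11.22.33.*.
SKIPPED_RECEIVED_IPS = [re.compile(r"^11\.22\.33\.\d{1,3}$")]

# Assumed generic zombie PTR pattern (not clapf's own regex): the IP's octets
# embedded in the name, or a typical consumer-pool token.
ZOMBIE_PTR = re.compile(
    r"(\d{1,3}[.-]){3}\d{1,3}|\b(dyn|dynamic|dsl|adsl|cable|ppp|pool|dhcp|dial)\b",
    re.IGNORECASE)

# Postfix shape used in the headers above: Received: from <helo> (<ptr> [<ip>])
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\S+\s+\(([^\s\[]+)\s+\[([\d.]+)\]\)", re.I | re.M)

# message_from_a_zombie values described above
PASS_TO_STATS, MARK_AS_SPAM, DROP = 0, 1, 2

def real_sender(headers: str) -> Optional[tuple]:
    """Walk Received headers newest-first; return (ptr, ip) of the first hop
    that is not one of our own relays, or None if every hop is skipped."""
    for ptr, ip in RECEIVED_RE.findall(headers):
        if any(p.match(ip) for p in SKIPPED_RECEIVED_IPS):
            continue
        return ptr, ip
    return None

def is_zombie(ptr: str) -> bool:
    return ZOMBIE_PTR.search(ptr) is not None

def decide(headers: str, message_from_a_zombie: int) -> int:
    """Map the real sender's PTR to the configured action (0, 1 or 2)."""
    hop = real_sender(headers)
    if hop is None or not is_zombie(hop[0]):
        return PASS_TO_STATS
    return message_from_a_zombie  # 0: the statistical module decides anyway
```

If every hop is in the skip list the sender is unknown and the message falls through to the statistical check, which is the safe default when the relay chain is misconfigured.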
Clapf also features a modified postgrey daemon which delays only hosts having a suspicious PTR record. For a detailed explanation of how to install the modified postgrey, please see the zombie/README file.