Handling Zombies

Some of the spam, malware and phishing emails come from zombie networks. Fortunately for us they share a generic pattern. A zombie computer sends messages directly to the MX servers of the recipient instead of using the SMTP relay hosts of its service provider.

So if a typical zombie hostname looks like c-98-214-27-79.hsd1.il.comcast.net, we can write a regular expression to match it. If a match is found, we can decide what to do with the message, i.e. drop, mark or pass it.

The ‘message_from_a_zombie’ variable decides what to do with messages from zombies. You can drop those messages (2), mark them as spam immediately, skipping the antispam check (1), or let the statistical module decide their fate (0). The last option is the default.

To make the zombie detection work, we need a regex file containing patterns. The $(datarootdir)/clapf/zombienets.regex.dist file is a good starting point for creating your own zombie regex file, i.e. $(datarootdir)/clapf/zombienets.regex (/usr/local/clapf/zombienets.regex by default).

There are cases when the SMTP server running clapf sits behind other SMTP servers, so you don’t deal with the real sender directly. Unfortunately this prevents clapf from finding out whether a zombie sent the email or not. To work around the problem, you may specify the IP addresses and hostnames you want clapf to skip.

Let’s say you have some MX servers in the xxxx.hu domain (11.22.33.*) that pass you the emails. Then clapf may encounter a mail header like this:

Received: from mx1.xxxx.hu (mx1.xxxx.hu [11.22.33.112])
   by mx.acts.hu (Postfix) with ESMTP id A18971701E
   for <sj@acts.hu>; Mon, 17 May 2010 16:10:09 +0200 (CEST)
Received: from netcabo.pt (a213-22-49-142.cpe.netcabo.pt [213.22.49.142])
   by mx1.xxxx.hu (Postfix) with ESMTP id 3DC3342A18D
   for <sj@acts.hu>; Mon, 17 May 2010 16:10:09 +0200 (CEST)

If you set the following, clapf will skip both mx1.xxxx.hu and 11.22.33.112 (the IP address matches the skipped_received_ips directive), so clapf knows that a213-22-49-142.cpe.netcabo.pt/213.22.49.142 is the real sender.

skipped_received_ips=11.22.33.
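The following is an added example, not clapf's own code, showing the two steps described above end to end: walking the Received headers from the top, skipping any hop whose IP matches a skipped_received_ips prefix, and then testing the first remaining hostname against zombie-style regex patterns to pick the action that message_from_a_zombie selects. The sample headers are the ones quoted above; the two regex patterns are assumptions written for this example and are not the contents of zombienets.regex.dist.

```python
import re

# Constructed sample input: the Received headers from the documentation's own
# example, newest hop first, as they appear in a message.
SAMPLE_HEADERS = """Received: from mx1.xxxx.hu (mx1.xxxx.hu [11.22.33.112])
   by mx.acts.hu (Postfix) with ESMTP id A18971701E
   for <sj@acts.hu>; Mon, 17 May 2010 16:10:09 +0200 (CEST)
Received: from netcabo.pt (a213-22-49-142.cpe.netcabo.pt [213.22.49.142])
   by mx1.xxxx.hu (Postfix) with ESMTP id 3DC3342A18D
   for <sj@acts.hu>; Mon, 17 May 2010 16:10:09 +0200 (CEST)
"""

# Assumed zombie patterns (illustrative, not clapf's zombienets.regex.dist):
# consumer-ISP reverse names that embed the IP address as dash-separated octets.
ZOMBIE_PATTERNS = [
    re.compile(r"^c-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.hsd\d+\.[a-z]{2}\.comcast\.net$", re.I),
    re.compile(r"^a\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.cpe\.netcabo\.pt$", re.I),
]

# Same semantics as the skipped_received_ips directive: a string prefix match.
SKIPPED_RECEIVED_IPS = ["11.22.33."]

# Maps the message_from_a_zombie setting to the action the text describes.
ACTIONS = {2: "drop", 1: "spam", 0: "scan"}

# Captures the reverse-DNS name and IP from "Received: from helo (rdns [ip])".
RECEIVED_RE = re.compile(r"^Received: from \S+ \(([^\s\[]+) \[([\d.]+)\]\)", re.M)


def unfold_headers(raw):
    # RFC 5322 folding: a continuation line starts with whitespace.
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def find_real_sender(raw_headers, skipped_prefixes):
    """Walk the Received headers top-down (newest first) and return the first
    (hostname, ip) pair whose IP does not match a skipped prefix, or None."""
    for host, ip in RECEIVED_RE.findall(unfold_headers(raw_headers)):
        if any(ip.startswith(prefix) for prefix in skipped_prefixes):
            continue  # one of our own MX hosts, not the real sender
        return host, ip
    return None


def is_zombie(hostname, patterns=ZOMBIE_PATTERNS):
    """True if the sending host's reverse name matches any zombie pattern."""
    return any(pattern.search(hostname) for pattern in patterns)


def decide(raw_headers, message_from_a_zombie=0, skipped_prefixes=SKIPPED_RECEIVED_IPS):
    """Return 'drop', 'spam' or 'scan'. A non-zombie sender, or a message whose
    real sender cannot be determined, always goes on to the normal scan."""
    sender = find_real_sender(raw_headers, skipped_prefixes)
    if sender is None or not is_zombie(sender[0]):
        return "scan"
    return ACTIONS[message_from_a_zombie]


if __name__ == "__main__":
    for setting in (2, 1, 0):
        print("message_from_a_zombie=%d ->" % setting,
              decide(SAMPLE_HEADERS, setting, SKIPPED_RECEIVED_IPS))
    # Without the skip list the relay mx1.xxxx.hu is taken as the sender,
    # so the zombie behind it is never seen.
    print("without skipped_received_ips ->", decide(SAMPLE_HEADERS, 2, []))
```

With the skip list the real sender resolves to a213-22-49-142.cpe.netcabo.pt and the action follows the setting; with an empty skip list the relay mx1.xxxx.hu is taken as the sender and the message is simply passed to the scanner, which is exactly the blind spot the skipped_received_ips directive closes.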

Clapf also features a modified postgrey daemon which delays only hosts having a suspicious PTR record. For a detailed explanation of how to install the modified postgrey, please see the zombie/README file.