--On Thursday, March 10, 2005 9:42 AM +0100 Xavier Roche <[EMAIL PROTECTED]> wrote:

> I wrote some time ago a small test to check incoming IPs for specific
> vulnerable open ports (DCOM ports) to score potentially trojanned Windows
> machines.

Nice. Definitely put it on the wiki. (Does the wiki support attachments? If not, I guess the Perl could be inlined.) Here's where to hang it:


<http://wiki.apache.org/spamassassin/CustomPlugins>

I question the name, though. "Zombie" sounds too general for a TCP port 135 check. Better to say specifically what's wrong with the relay (i.e. "with listening TCP port 135") so that the admin knows exactly what's triggering the rule.

As your code can check for other ports, an admin could extend it to check for other kinds of zombies and define distinct rules for each flavor.
