Preventing Local Users from Replying to Spammers

Before creating any user accounts, create an acceptable use policy that, among many other things, gives you the power to block spam communications—both inbound and outbound. Ensure that all users agree to this policy before giving out any user accounts.

Add the spam addresses you want blocked to the /etc/mail/access text file. Use To: and From: tags to prevent mail from being sent to spammers or from being accepted from spammers. Run makemap to build a hash database from the text file.

Create a sendmail configuration that enables the access database with the access_db feature. The required sendmail FEATURE command is:

dnl Use the access database
FEATURE(`access_db')

Rebuild the file, copy the new file to /etc/mail, and restart sendmail.

By default, the access database applies to source addresses. The action defined in the database entry is taken based on the source of the email. For example, mail from anyone at is rejected with an “Access denied” error. However, the access database does not prevent mail from the local host being sent to someone at

Adding the To: tag to an access database entry applies the action defined in the entry to recipient addresses that match the key, while the From: tag specifically requests that the action be applied to matching source addresses. Here is the access database rewritten with To: and From: tags:

REJECT
ERROR:5.7.1:550 Mail to this site is not allowed
ERROR:5.7.1:550 Invalid mail source
ERROR:5.7.1:550 Mail to this site is not allowed
DISCARD
ERROR:5.7.1:550 Mail to this site is not allowed

Because the action for the From: entry is REJECT, mail from that site is rejected. With the addition of the To: entry, mail addressed to is also rejected, as this test shows:

# telnet localhost smtp

Trying

Connected to localhost.

Escape character is '^]'.

220 ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400

HELO localhost

250 Hello IDENT:UWSRv+Jij66J8vALUBVBECbGPVoU8OQe@localhost   [], pleased to meet you

MAIL From:<>

250 2.1.0 <>... Sender ok  

RCPT To:<>

550 5.7.1 <>... Mail to this site is not allowed


221 2.0.0 closing connection

Connection closed by foreign host.

The blacklist_recipients feature is an alternative way to block outbound mail to known spammers. The blacklist_recipients feature applies every untagged entry in the access database to recipient addresses. The following lines added to the sendmail configuration enable the access database and apply the database to recipient addresses:

dnl Use the access database
FEATURE(`access_db')
dnl Also apply the access database to recipient addresses
FEATURE(`blacklist_recipients')

The blacklist_recipients feature works well, and it is very easy to use. However, because it applies to every untagged entry in the access database, it does not provide the level of configuration control provided by the To: tag. Additionally, tags are self-documenting. Anyone looking at the sample access database just shown understands that mail to is not allowed when they see the To: tag and the error in the action field.
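A check for the gap described above, as an added example that is not part of the original text: it reads an access text file and lists the keys whose senders are blocked while local users can still send mail to them. The .example domains, the function names, and the exact-key matching are assumptions of this example.

```python
import re

# Constructed sample access file; the .example domains are placeholders.
SAMPLE_ACCESS = """\
# blocked in both directions
From:spam-a.example     REJECT
To:spam-a.example       ERROR:5.7.1:550 Mail to this site is not allowed
# inbound only: local users can still reply to this one
From:spam-b.example     DISCARD
# untagged: recipient side is covered only with blacklist_recipients
spam-c.example          REJECT
# not a block action, so never reported
To:partner.example      OK
"""

# A leading "Word:" is treated as a tag. Only From:, To: and untagged keys
# are audited; entries with any other tag (Connect:, IPv6:, ...) are ignored.
TAGGED = re.compile(r"^([A-Za-z_]+):(.+)$")

def is_block(action):
    """True for actions that refuse or drop mail (REJECT, DISCARD, ERROR:...)."""
    a = action.upper()
    return a in ("REJECT", "DISCARD") or a.startswith("ERROR:")

def parse_access(text):
    """Yield (tag, key, action); tag is 'from', 'to', '' (untagged) or another tag."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # key without an action: not a usable entry
        m = TAGGED.match(parts[0])
        tag, key = (m.group(1).lower(), m.group(2)) if m else ("", parts[0])
        yield tag, key.lower(), parts[1].strip()

def reply_gaps(text, blacklist_recipients=False):
    """Return keys whose senders are blocked but whose recipients are not."""
    src, dst = set(), set()
    for tag, key, action in parse_access(text):
        if not is_block(action):
            continue
        if tag in ("from", ""):
            src.add(key)
        if tag == "to" or (tag == "" and blacklist_recipients):
            dst.add(key)
    return sorted(src - dst)
```

Pass `blacklist_recipients=True` when the sendmail configuration enables that feature, so untagged entries count as covering recipients as well.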