Preventing Local Users from Replying to Spammers

Before creating any user accounts, create an acceptable use policy that, among many other things, gives you the power to block spam communications—both inbound and outbound. Ensure that all users agree to this policy before giving out any user accounts.

Add the spam addresses you want blocked to the /etc/mail/access text file. Use To: and From: tags to prevent mail from being sent to spammers or from being accepted from spammers. Run makemap to build a hash database from the text file.

Create a sendmail configuration that enables the access database with the access_db feature. The required sendmail FEATURE command is:

dnl Use the access database
FEATURE(`access_db')

Rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail.

By default, the access database applies to source addresses. The action defined in the database entry is taken based on the source of the email. For example, mail from anyone at example.com is rejected with an “Access denied” error. However, the access database does not prevent mail from the local host being sent to someone at example.com.

Adding the To: tag to an access database entry applies the action defined in the entry to recipient addresses that match the key, while the From: tag specifically requests that the action be applied to matching source addresses. Here is the access database rewritten with To: and From: tags:

From:example.com          REJECT
To:example.com            ERROR:5.7.1:550 Mail to this site is not allowed
From:wrotethebook.net     ERROR:5.7.1:550 Invalid mail source
To:wrotethebook.net       ERROR:5.7.1:550 Mail to this site is not allowed
From:fake.ora.com         DISCARD
To:fake.ora.com           ERROR:5.7.1:550 Mail to this site is not allowed

Because the action for the From: example.com entry is REJECT, mail from that site is rejected. With the addition of the To: entry, mail addressed to example.com is also rejected, as this test shows:

# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
HELO localhost
250 chef.wrotethebook.com Hello IDENT:UWSRv+Jij66J8vALUBVBECbGPVoU8OQe@localhost [127.0.0.1], pleased to meet you
MAIL From:<craig@chef.wrotethebook.com>
250 2.1.0 <craig@chef.wrotethebook.com>... Sender ok
RCPT To:<crook@example.com>
550 5.7.1 <crook@example.com>... Mail to this site is not allowed
QUIT
221 2.0.0 chef.wrotethebook.com closing connection
Connection closed by foreign host.

Alternatives

The blacklist_recipients feature is an alternative way to block outbound mail to known spammers. The blacklist_recipients feature applies every untagged entry in the access database to recipient addresses. The following lines added to the sendmail configuration enable the access database and apply the database to recipient addresses:

dnl Use the access database
FEATURE(`access_db')
dnl Also apply the access database to recipient addresses
FEATURE(`blacklist_recipients')

The blacklist_recipients feature works well, and it is very easy to use. However, because it applies to every untagged entry in the access database, it does not provide the level of configuration control provided by the To: tag. Additionally, tags are self-documenting. Anyone looking at the sample access database just shown understands that mail to example.com is not allowed when they see the To: tag and the error in the action field.
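
The To:/From: tag rules and the blacklist_recipients behaviour described above can be checked offline before the database is rebuilt. The following is an added example, not code from the original text or from sendmail: a simplified Python model of the lookup rules as this page states them, which reports keys that are blocked as a mail source but that local users can still send to. The sample file contents, the spam.example.net entry, and all function names are assumptions made for the illustration; matching a domain entry against its subdomains is also part of the simplified model.

```python
# Simplified model of the lookup rules described on this page; not sendmail's code.
# ACCESS_TEXT is a constructed sample: fake.ora.com has no To: entry here, and
# spam.example.net is a hypothetical untagged entry.
ACCESS_TEXT = """\
From:example.com     REJECT
To:example.com       ERROR:5.7.1:550 Mail to this site is not allowed
From:fake.ora.com    DISCARD
spam.example.net     REJECT
"""

def parse_access(text):
    """Return {(tag or None, key): action} from access-file text."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # skip blank lines, comments, and keys with no action
        tag, sep, rest = parts[0].partition(":")
        if sep and tag.lower() in ("from", "to", "connect"):
            table[(tag.lower(), rest.lower())] = parts[1].strip()
        else:
            table[(None, parts[0].lower())] = parts[1].strip()
    return table

def candidates(address):
    """Lookup keys: the full address, then its domain and each parent domain."""
    address = address.lower()
    labels = address.rpartition("@")[2].split(".")
    return [address] + [".".join(labels[i:]) for i in range(len(labels) - 1)]

def check(table, direction, address, blacklist_recipients=False):
    """Action for a sender ("from") or recipient ("to"); None if nothing applies."""
    for key in candidates(address):
        if (direction, key) in table:
            return table[(direction, key)]
        # Untagged entries cover senders; recipients only with blacklist_recipients.
        if (None, key) in table and (direction == "from" or blacklist_recipients):
            return table[(None, key)]
    return None

def is_block(action):
    """True for actions that stop delivery (REJECT, DISCARD, ERROR:...)."""
    return action is not None and action.split(":")[0].upper() in ("REJECT", "DISCARD", "ERROR")

def outbound_gaps(table, blacklist_recipients=False):
    """Keys blocked as a mail source that local users can still send to."""
    return sorted({key for _, key in table
                   if is_block(check(table, "from", key))
                   and not is_block(check(table, "to", key, blacklist_recipients))})
```

Calling outbound_gaps(parse_access(ACCESS_TEXT)) on the sample lists fake.ora.com and spam.example.net; with blacklist_recipients=True only fake.ora.com remains, because the untagged entry then also applies to recipients.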