check_rcpt Example by Ted Deppner

Last Update 1997-11-03

Here is an interesting extension for check_rcpt by Ted Deppner. He writes: "We basically say: Is it a local client? Is it destined for us? (At this point we know WE aren't sending it, and it is destined for US.) We then ask: Are they saying they are us?"

And his ruleset is:

# ip-names of tcp clients that can do anything they want
F{LocalNames} /etc/mail/relay.localnames
# names of mail domains AND tcp clients we handle mail for
F{RelayTo} /etc/mail/relay.relayto

Scheck_rcpt
# first: get client addr
R$+				$: $(dequote "" $&{client_name} $) $| $1
#R$+				$: $(dequote "" $&{client_addr} $) $| $1
R $| $*				$@ ok   # no client addr: directly invoked
R$*$={LocalNames} $| $*		$@ ok   # from here
#R$={LocalAddr}$* $| $*		$@ ok   # from here
# not local, check rcpt
R$* $| $*			$: $>3 $2
# remove local part, maybe repeatedly
R$*<@$=w.>$*			$>3 $1 $3
# alternatively:
R$*<@$*$={RelayTo}.>$*		$>3 $1 $4
# still something left? -> mark it
R$*<@$+>$*			$: <RELAY>
# now get and canonify the FROM address
R$*				$: $1 $| $>3 $(dequote "" $&f $)
# compare it with a "local" domain
R$* $| $*<@$*$={RelayTo}.>	$#error $@ 4.7.1 $: 471 Your attempt at spam failed 
# nope, it's a relay attempt
R<RELAY> $| $*			$#error $@ 5.7.1 $: 571 we do not relay

So the trick is: if it comes from an outside machine and goes to a local address, but has a local address as FROM, then it is probably a spam attempt. This has actually happened (it is used to get around some guards), so this is another step in fighting spam. However, it is possible that this check catches mail which has been forwarded from another site back to yours (the envelope FROM stays the same!). So be careful with these rules and check your logfile (such mail is only temporarily rejected).
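To make the decision order of the ruleset easy to check against concrete transactions, here is a small Python model of it. This is an added example, not Ted Deppner's ruleset or any sendmail code: it walks the same steps (trusted client, strip the local domains from the recipient, mark what is left as RELAY, compare the envelope FROM with the RelayTo domains, then refuse relaying). The class contents are constructed stand-ins for relay.localnames, relay.relayto and class w; canonify() is a crude stand-in for ruleset 3; and the `$*$={RelayTo}` match is read as "equal to, or a subdomain of, a class member". The sample transactions at the bottom are likewise constructed.

```python
"""
Model of the check_rcpt ruleset shown above (added example, not the page's
own code).  Outcomes mirror the four rule results: "ok", the temporary
4.7.1 rejection for an outside client claiming a local sender, and the
permanent 5.7.1 rejection for a plain relay attempt.
"""

# Constructed stand-ins for the two class files and for class w.
LOCAL_NAMES = {"mail.example.net", "10.0.0.5"}    # F{LocalNames}: clients that may do anything
RELAY_TO = {"example.net", "example.org"}          # F{RelayTo}: domains we handle mail for
LOCAL_HOSTS = {"mail.example.net", "localhost"}    # $=w: this host's own names

TEMP_FAIL = "4.7.1 471 Your attempt at spam failed"   # $#error $@ 4.7.1
RELAY_DENIED = "5.7.1 571 we do not relay"            # $#error $@ 5.7.1


def canonify(addr):
    """Crude stand-in for ruleset 3 ($>3): drop <>, whitespace and a trailing
    dot, lowercase, and turn user%host into user@host (the '%' hack)."""
    a = addr.strip().strip("<>").strip().lower().rstrip(".")
    if "@" not in a and "%" in a:
        local, _, host = a.rpartition("%")
        a = local + "@" + host
    return a


def split(addr):
    """Return (local_part, domain); domain is '' when there is no '@'."""
    local, sep, domain = addr.rpartition("@")
    return (local, domain) if sep else (addr, "")


def in_class(name, members):
    """Model of $*$={Class}: name equals a member or is a subdomain of one."""
    return any(name == m or name.endswith("." + m) for m in members)


def check_rcpt(rcpt, env_from, client_name=""):
    # R $| $*                 $@ ok   -- no client name: directly invoked
    if not client_name:
        return "ok"
    # R$*$={LocalNames} $| $* $@ ok   -- trusted local client
    if in_class(client_name.lower(), LOCAL_NAMES):
        return "ok"
    # R$*<@$=w.>$*    $>3 $1 $3       -- remove our own host names, maybe repeatedly
    local, domain = split(canonify(rcpt))
    while domain in LOCAL_HOSTS:
        local, domain = split(canonify(local))
    # R$*<@$*$={RelayTo}.>$*  $>3 $1 $4  -- then the domains we relay for
    while domain and in_class(domain, RELAY_TO):
        local, domain = split(canonify(local))
    # R$*<@$+>$*      $: <RELAY>      -- still a domain left? recipient is not ours
    relay = bool(domain)
    # R$* $| $*<@$*$={RelayTo}.>      -- outside client claims one of our domains as FROM
    _, from_domain = split(canonify(env_from))
    if in_class(from_domain, RELAY_TO):
        return TEMP_FAIL
    # R<RELAY> $| $*                  -- plain relay attempt
    if relay:
        return RELAY_DENIED
    return "ok"


if __name__ == "__main__":
    # Constructed sample transactions: (recipient, envelope FROM, client name).
    samples = [
        ("bob@example.net", "carol@remote.test", "mx.remote.test"),            # normal inbound
        ("bob@example.net", "alice@example.net", "mx.remote.test"),            # forged local FROM
        ("victim@remote.test", "carol@remote.test", "mx.remote.test"),         # relay attempt
        ("victim%remote.test@example.net", "carol@remote.test", "mx.remote.test"),  # % hack
        ("bob@example.net", "alice@example.net", "fwd.remote.test"),           # forwarded mail (the caveat)
        ("victim@remote.test", "carol@remote.test", "pc1.mail.example.net"),   # local client
        ("bob@example.net", "<>", "mx.remote.test"),                           # bounce, empty FROM
    ]
    for rcpt, sender, client in samples:
        print(f"{client:22} {sender:20} -> {rcpt:32} {check_rcpt(rcpt, sender, client)}")
```

Two things the model makes visible: because the FROM comparison comes before the `<RELAY>` rule, a relay attempt that also forges a local sender gets the temporary 471, not the permanent 571; and the forwarded-mail case (a message from one of your users that an outside forwarder sends back to you with the envelope FROM untouched) is indistinguishable from the forged case at this point, which is why the page advises watching the log.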
Claus Aßmann Please send comments to: <ca@informatik.uni-kiel.de>