I think this is out of the realm of sendmail itself but is there a way
to configure it so that mail from <> to a certain user is rejected
outright at the smtp layer. We have some issues with users being the
subject of reverse spam attacks. We can deal with the mail during
mailbox delivery but we wish to block at the gateway. We also use
spamassassin and mimedefang so we can probably put such a rejection
there if sendmail itself cannot be configured. Has anyone configured
this in mimedefang?

Roberto Ullfig wrote:

> I think this is out of the realm of sendmail itself but is there a way
> to configure it so that mail from <> to a certain user is rejected
> outright at the smtp layer. We have some issues with users being the
> subject of reverse spam attacks. We can deal with the mail during
> mailbox delivery but we wish to block at the gateway. We also use
> spamassassin and mimedefang so we can probably put such a rejection
> there if sendmail itself cannot be configured. Has anyone configured
> this in mimedefang?

It's really easy. Something like this:

sub filter_recipient
{
my($recipient, $sender, $rest_of_the_junk) = @_;
if ($sender eq <> && (
$recipient eq '<person1@example.com>' ||
$recipient eq '<person2@example.com>' ||
$recipient eq '<person3@example.com>')) {
return ('REJECT', 'Unwanted backscatter... sorry');
}
return ('CONTINUE', 'OK');
}

You can obviously clean up the logic, and may need to do canonicalization
on recipient addresses to account for upper/lower-case variations, but
the idea is simple.

Regards,

David.

David F. Skoll wrote:

Oops... I missed a couple of important quotation marks...

sub filter_recipient
{
my($recipient, $sender, $rest_of_the_junk) = @_;
if ($sender eq '<>' && (
$recipient eq '<person1@example.com>' ||
$recipient eq '<person2@example.com>' ||
$recipient eq '<person3@example.com>')) {
return ('REJECT', 'Unwanted backscatter... sorry');
}
return ('CONTINUE', 'OK');
}

-- David.

"Roberto Ullfig" <rullfig@uic.edu> wrote in message
news:810b1fbc-7980-4c20-a0b9-8c0a5ead5072@t54g2000hsg.googlegroups.com...
> I think this is out of the realm of sendmail itself but is there a way
> to configure it so that mail from <> to a certain user is rejected
> outright at the smtp layer. We have some issues with users being the
> subject of reverse spam attacks. We can deal with the mail during
> mailbox delivery but we wish to block at the gateway. We also use
> spamassassin and mimedefang so we can probably put such a rejection
> there if sendmail itself cannot be configured. Has anyone configured
> this in mimedefang?

As an alternative to the other response, look into the "compat" feature for
the access file. It specifies sender and recipient pairs.

D. Stussy wrote:

> As an alternative to the other response, look into the "compat"
> feature for the access file. It specifies sender and recipient
> pairs.

That's a much superior solution if you aren't already using MIMEDefang
for other things. MIMEDefang is a rather heavyweight solution.

If you are already using MIMEDefang for other things, you need to
decide which is easier to maintain and extend (Perl or Sendmail rules
and tables), and that really depends on your taste and needs. I tend
to go the Perl route because I'm more of a programmer than a Sendmail
cf guru. :-)

Regards,

David.

"D. Stussy" <spam@bde-arc.ampr.org> wrote:

> "Roberto Ullfig" <rullfig@uic.edu> wrote in message
> news:810b1fbc-7980-4c20-a0b9-8c0a5ead5072@t54g2000hsg.googlegroups.com...
>> I think this is out of the realm of sendmail itself but is there a way
>> to configure it so that mail from <> to a certain user is rejected
>> outright at the smtp layer. We have some issues with users being the
>> subject of reverse spam attacks. We can deal with the mail during
>> mailbox delivery but we wish to block at the gateway. We also use
>> spamassassin and mimedefang so we can probably put such a rejection
>> there if sendmail itself cannot be configured. Has anyone configured
>> this in mimedefang?
>
> As an alternative to the other response, look into the "compat" feature for
> the access file. It specifies sender and recipient pairs.

http://www.sendmail.org/m4/features.html#compat_check
<quote>
compat_check Enable ruleset check_compat to look up pairs of
addresses with the Compat: tag -- Compat:sender<@>recipient -- in the
access map. Valid values for the RHS include
* DISCARD: silently discard recipient
* TEMP: return a temporary error
* ERROR: return a permanent error

In the last two cases, a 4xy/5xy SMTP reply code should follow the
colon.
</quote>

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/
If you are going to run a rinky-dink distro made by a couple of
volunteers, why not run a rinky-dink distro made by a lot of volunteers?
-- Jaldhar H. Vyas on debian-devel

On 03/23/08 10:21, Andrzej Adam Filip wrote:
> http://www.sendmail.org/m4/features.html#compat_check
> <quote>
> compat_check Enable ruleset check_compat to look up pairs of
> addresses with the Compat: tag -- Compat:sender<@>recipient -- in the
> access map. Valid values for the RHS include
> * DISCARD: silently discard recipient
> * TEMP: return a temporary error
> * ERROR: return a permanent error
>
> In the last two cases, a 4xy/5xy SMTP reply code should follow the
> colon.
> </quote>

I know what the documentation says. However in my tests compat_check
ran after the SMTP session was finished. So even if you send an error
(temporary or permanent) the SMTP session still saw that the message was
accepted.

In short, do some serious testing of this before you rely on it.



Grant. . . .

Grant Taylor <gtaylor@riverviewtech.net> wrote:

> On 03/23/08 10:21, Andrzej Adam Filip wrote:
>> http://www.sendmail.org/m4/features.html#compat_check
>> <quote>
>> compat_check Enable ruleset check_compat to look up pairs of
>> addresses with the Compat: tag -- Compat:sender<@>recipient -- in the
>> access map. Valid values for the RHS include
>> * DISCARD: silently discard recipient
>> * TEMP: return a temporary error
>> * ERROR: return a permanent error
>>
>> In the last two cases, a 4xy/5xy SMTP reply code should follow the
>> colon.
>> </quote>
>
> I know what the documentation says. However in my tests compat_check
> ran after the SMTP session was finished. So even if you send an error
> (temporary or permanent) the SMTP session still saw that the message
> was accepted.
>
> In short, do some serious testing of this before you rely on it.

Thank you for pointing out I have quoted misleading documentation
*without* making it less misleading.

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/
Example is not the main thing in influencing others. It is the only thing.
-- Albert Schweitzer

On 03/24/08 11:16, Andrzej Adam Filip wrote:
> Thank you for pointing out I have quoted misleading documentation
> *without* making it less misleading.

I'm sorry for being misleading. I was trying to make others aware that
things were *not as they seem* *prior* to someone depending on them.

Rather than stating false information I was stating what limited
information I had (/ have) available at the (/ this) time.

My previous testing on the "compat_check" / "check_compat" ruleset and /
or routine did not behave as you might think. My testing was along the
lines of recipient does not want messages from sender and to return a
specific error to that effect. However the message was refused at the
SMTP level with a generic non descript error that was not what I wanted
returned.

I'm sorry that I don't have more details than that as it has been more
than a year since I tried. At the point in time that I found that the
error message was the generic non descript I found a different solution
to my needs.



Grant. . . .