The following ruleset discards email whose envelope sender domain does not list us as its best (lowest-preference) MX. It is meant to be applied on outgoing email servers, where legitimate mail should only carry sender domains we actually receive mail for:
```
LOCAL_CONFIG
Kbestmx bestmx -T.TMP

LOCAL_RULESETS
SLocal_check_mail
R$*			$: $>canonify $1
# You may (or may not) want to comment the following line
R < @ >			$#OK
R$* < @ $+. > $*	$1 < @ $2 > $3
R$* < @ $+ > $*		$: $2
# Short circuit certain domains (and host names)
Rexample.com		$#OK
R$* . example.com	$#OK
R$*			$: $(bestmx $1 $: NO $)
# If a temporary error occurs, do not block
R$*.TMP			$#OK
Rserver.example.com.	$#OK
R$*			$#discard $: $1
```
This works only as long as spammers forge sender domains whose DNS zones they do not control. If they do control a zone, they can trivially add your relays as MX records for it and the check passes. In that case the ruleset must be extended: for every sender domain whose best MX turns out to be server.example.com, also look up the domain's name servers and discard unless they are ones you trust. Even without that, the above trick erased thousands of outgoing spams yesterday.
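The same decision procedure as the ruleset above, written out in Python so each step (null sender, trailing-dot stripping, the short-circuit domains, the best-MX lookup, the temporary-error escape hatch) can be read and run offline. This is an added example, not code from the post; the post's own non-sendmail version is a Perl MIMEDefang filter. The resolver is injected, so the block runs against constructed zone data; a real deployment would hand in something like dnspython. It also carries the name-server extension the previous paragraph calls for, as an optional `trusted_ns` argument. The host and domain names and the zone tables are assumptions.

```python
"""Sender-domain best-MX check, modelled on the sendmail Local_check_mail ruleset.

Added illustration, not the post's code. server.example.com, example.com and the
zone data are assumptions; swap in a real resolver for production use.
"""
from typing import Callable, Iterable, Optional

OK = "OK"            # corresponds to $#OK
DISCARD = "discard"  # corresponds to $#discard


class TempFail(Exception):
    """Temporary DNS failure (SERVFAIL/timeout): the case the -T.TMP suffix marks."""


# resolver(qname, "MX") -> [(preference, target), ...]; resolver(qname, "NS") -> [name, ...]
Resolver = Callable[[str, str], list]


def canonify(sender: str) -> Optional[str]:
    """Reduce an envelope sender to a bare, lower-cased domain without trailing dot.

    Mirrors the first rules of the ruleset: strip <>, drop a trailing '.' from the
    domain, keep only the part after '@'. Returns None for the null sender '<>'.
    A sender with no '@' is passed through whole, as 'R$* < @ $+ > $*' would not
    match and $1 would remain the entire address.
    """
    s = sender.strip()
    if s.startswith("<") and s.endswith(">"):
        s = s[1:-1].strip()
    if not s:
        return None  # '<>': the 'R < @ > $#OK' line
    domain = s.rsplit("@", 1)[1] if "@" in s else s
    return domain.strip().lower().rstrip(".")


def best_mx(resolver: Resolver, domain: str) -> Optional[str]:
    """Target of the lowest-preference MX, or None when there is none
    (the bestmx map falling back to its '$: NO' default)."""
    records = resolver(domain, "MX")
    if not records:
        return None
    _, target = min(records, key=lambda rec: rec[0])
    return target.lower().rstrip(".")


def check_mail(sender: str, resolver: Resolver, our_mx: str = "server.example.com",
               local_domains: Iterable[str] = ("example.com",),
               trusted_ns: Optional[Iterable[str]] = None) -> str:
    """Return OK or DISCARD for an envelope sender, the way Local_check_mail does.

    trusted_ns is the extension for spammer-controlled zones: when the domain's
    best MX is ours, additionally require that at least one of its name servers
    is one we trust, so pointing a foreign zone's MX at our relay is not enough.
    """
    domain = canonify(sender)
    if domain is None:
        return OK
    for local in local_domains:  # short-circuit our own domain and its host names
        local = local.lower()
        if domain == local or domain.endswith("." + local):
            return OK
    try:
        if best_mx(resolver, domain) != our_mx:
            return DISCARD
        if trusted_ns is not None:
            ns = {n.lower().rstrip(".") for n in resolver(domain, "NS")}
            if not ns & {n.lower().rstrip(".") for n in trusted_ns}:
                return DISCARD
    except TempFail:
        return OK  # -T.TMP: a temporary lookup error must never block mail
    return OK


# Constructed zone data for offline demonstration only (not real DNS).
_MX = {
    "customer.example.net": [(20, "backup.example.org."), (10, "server.example.com.")],
    "spammer.example.org": [(10, "mail.spammer.example.org.")],
    "nomx.example.org": [],
    # a zone the spammer controls, with its MX pointed at our relay
    "attacker.example.org": [(5, "server.example.com.")],
}
_NS = {
    "customer.example.net": ["ns1.example.com.", "ns2.example.com."],
    "attacker.example.org": ["ns1.attacker.example.org."],
}


def fake_resolver(qname: str, rrtype: str) -> list:
    """Stand-in resolver over the constructed tables above."""
    if qname == "flaky.example.org":
        raise TempFail(qname)
    table = _MX if rrtype == "MX" else _NS
    return table.get(qname, [])  # unknown name: behaves like NXDOMAIN / no records


if __name__ == "__main__":
    for s in ("<>", "user@example.com", "bob@spammer.example.org",
              "<alice@customer.example.net.>", "x@flaky.example.org",
              "x@attacker.example.org"):
        print(f"{s:32} -> {check_mail(s, fake_resolver)}")
```

Note that `attacker.example.org` is accepted by the plain check, exactly the weakness described above, and is only discarded once `trusted_ns` is supplied; and that `flaky.example.org`, whose lookup fails temporarily, is always accepted rather than risking loss of legitimate mail.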
PS: As I posted on Twitter, I rewrote the above filter in ~35 lines of Perl (subroutine filter_sender for MIMEDefang's mimedefang-filter). The sendmail version is both more compact and more readable (at least to me).