Wietse Venema, author of tcp-wrappers, portmap, and other security tools, has developed an access control patch for sendmail. This allows the sysadmin to designate hostnames from which mail will not be accepted. This can be effective against spam: after the first round of spam, simply type in the name/address of the spammer's email host. However, a few caveats:

- This is only as good as the IP address/domain name. Be aware that IP addresses/domain names can easily be spoofed. Also, persistent spammers change their mail hosts to foil this kind of solution. (I think I read somewhere that there's also a little-used SMTP source-routing protocol, which, I suppose, could be used to get around this.) Still, it may give you some relief if your users are getting bombarded with spam.

- This can lead to a denial of service attack, depending on whom you rely on for your list of spam sites (this is why I'm not planning on maintaining such a list). If you maintain the list of blocked hosts yourself based on first-hand experience with spammers, this is probably not a problem. If, however, WWW sites spring up with lists of e-mail spam sites, and you accept these lists unquestioningly, you might wind up blocking e-mail service to sites that your users wish to receive bona fide email from.

- Finally, you have to be using sendmail version 8.7.5 (or you have to be prepared for a little customization).
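One way to guard against the self-inflicted denial of service described above is to vet a third-party block list against hosts your users already receive legitimate mail from before adopting any entry. The sketch below is an added example, not part of the patch or of the original note; it assumes block-list entries use a subset of the tcp-wrappers hosts_access(5) client patterns, and the function names and all sample hosts and addresses are constructed for illustration.

```python
import ipaddress

def matches(pattern, host, addr):
    """Subset of hosts_access(5) client patterns: .domain, n.n.n., net/mask, exact."""
    pattern, host = pattern.strip().lower(), host.lower()
    if pattern.startswith("."):          # domain suffix, e.g. ".partner.example"
        return host.endswith(pattern)
    if pattern.endswith("."):            # address prefix, e.g. "203.0.113."
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask, e.g. "198.51.100.0/255.255.255.0"
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)       # exact host name or address

def vet(candidates, known_good):
    """Split candidate block entries into (safe, review).

    An entry goes to review if it would block a known-good sender,
    or if it is malformed and cannot be evaluated.
    """
    safe, review = [], []
    for pat in candidates:
        try:
            hits = [h for h, a in known_good if matches(pat, h, a)]
        except ValueError:               # bad net/mask from an untrusted list
            hits = ["<malformed entry>"]
        (review if hits else safe).append((pat, hits))
    return safe, review

# Constructed sample data: senders seen delivering wanted mail (host, address).
KNOWN_GOOD = [
    ("mail.partner.example", "192.0.2.10"),
    ("lists.university.example", "198.51.100.7"),
]
# Constructed sample of a block list obtained from someone else.
CANDIDATES = [
    ".bulkmail.example",
    "203.0.113.",
    ".partner.example",
    "198.51.100.0/255.255.255.0",
    "10.0.0.0/not-a-mask",
]

if __name__ == "__main__":
    safe, review = vet(CANDIDATES, KNOWN_GOOD)
    for pat, _ in safe:
        print("ok to block:", pat)
    for pat, hits in review:
        print("needs review:", pat, "->", ", ".join(hits))
```

Entries in the review list are the ones that would cut off mail your users want, so they should be checked by hand rather than accepted from the list.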

More information and the patch are available from:

ftp://ftp.win.tue.nl/pub/security/sendmail-tcpd.patch

Thanks to Shumon Huque in SAS computing for pointing this out.

Dave