
Anti spam methodologies (is it the new frontier?)




One of my clients (who is using ZMAILER) has been having problems with sites
outside using their systems as mail exploders for spamming.  I.e. they
submit mail via SMTP with a couple hundred AOL and Compu$erve addresses and
expect us to do the spam delivery for them.  

Also occasionally, a new client thinks we've just fallen off a passing
turnip truck and tries to spam from one of our systems.  That's the quickest
way I know to get a prompt and (not so) courteous refund.  :-)

This obviously rubs us the wrong way for (at least) two reasons: we hate
spam, and we hate people who abuse our mail system without asking first.

Since this client is selling web sites, it's not practical to block access
from all of e.g. interramp.com's IP address space.

I've thought of a few fairly simple approaches, and I thought I'd see what
the folks here think.  I would prefer to abort the SMTP session, rather than
attempting to return the spam mail.

The first solution that comes to mind is to refuse to accept mail that is
not either from or to a local IP address/host.  This would be a little
awkward, since it's not always immediately evident which incoming mail is
destined for local hosts.  Probably not practical.

The second solution would be to set (at runtime via a command-line option) a
maximum number of recipients that we will accept in a single mail message.
Generally these scum of the earth are lazy and using PCs and they therefore
like to put a ton of addresses on each individual message.  Since we frown
upon spamming by internal folks too, and we don't run any mailing lists,
this looks like an attractive solution.  This solution could be implemented
entirely within smtpserver without need of any outside intelligence, and
with minimum code change, since it really just requires a counter around the
"Rcpt_to" processing.

Lastly, a sort-of combination of the two might be best: refuse to accept
more than X recipients from a non-internal IP address.

A really simple one I just thought of: if we cannot establish an SMTP session
back to them (indicating a spamming PC) tell them to shove off.  If we can,
well.. heh heh... just send it back to 'em. :-)

Comments before I start hacking?

-Andy

(this sig left intentionally blank - too many hats for one sig)
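
The combined policy proposed in the message above (a per-message recipient counter that only limits non-internal clients), as an added example that is not part of the original post and not ZMailer's own code. The struct, function names, the IP4 macro and the 192.0.2.0/24 "internal" network are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical per-connection state; not ZMailer's real structures. */
struct smtp_session {
    uint32_t peer;        /* client IPv4 address, host byte order */
    unsigned rcpt_count;  /* recipients accepted for the current message */
};

enum rcpt_verdict { RCPT_ACCEPT, RCPT_REFUSE_AND_DROP };

/* Constructed "internal" address space (documentation range). */
static const struct { uint32_t net, mask; } internal_nets[] = {
    { IP4(192, 0, 2, 0), 0xFFFFFF00u },
};

static int is_internal(uint32_t ip) {
    for (size_t i = 0; i < sizeof internal_nets / sizeof internal_nets[0]; i++)
        if ((ip & internal_nets[i].mask) == internal_nets[i].net)
            return 1;
    return 0;
}

/* Call on MAIL FROM and RSET: each message gets a fresh count. */
void session_reset(struct smtp_session *s) { s->rcpt_count = 0; }

/* Call once per RCPT TO. On RCPT_REFUSE_AND_DROP the caller sends an
 * error reply and closes the connection instead of queueing the mail. */
enum rcpt_verdict on_rcpt_to(struct smtp_session *s, unsigned max_external) {
    if (!is_internal(s->peer) && s->rcpt_count >= max_external)
        return RCPT_REFUSE_AND_DROP;
    s->rcpt_count++;
    return RCPT_ACCEPT;
}

int main(void) {
    struct smtp_session s = { IP4(198, 51, 100, 7), 0 }; /* constructed external peer */
    for (int i = 1; i <= 5; i++)
        printf("RCPT #%d -> %s\n", i,
               on_rcpt_to(&s, 3) == RCPT_ACCEPT ? "accept" : "refuse+drop");
    return 0;
}
```

Resetting the count only on MAIL FROM/RSET limits recipients per message; a client that splits a run into many small messages on one connection would need a separate per-connection counter.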