Tom wrote...
The exploit is based upon the fact that the destination host
rejects unknown users; MX backups, not having that information,
generally accept *@domain, so the spammer hack is to find the
n>0th MX host, and queue it all up there. Spreads the load.
What we did was simply use virtusertable on the MX host to list
each and every single valid user. Clearly this doesn't scale for
many users but for the dozen or so we have it's fine.
/etc/mail/virtusertable also handles all the virtual domains etc
all in one place.

There's a little better way to handle this.... I do have a direct line to one
of the programmers inside Sendmail.org. Their internal direction is all LDAP
based for local user tests, replacement of getuserinfo, etc. There's
obviously a noticeable trend towards this in the released code as well.
So, long story short, put all your users in LDAP for sendmail. Then you
don't run the security risk of having local user accounts for email
customers, AND all your MX hosts have access to the LDAP database to prevent
the exploit you mentioned above.
Regards,
Jay West
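
Added example, not part of either message above: a small audit a mail admin could run to check that a backup MX's virtusertable still matches the primary's list of valid recipients, so the backup does not queue mail for unknown users. The sample table, addresses and the function names are constructed for illustration; the `error:nouser` value form is assumed to follow the usual sendmail virtusertable syntax.

```python
# Added example: drift audit between a backup MX's virtusertable source and
# the primary's list of valid recipients. All addresses are constructed.

def parse_virtusertable(text):
    """Return {key: value} from virtusertable source (key, whitespace, value)."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table

def is_reject(value):
    """True when the entry maps to an error: target instead of a mailbox."""
    return value.lower().startswith("error:")

def audit(table_text, valid_recipients):
    table = parse_virtusertable(table_text)
    valid = {addr.lower() for addr in valid_recipients}
    # Per-user keys that the backup MX will actually accept mail for.
    listed = {k for k, v in table.items()
              if not k.startswith("@") and not is_reject(v)}
    # An '@domain' key matches every address in that domain; unless it maps
    # to an error: target, the MX queues mail for users that do not exist.
    open_catchalls = sorted(k[1:] for k, v in table.items()
                            if k.startswith("@") and not is_reject(v))
    return {
        "open_catchall_domains": open_catchalls,
        "missing_on_mx": sorted(valid - listed),  # valid mail would bounce
        "stale_on_mx": sorted(listed - valid),    # removed users still accepted
    }

# Constructed sample input.
SAMPLE_TABLE = """\
# backup MX virtusertable (constructed)
alice@example.com      alice
bob@example.com        bob
carol@example.com      carol
@example.com           error:nouser 550 No such user here
@example.net           postmaster
"""
SAMPLE_VALID = ["alice@example.com", "bob@example.com", "dave@example.com"]

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_TABLE, SAMPLE_VALID).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```
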