How to block e-mail relaying

Pithy saying is loading (requires JavaScript) ...

Relaying is when the machine sending the e-mail message is not your local machine and the machine receiving the e-mail message is also not your local machine. Spammers relay millions of e-mail messages through an open relay to disguise the source of SPAM. This is why blocking relaying is A Good Thing.

On UNIX machines, I know of three ways to prevent spammers using you as a relay:

  1. Simply kill the Sendmail daemon.

    This prevents the machine receiving e-mail and so will prevent relaying. This is the appropriate solution for almost all UNIX workstations.

    Having killed the Sendmail daemon, you need to run Sendmail every 15 minutes or so to clear the queue. You can do this either via cron or by invoking Sendmail with something similar to:

    /usr/lib/sendmail -q15m

    With no Sendmail daemon running, e-mail sent to the machine will need to be redirected to your mail hub using DNS MX records. If you cannot use MX records for some reason (I couldn't) then e-mail sent to the machine will queue on the sending machine, probably for several days. This is impolite and can be avoided by running a dummy SMTP server that rejects all incoming e-mail. A dummy SMTP server I wrote in Perl is available.

  2. Install Open Source Sendmail Version 8.9.x or later.

    The later versions of Sendmail block relaying by default.

  3. Install Kai's SpamShield™ - disappeared.

    This Perl script works by scanning the Sendmail Version 8 log file every few minutes and disconnecting any discovered spammers.

    SpamShield™ is particularly useful for ISPs as it can stop their users sending SPAM. Note that SpamShield™ can be configured to only send e-mail about potential problems, thus allowing an ISP to gain confidence before unleashing the beast.

All three ways are free.

Note that if you run a mail hub then it will only be secure against relaying if the machines you permit to relay through it are also secure against relaying. The easiest way to secure the other UNIX machines is by killing the Sendmail daemon.

On my mail hub I used Sendmail Version 8.8.8 with Claus Aßmann's "check_*" rulesets. These additional rulesets are built into Sendmail versions 8.9.x and later.

On my client machines I used a simple Sendmail configuration file that punts all e-mail to a mail hub. I pulled it from the Internet years ago and do not know who wrote it. It seems to work with all versions of Sendmail, but note that it gives you no protection from relaying so you must block this on the client machines.


For those with a technical bent, the background image was produced using a PostScript program.

Webmaster: /