You are correct - Sendmail doesn't log them by default. If you get a null connection, that gets logged. If the sender is refused by check_rcpt, that gets logged. But invalid commands, including those generated after a sender ignores a 5xx error and carries on through the DATA phase, aren't logged at all.
Hm, wouldn't better idea be detecting this in Sendmail. For example, after sendmail sends 5xx response to DATA, if next command looks like mail header, or if next 5 or 6 commands are invalid, start inserting sleep(60) after every call to read(), and call read() with really small buffer (say only 1k, or even smaller). Only minimum bandwith will be wasted, spammer would be significantly slowed down, and you are still perfectly RFC compliant (there's nothing in RFC's saying that you are not allowed to slow things down). It shouldn't be hard to patch Sendmail in this way. Basically, this would be generalization of already existing Sendmail feature (slowing things down if number of bad RCPT's is detected). If tactic becomes widespread, spammers might start actually looking for 5xx codes and acting accordingly.
-- Aleksandar Milivojevic <[EMAIL PROTECTED]> Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7 _______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
