Localhost forgery

Kevin Miller Kevin_Miller at ci.juneau.ak.us
Thu Aug 20 18:15:24 IST 2009


I'm being bombarded with a ton of spam that claims to be from localhost (but the IP isn't in the 127. range).  They are false NDRs, bouncing off of foreign servers.  A large number of my users are being joe-jobbed, and the remote servers send the NDRs here.  Here's a couple of examples from the mail log:

Aug 20 06:32:30 mx2 sendmail-in[25703]: n7KEVnN7025703: from=<qvmanifestation at grahamevinson.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [123.26.216.57] (may be forged)
Aug 20 07:34:33 mx2 sendmail-in[29611]: n7KFYJdI029611: from=<kzmatrimony at ivory.plala.or.jp>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [222.254.108.100] (may be forged)

I'd really like to be able to block them at the MTA level, but barring that, a spamassassin rule would do nicely.  Anybody have a rule available that would fit the bill?  There are too many sources to try to blacklist - I'd be playing whack-a-mole all day long.

(I've been on vacation the past few weeks, so if this has been discussed please let me know the subject line.)

Thanks...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500
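
Added example, not part of the original post: a log check that flags the pattern described above, a sendmail relay that names itself "localhost" while connecting from a non-loopback address, and counts hits per source IP. The function names and the sample log lines are constructed for illustration (documentation addresses only), and the optional "IPv6:" prefix handling is an assumption about how sendmail writes IPv6 peers.

```python
import ipaddress
import re
from collections import Counter

# sendmail logs the connecting peer as "relay=<name> [<ip>]".
# Assumption: IPv6 peers are written with an "IPv6:" prefix inside the brackets.
RELAY_RE = re.compile(r"relay=(?P<name>\S+) \[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]")

def forged_localhost(line):
    """Return the peer IP if the relay is named 'localhost' but is not loopback."""
    m = RELAY_RE.search(line)
    if not m or m.group("name").rstrip(".").lower() != "localhost":
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # unparseable address literal: leave it for manual review
    return None if ip.is_loopback else str(ip)

def summarize(lines):
    """Count forged-localhost connections per source IP."""
    hits = Counter()
    for line in lines:
        ip = forged_localhost(line)
        if ip:
            hits[ip] += 1
    return hits

# Constructed sample lines in the same format as the log excerpt in the post.
PREFIX = "Aug 20 06:32:30 mx2 sendmail-in[1001]: n7KAAAAA001001: from=<a@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, "
SAMPLE = [
    PREFIX + "relay=localhost [203.0.113.57] (may be forged)",
    PREFIX + "relay=localhost [127.0.0.1]",                 # genuine loopback
    PREFIX + "relay=mail.example.net [198.51.100.9]",       # ordinary relay
    PREFIX + "relay=localhost [203.0.113.57] (may be forged)",
    PREFIX + "relay=localhost.example.org [192.0.2.4]",     # different name
    PREFIX + "relay=localhost [IPv6:::1]",                  # IPv6 loopback
]

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE).most_common():
        print(f"{ip}\t{count}")
```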

