[benzedrine.ch logo]
Daniel Hartmeier
Packet Filter
Mailing list
Annoying spammers
Prioritizing ACKs
Transparent squid
Planet Wars
Hexiom solver
Polygon partition
Mikero's grid puzzle
Dark Star

Reject mail with no valid recipients


A lot of spam I see does not use valid recipients. Either many address harvesters are buggy, or spammers are trying to guess addresses.

The point is that a significant percentage (if not even the majority) of spams don't carry valid recipients. Checking the validity of a recipient is much cheaper than content-based analysis, as done with milter-spamd.

However, filtering is often done on an intermediate relay, which doesn't have a complete list of all valid recipients. Maintaining a copy of the list on the relay would be cumbersome.

This is the sole purpose of milter-checkrcpt. It checks the validity of recipients by asking another mail server, like your internal mail server, which already has the complete list of valid users.

Invalid recipients are permanently removed from mails. Mails with no valid recipients are refused.

See milter-regex for a general introduction about milter plugins.

milter-checkrcpt runs on OpenBSD and is BSD licensed.

Man page

MILTER-CHECKRCPT(8)     OpenBSD System Manager's Manual    MILTER-CHECKRCPT(8)

     milter-checkrcpt - sendmail milter plugin for recipient checking against

     milter-checkrcpt [-d] [-h helo] [-m mailfrom] [-p pipe] [-r recipient]
                      [-s server] [-u user]

     The milter-checkrcpt plugin can be used with the milter API of
     sendmail(8) to filter mails with invalid recipients.  The validity of a
     recipient address is determined by querying another mail server over

     The options are as follows:

     -d            Don't detach from controlling terminal and produce verbose
                   debug output on stdout.

     -h helo       Use the specified string in the SMTP HELO line sent to the
                   server, instead of the default, the local host name.

     -m mailfrom   Use the specified string in the SMTP MAIL FROM line sent to
                   the server, instead of the default, milter-checkrcpt@helo.

     -p pipe       Use the specified pipe to interface sendmail(8).  Default
                   is unix:/var/spool/milter-checkrcpt/sock.

     -r recipient  Test the specified recipient and terminate immediately.

     -s server     Use the specified server IP address.  This option is manda-

     -u user       Run as the specified user instead of the default, _milter-
                   checkrcpt.  When milter-checkrcpt is started as root, it
                   calls setuid(2) to drop privileges.  The non-privileged us-
                   er should have read access to the configuration file and
                   read-write access to the pipe.

     Recipients are checked by contacting the specified server and performing
     the following SMTP dialogue:

           220 WELCOME
           HELO helo
           250 HELO ACCEPTED
           MAIL FROM: <mailfrom@helo>
           250 SENDER OK
           RCPT TO: <recipient>
           250 RECIPIENT OK
           221 CLOSING

     If the server responds with positive completion reply codes (200-299) to
     all commands sent, or with a temporary failure code (400-499) to any com-
     mand sent, the recipient is considered valid.  If any command results in
     a different reply code, the recipient is considered invalid.  If the con-
     nection to the server cannot be established at all, the recipient is con-
     sidered valid.  Note that this dialogue does not actually send any mail
     to the server.  A single mail can have one or multiple recipients.  The
     plugin checks each recipient, removing any invalid recipients from the
     mail.  If no valid recipients are found, the plugin instructs sendmail(8)
     to reject the mail with SMTP reply code 554 ("Transaction failed"), ex-
     tended reply code 5.7.1 ("Permanent failure"), and reply text "No valid
     recipients".  Otherwise, the plugin accepts the mail.

     The plugin needs to be registered in the sendmail(8) configuration, by
     adding the following lines to the .mc file

                   `S=unix:/var/spool/milter-checkrcpt/sock, T=S:30s;R:2m')

     rebuilding /etc/mail/sendmail.cf from the .mc file using m4(1), and
     restarting sendmail(8).

     milter-checkrcpt sends log messages to syslogd(8) using facility daemon
     and, with increasing verbosity, level err, notice, info and debug.  The
     following syslog.conf(5) section can be used to log messages to a dedi-
     cated file:

     daemon.err;daemon.notice        /var/log/milter-checkrcpt

     mailstats(1), syslog.conf(5), sendmail(8), syslogd(8)

     Simple Mail Transfer Protocol, RFC 2821.

     The first version of milter-checkrcpt was written in 2007.

     Daniel Hartmeier <daniel@benzedrine.ch>

OpenBSD 4.4                      May 20, 2009                                2



0.3: Mar 7, 2012

Do not refuse mail when the backend server reports temporary failure (4xx) (suggested by Shinta Sato).

0.2: Jul 12, 2011

Don't generate space after MAIL FROM:/RCPT TO: (from Claus Assmann).

0.1: May 20, 2009

First public version.

Related links

Last updated on Tue Jun 9 20:28:27 2015 by daniel@benzedrine.ch.