OpenBSD 4.1′s spamd(8) now includes default support for trapping SMTP clients using an envelope to: not listed in /etc/mail/spamd.alloweddomains. If you only accept mail for example.com and example.org, put them in spamd.alloweddomains, and mail to: all other domains (relay attempts) are rejected and the host trapped. Clean and effective. Good job, Bob!
Parsing my logs, though, shows a lot of spam attempts using the envelope from: of my domains. Email clients should use other acceptable means of submission/SMTP injection, including connecting with internal servers via VPN, where they’d never hit spamd. If someone were using SMTP-after-POP, for example, they’d presumably get whitelisted and bypass spamd.
This patch against 4.1-STABLE is a quick copy-and-paste job (I’m not a C programmer), but it works for me.
So, if someone tries to send mail via my external spamd firewall, claiming to have an envelope from: of one of my domains, then I’m not going to accept the message and will trap the host. It’s a virtual certainty you’re a spammer — if it’s from an actual user, then s/he needs to use another connectivity method.