MAIL FROM:<>RFC821, section 3.6 says:
This notification message must be from the server-SMTP at this host. Of course, server-SMTPs should not send notification messages about problems with notification messages. One way to prevent loops in error reporting is to specify a null reverse-path in the MAIL command of a notification message. When such a message is relayed it is permissible to leave the reverse-path null. A MAIL command with a null reverse-path appears as follows: MAIL FROM:<>RFC1123, section 5.2.9 says:
5.2.9 Command Syntax: RFC-821 Section 4.1.2 The syntax shown in RFC-821 for the MAIL FROM: command omits the case of an empty path: "MAIL FROM:<>" (see RFC-821 Page 15). An empty reverse path MUST be supported.(emphasis and links added by me). Error messages (in general: delivery status notifications) are sent this way, so they must not be rejected.
Guess what? Some people can't read and they have a setting in their mail server (IMail 4.0+ for NT) that rejects those addresses. Why are people allowed to distribute (sell?) such software? (they probably take some other company as bad example...).
user@YOUR.DOMAIN
Next, someone from YOUR.DOMAIN sends an e-mail to that user at REMOTE.DOMAIN which gets forward to user@YOUR.DOMAIN That is, your server receives an e-mail with a local sender address and a local receiver address, which is relayed from a remote system (REMOTE.DOMAIN).
If you would reject those mails, the above scenario would break. Can you make sure that this scenario won't happen? If you can, you may take a look at a proposal from Ted Deppner. However, you have to change it for 8.9. Note: this hack is not supported by me.
Note: Sender addresses can't be trusted unless you can verify them. In ``real life'' you usually trust a signed letter, at least if you can verify the signature. For e-mail, you should do the same: don' trust it unless it is digitally signed and you can verify the signature. Even then, the senders system could be compromised, but that's similar to a faked signature on a letter.
This works only in a few cases, but will reject many legitimate e-mails.
For example, almost all members of the Sendmail consortium use
<sendmail+USER@sendmail.org>
as sender address when answering questions, however,
at most one of them actually sends mail from a machine in that domain.
Other proposals what should be in this text? Send me an e-mail.
Remember: the net was there before the spammers. Don't let them destroy it by overreacting.