I am confused, how would filtering at the smtp port on source address work?
What you do is return a 421 error if you don't "like" the source address (this is checked very early on). You can also return a 500-series error, but that generates an immediate bounce, which is "nice" to the spammer. I prefer to be nasty and eat their resources instead.
If delivery fails, does not the sender often use MX records and send via an intermediary host?
Not if you return a 400-series error. The host doing the sending will retry. If you block at the packet level, then yes, the sender will go to a secondary MX *IF* there is one and it can be reached. The 421 response is the best possible one, because it screws the sender, is cheap compute-wise for you, and has the desired effect without causing other disruption.
If so the source address is lost unless all the MX hosts have the same filter list. And in any case I believe that typically sendmail will accept email from anyone for delivery to anyone. So a spammer could scatter his emails all over the Internet thru thousands of intermediate hosts, if he used the right software to do it.
Best Regards, Robert Laughlin
He has to be able to inject it in the first place. As more potential relays implement this, that becomes much harder. -- -- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | 99 Analog numbers, 77 ISDN, Web servers $75/mo Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ Fax: [+1 312 803-4929] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal