Well geez, I'm sorry I even asked the question. Many thanks to Chuq and
others who commented on what the true solutions were, which I had already
The bottom line is, until mailing list software writers and mailing list
administrators configure their lists to always require confirmation from the
desired recipient, there's no practical way for an innocent victim to
prevent their personal or business e-mail address from being bombed with a
denial of service attack of this nature.
I wrote a procmail recipe that alleviates nearly all of the problem mail by
dropping into another folder any mail that does not directly address an
address using one of our domains. Using formail, I can re-process an
attacked mailbox if the problem recurs in the future.
This solution covers most of the needs we had without having to change the
world, or write sophisticated "detect that a mailbox is being bombed in
real-time without human intervention" software. I'd rather write dwim()
instead, as it would be much easier.