How to reject/detect emails claiming to be from my own domain?

I use Exim configured with mysql to filter my email. I find the configuration easier to do. Sendmail configuration has always seemed quite cryptic to me.

  1. To prevent a sender from changing the mail_from identity and retrying, you will need to add their IP address to a blacklist and enforce the blacklist. If you can get the filter to drop the connection rather than reject the mail_from, then they will need to reconnect to change the mail_from address. I don't think many senders will do so. I'll check my database and update later.

  2. The following rule will check to see if the From address is within the 'example.com' domain. Add these lines to your local.cf file and restart spamassassin. Increase the score when you are confident that it is working correctly. This presumes you are not using spamassassin for outgoing email.

    # Match example.com and its subdomains; the dot is escaped so it only matches a literal "."
    header   LOCAL_FROM_HERE        From =~ /[.@]example\.com/
    score    LOCAL_FROM_HERE        -0.75
    describe LOCAL_FROM_HERE        From header is local address

EDIT: I ran some queries on my database of email data. Of 2500 connections that used a local address in the MAIL FROM command, only 28 retried with a non-local address. This is about a 1% fail rate on just rejecting the use of local addresses in the MAIL FROM command. I found no cases where a server reconnected and tried a non-local address.

Assuming the Envelope_from header is added before spamassassin filters the message, both conditions can be combined in a single blacklist entry in local.cf. Again, this assumes you do not run spamassassin on outgoing email.

    blacklist_from   *@example.com

EDIT2: I use an ACL in Exim to reject the Mail From command if a local domain is used in the address. This applies if the connecting host is not one I consider local. Local hosts include servers on the local network, approved relays, and hosts using an authenticated connection on the submission port (587).
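
One way to write the MAIL FROM check described in EDIT2, as an added example that is not the answerer's own configuration. It assumes the `local_domains` and `relay_from_hosts` list names from Exim's stock configuration file, and the address range in the host list is a constructed sample.

```exim
# --- main section ---
# Domains this server is authoritative for (assumption: example.com only).
domainlist local_domains    = example.com
# Hosts treated as local: loopback plus a constructed sample LAN range.
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

# Run the ACL below when a client issues MAIL FROM.
acl_smtp_mail = acl_check_mail

# --- ACL section ---
begin acl

acl_check_mail:
  # Servers on the local network and approved relays may use local senders.
  accept  hosts          = +relay_from_hosts

  # So may clients that authenticated, e.g. on the submission port (587).
  accept  authenticated  = *

  # Any other host claiming a local domain in MAIL FROM is refused.
  # The empty bounce sender (<>) has no domain and does not match.
  deny    message        = Sender domain $sender_address_domain not accepted from this host
          log_message    = local domain in MAIL FROM from non-local host
          sender_domains = +local_domains

  # Everything else continues to the RCPT and DATA checks.
  accept
```

Replacing `deny` with `drop` in the last rule also closes the connection after the rejection, which forces the reconnect mentioned in item 1.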