Attachments are in the email itself. If you go look at any mail message with an attachment, you'll find the mime encoded attachment(s) within.
Using /bin/false stops them from logging in. However, that can cause problems for programs like "vacation" that want to use sendmail, because it wants a real shell (Google for "using vacation with /bin/false").
See the sendmail FAQ for quotas:
http://www.sendmail.org/~ca/email/lfaq.html#QUOTA