I've been using Mikrotik for maybe a year with a basic configuration and everything was fine, but now I have problems with spam. I have been blacklisted with the reason that I have a Win32/Zbot virus or that I'm NATting for it.
I have a mail server behind NAT, and users send emails only from the internal network. It is (or should be) not possible to connect to the mail server from outside. For this reason I have a VPN connection.

IP Address ******** is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-08-20 06:00 GMT (+/- 30 minutes), approximately 3 hours ago.
This IP is infected with, or is NATting for a machine infected with Win32/Zbot (Microsoft).
Now I see on my mail server that there are many failed attempts to connect to accounts on my mail server, so the mail server is blocking them automatically:
I know that this is a matter of the mail server, but I don't understand how it is possible that anyone can log in from outside to the mail server.

"DEBUG" 2408 "2012-08-20 09:39:54.499" "Creating session 7895"
"SMTPD" 2408 7895 "2012-08-20 09:39:54.499" "192.168.1.1" "SENT: 220 ip-mx.*****.sk ESMTP"
"SMTPD" 2388 7895 "2012-08-20 09:39:54.873" "192.168.1.1" "RECEIVED: EHLO dj"
"SMTPD" 2388 7895 "2012-08-20 09:39:54.873" "192.168.1.1" "SENT: 250-ip-mx.*****.sk[nl]250-SIZE 20480000[nl]250 AUTH LOGIN"
"SMTPD" 2400 7895 "2012-08-20 09:39:55.248" "192.168.1.1" "RECEIVED: AUTH LOGIN"
"SMTPD" 2400 7895 "2012-08-20 09:39:55.248" "192.168.1.1" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2396 7895 "2012-08-20 09:39:55.622" "192.168.1.1" "RECEIVED: aW5iYWdiYkBldXJva29udGsdfFrdC5zsdfaw=="
"SMTPD" 2396 7895 "2012-08-20 09:39:55.622" "192.168.1.1" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 2364 7895 "2012-08-20 09:39:55.997" "192.168.1.1" "RECEIVED: ***"
"SMTPD" 2364 7895 "2012-08-20 09:39:56.012" "192.168.1.1" "SENT: 535 Authentication failed. Restarting authentication process."
"DEBUG" 2384 "2012-08-20 09:39:56.402" "Ending session 7895"

Please take a look at whether these settings are secure enough. Rules 7-10 block internal ranges from accessing the internet:

0 ;;; default configuration
chain=input action=accept protocol=icmp
1 ;;; default configuration
chain=input action=accept connection-state=established
in-interface=ether1-gateway
2 ;;; default configuration
chain=input action=accept connection-state=related
in-interface=ether1-gateway
3 chain=forward action=add-src-to-address-list protocol=tcp address-list=""
address-list-timeout=0s dst-port=25 connection-limit=30,32 limit=50,5
4 chain=forward action=accept protocol=tcp src-address-list=spammer
dst-port=25
5 ;;; MAIL
chain=forward action=accept protocol=tcp dst-address=192.168.1.205
dst-port=25
6 ;;; VPN
chain=input action=accept protocol=tcp dst-port=1723
7 chain=forward action=drop dst-address=192.168.1.4-192.168.1.49
in-interface=ether1-gateway
8 chain=forward action=drop dst-address=192.168.1.66-192.168.1.78
in-interface=ether1-gateway
9 chain=forward action=drop dst-address=192.168.1.123-192.168.1.199
in-interface=ether1-gateway
10 chain=forward action=drop dst-address=192.168.1.206-192.168.1.254
in-interface=ether1-gateway
11 chain=forward action=drop src-address=110.53.27.247
in-interface=ether1-gateway
12 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

Rule 11 blocks an IP that I think is failing authentication against the mail server, but it has not helped.
I'm also using the spam script from the Mikrotik wiki (http://wiki.mikrotik.com/wiki/How_to_au ... MTP_output), but it is not logging anything; I don't know why. Thanks.

0 ;;; default configuration
chain=srcnat action=masquerade
1 ;;; MAIL
chain=dstnat action=dst-nat to-addresses=192.168.1.205 protocol=tcp
in-interface=ether1-gateway dst-port=25
2 ;;; PPTP
chain=dstnat action=dst-nat to-ports=1723 protocol=tcp
in-interface=ether1-gateway src-port=1723
3 ;;; WEB SERVER
chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=80
protocol=tcp in-interface=ether1-gateway dst-port=80
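Three things are visible in the rules as posted. First, the srcnat masquerade rule has no out-interface, so it also rewrites the source of connections that were dst-natted to the mail server; the server then logs the router's LAN address rather than the real client, which is consistent with every session above showing 192.168.1.1. Second, filter rule 3 writes to address-list="" (an empty name) and rule 4 accepts, rather than drops, sources on the "spammer" list, so that pair neither fills the list nor blocks anything. Third, the CBL listing is about outbound spam from a NATted LAN host, and the forward chain as posted lets any LAN host open SMTP connections to the internet, while the MAIL dst-nat rule is what makes port 25 reachable from outside. The following RouterOS commands are an added example written for this thread (not the original poster's configuration and not the wiki script mentioned). They assume ether1-gateway is the internet-facing interface and 192.168.1.205 is the mail server, both from the posted rules, that the LAN is 192.168.1.0/24 (inferred from the addresses shown), and RouterOS 5-style syntax matching the posted output; the address-list names and comments are made up here.

```routeros
# Added example, not the original poster's configuration.
# Assumptions: WAN = ether1-gateway, LAN = 192.168.1.0/24, mail server = 192.168.1.205.

/ip firewall nat
# Masquerade only what actually leaves through the WAN interface. Without
# out-interface the rule also rewrites dst-natted inbound connections, and the
# mail server log shows the router's LAN address instead of the real client.
set [find chain=srcnat action=masquerade] out-interface=ether1-gateway

/ip firewall filter
# --- Outbound SMTP: only the mail server may send mail directly to the internet.
# Any other LAN host opening port 25 outward is the likely infected machine the
# CBL notice refers to: record it, log it (rate-limited), and drop the attempt.
add chain=forward protocol=tcp dst-port=25 out-interface=ether1-gateway \
    src-address=192.168.1.205 action=accept \
    comment="mail server may send SMTP to the internet"
add chain=forward protocol=tcp dst-port=25 out-interface=ether1-gateway \
    src-address=192.168.1.0/24 action=add-src-to-address-list \
    address-list=smtp-abusers address-list-timeout=1d \
    comment="LAN host sending SMTP directly: record it (passthrough)"
add chain=forward protocol=tcp dst-port=25 out-interface=ether1-gateway \
    src-address-list=smtp-abusers limit=1,5 action=log log-prefix="smtp-abuser" \
    comment="log at most 1 packet/s so the log stays readable"
add chain=forward protocol=tcp dst-port=25 out-interface=ether1-gateway \
    src-address-list=smtp-abusers action=drop \
    comment="block direct SMTP from flagged LAN hosts"

# --- Inbound SMTP: the MX must stay reachable, but a single source holding more
# than 30 parallel connections to it is put on a blocklist for an hour.
# These three rules must sit above the existing accept rules (rules 4 and 5 in
# the posted output): add them with place-before=3, or remove the old rules.
add chain=forward protocol=tcp dst-port=25 in-interface=ether1-gateway \
    dst-address=192.168.1.205 connection-limit=30,32 \
    action=add-src-to-address-list address-list=spammer \
    address-list-timeout=1h place-before=3 \
    comment="too many parallel SMTP connections from one /32"
add chain=forward protocol=tcp dst-port=25 in-interface=ether1-gateway \
    dst-address=192.168.1.205 src-address-list=spammer action=drop \
    place-before=3 comment="drop listed sources"
add chain=forward protocol=tcp dst-port=25 in-interface=ether1-gateway \
    dst-address=192.168.1.205 action=accept place-before=3 \
    comment="inbound mail to the MX"
```

After the masquerade change the "192.168.1.1" in the mail server log is replaced by the real source address of each session, which is what both rule 11 and the CBL report need to be matched against; the smtp-abusers list names the LAN host behind the Zbot listing. The AUTH LOGIN offered at line 9 of the session is advertised by the mail server itself on port 25; whether authentication is offered to untrusted networks on that port is a mail server setting, as the post already notes, and the router rules above only limit how many connections one source can hold open.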