drevokocur
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2011 9:46 am

Mail server spam protection

Mon Aug 20, 2012 11:40 am

Hi there,
I've been using MikroTik for maybe a year with a basic configuration and everything was fine, but now I have problems with spam. I have been blacklisted with the reason that I have a Win32/Zbot virus or that I'm NATting for it:
IP Address ******** is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2012-08-20 06:00 GMT (+/- 30 minutes), approximately 3 hours ago.

This IP is infected with, or is NATting for a machine infected with Win32/Zbot (Microsoft).
I have a mail server behind NAT, and users send emails only from the internal network. It is (or should be) impossible to connect to the mail server from outside; for that I have a VPN connection.

Now I see on my mail server that there are many failed attempts to log in to accounts on my mail server, so the mail server is blocking them automatically:
"DEBUG" 2408 "2012-08-20 09:39:54.499" "Creating session 7895"
"SMTPD" 2408 7895 "2012-08-20 09:39:54.499" "192.168.1.1" "SENT: 220 ip-mx.*****.sk ESMTP"
"SMTPD" 2388 7895 "2012-08-20 09:39:54.873" "192.168.1.1" "RECEIVED: EHLO dj"
"SMTPD" 2388 7895 "2012-08-20 09:39:54.873" "192.168.1.1" "SENT: 250-ip-mx.*****.sk[nl]250-SIZE 20480000[nl]250 AUTH LOGIN"
"SMTPD" 2400 7895 "2012-08-20 09:39:55.248" "192.168.1.1" "RECEIVED: AUTH LOGIN"
"SMTPD" 2400 7895 "2012-08-20 09:39:55.248" "192.168.1.1" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2396 7895 "2012-08-20 09:39:55.622" "192.168.1.1" "RECEIVED: aW5iYWdiYkBldXJva29udGsdfFrdC5zsdfaw=="
"SMTPD" 2396 7895 "2012-08-20 09:39:55.622" "192.168.1.1" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 2364 7895 "2012-08-20 09:39:55.997" "192.168.1.1" "RECEIVED: ***"
"SMTPD" 2364 7895 "2012-08-20 09:39:56.012" "192.168.1.1" "SENT: 535 Authentication failed. Restarting authentication process."
"DEBUG" 2384 "2012-08-20 09:39:56.402" "Ending session 7895"
I know that this is a matter for the mail server, but I don't understand how it is possible that anyone can log in from outside to the mail server at all.

Please take a look if these settings are secure enough:
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established
in-interface=ether1-gateway

2 ;;; default configuration
chain=input action=accept connection-state=related
in-interface=ether1-gateway

3 chain=forward action=add-src-to-address-list protocol=tcp address-list=""
address-list-timeout=0s dst-port=25 connection-limit=30,32 limit=50,5

4 chain=forward action=accept protocol=tcp src-address-list=spammer
dst-port=25

5 ;;; MAIL
chain=forward action=accept protocol=tcp dst-address=192.168.1.205
dst-port=25

6 ;;; VPN
chain=input action=accept protocol=tcp dst-port=1723

7 chain=forward action=drop dst-address=192.168.1.4-192.168.1.49
in-interface=ether1-gateway

8 chain=forward action=drop dst-address=192.168.1.66-192.168.1.78
in-interface=ether1-gateway

9 chain=forward action=drop dst-address=192.168.1.123-192.168.1.199
in-interface=ether1-gateway

10 chain=forward action=drop dst-address=192.168.1.206-192.168.1.254
in-interface=ether1-gateway

11 chain=forward action=drop src-address=110.53.27.247
in-interface=ether1-gateway

12 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway
Rules 7-10 block internal ranges from accessing the internet.
Rule 11 blocks an IP that I think is failing authentication against the mail server, but it has not helped.
0 ;;; default configuration
chain=srcnat action=masquerade

1 ;;; MAIL
chain=dstnat action=dst-nat to-addresses=192.168.1.205 protocol=tcp
in-interface=ether1-gateway dst-port=25

2 ;;; PPTP
chain=dstnat action=dst-nat to-ports=1723 protocol=tcp
in-interface=ether1-gateway src-port=1723

3 ;;; WEB SERVER
chain=dstnat action=dst-nat to-addresses=192.168.1.200 to-ports=80
protocol=tcp in-interface=ether1-gateway dst-port=80
I'm also using the spam script from the MikroTik wiki (http://wiki.mikrotik.com/wiki/How_to_au ... MTP_output), but it is not logging anything; I don't know why. Thanks.
 
Kindis
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: Mail server spam protection

Mon Aug 20, 2012 12:31 pm

Could be that you have a virus issue internally. Review the SMTP logs for clues. Also test your SMTP server via mxtoolbox and see how many providers have blocked you. Could be a blacklist provider that is not that "serious".

Sent from my Transformer Prime TF201 using Tapatalk 2
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Mail server spam protection

Mon Aug 20, 2012 1:44 pm

Normally, a virus will use its own embedded email server code to send copies of the virus. You might try blocking any port 25 forward through the localnet interface from any device except to and from your email server.

This NAT rule is forwarding port 25 from your public IP to your inbound email server.
1 ;;; MAIL
chain=dstnat action=dst-nat to-addresses=192.168.1.205 protocol=tcp
in-interface=ether1-gateway dst-port=25
I would change the masquerade to this. The current rule will make all external ips appear to the email server as coming from your router localnet ip (192.168.1.1?).
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-gateway
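As an added example (not from the thread or the MikroTik wiki), here are the NAT and filter rules that SurferTim's advice implies, written with the names from the original post: ether1-gateway as the WAN interface and 192.168.1.205 as the mail server. That the LAN is a single subnet behind any non-WAN interface is an assumption.

```routeros
# Added example, not from the thread or the MikroTik wiki. Assumes:
#   ether1-gateway = WAN interface, 192.168.1.205 = mail server,
#   all other interfaces = LAN side.

/ip firewall nat
# Masquerade only what leaves through the WAN. Without out-interface the
# dst-nat'ed inbound SMTP was rewritten too, so the mail server logged every
# remote client as the router's LAN address (192.168.1.1).
add chain=srcnat action=masquerade out-interface=ether1-gateway comment="NAT LAN to WAN only"

/ip firewall filter
# 1. Only the mail server may open port 25 towards the internet.
add chain=forward protocol=tcp dst-port=25 src-address=192.168.1.205 action=accept comment="MAIL: outbound SMTP"
# 2. Any other LAN host doing so is behaving like a spam bot. Record it in a
#    named list (the original rule 3 wrote to address-list="", so nothing was
#    ever recorded). add-src-to-address-list does not terminate, so the
#    packet continues to the drop rule below.
add chain=forward protocol=tcp dst-port=25 in-interface=!ether1-gateway src-address=!192.168.1.205 action=add-src-to-address-list address-list=smtp_bot address-list-timeout=1d comment="detect infected LAN hosts"
# 3. Drop their outbound SMTP (the original rule 4 accepted the list instead).
add chain=forward protocol=tcp dst-port=25 src-address-list=smtp_bot action=drop comment="block infected LAN hosts"
# 4. Inbound SMTP to the dst-nat target stays open.
add chain=forward protocol=tcp dst-port=25 dst-address=192.168.1.205 in-interface=ether1-gateway action=accept comment="MAIL: inbound SMTP"

# Which internal machine is infected:
#   /ip firewall address-list print where list=smtp_bot
```

The smtp_bot list is the record the original rule 3 never produced; an entry there is the internal host to clean before asking the CBL to delist.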
 
drevokocur
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2011 9:46 am

Re: Mail server spam protection

Mon Aug 20, 2012 4:54 pm

SurferTim wrote:
Normally, a virus will use its own embedded email server code to send copies of the virus. You might try blocking any port 25 forward through the localnet interface from any device except to and from your email server.

This NAT rule is forwarding port 25 from your public IP to your inbound email server.
1 ;;; MAIL
chain=dstnat action=dst-nat to-addresses=192.168.1.205 protocol=tcp
in-interface=ether1-gateway dst-port=25
I would change the masquerade to this. The current rule will make all external ips appear to the email server as coming from your router localnet ip (192.168.1.1?).
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-gateway
Great help, thanks! Now I can see the source IP that is spamming me.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Mail server spam protection

Mon Aug 20, 2012 5:00 pm

Now that you know who the spammer is, may I suggest "src-address=xx.xx.xx.xx action=tarpit". :D
 
drevokocur
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2011 9:46 am

Re: Mail server spam protection

Mon Aug 20, 2012 5:13 pm

Kindis wrote:
Could be that you have a virus issue internally. Review the SMTP logs for clues. Also test your SMTP server via mxtoolbox and see how many providers have blocked you. Could be a blacklist provider that is not that "serious".

Sent from my Transformer Prime TF201 using Tapatalk 2
Thanks, I'm using mxtoolbox. It is the one at http://cbl.abuseat.org/. Some mails are going through but some don't.

I have detected a Trojan downloader on one internal PC, and one of its alias names was also Win32/Zbot, so I hope that now that I have removed it, it will be fine. I'm waiting for the blacklist to refresh now.

I don't know if it has any connection with this, but I'm still being bombarded with authentication attempts on the mail server. I have now blocked the source IP range 110.53.*.*, so I hope it will be fine now.
 
drevokocur
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2011 9:46 am

Re: Mail server spam protection

Mon Aug 20, 2012 5:17 pm

SurferTim wrote:
Now that you know who the spammer is, may I suggest "src-address=xx.xx.xx.xx action=tarpit". :D
Yes, I have done this, but I have set there action=drop. Should I change it to tarpit?

I have set a range there, 110.53.1.1-110.53.255.255, because there were more addresses like this.
 
drevokocur
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2011 9:46 am

Re: Mail server spam protection

Tue Aug 21, 2012 9:07 am

Thanks again, I'm now able to block the IPs that are trying to authenticate to my mail server, but there are always new ones.

Just yesterday I added these:
11 chain=forward action=tarpit protocol=tcp
dst-address=110.53.1.1-110.53.255.254

12 chain=forward action=tarpit protocol=tcp
dst-address=115.63.1.1-115.63.255.254

13 chain=forward action=tarpit protocol=tcp
dst-address=110.52.1.1-110.52.255.254

14 chain=forward action=tarpit protocol=tcp
dst-address=123.54.1.1-123.54.255.254

15 chain=forward action=tarpit protocol=tcp dst-address=42.49.1.1-42.49.255.25>

16 chain=forward action=tarpit protocol=tcp
dst-address=125.42.1.1-125.42.255.254

17 chain=forward action=tarpit protocol=tcp
dst-address=125.44.1.1-125.44.255.254

18 chain=forward action=tarpit protocol=tcp
dst-address=222.140.1.1-222.140.255.254
Do you think it is coming from outside, or could there still be a problem on my network? Thanks.
SurferTim wrote:
Normally, a virus will use its own embedded email server code to send copies of the virus. You might try blocking any port 25 forward through the localnet interface from any device except to and from your email server.

This NAT rule is forwarding port 25 from your public IP to your inbound email server.
1 ;;; MAIL
chain=dstnat action=dst-nat to-addresses=192.168.1.205 protocol=tcp
in-interface=ether1-gateway dst-port=25
I would change the masquerade to this. The current rule will make all external ips appear to the email server as coming from your router localnet ip (192.168.1.1?).
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-gateway
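Rather than hand-maintaining /16 tarpit ranges as new sources appear, the router can build the list itself from connection behaviour. This is an added example, not from the thread or MikroTik: it uses the post's ether1-gateway (WAN) and 192.168.1.205 (mail server); the list names and the thresholds (4 new SMTP connections inside a minute) are assumptions.

```routeros
# Added example, not from the thread. Assumes ether1-gateway = WAN and
# 192.168.1.205 = mail server; list names and thresholds are illustrative.
# The router only counts new connections. It cannot see SMTP AUTH failures,
# so the mail server's log (now showing real source IPs) remains the record
# of who is actually guessing passwords.

/ip firewall filter
# Repeat offenders are tarpitted: the router answers the SYN itself and then
# just holds the connection, so the sender's client hangs instead of moving on.
add chain=forward in-interface=ether1-gateway protocol=tcp dst-port=25 dst-address=192.168.1.205 src-address-list=smtp_bruteforce action=tarpit comment="tarpit repeat offenders"
# Staged counting, one stage per new connection. add-src-to-address-list does
# not terminate, so a new connection falls through every stage rule it
# matches; the 4th new connection inside a minute lands the source on
# smtp_bruteforce for a day.
add chain=forward in-interface=ether1-gateway protocol=tcp dst-port=25 dst-address=192.168.1.205 connection-state=new src-address-list=smtp_stage3 action=add-src-to-address-list address-list=smtp_bruteforce address-list-timeout=1d
add chain=forward in-interface=ether1-gateway protocol=tcp dst-port=25 dst-address=192.168.1.205 connection-state=new src-address-list=smtp_stage2 action=add-src-to-address-list address-list=smtp_stage3 address-list-timeout=1m
add chain=forward in-interface=ether1-gateway protocol=tcp dst-port=25 dst-address=192.168.1.205 connection-state=new src-address-list=smtp_stage1 action=add-src-to-address-list address-list=smtp_stage2 address-list-timeout=1m
add chain=forward in-interface=ether1-gateway protocol=tcp dst-port=25 dst-address=192.168.1.205 connection-state=new action=add-src-to-address-list address-list=smtp_stage1 address-list-timeout=1m
# Everyone else still reaches the mail server.
add chain=forward in-interface=ether1-gateway protocol=tcp dst-port=25 dst-address=192.168.1.205 action=accept comment="MAIL: inbound SMTP"

# See who got caught and when their entry expires:
#   /ip firewall address-list print where list=smtp_bruteforce
```

Note that these rules match the remote side with src-address-list, as SurferTim's "src-address=xx.xx.xx.xx action=tarpit" does, whereas the tarpit rules in the listing above match dst-address. A busy legitimate mail relay can open several connections a minute, so loosen the thresholds or exempt known peers before the tarpit rule.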
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Mail server spam protection

Tue Aug 21, 2012 2:40 pm

drevokocur wrote:
Thanks again, I'm now able to block the IPs that are trying to authenticate to my mail server, but there are always new ones.
Welcome to the wonderful world of email servers. Hackers and spammers are everywhere.

edit: If you are looking for spam prevention, then you might want to look into a spam blocker service like Spamhaus.
http://www.spamhaus.org/
