lctn
Member Candidate
Topic Author
Posts: 176
Joined: Tue Apr 04, 2006 3:51 pm

Need help blocking aggressive spam traffic

Mon Jul 30, 2012 11:19 pm

Recently, we have been clobbered with an immense amount of spam traffic. I would like to block abnormal traffic destined for port 25, so our MTAs do not have to deal with it at the server.

We are using a 450g unit as our firewall.

Any help is appreciated

Raymond
 
nsayer
Frequent Visitor
Posts: 78
Joined: Thu Jun 02, 2011 5:32 pm
Location: Santa Clara, CA, US

Re: Need help blocking aggressive spam traffic

Tue Jul 31, 2012 4:20 am

I guess the first question is... what constitutes "abnormal" in this context?
 
lctn
Member Candidate
Topic Author
Posts: 176
Joined: Tue Apr 04, 2006 3:51 pm

Re: Need help blocking aggressive spam traffic

Tue Jul 31, 2012 4:32 am

The only visual I have is a high number of connections to my relay servers. For this, I have just blocked subnets. I would guess there should be a way to identify a steady stream of port 25 packets, since normal traffic should be in short bursts.

Just guessing......
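One way to make that guess concrete, as an added example that is not part of the thread or of RouterOS: a sliding-window counter over per-source connection events distinguishes a source that opens port-25 connections at a sustained rate from one that sends a short burst. The log format (epoch seconds, source, destination, destination port) and the sample entries are constructed for illustration; the window and threshold are tunables, not recommended values.

```python
"""Flag sources that keep opening SMTP connections at a steady rate.

Added example, not from the forum post. Input is a constructed connection
log with one new connection per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port>
This layout is an assumption for the example, not RouterOS output.
"""
from collections import defaultdict, deque

# Constructed sample: 10.0.0.5 opens one SMTP connection every second for a
# minute (steady stream); 10.0.0.9 sends a short burst of three; 10.0.0.7 is
# web traffic and must be ignored because it is not on port 25.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.0.0.5 192.0.2.25 25" for i in range(60)]
    + [f"{1010 + i} 10.0.0.9 192.0.2.25 25" for i in range(3)]
    + [f"{1020 + i} 10.0.0.7 192.0.2.80 80" for i in range(100)]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dst_port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def find_steady_senders(log_text, window=30, threshold=20, port=25):
    """Return {src: peak_count} for every source that opened at least
    `threshold` new connections to `port` inside any `window`-second span.

    A deque per source holds the timestamps still inside the window, so
    memory stays proportional to the number of active sources rather than
    to the log size.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, dport = parse_line(line)
        if dport != port:
            continue
        recent = windows[src]
        recent.append(ts)
        # Drop timestamps that have fallen out of the window.
        while recent and ts - recent[0] >= window:
            recent.popleft()
        if len(recent) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(recent))
    return peaks


if __name__ == "__main__":
    for src, count in find_steady_senders(SAMPLE_LOG).items():
        print(f"{src}: {count} SMTP connections within one 30s window")
```

The sources this returns are candidates for a firewall address list with a timeout rather than a permanent block, since the three-connection burst from 10.0.0.9 is exactly the "normal traffic in short bursts" the post describes and is correctly left alone.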
 
nsayer
Frequent Visitor
Posts: 78
Joined: Thu Jun 02, 2011 5:32 pm
Location: Santa Clara, CA, US

Re: Need help blocking aggressive spam traffic

Tue Jul 31, 2012 8:00 am

I dunno, I think you're likely to get more mileage out of hardening your mail server rather than attacking this in the firewall.

One trick I've gotten good results with is configuring sendmail with

FEATURE(`greet_pause', `2500')dnl

The concept is that the RFC says that the client must wait for the server to send the initial greeting before sending any commands. "Lazy" clients - which often are spam sources - often just send the entire command set all in one go without waiting. Any session where a command is received before the greeting is sent is "poisoned" and all commands return errors for the duration.

Now, lots of spammers have figured this out and become more standards compliant, but judging by my logs, this technique still reaps benefits.

But it's like anything - no one solution is sufficient to control spam. You need a layered defense if you're going to bother anymore.
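The greet_pause behaviour described above, as an added example that models the post's description rather than reproducing sendmail's code: the server withholds its 220 banner for the configured pause, any command that arrives before the banner poisons the session, and every command in a poisoned session then gets an error reply. The two client sessions and the error reply text are constructed for illustration and do not claim to match sendmail's exact wording.

```python
"""Model of sendmail's greet_pause as described in the post.

Added example, not sendmail source. Times are milliseconds since the TCP
accept; GREET_PAUSE_MS mirrors FEATURE(`greet_pause', `2500').
"""
from dataclasses import dataclass, field

GREET_PAUSE_MS = 2500
GREETING = "220 mx.example.test ESMTP"
# Illustrative reply for a poisoned session; sendmail's real text differs.
ERROR_REPLY = "554 Command received before server greeting"


@dataclass
class SessionResult:
    poisoned: bool
    # (time_ms, "C" or "S", text) in the order the wire would carry them.
    transcript: list = field(default_factory=list)


def normal_reply(cmd):
    """Reply a healthy session would give to one SMTP command."""
    verb = cmd.split(None, 1)[0].upper() if cmd.strip() else ""
    return {
        "EHLO": "250 mx.example.test",
        "HELO": "250 mx.example.test",
        "MAIL": "250 OK",
        "RCPT": "250 OK",
        "DATA": "354 End data with <CR><LF>.<CR><LF>",
        "QUIT": "221 Bye",
    }.get(verb, "500 Command unrecognized")


def run_session(client_events, greet_pause_ms=GREET_PAUSE_MS):
    """Replay client commands [(arrival_ms, line), ...] against the model.

    The banner goes out at greet_pause_ms. A command arriving earlier
    poisons the whole session: every command, including those sent after
    the banner, receives ERROR_REPLY for the rest of the connection.
    """
    poisoned = any(t < greet_pause_ms for t, _ in client_events)
    # Merge the banner into the timeline. At an equal timestamp the banner
    # sorts first (0 before 1), so a command at exactly the pause is legal.
    timeline = [(greet_pause_ms, 0, GREETING)]
    timeline += [(t, 1, cmd) for t, cmd in client_events]
    timeline.sort()
    transcript = []
    for t, who, text in timeline:
        if who == 0:
            transcript.append((t, "S", text))
            continue
        transcript.append((t, "C", text))
        transcript.append((t, "S", ERROR_REPLY if poisoned else normal_reply(text)))
    return SessionResult(poisoned, transcript)


# Constructed sessions. A standards-following client waits for the banner.
POLITE_CLIENT = [
    (2600, "EHLO mta.example.org"),
    (2700, "MAIL FROM:<sender@example.org>"),
    (2800, "QUIT"),
]
# A "lazy" client fires its whole command set without waiting for the banner.
LAZY_CLIENT = [
    (10, "HELO bulk.example.net"),
    (11, "MAIL FROM:<bulk@example.net>"),
    (12, "RCPT TO:<user@example.test>"),
    (13, "DATA"),
]

if __name__ == "__main__":
    for name, session in (("polite", POLITE_CLIENT), ("lazy", LAZY_CLIENT)):
        result = run_session(session)
        print(f"--- {name}: poisoned={result.poisoned}")
        for t, who, text in result.transcript:
            print(f"{t:>5} {who}: {text}")
```

Running it shows why the trick costs legitimate senders nothing but a 2.5 second wait: the polite session proceeds normally, while the lazy one has already condemned itself before the banner is even sent.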
