5 email per hour

hello guys
I have a problem with Spamhaus: all of my IPs are blocked in Spamhaus.
I want to set a rule in the firewall to limit 5 emails per hour.

How do I configure this rule?
Can you help me?

MikroTik devices have no information about how many emails are sent. You can’t do such limitations on a router.

There are methods whereby you could configure RouterOS’s firewall to permit no more than 5 SMTP outbound connections per hour, but that’s attacking the symptom instead of the cause.

What’s more useful here is to use RouterOS’s packet filter to capture outbound SMTP connections and then use the information you glean from them to find the host(s) that’s getting your public IP space blacklisted. Fix the cause, then petition Spamhaus and the others that are rightfully flagging your network as a source of spam.

You might have malware on one of your local machines, for instance. Choking the malware back to 5 emails/hour is a worse solution than killing the malware.

Regardless of the configuration of the remote mail server, with a single connection it is possible to send a near-unlimited amount of e-mail…
Just counting outgoing connections, for this, is useless…

Thanks guys,
yes, you're right,
but I have access to the mail server.

I want to limit port 25.

For example, use port 25 5 times in 1 hour; is that right?

What are your ideas?
Does it work?

You can do that, but if the message is spammed to 10.000 users, a single connection suffices…
And not only 25, but also 587 (I ignore the deprecated 465 and 2525).

lista_ip_clienti = user list created dynamically from the PPPoE Server
@SMTP_troppi_src = user list of IPs that connect to the SMTP Server more than 5 times in a minute

/ip firewall mangle
add action=jump chain=prerouting dst-port=25,587 jump-target=prerouting_smtp protocol=tcp src-address-list=lista_ip_clienti
add action=add-src-to-address-list address-list=@SMTP_troppi_src chain=prerouting_smtp \
    connection-limit=5,32 protocol=tcp src-address-list=!@SMTP_troppi_src
add action=return chain=prerouting_smtp

In my alternative below, I use "!LAN" instead, since that's a defconf address list, thus more likely to be applicable to the OP's configuration.


@SMTP_troppi_src

I searched the docs, but I couldn't find a special meaning for "@" at the beginning of a list name. Is that a local convention, or did I miss something?


connect to SMTP Server more than 5 times in a minute

I don't see the "in a minute" limit in your example. I think you need an "address-list-timeout" in there somewhere.

Also, the OP specified "per hour" in the thread title, not "per minute".


/ip firewall mangle

I don't see any reason this has to be in the "mangle" section. Regular IP firewall filtering will do for this.


chain=prerouting

I'd put this in the "forward" chain since the rule may need to change based on "out interface" or similar, which the firewall only knows after the routing decision.


add action=return chain=prerouting_smtp

My understanding of the underlying netfilter mechanism is that you don't need an explicit return from a jumped-to chain if you reach the end. Explicit return is for when you want to jump back out in the middle of the chain, as you see in my alternative:


/ip firewall filter
# (filter section, not mangle; see the note above)
# Create chain for handling SMTP outbound connection attempts.
# Putting the match rules here avoids the need to repeat them
# in each action below, and it makes the overall firewall faster.
add action=jump jump-target=SMTP-rate-limit \
    protocol=tcp tcp-flags=syn out-interface=ether1 chain=forward \
    dst-port=25,587,465,2525 dst-address-list=!LAN

# Drop conns that reach stage 5 per the limits below.
add action=reject reject-with=icmp-port-unreachable \
    src-address-list=SMTP-stage-5 chain=SMTP-rate-limit \
    log=yes log-prefix="rejected for 1h"

# Ratcheting connection mechanism: conns move from one stage to
# the next as long as the prior stage doesn't expire, so you need
# 5 conns within a 1-hour span to make it to stage 5.
add action=add-src-to-address-list address-list=SMTP-stage-5 \
    address-list-timeout=1h src-address-list=SMTP-stage-4 \
    chain=SMTP-rate-limit
add action=return src-address-list=SMTP-stage-5 chain=SMTP-rate-limit
add action=add-src-to-address-list address-list=SMTP-stage-4 \
    address-list-timeout=1h src-address-list=SMTP-stage-3 \
    chain=SMTP-rate-limit
add action=return src-address-list=SMTP-stage-4 chain=SMTP-rate-limit
add action=add-src-to-address-list address-list=SMTP-stage-3 \
    address-list-timeout=1h src-address-list=SMTP-stage-2 \
    chain=SMTP-rate-limit
add action=return src-address-list=SMTP-stage-3 chain=SMTP-rate-limit
add action=add-src-to-address-list address-list=SMTP-stage-2 \
    address-list-timeout=1h src-address-list=SMTP-stage-1 \
    chain=SMTP-rate-limit
add action=return src-address-list=SMTP-stage-2 chain=SMTP-rate-limit
add action=add-src-to-address-list address-list=SMTP-stage-1 \
    address-list-timeout=1h chain=SMTP-rate-limit

This is more complicated than rextended's method, but it works according to the requested specs, and it's more explicit, thus easier to debug. You can see the counters go up on the address lists and watch the timeouts to see what state any given host is in.

I doubt it matters which way you do it because both methods use a separate chain, so the action logic only affects SMTP TCP SYN packets, which should be rare. However, I do note that the docs claim the use of "connection-limit" is "very resource-intensive". My simple state-machine logic should not be "very resource intensive".

Beware: both methods need to be repeated for IPv6 if that's a possibility in your setup. The firewalls are separate, and you can't share rules among them. It's really too bad; otherwise, you could "jump" from the v6 firewall into the v4 firewall and share virtually all the logic.
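As an added illustration (not code from this thread or from RouterOS), here is a Python model of the five-stage address-list ratchet above: each stage list maps source to expiry, and one SYN walks the rules in the same order as the chain. Host addresses and timings are constructed.

```python
# Added model (not RouterOS code) of the staged address-list ratchet from
# the ruleset above: each stage list maps src -> expiry, entries live for
# `timeout` seconds, and a host found in the top stage is rejected.

TIMEOUT = 3600.0  # address-list-timeout=1h
STAGES = 5        # SMTP-stage-1 .. SMTP-stage-5

class SmtpRatchet:
    def __init__(self, stages: int = STAGES, timeout: float = TIMEOUT):
        self.stages = stages
        self.timeout = timeout
        # stage number (1..stages) -> {src: expiry time}
        self.lists = {i: {} for i in range(1, stages + 1)}

    def _in(self, stage, src, now):
        # Lazily expire stale entries, as the router's timeout would.
        exp = self.lists[stage].get(src)
        if exp is None:
            return False
        if exp <= now:
            del self.lists[stage][src]
            return False
        return True

    def _add(self, stage, src, now):
        self.lists[stage][src] = now + self.timeout

    def handle_syn(self, src, now):
        """Walk the SMTP-rate-limit chain for one outbound SMTP SYN."""
        # First rule: host already in the top stage -> reject.
        if self._in(self.stages, src, now):
            return "reject"
        # Promote from the highest stage the host is in, then return.
        for stage in range(self.stages - 1, 0, -1):
            if self._in(stage, src, now):
                self._add(stage + 1, src, now)
                return "accept"
        # Last rule: first connection in the window -> stage 1.
        self._add(1, src, now)
        return "accept"

    def stage_of(self, src, now):
        return max((s for s in self.lists if self._in(s, src, now)), default=0)

def demo():
    # Constructed host sending one SYN a minute: five accepted, sixth rejected.
    r = SmtpRatchet()
    return [r.handle_syn("10.0.0.7", t) for t in range(0, 360, 60)]
```

Note the ratchet is not a sliding window: a host that keeps connecting at any interval shorter than the timeout keeps each stage alive and is rejected on its sixth connection even at three per hour, so the address-list counters and timeouts are what to watch when tuning it.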

Sidenote: 587 is the submission port, which always requires login, so you can't use it for unauthorized spamming. And 465 was reinstated/repurposed as a replacement for 587 with implicit TLS (RFC 8314).

@tangent, on sort order… @ is before a, b, c… etc.
Yes, my connection-tracking settings are involved in the limits, I forgot that :unamused:
I do not want to block anything, I just want to be notified,
and the return is present because some other rules are present after that check…
I really do not want to block anything, but check suspicious connection behaviour…
:slight_smile:

How about you fix the mail server? m?

( @Znevna: for whom is that question? :question: )

For whoever opened this topic about blacklisted IPs in spamhaus.

This may happen if you're an ISP or at home where there are infected PCs acting as email bots. Either way you should block SMTP if you're not using your own email server. Regular email clients are not dependent on SMTP since they connect using other ports as @rextended explained.

Bottom line, I strongly advise you to disable SMTP (TCP port 25). When this is fixed you may send a request to Spamhaus to remove the block.

EDIT:
it doesn’t matter if the bot sends only 5 emails since you might get blocked anyway because the content itself risks being marked as spam.

It is best to solve that in your mailserver. Also, block all outgoing TCP port 25 traffic except from your mailserver.

All four of the ports mentioned in this thread carry SMTP, just with different options and restrictions. (Details)

The proper distinction is that 25 is now supposed to be used only for SMTP-to-SMTP transport, between MTAs.

I don’t see any of this as a good reason not to include port 25 in the port lists in these examples, however. Spammers are all about getting around supposed-to-bes.


it doesn’t matter if the bot sends only 5 emails since you might get blocked anyway because the content itself risks being marked as spam.

Agreed. I posted my solution more as an answer to an intellectual challenge than as good advice. OP should fix the cause, not the symptom.

In general we allow MTA communication only for customers with business contracts. For private customers, all such traffic is closed to fight bots. This applies to most other ISPs that I know of.

And when it comes to SMTP there is of course SSL/TLS (SMTPS) and measures like SPF/DKIM/DMARC (ARC) to check if the origin is legit.

Why? How do you figure that will help??

Fix the SPAM problem, or if you are the SPAM problem, stop sending SPAM..