Blacklisting SPAM

Hi,

I need to block those ip making email spam for “MikroTik RouterOS 6.12”.
Can anyone help me create this rule?
Thanks in advance!

Best regards,

Where do you have spammers address list from ? How this list looks like ?
If you have such list you can use as it is described in this thread http://forum.mikrotik.com/t/blacklist-filter-update-script/89817/1

Hi BartoszP, thanks for your prompt response.
That's the thing. I don't have such a list.
I manage a network of almost 500 private IPs. Yesterday night I got an email from my ISP, they have detected SPAM coming from my public IP.
I'm wondering how to detect and blacklist those IPs, otherwise my ISP may block my IP.
Thanks!!

You need to make a rule which records source addresses for clients with traffic to SMTP ports.
Then you need to make a decision if each particular value is “good” … it means if such a client makes reasonable SMTP traffic or exceeds it and is SUSPECTED. Check if the client sends to spammers' addresses or there are connections from these addresses to the client IP as it could mean that some PC on the client's side could be a “zombie” driven by spammers.
You should warn such a user about too high traffic as your ISP warns you. You can limit or block SMTP traffic from this particular address till the client confirms to you if the traffic is OK or NOT … You should act as your ISP does.
Check Firewall rules for limiting options: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Consider simply blocking all outgoing traffic to port 25/tcp. Nowadays there’s virtually no good reason for anyone not running a real mail server to make outgoing connections to this port, unless they are spammers.

Hi guys,

Is this the rule I need?
Of course I’ll then need to evaluate the address and take action.
Thank you a lot!!

add chain=tcp protocol=tcp dst-port=25 action=add-src-to-address-list
comment="add src smtp"

add chain=tcp protocol=tcp dst-port=465 action=add-src-to-address-list
comment="add src smtp"

add chain=udp protocol=udp dst-port=587 action=add-src-to-address-list
comment="add src smtp"

add chain=udp protocol=udp dst-port=25 action=add-src-to-address-list
comment="add src smtp"

add chain=udp protocol=udp dst-port=465 action=add-src-to-address-list
comment="add src smtp"

add chain=udp protocol=udp dst-port=587 action=add-src-to-address-list
comment="add src smtp"

Neither of those ports uses udp, only tcp. And you don't need to worry about all of them. Definitely not 587, because it requires authentication and cannot be misused by anonymous users. With 465 it's a little grey area, because it's unofficial smtp with ssl without authentication requirements, which theoretically can be misused by anonymous users. But in practice, the vast majority of spammers prefer 25.

And you can have one rule combined for all

add chain=udp protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp"

Great thank you all for helping on this matter!!!
I’ll be posting outcome soon.

“chain=udp” is wrong.
You can try to block spammers with rules like these:

/ip firewall filter
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0:packet log-prefix=spammer protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    log-prefix=spammer protocol=tcp src-address-list=spammers

You can try to adjust the values for “limit” and “connection-limit” according to your needs.
And of course, you can modify “address-list-timeout” as needed.

My mistake … easy to fix if someone is following this thread

add chain=output protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp"
add chain=forward protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp"

It is absolutely useless to put this rule on output chain. Output chain is from your router to outside. I’m sure your router does not send spam. :slight_smile:
And for what reason you put port 110? It is the port used for the POP3 protocol. Spammers trying to send emails not to download them.

Even mikrotik routers are connecting out silently without telling you. It’s not useless to have firewall rules in output chain.

Hi Jarda,
I absolutely agree with you. I have referred strictly to this case.

Grusu,

A. These rules are just for collecting where to and where from e-mails are sent/received but not for blocking. And these rules are not complete … they are just an idea.
B. What if the router NATs or transforms packets? Then transformed packets IMHO are not in the forward chain.
C. As I wrote in another thread … let the firewall do its work … optimization later.

Don't worry, I knew it was wrong, but the idea was clear.
So, I created this rule in order to -at least- detect those using smtp:
;;; add src smtp
chain=tcp action=add-src-to-address-list protocol=tcp address-list=add src smtp
address-list-timeout=0s dst-port=25,110,465

Is this right? so far no entry in the address list. any idea?

I removed that rule as I had no results, I guess it wasn't the right “chain”.
I then added these two rules and I have some outcome now…

15 ;;; SPAMERS
chain=output action=add-src-to-address-list protocol=tcp address-list=""
address-list-timeout=3h dst-port=25,110,465

16 ;;; SPAMERS
chain=forward action=add-src-to-address-list protocol=tcp address-list=""
address-list-timeout=3h dst-port=25,110,465

And the entries from the address list are…

544 D SPAMERS 10.5.10.234
545 D SPAMERS 10.11.5.172
546 D SPAMERS 10.5.10.40
547 D SPAMERS 190.104.246.162

Now I'll monitor their queue for traffic and I may contact them directly to find out whether they use those ports intentionally or have become zombies.
Once again, thank you all for helping on this matter and my apologies for my poor English.
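As an added illustration (not code from this thread or from MikroTik), the Python below replays the two-rule logic quoted earlier (more than 30 concurrent tcp connections to 25/587 from one /32 adds the source to an address list for 3 hours; a second rule drops listed sources) over constructed connection events, then splits the resulting list into LAN clients and external sources, which the posted results mix. The LAN range 10.0.0.0/8 and the event data are assumptions; the rule's `limit=30/1m` only throttles how often the add action fires and is not modelled.

```python
import ipaddress
from collections import Counter

# Thresholds copied from the rule quoted in the thread: tcp to ports 25/587,
# more than 30 concurrent connections per /32 source adds that source to the
# "spammers" list for 3 hours; a second rule drops traffic from listed sources.
SMTP_PORTS = {25, 587}
CONN_LIMIT = 30
LIST_TIMEOUT_S = 3 * 3600
LAN = ipaddress.ip_network("10.0.0.0/8")   # assumed client range, not from the thread

def sample_records():
    """Constructed connection events: (time_s, src, dst, dst_port)."""
    recs = []
    for i in range(35):  # LAN host fans out 35 SMTP connections in a minute
        recs.append((i, "10.5.10.234", f"198.51.100.{i + 1}", 25))
    for i in range(3):   # normal client: a few submissions to its mail server
        recs.append((10 + i, "10.11.5.172", "198.51.100.1", 587))
    for i in range(32):  # external MTA delivering a burst to an internal server
        recs.append((40 + i, "203.0.113.9", "10.5.10.40", 25))
    return recs

def simulate(records):
    """Replay events through the two rules; returns (listed, dropped)."""
    open_conns = Counter()   # src -> connections opened (none close in the sample)
    listed = {}              # src -> expiry time of its address-list entry
    dropped = []
    for t, src, dst, port in records:
        if port not in SMTP_PORTS:
            continue
        if src in listed and listed[src] > t:      # drop rule (src-address-list)
            dropped.append((t, src, dst))
            continue
        open_conns[src] += 1
        if open_conns[src] > CONN_LIMIT:           # connection-limit=30,32
            listed[src] = t + LIST_TIMEOUT_S       # address-list-timeout=3h
    return listed, dropped

def classify(listed):
    """LAN entries are clients to contact; external entries come from inbound
    delivery to an internal port 25, which the rule also matches."""
    return {src: "lan" if ipaddress.ip_address(src) in LAN else "external"
            for src in listed}

if __name__ == "__main__":
    listed, dropped = simulate(sample_records())
    print(classify(listed), len(dropped))
```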

What about these three lists? OpenBL.org, Spamhaus and dshield.
Should I use them?

I think I found something,
I now have this IP in the address-list I created for catching the spammers:
557 D SPAMMERS 123.129.65.102

This IP is from outside and it's known in many block lists.

Congratulations Mr. Poirot :slight_smile: It’s time to catch next one …