How to allow SMTP traffic on specific IPs

Hi,

we have the problem that infected customers start sending spam again. This happens about 1x per month. We have about 500 customers in our network.

We use this script to detect the infected users, and it works perfectly:

http://wiki.mikrotik.com/wiki/How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output

Is it possible to block all SMTP traffic on our gateway NAT routers and only allow, say, 10 IPs of known mail servers?

Any ideas?

Sure. You’re not very clear on what direction traffic is going in, but just as an example the below will block all SMTP traffic to servers other than 192.168.1.10 and 172.16.0.20.

/ip firewall address-list
add list=Known-Good-SMTP address=192.168.1.10
add list=Known-Good-SMTP address=172.16.0.20
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 dst-address-list=!Known-Good-SMTP action=drop

As a general rule in an ISP environment, we block all outbound SMTP unless its destination is our mail servers. This forces users to employ SSL (465) or SMTP-AUTH (TCP 587). Without this rule a user will inevitably get a virus and land one of your IP addresses on an SMTP blacklist. If you NAT customers behind a single IP this could become extremely problematic.
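An added example (not fewi's rule and not from the MikroTik wiki script) that builds on the rule above: it keeps the two relays from the post, leaves the submission ports open so correctly configured clients keep working, and tags and logs any customer host that tries to reach a foreign MX on port 25 before dropping it, so the offender is visible in the address list before a blacklisting happens. The customer range 10.0.0.0/8 and the list names are assumptions; the syntax is RouterOS v6.

```routeros
# Added example, not part of the original post. Assumes customers sit in
# 10.0.0.0/8 (placeholder) and are forwarded through this router.
/ip firewall address-list
add list=Known-Good-SMTP address=192.168.1.10 comment="mail relay 1"
add list=Known-Good-SMTP address=172.16.0.20 comment="mail relay 2"
add list=Customers address=10.0.0.0/8 comment="customer pool (assumed)"

/ip firewall filter
# Plain SMTP to our own relays is always allowed.
add chain=forward protocol=tcp dst-port=25 src-address-list=Customers \
    dst-address-list=Known-Good-SMTP action=accept comment="SMTP to own relays"
# Submission (587) and SMTPS (465) stay open; clients that authenticate
# against any provider keep working after port 25 is closed.
add chain=forward protocol=tcp dst-port=465,587 src-address-list=Customers \
    action=accept comment="authenticated submission"
# A customer host opening port 25 to anything else is a probable spambot:
# remember its address for one day so it shows up in the address list.
add chain=forward protocol=tcp dst-port=25 src-address-list=Customers \
    dst-address-list=!Known-Good-SMTP connection-state=new \
    action=add-src-to-address-list address-list=SMTP-Offenders \
    address-list-timeout=1d comment="tag hosts trying direct-to-MX"
# Log a rate-limited sample of the attempts so the log is not flooded.
add chain=forward protocol=tcp dst-port=25 src-address-list=Customers \
    dst-address-list=!Known-Good-SMTP connection-state=new \
    limit=5,5:packet action=log log-prefix="smtp-blocked: " \
    comment="log direct-to-MX attempts (rate limited)"
# Finally drop everything on port 25 that is not headed to a known relay.
add chain=forward protocol=tcp dst-port=25 src-address-list=Customers \
    dst-address-list=!Known-Good-SMTP action=drop comment="drop direct-to-MX"
```

Hosts collected in SMTP-Offenders can be reviewed with `/ip firewall address-list print where list=SMTP-Offenders`, which gives the same "who is infected" answer as the wiki script but before any mail leaves the network.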

Fewi’s rule suggestion is exactly what you’re looking for.

Most newer mail clients these days already try connecting on the more secure ports if port 25 fails to respond.

That's the problem, from time to time we land on the blacklist with one of our 6 IPs from the NAT routers…

The script detects the bad host, but it's too late; by then we are on the blacklist.

We have no incoming SMTP traffic behind the NAT routers, there are only private customers. So we can use the code from fewi :)

In future we will block port 25 outgoing and use SSL. But setting the SSL SMTP port on all customer PCs is too much work at the moment…

Thanks all :D