L7 mail filter

I think some of my computers are infected with malware that sends/spams e-mail around. So as it can contact any server on any port, the previously added firewall rule that blocks destination port 25 isn’t really a success.

Does anyone know how I make an expression and how I implement it into the firewall so it blocks any outgoing e-mail (only through SMTP)?

Thanks in advance

Most spamware/adware/spyware programs get away from port 25 as fast as they can. They know you will try blocking them there. You might want to look at the docs under firewall filter. At the end of the doc are a couple of examples. The “Protect your Router” one is a necessity. The second, “Protect your Customers”, may help. It blocks/drops the programs that may be affecting your system.

OK, I “protected the router”… now on topic again, dropping only outgoing e-mails - how to do it?

This blocks emails from your localnets to anywhere:
/ip firewall filter add chain=forward action=drop protocol=tcp dst-port=25
blocks outbound email from Outlook Express/Thunderbird

yes I already have that, but what if malware/spyware uses a different port than 25 to communicate with the SMTP server? Which is probably the case. It can communicate on any port. And the only way to stop that from happening is to implement Layer 7 packet inspection which can detect any outgoing mail on any port…

That is what I want to accomplish!

Thanks

well, the standard port is 25. malware/spyware smtp servers may communicate on any port =)

yes that is the thing, I know they may communicate on any port. that’s why I need packet inspection so the router opens each packet, checks its header and sees what type it is. if it is mail, it drops it. if not, it forwards it. simple as that. Layer 7 filtering it is called :slight_smile:

how should malware communicate with a remote smtp-server on anything else than port 25 and 587? a spammer wants to get his mail delivered with the least amount of work, so he uses open relays or the mx of the spammed person. both only offer those two ports :slight_smile:
IF he uses another port, it is traffic between his own machines, but no spamming to the outside. then you are screwed and have to eliminate the pc with the malware.

but then we are not talking about spamming. spamming CAN be only done on smtp-ports.
and spyware/malware has no definitive header or something, so either define a new l7-filter (if that is possible, I doubt it) with the reverse-engineered headers (can be done with some sniffing if the traffic is unencrypted, which I also doubt :slight_smile:). or simply live with it, you can’t do anything against it if you do not shut down the client until it is cleaned

I am saying that I received a warning e-mail from my ISP which says that I or someone in my network sent unwanted (spam) e-mail and that they will block my Internet access if I do not fix the problem. Since we are all going out through the MT, I thought it was possible for the MT to do the packet inspection and forward only “clean” packets :slight_smile:

But since it is not possible, I will have to go with firewall blocking SMTP only…

you may tarpit more than 3 (1, 2, 5, etc.) simultaneous SMTP connections from every customer - spambots create many connections at a time
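A worked RouterOS configuration that puts the thread's suggestions together (the port-25/587 drop from the earlier reply, the per-host connection limit with tarpit from the last reply, and a layer7 banner match so the infected machine can be found even when it talks to a mail server on an odd port). This is an added example, not a config posted in the thread or shipped by MikroTik. Assumptions: the LAN is 192.168.88.0/24, the address-list and protocol names (smtp-flooders, smtp-banner, mail-servers) are invented, and the banner regexp is a simplified pattern for the "220 ... ESMTP" greeting that only works when the session is unencrypted (as the thread already notes, an encrypted session shows no banner to match).

```routeros
# Added example (not from the thread). Assumed LAN: 192.168.88.0/24.
# Goal: keep spam from leaving the router and, more usefully, record which
# inside host is producing it so that machine can be found and cleaned.

# 1. Simplified SMTP greeting pattern (assumption: a real deployment should use
#    the l7-filter project's smtp pattern). The layer7 matcher inspects the
#    first packets of a connection in both directions, so the mangle rule that
#    uses it must NOT be restricted by src-address, or it never sees the
#    server's "220" reply.
/ip firewall layer7-protocol
add name=smtp-banner regexp="^220.*(ESMTP|esmtp|SMTP|smtp)"

# 2. Mark every TCP connection whose opening exchange looks like SMTP,
#    regardless of the destination port.
/ip firewall mangle
add chain=prerouting protocol=tcp layer7-protocol=smtp-banner \
    action=mark-connection new-connection-mark=smtp-conn passthrough=yes \
    comment="tag SMTP sessions on any port"

# 3. Known-good relays the LAN is allowed to submit mail to (assumed name;
#    fill in the ISP's or company's relay address).
/ip firewall address-list
add list=mail-servers address=192.0.2.25 comment="placeholder: ISP relay"

/ip firewall filter
# 4. Detection: a LAN host with more than 3 simultaneous SMTP connections
#    (counted per single /32 source) is almost certainly a spambot. Log it
#    and keep it in an address list for a day so the admin can see who it is.
add chain=forward src-address=192.168.88.0/24 protocol=tcp \
    dst-port=25,587 connection-state=new connection-limit=3,32 \
    action=add-src-to-address-list address-list=smtp-flooders \
    address-list-timeout=1d comment="record hosts opening many SMTP sessions"
add chain=forward src-address=192.168.88.0/24 protocol=tcp \
    dst-port=25,587 connection-limit=3,32 \
    action=log log-prefix="smtp-flood" comment="log the excess connections"

# 5. Tarpit the excess: the bot's sockets stay open but nothing flows,
#    which slows it far more than a plain drop.
add chain=forward src-address=192.168.88.0/24 protocol=tcp \
    dst-port=25,587 connection-limit=3,32 action=tarpit \
    comment="tarpit spambots (more than 3 concurrent SMTP sessions)"

# 6. Mail on a non-standard port that still starts with an SMTP banner:
#    record the source and drop it (this is the layer7 part the thread asks about).
add chain=forward src-address=192.168.88.0/24 connection-mark=smtp-conn \
    dst-address-list=!mail-servers action=add-src-to-address-list \
    address-list=smtp-flooders address-list-timeout=1d \
    comment="record hosts speaking SMTP to arbitrary ports"
add chain=forward src-address=192.168.88.0/24 connection-mark=smtp-conn \
    dst-address-list=!mail-servers action=drop \
    comment="drop SMTP sessions to anything but the permitted relays"

# 7. Ordinary clients: allow submission only to the permitted relays,
#    drop every other outbound 25/587 attempt (the rule from the earlier reply).
add chain=forward src-address=192.168.88.0/24 protocol=tcp dst-port=25,587 \
    dst-address-list=mail-servers action=accept
add chain=forward src-address=192.168.88.0/24 protocol=tcp dst-port=25,587 \
    action=drop comment="block direct-to-MX mail from the LAN"
```

After a few minutes, `/ip firewall address-list print where list=smtp-flooders` names the inside address(es) the ISP complaint is about; the log entries prefixed `smtp-flood` show the timing. The address list is the part worth keeping even once the port-25 rule is in place, because it turns a silent drop into evidence of which machine to clean.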