Is there a way I can implement a layer 7 firewall rule to match a specific e-mail address?
I’m having a problem with SPAM, but disabling the account on the mail server just results in massive log files. I’d like to shut down all transmissions as soon as that e-mail address is discovered. I can manage the bulk of the rule, but I don’t know jack about the layer 7/regex matching.
A mail server is perfectly able to handle, and is designed to handle, this type of spam problem. This is not the proper place to get help with mail server settings, though. You should have documentation and manufacturer support with your mail server.
You obviously did not even read this thread at all. He is NOT asking how to block email websites!!! He is asking how to reduce spam by stopping people with CERTAIN EMAILS from sending to his mailserver!!!
It’s actually a user account that has been compromised. I disabled the account, but instead I get several gigs of rejected logins each day. The SPAM problem has stopped, but the server is under high load just rejecting logins.
If your mail server is under load because of that, then it is improperly configured. You should set the mail server to “fail” the account. This means that the server does not even accept the messages to that account. It immediately rejects them based on the address instead of accepting the message and then dropping it.
Again, you need to consult your mail server support.
I’m not sure you understand the load. I am getting over a million messages a day. That’s a lot. That’s a ton of rejection.
As recommended elsewhere, I am looking into Fail2ban to automate this process using the mail server’s firewall. I just figured a quick and easy firewall script could have been had, but people insist on the run-around.
So, if you insist on using the mikrotik to try and do this, then simply type that email address into the L7 and set the rule to drop. Of course, this will still hit your mailserver up until the remote server sends this email address in the header…
I will be putting in that particular compromised user’s address. The firewall will start blacklisting the IPs of the various machines on the botnet to prevent them from attempting to login to the mail server repeatedly.
Now:
1. PC on botnet attempts to authenticate to my SMTP server.
2. The account is in “maintenance mode”, so it is rejected.
3. Bunch of log data is written pertaining to the rejection.
4. Goto: 1.
Future:
1. PC on botnet attempts to authenticate to my SMTP server.
2. Router sees the username of the attempted authentication through layer 7.
3. Router adds IP to a blacklist, shutting down present connection, possibly some bit of log entry.
4. PC cannot goto 1 because the router blocks the communication before it ever gets there, saving gigs upon gigs of logs.
The logs rotate on schedule, but what’s the point in filling them up with junk? I don’t need any logs of the spammers failed sessions. All of this literally useless garbage just gets in the way.
Tell you what. Instead of disposing of my trash as I do now, I’ll bring it over and dump it in your living room on the floor. Only, I’ll tell 45k other people to do the same. Do you let it pile up and clear it on a given schedule or do you lock your door?
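The rule set sketched in the two posts above (match the compromised address in layer 7, add the source IP to a list, drop the list), written out as a RouterOS script. This is an added example, not from either poster; the address user@example.com, the mail server address 192.0.2.25, the list name smtp-botnet and the one-day timeout are placeholders to adjust. Two things a practitioner needs to know before relying on it: the MikroTik layer7 matcher only inspects the first 10 packets or 2 KB of a connection, and it needs to sit in a chain that sees both directions of the traffic (forward, with connection tracking on). More importantly, SMTP AUTH does not send the username in clear text. AUTH LOGIN sends it base64-encoded on its own line (base64 of "user@example.com" is dXNlckBleGFtcGxlLmNvbQ==), while AUTH PLAIN encodes "\0user\0password" as one string, which shifts the base64 alignment so the plain address pattern never appears; and once the client negotiates STARTTLS (or connects on 465) nothing is visible to the router at all. So the regexps below catch the address in a clear-text MAIL FROM and the AUTH LOGIN form on ports 25/587 before TLS, and nothing else. The MAIL FROM pattern is deliberately anchored on the command rather than the bare address so that legitimate inbound mail that merely mentions the address in RCPT TO or a header does not get the sender blacklisted. SMTP command keywords are case-insensitive, hence both spellings; check whether layer7 regexps are matched case-insensitively on your RouterOS version before simplifying.

```routeros
# --- Added example: L7 match on a compromised account, then blacklist the source ---
# Placeholders (assumptions): user@example.com is the compromised account,
# 192.0.2.25 is the mail server behind the router, smtp-botnet is the list name.

/ip firewall layer7-protocol
# Clear-text envelope sender: "MAIL FROM:<user@example.com>" (bots usually send it uppercase)
add name=compromised-mailfrom regexp="(MAIL|mail) (FROM|from):.*user@example[.]com"
# AUTH LOGIN sends the username alone, base64-encoded: base64("user@example.com")
add name=compromised-authlogin regexp="dXNlckBleGFtcGxlLmNvbQ=="

/ip firewall filter
# 1. Any connection toward the mail server that reveals the compromised account
#    gets its source IP added to the list for one day. add-src-to-address-list
#    passes the packet on to the following rules, so the drop rule below also
#    kills the connection that triggered the match.
add chain=forward protocol=tcp dst-address=192.0.2.25 dst-port=25,587 \
    layer7-protocol=compromised-mailfrom action=add-src-to-address-list \
    address-list=smtp-botnet address-list-timeout=1d \
    comment="compromised account seen in MAIL FROM"
add chain=forward protocol=tcp dst-address=192.0.2.25 dst-port=25,587 \
    layer7-protocol=compromised-authlogin action=add-src-to-address-list \
    address-list=smtp-botnet address-list-timeout=1d \
    comment="compromised account seen in AUTH LOGIN"
# 2. Everything from a listed source toward the mail server is dropped at the
#    router, so the mail server never sees (or logs) the retries.
add chain=forward protocol=tcp dst-address=192.0.2.25 dst-port=25,587 \
    src-address-list=smtp-botnet action=drop \
    comment="drop botnet hosts hammering the disabled account"
```

Watch the list with /ip firewall address-list print where list=smtp-botnet; if it stays empty while the mail server logs keep growing, the bots are authenticating over TLS or with AUTH PLAIN and the router cannot see the username, which is the case where a log-driven tool on the mail host itself (fail2ban reading the rejected-login lines and pushing the IPs into this same address list via the RouterOS API) is the only thing that will work.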