Need help with spammers/viruses

We have recently had our NAT tagged by a botnet. I believe that it started with W32.Stormworm. I have had no luck in trapping the data as of yet, and we continue to be blacklisted by the CBL. I have tried a basic script for SMTP traffic but have had no luck. Below is the script I currently have running; it is catching some traffic but not all. Any help and/or suggestions someone may have would be greatly appreciated. Thanks so much…

/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer \
    action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 \
    action=add-src-to-address-list address-list=spammer address-list-timeout=1d \
    comment="Detect and add-list SMTP virus or spammers"

wiki.mikrotik.com: look at Dmitry's firewall stuff.

Thanks, I took a look but am not having any luck finding his post on the wiki. Do you have any URLs?

Is the filter not tagging the traffic?
If not, you might try changing "add chain=forward" to "add chain=input".

Torch port 25 and look for the flood of traffic. Block port 25 on the offending IP.

I just finished playing that game. A business client with about 30 PCs in 4 cities had an infected machine that was triggering the script and blocking all their outgoing email. I ended up removing the virus for them as well.

http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling

Try removing "limit=50,5" and using a more aggressive connection-limit; you can try connection-limit=20,32.

Good luck & Regards!

Greetings!

I take a “backwards” approach to this challenge. I inform my customers in my “EULA” that port 25 is blocked, and if they use Outlook Express or Thunderbird, they can receive email, but will not be able to send any. The solution through my service is to subscribe to a port 80 email service (webmail). Most reputable ISPs block port 25 from unknown IP addresses for spam relay prevention purposes anyway.

I add this as the first line in my firewall:

/ip firewall filter
add chain=forward protocol=tcp dst-port=25 place-before=0 action=drop

That should stop all port 25 traffic. Then as each user proves they are not the one:

/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address=192.168.xxx.xxx/32 place-before=0 action=accept

That should allow port 25 through for IP 192.168.xxx.xxx

I do not allow port 25 access to any customers at the present time.

There is a way to force all SMTP traffic to a specific server, but I do not use that setting either.

I took a similar approach (block port 25 outgoing) so users can still use SMTPS (over SSL) on different ports, but I've created an address list, so I exclude everyone who requests SMTP access by adding them to that IP list.

/ip firewall filter
add chain=forward action=reject reject-with=icmp-network-unreachable in-interface=lan \
    dst-port=25 protocol=tcp src-address-list=!Allow_SMTP
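A fuller version of the "block port 25 by default, exempt approved hosts" policy described in the last two posts, as an added example that is not code from any poster in this thread. It assumes the LAN-facing interface is named lan, the LAN is 192.168.1.0/24, the exemption list is called Allow_SMTP, and the two listed addresses are illustrative; adjust all of these to your network.

```routeros
# Added example (not from this thread): default-deny outbound SMTP with an
# exemption list. Assumed names: interface "lan", list "Allow_SMTP",
# hosts 192.168.1.10 and 192.168.1.25 (all illustrative).

# Hosts that have asked for, and been approved for, direct port-25 access.
/ip firewall address-list
add list=Allow_SMTP address=192.168.1.10 comment="internal mail relay"
add list=Allow_SMTP address=192.168.1.25 comment="approved workstation"

/ip firewall filter
# Authenticated submission stays open for everyone: 587 (STARTTLS) and
# 465 (implicit TLS). One rule per port keeps this valid on older versions
# that do not accept a port list in dst-port.
add chain=forward protocol=tcp in-interface=lan dst-port=587 action=accept \
    comment="allow authenticated mail submission (STARTTLS)"
add chain=forward protocol=tcp in-interface=lan dst-port=465 action=accept \
    comment="allow authenticated mail submission (SMTPS)"
# Approved hosts may still speak plain SMTP on 25.
add chain=forward protocol=tcp in-interface=lan dst-port=25 \
    src-address-list=Allow_SMTP action=accept comment="exempted SMTP senders"
# Everyone else is dropped (not rejected) so an infected host gets no answer
# at all. Logging the hits tells you which internal IP is the infected one.
add chain=forward protocol=tcp in-interface=lan dst-port=25 \
    action=drop log=yes log-prefix="smtp-blocked" comment="block direct SMTP"
```

Rule order is what makes this work: the accept rules for 587/465 and for the exemption list must sit above the final drop, and the whole group must sit above any generic "accept everything from LAN" rule (use place-before=N if one already exists). When a user reports that they cannot send mail, the log line tagged smtp-blocked shows whether it was their own machine or another host on the LAN that tripped the rule.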

Thanks everyone, lots of good input, so I ultimately just decided to block port 25 and open 587 for my users. Thanks for all the good advice… :smiley:

If you use this method in v3 you will encounter problems, as it will randomly block users who don't spam. There is something buggy in v3 with these rules.

In our case the problem started a few days after we upgraded to v3, where we also had this method of identification of spammers or infected users.

However, in v2.9.48 there is no problem with this.

Just a note: I have found that "drop" is the only defense against the spambots. If you use "reject", the best you can hope for is a standoff with a virus-infected machine. Both machines will eat all your bandwidth with request-reject messages. Make the little suckers wait for a response that will never come!!

EDIT: See post below. I like the tarpit! Thanks!

Use 'tarpit', not 'drop'; spambots will be confused :wink:
Make the little suckers get an ACK response =))

Ditto this: Tarpit will sometimes even crash the infected machine.

Any issues using tarpit instead of drop? Stability? CPU load? Network load?

No issues.
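The detection rule from the first post, reworked along the lines of the last few replies so that flagged hosts are tarpitted rather than dropped, as an added example that is not code from any poster in this thread. It assumes the LAN-facing interface is named lan, a legitimate internal mail relay at 192.168.1.10 that is allowed to open many port-25 connections, and an address list named spammer; all of these are illustrative.

```routeros
# Added example (not from this thread): connection-count detection with
# tarpit instead of drop. Assumed names: interface "lan", relay
# 192.168.1.10, address list "spammer" (all illustrative).

/ip firewall filter
# The real mail relay legitimately opens many port-25 connections, so it
# must be accepted before the detection rule or it will flag itself.
add chain=forward protocol=tcp in-interface=lan dst-port=25 \
    src-address=192.168.1.10 action=accept comment="legit mail relay"
# Already-flagged hosts are tarpitted: the router completes the TCP
# handshake and then holds the connection open without passing data, so the
# bot spends its time waiting on us instead of hammering remote MX hosts.
add chain=forward protocol=tcp in-interface=lan dst-port=25 \
    src-address-list=spammer action=tarpit comment="tarpit flagged SMTP senders"
# Flag any single source (/32) that holds more than 20 concurrent port-25
# connections. A workstation sending ordinary mail never gets near this;
# a spambot does within seconds. The entry expires after a day so a cleaned
# machine gets its mail back without an admin touching the list.
add chain=forward protocol=tcp in-interface=lan dst-port=25 \
    connection-limit=20,32 action=add-src-to-address-list \
    address-list=spammer address-list-timeout=1d \
    comment="flag hosts opening too many SMTP connections"
```

Two details matter for this to behave as the thread describes. The tarpit rule sits above the detection rule, so a host that has already been listed is caught on its first packet and never re-evaluated against the threshold; and connection-limit counts established connections per /32 source, so lowering the first number (the replies above suggest 20 rather than 30) makes the trap fire sooner at the cost of a higher chance of catching a busy but legitimate sender, which is exactly why the relay is exempted first.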