Port 25 capture IP address

Montana · August 9, 2007, 12:17am

I have an individual that is trying to use an email server behind our Nat’ed network. I have blocked port 25 to stop this but I would like to find the customer instead. The problem is that this is random and I cant seem to find him when he is doing this. Everyone on my network is using a private static IP address. Is there a way that I could capture/log his IP address when he makes an attempt to use port 25? If so what do I need to key in?
Thanks Mike

janisk · August 9, 2007, 7:20am

if i understood you correctly then create address list of your clients (their static ips) and create firewall rule on router through which the communication goes with action log all packets that goes to port 25 to your server and exclude good ip addresses (of your static clients)

here more onf firewall filters
http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

abab_rafiq · August 9, 2007, 8:46am

use torch .. to find out.

Rafiq…

plcoomer · August 9, 2007, 12:27pm

How about this…
ip firewall filter
add chain=forward action=log src-por=25 protocol=tcp log-prefix=“He has Mail Server”

Then keep an eye on your log.

Or just prevent it completely and allow no incoming port 25 tcp packets to your private Ip range. Also think about POP mail packets I think port 110

Montana · August 9, 2007, 4:23pm

Thanks P this is what I needed.

ralphw · August 11, 2007, 4:30pm

We block all inbound port 25 traffic at the edge, unless customer is a business customer and pays specifically for a business account which allows a mail server, where they will be assigned a static IP. If your TOS does not allow servers (mail or otherwise) then you will be in good shape. I see this as a revenue generating opportunity. If you block inbound 25, they will call you and you will not have to chase them down.

It is rather strage though that if you have a NAT range that anyone can get any inbound 25 traffic to a specific internal host without an outbound TCP request to each host they are talking to. NAT takes care of that problem most of the time. If they are running a ETRN pulling server then when you block 25 you will see them just re-assign it to an alternate port.

Just be sure to alert your tech support to what you are doing so they don’t make you look silly and waste lots of support time when people call in.

Ralph