SITUATION: We are using Bluehost for our official email addresses, and recently our users have been receiving a lot of spam email. When they click on the attachment, that email ID starts sending a lot of emails (1 user sent 5000 emails in 24 hours). As a result, Bluehost blocked us from sending email to external domains because the daily quota was exceeded.
Looking for Solution: What I want to do is limit each user to sending a limited number of emails per minute or per day. So how can I achieve this with Mikrotik?
That would be very hard to achieve on Mikrotik because Mikrotik doesn’t run an application firewall and thus doesn’t know anything about users. It only knows about IP addresses. If the normal situation is “one user per IP address”, then it might be possible to do something using the connection-limit property of the firewall (FW properties).
Your first solution should be to educate users not to open suspicious attachments.
Second solution should be to implement a proper e-mail filtering solution.
Rate limiting SMTP should not be considered a solution and will likely cause problems in the future. Also rate limiting won’t clear any mail in the outgoing queues of the clients so they will still be sending spam.
Adjust connection-limit in the filter rule as necessary.
connection-limit=30,32 means max 30 connections, and the 32 means /32, which is one individual IP address.
limit=50,5 means max 50 packets per second and a burst setting of 5.
Also the 1d setting in the filter rule means addresses added to the list expire after 1 day.
Aside from the technical solution, and educating users, and using anti-virus software; I’m not sure anyone expects an ISP to provide email service anymore. There are plenty of email services to use, on their own. I think that was mainly a thing back in the 90’s.
On a side note, SMTP is normally not needed for regular email clients, and therefore a majority of ISPs block egress SMTP under personal signed consumer agreements to prevent spam bots.
Hosting etc. is normally regarded as business services that usually allow SMTP, but only if they sign a separate business agreement.
Private email requires authorization using a login to its hosted service with, for example, SSL/TLS (IMAP/POP/OUTLOOK) on common ports like 443, 465, 587, 993, 995 etc., hence SMTP is disabled for this type of use. That is, the main objective is to prevent spam bots that originate from infected consumer PCs.
This thread is quite old now, but I decided to reply.
SMTP uses port 25, which is now reserved for server-to-server communication (MTA to MTA). Users should now always use submission, either on port 587 with STARTTLS or the resurrected port 465 with TLS. Therefore, on border routers/gateways and firewalls you should always block port 25 on egress. If the network hosts its own MTA, then port 25 on egress should be allowed only for the IP of the MTA (mail server). I haven’t really seen any spam bots using ports 587 and 465, mainly because they always work with SASL and require authentication. So bots rely on simple “mail injection” on the destination server, i.e. delivering mails directly to the mailbox of the target recipients.
SMTP is always open for business-grade connections and normally closed for regular consumers. If a botnet manages to steal the username and password for your email account, it’ll use ports 587 or 465.
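
The two router-side measures discussed in this thread (the connection-limit/limit rule that puts offenders on an address list for 1d, and blocking egress port 25 except for the site's own MTA), written out as an added RouterOS example that is not from any poster. The list names, the 192.0.2.25 mail-server address and the choice to watch ports 465 and 587 are assumptions; the limit value is typed as quoted in the thread, and counting per IP only maps to per user when each user has their own address.

```routeros
# Added example, not taken from the thread.
# Assumptions: list names "local-mta" and "smtp-flood" are hypothetical,
# 192.0.2.25 is a placeholder for an on-site mail server (omit if none).

/ip firewall address-list
add list=local-mta address=192.0.2.25 comment="placeholder: on-site MTA"

/ip firewall filter
# 1. Port 25 is MTA-to-MTA traffic: allow it outbound only from the mail server.
add chain=forward protocol=tcp dst-port=25 src-address-list=local-mta \
    action=accept comment="egress SMTP from local MTA only"

# 2. Everything else on port 25 is dropped and logged, which also shows
#    which internal hosts are attempting direct delivery.
add chain=forward protocol=tcp dst-port=25 action=drop \
    log=yes log-prefix="smtp25-blocked" comment="clients must use submission"

# 3. Hosts already flagged by rule 4 are cut off from the submission ports
#    until their address-list entry expires.
add chain=forward protocol=tcp dst-port=465,587 src-address-list=smtp-flood \
    action=drop comment="flagged host, blocked from mail submission"

# 4. Flag a single address (/32) that holds more than 30 connections to the
#    submission ports. limit=50,5 is the rate/burst value quoted in the
#    thread; the entry expires after 1 day (1d).
add chain=forward protocol=tcp dst-port=465,587 \
    connection-limit=30,32 limit=50,5 \
    action=add-src-to-address-list address-list=smtp-flood \
    address-list-timeout=1d comment="detect mail flood per source IP"
```

Entries in the smtp-flood list identify which machine to clean and which mailbox password to reset; the block itself does not empty that client's outgoing queue.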