Spam prevention

Hi,

I have tried setting up firewall rules to limit and block spammers with connection limits as per the MikroTik wiki.
The problem is that if I have both connection-limit and limit enabled in the same rule, it does not count at all, no matter what I change the values to.

If I remove either the connection limit or the limit it starts counting.

Using a CCR1009-8G-1S-1S+
RouterOS: 6.35.4


/ip firewall filter
add action=jump chain=forward comment="SMTP Outbound" dst-port=25,587 jump-target=SMTP-Outbound out-interface=vlan-interface protocol=tcp
add chain=SMTP-Outbound dst-port=25,587 out-interface=vlan-interface protocol=tcp src-address-list=smtp-bypass
add action=drop chain=SMTP-Outbound dst-port=25,587 out-interface=vlan-interface protocol=tcp src-address-list=spam-block
add action=add-src-to-address-list address-list=spam-block address-list-timeout=1d chain=SMTP-Outbound connection-limit=30,32 dst-port=25,587 limit=30,5:packet out-interface=vlan-interface protocol=tcp
add action=return chain=SMTP-Outbound log=yes log-prefix="SMTP: "

Please can someone assist?

Are you sure the spammers are located inside your LAN and are using SMTP servers on the internet?

Yes, they are, since the log entry on the return rule picks them all up and I have to block them manually.
(attachment: smtp.JPG)

It is a good idea to match some ports and interfaces and then jump to another chain for further handling of that specific protocol, but then I would not repeat the whole matching in that chain again and again; it is not required and only wastes CPU.
In that chain you only need to do your rate limiting (in this case).

Firstly, why would I only require rate limiting when all the other how-tos have both?

And if that is the case, what would be the best rate/time, burst and mode (packet/bit) to use to trap SMTP spammers?
Keep in mind that this is an edge router with about 600 MikroTik boards using PPPoE connections, with between 5 and 30 clients behind each client board.


Thanks in advance.

I do not intend to address your rate limiting, I only want to point out that it is not required to do the matching
of port number and interface in each and every rule in your custom table. You branch to your custom table using
a jump from the forward table, and when you are in your custom table you already know those conditions are matched.
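The following is an added example, not a configuration posted by anyone in this thread, showing what the de-duplicated custom chain described in the two replies above looks like. It keeps the interface name (vlan-interface), the address-list names (smtp-bypass, spam-block) and the connection-limit value from the original post; the protocol, port and out-interface matchers appear once, on the jump rule, and the rules inside SMTP-Outbound carry only the per-source logic. The threshold and timeout values are illustrative, not recommendations for the 600-board PPPoE deployment mentioned in the thread.

```routeros
# Added example (not from the thread): SMTP-Outbound chain with the
# protocol/port/interface matching done once, on the jump rule.
/ip firewall filter

# All TCP to 25/587 leaving vlan-interface is handed to the custom chain here.
# Every packet that reaches SMTP-Outbound has therefore already matched these
# conditions, so they are not repeated below.
add chain=forward action=jump jump-target=SMTP-Outbound protocol=tcp \
    dst-port=25,587 out-interface=vlan-interface comment="SMTP Outbound"

# 1. Known legitimate mail servers are accepted and never counted.
add chain=SMTP-Outbound action=accept src-address-list=smtp-bypass \
    comment="Bypass list: trusted SMTP sources"

# 2. Sources already flagged stay blocked for the list timeout.
add chain=SMTP-Outbound action=drop src-address-list=spam-block \
    comment="Flagged sources"

# 3. connection-limit=30,32 matches a packet when its source /32 already holds
#    30 or more concurrent connections in this chain; that source is flagged
#    for one day. The value 30 is taken from the original post and is illustrative.
add chain=SMTP-Outbound action=add-src-to-address-list address-list=spam-block \
    address-list-timeout=1d connection-limit=30,32 \
    comment="Flag sources with 30+ concurrent SMTP connections"

# 4. Everything else returns to the forward chain; logging kept as in the post.
add chain=SMTP-Outbound action=return log=yes log-prefix="SMTP: "
```

One caveat a practitioner should keep in mind when deciding whether to keep `limit` in the flagging rule as the original post does: in RouterOS the `limit` matcher is a single token bucket per rule, not per source address, and per the RouterOS documentation it matches packets only while the rate stays within the configured limit. Adding `limit=30,5:packet` to rule 3 therefore restricts which packets are eligible to be flagged, rather than selecting the sources that exceed 30 packets per second; whether that is what produced the "does not count at all" behaviour in the post cannot be confirmed from the thread alone.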