I seem to be having a problem with spam
I see this script on Butch’s blog: I am looking at the last one his favorites
http://blog.butchevans.com/2008/12/spam-trojan-detection-with-mikrotik-routeros/
can I copy and paste that in my router? But if I have a problem how do I diable it
thanks
Spam isn’t something you should take care of in your router. I would take care of it on the server side with server blacklists from spamhaus.
What is posted there is not a script. It is a set of filter rules and address lists that will drop tcp traffic that goes over port 25 (most often SMTP) if it violates certain limits that usually identify it as spamy behavior. If you had problems with the specific rules you would either need to adjust them or disable them.
These are the specific rules that we use on our networks and they work, but if you are protecting a server at a central location and not a specific network, you will need a different approach. In either case if you have a SMTP relay server, you will want to have some form of spam filtering on the server to protect the server and prevent yourself from being black listed.
/ip firewall filter
add action=add-src-to-address-list address-list="Block Spam" address-list-timeout=1h chain=forward comment="Detect Possible Spamer" connection-limit=10,32 disabled=no \
dst-port=25 limit=30,5 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=25 protocol=tcp src-address-list="Block Spam"
Hi, just struggling with the same problem. We have own smtp server (ClearOs Linux), but it is not reliable (if it would broke, my brother would not be able to repair it himself, and I am not always available at hand), so that server is not a problem. But then we have users, who request that e.g. gmail (plus cca 8 other well known services) being used, so we have an address list of “allowed_mail_servers”, where users have to authenticate, so we allow that.
But - then we are allowed to use our ISPs mail server. I tried to set-up some rules, but so far I am not sure it works reliably:
chain=mail action=add-src-to-address-list protocol=tcp dst-address=x.x.x.x address-list=mail_spammers address-list-timeout=0s dst-port=25 connection-limit=30,32 limit=50,5
And I have some questions:
do all viruses/spam malware behave the way, that it opens multiple connections? I mean - is it possible to open one tcp connection to smtp server, and deliver multiple emails? Because if so, then the connection-limit rule might not catch all spam techniques
limit= 50, 5 - OK, so I limit by 50 pps. Is that reliable? I mean - 50 packets, even of 1400bytes size = ~ 70 KB of data. So - is 70KB of data delivered per second any good measure for the technique to work reliably?
I can see that with newer OSes (I am not working with MT so frequently, so sorry if it is in there for ages 
), there is so called dst-limit. My question is - could I use the rule, instead of setting limit + connection limit? Is that the same? I mean - could following rule be used instead?:
chain=mail action=add-src-to-address-list protocol=tcp dst-address=x.x.x.x address-list=mail_spammers address-list-timeout=0s dst-port=25 dst-limit=50,5,addresses-and-dst-port/1m40s
Thanks a lot,
Best regards,
Petr
Spam is not something you deal with on a router. Spam is something you deal with on a mail server, be it the actual mail servers involved in the email chain or a proxy transparently inserted. To efficiently deal with spam you need something that inherently understands mail on the application layer.