Spambot?

I received and configured my Mikrotik router today and I am a bit of a newb.
I am trying to chase a suspected spambot.
I am logging port 25 transactions and I am getting thousands of records like this:

in:pppoe-out1 out:bridge, proto TCP (SYN), 5.34.205.132:58742->xxx.xxx.xxx.xxx:25, NAT 5.34.205.132:58742->(yyy.yyy.yyy.yyy:25->192.168.88.116:25), len 60

xxx.xxx.xxx.xxx is my internal ip for my linux server
yyy.yyy.yyy.yyy is my public ip address
5.34.205.132 is a low reputation IP which would not have a legitimate reason for connecting with my network.


Can someone please help me understand what this means?

Does your linux server run any form of SMTP (mail server)?

On the linux server, run:

ss -topan | grep ":25"

So if you have some

LISTEN      0        128               0.0.0.0:25                0.0.0.0:*

That means you have an SMTP server running.

If you have many of these:

ESTAB       0        0             serverIP:22343        publicIP:25 users:(("xxxxx",pid=1660,fd=240))

The server tries to communicate with someone using port 25, with process name xxxxx

Post your config:
/export hide-sensitive file=anynameyouwish

You seem to have a port forwarding rule for TCP port 25 in place. If so, your suspicion is correct - 5.34.205.132 is trying to connect to your mail server and send something, probably spam, through it. You can add that address to an address-list and drop packets whose source address is on that address-list already in /ip firewall raw if you want to reduce the load to your mail server, but if you otherwise need the mailserver to be accessible from the internet, that’s about all you can do.
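An added example (not from this thread or from MikroTik) that ties the first post's log lines to the address-list advice above: it parses RouterOS firewall log lines in the format shown, counts inbound TCP SYNs per source address towards port 25, and emits the `/ip firewall address-list add` commands for sources over a threshold. The sample lines are constructed; the destination addresses 198.51.100.10 and 203.0.113.7 are placeholders standing in for the xxx/yyy addresses of the original post, and the list name `smtp-abusers` is an assumption.

```python
import re
from collections import Counter

# Matches the RouterOS firewall log format quoted in the thread:
# "in:<if> out:<if>, proto TCP (SYN), SRC:SPORT->DST:DPORT, NAT ..., len N"
LOG_RE = re.compile(
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+), proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log lines (5.34.205.132 is the address from the first post).
SAMPLE_LINES = [
    "in:pppoe-out1 out:bridge, proto TCP (SYN), 5.34.205.132:58742->198.51.100.10:25, NAT 5.34.205.132:58742->(198.51.100.10:25->192.168.88.116:25), len 60",
    "in:pppoe-out1 out:bridge, proto TCP (SYN), 5.34.205.132:58750->198.51.100.10:25, NAT 5.34.205.132:58750->(198.51.100.10:25->192.168.88.116:25), len 60",
    "in:pppoe-out1 out:bridge, proto TCP (SYN), 5.34.205.132:58761->198.51.100.10:25, NAT 5.34.205.132:58761->(198.51.100.10:25->192.168.88.116:25), len 60",
    "in:pppoe-out1 out:bridge, proto TCP (SYN), 203.0.113.7:40001->198.51.100.10:25, NAT 203.0.113.7:40001->(198.51.100.10:25->192.168.88.116:25), len 60",
    "in:pppoe-out1 out:bridge, proto TCP (ACK), 203.0.113.7:40001->198.51.100.10:25, NAT 203.0.113.7:40001->(198.51.100.10:25->192.168.88.116:25), len 52",
    "in:pppoe-out1 out:bridge, proto TCP (SYN), 203.0.113.7:40002->198.51.100.10:443, NAT 203.0.113.7:40002->(198.51.100.10:443->192.168.88.116:443), len 60",
]

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def count_smtp_sources(lines, dport=25, syn_only=True):
    """Count connection attempts per source IP to dport (new connections only by default)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != dport:
            continue
        if syn_only and rec["flags"] != "SYN":
            continue  # only count the SYN, not every packet of an established flow
        counts[rec["src"]] += 1
    return counts

def address_list_commands(counts, threshold, list_name="smtp-abusers"):
    """Emit RouterOS address-list commands for sources at or above threshold (assumed list name)."""
    return [f'/ip firewall address-list add list={list_name} address={ip} comment="{n} SMTP SYNs"'
            for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for cmd in address_list_commands(count_smtp_sources(SAMPLE_LINES), threshold=2):
        print(cmd)
```

A matching drop rule such as `/ip firewall raw add chain=prerouting src-address-list=smtp-abusers action=drop` then discards those sources before they reach the NAT rule.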