Hi Everyone,
I’m a total newbie with Mikrotik so please be kind.
I’ve set up an RB3011 with a PPPoE connection as the WAN. The internal network is on 192.168.0.0/24 and is applied to Port 5 of SW1. Internally we have a CentOS VM that acts as an email gateway and forwards email to our internal Exchange server. The gateway allows email to be sent from any IP in the internal subnet of 192.168.0.0/24. We have since stopped this to prevent this exploit for the time being, as it’s being used to send spam.
Over the weekend someone has somehow managed to spoof our internal subnet to send spam through our gateway. I just don’t understand how they can do that through the WAN address. The only other possibility is that the Mikrotik has malware on it and this malware is generating the spam. I can see from the email header that the spam emails are coming from 192.168.0.254, which is the IP of the Mikrotik.
How can I prevent this from happening in the future or how can I test the device for Malware?
Thanks
Duke
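The symptom in the post (relayed mail whose source is the router's own LAN address, 192.168.0.254) is what a NAT misconfiguration produces rather than malware: a srcnat masquerade rule that is not restricted to the WAN interface also rewrites the source of connections that a dst-nat rule forwarded from the internet to the mail gateway, so the gateway sees every internet sender as 192.168.0.254 and relays for it. That cause is an assumption consistent with the post, not something the post confirms. The script below is an added example, not code from the post or from MikroTik: it parses a constructed `/ip firewall nat export`, flags an unscoped srcnat rule together with any TCP/25 port-forward into the LAN whose source it would rewrite, and prints the RouterOS `set` command that scopes the masquerade to LAN-to-WAN traffic. The interface name `pppoe-out1`, the gateway address 192.168.0.10, the rule comments and the audit functions are all assumptions.

```python
"""Audit a RouterOS '/ip firewall nat' export for the NAT combination that
makes WAN-originated connections appear to LAN hosts as coming from the
router's own LAN address.

Added example (hypothetical), not code from the forum post or MikroTik.
"""
import ipaddress
import shlex

LAN_NET = ipaddress.ip_network("192.168.0.0/24")  # internal subnet from the post
WAN_IFACE = "pppoe-out1"                           # assumed WAN interface name

# Constructed sample of what '/ip firewall nat export' might print on the box
# in the post. The gateway address 192.168.0.10 and the comments are assumed.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
add action=dst-nat chain=dstnat comment="mail in" dst-port=25 \\
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-out1 \\
    protocol=tcp to-addresses=192.168.0.20
"""


def parse_rules(export_text):
    """Return the 'add ...' rules of an export as a list of dicts.

    Handles RouterOS backslash line continuation and quoted values."""
    joined, pending = [], ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        joined.append(line)
        pending = ""
    rules = []
    for line in joined:
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _in_lan(addr, lan_net):
    try:
        return ipaddress.ip_address(addr) in lan_net
    except ValueError:
        return False


def audit(rules, lan_net=LAN_NET):
    """Flag srcnat rules that apply to every forwarded connection, and any
    SMTP port-forward into the LAN whose source such a rule would rewrite.
    (Only a plain dst-port=25 is matched; port lists are out of scope.)"""
    findings = []
    scope_keys = ("out-interface", "out-interface-list",
                  "src-address", "src-address-list")
    unscoped = []
    for idx, r in enumerate(rules):
        if r.get("chain") == "srcnat" and r.get("action") in ("masquerade", "src-nat"):
            if not any(k in r for k in scope_keys):
                unscoped.append(idx)
                findings.append({"rule": idx, "issue": "unscoped-srcnat"})
    for idx, r in enumerate(rules):
        if (r.get("chain") == "dstnat" and r.get("action") == "dst-nat"
                and r.get("protocol") == "tcp" and r.get("dst-port") == "25"
                and _in_lan(r.get("to-addresses", ""), lan_net) and unscoped):
            findings.append({"rule": idx, "issue": "smtp-source-rewritten",
                             "target": r["to-addresses"]})
    return findings


def suggested_fix(findings, wan_iface=WAN_IFACE, lan_net=LAN_NET):
    """RouterOS commands that scope the offending srcnat rules to LAN->WAN.
    Rule numbers follow export order, i.e. the numbering of
    '/ip firewall nat print' (assumed to match the export)."""
    cmds = []
    for f in findings:
        if f["issue"] == "unscoped-srcnat":
            cmds.append(f"/ip firewall nat set {f['rule']} "
                        f"src-address={lan_net} out-interface={wan_iface}")
    return cmds


if __name__ == "__main__":
    found = audit(parse_rules(SAMPLE_EXPORT))
    for f in found:
        print(f)
    for cmd in suggested_fix(found):
        print(cmd)
```

Once the masquerade rule carries `out-interface=pppoe-out1` (or `src-address=192.168.0.0/24`), the gateway sees the real internet source address on forwarded SMTP connections and its relay restriction applies to them; the mail headers should then show the sender's public IP rather than 192.168.0.254, which is the quickest way to confirm the diagnosis.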