Hi Friends!
By pure chance, I found that my public IP address was listed in “The Spamhaus”,
so how could I verify whether the router has been hacked?
Note that I bought the router a couple of years ago and immediately disabled the web interface; now I log in via SSH.
Don't bother wondering… Netinstall with the latest long-term firmware and get on with life.
If in doubt, netinstall!!
Thanks not necessary, just send me some coffee!
Thanks @anav for the useful tips!
But is it possible to understand if the router is hacked?
I rebooted the device, and on the second day I scanned the new public IP again with Spamhaus, which put it in PBL1722199 - https://www.spamhaus.org/pbl/query/PBL1722199
So, should I think I have an unknown SMTP server on my MikroTik?
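Before deciding between "netinstall" and "look for the SMTP server", a quick inventory over the SSH session the poster already uses will show the places where something left behind on a RouterOS device usually shows up. This is an added example, not advice from anyone in this thread; the command names are standard RouterOS CLI, and what to look for in each listing is in the comments.

```routeros
# Added example: inventory of the usual leftovers on a compromised RouterOS box.
# Anything in these lists that you did not put there yourself is a reason to
# netinstall and restore only the parts of the config you understand.

# 1. Firmware: an old RouterOS version is the most common way in.
#    Compare "version" here with the current long-term release on mikrotik.com.
/system resource print
/system package update check-for-updates

# 2. Persistence: scripts and scheduled jobs are how intruders survive a reboot.
#    "detail" shows the script body / the scheduled "on-event" command.
/system script print detail
/system scheduler print detail

# 3. Built-in relays: the SOCKS and web proxy are disabled by default and are
#    routinely switched on by RouterOS malware to relay traffic (spam included).
/ip socks print
/ip proxy print

# 4. DNS: a foreign "servers=" entry or unexpected static records means
#    the resolver has been redirected.
/ip dns print
/ip dns static print

# 5. Accounts and exposed services: unknown users, or management services
#    still reachable from the WAN side, are classic findings.
/user print
/user active print
/ip service print

# 6. Files and firewall: dropped payloads show up under /file, and
#    dst-nat / masquerade rules you did not write are worth reading line by line.
/file print
/ip firewall nat print
/ip firewall filter print
```

If every list contains only what you configured, the "compromised router" hypothesis is unlikely and the spam source is more probably a host behind the router; if anything is unexplained, do not clean it by hand, netinstall as suggested above.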
If it’s spam, it’s far more likely that it’s some infected device behind the router than the router itself. If you’re not running a mail server, you can block access from the LAN to the SMTP port (TCP 25), because nothing should need it (clients should use other ports to access mail servers). You can also log connections and see which device does it.
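The "log it, then block it" advice above as a concrete RouterOS firewall configuration. This is an added example, not the poster's own rules; it assumes the interface list named "LAN" from the default RouterOS configuration, and the relay address 203.0.113.25 is a documentation-range placeholder for a mail server you might legitimately need to reach.

```routeros
# Added example: log and drop SMTP (TCP 25) leaving the LAN, so the log shows
# which internal device is trying to send mail directly.

# Optional: if one internal host must really speak to a known relay on port 25,
# accept that one pair first (203.0.113.25 is a placeholder address).
/ip firewall filter add chain=forward in-interface-list=LAN protocol=tcp dst-port=25 \
    dst-address=203.0.113.25 action=accept comment="allow SMTP to our relay"

# Log every other new outbound SMTP connection from the LAN. action=log is
# non-terminating in RouterOS, so the packet continues to the next rule.
# connection-state=new keeps it to one line per attempt instead of per packet.
/ip firewall filter add chain=forward in-interface-list=LAN protocol=tcp dst-port=25 \
    connection-state=new action=log log-prefix="SMTP-out" comment="log LAN SMTP attempts"

# Then drop it.
/ip firewall filter add chain=forward in-interface-list=LAN protocol=tcp dst-port=25 \
    action=drop comment="drop LAN SMTP"

# Traffic generated by the router itself leaves through the output chain, not
# forward, so cover that separately: a hit here would point at the router.
/ip firewall filter add chain=output protocol=tcp dst-port=25 connection-state=new \
    action=log log-prefix="SMTP-router" comment="log router-originated SMTP"
/ip firewall filter add chain=output protocol=tcp dst-port=25 \
    action=drop comment="drop router-originated SMTP"

# New rules are appended at the end of the chain. The default forward chain
# starts with "accept established,related", which is fine, but if you have a
# general "accept from LAN" rule these must sit above it. Check the order and
# move them with "/ip firewall filter move <number> <destination>" if needed.
/ip firewall filter print
```

The firewall log lines carry the prefix you set ("SMTP-out" or "SMTP-router") and the source address:port of the connection, which is what identifies the offending device; MAC addresses appear in the line as well for traffic arriving on a bridge port.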
One of the hypotheses was that the router was compromised and that there was software installed that could send mail.
But your guess is just as worth considering.
Thanks for your tips, I will try…
Sending and receiving are two different things; you don’t need anything listening on the SMTP port to send mail. Of course, if anyone were able to hack the router enough to install their own software, they could install an SMTP server if they wanted to. I just don’t see any reasonable explanation of what it would be good for. It would be better to stay hidden and not advertise their presence so obviously.
Done!
To see the “smtp” logs now, is it enough to run the “/log print” command?
Anyway, I think the problem is upstream and is due to the provider having dirty addresses. I rebooted, checked immediately afterwards whether the new address was in Spamhaus, and to my surprise it was already there!
Yes, “/log print” is one way, or use WinBox or WebFig to view log, whatever you like most.
If you are getting already-blacklisted addresses, there’s not much you can do about it, other than convincing the ISP to give you a new static address that’s not blacklisted.
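Reading the result once the log rules are in place: the commands below filter the log down to the SMTP entries and cross-check them against the rule counters and the live traffic. This is an added example, not part of anyone's reply; it assumes firewall rules with the log prefixes "SMTP-out" and "SMTP-router" and comments containing "SMTP", which are names chosen here, not RouterOS defaults.

```routeros
# Added example: find out which device behind the router is talking SMTP.

# Only the firewall entries with our prefix; the source address:port in each
# line is the internal host that tried to send mail.
/log print where message~"SMTP-out"

# Any hit here came from the router itself, which is the "router is hacked" case.
/log print where message~"SMTP-router"

# Rule counters: packets/bytes per rule tell you how often it happened even if
# the log buffer has already wrapped (the in-memory log keeps ~1000 lines).
/ip firewall filter print stats where comment~"SMTP"

# Keep firewall messages on disk so they survive the buffer limit and a reboot.
/system logging add topics=firewall action=disk

# Live view: capture port-25 traffic on the LAN bridge for a minute. The
# sniffer shows the sending host's IP and MAC even for traffic the firewall
# has not logged yet (interface name "bridge" is the default-config name).
/tool sniffer quick interface=bridge port=25
```

If the log stays empty, the counters stay at zero and the sniffer sees nothing on port 25, nothing behind the router is sending mail directly, and the listing is indeed just the ISP's range being on the PBL.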
Spamhaus tends to reckon many home ISP’s IP addresses as spammy because the vast majority of email from them is indeed spam from hacked devices. So it lists the ISP’s entire range, excluding the addresses used by the ISP’s own mail servers.
As I have my own email server hosted on a VPS elsewhere, and it does ‘is this IP address spammy’ checks when receiving email, I have to tell it that my home IP address is OK so that I can send outgoing email via it! Fortunately, that only changes when I change router.
If I look at the mail server logs, a great deal of spam would be coming from home ISP address ranges, so I can fully understand why Spamhaus does it.
Yes, this is a great truth!
Most of the problems on the internet come from (home user) Microsoft systems, always insecure, also due to the inexperience of the users and not only due to the inability of Microsoft technicians (even if in this they have made great contributions..).
Microsoft systems should be declared simply illegal, or at least not usable in “home user” conditions, but Microsoft’s enormous economic and financial power (now also in the pharmaceutical field) will prevent this because it can afford to buy politicians at will.
Apple from this point of view, thanks to the theft of the GNU-Hurd code, is certainly in an advantageous position, even if it creates problems of another kind …
Then there is the question of proprietary software that cannot be inspected, but here we really go further.
That said, I don’t think we’ll get out of this…