d3tonador
just joined
Topic Author
Posts: 20
Joined: Sat Jun 25, 2016 4:07 pm

Blacklisting SPAM

Sat Jun 25, 2016 4:12 pm

Hi,

I need to block those ip making email spam for "MikroTik RouterOS 6.12".
Can anyone help me create this rule?
Thanks in advance!

Best regards,
 
BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Blacklisting SPAM

Sat Jun 25, 2016 7:29 pm

Where do you have the spammers' address list from? What does this list look like?
If you have such a list you can use it as described in this thread http://forum.mikrotik.com/viewtopic.php?t=98804
 
d3tonador
just joined
Topic Author
Posts: 20
Joined: Sat Jun 25, 2016 4:07 pm

Re: Blacklisting SPAM

Sun Jun 26, 2016 12:33 am

Where do you have the spammers' address list from? What does this list look like?
If you have such a list you can use it as described in this thread http://forum.mikrotik.com/viewtopic.php?t=98804
Hi BartoszP, thanks for your prompt response.
That's the thing. I don't have such a list.
I manage a network of almost 500 private IPs. Last night I got an email from my ISP; they have detected SPAM coming from my public IP.
I'm wondering how to detect and blacklist those IPs, otherwise my ISP may block my IP.
Thanks!!
 
BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Blacklisting SPAM

Sun Jun 26, 2016 10:03 am

You need to make a rule which records source addresses for clients with traffic to SMTP ports.
Then you need to decide if each particular value is "good" ... meaning whether such a client makes reasonable SMTP traffic or exceeds it and is SUSPECTED. Check if the client sends to spammers' addresses or there are connections from these addresses to the client IP, as it could mean that some PC on the client's side could be a "zombie" driven by spammers.
You should warn such a user about too high traffic, as your ISP warns you. You can limit or block SMTP traffic from this particular address till the client confirms to you whether the traffic is OK or NOT ... You should act as your ISP does.
Check Firewall rules for limiting options: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Blacklisting SPAM

Sun Jun 26, 2016 10:30 am

Consider simply blocking all outgoing traffic to port 25/tcp. Nowadays there's virtually no good reason for anyone not running a real mail server to make outgoing connections to this port, unless they are spammers.
 
d3tonador
just joined
Topic Author
Posts: 20
Joined: Sat Jun 25, 2016 4:07 pm

Re: Blacklisting SPAM

Tue Jun 28, 2016 5:07 pm

Hi guys,

Is this the rule I need?
Of course I'll then need to evaluate the addresses and take action.
Thank you a lot!!

add chain=tcp protocol=tcp dst-port=25 action=add-src-to-address-list \
  comment="add src smtp" 

add chain=tcp protocol=tcp dst-port=465 action=add-src-to-address-list \
  comment="add src smtp" 

add chain=udp protocol=udp dst-port=587 action=add-src-to-address-list \
  comment="add src smtp" 

add chain=udp protocol=udp dst-port=25 action=add-src-to-address-list \
  comment="add src smtp" 

add chain=udp protocol=udp dst-port=465 action=add-src-to-address-list \
  comment="add src smtp" 

add chain=udp protocol=udp dst-port=587 action=add-src-to-address-list \
  comment="add src smtp" 
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Blacklisting SPAM

Tue Jun 28, 2016 5:35 pm

None of those ports use UDP, only TCP. And you don't need to worry about all of them. Definitely not 587, because it requires authentication and cannot be misused by anonymous users. With 465 it's a little grey area, because it's unofficial SMTP over SSL without authentication requirements, which theoretically can be misused by anonymous users. But in practice, the vast majority of spammers prefer 25.
 
BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Blacklisting SPAM

Tue Jun 28, 2016 6:01 pm

And you can have one rule combined for all:
add chain=udp protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp" 
 
d3tonador
just joined
Topic Author
Posts: 20
Joined: Sat Jun 25, 2016 4:07 pm

Re: Blacklisting SPAM

Wed Jun 29, 2016 3:53 pm

Great thank you all for helping on this matter!!!!
I'll be posting outcome soon.
 
grusu
Member Candidate
Posts: 129
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Blacklisting SPAM

Wed Jun 29, 2016 4:39 pm

And you can have one rule combined for all:
add chain=udp protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp" 
"chain=udp" is wrong.
You can try to block spammers with rules like these:
/ip firewall filter
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0:packet log-prefix=spammer protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    log-prefix=spammer protocol=tcp src-address-list=spammers

You can try to adjust the values for "limit" and "connection-limit" according to your needs.
And of course, you can modify "address-list-timeout" as needed.
 
BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Blacklisting SPAM

Wed Jun 29, 2016 5:06 pm

My mistake ... easy to fix if someone is following this thread:
add chain=output protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp"
add chain=forward protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp" 
 
grusu
Member Candidate
Posts: 129
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Blacklisting SPAM

Wed Jun 29, 2016 8:22 pm

My mistake ... easy to fix if someone is following this thread:
add chain=output protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp"
add chain=forward protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp" 
It is absolutely useless to put this rule in the output chain. The output chain is from your router to the outside. I'm sure your router does not send spam. :)
And for what reason did you put port 110? It is the port used for the POP3 protocol. Spammers are trying to send emails, not to download them.
Last edited by grusu on Wed Jun 29, 2016 11:48 pm, edited 1 time in total.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Blacklisting SPAM

Wed Jun 29, 2016 11:34 pm

Even MikroTik routers connect out silently without telling you. It's not useless to have firewall rules in the output chain.
 
grusu
Member Candidate
Posts: 129
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Blacklisting SPAM

Wed Jun 29, 2016 11:52 pm

Even MikroTik routers connect out silently without telling you. It's not useless to have firewall rules in the output chain.
Hi Jarda,
I absolutely agree with you. I was referring strictly to this case.
 
BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Blacklisting SPAM

Thu Jun 30, 2016 11:01 am

And for what reason did you put port 110? It is the port used for the POP3 protocol. Spammers are trying to send emails, not to download them.
Grusu,

A. These rules are just for collecting where to and where from e-mails are sent/received, not for blocking. And these rules are not complete ... they are just an idea.
B. What if the router NATs or transforms packets? Then the transformed packets IMHO are not in the forward chain.
C. As I have written in another thread ... let the firewall do its work .... optimization later.
 
d3tonador
just joined
Topic Author
Posts: 20
Joined: Sat Jun 25, 2016 4:07 pm

Re: Blacklisting SPAM

Thu Jun 30, 2016 3:49 pm

My mistake ... easy to fix if someone is following this thread:
add chain=output protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp"
add chain=forward protocol=tcp dst-port=25,110,465...and_other+ports... action=add-src-to-address-list comment="add src smtp" 
Don't worry, I knew it was wrong, but the idea was clear.
So, I created this rule in order to -at least- detect those using SMTP:
 ;;; add src smtp

     chain=tcp action=add-src-to-address-list protocol=tcp address-list=add src smtp 
     address-list-timeout=0s dst-port=25,110,465 

Is this right? So far there is no entry in the address list. Any idea?
 
d3tonador
just joined
Topic Author
Posts: 20
Joined: Sat Jun 25, 2016 4:07 pm

Re: Blacklisting SPAM

Thu Jun 30, 2016 4:10 pm

I removed that rule as I had no results; I guess it wasn't the right "chain".
I then added these two rules and I have some outcome now...
15   ;;; SPAMERS
     chain=output action=add-src-to-address-list protocol=tcp address-list="" 
     address-list-timeout=3h dst-port=25,110,465 

16   ;;; SPAMERS
     chain=forward action=add-src-to-address-list protocol=tcp address-list="" 
     address-list-timeout=3h dst-port=25,110,465 
And the entries in the address list are...
544 D SPAMERS                           10.5.10.234                    
545 D SPAMERS                           10.11.5.172                    
546 D SPAMERS                           10.5.10.40                     
547 D SPAMERS                           190.104.246.162 
Now I'll monitor their queues for traffic, and I may contact them directly to find out whether they use those ports intentionally or have become zombies.
Once again, thank you all for helping on this matter, and my apologies for my poor English.
 
d3tonador
just joined
Topic Author
Posts: 20
Joined: Sat Jun 25, 2016 4:07 pm

Re: Blacklisting SPAM

Thu Jun 30, 2016 5:01 pm

What about these three lists: OpenBL.org, Spamhaus and DShield?
Should I use them?
 
d3tonador
just joined
Topic Author
Posts: 20
Joined: Sat Jun 25, 2016 4:07 pm

Re: Blacklisting SPAM

Thu Jun 30, 2016 9:07 pm

I think I found something.
I now have this IP in the address list I created for catching the spammers:
557 D SPAMMERS                           123.129.65.102  

This IP is from outside and it's known in many block lists.
 
BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Blacklisting SPAM

Thu Jun 30, 2016 9:14 pm

Congratulations Mr. Poirot :-) It's time to catch next one ....
 
d3tonador
just joined
Topic Author
Posts: 20
Joined: Sat Jun 25, 2016 4:07 pm

Re: Blacklisting SPAM

Wed Jul 06, 2016 3:54 am

Congratulations Mr. Poirot :-) It's time to catch next one ....
Hahahaha!!!! Thanks BartoszP!!
Well, I now have about 100 (external) IPs using these ports.
I want to block them without blocking our internal users.
Could I use these two rules to achieve that?
/ip firewall filter

add chain=forward protocol=tcp dst-port=25 src-address-list=spammer \
    action=drop comment="BLOCK SPAMMERS"

add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 \
    action=add-src-to-address-list address-list=spammer address-list-timeout=1d \
    comment="Add SMTP spammers"
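The rule set below is an added example that is not taken from any post in this thread; it puts together the detect-then-drop pattern grusu showed and the "block the listed hosts without blocking our own users" question d3tonador asks here. It assumes the LAN is 10.0.0.0/8 (the listed hosts above are 10.x), a placeholder address 10.0.0.25 for the one internal mail server that is allowed to relay, and the list names mail-servers, spammers and smtp-talkers; all of these are assumptions, not values from the thread. It goes one step beyond the posted rules by limiting the counting rule to LAN sources: a forward-chain rule matching dst-port=25 alone also matches inbound connections to port 25 on internal hosts, which is why external addresses ended up on the list earlier in the thread. Only port 25 is watched, following Sob's reasoning that 587 needs authentication and 25 is what bulk senders use. Because filter forward runs before src-nat, the address recorded is the private client IP, not the router's public one, which answers point B above.

```routeros
/ip firewall address-list
# Hosts permitted to talk SMTP outbound. 10.0.0.25 is a placeholder (assumption).
add list=mail-servers address=10.0.0.25 comment="authorised internal MTA (placeholder)"

/ip firewall filter
# 1. Accept the authorised mail server before any counting or dropping happens,
#    so a legitimate burst from it can never get it listed.
add chain=forward protocol=tcp dst-port=25 src-address-list=mail-servers \
    action=accept comment="allow authorised MTA"

# 2. Drop new SMTP connections from anything already on the spammers list.
#    Placed before the counting rule so a listed host is not re-timed on every packet.
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    src-address-list=spammers action=drop \
    log=yes log-prefix=spammer comment="drop listed spammers"

# 3. Flag LAN hosts (assumed 10.0.0.0/8) that hold more than 30 simultaneous
#    port-25 connections, counted per /32 source. Listed for 3 hours, then released;
#    a machine that keeps flooding simply gets listed again.
add chain=forward protocol=tcp dst-port=25 src-address=10.0.0.0/8 \
    connection-state=new connection-limit=30,32 \
    action=add-src-to-address-list address-list=spammers address-list-timeout=3h \
    log=yes log-prefix=spammer comment="flag SMTP flooders"

# 4. Visibility only: keep an inventory of every LAN host that opens an outbound
#    SMTP connection, so unexpected senders can be followed up with the user.
add chain=forward protocol=tcp dst-port=25 src-address=10.0.0.0/8 \
    connection-state=new action=add-src-to-address-list \
    address-list=smtp-talkers address-list-timeout=1d \
    comment="inventory of SMTP senders"
```

To see who is being caught, print the two lists with `/ip firewall address-list print where list=spammers` and `... where list=smtp-talkers`, and check `/log print where message~"spammer"` for the hits of rules 2 and 3. The connection-limit threshold of 30 is a starting point to tune against the smtp-talkers inventory: a normal desktop that submits through its provider's authenticated port 587 should never appear on either list, while a host that shows dozens of concurrent port-25 sessions is worth a direct call to the user, as suggested earlier in the thread.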
 
d3tonador
just joined
Topic Author
Posts: 20
Joined: Sat Jun 25, 2016 4:07 pm

Re: Blacklisting SPAM

Tue Jul 12, 2016 10:02 pm

Hi,

Any update about this?
