azurtem
Trainer
Topic Author
Posts: 217
Joined: Mon May 16, 2011 5:35 pm
Location: Nice, France

SMTP mass mailing interception

Sat Feb 06, 2016 10:08 am

Hi

I have a client site that got blocked by their ISP because of a mass mailing attempt (>10000)

This attempt was apparently executed using a legitimate user's account

If the attempts weren't using our ISP's SMTP server it would be easy to detect and prevent

I was wondering if anyone had any ideas or tools that could help prevent this type of situation at the upstart?
Or at the very least detect it while it is happening

At the router level I suppose I could set up a netwatch script to react if there were a certain number of SMTP connections within a short period of time

thanks
yann
 
inteq
Member Candidate
Posts: 183
Joined: Wed Feb 25, 2015 8:15 pm
Location: Romania

Re: SMTP mass mailing interception

Tue Feb 09, 2016 7:08 am

The client has his own Mail Server? Or he uses the ISP one?
If he has his own, just block all outgoing on tcp 25, 587 to all other destinations but his SMTP Server IP and filter/tarpit from there.
You can also monitor outgoing connections on 25 and 587 and if more than x connections in 1 minute, add to list and drop.
http://wiki.mikrotik.com/wiki/How_to_au ... MTP_output
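
The two measures from the reply above, sketched as RouterOS firewall rules. This is an added example, not part of the original post or of the linked wiki page; the relay address 192.0.2.25, the list and chain names, and the threshold of 30 new connections per minute are assumptions to adjust for the site.

```routeros
# Added example. Placeholder address: replace 192.0.2.25 with the only
# SMTP server the LAN is allowed to submit mail to (own server or ISP relay).
/ip firewall address-list
add list=smtp-allowed address=192.0.2.25 comment="permitted SMTP relay (placeholder)"

/ip firewall filter
# 1. Outbound SMTP/submission to any other destination is dropped and logged,
#    so malware that talks to arbitrary mail servers shows up immediately.
add chain=forward protocol=tcp dst-port=25,587 dst-address-list=!smtp-allowed \
    action=drop log=yes log-prefix="smtp-other-dst" \
    comment="SMTP only to the permitted relay"

# 2. Hosts already flagged lose SMTP until their list entry times out.
add chain=forward protocol=tcp dst-port=25,587 src-address-list=smtp-flood \
    action=drop comment="drop SMTP from flagged hosts"

# 3. Only the first packet of each new SMTP connection is sent to the
#    counting chain, so the rate below is roughly new connections per source.
add chain=forward protocol=tcp dst-port=25,587 connection-state=new \
    action=jump jump-target=smtp-watch comment="count new SMTP connections"

# 4. Within the assumed budget (30 per minute, burst 10, tracked per source
#    address): return to the forward chain and let the connection through.
add chain=smtp-watch dst-limit=30/1m,10,src-address/2m action=return

# 5. Over budget: put the source on the list for one hour and log it.
#    Rule 2 then blocks that host's further SMTP attempts.
add chain=smtp-watch action=add-src-to-address-list address-list=smtp-flood \
    address-list-timeout=1h log=yes log-prefix="smtp-flood"
```

Entries appearing in the smtp-flood list identify the internal host that is sending, which also covers the case where the mail goes out through the ISP's own server with a legitimate account.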
 
azurtem
Trainer
Topic Author
Posts: 217
Joined: Mon May 16, 2011 5:35 pm
Location: Nice, France

Re: SMTP mass mailing interception

Tue Feb 09, 2016 9:07 pm

ISP Mail server

Thanks
