nabilx
just joined
Topic Author
Posts: 18
Joined: Thu Jul 06, 2017 11:19 pm
Location: Syria, Hama

My MikroTik Public IP Has been blacklisted by Spamhaus, for the second time!

Sat Oct 06, 2018 1:57 am

Hi all,
Spamhaus blacklisted my server's public IP and I had to change it last month, and now it's blacklisted again!
Blacklisting my IP caused me some issues: an annoying captcha that pops up every time I enter a site, blocked connections to social apps (Yalla-Free voice chat rooms), and even the PlayStation 4 had no access to the login page!
I can't even post on MikroTik from that IP!

On the Spamhaus page I saw this:
New: many of these listings are caused by a MikroTik Router compromise. If you have a MikroTik router, please consult this entry on the MikroTik Support Forum
viewtopic.php?t=133533
which leads to the Advisory: Vulnerability exploiting the Winbox port
My router was already using 6.40.9 bugfix even before the blacklisting.
Any ideas to solve this? (Even if I change the IP, I'm afraid it will be blacklisted too.)

Thanks in advance.
Not English , Ignore bad grammar :)
 
trace323
Frequent Visitor
Posts: 53
Joined: Thu May 07, 2015 5:52 pm

Sat Oct 06, 2018 2:38 pm

Hi nabilx,

Your Mikrotik Router is infected. You need to disinfect and change your password.

-
 
nabilx
just joined
Topic Author
Posts: 18
Joined: Thu Jul 06, 2017 11:19 pm
Location: Syria, Hama

Sat Oct 06, 2018 6:36 pm

> Hi nabilx,
>
> Your Mikrotik Router is infected. You need to disinfect and change your password.
>
> -

Thanks for your reply,
I change the password frequently.
No strange script, no strange scheduler.
IP > Socks is disabled.
If you know other ways to disinfect the router, please tell me.
Not English , Ignore bad grammar :)
 
BartoszP
Forum Guru
Posts: 1816
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Sat Oct 06, 2018 6:39 pm

disconnect router from Internet
review configuration
export configuration to file
netinstall
set new admin password
add new user with admin privileges
remove admin
import configuration
connect to Internet
Real admins use real keyboards.
 
nabilx
just joined
Topic Author
Posts: 18
Joined: Thu Jul 06, 2017 11:19 pm
Location: Syria, Hama

Sat Oct 06, 2018 6:53 pm

> disconnect router from Internet
> review configuration
> export configuration to file
> netinstall
> set new admin password
> add new user with admin privileges
> remove admin
> import configuration
> connect to Internet

I did that without a netinstall because the MT is way too far away for me to reach myself.
In the configuration, the only thing that is abnormal compared to common use is a lot of fetches to a Telegram bot URL. Could that be causing the problem?
Any other ideas?
Not English , Ignore bad grammar :)
 
BartoszP
Forum Guru
Posts: 1816
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Sat Oct 06, 2018 7:03 pm

Check computers, servers etc. behind your router if they are sending emails. Just observe connections in the firewall or torch WAN interface.
Real admins use real keyboards.
 
nabilx
just joined
Topic Author
Posts: 18
Joined: Thu Jul 06, 2017 11:19 pm
Location: Syria, Hama

Sat Oct 06, 2018 8:25 pm

> Check computers, servers etc. behind your router if they are sending emails. Just observe connections in the firewall or torch WAN interface.

The problem is I have an ISP with 600 Mbps; I can't manually observe the traffic.
Can I just block a specific port or something that may send spam emails?
Not English , Ignore bad grammar :)
 
trace323
Frequent Visitor
Posts: 53
Joined: Thu May 07, 2015 5:52 pm

Sun Oct 07, 2018 7:17 am

>> Check computers, servers etc. behind your router if they are sending emails. Just observe connections in the firewall or torch WAN interface.
>
> The problem is I have an ISP with 600 Mbps; I can't manually observe the traffic.
> Can I just block a specific port or something that may send spam emails?

Please show us your config.
 
BartoszP
Forum Guru
Posts: 1816
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Sun Oct 07, 2018 8:57 am

You can.

A. You can filter connections for SMTP ports
B. Make Torch buffer time longer than 3 sec.

or

C. Make firewall rules adding the src address to an SMTPsenders list for PCs starting traffic to any SMTP port
Real admins use real keyboards.
 
Jotne
Forum Guru
Posts: 1750
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Sun Oct 07, 2018 11:14 am

If you filter the SMTP port, you could see in Winbox whether packets come through it.
You could also log the filter rule to an external Syslog server like Splunk for deeper inspection.

What version of Router OS do you use?
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
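
An added example, not part of any post in this thread: a small Python script that does the "deeper inspection" of logged SMTP traffic suggested above, ranking LAN hosts by how many distinct mail servers they contact so that nobody has to watch a 600 Mbps link by hand. The log prefix `smtp-out`, the log line layout, the addresses and the threshold of three destinations are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines modelled on RouterOS firewall log output for a rule
# with the assumed prefix "smtp-out". All addresses are made up.
SAMPLE_LOG = """\
firewall,info smtp-out forward: in:bridge out:ether1, src-mac 4c:5e:0c:00:00:0a, proto TCP (SYN), 192.168.88.10:51001->203.0.113.5:25, len 60
firewall,info smtp-out forward: in:bridge out:ether1, src-mac 4c:5e:0c:00:00:0a, proto TCP (SYN), 192.168.88.10:51002->203.0.113.9:25, len 60
firewall,info smtp-out forward: in:bridge out:ether1, src-mac 4c:5e:0c:00:00:0a, proto TCP (SYN), 192.168.88.10:51003->198.51.100.7:25, len 60
firewall,info smtp-out forward: in:bridge out:ether1, src-mac 4c:5e:0c:00:00:0a, proto TCP (SYN), 192.168.88.10:51004->198.51.100.44:25, len 60
firewall,info smtp-out forward: in:bridge out:ether1, src-mac 4c:5e:0c:00:00:14, proto TCP (SYN), 192.168.88.20:40100->203.0.113.25:587, len 60
firewall,info smtp-out forward: in:bridge out:ether1, src-mac 4c:5e:0c:00:00:14, proto TCP (SYN), 192.168.88.20:40101->203.0.113.25:587, len 60
firewall,info smtp-out forward: in:bridge out:ether1, src-mac 4c:5e:0c:00:00:05, proto TCP (SYN), 192.168.88.5:33000->203.0.113.5:25, len 60
system,info,account user admin logged in from 192.168.88.2 via winbox
"""

# Pull source IP, destination IP and destination port out of a logged SYN.
LINE_RE = re.compile(
    r"smtp-out .*?proto TCP \(SYN\), "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)"
)
SMTP_PORTS = {25, 465, 587}


def smtp_senders(log_text, allowed=frozenset()):
    """Map each LAN source IP to its SMTP connection count and destinations."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) not in SMTP_PORTS or m["src"] in allowed:
            continue  # not an SMTP attempt, or a host expected to send mail
        stats[m["src"]]["connections"] += 1
        stats[m["src"]]["destinations"].add(m["dst"])
    return dict(stats)


def suspects(log_text, allowed=frozenset(), min_destinations=3):
    """Hosts that opened SMTP sessions to many distinct servers, busiest first."""
    rows = [
        (src, s["connections"], len(s["destinations"]))
        for src, s in smtp_senders(log_text, allowed).items()
        if len(s["destinations"]) >= min_destinations
    ]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    for src, conns, dests in suspects(SAMPLE_LOG, allowed={"192.168.88.5"}):
        print(f"{src}: {conns} SMTP connections to {dests} distinct servers")
```

A mail client normally talks to one submission server, so a host fanning out to many port-25 destinations is the one to inspect first; pass any legitimate mail server on the LAN in `allowed`.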
 
