How to email when IP added to address list?

Posted: Fri Nov 06, 2009 2:58 pm
by Geoffb
Hi All,

I need a little bit of help please.

We have a generic firewall rule which checks for more than 30 SMTP connections and then adds the client's IP to a src-address list.
See below:
37   ;;; Detect SMTP Spammers
     chain=SMTP action=add-src-to-address-list protocol=tcp address-list=smtp_spammers address-list-timeout=3h dst-port=25 connection-limit=30,32
What we want to do now is whenever an IP address is added to this src-list, we want it to email through to our support department so they can be aware of who was added.

Can anyone give some ideas?
Thanks. :)

Re: How to email when IP added to address list?

Posted: Fri Nov 06, 2009 3:44 pm
by kirshteins
Set up action and rule for logger
/system logging action
add name=mail email-to=email@server.com target=email
/system logging
add action=mail disabled=no prefix=_mail topics=firewall
Set up e-mail settings under
/tool e-mail
Then copy your given rule and place a copy before the original rule. Change action=log and log-prefix=_mail properties for the new rule.

Then you should be able to receive e-mails with necessary information. Something similar to:

firewall,info _mail: _mail input: in:ether1 out:(none), src-mac xx:xx:xx:xx:xx:xx, proto ICMP (type 0, code 0), src-IP-address->dst-IP-address, len 44

Re: How to email when IP added to address list?

Posted: Fri Nov 06, 2009 5:05 pm
by Nutcracker
Is there any chance of making that line any shorter, i.e. just the IP and some text of our choice?

PS. I work with Geoffb, that is why I am asking.

Re: How to email when IP added to address list?

Posted: Fri Nov 06, 2009 6:00 pm
by fewi
Since it simply emails out the log entry itself you cannot easily change the content. You can either log to an external syslog server, parse the incoming logs there and email out alerts, or you can log to memory and write a script that is scheduled to run every minute or so and finds new log lines matching the pattern you are looking for, and then emails you. An example of such a script is on the wiki.

Personally I'd just keep it as you have it now.

Re: How to email when IP added to address list?

Posted: Sat Nov 07, 2009 11:44 pm
by er
Hi
I use this script
:foreach i in [/ip firewall address-list find list=spamm] do={ /tool e-mail send to=xxx@xxxx.xx subject="Spamm" body=("Spamm fra " . [/ip firewall address-list get $i  address])}

Re: How to email when IP added to address list?

Posted: Mon May 15, 2017 11:52 pm
by ploquets
Hi
I use this script
:foreach i in [/ip firewall address-list find list=spamm] do={ /tool e-mail send to=xxx@xxxx.xx subject="Spamm" body=("Spamm fra " . [/ip firewall address-list get $i  address])}
Is there any way to create only one email with all the IPs in the address-list, not one email per IP?
Thank you
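
Added example, not part of any post in this thread: a sketch of the external syslog option fewi describes, which also answers the request for a single email listing every IP. It parses lines in the log format kirshteins quoted, keeps only entries carrying the _mail prefix with destination port 25, and builds one digest message. The sample lines, the ip:port layout for TCP entries, the example.com addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from email.message import EmailMessage

# Constructed sample lines modelled on the log format quoted in the thread.
# Assumption: TCP entries carry ip:port on both sides of "->".
SAMPLE_LOG = [
    "firewall,info _mail: _mail SMTP: in:ether2 out:ether1, src-mac 00:00:5e:00:53:01, "
    "proto TCP (SYN), 192.0.2.10:51234->203.0.113.5:25, len 60",
    "firewall,info _mail: _mail SMTP: in:ether2 out:ether1, src-mac 00:00:5e:00:53:01, "
    "proto TCP (SYN), 192.0.2.10:51240->203.0.113.5:25, len 60",
    "firewall,info _mail: _mail SMTP: in:ether2 out:ether1, src-mac 00:00:5e:00:53:02, "
    "proto TCP (SYN), 192.0.2.77:40000->203.0.113.5:25, len 60",
    "firewall,info other: input: in:ether1 out:(none), src-mac 00:00:5e:00:53:03, "
    "proto ICMP (type 0, code 0), 198.51.100.9->203.0.113.1, len 44",
    "system,info user admin logged in from 192.0.2.200 via ssh",
]

# "src[:port]->dst[:port]"; the lookbehind stops a match starting mid-number.
FLOW = re.compile(
    r"(?<![\d.])(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?"
)

def count_sources(lines, prefix="_mail", dst_port=25):
    """Map each source IP in prefixed firewall lines to its number of log lines."""
    counts = {}
    for line in lines:
        if prefix + ":" not in line:
            continue                      # not produced by the copied log rule
        m = FLOW.search(line)
        if not m or m.group("dport") != str(dst_port):
            continue                      # no flow field, or not SMTP
        try:
            src = str(ipaddress.ip_address(m.group("src")))
        except ValueError:
            continue                      # e.g. 999.1.1.1: never put it in mail
        counts[src] = counts.get(src, 0) + 1
    return counts

def build_digest(counts, sender="router@example.com", recipient="support@example.com"):
    """Return one EmailMessage listing every IP, or None if there is nothing new."""
    if not counts:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"SMTP connection-limit rule: {len(counts)} source IP(s)"
    msg.set_content("\n".join(f"{ip} ({n} log lines)" for ip, n in counts.items()))
    return msg  # hand to smtplib.SMTP(...).send_message(msg) to deliver
```

Run it over each batch of new syslog lines (for example once a minute) so that every batch produces at most one email.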