Hammy
Forum Veteran, Topic Author
Posts: 776
Joined: Fri May 28, 2004 5:53 pm
Location: DeKalb, IL

Layer 7 regex e-mail address

Sat Oct 26, 2013 7:39 am

Is there a way I can implement a layer 7 firewall rule to match a specific e-mail address?

I'm having a problem with SPAM, but disabling the account on the mail server just results in massive log files. I'd like to shut down all transmissions as soon as that e-mail address is discovered. I can manage the bulk of the rule, but I don't know jack about the layer 7/regex matching.
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: Layer 7 regex e-mail address

Sun Oct 27, 2013 9:18 pm

> Is there a way I can implement a layer 7 firewall rule to match a specific e-mail address?
>
> I'm having a problem with SPAM, but disabling the account on the mail server just results in massive log files. I'd like to shut down all transmissions as soon as that e-mail address is discovered. I can manage the bulk of the rule, but I don't know jack about the layer 7/regex matching.
you REALLY need to handle this situation with your mail server and not the router...
 
Hammy
Forum Veteran, Topic Author

Re: Layer 7 regex e-mail address

Sun Oct 27, 2013 9:48 pm

> > Is there a way I can implement a layer 7 firewall rule to match a specific e-mail address?
> >
> > I'm having a problem with SPAM, but disabling the account on the mail server just results in massive log files. I'd like to shut down all transmissions as soon as that e-mail address is discovered. I can manage the bulk of the rule, but I don't know jack about the layer 7/regex matching.
> you REALLY need to handle this situation with your mail server and not the router...

Why and what direction would you send me?
 
jandafields
Forum Guru

Re: Layer 7 regex e-mail address

Sun Oct 27, 2013 9:58 pm

> > > Is there a way I can implement a layer 7 firewall rule to match a specific e-mail address?
> > >
> > > I'm having a problem with SPAM, but disabling the account on the mail server just results in massive log files. I'd like to shut down all transmissions as soon as that e-mail address is discovered. I can manage the bulk of the rule, but I don't know jack about the layer 7/regex matching.
> > you REALLY need to handle this situation with your mail server and not the router...
>
> Why and what direction would you send me?
A mail server is perfectly able to handle, and is designed to handle, this type of spam problem. This is not the proper place to get help with mail server settings, though. You should have documentation and manufacturer support for your mail server.
 
prince90s
just joined
Posts: 22
Joined: Sun Jan 23, 2011 9:44 pm

Re: Layer 7 regex e-mail address

Mon Oct 28, 2013 6:35 am

e.g. (Layer 7 protocol name, then its regexp; literal dots escaped so they match only a dot):
webmail_163
 ^(get|post) .*host:.*\.mail\.(163\.com|126\.com|yeah\.net)\x0d\x0a
webmail_gmail
 get (http://mail\.google\.com/mail/|/mail/)?.*host: mail\.google\.com\x0d\x0a
webmail_hinet
 ^post ((http://webmail\.hinet\.net/login\.do|/login\.do).*host: webmail\.|(http://webmail1\.hinet\.net/cgi-bin/login\.cgi|/cgi-bin/login\.cgi).*host: webmail1\.)hinet\.net\x0d\x0a
webmail_hotmail
 ^get (http://.*mail\.live\.com/mail/|/mail/).*host: .*mail\.live\.com\x0d\x0a
webmail_pchome
 ^(post|get) .*host: mail\.pchome\.com\.tw\x0d\x0a
webmail_qq
 ^(get|post) /cgi-bin/login.*host:.*(\.mail\.qq|\.foxmail)\.com\x0d\x0a
webmail_seednet
 ^(post|get) .*host: webmail\.seed\.net\.tw
webmail_sina
 ^(post|get) .*host: (mail\.sina\.com\.cn|mp\.sina\.com\.tw)\x0d\x0a
webmail_sohu
 ^(get|post) .*host: .*mail\.sohu\.com\x0d\x0a
webmail_tom
 ^(get|post).*host: (login\.mail|pass)\.tom\.com\x0d\x0a
webmail_url
 ^post (http://www\.url\.com\.tw/sgllogon/|/sgllogon/)sgllogon\.asp.*host: www\.url\.com\.tw\x0d\x0a
webmail_yahoo
 get (http://.*mail\.yahoo\.com/ym/login|/ym/login)?.*host: .*mail\.yahoo\.com\x0d\x0a
webmail_yam
 ^(get|post).*host: mail\.yam\.com
 
jandafields
Forum Guru

Re: Layer 7 regex e-mail address

Mon Oct 28, 2013 6:55 am

> e.g.: (prince90s's list of webmail_* Layer 7 regexes, quoted in full above)
You obviously did not even read this thread at all. He is NOT asking how to block email websites!!! He is asking how to reduce spam by stopping people with CERTAIN EMAILS from sending to his mailserver!!!!
 
Hammy
Forum Veteran, Topic Author

Re: Layer 7 regex e-mail address

Mon Oct 28, 2013 3:59 pm

It's actually a user account that has been compromised. I disabled the account, but instead I get several gigs of rejected logins each day. The SPAM problem has stopped, but the server is under high load just rejecting logins.
 
jandafields
Forum Guru

Re: Layer 7 regex e-mail address

Mon Oct 28, 2013 5:04 pm

> It's actually a user account that has been compromised. I disabled the account, but instead I get several gigs of rejected logins each day. The SPAM problem has stopped, but the server is under high load just rejecting logins.
If your mailserver is under load because of that, then it is improperly configured. You should set the mailserver to "fail" the account. This means that the server does not even accept the messages to that account. It immediately rejects them based on the address instead of accepting the message and then dropping it.

Again, you need to consult your mailserver support.
 
Hammy
Forum Veteran, Topic Author

Re: Layer 7 regex e-mail address

Mon Oct 28, 2013 5:29 pm

I'm not sure you understand the load. I am getting over a million messages a day. That's a lot. That's a ton of rejection.

As recommended elsewhere, I am looking into Fail2ban to automate this process using the mail server's firewall. I just figured a quick and easy firewall script could have been had, but people insist on the run-around.
 
jandafields
Forum Guru

Re: Layer 7 regex e-mail address

Mon Oct 28, 2013 5:34 pm

> I'm not sure you understand the load. I am getting over a million messages a day. That's a lot. That's a ton of rejection.
>
> As recommended elsewhere, I am looking into Fail2ban to automate this process using the mail server's firewall. I just figured a quick and easy firewall script could have been had, but people insist on the run-around.
So, if you insist on using the mikrotik to try and do this, then simply type that email address into the L7 and set the rule to drop. Of course, this will still hit your mailserver up until the remote server sends this email address in the header...
 
Hammy
Forum Veteran, Topic Author

Re: Layer 7 regex e-mail address

Mon Oct 28, 2013 7:14 pm

> So, if you insist on using the mikrotik to try and do this, then simply type that email address into the L7 and set the rule to drop. Of course, this will still hit your mailserver up until the remote server sends this email address in the header...
It would be added to a blacklist address list so further SPAM attempts are tarpitted.

Sent from my EVO using Tapatalk
 
jandafields
Forum Guru

Re: Layer 7 regex e-mail address

Mon Oct 28, 2013 7:33 pm

> > So, if you insist on using the mikrotik to try and do this, then simply type that email address into the L7 and set the rule to drop. Of course, this will still hit your mailserver up until the remote server sends this email address in the header...
> It would be added to a blacklist address list so further SPAM attempts are tarpitted.

So, if someone sends spam from gmail... you are going to blacklist that IP address... and therefore blacklist all of gmail? (Or Yahoo, etc)?
 
Hammy
Forum Veteran, Topic Author

Re: Layer 7 regex e-mail address

Tue Oct 29, 2013 12:31 am

> > > So, if you insist on using the mikrotik to try and do this, then simply type that email address into the L7 and set the rule to drop. Of course, this will still hit your mailserver up until the remote server sends this email address in the header...
> > It would be added to a blacklist address list so further SPAM attempts are tarpitted.
> So, if someone sends spam from gmail... you are going to blacklist that IP address... and therefore blacklist all of gmail? (Or Yahoo, etc)?
See what I said earlier:
> It's actually a user account that has been compromised. I disabled the account, but instead I get several gigs of rejected logins each day. The SPAM problem has stopped, but the server is under high load just rejecting logins.
I will be putting in that particular compromised user's address. The firewall will start blacklisting the IPs of the various machines on the botnet to prevent them from attempting to login to the mail server repeatedly.

Now:
1) PC on botnet attempts to authenticate to my SMTP server.
2) The account is in "maintenance mode", so it is rejected.
3) Bunch of log data is written pertaining to the rejection.
4) Goto: 1.

Future:
1) PC on botnet attempts to authenticate to my SMTP server.
2) Router sees the username of the attempted authentication through layer 7.
3) Router adds IP to a blacklist, shutting down present connection, possibly some bit of log entry.
4) PC cannot goto 1 because the router blocks the communication before it ever gets there, saving gigs upon gigs of logs.
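
Added example (editor's code, not from anyone in this thread) showing what the "Future" steps above take in practice on RouterOS. The compromised account, the address-list name and the mail server address are hypothetical placeholders. Two things the thread does not say but that decide whether the rule ever fires: the bots are authenticating, and SMTP AUTH carries the username base64-encoded (AUTH LOGIN sends it on a line of its own; AUTH PLAIN packs NUL+user+NUL+password into one blob, so the username's last base64 group depends on the password and only a fixed prefix can be matched), so a pattern containing the bare e-mail address never matches a login; and the Layer 7 matcher only inspects the first packets of a connection and only sees clear text, so the rule must sit in a chain that carries both directions (forward, with the server behind the router, as assumed here) and it cannot see an AUTH sent after STARTTLS. The script builds the regexp, emits the firewall rules in the order they should sit in the chain, and checks the regexp against constructed SMTP exchanges, including one from a different user that must not match.

```python
"""Added example, not code from the thread: turn a compromised SMTP login name
into a RouterOS Layer 7 regexp and the firewall rules that blacklist any
source IP presenting it.  Account, address-list name and mail server address
are hypothetical placeholders.  AUTH PLAIN is assumed to carry an empty
authorization identity (leading NUL), which is what common clients send.
"""
import base64
import re

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
USER = "hammy@example.com"        # hypothetical compromised account
ADDRESS_LIST = "smtp-blacklist"   # hypothetical address-list name
MAIL_SERVER = "192.0.2.25"        # hypothetical mail server behind the router


def fixed_base64_prefix(data: bytes) -> str:
    """Base64 characters of `data` that do not change whatever bytes follow.

    Full 3-byte groups are fixed; of a trailing 1- or 2-byte group only the
    characters fed entirely by known bytes are fixed (the rest mix in bits of
    the password that follows the username in an AUTH PLAIN blob).
    """
    full, rem = divmod(len(data), 3)
    out = base64.b64encode(data[: full * 3]).decode()
    tail = data[full * 3:]
    if rem >= 1:
        out += B64_ALPHABET[tail[0] >> 2]
    if rem == 2:
        out += B64_ALPHABET[((tail[0] & 0x03) << 4) | (tail[1] >> 4)]
    return out


def regex_escape(s: str) -> str:
    """Escape POSIX ERE metacharacters (base64 contains '+', addresses '.')."""
    return re.sub(r"([.+*?()\[\]{}|^$\\])", r"\\\1", s)


def build_l7_regexp(user: str) -> str:
    """Alternation of the forms in which the login name appears on the wire."""
    login_form = base64.b64encode(user.encode()).decode()        # AUTH LOGIN reply
    plain_prefix = fixed_base64_prefix(b"\x00" + user.encode())  # AUTH PLAIN blob start
    alts = [
        regex_escape(login_form) + r"\x0d\x0a",        # username line, CRLF-terminated
        r"auth plain " + regex_escape(plain_prefix),   # initial-response form
        r"\x0d\x0a" + regex_escape(plain_prefix),      # blob sent after the 334 prompt
        r"mail from: ?<" + regex_escape(user) + ">",   # relay attempts without AUTH
    ]
    return "(" + "|".join(alts) + ")"


def routeros_commands(user: str) -> list:
    """RouterOS CLI lines, in the order the rules should sit in the chain.
    The address-list drop comes first so the rest of the matched connection
    and every later one from that IP is dropped; add-src-to-address-list does
    not stop rule processing, so the final drop ends the current packet.
    Backslashes are doubled because RouterOS strings treat '\\' as an escape."""
    rx = build_l7_regexp(user).replace("\\", "\\\\")
    smtp = f"chain=forward protocol=tcp dst-address={MAIL_SERVER} dst-port=25,587"
    return [
        f'/ip firewall layer7-protocol add name=compromised-login regexp="{rx}"',
        f"/ip firewall filter add chain=forward src-address-list={ADDRESS_LIST} action=drop",
        f"/ip firewall filter add {smtp} layer7-protocol=compromised-login "
        f"action=add-src-to-address-list address-list={ADDRESS_LIST} address-list-timeout=1d",
        f"/ip firewall filter add {smtp} layer7-protocol=compromised-login action=drop",
    ]


def sample_sessions(user: str) -> dict:
    """Constructed SMTP exchanges (not captures), both directions concatenated
    in arrival order, which is how the Layer 7 matcher buffers a connection."""
    u = user.encode()
    login_user = base64.b64encode(u)
    plain_blob = base64.b64encode(b"\x00" + u + b"\x00hunter2")
    return {
        "auth_login": b"EHLO bot\r\n250 AUTH LOGIN PLAIN\r\nAUTH LOGIN\r\n"
                      b"334 VXNlcm5hbWU6\r\n" + login_user + b"\r\n334 UGFzc3dvcmQ6\r\n",
        "auth_plain_initial": b"EHLO bot\r\n250 AUTH PLAIN\r\nAUTH PLAIN " + plain_blob + b"\r\n",
        "auth_plain_two_step": b"EHLO bot\r\n250 AUTH PLAIN\r\nAUTH PLAIN\r\n334 \r\n" + plain_blob + b"\r\n",
        "mail_from": b"EHLO bot\r\n250 ok\r\nMAIL FROM:<" + u + b">\r\n",
        "other_user": b"EHLO laptop\r\n250 AUTH LOGIN\r\nAUTH LOGIN\r\n334 VXNlcm5hbWU6\r\n"
                      + base64.b64encode(b"alice@example.com") + b"\r\n",
    }


def matches(regexp: str, session: bytes) -> bool:
    """Mirror RouterOS Layer 7 behaviour: case-insensitive, '.' spans line breaks."""
    return re.search(regexp.encode(), session, re.IGNORECASE | re.DOTALL) is not None


if __name__ == "__main__":
    rx = build_l7_regexp(USER)
    for name, session in sample_sessions(USER).items():
        print(f"{name:22s} match={matches(rx, session)}")
    print("\n".join(routeros_commands(USER)))
```

The printed rules are appended to the end of the filter chain by `add`; they only do their job if they sit ahead of any rule that already accepts established traffic to the mail server, so move them up with `/ip firewall filter move` after pasting. The address-list timeout keeps the blacklist from growing without bound as botnet hosts churn; Hammy's tarpit idea can be had by pointing the first rule at `action=tarpit` instead of `drop`.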
 
jandafields
Forum Guru

Re: Layer 7 regex e-mail address

Tue Oct 29, 2013 12:40 am

> saving gigs upon gigs of logs.
So, the issue is that you can't control the logs on the mail server? And this is the workaround to stop the massive log files???
 
Hammy
Forum Veteran, Topic Author

Re: Layer 7 regex e-mail address

Tue Oct 29, 2013 12:48 am

The logs rotate on schedule, but what's the point in filling them up with junk? I don't need any logs of the spammers failed sessions. All of this literally useless garbage just gets in the way.

Tell you what. Instead of disposing of my trash as I do now, I'll bring it over and dump it in your living room on the floor. Only, I'll tell 45k other people to do the same. Do you let it pile up and clear it on a given schedule or do you lock your door?
 
jandafields
Forum Guru

Re: Layer 7 regex e-mail address

Tue Oct 29, 2013 4:32 am

See the actual answer to your question a few posts up from here:
> So, if you insist on using the mikrotik to try and do this, then simply type that email address into the L7 and set the rule to drop.
