Layer 7 regex e-mail address

Posted: Sat Oct 26, 2013 7:39 am
by Hammy
Is there a way I can implement a layer 7 firewall rule to match a specific e-mail address?

I'm having a problem with SPAM, but disabling the account on the mail server just results in massive log files. I'd like to shut down all transmissions as soon as that e-mail address is discovered. I can manage the bulk of the rule, but I don't know jack about the layer 7/regex matching.

Re: Layer 7 regex e-mail address

Posted: Sun Oct 27, 2013 9:18 pm
by jandafields
you REALLY need to handle this situation with your mail server and not the router...

Re: Layer 7 regex e-mail address

Posted: Sun Oct 27, 2013 9:48 pm
by Hammy
Why and what direction would you send me?

Re: Layer 7 regex e-mail address

Posted: Sun Oct 27, 2013 9:58 pm
by jandafields
A mail server is perfectly able to, and is designed to, handle this type of spam problem. This is not the proper place to get help with mailserver settings, though. You should have documentation and manufacturer support with your mail server.

Re: Layer 7 regex e-mail address

Posted: Mon Oct 28, 2013 6:35 am
by prince90s
e.g.:
webmail_163
  ^(get|post) .*host:.*\.mail\.(163\.com|126\.com|yeah\.net)\x0d\x0a
webmail_gmail
  get (http://mail.google.com/mail/|/mail/)?.*host: mail\.google\.com\x0d\x0a
webmail_hinet
  ^post ((http://webmail\.hinet\.net/login\.do|/login\.do).*host: webmail\.|(http://webmail1\.hinet\.net/cgi-bin/login\.cgi|/cgi-bin/login\.cgi).*host: webmail1\.)hinet\.net\x0d\x0a
webmail_hotmail
  ^get (http://.*mail\.live\.com/mail/|/mail/).*host: .*mail\.live\.com\x0d\x0a
webmail_pchome
  ^(post|get) .*host: mail.pchome.com.tw\x0d\x0a
webmail_qq
  ^(get|post) /cgi-bin/login.*host:.*(\.mail\.qq|\.foxmail)\.com\x0d\x0a
webmail_seednet
  ^(post|get) .*host: webmail.seed.net.tw
webmail_sina
  ^(post|get) .*host: (mail\.sina\.com\.cn|mp\.sina\.com\.tw)\x0d\x0a
webmail_sohu
  ^(get|post) .*host: .*mail\.sohu\.com\x0d\x0a
webmail_tom
  ^(get|post).*host: (login\.mail|pass)\.tom.com\x0d\x0a
webmail_url
  ^post (http://www\.url\.com\.tw/sgllogon/|/sgllogon/)sgllogon\.asp.*host: www\.url\.com\.tw\x0d\x0a
webmail_yahoo
  get (http://.*mail\.yahoo\.com/ym/login|/ym/login)?.*host: .*mail\.yahoo\.com\x0d\x0a
webmail_yam
  ^(get|post).*host: mail.yam.com

Re: Layer 7 regex e-mail address

Posted: Mon Oct 28, 2013 6:55 am
by jandafields
You obviously did not even read this thread at all. He is NOT asking how to block email websites!!! He is asking how to reduce spam by stopping people with CERTAIN EMAILS from sending to his mailserver!!!!

Re: Layer 7 regex e-mail address

Posted: Mon Oct 28, 2013 3:59 pm
by Hammy
It's actually a user account that has been compromised. I disabled the account, but instead I get several gigs of rejected logins each day. The SPAM problem has stopped, but the server is under high load just rejecting logins.

Re: Layer 7 regex e-mail address

Posted: Mon Oct 28, 2013 5:04 pm
by jandafields
If your mailserver is under load because of that, then it is improperly configured. You should set the mailserver to "fail" the account. This means that the server does not even accept the messages to that account. It immediately rejects them based on the address instead of accepting the message and then dropping it.

Again, you need to consult your mailserver support.

Re: Layer 7 regex e-mail address

Posted: Mon Oct 28, 2013 5:29 pm
by Hammy
I'm not sure you understand the load. I am getting over a million messages a day. That's a lot. That's a ton of rejection.

As recommended elsewhere, I am looking into Fail2ban to automate this process using the mail server's firewall. I just figured a quick and easy firewall script could have been had, but people insist on the run-around.

Re: Layer 7 regex e-mail address

Posted: Mon Oct 28, 2013 5:34 pm
by jandafields
So, if you insist on using the MikroTik to try and do this, then simply type that email address into the L7 and set the rule to drop. Of course, this will still hit your mailserver up until the remote server sends this email address in the header...

Re: Layer 7 regex e-mail address

Posted: Mon Oct 28, 2013 7:14 pm
by Hammy
It would be added to a blacklist address list so further SPAM attempts are tarpitted.

Sent from my EVO using Tapatalk

Re: Layer 7 regex e-mail address

Posted: Mon Oct 28, 2013 7:33 pm
by jandafields
So, if someone sends spam from gmail... you are going to blacklist that IP address... and therefore blacklist all of gmail? (Or Yahoo, etc)?

Re: Layer 7 regex e-mail address

Posted: Tue Oct 29, 2013 12:31 am
by Hammy
See what I said earlier:
It's actually a user account that has been compromised. I disabled the account, but instead I get several gigs of rejected logins each day. The SPAM problem has stopped, but the server is under high load just rejecting logins.
I will be putting in that particular compromised user's address. The firewall will start blacklisting the IPs of the various machines on the botnet to prevent them from attempting to login to the mail server repeatedly.

Now:
1) PC on botnet attempts to authenticate to my SMTP server.
2) The account is in "maintenance mode", so it is rejected.
3) Bunch of log data is written pertaining to the rejection.
4) Goto: 1.

Future:
1) PC on botnet attempts to authenticate to my SMTP server.
2) Router sees the username of the attempted authentication through layer 7.
3) Router adds IP to a blacklist, shutting down present connection, possibly some bit of log entry.
4) PC cannot goto 1 because the router blocks the communication before it ever gets there, saving gigs upon gigs of logs.
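An added example (not from the thread or from MikroTik) showing what the router would actually have to see in step 2: an SMTP client never sends the plain e-mail address during authentication, it sends AUTH LOGIN or AUTH PLAIN credentials base64-encoded, so a layer7 regexp built from the literal address does not match the login step, and a TLS-protected session cannot be inspected at all. The helpers compute the base64 forms such a rule would need, and `offending_ips` runs the same detection over a constructed capture format ("<ip> C: <client line>"); the account name, IPs and password are placeholders.

```python
import base64
import re
COMPROMISED = "victim@example.com"   # constructed placeholder for the disabled account
def auth_login_token(username):
    """Exact token a client sends for the username step of AUTH LOGIN."""
    return base64.b64encode(username.encode()).decode()
def auth_plain_prefix(username):
    """Stable base64 prefix of an AUTH PLAIN blob ("\\0user\\0password"): only
    whole 3-byte groups encode independently of the password that follows."""
    raw = b"\x00" + username.encode() + b"\x00"
    return base64.b64encode(raw[: len(raw) // 3 * 3]).decode()
def decode_username(method, token):
    """Recover the username from one AUTH LOGIN or AUTH PLAIN credential token."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if method == "LOGIN":
        return raw.decode(errors="replace")
    parts = raw.split(b"\x00")           # authzid \0 authcid \0 password
    return parts[1].decode(errors="replace") if len(parts) == 3 else None
LINE_RE = re.compile(r"^(?P<ip>\S+) C: (?P<cmd>.*)$")   # constructed capture format
def offending_ips(transcript, account):
    """Source IPs whose SMTP AUTH attempt named `account` (case-insensitive)."""
    hits, pending = set(), {}            # pending: ip -> method awaiting its token
    for entry in transcript:
        m = LINE_RE.match(entry)
        if not m:
            continue
        ip, words = m.group("ip"), m.group("cmd").split()
        if len(words) >= 2 and words[0].upper() == "AUTH" and words[1].upper() in ("PLAIN", "LOGIN"):
            if len(words) == 2:              # token arrives on the next client line
                pending[ip] = words[1].upper()
                continue
            user = decode_username(words[1].upper(), words[2])
        elif ip in pending:
            user = decode_username(pending.pop(ip), " ".join(words))
        else:
            continue
        if user is not None and user.lower() == account.lower():
            hits.add(ip)
    return hits
# Constructed session fragments: a botnet host using inline AUTH PLAIN and a
# legitimate user on another IP using the two-step AUTH LOGIN dialogue.
PLAIN_BLOB = base64.b64encode(b"\x00victim@example.com\x00hunter2").decode()
SAMPLE = ["203.0.113.7 C: EHLO bot.example",
          "203.0.113.7 C: AUTH PLAIN " + PLAIN_BLOB,
          "198.51.100.2 C: AUTH LOGIN",
          "198.51.100.2 C: " + auth_login_token("alice@example.com"),
          "198.51.100.2 C: " + base64.b64encode(b"correct horse").decode()]
```

Because a username can also be split across TCP segments or sent with an authzid in AUTH PLAIN, an L7 match on these tokens catches the common case, not every case; the mail server's own auth log remains the authoritative source for blocking decisions.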

Re: Layer 7 regex e-mail address

Posted: Tue Oct 29, 2013 12:40 am
by jandafields
saving gigs upon gigs of logs.
So, the issue is that you can't control the logs on the mail server? And this is the workaround to stop the massive log files???

Re: Layer 7 regex e-mail address

Posted: Tue Oct 29, 2013 12:48 am
by Hammy
The logs rotate on schedule, but what's the point in filling them up with junk? I don't need any logs of the spammers' failed sessions. All of this literally useless garbage just gets in the way.

Tell you what. Instead of disposing of my trash as I do now, I'll bring it over and dump it in your living room on the floor. Only, I'll tell 45k other people to do the same. Do you let it pile up and clear it on a given schedule or do you lock your door?

Re: Layer 7 regex e-mail address

Posted: Tue Oct 29, 2013 4:32 am
by jandafields
See the actual answer to your question a few posts up from here:
So, if you insist on using the MikroTik to try and do this, then simply type that email address into the L7 and set the rule to drop.