 
Willy65
just joined
Topic Author
Posts: 5
Joined: Sun Jul 06, 2014 2:58 pm
Location: Nederland / Eindhoven

Abuse of port 25

Thu Dec 18, 2014 8:12 pm

Hi Guys

I run an e-mail server, and it is being abused as a spam server by means of port 25. Is it possible to create a rule that, for example, at 5 messages from the same IP in 10 seconds, blocks the IP forever or for a very long time?
I now have this rule but it does not work. Can somebody help me write this?

Thanx in advance.
add chain=input protocol=tcp dst-port=25 src-address-list=smtp_blacklist action=drop comment="drop smtp brute forcers" disabled=no
add chain=input protocol=tcp dst-port=25 connection-state=new src-address-list=smtp_stage3 action=add-src-to-address-list address-list=smtp_blacklist address-list-timeout=365d comment="Geblokd ivm aanval" disabled=no
add chain=input protocol=tcp dst-port=25 connection-state=new src-address-list=smtp_stage2 action=add-src-to-address-list address-list=smtp_stage3 address-list-timeout=365d comment="Geblokd ivm aanval" disabled=no
add chain=input protocol=tcp dst-port=25 connection-state=new src-address-list=smtp_stage1 action=add-src-to-address-list address-list=smtp_stage2 address-list-timeout=1m comment="Geblokd ivm aanval" disabled=no
add chain=input protocol=tcp dst-port=25 connection-state=new action=add-src-to-address-list address-list=smtp_stage1 address-list-timeout=365d comment="" disabled=no
add chain=forward protocol=tcp dst-port=25 src-address-list=smtp_blacklist action=drop comment="Geblokd ivm aanval"
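
A staged address-list ladder of the kind attempted in the post above, as an added example (not the poster's rules and not an official MikroTik configuration). It assumes the mail server sits behind the router at the placeholder address 192.168.88.10 and is reached through dst-nat, so the rules live in the forward chain (the input chain only sees traffic addressed to the router itself); the smtp_stage4 list is added here to reach a count of five.

```routeros
# Added example. 192.168.88.10 is a placeholder for the mail server's
# internal address. Rule order matters: the highest stage is checked first,
# so one new connection moves a source up by exactly one stage.
/ip firewall filter
# Sources already on the blacklist: drop every SMTP packet from them.
add chain=forward protocol=tcp dst-port=25 dst-address=192.168.88.10 \
    src-address-list=smtp_blacklist action=drop comment="drop blacklisted SMTP sources"
# 5th new connection while the source is still in stage4: blacklist for a year.
add chain=forward protocol=tcp dst-port=25 dst-address=192.168.88.10 connection-state=new \
    src-address-list=smtp_stage4 action=add-src-to-address-list \
    address-list=smtp_blacklist address-list-timeout=365d comment="stage4 -> blacklist"
# 4th, 3rd and 2nd new connection: climb one stage; each stage expires after 10s.
add chain=forward protocol=tcp dst-port=25 dst-address=192.168.88.10 connection-state=new \
    src-address-list=smtp_stage3 action=add-src-to-address-list \
    address-list=smtp_stage4 address-list-timeout=10s comment="stage3 -> stage4"
add chain=forward protocol=tcp dst-port=25 dst-address=192.168.88.10 connection-state=new \
    src-address-list=smtp_stage2 action=add-src-to-address-list \
    address-list=smtp_stage3 address-list-timeout=10s comment="stage2 -> stage3"
add chain=forward protocol=tcp dst-port=25 dst-address=192.168.88.10 connection-state=new \
    src-address-list=smtp_stage1 action=add-src-to-address-list \
    address-list=smtp_stage2 address-list-timeout=10s comment="stage1 -> stage2"
# 1st new connection from a source not yet in any list: enter stage1.
add chain=forward protocol=tcp dst-port=25 dst-address=192.168.88.10 connection-state=new \
    action=add-src-to-address-list address-list=smtp_stage1 \
    address-list-timeout=10s comment="new source -> stage1"
```

The ladder counts new TCP connections, each within 10 seconds of the previous one, not messages: a sender that pushes many messages over a single connection never climbs it. Legitimate relays that open several connections in quick succession will trip it too, so an accept rule for known peers above the ladder is worth adding.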
 
Thalid
newbie
Posts: 38
Joined: Sun Mar 31, 2013 11:33 pm

Re: Abuse of port 25

Sat Dec 20, 2014 11:38 am

What kind of mail server is this?
A mail server should only send spam mails if the mail server is infected or a valid user is infected by a virus.

One more scenario is:
If this server is run on the same IP as the other internal clients of your organization, then the infection is on your intranet.
 
Willy65
just joined
Topic Author
Posts: 5
Joined: Sun Jul 06, 2014 2:58 pm
Location: Nederland / Eindhoven

Re: Abuse of port 25

Sat Dec 20, 2014 3:51 pm

@Thalid,

It's a Windows 2003 Exchange server (yes, almost end of life). I'm busy with a new server, but they are sending mail on port 25 and it's forwarded to the senders (18.000 a minute). I was blocked by the ISP and I have blocked the IPs, but if I can prevent this with a rule then I don't have to worry about this problem (I hope). I'm busy with a 2008 server with Exchange 2013; I hope I can finish it this year, but there are some things in the family I can't manage, and that has priority at the moment.
 
Thalid
newbie
Posts: 38
Joined: Sun Mar 31, 2013 11:33 pm

Re: Abuse of port 25

Sat Dec 20, 2014 7:56 pm

The spam has to come from a source; an Exchange server only relays the info, and for that it needs valid user credentials.

How is your network set up? Do you run the server behind the same IP as you provide internet for internal users?

Some viruses send spam over the SMTP that is part of most computers, or they can even emulate it.

If this comes from an internal client, you should be able to block outgoing SMTP from all IPs except the one belonging to the Exchange box.

Example:
http://forum.mikrotik.com/viewtopic.php ... 08#p248060
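
The egress restriction suggested in this reply, as an added RouterOS example that is not taken from the thread or from the linked post. The address 192.168.88.10 (Exchange box), the subnet 192.168.88.0/24 (internal clients) and the list name lan_smtp_senders are placeholders chosen for illustration.

```routeros
# Added example with placeholder addresses; adjust to the real LAN layout.
/ip firewall filter
# Only the mail server may open SMTP connections through the router.
add chain=forward protocol=tcp dst-port=25 src-address=192.168.88.10 \
    action=accept comment="Exchange box may send SMTP"
# Any other internal host trying port 25 is recorded for a day, which
# gives a list of candidate infected clients to inspect ...
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    src-address=192.168.88.0/24 action=add-src-to-address-list \
    address-list=lan_smtp_senders address-list-timeout=1d \
    comment="record LAN hosts sending SMTP directly"
# ... and its SMTP traffic is then dropped.
add chain=forward protocol=tcp dst-port=25 src-address=192.168.88.0/24 \
    action=drop comment="block direct SMTP from LAN clients"

# Review which internal hosts tried to send mail directly:
/ip firewall address-list print where list=lan_smtp_senders
```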
 
Willy65
just joined
Topic Author
Posts: 5
Joined: Sun Jul 06, 2014 2:58 pm
Location: Nederland / Eindhoven

Re: Abuse of port 25

Sat Dec 20, 2014 8:09 pm

> The spam has to come from a source; an Exchange server only relays the info, and for that it needs valid user credentials.
>
> How is your network set up? Do you run the server behind the same IP as you provide internet for internal users?
>
> Some viruses send spam over the SMTP that is part of most computers, or they can even emulate it.
>
> If this comes from an internal client, you should be able to block outgoing SMTP from all IPs except the one belonging to the Exchange box.
>
> Example:
> http://forum.mikrotik.com/viewtopic.php ... 08#p248060

Thanx Thalid for your reply,

It's a single domain controller with Exchange running on it: OS 2003 Server Ent. and Exchange 2003 Ent.
I can see the traffic coming in in the log files of my Draytek firewall, so I see the traffic coming in on port 25 with an IP and going out on my SMTP IP. I changed the password of that SMTP controller but it didn't work.

I have 2 users and both were offline at that moment, so that can't be the problem.
 
Kindis
Member Candidate
Posts: 284
Joined: Tue Nov 01, 2011 6:54 pm

Re: Abuse of port 25

Sun Dec 21, 2014 10:57 pm

This is not a network issue. Exchange 2003 is open for relay at start. It also does not come with its own SMTP engine. To fix this I recommend opening the IIS config and going to SMTP. Select options and then lock down relay. I recommend always locking down which servers can relay.
 
Willy65
just joined
Topic Author
Posts: 5
Joined: Sun Jul 06, 2014 2:58 pm
Location: Nederland / Eindhoven

Re: Abuse of port 25

Sun Dec 21, 2014 11:12 pm

> This is not a network issue. Exchange 2003 is open for relay at start. It also does not come with its own SMTP engine. To fix this I recommend opening the IIS config and going to SMTP. Select options and then lock down relay. I recommend always locking down which servers can relay.

Hi Kindis,

Relay is closed, so that's not the problem. I had this before, and then the relay was open after an update from MS, so I looked at that right away and it's closed. And if OWA is used I get port 443 in the logs of my firewall (Vigor), and that's not so, so there was no remote login at the time of sending the spam and no users are logged on to the server.
