chimaster
Member Candidate
Topic Author
Posts: 132
Joined: Tue Feb 07, 2006 8:54 am
Location: Queenstown

Spambots

Fri Feb 15, 2008 3:09 am

Hey everyone, I hope I'm not doubling up, but I couldn't find any relevant posts...

I have some issues on my hotspot network. I'll give you some history first.

First we redirected all email through to our ISP's mail server and told our customers to turn off SMTP auth, as we were a trusted IP. However, a spammer (probably a bot) blew out a few hundred thousand emails and our ISP asked us to use our own mail system. Fair enough, as they were then blacklisted as a result.

I set up my own filtering mail server and trusted my hotspot network. However, this time my source IP was blocked and the issues began again.

Then we decided not to use our own mail server, telling our customers to use their ISP's SMTP auth systems to get their mail out, which works well. However, now spambots / viruses / nasties are sending directly to other SMTP servers, and as a result our hotspot external IP is blocked again *sigh*. Even our internal mail server (for our wireless business customers with SMTP auth) is blocking from our hotspot source IP as it's listed in some RBLs. It's also seeing legitimate traffic being blocked as the source IP is listed.

Now, obviously I could block all SMTP traffic over the wireless, but then I'm taking the S and the I out of WISP.

I'd love some pointers towards a solution. I've thought perhaps a rule to block too many simultaneous connections or to tarpit them; perhaps there is a "spam" detection script I could put in place? I'm afraid my MikroTik consultant has been very hard to get hold of recently and my knowledge is building a little too slowly to nail this one... (next time there is a MUM in NZ I'm coming up)

So... Ideas anyone? Love some feedback.

thanks in advance.
 
csickles
Forum Guru
Posts: 1257
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ

Re: Spambots

Fri Feb 15, 2008 8:41 pm

Yes, you can limit the SMTP connections by rule, and you can test for too many connections to several hosts (firehosing) and ban that IP, etc.

There is one more solution...

SPAM and viruses should be a worldwide capital offence !!! One proven intentional SPAM and you are history

A $.39 bullet would fix the prob.

DEATH to SPAMMERS !!!
Things that make you go "Hmmmmmmmm"...

Craig
 
BrianHiggins
Long time Member
Posts: 600
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT

Re: Spambots

Fri Feb 15, 2008 10:02 pm

We use this script to help stop flooding of SMTP; it works pretty well. Only two times did we catch a false positive; they were both mail servers for large companies that were legitimately sending out tons of email, so we whitelisted them.
/ip firewall filter
# Rule 1: a source already on 'spammer' is also recorded permanently
# (timeout 0s) for later investigation. add-src-to-address-list does not
# terminate, so the packet continues to the tarpit rule below.
add chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp \
    src-address-list=spammer address-list=WasASpammerOnce \
    address-list-timeout=0s comment="Log Spammer to address list for future \
    investigation" disabled=no
# Rule 2: hold SMTP connections from listed sources instead of dropping them.
add chain=forward action=tarpit dst-port=25 protocol=tcp \
    src-address-list=spammer comment="BLOCK SPAMMERS OR INFECTED USERS" \
    disabled=no
# Rule 3: a non-whitelisted source with more than 30 open SMTP connections
# (counted per /32) goes on 'spammer' for 30 minutes. limit=50,5 only
# throttles how often this rule may fire (50/s, burst 5); it is not a detector.
add chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp \
    connection-limit=30,32 limit=50,5 src-address-list=!WhiteListed \
    address-list=spammer address-list-timeout=30m comment="Detect and add-list \
    SMTP virus or spammers" disabled=no
 
chimaster
Member Candidate
Topic Author
Posts: 132
Joined: Tue Feb 07, 2006 8:54 am
Location: Queenstown

Re: Spambots

Sun Feb 17, 2008 11:41 pm

Hey Guys Thanks!!!

ForePoint, I'm gonna try that out today; hopefully it will help get me off the block lists. Can I safely just add this to my firewall / perimeter device, or am I better off adding it to each of my radios (50 hotspots)?

I'm also gonna trawl the forum for auto backup and update scripts, logging into 50 hotspots can be painful. :-)

Thanks!!
 
BrianHiggins
Long time Member
Posts: 600
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT

Re: Spambots

Thu Feb 21, 2008 8:43 pm

I run this on just our upstream edge/BGP routers. If you try to run it on a more customer-centric router it's less likely to detect an external attack that's doing a flood to a number of IPs, but on the other hand you'd be able to head off an infected customer closer to them, reducing the load on your backhauls, if you ran it at each hotspot...
 
chimaster
Member Candidate
Topic Author
Posts: 132
Joined: Tue Feb 07, 2006 8:54 am
Location: Queenstown

Re: Spambots

Fri Feb 22, 2008 12:42 am

I've run it on my "Supernode", which will catch all hotspots; I'll see how it goes. I'm dubious about running such scripts on my firewall: last time I ran a similar item I got too many false positives and had some grumpy customers... However, after my ClamAV had a panic attack last night I'm tempted to try it out.

Thanks guys.
 
BrianHiggins
Long time Member
Posts: 600
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT

Re: Spambots

Fri Feb 29, 2008 5:17 pm

Even if it does catch a false positive (which so far has only been a few large Exchange servers of our customers, which were easily whitelisted), they are automatically unblocked after 30 minutes with the way it's set, so most people will never even know they have been blocked, as the server will automatically retry delivery and the message will arrive, just a little delayed.
 
ke6hpz
newbie
Posts: 38
Joined: Tue May 13, 2008 8:16 pm

Re: Spambots

Tue Mar 24, 2009 11:31 pm

Hi ForePoint

I am a newbie; can you give a little explanation of how this firewall filter to stop spammers works? I put it in two of my main MikroTik boards (production units) and one on the bench, where I have been trying to tweak some of the settings to see if I can trigger it myself to see what it does, but since I don't have spamming software (and don't want any) on my computer, it is hard to see if it is working. I thought if I set the limit down to 1 or 0 and opened three telnet sessions to our mail server, I would trigger it, but I can't. So I don't know if it is working or not.

Thanks

Glenn
 
ChefJay
newbie
Posts: 31
Joined: Mon Mar 20, 2017 7:25 pm
Location: Folsom, CA, USA

Re: Spambots

Fri Sep 28, 2018 8:18 pm

I see how this can work for port 25, but I appear to have spambots that are using non-standard ports to send e-mails. How would I go about trapping something like that? Would I set a rule that limits the amount of active connections one IP can have? Would that affect my other normal members?
 
Sob
Forum Guru
Posts: 5590
Joined: Mon Apr 20, 2009 9:11 pm

Re: Spambots

Fri Sep 28, 2018 8:57 pm

First, digging up an almost ten-year-old post is rarely a good idea; don't do it.

And a spambot using non-standard ports doesn't make much sense. Mail servers all use port 25. They have to, because that's how the e-mail system works. While some may also have SMTP on other ports in addition to 25, a spambot aiming only for those would have a really bad success rate, so I don't think that's it.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
ChefJay
newbie
Posts: 31
Joined: Mon Mar 20, 2017 7:25 pm
Location: Folsom, CA, USA

Re: Spambots

Fri Sep 28, 2018 9:45 pm

Sob wrote:
First, digging up an almost ten-year-old post is rarely a good idea; don't do it.

And a spambot using non-standard ports doesn't make much sense. Mail servers all use port 25. They have to, because that's how the e-mail system works. While some may also have SMTP on other ports in addition to 25, a spambot aiming only for those would have a really bad success rate, so I don't think that's it.

Sorry for digging up the past, I just didn't see any other posts that have info related to this subject. But I really appreciate your reply to this.

I'm seeing mail traffic on such ports as 35740 & 59595. Are the bots using my router as a relay? My public static has been listed in a few spam lists because of this.
 
tippenring
Member Candidate
Posts: 243
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Spambots

Fri Sep 28, 2018 10:38 pm

 
ChefJay
newbie
Posts: 31
Joined: Mon Mar 20, 2017 7:25 pm
Location: Folsom, CA, USA

Re: Spambots

Tue Oct 02, 2018 12:02 am

Thank you very much for this info. I'm looking over the 2 threads now. It does appear I was infected via the WinBox vulnerability, and I had upgraded the router's OS to 6.43 but was still getting notes from my ISP about spam still being sent out. I did however notice the SOCKS issue, and then investigated my deployed routers. Sure enough, the infected devices had the SOCKS port opened, and that matched the ports my ISPs were seeing.

I have since then implemented the code below, changed all usernames/passwords, and upgraded the OS to 6.43.2. I have also set up the second code block below to catch any bots that may try to use port 25 for spam sending.
# Disable the router's SOCKS proxy, which the bots were relaying through.
/ip socks set enabled=no
This is what I added to catch other spambots.
/ip firewall filter
add chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp \
    src-address-list=spammer address-list=WasASpammerOnce \
    address-list-timeout=0s comment="Log Spammer to address list for future \
    investigation" disabled=no
add chain=forward action=tarpit dst-port=25 protocol=tcp \
    src-address-list=spammer comment="BLOCK SPAMMERS OR INFECTED USERS" \
    disabled=no
add chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp \
    connection-limit=30,32 limit=50,5 src-address-list=!WhiteListed \
    address-list=spammer address-list-timeout=30m comment="Detect and add-list \
    SMTP virus or spammers" disabled=no
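The following is an added example, not code from the thread or from MikroTik: a small Python model of the three forward-chain rules BrianHiggins posted (and ChefJay re-posted above), walked through the situations the thread raises. It encodes what the matchers actually do: connection-limit=30,32 matches once a single /32 source has more than 30 tracked SMTP connections, and limit=50,5 matches packets only up to 50 per second with a burst of 5, so it throttles how often the listing rule can fire rather than detecting a rate. That is why Glenn's three telnet sessions never trip it and why turning the limit down to 0 makes the rule never match at all. It also shows why Brian's 30-minute timeout lets a false positive recover on the next delivery retry while WasASpammerOnce keeps the record, and why spam relayed by the router itself through its SOCKS proxy is invisible to a chain=forward rule (locally originated traffic takes the output chain). All addresses, ports and the connection sequence are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Router:
    """Model of the three forward-chain SMTP rules from the thread (constructed example).

    rule 1: src in 'spammer'  -> add src to 'WasASpammerOnce' (timeout 0s = permanent)
    rule 2: src in 'spammer'  -> tarpit
    rule 3: src not in 'WhiteListed' and more than conn_limit open SMTP connections,
            throttled by 'limit' -> add src to 'spammer' for list_timeout seconds
    """
    own_addr: str                        # the router's own address (assumed value)
    conn_limit: int = 30                 # connection-limit=30,32
    list_timeout: float = 30 * 60        # address-list-timeout=30m, in seconds
    limit_rate: float = 50.0             # limit=50,5 -> rule may match 50 times/s ...
    limit_burst: float = 5.0             # ... with a burst of 5; a throttle, not a detector
    whitelist: set = field(default_factory=set)                    # address-list WhiteListed
    spammer: dict = field(default_factory=dict)                    # src -> expiry time
    was_spammer_once: set = field(default_factory=set)             # address-list WasASpammerOnce
    conns: dict = field(default_factory=lambda: defaultdict(set))  # src -> open SMTP conns
    tokens: float = field(init=False, default=0.0)
    last_refill: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.limit_burst

    def _limit_allows(self, now):
        """Token bucket with the semantics of the RouterOS `limit` matcher:
        the rule matches packets *up to* the rate and stops matching beyond it."""
        elapsed = max(0.0, now - self.last_refill)
        self.tokens = min(self.limit_burst, self.tokens + elapsed * self.limit_rate)
        self.last_refill = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def _expire(self, now):
        for src, expiry in list(self.spammer.items()):
            if expiry <= now:
                del self.spammer[src]

    def new_smtp_connection(self, now, src, dst, sport):
        """Evaluate one forwarded TCP SYN to port 25 and return the verdict."""
        self._expire(now)
        if src == self.own_addr:
            # Traffic the router originates itself (e.g. relayed through its own
            # SOCKS proxy) takes the output chain; chain=forward never sees it.
            return "output chain, not inspected"
        if src in self.spammer:
            self.was_spammer_once.add(src)   # rule 1 (non-terminating action)
            return "tarpit"                  # rule 2
        self.conns[src].add((dst, sport))
        if (src not in self.whitelist
                and len(self.conns[src]) > self.conn_limit   # connection-limit
                and self._limit_allows(now)):                # limit
            self.spammer[src] = now + self.list_timeout      # rule 3
        return "accept"

    def close_connection(self, src, dst, sport):
        self.conns[src].discard((dst, sport))


def run_scenarios():
    """Walk through the cases discussed in the thread; all addresses are made up."""
    r = Router(own_addr="203.0.113.1", whitelist={"10.0.0.50"})
    out = {}
    # Glenn's test: three telnet sessions to the mail server stay well under 30.
    for i in range(3):
        r.new_smtp_connection(0.0, "10.0.0.7", "198.51.100.25", 40000 + i)
    out["three_sessions_listed"] = "10.0.0.7" in r.spammer
    # An infected host opens 31 connections to five relays within a second.
    for i in range(31):
        r.new_smtp_connection(1.0, "10.0.0.9", "198.51.100.%d" % (i % 5), 50000 + i)
    out["bot_listed"] = "10.0.0.9" in r.spammer
    out["bot_next_verdict"] = r.new_smtp_connection(1.1, "10.0.0.9", "198.51.100.1", 51000)
    out["bot_logged_permanently"] = "10.0.0.9" in r.was_spammer_once
    # A whitelisted Exchange server doing the same is never listed.
    for i in range(31):
        r.new_smtp_connection(2.0, "10.0.0.50", "198.51.100.%d" % (i % 5), 50000 + i)
    out["whitelisted_listed"] = "10.0.0.50" in r.spammer
    # After 30 minutes the entry expires; a retry is accepted, the permanent log stays.
    for i in range(31):
        r.close_connection("10.0.0.9", "198.51.100.%d" % (i % 5), 50000 + i)
    out["bot_verdict_after_timeout"] = r.new_smtp_connection(
        1.0 + r.list_timeout, "10.0.0.9", "198.51.100.1", 52000)
    out["bot_still_logged"] = "10.0.0.9" in r.was_spammer_once
    # Turning `limit` down to 0 (Glenn's experiment) makes rule 3 never match.
    r0 = Router(own_addr="203.0.113.1", limit_rate=0.0, limit_burst=0.0)
    for i in range(31):
        r0.new_smtp_connection(0.0, "10.0.0.9", "198.51.100.%d" % (i % 5), 50000 + i)
    out["limit_zero_bot_listed"] = "10.0.0.9" in r0.spammer
    # Spam relayed by the router itself through SOCKS never traverses forward.
    verdict = None
    for i in range(100):
        verdict = r.new_smtp_connection(3.0, r.own_addr, "198.51.100.9", 60000 + i)
    out["router_relay_verdict"] = verdict
    out["router_listed"] = r.own_addr in r.spammer
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print("%-28s %s" % (name, value))
```

On a real router the equivalent bench test is to lower connection-limit (for example to 2,32) rather than limit, open three TCP sessions to port 25 from a host behind the router, and then check /ip firewall address-list print where list=spammer. The router-originated case is the reason ChefJay's port-25 rules did not stop the SOCKS relaying: disabling the proxy and restricting management access is what closes that path, not a forward-chain filter.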
