Hey everyone, I hope I'm not doubling up, but I couldn't find any relevant posts...

I have some issues on my hotspot network. I'll give you some history first.

First we re-directed all email through to our isps mailserver and told our customers to turn of SMTP auth as we were trusted ip. However, a spammer (probalby a bot) blew out a few hundred thousand emails and our ISP asked us to use our own mail system. Fair enoug as they were then blacklisted as a result.

I setup my own filtering mail server and trusted my hotspot network. However, this time my source ip was blocked and the issues began again.

Then, we decided to not use our own mail server, telling our customers to use their isp's smtp auth systems to get their mail out, which works well, however, now spambots / viruses, nastys are sending directly to other smtp servers and as a result our hotspot external IP is blocked again *sigh*. Even our internal mail server (for our wirelss business customers with smtp auth) is blocking from our hotspot source IP as it's listed in some RBLs. It's also seeing legitimate traffic being blocked as the source IP is listed.

Now, obviously I could block all smtp traffic over the wireless, but then I'm taking the S and the I out of WISP.

I'd love some pointers towards a solution, I've thought perhaps a rule to block too many simultanous connections or to tarpit them, perhaps there is a "spam" detection script I could put in place? I'm afraid my Mikrotik consultant has been very hard to get hold of recently and my knowledge is building a little too slowly to nail this one... (next time there is a MUM in NZ I'm coming up)

So... Ideas anyone? Love some feedback.

thanks in advance.

Yes you can limit the SMTP connections by rule and you can test for too many connections to several hosts (firehosing) and bann that ip etc.

There is one more solution...

SPAM and viruses should be a world wide capitol offence !!! One proven intentionail SPAM and you are history

A $.39 bullet would fix the prob.

DEATH to SPAMMERS !!!

we use this script to help stop flooding of smtp, works pretty good, only 2 times did we catch a false positive, they were both mail servers for large companies that were legitimatly sending out tons of email, so we whitelisted them.

Hey Guys Thanks!!!

Forepoint, I'm gonna try that out today, hopefully it will help get me off the block lists. Can I safely just add this to my firewall / permimiter device, or am I better off adding to each of my radios (50 Hotspots) ?

I'm also gonna trawl the forum for auto backup and update scripts, logging into 50 hotspots can be painful.

Thanks!!

I run this on just our upstream edge/BGP routers. if you try to run it on a more customer centric router it's less likley to detect an external attack that's doing a flood to a number of IPs, but on the other hand you'd be able to head off a infected customer closer to them, and reducing the load on your backhauls if you ran it at each hotspot...

I've run it on my "Supernode" which will catch all Hotspots, I'll see how it goes. I'm dubious about running such scripts on my firewall, last time I ran a similar item I got too many false positives and had some grumpy customers... However, after my clamav had a panic attack last night I'm tempted to try it out.

Thanks guys.

even if it does catch a false positive (which so far has only been a few large exchange servers of our customers, which were easily whitelisted), they are automatically unblocked after 30 minutes with the way it's set, so most people will never even know they have been blocked as the serer will automatically retry delivery and the message will arrive, just a little delayed.

Hi ForePoint

I am a newbie, can you give a little explanation of how this firewall filter to stop spammer works. I put in two of my main Mikrotik boards, ( production units) and one on the bench, that I have been trying to tweak on some of the setting to see if I can trig it my self to see what it does, but since I don't have a spamming software ( and don't want any ) on my computer, it is hard to see if it is working. I thought if I set the limit down to 1 or 0 and open three telnet sessions to our mail server, I would trig it, but I can't. So I don't know if it is working or not.

Thanks

Glenn

I see how this can work for port 25, but I appear to have spambot's that are using none standard ports to send e-mails. How would I go about trapping something like that? Would I set a rule that limits the amount of active connections one IP can have? Would that effect my other normal members?

First, digging up almost ten years old post is rarely good idea, don't do it.

And spambot using non-standard ports doesn't make much sense. Mail servers all use port 25, They have to, because that's how e-mail system works. While some may also have smtp on other ports in addition to 25, spambot aiming only for that would have really bad success rate, so I don't think that's it.

First, digging up almost ten years old post is rarely good idea, don't do it.

And spambot using non-standard ports doesn't make much sense. Mail servers all use port 25, They have to, because that's how e-mail system works. While some may also have smtp on other ports in addition to 25, spambot aiming only for that would have really bad success rate, so I don't think that's it.

Sorry for digging up the past, I just didn't see any other posts that have info related to this subject. But I really appreciate your reply to this.

I'm seeing mail traffic on such ports as 35740 & 59595. Are the bots using my router as a relay? My public static has been listed in a few spam lists because of this.

You were probably affected by https://blog.mikrotik.com/security/winb ... ility.html.

See this very recent related thread: viewtopic.php?f=13&t=139684&p=688903&hilit=spam#p688903

You were probably affected by https://blog.mikrotik.com/security/winb ... ility.html.

See this very recent related thread: viewtopic.php?f=13&t=139684&p=688903&hilit=spam#p688903

Thank you very much for this info. I'm looking over the 2 threads now. It does appear I was infected by the WinBox vulnerability, and I had upgraded the routers OS to 6.43 but was still getting notes from my ISP about smap still being sent out. I did how ever notice the sock issue, and then investigated my deployed routers. Sure enough the infected devices had the sock port opened and that matched the ports my ISP's were seeing.

I have since then implemented the below code, changed all user/password's, and upgraded the OS to 6.43.2. I have also setup the second below code to catch any bots that may try to use port 25 for spam sending.
this is what I added to catch other spam bots.