How to autodetect infected or spammer users and temporary block the SMTP output

From MikroTik Wiki
Revision as of 18:57, 29 May 2009 by Desertadmin (talk | contribs) (Logging detected users)
Jump to: navigation, search

Here can see in the solution which i invented and work excellent to autodetect and block SMTP viruses or spammers!

Only create these 2 rules in firewall forward: 

/ip firewall filter

add chain=forward protocol=tcp dst-port=25 src-address-list=spammer
action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"

add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list
address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"

When an infected user is autodetected with a virus worm or doing spam, the user is added to a spammer list and block the STMP outgoing by 1 day, all the values can be adjusted for different networks types or at your convenience

Antispam-rules.jpg


Logging detected users

Next, to display a red Log each 30 minutes listing the detected infected or spammers users using hotspot, add the next script: 

/system script
add name="spammers" source=":log error \"----------Users detected like \
    SPAMMERS -------------\";
\n:foreach i in \[/ip firewall address-list find \
    list=spammer\] do={:set usser \[/ip firewall address-list get \$i \
    address\];
\n:foreach j in=\[/ip hotspot active find address=\$usser\] \
    do={:set ip \[/ip hotspot active get \$j user\];
\n:log error \$ip;
\n:log \
    error \$usser} };" policy=ftp,read,write,policy,test,winbox

Logging-spammers.jpg

[Alessio Garavano]


DesertAdmin correction to the above rule set. /ip firewall filter add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25 protocol=tcp src-address-list=spammer add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=virus comment="add to spammer list" connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp


Remove the following line if you already have a virus chain if not added it in.

add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus

Also remember to move newly updated rules logically above your current jump forward rule. I like to keep my rules in orders of ports.

-Sincerely, DesertAdmin

Retrieved from "https://wiki.mikrotik.com/index.php?title=How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output&oldid=12654"