How to autodetect infected or spammer users and temporary block the SMTP output

From MikroTik Wiki
Jump to: navigation, search

Here can see in the solution which i invented and work excellent to autodetect and block SMTP viruses or spammers!

Only create these 2 rules in firewall forward:

/ip firewall filter

add chain=forward protocol=tcp dst-port=25 src-address-list=spammer
action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"

add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list
address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"

When an infected user is autodetected with a virus worm or doing spam, the user is added to a spammer list and block the STMP outgoing by 1 day, all the values can be adjusted for different networks types or at your convenience

Antispam-rules.jpg


Logging detected users

Next, to display a red Log each 30 minutes listing the detected infected or spammers users using hotspot, add the next script:

/system script
add name="spammers" source=":log error \"----------Users detected like \
    SPAMMERS -------------\";
\n:foreach i in \[/ip firewall address-list find \
    list=spammer\] do={:set usser \[/ip firewall address-list get \$i \
    address\];
\n:foreach j in=\[/ip hotspot active find address=\$usser\] \
    do={:set ip \[/ip hotspot active get \$j user\];
\n:log error \$ip;
\n:log \
    error \$usser} };" policy=ftp,read,write,policy,test,winbox 

Logging-spammers.jpg

[Alessio Garavano]


DesertAdmin correction to the above rule set.

/ip firewall filter
add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=virus comment="add to spammer list" connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp

Remove the following line if you already have a virus chain if not added it in.

add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus

Also remember to move newly updated rules logically above your current jump forward rule. I like to keep my rules in orders of ports.

-Sincerely, DesertAdmin

Netinthewest says. (My first ever Mikrotik script) I got e-mail blacklisted so had to do something fast. I used DesertAdmins solution and it worked great. Took a while though to work out logging from Alessio's script.(screenshots were great) Turns out I needed to create the variable first before I could use it to log the spammers IP. I called it "spamip" This version works straight from the tin.

:global spamip;
:log error "----------Users detected like SPAMMERS -------------";
:foreach i in [/ip firewall address-list find list=spammer] do={:set spamip [/ip firewall address-list get $i address];
:log error $spamip};

Thanks guys! You got me out of trouble.


Modification by Bob Burley

I liked and implemented this method of trapping spammers but I wanted to prevent unnecessary log entries every 30 minutes when the spammer list was empty. I made the following change to the script;

:global spamip;
:if ([:len [/ip firewall address-list find list=spammer]]>0) do= {
:log error "---------- IP's detected as SPAMMERS ----------";
:foreach i in [/ip firewall address-list find list=spammer] do={ :set spamip [/ip firewall address-list get $i address];
:log error $spamip };
}


Another Modification by Bob Burley

This version will also send an email ONLY ONCE for each new IP address detected. It uses another address-list called "email-log" to keep track of which addresses have been emailed. The addresses are removed from the "email-log" list after they timeout from the "spammer" list so that you will be notified again if that address is detected again.

:local emailip
:local spamip
:local keepflag 0
:foreach j in [/ip firewall address-list find list=email-log] do={
  :set emailip [/ip firewall address-list get $j address]
  :foreach i in [/ip firewall address-list find list=spammer] do={
    :set spamip [/ip firewall address-list get $i address]
    :if ($emailip=$spamip) do={:set keepflag 1}
  }
  :if ($keepflag=0) do={/ip firewall address-list remove $j} else= {:set keepflag 0}
}
:if ([:len [/ip firewall address-list find list=spammer]]>0) do={
  :local bodymsg ""
  :local emailflag 0
  :log error "---------- IP's detected as SPAMMERS ----------"
  :foreach i in [/ip firewall address-list find list=spammer] do={
    :set spamip [/ip firewall address-list get $i address]
    :log error $spamip
  }
  :foreach i in [/ip firewall address-list find list=spammer] do={
    :set spamip [/ip firewall address-list get $i address]
    :foreach j in [/ip firewall address-list find list=email-log] do={
      :set emailip [/ip firewall address-list get $j address]
      :if ($spamip=$emailip) do={:set emailflag 1}
    }
    :if ($emailflag=0) do={
      :set bodymsg ($bodymsg . $spamip . "\r\n")
      /ip firewall address-list add address=$spamip list=email-log
    } else= {:set emailflag 0}
  }
  :if ([:len $bodymsg]>0) do={
    /tool e-mail send from=MikroTik-XX@yourisp.com server=xxx.xxx.xxx.xxx to=youremail@yourisp.com subject="IP's detected as SPAMMERS" body=$bodymsg
    :set bodymsg ""
  }
}