The ISP I work for has had problems getting blacklisted due to spam coming from the network, and junk email sucks as well. So...... This is an attempt at limiting the exposure to this problem without blocking mail ports altogether. It expands on the Mikrotik filters Butch Evans posted. The idea was shamelessly borrowed from his work, and I have since found the exact text, word for word, posted on a dozen more blog sites each claiming it as their own. This is not mine; however, I expanded the list of mail-check server ports and added connection limits rather than a single hit triggering a block. I also added logging for debug purposes. I guess I need someone to get a virus to see the real result... probably won't be long.
Summary of what this does
- Monitor outbound port 25 connections from the internal network and log/block/tarpit a source on more than 3 simultaneous connections.
- Monitor outbound connections on ports 110, 143, 463, 465, 587, 993 and 995 (common mail ports used for POP/IMAP and authenticated submission) and insert the target IP addresses into the VALID_SMTP address-list. Outbound port 25 connections to these targets are then allowed, since the client has authenticated against that server at some point.
- APPROVED_SMTP_SERVERS is an address-list to which you add static entries for the hosts on your network that are legitimate email servers.
- POSSIBLE_TROJAN is an address-list populated by the three-strikes-and-you're-out rule; these IP addresses are blocked from sending on port 25 for 1 hour.
Ugly code follows....
/ip firewall address-list
# Modify below with your email server(s)
add address=XX.XX.118.0/24 comment="An email server INSIDE the network" \
disabled=no list=APPROVED_SMTP_SERVERS
add address=XX.XX.118.0/24 comment="An email server INSIDE the network" \
disabled=no list=APPROVED_SMTP_SERVERS
add address=XX.XX.118.0/24 comment="An email server INSIDE the network" \
disabled=no list=APPROVED_SMTP_SERVERS
#seed the VALID_SMTP address-list
add address=74.125.148.13 comment="!PLACEHOLDER email server OUTSIDE your network - POP/IMAP Verify" \
disabled=no list=VALID_SMTP
# Now the actual work filters
/ip firewall filter
add action=accept chain=forward \
comment="Allow email from our approved SMTP senders list regardless of destination" \
disabled=no dst-port=25 protocol=tcp src-address-list=APPROVED_SMTP_SERVERS
add action=accept chain=forward \
comment="Allow email to our approved SMTP servers regardless of source" \
disabled=no dst-address-list=APPROVED_SMTP_SERVERS dst-port=25 protocol=tcp
# add-dst-to-address-list is a passthrough action: the packet keeps walking the chain
# and, with nothing below matching these ports, is accepted by the chain default
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="Learn POP3 server into VALID_SMTP" \
disabled=no dst-port=110 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="Learn IMAP server into VALID_SMTP" \
disabled=no dst-port=143 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="Learn port 463 server into VALID_SMTP" \
disabled=no dst-port=463 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="Learn SMTPS (465) server into VALID_SMTP" \
disabled=no dst-port=465 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="Learn submission (587) server into VALID_SMTP" \
disabled=no dst-port=587 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="Learn IMAPS (993) server into VALID_SMTP" \
disabled=no dst-port=993 protocol=tcp
add action=add-dst-to-address-list \
address-list=VALID_SMTP address-list-timeout=0s chain=forward comment="Learn POP3S (995) server into VALID_SMTP" \
disabled=no dst-port=995 protocol=tcp
add action=accept chain=forward \
comment="Allow SMTP going to known servers" \
disabled=no dst-address-list=VALID_SMTP dst-port=25 protocol=tcp
#enforce the 1 hour block from the summary: a host already in POSSIBLE_TROJAN is
#blocked on port 25 for the life of its list entry, even once its connection count drops
add action=drop chain=forward \
comment="Block POSSIBLE_TROJAN hosts from port 25 until their 1h entry expires" \
disabled=no dst-port=25 protocol=tcp src-address-list=POSSIBLE_TROJAN
#log them, as a possible_trojan and add to the address-list
#(add-src-to-address-list and log are passthrough, so the rules below still see the packet)
add action=add-src-to-address-list address-list=POSSIBLE_TROJAN address-list-timeout=1h chain=forward \
comment="These will be users using SMTP servers that are not on our approved list" connection-limit=3,32 disabled=no dst-port=25 protocol=tcp
add action=log chain=forward comment="Log the source that exceeded 3 parallel port 25 connections" \
connection-limit=3,32 disabled=no dst-port=25 log-prefix=marked-rule-6 protocol=tcp
#did not match above so we are going to tarpit after 3 connections
#(disable the tarpit for testing)
add action=log chain=forward \
comment="This would drop the connections if the action was drop" \
disabled=no dst-port=25 log-prefix=drop-rule-8 connection-limit=3,32 protocol=tcp
add action=tarpit chain=forward \
comment="Tarpit the 4th and later parallel port 25 connections from one source" disabled=no dst-port=25 connection-limit=3,32 protocol=tcp
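
To check how the chain above treats a given connection before loading it on a router, here is a small Python model of the ruleset written for this post (an added example, not the router configuration or any RouterOS code). It assumes add-*-to-address-list is passthrough, connection-limit=3,32 matches from the 4th parallel port 25 connection of one source, an unmatched packet is accepted by the forward chain default, and the 1 hour POSSIBLE_TROJAN block described in the summary is enforced; all addresses are constructed.

```python
from collections import defaultdict

# Constructed model of the forward chain in this post; not RouterOS code.
LEARN_PORTS = {110, 143, 463, 465, 587, 993, 995}   # rules that seed VALID_SMTP
LIMIT = 3                                            # connection-limit=3,32


class SpamPolicy:
    def __init__(self, approved_servers):
        self.approved = set(approved_servers)        # APPROVED_SMTP_SERVERS (static entries)
        self.valid_smtp = set()                      # VALID_SMTP, timeout 0s = permanent
        self.possible_trojan = set()                 # POSSIBLE_TROJAN, timeout 1h
        self.open_25 = defaultdict(int)              # unlisted port 25 connections per source /32

    def new_connection(self, src, dst, dport):
        """Verdict for a new TCP connection walking the chain top to bottom."""
        if dport == 25 and (src in self.approved or dst in self.approved):
            return "accept"                          # the two APPROVED_SMTP_SERVERS accept rules
        if dport in LEARN_PORTS:
            self.valid_smtp.add(dst)                 # add-dst-to-address-list is passthrough
            return "accept"                          # nothing below matches this port: chain default
        if dport != 25:
            return "accept"                          # chain default
        if dst in self.valid_smtp:
            return "accept"                          # "Allow SMTP going to known servers"
        if src in self.possible_trojan:
            return "drop"                            # 1h block from the summary (assumed rule)
        self.open_25[src] += 1                       # this connection counts toward connection-limit
        if self.open_25[src] > LIMIT:
            self.possible_trojan.add(src)            # add-src-to-address-list, log, then tarpit
            return "tarpit"
        return "accept"                              # under the limit: chain default

    def close_connection(self, src):
        """Connection tracking removed one of src's counted port 25 connections."""
        if self.open_25[src] > 0:
            self.open_25[src] -= 1

    def expire_trojan(self, src):
        """The 1h address-list-timeout ran out for src."""
        self.possible_trojan.discard(src)


def demo():
    """Constructed scenario: one client that checked mail first, one that did not."""
    p = SpamPolicy(approved_servers={"10.0.118.10"})        # stand-in for the internal mail server
    p.new_connection("10.0.1.5", "198.51.100.20", 143)        # IMAP check seeds VALID_SMTP
    good = p.new_connection("10.0.1.5", "198.51.100.20", 25)  # so its SMTP to that host is allowed
    bad = [p.new_connection("10.0.1.7", f"203.0.113.{i}", 25) for i in range(4)]
    return good, bad, sorted(p.possible_trojan)


if __name__ == "__main__":
    print(demo())
```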