A couple of months ago we received an abuse report about some of our public IPs: spam was being sent to SMTP servers from our network. We took action quickly, and after a couple of months of testing this is how the configuration turned out.
```
/ip firewall filter
add action=jump chain=forward comment=\
    "Send new SMTP connections from local hosts to forward-smtp" connection-state=new \
    dst-address-list=!not_in_internet dst-port=25,587,143,993,110,995,465 \
    jump-target=forward-smtp protocol=tcp src-address-list=not_in_internet
add action=drop chain=forward-smtp comment="Avoid spammers action" \
    src-address-list=smtp_spammers
add action=add-src-to-address-list address-list=smtp_client \
    address-list-timeout=1h chain=forward-smtp comment=\
    "Add to the SMTP-Clients list for 1 hour"
add action=accept chain=forward-smtp comment="Allow Traffic" dst-limit=\
    5,8,src-address/3s
add action=add-src-to-address-list address-list=smtp_spammers \
    address-list-timeout=8h chain=forward-smtp comment=\
    "Add to the Spammers list for 8 hours"
```
This MikroTik script creates firewall rules to monitor and control SMTP-related traffic, aiming to prevent spam. Here’s a breakdown of each part:
- Jump to Forward-SMTP Chain for SMTP Clients:
  - The first rule adds a jump action in the `forward` chain for new connections to SMTP ports (25, 587, 143, 993, 110, 995, 465).
  - It applies only to source IPs in the `not_in_internet` list and directs matching traffic to a custom chain called `forward-smtp`.
  - This rule also excludes destinations in the `not_in_internet` list.
- Drop Rule for Known Spammers:
  - In the `forward-smtp` chain, any traffic from IPs in the `smtp_spammers` list is dropped immediately.
  - This helps to block known sources of spam.
- Add New SMTP Clients to the List:
  - The next rule adds the source IP of traffic in `forward-smtp` to a list called `smtp_client` with a timeout of 1 hour.
  - This rule temporarily tracks IPs that are initiating SMTP connections, assuming they might be legitimate clients.
- Allow Limited Traffic for SMTP Clients:
  - This rule limits accepted traffic to five packets every 3 seconds per source IP.
  - It controls traffic volume and helps mitigate potential abuse by limiting each IP’s rate of SMTP-related traffic.
- Add New Spammers to the Block List:
  - Finally, if the packet limit is exceeded, the source IP is added to the `smtp_spammers` list for 8 hours.
  - This rule flags the IP as a spammer, preventing it from sending further SMTP traffic for a set period.
In summary, this script dynamically manages SMTP clients and spammers by monitoring traffic rates and maintaining address lists, effectively controlling spam in the network.
Remember to add this address list too:
```
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
```
This MikroTik script adds IP ranges to a `not_in_internet` list: private, reserved, and special-purpose addresses (RFC 6890) that are used for internal networks or specific functions such as multicast or loopback. The filter rules above use this list to tell local hosts apart from Internet destinations: only new connections whose source is in the list and whose destination is not are sent to the `forward-smtp` chain, so connections to an internal mail server are never counted against a client.
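To check what the chain does for a given connection before deploying it, here is an added Python model of the five filter rules and the `not_in_internet` list (example code, not part of the original post or of RouterOS). It assumes one packet per new connection and reads `dst-limit=5,8,src-address/3s` in the RouterOS `rate[/time],burst,mode[/expire]` format with `time` defaulting to 1s; the client and server addresses in the demo are constructed.

```python
import ipaddress

# Address list copied from the page's /ip firewall address-list entries.
NOT_IN_INTERNET = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]
SMTP_PORTS = {25, 587, 143, 993, 110, 995, 465}

def in_list(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

class DstLimit:
    """Per-source token bucket for dst-limit=5,8,src-address/3s.
    Assumption: RouterOS format rate[/time],burst,mode[/expire], time defaults to 1s."""
    def __init__(self, rate=5, burst=8, time=1.0, expire=3.0):
        self.rate, self.burst, self.time, self.expire = rate, burst, time, expire
        self.flows = {}  # src -> (tokens, last_seen)

    def match(self, src, now):
        tokens, last = self.flows.get(src, (self.burst, now))
        if now - last > self.expire:          # idle flow discarded: fresh bucket
            tokens, last = self.burst, now
        tokens = min(self.burst, tokens + (now - last) * self.rate / self.time)
        ok = tokens >= 1
        self.flows[src] = (tokens - 1 if ok else tokens, now)
        return ok

class SmtpFilter:
    def __init__(self):
        self.lists = {"smtp_client": {}, "smtp_spammers": {}}  # ip -> expiry (seconds)
        self.limit = DstLimit()

    def listed(self, name, ip, now):
        return self.lists[name].get(ip, -1) > now

    def forward(self, src, dst, dport, now, proto="tcp", new=True):
        """Action the page's chain takes for the first packet of one connection."""
        if not (proto == "tcp" and new and dport in SMTP_PORTS
                and in_list(src, NOT_IN_INTERNET) and not in_list(dst, NOT_IN_INTERNET)):
            return "not-smtp"                 # jump rule not matched: stays in forward
        if self.listed("smtp_spammers", src, now):
            return "drop"                     # rule 2: known spammer
        self.lists["smtp_client"][src] = now + 3600          # rule 3: 1h timeout
        if self.limit.match(src, now):
            return "accept"                   # rule 4: under the per-source limit
        self.lists["smtp_spammers"][src] = now + 8 * 3600    # rule 5: 8h timeout
        return "flag"                         # chain ends; next connection is dropped
```

Note that the flagged connection itself is not dropped by this chain; only the following connections from that source hit the drop rule, which is why rule order matters.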