We need to create a Firewall Filter Rule
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=suspectedspambot \
action=drop comment="Drop traffic from those on the suspect list"
add chain=forward protocol=tcp dst-port=25 \
connection-limit=10,32 \
action=add-src-to-address-list \
address-list=suspectedspambot \
address-list-timeout=2d \
comment="More than 10 simultaneous connections looks spammer"
We use alternated colors for readability. The operation of this approach is quite simple. The first rule (in blue) simply drops any SMTP connection attempts from anyone who is found in the address list called “suspectedspambot”. The second rule (in red) is the one that does the work of actually detecting spammers. What this rule does is watch for SMTP connections and, if the count of connections from a single IP (/32) goes above 10, then the source address of that packet is added to an address list called “suspectedspambot”. On the next connection attempt, the packet will be dropped. The only problem with this approach is that it assumes that there are NO mail servers that MAY be sending more than 10 emails at a time legitimately. If this is the case, you can simply create another address list called “smtpservers” then add a rule as follows ABOVE the rule above (in blue):
add chain=forward protocol=tcp dst-port=25 \
src-address-list=smtpservers action=accept \
comment="Allow known smtp servers to send email"
This would allow your known mail servers to send email without fear of being “caught” and tagged as a spam source. One further comment on these rules. This set of rules does not take into account smtp traffic that is going TO your mail server. I will leave that fix as an exercise for the reader. If one of your customers is “tagged” as a suspected spambot, you will find their IP address in the address list and can begin troubleshooting from there.
No comments:
Post a Comment