Hello everyone,
i have a client with 64/256 kbps internet limitation in my MT4.1 everything fine until someday he has no internet and his TX avg rate get the max limit and my Global local interface get to 2 mbps. i tried torch to see what happen and i see that his ip request 1 mbps that it doesn't see in RX rate so i blocked his ip with arp and input but nothing changed until he restart his pc then i blocked the ip appeared in torch but nothing happen. so any help how can i determine what is happening and how can i block such things and why he is going over the simple queue limitation?
best regards

I too would like to know how does one stop this! we have faced this issue a couple of times.

99% of the time virus is trying to send spam, solution is to block outgoing port 25. Also, it is a good practice to block packets destined to port 25 outside your network. Most of the time that traffic belongs to viruses. Even if not, human users can easily use smtp-auth to send emails, and smtp-auth is on remote port 587 (submission). One good sideffect of blocking port 25 is lower RBL listing frequency.

port 25 droped my friend. issue not with port 25 and most of time users use bandwidth more than what is in their qeue i always see download rate 256 for user who has lmax-limit 128 and in same time all my bandwidth is pushed to the max. even when i drop this client's ip in input and forward chain. why Mikrotik team not make drop options in torch so we can automaticly drop what make the issue from torch.
best regards