 
armorforrent
just joined
Topic Author
Posts: 1
Joined: Tue Dec 10, 2024 5:17 pm

Need help with blocking port 25

Tue Dec 10, 2024 5:23 pm

I thought I had port 25 blocked on my MikroTik. I keep getting these in my log:

output: in:(unknown 0) out:ether1, proto TCP (SYN), 173.x.x.x:50383->185.64.106.147:25, len 60

I redacted my Public IP.

We are occasionally getting blacklisted. We have scanned our network and have found nothing. I suspect the MikroTik is doing this. Any ideas?

We have a FW rule TCP Drop Dst Port 25 Source Address LOCALS Action DROP
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Need help with blocking port 25

Tue Dec 10, 2024 7:26 pm

You might want to post your config. By default, port 25 is allowed outbound.

If your added rule to block outbound 25 is after an "accept", that could be the problem.
 
sindy
Forum Guru
Posts: 11103
Joined: Mon Dec 04, 2017 9:19 pm

Re: Need help with blocking port 25

Tue Dec 10, 2024 7:53 pm

The log message clearly indicates that it is the Mikrotik itself that initiates the TCP connections to port 25 - it says output which is the firewall chain that handles packets sent by the router itself, and it says in:(unknown 0) which says the same in another way (packets sent by the router itself have no in-interface to be printed at this place of the message template).

So in the better case, you have misconfigured the /tool e-mail or some script; in the worse one, some malware is squatting on your router and trying to send spam. This normally means that you are not the only administrator of your router as the malware must obtain the spam contents to distribute and the list of addressees, so it has to talk to some control center.

So by just preventing the router from initiating SMTP connections, you will prevent it from getting blacklisted, but it won't prevent that hypothetical malware from doing something else.

What does /tool e-mail export show (before posting, obfuscate any usernames and passwords if set!)? What does /system logging action print where target=email show? Do you have any scripts that contain tool e-mail send?
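
Added example, not part of the thread and not MikroTik tooling: a small Python triage script that applies the reading of the log line given in the reply above (chain `output` and `in:(unknown 0)` mean the router itself sent the packet) to exported firewall log lines and counts outbound TCP/25 attempts per origin. The first sample line is the one from the original post; the other two, and the assumption that forwarded packets carry extra fields such as `src-mac` before `proto`, are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the firewall log line quoted in the thread. Fields between the
# interfaces and "proto" (e.g. src-mac on forwarded packets) are skipped.
LINE_RE = re.compile(
    r"(?P<chain>\w+): in:(?P<in_if>\(unknown \d+\)|\S+) "
    r"out:(?P<out_if>\(unknown \d+\)|[^,\s]+),.*?"
    r"proto (?P<proto>\w+)[^,]*, "
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+)"
)

def classify(line):
    """Parse one log line; return None if it is not in the expected layout."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    # Chain "output" or a missing in-interface means the router sent the packet.
    rec["router_originated"] = (
        rec["chain"] == "output" or rec["in_if"].startswith("(unknown")
    )
    return rec

def smtp_sources(lines):
    """Count outbound TCP/25 attempts per origin: 'router' or the LAN source IP."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == 25:
            counts["router" if rec["router_originated"] else rec["src"]] += 1
    return counts

SAMPLE = [
    # Line from the original post (public IP redacted by the poster).
    "output: in:(unknown 0) out:ether1, proto TCP (SYN), 173.x.x.x:50383->185.64.106.147:25, len 60",
    # Constructed lines: a forwarded LAN host, and router traffic to another port.
    "forward: in:bridge out:ether1, src-mac 02:00:00:00:00:01, proto TCP (SYN), 192.168.88.10:50000->203.0.113.5:25, len 60",
    "output: in:(unknown 0) out:ether1, proto TCP (SYN), 198.51.100.7:40000->203.0.113.9:443, len 60",
]

if __name__ == "__main__":
    for origin, n in smtp_sources(SAMPLE).items():
        print(f"{origin}: {n} outbound SMTP attempt(s)")
```

A count under `router` points at the router's own services or scripts; a count under a LAN address points at a host behind it.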
