My network send spam?
Posted: Thu Jun 28, 2012 10:52 am
by krasi9220
Hello,
My network sends spam and I can't search in Google. How do I find the spammer and stop it from sending spam?
Re: My network send spam?
Posted: Thu Jun 28, 2012 11:39 am
by mecevdim
Hi there,
I also had the same problem, solved with this:
/ip firewall filter
add action=drop chain=forward comment="Drop Spammer" disabled=no dst-port=25 \
protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
1d chain=forward comment="Add to Spammer list" connection-limit=30,32 \
disabled=no dst-port=25 limit=50,5 protocol=tcp
Hope this helps,
Regards
Re: My network send spam?
Posted: Thu Jun 28, 2012 11:45 am
by krasi9220
I already did this, but it doesn't help.
Re: My network send spam?
Posted: Thu Jun 28, 2012 12:03 pm
by janisk
You could add a stricter limitation, or drop all of the user's traffic to bring to their attention that there is a problem that has to be solved.
Re: My network send spam?
Posted: Thu Jun 28, 2012 1:57 pm
by krasi9220
Dear janisk,
Could you give some example or advice?
Re: My network send spam?
Posted: Thu Jun 28, 2012 2:31 pm
by justfishing
I had that same exact problem a couple of years ago for a Justice Center I support and the ISP got my attention by turning off the Internet until they knew I was working on it.
The network I set up there has a SonicWALL, going to some managed switches. But for you, it doesn't matter because the process will be the same, and you should be able to find the spammer like a 'big red truck' if you do what I did. Here's a brief overview of my steps:
- I set up port mirroring to monitor the WAN/LAN traffic coming from the router to the main switch
- Unless you have multiple networks coming off of that router (which would have to be monitored separately if you did), I only hooked up one connection from the router to the switch for normal use
- Make sure you do a "true port mirroring" - NO sniffing from a workstation that is just plugged into a switch without the port mirroring
- Plugged into the mirrored port, I used the latest version of Wireshark on my notebook to capture traffic for several hours during business hours when most people would have their computers on
- Then I downloaded a 10-day trial of "Cascade Pilot Personal Edition" and started digging through the traffic
- You can filter by several different protocols. In your case, SMTP
- Hopefully it will be a station off of your main network
- But if it is separated by another internal router for some reason and you track it down to that internal router, then you will need to change your port mirror to that main LAN to switch connection and go again
- My 'big red truck' ended up looking like a "speaker cone" with many connections out to the internet
Someone more efficient in Wireshark could probably do it without the "Cascade Pilot Personal Edition" software. But it sure does make it very fast and easy!
If anyone has any other suggestions of similar software that doesn't have the price tag or is free, I would love to hear other thoughts on that.
I hope that helps!
Billy
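Added example, not part of the original post: one way to find the "speaker cone" host in a capture taken on the mirrored port, using only the Python standard library. It counts, per source address, how many distinct hosts received a TCP SYN on port 25; the sample capture, the addresses and the threshold of 5 destinations are constructed assumptions.

```python
import struct
from collections import defaultdict

def _ip(s):
    return bytes(map(int, s.split(".")))

def frame(src, dst, dport, flags=0x02):
    """Constructed test data: minimal Ethernet/IPv4/TCP frame (default flag: SYN)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def smtp_fanout(pcap, port=25):
    """Map each source IP to the set of hosts it sent a TCP SYN to on `port`."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    fanout, off = defaultdict(set), 24          # 24-byte global header
    while off + 16 <= len(pcap):                # 16-byte per-packet header
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        pkt, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                            # only untagged IPv4/TCP is inspected
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]   # skip the IP header (IHL words)
        if len(tcp) < 14:
            continue
        dport, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
        if dport == port and (flags & 0x12) == 0x02:   # SYN set, ACK clear
            fanout[".".join(map(str, pkt[26:30]))].add(".".join(map(str, pkt[30:34])))
    return dict(fanout)

def suspects(fanout, min_destinations=5):
    """Sources that contacted many distinct mail servers, busiest first."""
    hits = [ip for ip, dsts in fanout.items() if len(dsts) >= min_destinations]
    return sorted(hits, key=lambda ip: -len(fanout[ip]))

SAMPLE = build_pcap(                                         # constructed capture
    [frame("192.168.88.50", f"203.0.113.{n}", 25) for n in range(1, 21)]
    + [frame("192.168.88.10", "198.51.100.7", 25)] * 3       # mail client, one relay
    + [frame("192.168.88.50", "198.51.100.9", 443)]          # unrelated HTTPS
)

if __name__ == "__main__":
    print(suspects(smtp_fanout(SAMPLE)))
```

A workstation that talks to one configured relay shows a single destination, while an infected host shows many; a real capture saved from Wireshark in classic pcap format can be passed to `smtp_fanout` as bytes.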
Re: My network send spam?
Posted: Thu Jun 28, 2012 3:57 pm
by krasi9220
Thanks justfishing
Re: My network send spam?
Posted: Thu Jun 28, 2012 8:31 pm
by krasi9220
Any other advice?
Re: My network send spam?
Posted: Thu Jun 28, 2012 9:48 pm
by Dobby
Deleted because not related.
Re: My network send spam?
Posted: Sun Jul 01, 2012 5:34 pm
by krasi9220
Thanks guys! I am still fighting with this and I think I need to use the advice from Dobby.
Re: My network send spam?
Posted: Mon Jul 02, 2012 12:28 am
by Dobby
Deleted because not related.