/ip firewall filter
add chain=forward protocol=tcp dst-port=25 \
    src-address-list=suspectedspambot action=drop \
    comment="Drop traffic from those on the suspect list"
add chain=forward protocol=tcp dst-port=25 \
    connection-limit=10,32 action=add-src-to-address-list \
    address-list=suspectedspambot address-list-timeout=2d \
    comment="More than 10 simultaneous connections looks spammy"
I have alternated colors for readability. The operation of this approach is quite simple. The first rule (in blue) simply drops any SMTP connection attempt (TCP port 25 passing through the forward chain) from any source found in the address list called "suspectedspambot". The second rule (in red) is the one that does the work of actually detecting spammers: it watches forwarded SMTP connections and, when the number of concurrent connections from a single source IP (the /32 in connection-limit=10,32) exceeds 10, adds that source address to the "suspectedspambot" list, where the entry expires after two days (address-list-timeout=2d) unless the host is caught again. On the next connection attempt from that address, the first rule drops the packet. The only problem with this approach is that it assumes there are NO hosts behind the router that legitimately hold more than 10 simultaneous outbound SMTP connections. If you do have such hosts (a real mail server, for instance), simply create another address list called "smtpservers" and add the following rule ABOVE the first (blue) rule, so that it is evaluated before both the drop rule and the detection rule:
add chain=forward protocol=tcp dst-port=25 \
    src-address-list=smtpservers action=accept \
    comment="Allow known smtp servers to send email"
This would allow your known mail servers to send email without fear of being "caught" and tagged as a spam source: because the accept rule terminates processing for their packets, their connections never reach the detection rule and are never counted against the limit. One further comment on these rules. This set of rules does not take into account SMTP traffic that is going TO your mail server: inbound connections from the Internet to your own server on port 25 also traverse the forward chain, so a remote host delivering many messages at once could be tagged and then dropped just like a spambot. I will leave that fix as an exercise for the reader. If one of your customers is "tagged" as a suspected spambot, you will find their IP address in the address list (/ip firewall address-list print where list=suspectedspambot) and can begin troubleshooting from there.
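For reference, the following is the complete rule set in the order it must be entered, with the inbound-mail exercise worked out as well. This is an added example, not the page's own listing. It assumes a hypothetical mail server at 192.0.2.25 (a documentation address) that both receives mail from the Internet and is on the smtpservers list, plus a second hypothetical relay at 192.0.2.26; the inbound case is handled by excluding traffic destined to that server from the detection rule only, so remote senders are never counted while an already-tagged host stays blocked everywhere.

```routeros
# Added example: complete rule set, including the inbound-mail exemption.
# 192.0.2.25 and 192.0.2.26 are assumed, hypothetical addresses.
/ip firewall address-list
add list=smtpservers address=192.0.2.25 comment="Our own mail server (assumed)"
add list=smtpservers address=192.0.2.26 comment="Customer mail relay (assumed)"

/ip firewall filter
# 1. Whitelist first: action=accept terminates processing, so known servers
#    never reach the drop rule or the detection rule below.
add chain=forward protocol=tcp dst-port=25 \
    src-address-list=smtpservers action=accept \
    comment="Allow known smtp servers to send email"

# 2. Drop anything already on the suspect list (unchanged from the page).
add chain=forward protocol=tcp dst-port=25 \
    src-address-list=suspectedspambot action=drop \
    comment="Drop traffic from those on the suspect list"

# 3. Detection, with the exercise applied: dst-address=!192.0.2.25 negates
#    the match, so mail delivered TO our own server is not counted and a
#    busy remote sender is not tagged. Only outbound port-25 traffic from
#    hosts behind the router can trip the 10-connections-per-/32 limit.
add chain=forward protocol=tcp dst-port=25 dst-address=!192.0.2.25 \
    connection-limit=10,32 action=add-src-to-address-list \
    address-list=suspectedspambot address-list-timeout=2d \
    comment="More than 10 simultaneous connections looks spammy"
```

After loading this, `/ip firewall address-list print where list=suspectedspambot` shows the dynamically added entries together with their remaining timeout, which is the first place to look when a customer reports that their mail stopped flowing.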
===============================================================================