Here can see in the solution which i invented and work excellent to autodetect and block SMTP viruses or spammers!
Only create these 2 rules in firewall forward:
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer
action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list
address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"
When an infected user is autodetected with a virus worm or doing spam, the user is added to a spammer list and block the STMP outgoing by 1 day, all the values can be adjusted for different networks types or at your convenience
Logging detected users
Next, to display a red Log each 30 minutes listing the detected infected or spammers users using hotspot, add the next script:
/system script
add name="spammers" source=":log error \"----------Users detected like \
SPAMMERS -------------\";
\n:foreach i in \[/ip firewall address-list find \
list=spammer\] do={:set usser \[/ip firewall address-list get \$i \
address\];
\n:foreach j in=\[/ip hotspot active find address=\$usser\] \
do={:set ip \[/ip hotspot active get \$j user\];
\n:log error \$ip;
\n:log \
error \$usser} };" policy=ftp,read,write,policy,test,winbox
DesertAdmin correction to the above rule set.
/ip firewall filter
add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=virus comment="add to spammer list" connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp
Remove the following line if you already have a virus chain if not added it in.
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
Also remember to move newly updated rules logically above your current jump forward rule. I like to keep my rules in orders of ports.
-Sincerely, DesertAdmin
Netinthewest says. (My first ever Mikrotik script) I got e-mail blacklisted so had to do something fast. I used DesertAdmins solution and it worked great. Took a while though to work out logging from Alessio's script.(screenshots were great) Turns out I needed to create the variable first before I could use it to log the spammers IP. I called it "spamip" This version works straight from the tin.
:global spamip;
:log error "----------Users detected like SPAMMERS -------------";
:foreach i in [/ip firewall address-list find list=spammer] do={:set spamip [/ip firewall address-list get $i address];
:log error $spamip};
Thanks guys! You got me out of trouble.
Modification by Bob Burley
I liked and implemented this method of trapping spammers but I wanted to prevent unnecessary log entries every 30 minutes when the spammer list was empty. I made the following change to the script;
:global spamip;
:if ([:len [/ip firewall address-list find list=spammer]]>0) do= {
:log error "---------- IP's detected as SPAMMERS ----------";
:foreach i in [/ip firewall address-list find list=spammer] do={ :set spamip [/ip firewall address-list get $i address];
:log error $spamip };
}
Another Modification by Bob Burley
This version will also send an email ONLY ONCE for each new IP address detected. It uses another address-list called "email-log" to keep track of which addresses have been emailed. The addresses are removed from the "email-log" list after they timeout from the "spammer" list so that you will be notified again if that address is detected again.
:local emailip
:local spamip
:local keepflag 0
:foreach j in [/ip firewall address-list find list=email-log] do={
:set emailip [/ip firewall address-list get $j address]
:foreach i in [/ip firewall address-list find list=spammer] do={
:set spamip [/ip firewall address-list get $i address]
:if ($emailip=$spamip) do={:set keepflag 1}
}
:if ($keepflag=0) do={/ip firewall address-list remove $j} else= {:set keepflag 0}
}
:if ([:len [/ip firewall address-list find list=spammer]]>0) do={
:local bodymsg ""
:local emailflag 0
:log error "---------- IP's detected as SPAMMERS ----------"
:foreach i in [/ip firewall address-list find list=spammer] do={
:set spamip [/ip firewall address-list get $i address]
:log error $spamip
}
:foreach i in [/ip firewall address-list find list=spammer] do={
:set spamip [/ip firewall address-list get $i address]
:foreach j in [/ip firewall address-list find list=email-log] do={
:set emailip [/ip firewall address-list get $j address]
:if ($spamip=$emailip) do={:set emailflag 1}
}
:if ($emailflag=0) do={
:set bodymsg ($bodymsg . $spamip . "\r\n")
/ip firewall address-list add address=$spamip list=email-log
} else= {:set emailflag 0}
}
:if ([:len $bodymsg]>0) do={
/tool e-mail send from=MikroTik-XX@yourisp.com server=xxx.xxx.xxx.xxx to=youremail@yourisp.com subject="IP's detected as SPAMMERS" body=$bodymsg
:set bodymsg ""
}
}
Here is a guide how to block Team Viewer connection
