hello guys
I have problem with spamhaus, all of my ip blocked in spamhaus
I wanna set rule in firewall to limit 5 Email per hour

how to configuration this rule ?
can you help me ?

MikroTik devices have no information about how many emails are sent. You can't do such limitations on a router.

There are methods whereby you could configure RouterOS's firewall to permit no more than 5 SMTP outbound connections per hour, but that's attacking the symptom instead of the cause.

What's more useful here is to useRouterOS's packet filterto capture outbound SMTP connections and then use the information you glean from them to find the host(s) that's getting your public IP space blacklisted. Fix the cause, then petition Spamhaus and the others that are rightfully flagging your network as a source of spam.

You might have malware on one of your local machines, for instance. Choking the malware back to 5 emails/hour is a worse solution than killing the malware.

Regardless the configuration of remote mail server, with a single connection is possible to send near-unlimited ammount of e-mail...
Just counting outgoing connections, for this, is useless...

thanks guys
yes you right
but I have access to mail server

I wanna limit port 25

for example use 5 time port 25 in 1 hour , is it true ?

whats your ideas ?
is it work ?

You can do that, but if the mesage are spammed for 10.000 users, just a single connection suffice...
And not only 25, but also 587 (I ignore deprecated 465 and 2525)

lista_ip_clienti = user list created dynamically from PPPoE Server
@SMTP_troppi_src = user list of IP than connect to SMTP Server more than 5 times in a minute

lista_ip_clienti = user list created dynamically from PPPoE Server

In my alternative below, I use "!LAN" instead, since that's a defconf address list, thus more likely to be applicable to the OP's configuration.

@SMTP_troppi_src

I searched the docs, but I couldn't find a special meaning for "@" at the beginning of a list name. Is that a local convention, or did I miss something?

connect to SMTP Server more than 5 times in a minute

I don't see the "in a minute" limit in your example. I think you need an "address-list-timeout" in there somewhere.

Also, the OP specified "per hour" in the thread title, not "per minute".

/ip firewall mangle

I don't see any reason this has to be in the "mangle" section. Regular IP firewall filtering will do for this.

chain=prerouting

I'd put this in the "forward" chain since the rule may need to change based on "out interface" or similar, which the firewall only knows after the routing decision.

add action=return chain=prerouting_smtp

My understanding of the underlying netfilter mechanism is that you don't need an explicit return from a jumped-to chain if you reach the end. Explicit return is for when you want to jump back out in the middle of the chain, as you see in my alternative:


This is more complicated than rextended's method, but it works according to the requested specs, and it's more explicit, thus easier to debug. You can see the counters go up on the address lists and watch the timeouts to see what state any given host is in.

I doubt it matters which way you do it because both methods use a separate chain, so the action logic only affects SMTP TCP SYN packets, which should be rare. However, I do note that the docs claim the use of "connection-limit" is "very resource-intensive". My simple state-machine logic should not be "very resource intensive".

Beware: both methods need to be repeated for IPv6 if that's a possibility in your setup. The firewalls are separate, and you can't share rules among them. It's really too bad; otherwise, you could "jump" from the v6 firewall into the v4 firewall and share virtually all the logic.

And not only 25, but also 587 (I ignore deprecated 465 and 2525)

Sidenote, 587 is submission port that always requires login, you can't use it for unauthorized spamming. And 465 was reinstated/repurposed as replacement for 587 with implicit TLS (RFC 8314).

@tangent, on sort order... @ is before a,b,c..... etc.
Yes, my connection-tracking settings is involved in limits, I forget that
I do not want block nothing, I just want be notified,
and the return is present because some other rules are present after that check...
I really do not want block anything, but chek suspicious connections behaviour...

How about you fix the mail server? m?

( @Znevna: for who is that question?)

为谁开这个话题关于IP黑名单s in spamhaus.

hello guys I have problem with spamhaus, all of my ip blocked in spamhaus I wanna set rule in firewall to limit 5 Email per hour how to configuration this rule ? can you help me ?

This may happen if you're an ISP or at home where there are infected pc's actings as email bots. Either way you should block smtp If you're not using you own email server. Regular email clients are not dependent on smtp since they connect using other ports as @rextended explained.

Bottom line, I strongly advice you to disable smtp (tcp port 25). When this is fixed you may send a request to spamhaus to remove the block.

EDIT:
it doesn't matter if the bot sends only 5 emails since you might get blocked anyway because the content itself risks being marked as spam.

thanks guys
yes you right
but I have access to mail server

It is best to solve that in your mailserver. Also, block all outgoing TCP port 25 traffic except from your mailserver.

Regular email clients are not dependent on smtp since they connect using other ports as @rextended explained.

All four of the ports mentioned in this thread carry SMTP, just with different options and restrictions. (Details)

The proper distinction is that 25 is now supposed to be used only for SMTP-to-SMTP transport, between MTAs.

I don't see any of this as a good reason not to include port 25 in the port lists in these examples, however. Spammers are all about getting around supposed-to-bes.

it doesn't matter if the bot sends only 5 emails since you might get blocked anyway because the content itself risks being marked as spam.

Agreed. I posted my solution more as an answer to an intellectual challenge than as good advice. OP should fix the cause, not the symptom.

In general we allow MTA communication only for customers with business contracts. For private customers, all such traffic is closed to fight bots. This applies to most other ISPs that I know of.

当说到SMTP当然SSL / TLS (SMTPS) and measures like SPF/DKIM/DMARC (ARC) to check if the origin is legit.

hello guys
I have problem with spamhaus, all of my ip blocked in spamhaus
I wanna set rule in firewall to limit 5 Email per hour

how to configuration this rule ?
can you help me ?

Why? How do you figure that will help??

Fix the SPAM problem, or if you are the SPAM problem, stop sending SPAM..