A useful firewall rule trick to prevent your email client from accessing the web

Discussion in 'other firewalls' started by Wayne - DiamondCS, Jan 18, 2003.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    If you use Port Explorer or any other realtime port monitoring tool you'll see that when you open an HTML email from a spammer, the email client often connects out to remote websites, usually on port 80 but that can vary. This isn't good at all -- it basically allows the spammer to detect that you have read your email, and in addition to this, they garner your IP address and web-browser information when your browser visits their server.

    The good news is that it can easily be prevented by adding two simple rules to your personal firewall (should work with all personal firewalls):
    Rule #1 - Allow your email client outbound TCP access on port 25 (sending mail), 110 (receiving mail), and 119 (newsgroups, if you visit them).
    Rule #2 - Block ALL other access by your email client

    Note that the rules must be in that order to work :). The first rule simply allows your email client outbound access to the ports it needs to get access to, while the second rule blocks all other access, thus preventing your email client from connecting out to remote webservers.

    Best regards,
    Wayne
     
  2. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Re:A useful firewall rule trick to prevent your email client from accessing the

    As an additional constraint on those rules, specify the IP(s) of your account's associated mail servers as the only possible destinations.

    It is child's play for a script to configure a new address in most email clients (worst of all is Outlook97/2k/xp - the VBA extensibility is pretty powerful) and download attachments residing on a mailserver of the script writer's choice.

    I don't know if this has happened but I can't be the first to have thought of it. I've seen an ftp version of this scenario, so the same advice applies there.
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Yup :) and to extend further, it won't stop your email client from connecting to a webserver that is listening (strangely) on port 25 or 110 - it's not likely to happen, but it's possible, so if you only use a few particular IP addresses, then use those :)
    We get asked this quite a lot in emails so it's a problem that affects a lot of people, but it's easy to deal with!
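
The rule ordering from the first post and the destination restriction suggested in the replies, modelled as an added example that is not part of any post in this thread. It assumes a first-match rule engine (the behaviour implied by "the rules must be in that order"); the addresses are constructed placeholders from documentation ranges, and the `Rule`, `decide` and `evaluate` names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    ports: frozenset = frozenset()  # empty set = any remote port
    dests: tuple = ()               # empty tuple = any remote address

    def matches(self, ip, port):
        port_ok = not self.ports or port in self.ports
        dest_ok = not self.dests or any(
            ipaddress.ip_address(ip) in ipaddress.ip_network(net)
            for net in self.dests)
        return port_ok and dest_ok


def decide(rules, ip, port):
    """Assumed model: the first matching rule wins; no match means block."""
    for rule in rules:
        if rule.matches(ip, port):
            return rule.action
    return "block"


MAIL_PORTS = frozenset({25, 110, 119})  # ports listed in the first post
MAIL_SERVER = "192.0.2.10/32"           # constructed placeholder address

allow_mail = Rule("allow", ports=MAIL_PORTS)
block_rest = Rule("block")
allow_mail_pinned = Rule("allow", ports=MAIL_PORTS, dests=(MAIL_SERVER,))

# Constructed outbound connection attempts made by the email client.
ATTEMPTS = [
    ("192.0.2.10", 110),   # POP3 to the user's own mail server
    ("198.51.100.7", 80),  # remote image fetch triggered by an HTML email
    ("198.51.100.7", 25),  # web server listening on port 25
]


def evaluate(rules):
    return [decide(rules, ip, port) for ip, port in ATTEMPTS]


if __name__ == "__main__":
    for name, rules in [("ports only", [allow_mail, block_rest]),
                        ("reversed order", [block_rest, allow_mail]),
                        ("pinned to server", [allow_mail_pinned, block_rest])]:
        print(f"{name:18}", evaluate(rules))
```

With the rules reversed the block rule matches first and mail stops working; only the variant pinned to the mail server's address refuses the web server on port 25.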
     
  4. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Thanks for the information Wayne. :)
    I ended up moving to “The Bat” to prevent this sort of thing happening and increase protection. The advice would have maybe saved a lot of work. I do believe the next version of Outlook will include an option to stop mail doing this. Could it be that Microsoft is now beginning to take notice? :eek:
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re:A useful firewall rule trick to prevent your email client from accessing the

    MS should notice with less people using their OU and OE for this and all the comments worldwide.
     
  6. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Let's not forget IMAP port 143 shall we !
     
  7. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Hi Jooske ;)

    They already took care : in OE6SP1 options you may read all your mails in *.txt ;)

    To complete Wayne's excellent advice : you may also need port 143 (IMAP)
    If you use hotmail.com from your mail client you need port 80, bad luck :)

    Rgds,
     
  8. wink

    wink Registered Member

    Joined:
    Dec 16, 2002
    Posts:
    52
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Hi Wayne,

    Great piece of advice and only takes a few seconds to re-configure, simple yet very effective. As soon as I flicked through a few emails I had notifications on blocked connections (some emails were not overtly HTML either, which just shows that things can hide very easily).

    Wink.
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Hello Wayne!

    A decent firewall is doing this job already from itself! :)

    And because I'm using such a decent firewall, Outpost Pro ;), I don't care about rules for my email program (Outlook XP).
     
  10. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Re:A useful firewall rule trick to prevent your email client from accessing the

     
  11. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Re:A useful firewall rule trick to prevent your email client from accessing the

    NOT wrong: when you are using the "Rules Wizard" in Outpost it works just like I explained before! :cool: :cool: :D

    BTW: you are talking about Outlook Express, I'm talking about Outlook XP....
     
  12. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Re:A useful firewall rule trick to prevent your email client from accessing the

    For Outlook, when using "Create rules using preset" => Email client the only rule is TCP out :25 Allow. Hence you will be prompted to edit some more rules according to your whim : you may or may not accept in learning mode TCP OUT 80, 8080, etc... the first time you receive some kind of HTML mails requesting OUTBOUND connection ;)

    Rgds,
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re:A useful firewall rule trick to prevent your email client from accessing the

    As for hotmail: I'm trying out this program called web2pop
    It does what it promises, I can fetch my Hotmail with The Bat this way.
    Do you see any additional security risks?

    Regards,

    Pieter
     
  14. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Re:A useful firewall rule trick to prevent your email client from accessing the

    This was a longer post but as I posted I got a 404 error and then lost it. So I will shorten this one.

    Want to stop spam? Grab Mailwasher
    http://www.mailwasher.net

    What does it do? It allows you to bounce emails which removes you from 99% of spam lists and also allows you to delete emails off the server which means you don't have to download it in your client (really only a problem if you're on dialup)
    -Jason-
     
  15. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Hi Jason ;)

    Excellent little App but I don't think bouncing is a great idea : a lot of stupid robots consider it as a positive answer
    and you are at risk to receive some more spam IMHO.

    I NEVER answer any spam and even NEVER unsubscribe : it's often a trick to cheat you ;)

    Best regards,
     
  16. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Hi Jack,
    Well I don't know what robots they use on me but bouncing them makes them disappear, whereas doing nothing I just kept getting more and more of the same email from the same people 5 times a day. Also recently I've been getting a lot of the boss.com worm which is a pain to have to download a lot when you're on a 56K :)
    -Jason-
     
  17. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Doing nothing confirms to spammers that some mailbox is getting the spam. An unsuccessful bounce can do no more harm than that.
     
  18. Joesmith

    Joesmith Guest

    Re:A useful firewall rule trick to prevent your email client from accessing the

    Unless the spam bounce is so badly done that it gives away the fact that it's a live account.

    I doubt spammers keep track of bounces anyway.
     
  19. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Most likely, all returns go to /dev/null
     
  20. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Re:A useful firewall rule trick to prevent your email client from accessing the

    Hmm, even I thought of it. It's basically an example of the basic principle of making firewall rules as restrictive as possible. Which itself is a subset of the general security rule to use only needed services and get it simple.

    I've applied these restrictive rules (to specific IPs) from anything like antivirus updates to Newsgroups and htmlclients (to specific email hosts I upload my site).

    To be extra careful, normally I do a reverse DNS (using web-based sites and local) to see if the IPs make sense.
     