Firewall not blocking email from phoning home

Hello,

I installed Avast Internet Security for its outbound firewall rules. This has worked with other firewalls (e.g. Norton Internet Security): I create rules for my email program to allow access to DNS, POP3 and SMTP ports only, and the default rule is otherwise BLOCK. This should prevent my email program from making HTTP (and HTTPS, etc.) requests - so it cannot phone home via 1x1 transparent pixel web bugs (or load images either).

This is either not working at all, or only rarely. My email program uses embedded IE DLL for page rendering, and that may be what is confusing Avast. Obviously I can’t disable the browser’s Internet access.

I can see in the page source that all of the images are being downloaded. On some emails, some things are probably being blocked… but not all.

In addition, I don’t understand the port numbers that are being permitted for email. The program says I am using 12995 and 12465, but I thought 995 and 465 were the secure email ports.

There is a bug when manually entering separate application packet rules - the local port, remote port, and ICMP types turn into orange boxes with a white line in the middle of them, and nothing can be entered. It is still possible to enter multiple ports on a single existing line, though. And it’s necessary to do that since I can’t input other rules.

Any idea how to fix the outbound rules to accomplish what I need?

Thanks.

The avast email shield handles the email and uses localhost addresses.

In addition, I don't understand the port numbers that are being permitted for email. The program says I am using 12995 and 12465, but I thought 995 and 465 were the secure email ports.

The ‘12’ before those ports indicates that they are localhost ports.

EDIT: I broke the URL examples as suggested by DavidR to make them impossible to execute.

Interesting. Thanks for the info. The situation is confusing. I’m looking at the source for an email - Avast blocks around half of the http fetches of images, and doesn’t block the other half.

In the firewall log I do see a LOT of port 80 and port 443 outbound requests from this program blocked by Avast. (Regular and Secure http access.) This is good. It just isn’t working consistently.

I don’t think the email shield would be involved in the stage of email processing that I’m referring to. When email is sent or received, I would think the firewall first allows or blocks any data transfer, and then it is passed to the email shield to check for viruses. Once an email is received by an application, it is decrypted and interpreted. If the email application sees any http “directives” in the email, it will then execute them, and this is independent of email protocols. At this point the request just looks like a program doing a typical outbound web request, which the firewall should handle like any such request. The email shield wouldn’t be involved.

Here is a typical http directive in a commercial email - I edited this down from a log so there may be typos, and I replaced most of the numbers and letters with new info so they no longer personally identify anything:

FACEBOOK

That’s probably the fetch of a Facebook button; it is a fetch to the nytimes with information that almost surely identifies me to the nytimes (user_id), tells them what email I am reading (campaign_id, instance_id, segment_id); etc.

Here’s the URL to put up a link to view email in a browser, and it identifies a lot more to campaign-archive1.com than I probably want:

View this email in your browser

I haven’t got any examples at the moment, but there are lots of fetches of transparent 1x1 gifs embedded in emails whose sole purpose is to let the commercial sender know that you read the email. This circumvents the convention of letting recipients control whether to respond to servers requesting a “return receipt” or “read receipt.”

I know lots of people debate whether an outbound firewall is ever useful. I think it is. We can configure our web clients with ad blockers and script blockers to prevent the browser from doing many kinds of outbound requests we may not want - to advertisers, to trackers, to social media networks. But all emails except plain text emails are essentially “web pages,” and without a firewall, there’s nothing in place to let us similarly block access to - advertisers, trackers, and social media networks. An outbound firewall is the first, last, and only resort that I know of.

  1. That rather depends on what the locations are.

  2. Avast redirects browser traffic through its scanners (the same for email) so it is scanned before it is either displayed to your screen or delivered as an email.

  3. Please break links to suspect URLs, to avoid accidental exposure, change the http to hXXp, so the link isn’t active.

Unfortunately I don’t use the avast firewall so I’m not familiar with its settings - I use Outpost Firewall where I can block 1x1 images so these tracking images don’t get downloaded.

DavidR, I messed up the URLs, as you suggested. Thanks for the suggestion.

Looks like Outpost Firewall is being discontinued. I’d be happy to revert to free Avast AV and use some other firewall - but I’ve found few that allow specific outbound rules.

I do use the Avast web scanning. It complements my ad blocking and script blocking by scanning for viruses and watching for known malware URLs. I’m pretty well covered by the 3 kinds of features.

If my email program had ad and script blocking plug-ins available, I wouldn’t need an outbound firewall to assist me here.

I’m going to try Avast support.

Yes, Agnitum has been bought out by Yandex, so no new sales of the product; for me that isn’t an issue as there is limited support to the end of this year.

By “I’m going to try Avast support.” I would steer clear of the Free Telephone Support, I don’t have a huge degree of confidence in these 3rd party support companies (avast has commissioned them to handle that).

You could try the support ticket system (but this can take 5-10 working days): https://support.avast.com/support/tickets/new

Hopefully one of the regular volunteers on the forum who uses the avast firewall can join the topic.

You are quite right. I did call support right after I wrote that this morning, and I do have 3 good things to report about it:

  1. Very brief hold time

  2. Free

  3. Without making a mess of things or spewing unhelpful ideas, the support engineer immediately told me this was a job for what he called “dev” and I was directed to submit a ticket with screencaps.

The support engineer had possibly no training in packet rules, or very little, but didn’t try to bs his way through it and waste everyone’s time.

Holy cow. Custom firewall packet rules in current version of Avast - DO NOT WORK AT ALL.

In this thread from a year ago, I reported that the firewall sometimes failed to block some http fetches. Avast fixed this. It worked beautifully.

Stupidly I failed to review whether the firewall in the completely redone version of Avast - version 17.2.2288 (build 17.2.3419.64) was still blocking anything. It blocks - NOTHING! I am absolutely stunned.

My rules are right there. They are ignored. The firewall logs have no mention of any blocking, and all of my emails show that all images (from http fetches) are appearing. There is no outbound blocking AT ALL.

If I even move the default rule - to block EVERYTHING - on top for the application, it makes no difference. Avast firewall allows everything.

What the heck?

Why not update to the latest avast (or perhaps even the latest beta) and check again?
You are using an old(er) version of avast.

Good idea. My update settings are “Ask when an update is available” and I don’t recall seeing a notice.

Things are working now, but I can’t swear it is because of the program update. Just before updating the program I deleted the application and firewall group that wasn’t working, allowing Avast to create a new default Allow for the program next time I ran it, then entered my custom packet rules again. I should have tested my change before upgrading the program but didn’t, so we’ll never know, but happily the firewall is now working.

Thanks for your suggestion.

Well - it’s working partially, like it did when I first reported this problem a year ago. It is allowing certain http fetches through.

I get one email newsletter that has some separate columns with images in them, and Avast is blocking the images from one column but letting the other column through.

I can see from the email source that all these images are loaded via http URLs. None are embedded images.

Are you still using Outpost Firewall?
I’m still using it on my XP Pro system and I don’t have any custom rules for my email client.

What email client are you using?
I ask this because I’m using Thunderbird and it has a function not to download external content, but when an email is downloaded. You can selectively accept external content, either just for then or for all to that source.

If you aren’t using Thunderbird, perhaps your email client has a similar function.

I never tried Outpost, have just used Avast, and the last version did start working shortly after I followed through with Avast “dev” support about the matter.

For email, I still use the old Eudora desktop email client. It has an option to disable “download of HTML graphics,” but that doesn’t cover all remote access. Just whatever Eudora thinks is a “graphic.”

I want to block any access at all to anything that isn’t port 995, 465 or 25.

So bottom line: no, my email client doesn’t quite have the option that I’d like, sadly.

Probably for consistency I should add port 110 to my allowed ports, or remove port 25 (the unencrypted POP and SMTP ports), but this set of 3 seemed to work best for me.

With some firewalls I needed to enable Eudora for port 53 (for DNS), but it seems Avast allows that through without my having to explicitly enable it for Eudora. The DNS requests may not seem to Avast to be emanating from Eudora. Different firewalls respond a bit differently to these sorts of things, and as long as Eudora is able to resolve host names I don’t need to do anything special with port 53.

I just thought you might be using outpost given you mentioned it in one of your earlier posts.

I have never used the avast firewall, so I’m in the dark here.

I was thinking (dangerous I know), these accesses to external content, would they actually be using normal html/https connections rather than using your email ports. I don’t know what stats you get from the avast firewall, if it shows any non email port activity, clutching at straws a bit, given some of your custom rules work but others don’t.

Thinking sometimes causes trouble! :-\

I can see from the source that they are using standard http port. With any other port, the URL would look like http://avast.com:xx/… where xx is any port other than 80, which is the standard port assumed for the http protocol.

You have uncovered the flaw in my scheme that I have long known of - that someone could run a malicious web server on a port that is normally used for an email server, which would outwit my block. That means, using a URL like:

http://avast.com:25/

No one has ever gone to the trouble. How many people are using firewalls to block email program outbound http fetches? Most people don’t even use desktop email programs anymore. The clever scheme might even cause them more trouble than it’s worth.

The Avast firewall log shows that most activity I’d expect to be blocked, is being blocked. In my emails, the blocked content shows up as empty square boxes.

Here’s a log of a block, caught by the default rule for the program - my default rule is to block everything except those ports I allow in a higher rule. This is a block of port 80 at 70.96.128.165, which appears to be the publisher darkhorse.com. It’s just a regular http fetch to port 80, most likely a graphic in an email newsletter.

4/30/2017 12:56:07 AM 70.96.128.165 80 0.0.0.0 51312 TCP Out C:\Program Files\Qualcomm\Eudora\Eudora.exe Default Rule

If the problem continues I’ll have to contact Avast support again.

I’m certainly not a hands on firewall user, Outpost was/is very configurable, but for the most part it has a flexible almost friendly user interface.

On this win10 acer laptop I’m using the default win10 firewall, but the Thunderbird option to block external content, is a saving grace. I too still prefer client based email to webmail although I have a gmail account it is more of a backup than a primary option.

I would agree that it may be time to get in touch with avast support

Use this form and “not” the third party phone support.
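
As an added example (not part of the thread, and not Avast's or Eudora's code): a Python script that lists the URLs an HTML mail body would request on rendering and checks each against a remote-port rule like the one described in the thread (allow 995, 465 and 25, block the rest), including the `:25` case one poster raised. The tag list, field names and sample body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_PORTS = {995, 465, 25}            # remote ports the thread's allow rule permits
DEFAULT_PORTS = {"http": 80, "https": 443}
# Tag/attribute pairs a renderer fetches on display, without a click (not exhaustive).
FETCH_ATTRS = {("img", "src"), ("link", "href"), ("script", "src"), ("iframe", "src"),
               ("body", "background"), ("table", "background"), ("td", "background")}

class RemoteFetchAudit(HTMLParser):
    """Collects every URL in an HTML mail body that rendering would request."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for name, value in attrs:
            if (tag, name) not in FETCH_ATTRS or not value:
                continue
            try:
                url = urlsplit(value.strip())
                port = url.port or DEFAULT_PORTS.get(url.scheme)
            except ValueError:            # malformed host or port
                continue
            if url.scheme not in DEFAULT_PORTS or not url.hostname:
                continue                  # cid:, data: and relative references stay local
            self.findings.append({
                "host": url.hostname, "port": port,
                # Only catches pixels declared via width/height attributes, not CSS.
                "pixel": tag == "img" and attr_map.get("width") == "1" and attr_map.get("height") == "1",
                "has_query": bool(url.query),
                "blocked_by_port_rule": port not in ALLOWED_PORTS,
            })

def audit(html_body):
    parser = RemoteFetchAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings

# Constructed sample body; hosts use reserved example domains.
SAMPLE = """<html><body>
<img src="http://news.example.com/banner.jpg?user_id=0000&amp;campaign_id=1111" width="600">
<img src="https://track.example.net/open.gif?m=abc" width="1" height="1">
<img src="http://cdn.example.org:25/logo.png">
<img src="cid:logo@example.com">
<a href="http://news.example.com/view">View this email in your browser</a>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

Entries with `blocked_by_port_rule` set to `False` are the fetches a port-only rule lets through; comparing the hosts it lists against the firewall log shows which requests the firewall actually stopped.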