    pfBlockerNG-devel 3.1.0_4 Not Blocking Email Content

      Gertjan @newUser2pfSense

      @newuser2pfsense

      A mail client can, when receiving a mail from an 'unknown' source, decide not to load any URLs listed in the mail. These are often images, and other content.
      Once you've selected, Outlook (Office 365) shows this like this:

      26d85fc4-6a0e-4204-874a-30b2bfc529ec-image.png

      ( sorry, French, but you get the picture )

      Once I click on that text, Outlook reaches out to get all the non-shown images and other content.
      Btw: this action often confirms to the sending side you've 'seen' the mail.
      Sometimes a text is shown to 'trust' the host name, or just the mail address, and any further mails from them will get shown immediately and entirely.

      If the URLs used in the mail (they contain host names) are listed in a DNSBL, then the content can't be loaded by Outlook (or a web browser, or whatever you use).

      You can see for yourself what happens :
      Look at the mail, not the one shown by your 'html' capable mail reader : look at the real mail as it is received. Also called "the source".
      There you will find the URLs that link to outside content.
      If these URLs (== their host names) are in a DNSBL, then that info will never be shown, as the mail reader won't be able to read (access) that host.

      This implies of course that the mail reader should use the DNS by pfSense, so the resolver can do its work. The resolver will use the DNSBL lists, and return 0.0.0.0 (or 10.10.10.1) if there is a match, so the content can't be loaded.

      There can also be a general mail reader setting that

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

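The check described in the post above (read the mail source, pull out the host names of the remote-content URLs, see what the resolver answers), as an added example that is not part of the original thread. The function names and the sample message are constructed for illustration; the two sinkhole addresses are the ones named in the post.

```python
import re
import socket
from email import message_from_string, policy
from urllib.parse import urlsplit

# Answers the post says the resolver returns on a DNSBL match.
SINKHOLES = {"0.0.0.0", "10.10.10.1"}
URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.IGNORECASE)

# Constructed sample: the raw source of an HTML mail with remote content.
SAMPLE = """\
From: news@shop.example
Content-Type: text/html; charset="utf-8"

<img src="http://pixel.tracker.example/open.gif?id=123" width="1" height="1">
<a href="https://www.shop.example/deals">Deals</a>
"""

def remote_hosts(raw_mail):
    """Host names of every http(s) URL in the text parts of the mail source."""
    msg = message_from_string(raw_mail, policy=policy.default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                host = urlsplit(url).hostname
                if host:
                    hosts.add(host.lower())
    return sorted(hosts)

def system_resolve(host):
    """Ask the OS resolver; DNSBL only applies if that resolver is pfSense."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET)}
    except socket.gaierror:
        return set()

def dnsbl_report(raw_mail, resolve=system_resolve):
    """Label each host 'sinkholed', 'resolves' or 'no answer'."""
    report = {}
    for host in remote_hosts(raw_mail):
        addrs = resolve(host)
        report[host] = ("sinkholed" if addrs & SINKHOLES
                        else "resolves" if addrs else "no answer")
    return report

if __name__ == "__main__":
    for host, verdict in dnsbl_report(SAMPLE).items():
        print(f"{verdict:10} {host}")
```

Run it on a client that uses pfSense as its DNS server, feeding it the saved source of a real mail: a host reported as `resolves` is either not in any active DNSBL feed or the client's lookups are not reaching the resolver.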
        newUser2pfSense @Gertjan

        @gertjan Thanks for the reply. I began seeing this issue when I was testing pfBlockerNG-devel. This is what I did -

        1. I began with pfBlockerNG-devel Enabled.
        2. I unchecked Enable and saved.
        3. I then checked Enable and saved.
        4. I restarted pfSense.
        5. The unbound DNS Resolver service would not start at all after several pfSense restarts.
        6. I had the following entries in the Services > DNS Resolver > General Settings > Custom options -
          log-replies: yes
          server:include: /var/unbound/pfb_dnsbl.*conf
        7. I deleted the following line -
          log-replies: yes
        8. I saved and then restarted pfSense.
        9. The unbound DNS Resolver service started and has stayed on ever since.

        I can't attribute the above steps to what I'm seeing but it's the only thing I did to pfSense before advertising email content stopped being stripped out.

          Gertjan @newUser2pfSense

          You don't need these :
          @newuser2pfsense said in pfBlockerNG-devel 3.1.0_4 Not Blocking Email Content:

          The unbound DNS Resolver service would not start at all after several pfSense restarts.

          and the error in the unbound / resolver log file said what ?

          @newuser2pfsense said in pfBlockerNG-devel 3.1.0_4 Not Blocking Email Content:

          I had the following entries in the Services > DNS Resolver > General Settings > Custom options -
          log-replies: yes
          server:include: /var/unbound/pfb_dnsbl.*conf

          For example, this: "server:include: /var/unbound/pfb_dnsbl.*conf" is needed if you manage your own DNSBL files called "pfb_dnsbl.*conf" in the folder /var/unbound/

          That was needed before, with the old version, a couple of years ago.

            provels

            Just throwing this out there, but could the phone be using DNS over HTTPS which is not blocked by pfB unless you're using a DoH blocklist?

            On the other hand, I have images that get blocked in Outlook emails even though I have WL'd the source... But that's something else.

            Peder

            MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
            BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

              johnpoz LAYER 8 Global Moderator @provels

              @provels said in pfBlockerNG-devel 3.1.0_4 Not Blocking Email Content:

              but could the phone be using DNS over HTTPS

              yeah it sure could..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                provels

                Linky => does iphone use dns over https

                Etc. => DoH Blocklists

                  newUser2pfSense @Gertjan

                  @gertjan I deleted the remaining following line from the Services > DNS Resolver > General Settings > Custom options -

                  server:include: /var/unbound/pfb_dnsbl.*conf

                  After deleting the above line, I saved and restarted pfSense with no issues. Guess what, I went back to see if Custom options was blank and it was not. That line reappeared automagically. I deleted the line again, saved, and restarted pfSense once more. The line reappeared automagically again. Apparently I cannot delete the line.

                    Gertjan @newUser2pfSense

                    @newuser2pfsense said in pfBlockerNG-devel 3.1.0_4 Not Blocking Email Content:

                    pfb_dnsbl

                    Ok, I saw this also :

                    875c2a53-c3bb-4dc5-8837-9257b8c6b9ea-image.png

                    This gets added when you use the 'old' unbound mode :
                    08674281-59da-4b42-bd15-2d0da94a9b73-image.png

                    All dnsbl entries, like the feeds, are stored in these files :

                    2d80e040-a061-4b3c-804e-6c6fced838ed-image.png

                    so unbound reads all /var/unbound/pfb_dnsbl.*conf files upon start.

                    I wasn't seeing /var/unbound/pfb_dnsbl.*conf initially, as I do not use the "unbound mode" any more, the far superior (IMHO) "python mode" was made available when version 3.x came out.
                    Having unbound read in all the DNSBL info upon start is painfully slow. The authors of unbound recommend using this mode when huge file handling needs to take place.

                      newUser2pfSense

                      @Gertjan Thanks for that tidbit of info. I now set my DNSBL Mode to Unbound python mode. I'll see if this will strip out unwanted malvertising from my emails.

                        newUser2pfSense @newUser2pfSense

                        @Gertjan The Unbound python mode seems to be working. It's definitely stripping content from advertising emails but not all. I'll take what I can get.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.